I have AT&T fiber. It terminates into an ONT, which is fine, but AT&T wants you to run all your traffic through their residential gateway, which is not fine. The gateway authenticates the line with 802.1X (EAP-TLS) using a certificate baked into the device. If you pull that certificate out and run wpa_supplicant on your own router, the router can do the handshake itself and you can retire the AT&T box. On a UDM-Pro you can run wpa_supplicant right on the WAN port and plug straight into the ONT.

I first wrote this in 2020 pointing at a couple of community scripts. The idea is the same; the way I run it now is cleaner and survives firmware updates. This is how it works on a current UniFi OS.

Bring your own binary, keep everything in /data

UniFi OS does not include a wpa_supplicant you can rely on, so you supply your own. The trick that makes it hold up is to keep the binary and everything it needs in /data, which survives reboots and firmware updates. An update replaces the entire base OS image, so anything you put in /etc or borrow from the system can vanish. Keep the binary, libraries, certs, and config in /data and an update can swap the whole OS out from under you without touching your setup.

Layout

Everything lives under /data/att-supplicant/ on the UDM-Pro:

/data/att-supplicant/
  bin/wpa_supplicant        # you supply this; the OS doesn't include one
  lib/libpcsclite.so.1      # the one extra lib the binary needs
  conf/wpa_supplicant.conf
  conf/ca.pem
  conf/client.pem
  conf/private_key.pem

/data is where the UniFi controller keeps its own database, so it is the one place an update is guaranteed to leave alone; that is why the binary, its libs, the certs, and the config all go under it rather than anywhere in the base image.

Get the certificates

You need the EAP-TLS credentials from an AT&T gateway: the CA chain, the client certificate, and the private key. Extracting them from the gateway’s manufacturing data is its own topic and well documented elsewhere (search for mfg_dat_decode). The EAP identity is the gateway’s WAN MAC address. Drop the three PEM files in conf/ and guard them closely: root-owned, mode 600 on the key, never shared, and backed up offline, because without them you are back on the AT&T box.

Get a wpa_supplicant binary

The UDM-Pro is aarch64 with a Debian bullseye userland, so the official Debian arm64 package is a drop-in. Pull it apart on any machine (ar and tar are all it takes) and copy the binary over. Point releases replace the files in the pool, so if either URL 404s, browse the pool directory for the current filename rather than reaching for a package from a different Debian release:

# arm64 wpa_supplicant
curl -fsSLO https://deb.debian.org/debian/pool/main/w/wpa/wpasupplicant_2.9.0-21+deb11u3_arm64.deb
ar x wpasupplicant_*.deb && tar xf data.tar.xz
# binary is ./sbin/wpa_supplicant

# its one extra dependency, libpcsclite
curl -fsSLO https://deb.debian.org/debian/pool/main/p/pcsc-lite/libpcsclite1_1.9.1-1_arm64.deb
ar x libpcsclite1_*.deb && tar xf data.tar.xz
# lib is ./usr/lib/aarch64-linux-gnu/libpcsclite.so.1.0.0  (copy it as libpcsclite.so.1)

Put wpa_supplicant in bin/ and libpcsclite.so.1 in lib/. Confirm it runs and nothing else is missing; the grep should print nothing, and -v should print a version:

LD_LIBRARY_PATH=/data/att-supplicant/lib ldd /data/att-supplicant/bin/wpa_supplicant | grep "not found"
LD_LIBRARY_PATH=/data/att-supplicant/lib /data/att-supplicant/bin/wpa_supplicant -v
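The whole staging step as one script, an added example that is not part of the original post. It assumes the layout, package filenames and /data path above (ROOT is overridable so it can be staged elsewhere first), and it folds in the ldd check so a binary that will not load is caught before it ever goes into a unit.

```shell
#!/bin/sh
# Stage a Debian arm64 wpa_supplicant and its libpcsclite dependency into
# /data/att-supplicant on a UDM-Pro, then report any library the loader
# still cannot find. Added example, not from the original post; the .deb
# filenames and the ROOT path are assumptions, adjust them to what the
# Debian pool currently carries.
set -eu

ROOT="${ROOT:-/data/att-supplicant}"
POOL="https://deb.debian.org/debian/pool/main"

# Unpack one .deb into a fresh directory: the outer layer is an ar archive,
# the payload is data.tar(.xz|.gz|.zst), which tar detects on its own.
extract_deb() {            # extract_deb <file.deb> <destdir>
    case "$1" in /*) deb="$1" ;; *) deb="$PWD/$1" ;; esac
    dest="$2"
    mkdir -p "$dest"
    ( cd "$dest" && ar x "$deb" && tar xf data.tar* \
      && rm -f debian-binary control.tar* data.tar* )
}

# Copy the binary and the library into the /data layout, under the soname
# the loader asks for (libpcsclite.so.1) rather than the versioned filename.
stage() {                  # stage <wpasupplicant.deb> <libpcsclite1.deb>
    tmp=$(mktemp -d)
    extract_deb "$1" "$tmp/wpa"
    extract_deb "$2" "$tmp/pcsc"
    mkdir -p "$ROOT/bin" "$ROOT/lib" "$ROOT/conf"
    install -m 0755 "$tmp/wpa/sbin/wpa_supplicant" "$ROOT/bin/wpa_supplicant"
    install -m 0644 "$tmp/pcsc/usr/lib/aarch64-linux-gnu/libpcsclite.so.1.0.0" \
                    "$ROOT/lib/libpcsclite.so.1"
    chmod 0700 "$ROOT/conf"        # the certs and key go here; keep it private
    rm -rf "$tmp"
}

# Reduce ldd output to the bare names of the libraries it could not resolve.
missing_from_ldd() {       # reads ldd output on stdin, prints one name per line
    awk '/not found/ { print $1 }'
}

# Run the loader against the staged binary with the bundled lib dir in scope.
check_deps() {             # check_deps [binary]; returns 1 if anything is missing
    bin="${1:-$ROOT/bin/wpa_supplicant}"
    missing=$(LD_LIBRARY_PATH="$ROOT/lib" ldd "$bin" | missing_from_ldd)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/missing: /' >&2
        return 1
    fi
    return 0
}

# Fetch, stage and check when invoked as "stage.sh run". The filenames move
# with every point release; list $POOL/w/wpa/ and $POOL/p/pcsc-lite/ if a
# download 404s.
if [ "${1:-}" = "run" ]; then
    curl -fsSLO "$POOL/w/wpa/wpasupplicant_2.9.0-21+deb11u3_arm64.deb"
    curl -fsSLO "$POOL/p/pcsc-lite/libpcsclite1_1.9.1-1_arm64.deb"
    stage wpasupplicant_*_arm64.deb libpcsclite1_*_arm64.deb
    check_deps && "$ROOT/bin/wpa_supplicant" -v
fi
```

Run it once with `run` on the UDM-Pro itself (or with ROOT pointed at a scratch directory on the machine you downloaded on, then rsync the tree over); a non-empty `missing:` list means one more library to bundle into lib/ the same way.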

The config

conf/wpa_supplicant.conf, pointing at the certs by their /data path:

eapol_version=1
ap_scan=0
fast_reauth=1
network={
    ca_cert="/data/att-supplicant/conf/ca.pem"
    client_cert="/data/att-supplicant/conf/client.pem"
    private_key="/data/att-supplicant/conf/private_key.pem"
    identity="XX:XX:XX:XX:XX:XX"
    eap=TLS
    eapol_flags=0
    key_mgmt=IEEE8021X
    phase1="allow_canned_success=1"
}

identity is the gateway WAN MAC. No MAC cloning on the UDM is required; the certificate is what authenticates.
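Before wiring the PEMs into the supplicant it is worth proving they belong together; a key that does not match the cert, or a cert that does not verify against ca.pem, fails with very little in the log to point at the cause. This check script is an added example, not from the original post. It assumes the openssl CLI and the conf/ paths above, and that ca.pem is the chain the client cert was issued under (-partial_chain is there for the case where it holds only an intermediate rather than a self-signed root).

```shell
#!/bin/sh
# Check the three PEM files in conf/ before blaming the supplicant: the key
# must belong to the client cert, the cert must chain to ca.pem and be
# inside its validity window, and the key must be readable by nobody else.
# Added example, not from the original post; it assumes the openssl CLI and
# the conf/ layout above.
set -eu

CONF="${CONF:-/data/att-supplicant/conf}"

# The public key embedded in the cert must equal the one derived from the
# private key; comparing SubjectPublicKeyInfo PEM works for RSA and EC alike.
key_matches_cert() {       # key_matches_cert <cert.pem> <key.pem>
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# -partial_chain lets ca.pem act as the trust anchor even if it holds only
# the issuing intermediate and not a self-signed root.
cert_chains_to_ca() {      # cert_chains_to_ca <ca.pem> <cert.pem>
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Valid now and for at least $2 more seconds (default: just now).
cert_not_expiring() {      # cert_not_expiring <cert.pem> [seconds]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Mode 0600 or tighter: only the owner may read the key.
key_is_private() {         # key_is_private <key.pem>
    case "$(ls -l "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run every check, report each failure, return 0 only when all pass.
check_conf() {             # check_conf [confdir]
    d="${1:-$CONF}"; rc=0
    key_matches_cert "$d/client.pem" "$d/private_key.pem" \
        || { echo "private_key.pem does not match client.pem" >&2; rc=1; }
    cert_chains_to_ca "$d/ca.pem" "$d/client.pem" \
        || { echo "client.pem does not verify against ca.pem" >&2; rc=1; }
    cert_not_expiring "$d/client.pem" 2592000 \
        || { echo "client.pem expires within 30 days, or already has" >&2; rc=1; }
    key_is_private "$d/private_key.pem" \
        || { echo "private_key.pem is readable by others; chmod 600 it" >&2; rc=1; }
    return $rc
}

if [ "${1:-}" = "run" ]; then
    check_conf && echo "conf/ looks consistent"
fi
```

The 30-day expiry window is an arbitrary early warning; the cert's actual notAfter is what matters, and `openssl x509 -in conf/client.pem -noout -dates` shows it.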

The systemd unit

/etc/systemd/system/att-supplicant.service. It runs the /data binary, sets LD_LIBRARY_PATH so the loader finds the bundled lib, and restarts if it ever dies:

[Unit]
Description=AT&T EAP-TLS wired supplicant (eth8)
After=local-fs.target

[Service]
Type=simple
Environment=LD_LIBRARY_PATH=/data/att-supplicant/lib
ExecStart=/data/att-supplicant/bin/wpa_supplicant -s -Dwired -ieth8 -c/data/att-supplicant/conf/wpa_supplicant.conf
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Two things. eth8 is the UDM-Pro’s WAN port; confirm yours with ip -br link and match where the ONT is plugged in. And do not order this After=network-online.target, which is tempting but wrong: this service is what brings the WAN up, so waiting on the network means waiting on itself, and the unit sits blocked after a reboot, which is exactly the state you are in after a firmware update.

Enable and start it, then watch for the handshake:

systemctl daemon-reload
systemctl enable --now att-supplicant.service
journalctl -u att-supplicant -f   # look for CTRL-EVENT-EAP-SUCCESS

Once you see EAP-SUCCESS, the WAN DHCP lease shows up within a few seconds and you are online.

After a firmware update

Most updates need nothing; the unit lives in /etc and everything it runs lives in /data. If the WAN is down after a big jump, work through these in order:

  • The update resets the SSH password and changes the login prompt. Re-set the password in the console UI before you try to get in.
  • Check that /etc/systemd/system/att-supplicant.service is still there. The base image is what an update replaces, and /etc goes with it, so the unit is the one piece of this setup that can be wiped. Keep a copy under /data/att-supplicant/ so restoring it is a cp, a daemon-reload and an enable --now.
  • Usually systemctl restart att-supplicant is all it takes.
  • If the binary won’t start, the base OS moved to a newer Debian and a shared library went missing. Run the ldd check above and bundle whatever it names into lib/ the same way as libpcsclite (libssl and libnl are the likely candidates). This is the whole reason for keeping the binary self-contained.
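The recovery steps as one script, an added example rather than anything from the original post. It assumes a copy of the unit is kept at /data/att-supplicant/att-supplicant.service, which is the one file of this setup that lives outside /data; ROOT, UNIT_DIR and SYSTEMCTL are overridable so the copy logic can be exercised without touching a live router.

```shell
#!/bin/sh
# After a UniFi OS update: put the unit back if the base-image swap removed
# it, reload systemd, confirm the bundled binary still loads, and restart the
# supplicant. Added example, not from the original post; it assumes a copy of
# the unit at $ROOT/att-supplicant.service.
set -eu

ROOT="${ROOT:-/data/att-supplicant}"
UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # override with "true" for a dry run
UNIT=att-supplicant.service

# Copy the unit from /data into /etc when it is missing or differs.
# Returns 0 if it installed or replaced the file, 1 if it was already current.
restore_unit() {
    src="$ROOT/$UNIT"; dst="$UNIT_DIR/$UNIT"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    mkdir -p "$UNIT_DIR"
    cp "$src" "$dst"
    chmod 0644 "$dst"
    return 0
}

# Names of shared libraries the loader cannot find for the bundled binary,
# with the bundled lib dir in scope, one per line; empty means all good.
unresolved_libs() {
    LD_LIBRARY_PATH="$ROOT/lib" ldd "$ROOT/bin/wpa_supplicant" | awk '/not found/ { print $1 }'
}

# The order matters: a unit that is not installed cannot be restarted, and a
# binary that will not load restarts into a crash loop (Restart=always).
recover() {
    if restore_unit; then
        echo "unit restored to $UNIT_DIR/$UNIT"
        $SYSTEMCTL daemon-reload
        $SYSTEMCTL enable "$UNIT"
    fi
    missing=$(unresolved_libs)
    if [ -n "$missing" ]; then
        echo "bundle these into $ROOT/lib before restarting:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    $SYSTEMCTL restart "$UNIT"
    $SYSTEMCTL --no-pager status "$UNIT" || true
}

if [ "${1:-}" = "run" ]; then
    recover
fi
```

Once it has restarted, `journalctl -u att-supplicant -f` and wait for CTRL-EVENT-EAP-SUCCESS as in the first-time setup.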

Older references

Background on the concept and extracting the certs: