Unlock 802.1X wired internet via OpenWRT on TP-Link WA901ND

TP-Link WA901ND

This weekend, I struggled to flash a TP-Link TL-WA901ND access point with OpenWRT and connect it to my university’s dorm internet.

It took 7 hours to figure out what I accidentaly achieved after 2 but didn’t understand and couldn’t reproduce then. For anyone who wants to do the same, I publish this article for reference.

Tomorrow, we’ll be airing a new Zettelkasten post. Promise.

Update 2013-11-26: I enabled comments so you can ask questions and tell me where you’re stuck.

Update 2013-12-11: With my configuration, this device won’t create its own LAN and hide connected devices from the network server. Instead, it’s operating in bridge mode so that every device connected via wi-fi obtains its own IP address as if it was connected to the port directly. Your physical port will be blocked in Bielefeld (and Marburg, it seems) if too many devices connect at the same time or too many different MAC addresses request access in a short time, though. I recommend you pick up a different device like the TP-Link WDR-3600 (“N600”)1 instead which is capable of the required feature to circumvent this issue.


This isn’t the first device I want to connect to the internet at my university. The TP-Link TL-WA901ND (henceforth called “WA901ND” or “The Router” for brevity) is unique in its port design, though: there’s only one LAN/WAN port, bound to eth0. While you usually plug the internet into the WAN port during setup, I had to setup wifi first or the port would’ve been used by my local machine.

The objective is to install OpenWRT with the wpa_supplicant package to authenticate to the WPA 2 Enterprise network. I’m no network specialist. Thus my vocabulary may be inappropriate at times (though not in a way which includes profanity). Forgive me, please, and send feedback.

Network schema
My local wifi-only network VS the university’s WAN. Image via OpenWRT Wiki.

1. Connect to 802.1X encrypted internet

I’m at Bielefeld University. European universities provide a 802.1X/WPA Enterprise encrypted Wifi connection called “eduroam”. Furthermore, student dormitories (“Wohnheim”) in Bielefeld got blazing fast ethernet with 802.1X PEAP/MD5 authentication (“Wohnheimnetz”).

Popular eduroam-specific use cases cover the authentication problem, which is nice for reference. They don’t connect to the 802.1X encrypted network via LAN or cable, though. Eduroam is a wireless LAN. I, on the other hand, need to create a wired connection. This was a problem since the instructions didn’t work out of the box.

Let’s get started.

Install OpenWRT via the TP-Link web interface. It’s quick and painless. The Router responds to telnet after a reboot and waits for you to set a passwd, so do that first.

I prepared configuration files for the router in accordance with Bielefeld University-specific instructions on how to set up OpenWRT and wpa_supplicant:

Shove them over to The Router via scp:

$ scp wpa_supplicant.conf root@
$ scp whnetz.init root@

To find out which packages I needed, I asked The Router via SSH:

$ opkg print-architecture
arch all 1
arch noarch 1
arch ar71xx 10

Get the packages wpa_cli, wpa_supplicant and the wpad-mini replacement called hostapd from the OpenWRT v12.09 ar71xx-architecture package repository.2 Copy them over, changing file names appropriately:

$ scp hostapd_20130807-1_ar71xx.ipk wpa-supplicant_20130807-1_ar71xx.ipk wpa-cli_20130807-1_ar71xx.ipk root@

Log into the WA901ND again and install the new packages, removing the old wpad-mini:

$ cd /tmp
$ opkg remove wpad-mini
$ opkg install wpa-cli_20130807-1_ar71xx.ipk
$ opkg install wpa-supplicant_20130807-1_ar71xx.ipk
$ opkg install hostapd_20130807-1_ar71xx.ipk

2. Setup W-LAN

You need to activate the W-LAN interface first:

$ uci set wireless.@wifi-device[0].disabled=0
$ uci commit wireless
$ wifi

There should be no errors.

I set up the wifi so its decoupled from the LAN port. The Router itself will get the IP192.168.10.1’ in a network interface I appended to /etc/config/network:

# /etc/config/network 
# ...
config interface 'wlanAP'
        option proto 'static'
        option ipaddr ''   # ip for wifi
        option netmask ''

You’ll have to assign your computer a static IP manually as well to connect via wifi. I picked ‘’ for my Mac. You’ll have to do this every time you want to reconfigure The Router later on. But don’t worry about that just now, we’re not finished, yet.

The wifi has to use the newly created network interface first:

$ uci set wireless.@wifi-iface[0].network="wlanAP"

While you’re at it, change the wireless networks’ SSID and passphrase:

$ uci set wireless.@wifi-iface[0].encryption=psk2
$ uci set wireless.@wifi-iface[0].key="fill_in_your_key"
$ uci set wireless.@wifi-iface[0].ssid="fill_in_your_key"
$ uci commit wireless

To reload network interface settings and restart wifi, run

$ /etc/init.d/network restart

Wait until the network is up and running. Then unplug your computer, activate and connect via wifi with a static IP like ‘’.

3. Bridge WAN and WLAN/Wifi

We’ll change the ethernet port’s settings now. Afterwards, you won’t be able to connect to The Router via LAN anymore. So ensure wifi is working as expected right now.

Lots of forum threads started with the OpenWRT [Dumb Access Point configuration]. It gets a lot of things right, but it’s not tailored to a single-ethernet-port device. Since there’s no eth1 device or wan network interface available for bridging, I had to try lots and lots of different solutions.3

Change the LAN interface to this:

# /etc/config/network 
# ...
config interface 'lan'
        option ifname 'eth0'
        option proto 'dhcp'

wpa_supplicant will need to retrieve a device IP via DHCP. This will do the trick.

$ /etc/init.d/whnetz enable # autostart 802.1X on login
$ /etc/init.d/whnetz start

The router itself should be online right now.

$ wget -s http://google.de

Now let the wifi network bridge to The ethernet post, which is called ‘lan’ but should be ‘wan’ from now on, really. Any computer connecting via wifi with DHCP will retrieve a university network IP, starting with ‘212’ instead of ‘198’. That’s why you won’t be able to access The Router via wifi if you don’t set an IP manually: you’re computer will be in a totally different IP-range.

Enable bridging like this:

# /etc/config/network
# ...
config interface 'wlanAP'
    option proto 'static'
    option ipaddr ''   # Router-IP vom WLAN aus
    option netmask ''
    option type 'bridge'
    option ifname 'eth0' # same as lan

Restart the network again:

$ /etc/init.d/network restart

When it’s finished and everything still works on The Router’s side, you still won’t have access to the internet from your computer as long as you’re accessing your private LAN. Disconnect from wifi and obtain an IP via DHCP from The Router. Instead of a 192.168.10.x LAN address, you should get one starting with 212. Depending on your computer, you may have to request a new DHCP lease manually.

Parting words

The WA901ND unlocked the ethernet port via 802.1X and every device connecting through it will be granted access.

Thats’s esentiay the same unlocking mechanism when using a switch: you can authenticate with one machine hooked to the switch and all the others will benefit as well. Because doing so manually is a pain, we all want our access points to handle that.

So that’s all there is. I hope this reference will spare you a headache or two.

I myself went online quickly but didn’t understand how I could access The Router again. I needed to combine both DHCP for ethernet and static IP for wifi. Took me hours to figure that out.

Since so many visitors are attracted to this page, I enabled comments for this post. What do you struggle with while you set up your router?

  1. Affiliate link; I get a small kickback from the vendor if you buy from my link but it won’t cost you anything. 

  2. I picked the nightly builds and they worked fine yesterday. Your mileage may vary, though, so I recommend you stick to the packages compatible with v12.09. 

  3. Some use relayd, but only for repeater usage. Others bridge LAN and so on. Didn’t apply to this case. 

Browse the blog archive