Trying to get EAPOL to work

I have extracted ca.pem, client.pem and privatekey.pem from my ISP's modem and I saw that VyOS has EAPOL built in and I wanted to try it. However, I cannot seem to make it work with my eth0 interface or any other interface. I am faced with this message:

set interfaces ethernet eth0 eapol ca-cert-file /config/auth/att/ca.pem

Configuration path: interfaces ethernet eth0 eapol [ca-cert-file] is not valid
Set failed

I am following this thread: https://phabricator.vyos.net/T1466
I am not sure what I am doing incorrectly. Any help is appreciated. I did try my .pem files with OpenWrt and pfSense routers using the same hardware as VyOS and they did work. I wanted to try VyOS because I love the CLI configure interface.

Hello @jay-0d and welcome to our community!

You are probably using the new VyOS 1.4.
Try this way (Key usage (CLI)):
import and add certificates used by services on router:
Key usage (CLI)
Then use these commands:

vyos@vyos# set interfaces ethernet eth0 eapol
Possible completions:
ca-certificate Certificate Authority in PKI configuration
certificate Certificate in PKI configuration
passphrase Private key passphrase


Thank you for your response. I was able to follow and add ca.pem, client.pem and private.pem using the 'set pki' commands; however, I am getting this message:

Invalid certificate/private key specified for EAPoL

My private.pem was in pkcs1 and I had to convert it to pkcs8 using openssl before I could add it.
So far I have installed ca.pem using the

set pki ca

client.pem using

set pki certificate

and privatekey.pem using

set pki ca name private key

Hi @jay-0d, that output points to the wrong cert/key combination on your configuration side. I think the key is related to your certificate, not the CA, and the configuration will look like:

set pki ca <ca_name> certificate '<ca_cert_string>'
set pki certificate <cert_name> certificate '<cert_string>'
set pki certificate <cert_name> private key '<cert_key>'

set interfaces ethernet <interface_name> eapol ca-certificate <ca_name>
set interfaces ethernet <interface_name> eapol certificate <cert_name>
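
The pairing discussed above (which certificate the private key belongs to, and whether the client certificate was issued by the CA) can be checked offline with openssl before anything is entered under `set pki`. This is an added example, not part of the original posts or of VyOS; the function names and the generated test CA and client files are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for an EAPoL certificate set (not VyOS code).

# Public key (PEM) carried by a certificate; fails on unreadable input.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key; accepts PKCS#1 and PKCS#8.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only when the certificate ($2) verifies against the CA file ($1).
# -no-CApath keeps the system certificate directory out of the check.
cert_chains_to_ca() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# Convert a key to unencrypted PKCS#8, the conversion described in the thread.
to_pkcs8() { openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" 2>/dev/null; }

# Build constructed test material in directory $1: a CA, a client cert and key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.pem" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" && to_pkcs8 "$d/client.key" "$d/client.p8.pem" || return 1
    key_matches_cert "$d/client.pem" "$d/client.p8.pem" && echo "client key matches client cert"
    key_matches_cert "$d/ca.pem" "$d/client.p8.pem" || echo "client key does NOT match CA cert"
    cert_chains_to_ca "$d/ca.pem" "$d/client.pem" && echo "client cert chains to CA"
    rm -rf "$d"
}
demo
```

On real files, run `key_matches_cert client.pem privatekey.pem` and `cert_chains_to_ca ca.pem client.pem`; a non-zero exit from either means the set will not form a valid certificate/key pair.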

@jay-0d a shot in the dark, does this happen to be for an AT&T modem bypass?