Channel: AT&T U-verse forum - dslreports.com

[AT&T Fiber] Bye bye 802.1x, you will not be missed.

What if I told you that the whole 802.1x authentication is enforced at the ONT level and is not necessary to get online? In corporate networks it's the switch that communicates with the AAA server, receives and processes 802.1x frames, and enables or disables access on a switch port. In AT&T's GPON world, the switch is an ONT (the SoC has a switch part in it) and it is responsible for 802.1x. On top of that, 802.1x is not part of the standard OMCI features - it's an add-on that is requested from ONT vendors by AT&T. So if you use a generic ONT like an ONT SFP stick, which has no support for AT&T's OMCI extensions, you do not need 802.1x, certificates, rooting gateways, extracting and decoding certs. I wish I knew all that before I spent all this time rooting RGs and developing tools to decode the certs. But it appears that all of that is unnecessary if you are using your own ONT. All you need to get online is to match OMCI version (0xA0), ONT Hardware version, ONT Software version, Vendor string with Serial Number and password ("DEFAULT"). Depending on the type of ONT you use (I have only tried Lantiq and Realtek based SFPs so far), you may need to set your VLANs to something other than the default '0', but the bottom line is that 802.1x is completely unnecessary. I have only tried this on GPON so far, but there is a good chance XGS-PON works the same way. Happy 4th of July!
