Thanks for providing the configs.
I setup freeradius on my Archer A7v5 running Openwrt following the official instructions here
In those instructions, it asked me to disable 'pap' protocol. Due to that i was getting this error:
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry 5ad882695ad9 at line 1
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) } # authorize = ok
(0) WARNING: No module configured to handle comparisons with &control:Cleartext-Password
(0) WARNING: Add pap or chap to the authorize { ... } and authenticate { ... } sections of this virtual server to handle this "known good" password type
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
In addition to the official instructions, i just enabled 'pap' again by uncommenting the 'pap' block which i commented out in the first place, and everything started working fine.
The eap.patch and inner-tunnel.patch that you mentioned, i didn't apply them, cause they weren't in the official docs, and it's working fine for me without those.
I also had to add
option ppsk '1'
to wireless config. WIthout that, i was getting PSK mismatch error, even though Tunnel-Password was specified in radius server.
Also i had to manually add r0kh and r1kh keys to get roaming working.
Here's my final config,
I have 4 Archer A7v5 (1 router, 3 as dumb AP's hardwired)
5 Vlans (WAN, LAN, GUEST, IOT, GAMING) (Guest has sqm 60Mbps, Gaming has 100Mbps).
I got 400Mbps down and up fiber to home.
2 SSID ( 1 with WPA2 Enterprise for lan devices, another with WPA2 PSK with dynamic vlans) (surprisingly, all my IOT devices works fine on this dynamic vlan ssid)
802.11k/v/r with DAWN is enabled on both SSID.
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'pci0000:00/0000:00:00.0'
option band '5g'
option cell_density '0'
option country 'IN'
option channel 'auto'
option txpower '15'
option htmode 'VHT80'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'Network'
option ieee80211r '1'
option reassociation_deadline '20000'
option dtim_period '3'
option disassoc_low_ack '0'
option bss_transition '1'
option wnm_sleep_mode '1'
option time_advertisement '2'
option time_zone 'IST-5:30'
option ieee80211k '1'
option encryption 'wpa2+ccmp'
option auth_secret 'xx'
option acct_secret 'xx'
option auth_server '172.26.31.1'
option acct_server '172.26.31.1'
option ft_over_ds '0'
option ft_psk_generate_local '0'
option wnm_sleep_mode_no_keys '1'
option proxy_arp '1'
option rsn_preauth '1'
option eap_reauth_period '0'
option mbo '1'
option ieee80211w '1'
option mobility_domain '541d'
option pmk_r1_push '1'
option nasid '005f678051ec'
option r1_key_holder '005f678051ec'
list r0kh '00:5f:67:80:51:ec,005f678051ec,10309ceadb4262ab28037306aef34fbb'
list r0kh '00:5f:67:80:51:ed,005f678051ed,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7e:07,5ca6e6b87e07,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7e:08,5ca6e6b87e08,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7d:8c,5ca6e6b87d8c,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7d:8d,5ca6e6b87d8d,10309ceadb4262ab28037306aef34fbb'
list r0kh '3c:84:6a:ad:a3:e6,3c846aada3e6,10309ceadb4262ab28037306aef34fbb'
list r0kh '3c:84:6a:ad:a3:e7,3c846aada3e7,10309ceadb4262ab28037306aef34fbb'
list r1kh '00:5f:67:80:51:ec,00:5f:67:80:51:ec,10309ceadb4262ab28037306aef34fbb'
list r1kh '00:5f:67:80:51:ed,00:5f:67:80:51:ed,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7e:07,5c:a6:e6:b8:7e:07,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7e:08,5c:a6:e6:b8:7e:08,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7d:8c,5c:a6:e6:b8:7d:8c,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7d:8d,5c:a6:e6:b8:7d:8d,10309ceadb4262ab28037306aef34fbb'
list r1kh '3c:84:6a:ad:a3:e6,3c:84:6a:ad:a3:e6,10309ceadb4262ab28037306aef34fbb'
list r1kh '3c:84:6a:ad:a3:e7,3c:84:6a:ad:a3:e7,10309ceadb4262ab28037306aef34fbb'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/ahb/18100000.wmac'
option band '2g'
option cell_density '0'
option country 'IN'
option channel 'auto'
option txpower '15'
option htmode 'HT40'
option noscan '1'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'Network'
option ieee80211r '1'
option reassociation_deadline '20000'
option dtim_period '3'
option disassoc_low_ack '0'
option bss_transition '1'
option wnm_sleep_mode '1'
option time_advertisement '2'
option time_zone 'IST-5:30'
option ieee80211k '1'
option encryption 'wpa2+ccmp'
option auth_server '172.26.31.1'
option auth_secret 'xx'
option acct_server '172.26.31.1'
option acct_secret 'xx'
option ft_over_ds '0'
option ft_psk_generate_local '0'
option wnm_sleep_mode_no_keys '1'
option proxy_arp '1'
option rsn_preauth '1'
option eap_reauth_period '0'
option mbo '1'
option ieee80211w '1'
option mobility_domain '541d'
option pmk_r1_push '1'
option nasid '005f678051ed'
option r1_key_holder '005f678051ed'
list r0kh '00:5f:67:80:51:ec,005f678051ec,10309ceadb4262ab28037306aef34fbb'
list r0kh '00:5f:67:80:51:ed,005f678051ed,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7e:07,5ca6e6b87e07,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7e:08,5ca6e6b87e08,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7d:8c,5ca6e6b87d8c,10309ceadb4262ab28037306aef34fbb'
list r0kh '5c:a6:e6:b8:7d:8d,5ca6e6b87d8d,10309ceadb4262ab28037306aef34fbb'
list r0kh '3c:84:6a:ad:a3:e6,3c846aada3e6,10309ceadb4262ab28037306aef34fbb'
list r0kh '3c:84:6a:ad:a3:e7,3c846aada3e7,10309ceadb4262ab28037306aef34fbb'
list r1kh '00:5f:67:80:51:ec,00:5f:67:80:51:ec,10309ceadb4262ab28037306aef34fbb'
list r1kh '00:5f:67:80:51:ed,00:5f:67:80:51:ed,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7e:07,5c:a6:e6:b8:7e:07,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7e:08,5c:a6:e6:b8:7e:08,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7d:8c,5c:a6:e6:b8:7d:8c,10309ceadb4262ab28037306aef34fbb'
list r1kh '5c:a6:e6:b8:7d:8d,5c:a6:e6:b8:7d:8d,10309ceadb4262ab28037306aef34fbb'
list r1kh '3c:84:6a:ad:a3:e6,3c:84:6a:ad:a3:e6,10309ceadb4262ab28037306aef34fbb'
list r1kh '3c:84:6a:ad:a3:e7,3c:84:6a:ad:a3:e7,10309ceadb4262ab28037306aef34fbb'
config wifi-iface 'wifinet8'
option device 'radio0'
option mode 'ap'
option ssid 'Network Home'
option encryption 'psk2'
option network 'GUEST'
option auth_server '172.26.31.1'
option auth_secret 'xx'
option acct_server '172.26.31.1'
option acct_secret 'xx'
option ppsk '1'
option dynamic_vlan '2'
option vlan_file '/etc/config/hostapd0.vlan'
option vlan_naming '1'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-'
option ieee80211r '1'
option reassociation_deadline '20000'
option dtim_period '3'
option disassoc_low_ack '0'
option bss_transition '1'
option wnm_sleep_mode '1'
option time_advertisement '2'
option time_zone 'IST-5:30'
option ieee80211k '1'
option ft_over_ds '0'
option ft_psk_generate_local '0'
option wnm_sleep_mode_no_keys '1'
option proxy_arp '1'
option rsn_preauth '1'
option eap_reauth_period '0'
option ieee80211w '1'
option mbo '1'
option mobility_domain '6d7f'
option pmk_r1_push '1'
option nasid '025f678051ec'
option r1_key_holder '025f678051ec'
list r0kh '02:5f:67:80:51:ec,025f678051ec,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '02:5f:67:80:51:ed,025f678051ed,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7e:07,5ea6e6b87e07,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7e:08,5ea6e6b87e08,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7d:8c,5ea6e6b87d8c,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7d:8d,5ea6e6b87d8d,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '3e:84:6a:ad:a3:e6,3e846aada3e6,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '3e:84:6a:ad:a3:e7,3e846aada3e7,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '02:5f:67:80:51:ec,02:5f:67:80:51:ec,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '02:5f:67:80:51:ed,02:5f:67:80:51:ed,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7e:07,5e:a6:e6:b8:7e:07,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7e:08,5e:a6:e6:b8:7e:08,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7d:8c,5e:a6:e6:b8:7d:8c,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7d:8d,5e:a6:e6:b8:7d:8d,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '3e:84:6a:ad:a3:e6,3e:84:6a:ad:a3:e6,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '3e:84:6a:ad:a3:e7,3e:84:6a:ad:a3:e7,e43e0dc9603a428feaefe1bb4d54dbd2'
config wifi-iface 'wifinet10'
option device 'radio1'
option mode 'ap'
option ssid 'Network Home'
option encryption 'psk2'
option network 'GUEST'
option auth_server '172.26.31.1'
option auth_secret 'xx'
option acct_server '172.26.31.1'
option acct_secret 'xx'
option ppsk '1'
option dynamic_vlan '2'
option vlan_file '/etc/config/hostapd1.vlan'
option vlan_naming '1'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-'
option ieee80211r '1'
option reassociation_deadline '20000'
option dtim_period '3'
option disassoc_low_ack '0'
option bss_transition '1'
option wnm_sleep_mode '1'
option time_advertisement '2'
option time_zone 'IST-5:30'
option ieee80211k '1'
option ft_over_ds '0'
option ft_psk_generate_local '0'
option wnm_sleep_mode_no_keys '1'
option proxy_arp '1'
option rsn_preauth '1'
option eap_reauth_period '0'
option ieee80211w '1'
option mbo '1'
option mobility_domain '6d7f'
option pmk_r1_push '1'
option nasid '025f678051ed'
option r1_key_holder '025f678051ed'
list r0kh '02:5f:67:80:51:ec,025f678051ec,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '02:5f:67:80:51:ed,025f678051ed,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7e:07,5ea6e6b87e07,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7e:08,5ea6e6b87e08,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7d:8c,5ea6e6b87d8c,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '5e:a6:e6:b8:7d:8d,5ea6e6b87d8d,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '3e:84:6a:ad:a3:e6,3e846aada3e6,e43e0dc9603a428feaefe1bb4d54dbd2'
list r0kh '3e:84:6a:ad:a3:e7,3e846aada3e7,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '02:5f:67:80:51:ec,02:5f:67:80:51:ec,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '02:5f:67:80:51:ed,02:5f:67:80:51:ed,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7e:07,5e:a6:e6:b8:7e:07,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7e:08,5e:a6:e6:b8:7e:08,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7d:8c,5e:a6:e6:b8:7d:8c,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '5e:a6:e6:b8:7d:8d,5e:a6:e6:b8:7d:8d,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '3e:84:6a:ad:a3:e6,3e:84:6a:ad:a3:e6,e43e0dc9603a428feaefe1bb4d54dbd2'
list r1kh '3e:84:6a:ad:a3:e7,3e:84:6a:ad:a3:e7,e43e0dc9603a428feaefe1bb4d54dbd2'
/etc/config/hostapd0.vlan
1 wlan0.1 br-lan
3 wlan0.3 br-iot
4 wlan0.4 br-guest
5 wlan0.5 br-gaming
/etc/config/hostapd1.vlan
1 wlan1.1 br-lan
3 wlan1.3 br-iot
4 wlan1.4 br-guest
5 wlan1.5 br-gaming
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0.1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '172.26.31.1'
option delegate '0'
option ipv6 '0'
config device
option name 'eth0.2'
option macaddr '00:5f:67:80:51:ee'
config interface 'wan'
option device 'eth0.2'
option proto 'static'
option ipaddr '172.26.1.50'
option netmask '255.255.255.0'
option gateway '172.26.1.1'
list dns '1.1.1.2'
list dns '1.0.0.2'
option ipv6 '0'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 2t 3 4'
option vid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 1'
option vid '2'
config switch_vlan
option device 'switch0'
option vlan '3'
option ports '0t 2t'
option vid '3'
config switch_vlan
option device 'switch0'
option vlan '4'
option ports '0t 2t'
option vid '4'
config device
option type 'bridge'
option name 'br-guest'
list ports 'eth0.4'
config device
option type 'bridge'
option name 'br-iot'
list ports 'eth0.3'
config interface 'GUEST'
option proto 'static'
option device 'br-guest'
option ipaddr '172.26.30.1'
option netmask '255.255.255.0'
option ipv6 '0'
config interface 'IOT'
option proto 'static'
option device 'br-iot'
option ipaddr '172.26.32.1'
option netmask '255.255.255.0'
option ipv6 '0'
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '0t 2t'
option vid '5'
config device
option type 'bridge'
option name 'br-gaming'
list ports 'eth0.5'
config interface 'GAMING'
option proto 'static'
option device 'br-gaming'
option ipaddr '172.26.33.1'
option netmask '255.255.255.0'
option ipv6 '0'
/etc/config/dawn
config local
option loglevel '0'
config network
option broadcast_ip '172.26.31.255'
option broadcast_port '1025'
option tcp_port '1026'
option network_option '2'
option shared_key 'Niiiiiiiiiiiiick'
option iv 'Niiiiiiiiiiiiick'
option use_symm_enc '0'
option collision_domain '-1'
option bandwidth '-1'
config hostapd
option hostapd_dir '/var/run/hostapd'
config times
option update_client '10'
option remove_client '15'
option remove_probe '30'
option remove_ap '460'
option update_hostapd '10'
option update_tcp_con '10'
option update_chan_util '5'
option update_beacon_reports '20'
option con_timeout '60'
config metric 'global'
option min_probe_count '3'
option bandwidth_threshold '100' #changed
option use_station_count '0'
option max_station_diff '1'
option eval_probe_req '0'
option eval_auth_req '0'
option eval_assoc_req '0'
option kicking '1' #changed
option kicking_threshold '20'
option deny_auth_reason '1'
option deny_assoc_reason '17'
option min_number_to_kick '2' #changed
option chan_util_avg_period '3'
option set_hostapd_nr '2' #changed
option duration '120'
option rrm_mode 'tap'
config metric '802_11g'
option initial_score '55' #changed
option ht_support '5'
option vht_support '5'
option no_ht_support '0'
option no_vht_support '0'
option rssi '15'
option rssi_val '-60'
option low_rssi_val '-80'
option low_rssi '-15'
option chan_util '0'
option chan_util_val '140'
option max_chan_util '-15'
option max_chan_util_val '170'
option rssi_weight '4' #changed
option rssi_center '-70'
config metric '802_11a'
option initial_score '100'
option ht_support '7' #changed
option vht_support '7' #changed
option no_ht_support '0'
option no_vht_support '0'
option rssi '15'
option rssi_val '-60'
option low_rssi_val '-80'
option low_rssi '-15'
option chan_util '0'
option chan_util_val '140'
option max_chan_util '-15'
option max_chan_util_val '170'
option rssi_weight '4' #changed
option rssi_center '-70'
These configs are for the router. Setting SQM on eth0.5 to limit my VLan 5's bandwidth was not working since traffic is going straight to WAN interface.
So i had to put SQM on dynamic wlan0.5 and wlan1.5 interface and add a cronjob to restart SQM and DAWN after about 5 min after i reboot router. I reboot all my 4 Archer's every morning to let it auto negotiate optimal wifi channel.
I have added my IOT devices like so in /etc/freeradius3/mods-config/files/authorize
"607ea461118b" Cleartext-Password := "607ea461118b" #iot1
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 3,
Tunnel-Password = network@iot123
"607ea4611bda" Cleartext-Password := "607ea4611bda" #iot2
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 3,
Tunnel-Password = network@iot123
user@gmail.com Cleartext-Password := "xyz"
Reply-Message = "Hi user. Welcome to my Network."
DEFAULT Cleartext-Password := "%{User-Name}" #GUEST Users
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 4,
Tunnel-Password = xyz #guest
The last DEFAULT block is for guest users which can have any mac address. I then use this script to auto-rotate the guest password every week.
#!/bin/ash
password=`cat /dev/urandom | env LC_CTYPE=C tr -dc _ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjklmnpqrstuvwxyz23456789- | head -c 12; echo;`
one="const gpass = '${password}';"
two="export default gpass;"
file="${one}"$'\n'"${two}"
content=$(echo "${file}" | base64)
curl -i -X PUT -H 'Authorization: token xyz' -d "{\"path\": \"/xyz/guest.js\", \
\"message\": \"update guest password\", \"content\": \"${content}\", \"branch\": \"main\",\
\"sha\": $(curl -X GET https://api.github.com/repos/xyz/guest-qr/contents/xyz/guest.js | jq .sha)}" \
https://api.github.com/repos/xyz/guest-qr/contents/xyz/guest.js
ssid='Network Home'
security=WPA2
qrencode -t SVG -o /www/wifi.svg "WIFI:S:${ssid};T:${security};P:${password};;"
sed -i 's/Tunnel-Password = .* #guest/Tunnel-Password = '"${password}"' #guest/' /etc/freeradius3/mods-config/files/authorize
/etc/init.d/radiusd restart
This script also uploads the generated password to my github repo which generates a QR code for it, for which i have a static URL that anyone can open and join.
I use this repo for that.
Also, something neat i found. This command sets the AQL TX limits to a bit lower on myArcher A7v5, which improves latency a lot but with max bandwidth tradeoff
for ac in 1 2 3; do echo $ac 1000 2000 > /sys/kernel/debug/ieee80211/phy0/aql_txq_limit; done && echo 0 1000 1000 > /sys/kernel/debug/ieee80211/phy0/aql_txq_limit && for ac in 1 2 3; do echo $ac 1000 2000 > /sys/kernel/debug/ieee80211/phy1/aql_txq_limit; done && echo 0 1000 1000 > /sys/kernel/debug/ieee80211/phy1/aql_txq_limit
I get around 270Mbps down and 300Mbps up on 5Ghz wifi which is far enough for me. I'll probably downgrade to a 300Mbps connection soon.
Note: Can someone explain to me what "Reply-Message = " option of radius server does exactly? I thought i would get sort of a message on client devices, but it's not working. Maybe it's not implemented by any android devices? I don't know much about radius server.
Hope these findings and configs help someone.