802.1X dynamic VLAN with DSA config

gregorij · April 24, 2022, 2:31pm

Hi, for some time I am using the configuration described here: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x for setting up dynamic VLAN assignments to wireless clients. It is working pretty well and I am more or less happy with this approach.

Right now, I´ve got my hands on a new router, that is using DSA instead of the legacy switch. Could anyone help me with how should I set up the DSA or alter the config for the dynamic VLAN assignment? For now, according to the tutorial from KB article, I´ve created new bridge called br-vlan, enable VLAN filtering and define the VLANs. But this is creating only one bridge and multiple VLAN (802.1q) devices.

For comparsion, screenshot from the legacy switch config:

and from DSA based router:

Could anyone help me, how should I alter the wifi config to achieve the same functionality on the new device?

Thx.

maverickluke · August 5, 2022, 4:22pm

Have you found a solution for dynamic vlan assignment on DSA?

mTek · August 30, 2022, 8:22pm

I also would like to see if anyone can comment on this as I have a device that is moving from switch config to DSA and this is stopping me from moving forwards.

fodiator · November 2, 2022, 4:14pm

I just got one, and am migrating from swconfig too. Will put config snippets here. Working, although I need to have a closer look still at FT.

—- update —-
FT just works as with swconfig. DSA migration seems rather straightforward.

root@OpenWrt:/etc/config# cat network

...
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        option ipv6 '0'

config interface 'lan'
        option proto 'dhcp'
        option device 'br-lan.1'
...
config bridge-vlan
        option device 'br-lan'
        option vlan 'redacted'
        list ports 'lan:u*'
...
config bridge-vlan
        option device 'br-lan'
        option vlan '172'
        list ports 'lan:t'
...
config bridge-vlan
        option device 'br-lan'
        option vlan '1723'
        list ports 'lan:t'

config interface 'VLAN172'
        option proto 'none'
        option type 'bridge'
        option device 'br-vlan172'

config device
        option type 'bridge'
        option name 'br-vlan172'
        option mtu '1500'
        option ipv6 '0'
        option macaddr 'D8:07:B6:4D:38:D2'
        option txqueuelen '1000'
        list ports 'br-lan.172'

config device
        option type 'bridge'
        option name 'br-vlan1723'
        option mtu '1500'
        option macaddr 'D8:07:B6:4D:38:D2'
        option txqueuelen '1000'
        option ipv6 '0'
        list ports 'br-lan.1723'

config interface 'VLAN1723'
        option proto 'none'
        option device 'br-vlan1723'

root@OpenWrt:/etc/config# cat wireless

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'wpa2'
        option auth_port '1812'
        option auth_secret 'redacted'
        option auth_server 'redacted'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'
...
        option reassociation_deadline '20000'
        option dtim_period '5'
        option wpa_group_rekey '72000'
        option max_inactivity '15'
        option rsn_preauth '1'
        option ssid 'redacted'
        option network 'VLAN172'

Both RADIUS server and router are external. The RADIUS server supplied the VLAN ID tag, which is set to either 172 or 1723, but can be extended arbitrarily (to the applicable vlan limit)