802.1X using an external freeradius server on a different subnet

Is there a way to configure openwrt based AP (or add a package and configure) to allow the wireless supplicants/users to authenticate against an external freeradius server which resides on a different subnet different from the LAN/WLAN subnet?

If there is a way, I am assuming that the external freeradius server should be connected to a WAN port on the openwrt based AP.

Your help will be greatly appreciated.
Emil

Something like this? AKA setting "just" the IP of the radius server (auth_server)?

config wifi-iface
    option  ifname      'wl2-8021x'
   ...
    option  auth_server '192.168.xx.x'
    option  auth_secret 'test123'    # TODO: CHANGE ME
    option  dynamic_vlan '2'
    option  vlan_bridge 'br-vlan'
    option  vlan_naming '0'
    option  vlan_file   '/etc/config/hostapd-wl2-8021x.vlan'
# /etc/config/hostapd-wl2-8021x.vlan
1       wl2-8021x.1     br-vlan1

65      wl2-8021x.65    br-vlan65
66      wl2-8021x.66    br-vlan66
67      wl2-8021x.67    br-vlan67

*       wl2-8021x.#     br-vlan#

Thanks for your response.

I should have been more clear that the external freeradius server is on the public network (assigned a public ip address). And, thus I made the assumption that the freeradius server would be connected to a WAN port whether the default WAN port or a LAN port converted into a WAN port. Do you think your approach (with modifications to the interface and hostapd files) would still work? If yes, what modifications do you suggest?

I greatly appreciate your help.
Emil

It doesn't matter where the radius server is. If the router you're configuring has an explicit route to it via a connected network, via a static route, or via the default route (usually on the WAN interface) then the radius packets will get to it and get back again.

Did you try it?

3 Likes

Thanks for your response. I will try _bernd suggestions.

1 Like

If you own this RADIUS server you may want to set up an encrypted tunnel to it (e.g. Wireguard), as raw RADIUS is not very secure against attacks that may happen on the Internet.

Great point. I will make sure to secure the connection between the AP and the radius server.
I appreciate the help.