Ath10k and dynamic VLANs

I wanted to setup 802.1x on my Archer C7 v5 and WDR3600.

I was wondering if and how I can use dynamic VLANs without freeradius.

config wifi-iface       'wlan8021x'
    option  device      'radio1'
    option  mode        'ap'
    option  ssid        'test'
    option  encryption  'psk2+tkip+ccmp'
    option  key         'testing123'
    option  dynamic_vlan '2'
    option  vlan_tagged_interface 'eth0'
    option  vlan_bridge 'br-vlan'
    option  vlan_naming '0'
# To hostapd-phy1.conf I added the last two lines because I have no idea
# how to configure that with /etc/config/wireless or with UCI.
# After modifying hostapd-phy1.conf I used `kill -SIGHUP $( pidof hostapd )` to reload

bss=wlan1-3
ctrl_interface=/var/run/hostapd
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
wpa_passphrase=testing123
wpa_psk_file=/var/run/hostapd-wlan1-3.psk
auth_algs=1
wpa=2
wpa_pairwise=CCMP TKIP
ssid=test
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
dynamic_vlan=2
vlan_naming=0
vlan_bridge=br-vlan
vlan_no_bridge=
vlan_tagged_interface=eth0
vlan_file=/var/run/hostapd-wlan1-3.vlan
qos_map_set=0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
config_id=e3426d3d5f68d42f8edd8f0e9cf67035
bssid=96:9a:4a:1a:f6:00
macaddr_acl=1
accept_mac_file=/var/run/accept
# /var/run/accept
f8:ad:cb:20:79:xx    65

But then syslog shows me:

Sat Feb 12 19:53:47 2022 daemon.info hostapd: wlan1-3: STA f8:ad:cb:20:79:xx RADIUS: Invalid VLAN 65 received from RADIUS server

Ok I then tried with freeradius...

# wireless
config wifi-iface       'wlan8021x'
    option  device      'radio1'
    option  mode        'ap'
    option  ssid        '802.1x'
    option  encryption  'wpa2'
    option  server      '127.0.0.1'
    option  key         'testing123'
    option  dynamic_vlan '2'
    option  vlan_tagged_interface 'eth0'
    option  vlan_bridge 'br-vlan'
    option  vlan_naming '0'

Used freeradius config mostly out of the box, only setting a user

"bernd" Cleartext-Password := "test!"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 65

On first try I got
authentication server did not include required VLAN ID in Access-Accept
Which I got "fixed"(?!?!) with Post #3 on https://forum.archive.openwrt.org/viewtopic.php?id=34832

Then I got
Invalid VLAN 65 received from RADIUS server
Which was fixed via

# hostapd-wlan1-3.vlan 
65      br-vlan65
*       br-vlan#

And now I got stuck again with

Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: authenticated
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: associated (aid 1)
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-STARTED e6:c6:20:f9:02:d4
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 RADIUS: VLAN ID 65
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: Failed to update VLAN-ID for WPA
Sat Feb 12 20:07:24 2022 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=e6:c6:20:f9:02:d4 ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)
Sat Feb 12 20:07:27 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:07:33 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:07:45 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:05 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:25 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:41 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: authenticated
Sat Feb 12 20:08:41 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: associated (aid 1)
Sat Feb 12 20:08:41 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-STARTED e6:c6:20:f9:02:d4
Sat Feb 12 20:08:41 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Sat Feb 12 20:08:41 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 RADIUS: VLAN ID 65
Sat Feb 12 20:08:41 2022 daemon.notice hostapd: Failed to update VLAN-ID for WPA
Sat Feb 12 20:08:41 2022 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=e6:c6:20:f9:02:d4 ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)
Sat Feb 12 20:08:44 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:50 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:09:02 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4

Which leaves me alone in the dark with four (4) results on Google...
https://www.google.com/search?channel=nrow5&client=firefox-b-d&q=hostapd%3A+nl80211%3A+NL80211_ATTR_STA_VLAN+ifname+vlan_id+failed%3A+-22+(Invalid+argument)+ ("hostapd: nl80211: NL80211_ATTR_STA_VLAN ifname vlan_id failed: -22 (Invalid argument)")

Failed to update VLAN-ID for WPA led me to https://bugs.openwrt.org/index.php?do=details&task_id=488 which I assume is already integrated?

In the meantime I found some posts in this forum and on the hostapd mailing list saying that there was/is also an 802.1x issue with the ath10k firmware and/or driver, because each station will have its own key(?), and ath10k or the firmware is not able to handle this(?). Is this still the case?
@jow mentioned it here WPA2 Enterprise 802.1x dynmic vlans not working - #9 by jow in June 2018

But people on the internet with Archer C7 say they have 802.1x working with 21.02.

I also found and applied this change https://git.openwrt.org/?p=openwrt/openwrt.git;a=blobdiff;f=package/network/services/hostapd/files/hostapd.sh;h=1fa22cb69e060ca0eeb494d3158e1efe35374432;hp=7981f02ed6a035d2062ef70e3d9a01251358e861;hb=96e9c81aabe9e14d6ec75c3f238c4ca7389b92a8;hpb=4f2243d40a400aa1ce6ae5d06325f93b4d9463a5 to local /lib/netifd/hostapd.sh as I'm running the latest stable 21.02.1 build from/with the imagebuilder for now.

TL;DR: I want dynamic VLANs on Wifi and need some help. The guide in the wiki is quite outdated and left me with some dark spots. I'm not really comfortable with what I'm actually doing, but I think at least the simple radius config is working, as I see successful authentication and the VLAN ID is passed to hostapd. But something is still wrong.

I realized my first try (802.1x without freeradius) missed the hostapd-wlan1-3.vlan file.
After I set this up I get the same error as with freeradius:

daemon.info hostapd: wlan1-3: STA f8:ad:cb:20:79:xx RADIUS: VLAN ID 65
daemon.info hostapd: wlan1-3: STA f8:ad:cb:20:79:xx IEEE 802.11: authenticated
daemon.info hostapd: wlan1-3: STA f8:ad:cb:20:79:xx IEEE 802.11: associated (aid 1)
daemon.notice hostapd: Failed to update VLAN-ID for WPA
daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=f8:ad:cb:20:79:xx ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)

BTW: How would I make the vlan-file persistent?

Try it on 2 GHz first. The ct variant of the ath10k driver used to fail because VLAN operation is not supported. I don't know if that has been added.

All files are persistent unless you store them in /tmp or /var, which is mounted as a RAM disk. If you want files to persist through a sysupgrade you can configure keep.d, or I just make a subdirectory of /etc/config such as /etc/config/vpnfiles for VPN certificates and keys.

Morning.
On the archer I already use the 2.4 GHz radio which is radio1.
Right, /var is in tmpfs, but what I meant is that my impression is that the vlan file gets overwritten on hostapd restart. I need to test this later.

I tested on the WDR3600, which uses ath9k, on 2.4 GHz without freeradius and with only the accept_mac_file and vlan_file modifications to hostapd.
Same error. But I can not tell if it's hostapd or nl80211 that is missing something. But what...

Sun Feb 13 20:46:24 2022 daemon.info hostapd: wlan8021x: STA f8:ad:cb:20:79:xx RADIUS: VLAN ID 65
Sun Feb 13 20:46:24 2022 daemon.info hostapd: wlan8021x: STA f8:ad:cb:20:79:xx IEEE 802.11: authenticated
Sun Feb 13 20:46:24 2022 daemon.info hostapd: wlan8021x: STA f8:ad:cb:20:79:xx IEEE 802.11: associated (aid 1)
Sun Feb 13 20:46:24 2022 daemon.notice hostapd: Failed to update VLAN-ID for WPA
Sun Feb 13 20:46:24 2022 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=f8:ad:cb:20:79:xx ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)

Increasing the log_level to 1 did not reveal any more info.

Is there anybody who could confirm a running 802.1x setup with 21.02? Would you mind telling me what hardware you are using?
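Added example (not part of this thread, and not hostapd or OpenWrt code): a small Python triage script that groups the hostapd syslog lines quoted above by station MAC and reports which stage failed, RADIUS attribute, vlan_file lookup or nl80211 binding. The sample log is built from the lines quoted in this thread plus one constructed healthy station; the verdict wording and the `br-` hint are this example's own heuristics, not hostapd messages.

```python
"""Triage hostapd dynamic-VLAN failures from syslog.

Added example for this thread, not hostapd or OpenWrt code.  It groups the
hostapd lines by station MAC and reports which stage of
RADIUS attribute -> vlan_file lookup -> nl80211 binding went wrong.
The verdict strings are this example's own wording, not hostapd messages.
"""
import re
from collections import defaultdict

# hostapd message shapes as they appear in the thread (syslog prefix ignored).
RE_ASSIGNED = re.compile(r"STA (?P<mac>\S+) RADIUS: VLAN ID (?P<vid>\d+)")
RE_INVALID = re.compile(r"STA (?P<mac>\S+) RADIUS: Invalid VLAN (?P<vid>\d+)")
RE_AUTH = re.compile(r"STA (?P<mac>\S+) IEEE 802.11: authenticated")
RE_BIND_FAIL = re.compile(
    r"NL80211_ATTR_STA_VLAN \(addr=(?P<mac>\S+) ifname=(?P<ifname>\S+) "
    r"vlan_id=(?P<vid>\d+)\) failed: (?P<errno>-?\d+) \((?P<strerror>[^)]*)\)")


def _new_station():
    return {"vlan": None, "ifname": None, "errno": None,
            "invalid": False, "authenticated": False}


def triage(lines):
    """Return {mac: {"vlan", "ifname", "errno", "verdict"}} for every station
    that shows up in the given hostapd log lines."""
    stations = defaultdict(_new_station)
    for line in lines:
        m = RE_ASSIGNED.search(line)
        if m:
            stations[m["mac"]]["vlan"] = int(m["vid"])
            continue
        m = RE_INVALID.search(line)
        if m:
            st = stations[m["mac"]]
            st["vlan"], st["invalid"] = int(m["vid"]), True
            continue
        m = RE_BIND_FAIL.search(line)
        if m:
            st = stations[m["mac"]]
            st["ifname"], st["errno"] = m["ifname"], int(m["errno"])
            continue
        m = RE_AUTH.search(line)
        if m:
            stations[m["mac"]]["authenticated"] = True
    return {mac: _verdict(st) for mac, st in stations.items()}


def _verdict(st):
    """Heuristics of this example: say which stage failed and what to check."""
    if st["invalid"]:
        why = (f"VLAN {st['vlan']} rejected by hostapd: no exact or '*' entry "
               f"for it in vlan_file")
    elif st["errno"] is not None:
        why = (f"kernel refused to bind the station to {st['ifname']} "
               f"(errno {st['errno']})")
        if st["ifname"].startswith("br-"):
            # A bridge name landed in the ifname column of vlan_file; the
            # entry should read 'vlan_id <wlan-vif>.N <bridge>'.
            why += ("; ifname is a bridge name, the vlan_file line needs the "
                    "wlan vif before the bridge")
    elif st["vlan"] is not None:
        why = f"VLAN {st['vlan']} assigned, no binding error logged"
    else:
        why = "no VLAN assignment seen"
    return {"vlan": st["vlan"], "ifname": st["ifname"],
            "errno": st["errno"], "verdict": why}


# Lines copied from the thread, plus a constructed healthy station at the end.
SAMPLE_LOG = """\
Sat Feb 12 19:53:47 2022 daemon.info hostapd: wlan1-3: STA f8:ad:cb:20:79:xx RADIUS: Invalid VLAN 65 received from RADIUS server
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: authenticated
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 RADIUS: VLAN ID 65
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: Failed to update VLAN-ID for WPA
Sat Feb 12 20:07:24 2022 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=e6:c6:20:f9:02:d4 ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)
Sun Feb 13 21:00:00 2022 daemon.info hostapd: wlan8021x: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
Sun Feb 13 21:00:00 2022 daemon.info hostapd: wlan8021x: STA 02:00:00:00:00:01 RADIUS: VLAN ID 65
"""

if __name__ == "__main__":
    for mac, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{mac}: {info['verdict']}")
```

Run it against `logread | grep hostapd` on the router; a station that gets "rejected by hostapd" never reached nl80211 (no matching vlan_file entry), while "kernel refused to bind" means hostapd accepted the VLAN and the interface it tried to use is the thing to look at.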

My setup on OpenWrt SNAPSHOT r18622-3d3d03479d is working with MediaTek MT7621 Mir3g and Lantiq xrx200 TP-Link w8970.

No modifications to hostapd-phy1.conf needed.

I had to define wlan0.x interface names in the hostapd.vlan file, otherwise hostapd cannot dynamically attach the wlan interface to br-vlan. It was working fine on 19.07.

# '/etc/config/wireless'
config wifi-iface 'default_radio0'
	option vlan_file '/etc/config/hostapd.vlan'
	option dynamic_vlan '2'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

# '/etc/config/hostapd.vlan'
1       wlan0.1 br-vlan1
2       wlan0.2 br-vlan2
3       wlan0.3 br-vlan3
4       wlan0.4 br-vlan4

# '/etc/config/network'
config device
	option type 'bridge'
	option name 'br-vlan1'
	list ports 'br-lan.1'
	option bridge_empty '1'
config device
	option type 'bridge'
	option name 'br-vlan2'
	list ports 'br-lan.2'
	option bridge_empty '1'


Great! Thank you so much! It worked on the WDR3600 with ath9k!

I removed option vlan_tagged_interface 'eth0' from /etc/config/wireless and used

1   wlan8021x.1   br-vlan1
65  wlan8021x.65  br-vlan65
*   wlan8021x.#   br-vlan#

for the vlan_file.

What did not work yet is the vlan_file statement * wlan8021x.# br-vlan#
I thought that the vlan interface is created when needed, but now a vlan interface is created for each vlan in the vlan_file. Don't understand, but can live with it...

@jow sorry to bother you directly, but what do I need to do to state stuff like macaddr_acl and accept_mac_file in /etc/config/wireless? I can state it there but it is not added to hostapd-phy0.conf.
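Added example (not from the thread, and not hostapd or OpenWrt code): a Python resolver that reads a vlan_file the way hostapd's documented format describes it, one `vlan_id ifname [bridge]` entry per line, `*` as the wildcard VLAN ID, `#` in the names replaced by the VLAN ID, and shows which interface and bridge a RADIUS-assigned VLAN would land on. It is fed the two-column file from the first post and the three-column file from the post above so the difference is visible; the `br-` warning in `lint()` is this example's heuristic, while the 1..4094 range and the IFNAMSIZ length limit are what hostapd enforces when loading the file.

```python
"""Resolve hostapd vlan_file entries for a RADIUS-assigned VLAN ID.

Added example for this thread, not hostapd or OpenWrt code.  The format
handled is the one documented in hostapd.conf: one entry per line,
'vlan_id ifname [bridge]', '*' as the wildcard VLAN ID and '#' in the
names replaced by the VLAN ID.
"""

MAX_VLAN_ID = 4094   # hostapd accepts VLAN IDs 1..4094 in vlan_file
IFNAMSIZ = 16        # hostapd rejects ifname/bridge names longer than this
WILDCARD = "*"


def parse_vlan_file(text):
    """Return a list of (vlan_id, ifname, bridge) tuples.

    vlan_id is an int or WILDCARD; bridge is None for two-column lines.
    Raises ValueError for the kinds of lines hostapd refuses to load.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):   # blank or comment line
            continue
        fields = raw.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'vlan_id ifname [bridge]'")
        vid_s, ifname = fields[0], fields[1]
        bridge = fields[2] if len(fields) == 3 else None
        if vid_s == WILDCARD:
            vid = WILDCARD
        elif vid_s.isdigit() and 1 <= int(vid_s) <= MAX_VLAN_ID:
            vid = int(vid_s)
        else:
            raise ValueError(f"line {lineno}: invalid VLAN ID {vid_s!r}")
        for name in (ifname, bridge):
            if name is not None and len(name) > IFNAMSIZ:
                raise ValueError(f"line {lineno}: interface name {name!r} too long")
        entries.append((vid, ifname, bridge))
    return entries


def _fill(name, vlan_id):
    """Substitute the VLAN ID for '#' in a wildcard entry's name."""
    return None if name is None else name.replace("#", str(vlan_id))


def resolve_vlan(entries, vlan_id):
    """Map vlan_id to (ifname, bridge) as hostapd would.

    An exact entry wins; otherwise the wildcard entry applies with every '#'
    replaced by the VLAN ID.  None means no entry matches, which is the case
    behind "Invalid VLAN N received from RADIUS server" in the thread.
    """
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError(f"VLAN ID {vlan_id} out of range 1..{MAX_VLAN_ID}")
    for vid, ifname, bridge in entries:
        if vid == vlan_id:
            return ifname, bridge
    for vid, ifname, bridge in entries:
        if vid == WILDCARD:
            return _fill(ifname, vlan_id), _fill(bridge, vlan_id)
    return None


def lint(entries):
    """Heuristic of this example, not a hostapd check: flag two-column lines
    whose ifname looks like a bridge.  hostapd treats column two as the
    per-VLAN wireless (AP_VLAN) interface to create, so 'br-vlan65' there is
    almost certainly a bridge that was meant for column three."""
    warnings = []
    for vid, ifname, bridge in entries:
        if bridge is None and ifname.startswith("br-"):
            tag = "#" if vid == WILDCARD else vid
            warnings.append(f"vlan {vid}: '{ifname}' is in the ifname column; "
                            f"did you mean '{vid} <wlan-vif>.{tag} {ifname}'?")
    return warnings


# vlan_file from the first post (two columns) and from the post above (three).
BROKEN_VLAN_FILE = "65      br-vlan65\n*       br-vlan#\n"
FIXED_VLAN_FILE = ("1   wlan8021x.1   br-vlan1\n"
                   "65  wlan8021x.65  br-vlan65\n"
                   "*   wlan8021x.#   br-vlan#\n")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_VLAN_FILE), ("fixed", FIXED_VLAN_FILE)):
        entries = parse_vlan_file(text)
        print(label, "VLAN 65 ->", resolve_vlan(entries, 65),
              "VLAN 70 ->", resolve_vlan(entries, 70))
        for warning in lint(entries):
            print("  warning:", warning)
```

With the two-column file, VLAN 65 resolves to ifname `br-vlan65` and no bridge at all, which matches the `ifname=br-vlan65` in the nl80211 error above; with the three-column file it resolves to the `wlan8021x.65` vif attached to `br-vlan65`, and an unlisted VLAN such as 70 falls through to the wildcard.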

I just had time yesterday to test on ath10k 2.4 GHz radio. Which worked. Will test today on 5 GHz.

What's unrelated: I'm unable to configure MAC address based auth with radius and fall through (?)/default accept for unknown addresses.
What also seems impossible to configure with UCI is PSK auth with radius vlan assignment, but according to the hostapd documentation this should be a valid use case.
I want to test this with manual edits on the hostapd conf. But that's already something. I think the issue is that it is not clear from the documentation which interfaces need to be stated where. But I haven't wrapped my head fully around it yet either.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.