I wanted to set up 802.1X on my Archer C7 v5 and WDR3600.
I was wondering if and how I can use dynamic VLANs without freeradius.
config wifi-iface 'wlan8021x'
option device 'radio1'
option mode 'ap'
option ssid 'test'
option encryption 'psk2+tkip+ccmp'
option key 'testing123'
option dynamic_vlan '2'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
# I added the last two lines to hostapd-phy1.conf because I have no idea
# how to configure that with /etc/config/wireless or with UCI.
# After modifying hostapd-phy1.conf I used `kill -SIGHUP $( pidof hostapd )` to reload.
bss=wlan1-3
ctrl_interface=/var/run/hostapd
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=1
skip_inactivity_poll=0
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
wpa_passphrase=testing123
wpa_psk_file=/var/run/hostapd-wlan1-3.psk
auth_algs=1
wpa=2
wpa_pairwise=CCMP TKIP
ssid=test
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-PSK
okc=0
disable_pmksa_caching=1
dynamic_vlan=2
vlan_naming=0
vlan_bridge=br-vlan
vlan_no_bridge=
vlan_tagged_interface=eth0
vlan_file=/var/run/hostapd-wlan1-3.vlan
qos_map_set=0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
config_id=e3426d3d5f68d42f8edd8f0e9cf67035
bssid=96:9a:4a:1a:f6:00
macaddr_acl=1
accept_mac_file=/var/run/accept
# /var/run/accept
f8:ad:cb:20:79:xx 65
But then syslog shows me:
Sat Feb 12 19:53:47 2022 daemon.info hostapd: wlan1-3: STA f8:ad:cb:20:79:xx RADIUS: Invalid VLAN 65 received from RADIUS server
Ok I then tried with freeradius...
# wireless
config wifi-iface 'wlan8021x'
option device 'radio1'
option mode 'ap'
option ssid '802.1x'
option encryption 'wpa2'
option server '127.0.0.1'
option key 'testing123'
option dynamic_vlan '2'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
I used the freeradius config mostly out of the box, only adding a user:
"bernd" Cleartext-Password := "test!"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 65
On the first try I got
authentication server did not include required VLAN ID in Access-Accept
Which I "fixed" (?!?!) with post #3 on https://forum.archive.openwrt.org/viewtopic.php?id=34832
Then I got
Invalid VLAN 65 received from RADIUS server
Which was fixed via
# hostapd-wlan1-3.vlan
65 br-vlan65
* br-vlan#
And now I got stuck again with
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: authenticated
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: associated (aid 1)
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-STARTED e6:c6:20:f9:02:d4
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Sat Feb 12 20:07:24 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 RADIUS: VLAN ID 65
Sat Feb 12 20:07:24 2022 daemon.notice hostapd: Failed to update VLAN-ID for WPA
Sat Feb 12 20:07:24 2022 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=e6:c6:20:f9:02:d4 ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)
Sat Feb 12 20:07:27 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:07:33 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:07:45 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:05 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:25 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:41 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: authenticated
Sat Feb 12 20:08:41 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 IEEE 802.11: associated (aid 1)
Sat Feb 12 20:08:41 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-STARTED e6:c6:20:f9:02:d4
Sat Feb 12 20:08:41 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Sat Feb 12 20:08:41 2022 daemon.info hostapd: wlan1-3: STA e6:c6:20:f9:02:d4 RADIUS: VLAN ID 65
Sat Feb 12 20:08:41 2022 daemon.notice hostapd: Failed to update VLAN-ID for WPA
Sat Feb 12 20:08:41 2022 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=e6:c6:20:f9:02:d4 ifname=br-vlan65 vlan_id=65) failed: -22 (Invalid argument)
Sat Feb 12 20:08:44 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:08:50 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Sat Feb 12 20:09:02 2022 daemon.notice hostapd: wlan1-3: CTRL-EVENT-EAP-RETRANSMIT2 e6:c6:20:f9:02:d4
Which leaves me alone in the dark with four (4) results on Google...
https://www.google.com/search?channel=nrow5&client=firefox-b-d&q=hostapd%3A+nl80211%3A+NL80211_ATTR_STA_VLAN+ifname+vlan_id+failed%3A+-22+(Invalid+argument)+ ("hostapd: nl80211: NL80211_ATTR_STA_VLAN ifname vlan_id failed: -22 (Invalid argument)")
"Failed to update VLAN-ID for WPA" led me to https://bugs.openwrt.org/index.php?do=details&task_id=488 which I assume is already integrated?
In the meantime I found some posts in this forum and on the hostapd mailing list saying that there was/is also an 802.1X issue with the ath10k firmware and/or driver, because each station will have its own key(?), and ath10k or the firmware is not able to handle this(?). Is this still the case?
@jow mentioned it here: WPA2 Enterprise 802.1x dynmic vlans not working - #9 by jow, in June 2018.
But people on the internet with Archer C7 say they have 802.1x working with 21.02.
I also found and applied this change https://git.openwrt.org/?p=openwrt/openwrt.git;a=blobdiff;f=package/network/services/hostapd/files/hostapd.sh;h=1fa22cb69e060ca0eeb494d3158e1efe35374432;hp=7981f02ed6a035d2062ef70e3d9a01251358e861;hb=96e9c81aabe9e14d6ec75c3f238c4ca7389b92a8;hpb=4f2243d40a400aa1ce6ae5d06325f93b4d9463a5 to the local /lib/netifd/hostapd.sh,
as I'm running the latest stable 21.02.1 build from/with the imagebuilder for now.
TL;DR: I want dynamic VLANs on Wifi and need some help. The guide in the wiki is quite outdated and left me with some dark spots. I'm not really comfortable with what I'm actually doing, but I think at least the simple radius config is working, as I see successful authentication and the VLAN ID is passed to hostapd. But something is still wrong.
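As an added example (not code from the post above, nor from hostapd or OpenWrt), here is a small Python model of the lookups hostapd performs with the three files the post configures: accept_mac_file (MAC with optional VLAN ID), the RADIUS Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple, and vlan_file (VLAN ID to interface name, with the `*` wildcard whose `#` is replaced by the ID). The decision logic is the example author's reading of hostapd's documented behaviour, and every function name is the example's own; the sample MACs and files are constructed. It reproduces the two messages the post hit ("did not include required VLAN ID" with dynamic_vlan=2 and no attributes; "Invalid VLAN 65 received from RADIUS server" when vlan_file has no matching entry, which also fires for an ACL-assigned VLAN because both go through the same check). It also carries one check the post does not: hostapd's vlan_file example maps VLAN IDs to wireless VLAN interfaces (e.g. `* wlan0.#`), and vlan_bridge is the prefix of the bridge hostapd then names `<vlan_bridge><id>`. The post's vlan_file maps 65 to `br-vlan65`, the same name as that bridge, and the `-22` in the log is nl80211 refusing `ifname=br-vlan65` as the STA VLAN target; as far as I can tell from nl80211's handling, NL80211_ATTR_STA_VLAN must name a wireless interface of the same phy, which a bridge is not. `vlan_file_collisions` flags exactly that overlap.

```python
# Added example (not code from the post, hostapd or OpenWrt): a Python model of
# the lookups hostapd does over accept_mac_file, the RADIUS Tunnel-* attributes
# and vlan_file, as this example's author understands them from hostapd's docs.
import re

TUNNEL_TYPE_VLAN = 13            # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6  # RFC 2868 Tunnel-Medium-Type value for IEEE-802
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_accept_mac_file(text):
    """accept_mac_file: '<mac> [vlan_id]' per line; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        mac = fields[0].lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"accept_mac_file: bad MAC in {raw!r}")
        table[mac] = int(fields[1]) if len(fields) > 1 else None
    return table


def parse_vlan_file(text):
    """vlan_file: '<vlan_id> <ifname>' or '* <ifname>'; the first '#' in the
    wildcard ifname becomes the VLAN ID, so only a leading '#' is a comment."""
    explicit, wildcard = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vid, ifname = line.split(None, 1)
        if vid == "*":
            wildcard = ifname
        else:
            explicit[int(vid)] = ifname
    return explicit, wildcard


def vlan_from_access_accept(attrs):
    """VLAN ID carried by the Tunnel-* triple, or None if it is absent."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_TYPE_IEEE_802:
        return None
    group = str(attrs.get("Tunnel-Private-Group-Id", ""))
    return int(group) if group.isdigit() else None


def resolve_station(mac, dynamic_vlan, acl, radius_attrs, vlan_map):
    """('ok', vlan_ifname_or_None) or ('reject', reason) for one station.
    dynamic_vlan is the hostapd.conf value: 0 off, 1 optional, 2 required.
    ACL-assigned and RADIUS-assigned VLANs pass the same vlan_file check."""
    explicit, wildcard = vlan_map
    vlan = acl.get(mac.lower())
    if vlan is None:
        vlan = vlan_from_access_accept(radius_attrs)
    if dynamic_vlan == 0:
        return ("ok", None)             # VLAN attributes are ignored
    if vlan is None:
        if dynamic_vlan == 1:
            return ("ok", None)         # station stays on the BSS's own bridge
        return ("reject", "authentication server did not include "
                          "required VLAN ID in Access-Accept")
    if vlan in explicit:
        return ("ok", explicit[vlan])
    if wildcard is not None:
        return ("ok", wildcard.replace("#", str(vlan), 1))
    return ("reject", f"Invalid VLAN {vlan} received from RADIUS server")


def vlan_file_collisions(vlan_map, vlan_bridge):
    """Entries whose ifname equals the bridge hostapd names vlan_bridge+ID;
    the ifname should be the per-VLAN wireless interface (e.g. 'wlan1-3.#')."""
    explicit, wildcard = vlan_map
    bad = [v for v, name in explicit.items() if name == f"{vlan_bridge}{v}"]
    if wildcard == f"{vlan_bridge}#":
        bad.append("*")
    return bad


# Constructed sample inputs modelled on the post's files; MACs are made up.
ACCEPT_MAC = "f8:ad:cb:20:79:01 65\n"
VLAN_FILE_POST = "65 br-vlan65\n* br-vlan#\n"
VLAN_FILE_FIXED = "# VLAN ID -> wireless VLAN interface\n* wlan1-3.#\n"


def demo():
    """Run the post's scenarios; returns {scenario: outcome}."""
    acl = parse_accept_mac_file(ACCEPT_MAC)
    empty, post, fixed = (parse_vlan_file(t) for t in ("", VLAN_FILE_POST, VLAN_FILE_FIXED))
    sta = "e6:c6:20:f9:02:d4"
    radius70 = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "70"}
    return {
        "acl_no_vlan_file": resolve_station("F8:AD:CB:20:79:01", 2, acl, {}, empty),
        "acl_with_vlan_file": resolve_station("f8:ad:cb:20:79:01", 2, acl, {}, fixed),
        "required_but_missing": resolve_station(sta, 2, {}, {}, fixed),
        "optional_and_missing": resolve_station(sta, 1, {}, {}, fixed),
        "radius_wildcard": resolve_station(sta, 2, {}, radius70, fixed),
        "post_collisions": vlan_file_collisions(post, "br-vlan"),
        "fixed_collisions": vlan_file_collisions(fixed, "br-vlan"),
    }
```

Running `demo()` shows the ACL entry rejected with "Invalid VLAN 65" when vlan_file is empty and landing on `wlan1-3.65` once a wildcard is present, and `post_collisions` returns `[65, '*']` for the post's vlan_file against vlan_bridge=br-vlan while the corrected file returns `[]`. The model does not touch the kernel, so it cannot tell whether the ath10k side later accepts the AP_VLAN interface; it only checks the configuration hostapd reads.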