Dynamic pre-shared key (dpsk) via radius

I'd like to achieve what the wpa_psk_file offers, but with the information fetched from a radius server:

  • a device with mac connects using a psk
  • openwrt sends a radius auth request containing mac and psk to the radius server
  • the radius server sends a reply
    • an Access-Accept reply would contain Tunnel-Type = VLAN and Tunnel-Private-Group-Id =
  • openwrt disconnects the device or puts it into the according VLAN

Any help would be much appreciated.

Background: Have one open SSID in a network that only allows access to a registration portal. Once a user has registered themselves, information is provided on which SSID to connect to for network access, using a provided personal pre-shared key.

This would allow e.g. guest networks for which each guest has its own PSK (without the configuration overhead for enterprise encryption). If the user's account expires, the associated devices cannot access the network anymore.

Searching finally for 'ppsk' I found this thread and hope that'll help me.

Update: If I followed that information correctly the most recent version of OpenWRT does support this feature. Will look at it…

Update: Seems like https://github.com/openwrt/luci/commit/05af14b25bc0fc2262416dcebf3360b11104198b reverts the needed changes to luci because of https://github.com/openwrt/luci/issues/6902 .

Update: Replacing the wireless.js script with the version from the former MR let me configure dpsk aka ppsk through luci. I ended up with these parameters in /etc/config/wireless:

        option device 'radio0'
        option mode 'ap'
        option ssid 'PPSK_SSID'
        option encryption 'psk2'
        option ppsk '1'
        option auth_server '192.168.1.1'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option auth_port '1812'
        option per_sta_vif '1'
        option vlan_naming '1'
        option auth_secret 'radius_secret'

which is for these settings in luci:

Without luci being able to set these settings, they could be edited directly in /etc/config/wireless. If I do not misread this (mode: ['ap', 'ap-wds'], encryption: ['psk', 'psk2', 'psk+psk2', 'psk-mixed']), ppsk should work for modes ap & ap-wds and with encryptions psk, psk2, psk+psk2, psk-mixed.

Even though the settings end up in my /var/run/hostapd-phy0.conf, the SSID does not become active yet. (I didn't re-install the full version of wpad after my upgrade, but that is needed to interpret the corresponding hostapd.conf lines.)

Update: This seems to work. I get radius-requests on my radius server and I guess I have to adapt it to answer with the required tunnel-password (which it doesn't at the moment). But my question can be considered solved I guess.

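The Tunnel-Password attribute mentioned in the last update does not travel in clear text: RFC 2868 (section 3.5) encrypts it with an MD5 keystream derived from the RADIUS shared secret (the auth_secret value in the config above), the Request Authenticator of the Access-Request, and a per-attribute salt. The Python below is an added example, not part of the original post and not code from OpenWrt or hostapd; the function names, the sample PSK and the Request Authenticator are constructed for illustration.

```python
import hashlib
import os

TUNNEL_PASSWORD = 69  # attribute type from RFC 2868, section 3.5


def rfc2868_crypt(data, secret, request_auth, salt, decrypt):
    """XOR 16-byte blocks with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth + salt  # first block is keyed by R + salt
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = data[i:i + 16]
        res = bytes(a ^ b for a, b in zip(chunk, pad))
        out += res
        prev = chunk if decrypt else res  # chain on the ciphertext either way
    return out


def encode_tunnel_password(psk, secret, request_auth, tag=0, salt=None):
    """Build the Tunnel-Password attribute bytes for an Access-Accept."""
    if not 8 <= len(psk) <= 63:  # WPA2 passphrase length limits
        raise ValueError("PSK must be 8..63 bytes")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if salt is None:  # fresh salt per attribute, high bit set as the RFC requires
        salt = bytes([os.urandom(1)[0] | 0x80]) + os.urandom(1)
    plain = bytes([len(psk)]) + psk
    plain += b"\x00" * (-len(plain) % 16)  # pad to a multiple of 16
    value = bytes([tag]) + salt + rfc2868_crypt(plain, secret, request_auth, salt, False)
    return bytes([TUNNEL_PASSWORD, len(value) + 2]) + value


def decode_tunnel_password(attr, secret, request_auth):
    """Return (tag, psk); raise ValueError on malformed or undecryptable input."""
    if len(attr) < 21 or attr[0] != TUNNEL_PASSWORD or attr[1] != len(attr) or (len(attr) - 5) % 16:
        raise ValueError("malformed Tunnel-Password attribute")
    tag, salt, cipher = attr[2], attr[3:5], attr[5:]
    if not salt[0] & 0x80:
        raise ValueError("salt high bit not set")
    plain = rfc2868_crypt(cipher, secret, request_auth, salt, True)
    if plain[0] > len(plain) - 1:
        raise ValueError("bad length byte (wrong shared secret?)")
    return tag, plain[1:1 + plain[0]]


if __name__ == "__main__":
    secret = b"radius_secret"               # auth_secret from the config above
    req_auth = bytes(range(16))             # constructed Request Authenticator
    attr = encode_tunnel_password(b"guest-psk-0001", secret, req_auth)
    print(attr.hex(), decode_tunnel_password(attr, secret, req_auth))
```

Since this keystream is the only protection for the per-device PSKs between the RADIUS server and the access point, the strength of auth_secret decides how well they are protected on that link; a long random secret and a trusted management segment both matter here.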