Dynamic VLAN not working

Hi all,

openwrt version 18.06.1
QCA9880 which uses ath10k

I am trying to setup dynamic VLAN with MAC authentication using freeRadius.

hostapd-phy0.conf

driver=nl80211
...
ieee80211d=1
ieee80211h=1
hw_mode=a
...
ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
vht_oper_chwidth=0
vht_oper_centr_freq_seg0_idx=151
ieee80211ac=1
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]

interface=wlan0
ctrl_interface=/var/run/hostapd
...
wpa_passphrase=secret
...
ssid=testssid
wpa_disable_eapol_key_retries=0
...
macaddr_acl=2
...
dynamic_vlan=2
vlan_bridge=br-vlan
auth_server_addr=10.155.2.2
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=10.155.2.2
acct_server_port=1813
acct_server_shared_secret=testing123

FreeRadius config:

xxxxxxxxxxxx    Cleartext-Password := xxxxxxxxxxxx
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Tunnel-Private-Group-ID := 4

ifconfig shows:

br-vlan2, br-vlan3, br-vlan4
eth0, eth0.2, eth0.3, eth0.4
wlan0

I am receiving this message and the STA is not receiving any dhcp:

[daemon.info](http://daemon.info) hostapd: wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: Invalid VLAN
4 received from RADIUS server
[daemon.info](http://daemon.info) hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
[daemon.info](http://daemon.info) hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11:
associated (aid 1)
daemon.notice hostapd: wlan0: AP-STA-CONNECTED xx:xx:xx:xx:xx:xx
[daemon.info](http://daemon.info) hostapd: wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: starting
accounting session 7E2E6F0F53968240
[daemon.info](http://daemon.info) hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: pairwise key
handshake completed (RSN)

After reading the posts/links below, I tried an experiment.
I manually created vlans on wlan0: wlan0.3, wlan0.4 and then created /etc/config/hostapd.vlan and populated as so:

3 wlan0.3
4 wlan0.4
* wlan0.#

added the option vlan_file=/etc/config/hostapd.vlan to hostapd config

brctl show

bridge name	bridge id	    STP enabled	         interfaces
br-vlan2	7fff.aecb3f32cd10	no		    eth0.2
br-vlan3	7fff.aecb3f33cd11	no		    eth0.3
							    wlan0.3
br-vlan4	7fff.aecb3f34cd12	no		    eth0.4
                                                            wlan0.4

Now wlan0.3 and wlan0.4 are created and added to the appropriate bridges.
With this setup I am getting these errors:

daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: VLAN ID 4
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
daemon.notice hostapd: Failed to update VLAN-ID for WPA
daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:xx:xx ifname=wlan0.4 vlan_id=4) failed: -22 (Invalid argument)

Is there any way to tell hostapd to use already created interfaces instead of trying to create new ones?

Any advice?
Thanks :slight_smile:

Posts read:

I believe this is wrapped up in the ath10k firmware not being able to process different encryption keys per client. In a dynamic VLAN situation that would be a huge security problem, since anyone authorized on one VLAN could use their AES key (it being the same for all clients on the whole AP, on any VLAN) to snoop on other networks that they are not authorized for.

That was the situation as of last year. I don't know if anything has been developed since then.

@mk24 thanks for the info. I will look into it further.

I have tested the patch on https://bugs.openwrt.org/index.php?do=details&task_id=488 and it fixed the VLAN issue on ath10k.

I am wondering when that will be pushed to upstream?

@heavymetal do you have a patch that works with current master trunk ?

Has anybody else information on why this has never been resolved in OpenWrt ?

Thanks!
Hernán.-

@hmronline I don't have a working patch with the master trunk. I have been trying all day to get a patch working but couldn't get it to work.

@heavymetal and everyone interested on having this working, take a look at this thread:

Please let the developers know there is interest on this fix.

Thanks!
Hernán.-

1 Like

Hi everyone, it seems there is some progress on this topic.

Does anyone know how to get this updated into OpenWrt?