Dynamic VLAN not working

Hi all,

OpenWrt version 18.06.1
QCA9880 which uses ath10k

I am trying to set up dynamic VLAN with MAC authentication using FreeRADIUS.

hostapd-phy0.conf

driver=nl80211
...
ieee80211d=1
ieee80211h=1
hw_mode=a
...
ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
vht_oper_chwidth=0
vht_oper_centr_freq_seg0_idx=151
ieee80211ac=1
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]

interface=wlan0
ctrl_interface=/var/run/hostapd
...
wpa_passphrase=secret
...
ssid=testssid
wpa_disable_eapol_key_retries=0
...
macaddr_acl=2
...
dynamic_vlan=2
vlan_bridge=br-vlan
auth_server_addr=10.155.2.2
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=10.155.2.2
acct_server_port=1813
acct_server_shared_secret=testing123

FreeRADIUS config:

xxxxxxxxxxxx    Cleartext-Password := xxxxxxxxxxxx
    Tunnel-Type = "VLAN",
    Tunnel-Medium-Type = "IEEE-802",
    Tunnel-Private-Group-ID := 4

ifconfig shows:

br-vlan2, br-vlan3, br-vlan4
eth0, eth0.2, eth0.3, eth0.4
wlan0

I am receiving this message and the STA is not receiving any DHCP:

daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: Invalid VLAN 4 received from RADIUS server
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
daemon.notice hostapd: wlan0: AP-STA-CONNECTED xx:xx:xx:xx:xx:xx
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: starting accounting session 7E2E6F0F53968240
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx WPA: pairwise key handshake completed (RSN)

After reading the posts/links below, I tried an experiment.
I manually created VLANs on wlan0: wlan0.3, wlan0.4 and then created /etc/config/hostapd.vlan and populated it like so:

3 wlan0.3
4 wlan0.4
* wlan0.#

I added the option vlan_file=/etc/config/hostapd.vlan to the hostapd config.

brctl show

bridge name     bridge id               STP enabled     interfaces
br-vlan2        7fff.aecb3f32cd10       no              eth0.2
br-vlan3        7fff.aecb3f33cd11       no              eth0.3
                                                        wlan0.3
br-vlan4        7fff.aecb3f34cd12       no              eth0.4
                                                        wlan0.4

Now wlan0.3 and wlan0.4 are created and added to the appropriate bridges.
With this setup I am getting these errors:

daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx RADIUS: VLAN ID 4
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
daemon.info hostapd: wlan0: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
daemon.notice hostapd: Failed to update VLAN-ID for WPA
daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:xx:xx ifname=wlan0.4 vlan_id=4) failed: -22 (Invalid argument)

Is there any way to tell hostapd to use already created interfaces instead of trying to create new ones?

Any advice?
Thanks :)

Posts read:

I believe this is wrapped up in the ath10k firmware not being able to process different encryption keys per client. In a dynamic VLAN situation that would be a huge security problem, since anyone authorized on one VLAN could use their AES key (it being the same for all clients on the whole AP, on any VLAN) to snoop on other networks that they are not authorized for.

That was the situation as of last year. I don't know if anything has been developed since then.
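Added example, not part of the original posts and not hostapd or OpenWrt code: a small log check for the two failure modes quoted in the first post. It reports each station whose RADIUS-assigned VLAN could not be applied and whether hostapd still logged it as connected, which is the case where a client is on the AP without the segregation RADIUS asked for. The MAC addresses and the sample log are constructed; the message formats are copied from the log lines in this thread.

```python
import re

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
FLAGS = re.IGNORECASE
# Message formats taken from the hostapd log lines quoted in this thread.
INVALID_VLAN = re.compile(rf"STA {MAC} RADIUS: Invalid VLAN (?P<vlan>\d+) received", FLAGS)
NL_FAIL = re.compile(
    rf"NL80211_ATTR_STA_VLAN \(addr={MAC} ifname=\S+ vlan_id=(?P<vlan>\d+)\) failed", FLAGS)
CONNECTED = re.compile(rf"AP-STA-CONNECTED {MAC}", FLAGS)


def vlan_failures(lines):
    """Map each station MAC to the VLAN assignments that failed for it and
    whether hostapd still reported that station as connected."""
    report = {}
    connected = set()
    for line in lines:
        if m := CONNECTED.search(line):
            connected.add(m["mac"].lower())
            continue
        for reason, pattern in (("invalid-vlan", INVALID_VLAN),
                                ("nl80211-failed", NL_FAIL)):
            if m := pattern.search(line):
                entry = report.setdefault(m["mac"].lower(), {"failed": set()})
                entry["failed"].add((int(m["vlan"]), reason))
    return {mac: {"failed": sorted(e["failed"]), "connected": mac in connected}
            for mac, e in report.items()}


# Constructed sample input: same message shapes as the thread, made-up MACs.
SAMPLE_LOG = """\
daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 RADIUS: Invalid VLAN 4 received from RADIUS server
daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
daemon.notice hostapd: wlan0: AP-STA-CONNECTED 02:00:00:00:00:01
daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 RADIUS: VLAN ID 3
daemon.notice hostapd: wlan0: AP-STA-CONNECTED 02:00:00:00:00:02
daemon.info hostapd: wlan0: STA 02:00:00:00:00:03 RADIUS: VLAN ID 4
daemon.notice hostapd: Failed to update VLAN-ID for WPA
daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=02:00:00:00:00:03 ifname=wlan0.4 vlan_id=4) failed: -22 (Invalid argument)
""".splitlines()

if __name__ == "__main__":
    for mac, info in vlan_failures(SAMPLE_LOG).items():
        state = "CONNECTED without its VLAN" if info["connected"] else "not connected"
        print(mac, info["failed"], state)
```

The report covers the whole input and does not track disconnects, so feed it one log window at a time (for example a saved `logread` capture).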

@mk24 thanks for the info. I will look into it further.

I have tested the patch on https://bugs.openwrt.org/index.php?do=details&task_id=488 and it fixed the VLAN issue on ath10k.

I am wondering when that will be pushed to upstream?

@heavymetal do you have a patch that works with current master trunk?

Has anybody else information on why this has never been resolved in OpenWrt?

Thanks!
Hernán.-

@hmronline I don't have a working patch with the master trunk. I have been trying all day to get a patch working but couldn't get it to work.

@heavymetal and everyone interested in having this working, take a look at this thread:

Please let the developers know there is interest in this fix.

Thanks!
Hernán.-


Hi everyone, it seems there is some progress on this topic.

Does anyone know how to get this updated into OpenWrt?

For Ath10k, 18.06.x is fine for the AP/VLAN interface mode, but not 19.07.0 / 19.07.1

There seems to be some more info on the -ct bug, and a rebuild to non -ct firmware would likely resolve it.

NerdyProjects posted a commit to OpenWrt that seems related

commit 92953ae99f240a0b45ab66defde5f7b8eeb94e35
Author: Koen Vandeputte <koen.vandeputte@ncentric.com>
Date:   Tue Sep 24 11:58:54 2019 +0200

    ath10k-ct: update to version 2019-09-09
    
    5e8cd86f90da ath10k-ct: Backport ap-vlan code from 5.2 to 4.20 and 4.19 drivers.
    0c518586bd7f ath10k-ct: Fix a few warning splats.
    
    Adds AP VLAN.
    Refreshed all patches.