Hey guys,
I went through the guide https://oldwiki.archive.openwrt.org/doc/howto/wireless.security.8021x to configure the setup.
Currently, dynamic VLAN is not working - I'm getting the following exception:
IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept
The user should be configured correctly on the RADIUS side:
"test1" Cleartext-Password := "test1234"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-ID = "2001"
I already tried setting the parameter use_tunneled_reply = yes in eap.conf, without success.
I'm using a Linksys router, model WRT3200ACM. It uses the Marvell 88W8964 and 88W8887 WLAN chips.
The missing VLAN ID occurs on access points for both chips.
The loaded wireless driver:
modinfo mwlwifi
module: /lib/modules/4.14.95/mwlwifi.ko
license: GPL v2
depends: mac80211,cfg80211
Does anybody know a way to fix the issue? Do I need another driver?
Thanks in advance!
Log of FreeRADIUS:
(8) Received Access-Request Id 12 from 192.168.1.1:35296 to 192.168.1.212:1812 length 227
(8) User-Name = "test1"
(8) Called-Station-Id = "24-F5-A2-C2-F7-A3:OpenWrt66"
(8) NAS-Port-Type = Wireless-802.11
(8) Service-Type = Framed-User
(8) Calling-Station-Id = "50-BC-96-84-3C-0A"
(8) Connect-Info = "CONNECT 0Mbps 802.11a"
(8) Acct-Session-Id = "FBC4D9D5335E908D"
(8) WLAN-Pairwise-Cipher = 1027076
(8) WLAN-Group-Cipher = 1027076
(8) WLAN-AKM-Suite = 1027073
(8) Framed-MTU = 1400
(8) EAP-Message = 0x02c400251900170303001aa993629d35404e00ad1c5a0a7407ff581146e3125452592ee783
(8) State = 0x02a3739105676a2e936f29e2dce577c0
(8) Message-Authenticator = 0x1150b37a80e65cf0e641ec37cd6b4af6
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "test1", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 196 length 37
(8) eap: Continuing tunnel setup
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x07911ddf065507a3
(8) eap: Finished EAP session with state 0x02a3739105676a2e
(8) eap: Previous EAP request found for state 0x02a3739105676a2e, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established. Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap: EAP-Message = 0x02c400061a03
(8) eap_peap: Setting User-Name to test1
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap: EAP-Message = 0x02c400061a03
(8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap: User-Name = "test1"
(8) eap_peap: State = 0x07911ddf065507a31bae855f17af14cc
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x02c400061a03
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "test1"
(8) State = 0x07911ddf065507a31bae855f17af14cc
(8) WARNING: Outer and inner identities are the same. User privacy is compromised.
(8) server inner-tunnel {
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "test1", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 196 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry test1 at line 1
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Expiring EAP session with state 0x07911ddf065507a3
(8) eap: Finished EAP session with state 0x07911ddf065507a3
(8) eap: Previous EAP request found for state 0x07911ddf065507a3, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 196 length 4
(8) eap: Freeing handler
(8) [eap] = ok
(8) } # authenticate = ok
(8) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) post-auth {
(8) if (0) {
(8) if (0) -> FALSE
(8) } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = "2001"
(8) MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) MS-MPPE-Send-Key = 0xbe3c6b969f091ce56e85811c6631acee
(8) MS-MPPE-Recv-Key = 0x655e59abbb2d252b95d6c354835a7dd2
(8) EAP-Message = 0x03c40004
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) User-Name = "test1"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id = "2001"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xbe3c6b969f091ce56e85811c6631acee
(8) eap_peap: MS-MPPE-Recv-Key = 0x655e59abbb2d252b95d6c354835a7dd2
(8) eap_peap: EAP-Message = 0x03c40004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "test1"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap: Tunnel-Type = VLAN
(8) eap_peap: Tunnel-Medium-Type = IEEE-802
(8) eap_peap: Tunnel-Private-Group-Id = "2001"
(8) eap_peap: MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap: MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap: MS-MPPE-Send-Key = 0xbe3c6b969f091ce56e85811c6631acee
(8) eap_peap: MS-MPPE-Recv-Key = 0x655e59abbb2d252b95d6c354835a7dd2
(8) eap_peap: EAP-Message = 0x03c40004
(8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap: User-Name = "test1"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 197 length 46
(8) eap: EAP session adding &reply:State = 0x02a373910a666a2e
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 12 from 192.168.1.212:1812 to 192.168.1.1:35296 length 0
(8) EAP-Message = 0x01c5002e19001703030023c7243f74b347ca13a28c159867b25b51f0169732447fb67858f886fd251affdb427ab8
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0x02a373910a666a2e936f29e2dce577c0
(8) Finished request
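As an added diagnostic (editor's example, not code from the original post, OpenWrt or FreeRADIUS): the excerpt above shows the Tunnel-* attributes in the inner-tunnel reply, but request 8 ends in an Access-Challenge, so it never shows whether they reached the final Access-Accept, which is the packet hostapd inspects. The script below parses freeradius -X output and reports, per request, whether the VLAN triple is present in the inner reply and in the outer packet; the embedded log is a constructed excerpt in the shape of the one above, and request 9 is a hypothetical follow-up added to show the failing case.

```python
import re

# Constructed excerpt shaped like the freeradius -X log in the post: request 8 ends in an
# Access-Challenge (Tunnel-* only in the inner-tunnel reply); request 9 is a hypothetical
# final Access-Accept without them, the case hostapd's "missing VLAN ID" error refers to.
SAMPLE_LOG = """\
(8) Virtual server sending reply
(8) Tunnel-Type = VLAN
(8) Tunnel-Medium-Type = IEEE-802
(8) Tunnel-Private-Group-Id = "2001"
(8) eap_peap: Got tunneled reply code 2
(8) Sent Access-Challenge Id 12 from 192.168.1.212:1812 to 192.168.1.1:35296 length 0
(8) EAP-Message = 0x01c5002e19
(8) Finished request
(9) Sent Access-Accept Id 13 from 192.168.1.212:1812 to 192.168.1.1:35296 length 0
(9) User-Name = "test1"
(9) Finished request
"""

ATTR = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+)(?::\d+)?\s+=\s+(.*)$")  # tag (:N) optional
SENT = re.compile(r"^\((\d+)\)\s+Sent (Access-\w+) Id \d+")
INNER = re.compile(r"^\((\d+)\)\s+Virtual server sending reply")
VLAN_TRIPLE = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def has_vlan_assignment(attrs):
    """True when the attribute set carries what hostapd needs for a dynamic VLAN."""
    return (all(a in attrs for a in VLAN_TRIPLE) and "VLAN" in attrs["Tunnel-Type"]
            and "IEEE-802" in attrs["Tunnel-Medium-Type"])


def analyze(log_text):
    """Per request number: inner-tunnel reply attrs, outer packet code and attrs,
    and whether each attribute set carries the VLAN assignment."""
    reqs, target = {}, None
    new = lambda: {"inner": {}, "outer": {}, "code": None}
    for line in log_text.splitlines():
        if m := INNER.match(line):
            target = reqs.setdefault(int(m.group(1)), new())["inner"]
        elif m := SENT.match(line):
            r = reqs.setdefault(int(m.group(1)), new())
            r["code"], target = m.group(2), r["outer"]
        elif (m := ATTR.match(line)) and target is not None:
            target[m.group(2)] = m.group(3).strip('"')  # attrs directly follow the header
        else:
            target = None  # any other line ends the attribute list
    for r in reqs.values():
        r["inner_vlan"] = has_vlan_assignment(r["inner"])
        r["outer_vlan"] = has_vlan_assignment(r["outer"])
    return reqs
```

Run it over a complete freeradius -X capture: a request whose outer packet is Access-Accept with outer_vlan False while inner_vlan is True is the server-side counterpart of hostapd's error.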