Dynamic VLAN over WPA2-EAP not working

Hey guys,

I went through the guide https://oldwiki.archive.openwrt.org/doc/howto/wireless.security.8021x to configure the setup.

Currently the dynamic VLAN is not working; I'm getting the following error:

 IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept

The user should be configured correctly on the RADIUS side:

"test1"      Cleartext-Password := "test1234"
                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-ID = "2001"

I already tried setting the parameter use_tunneled_reply = yes in eap.conf, without success.

I'm using a Linksys router, model WRT3200ACM. It uses the Marvell 88W8964 and 88W8887 WLAN chips.
The missing VLAN ID occurs on access points for both chips.

The loaded wireless driver:

modinfo mwlwifi
module:		/lib/modules/4.14.95/mwlwifi.ko
license:	GPL v2
depends:	mac80211,cfg80211

Does anybody know a way to fix the issue? Do I need another driver?

Thanks in advance!

Log of FreeRADIUS:

(8) Received Access-Request Id 12 from 192.168.1.1:35296 to 192.168.1.212:1812 length 227
(8)   User-Name = "test1"
(8)   Called-Station-Id = "24-F5-A2-C2-F7-A3:OpenWrt66"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Service-Type = Framed-User
(8)   Calling-Station-Id = "50-BC-96-84-3C-0A"
(8)   Connect-Info = "CONNECT 0Mbps 802.11a"
(8)   Acct-Session-Id = "FBC4D9D5335E908D"
(8)   WLAN-Pairwise-Cipher = 1027076
(8)   WLAN-Group-Cipher = 1027076
(8)   WLAN-AKM-Suite = 1027073
(8)   Framed-MTU = 1400
(8)   EAP-Message = 0x02c400251900170303001aa993629d35404e00ad1c5a0a7407ff581146e3125452592ee783
(8)   State = 0x02a3739105676a2e936f29e2dce577c0
(8)   Message-Authenticator = 0x1150b37a80e65cf0e641ec37cd6b4af6
(8) session-state: No cached attributes
(8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     policy filter_username {
(8)       if (&User-Name) {
(8)       if (&User-Name)  -> TRUE
(8)       if (&User-Name)  {
(8)         if (&User-Name =~ / /) {
(8)         if (&User-Name =~ / /)  -> FALSE
(8)         if (&User-Name =~ /@[^@]*@/ ) {
(8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)         if (&User-Name =~ /\.\./ ) {
(8)         if (&User-Name =~ /\.\./ )  -> FALSE
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)         if (&User-Name =~ /\.$/)  {
(8)         if (&User-Name =~ /\.$/)   -> FALSE
(8)         if (&User-Name =~ /@\./)  {
(8)         if (&User-Name =~ /@\./)   -> FALSE
(8)       } # if (&User-Name)  = notfound
(8)     } # policy filter_username = notfound
(8)     [preprocess] = ok
(8)     [chap] = noop
(8)     [mschap] = noop
(8)     [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "test1", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)     [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 196 length 37
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x07911ddf065507a3
(8) eap: Finished EAP session with state 0x02a3739105676a2e
(8) eap: Previous EAP request found for state 0x02a3739105676a2e, released from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message = 0x02c400061a03
(8) eap_peap: Setting User-Name to test1
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message = 0x02c400061a03
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "test1"
(8) eap_peap:   State = 0x07911ddf065507a31bae855f17af14cc
(8) Virtual server inner-tunnel received request
(8)   EAP-Message = 0x02c400061a03
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "test1"
(8)   State = 0x07911ddf065507a31bae855f17af14cc
(8) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authorize {
(8)       policy filter_username {
(8)         if (&User-Name) {
(8)         if (&User-Name)  -> TRUE
(8)         if (&User-Name)  {
(8)           if (&User-Name =~ / /) {
(8)           if (&User-Name =~ / /)  -> FALSE
(8)           if (&User-Name =~ /@[^@]*@/ ) {
(8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(8)           if (&User-Name =~ /\.\./ ) {
(8)           if (&User-Name =~ /\.\./ )  -> FALSE
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(8)           if (&User-Name =~ /\.$/)  {
(8)           if (&User-Name =~ /\.$/)   -> FALSE
(8)           if (&User-Name =~ /@\./)  {
(8)           if (&User-Name =~ /@\./)   -> FALSE
(8)         } # if (&User-Name)  = notfound
(8)       } # policy filter_username = notfound
(8)       [chap] = noop
(8)       [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "test1", looking up realm NULL
(8) suffix: No such realm "NULL"
(8)       [suffix] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 196 length 6
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8) files: users: Matched entry test1 at line 1
(8)       [files] = ok
(8)       [expiration] = noop
(8)       [logintime] = noop
(8) pap: WARNING: Auth-Type already set.  Not setting to PAP
(8)       [pap] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x07911ddf065507a3
(8) eap: Finished EAP session with state 0x07911ddf065507a3
(8) eap: Previous EAP request found for state 0x07911ddf065507a3, released from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap: Sending EAP Success (code 3) ID 196 length 4
(8) eap: Freeing handler
(8)       [eap] = ok
(8)     } # authenticate = ok
(8)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     post-auth {
(8)       if (0) {
(8)       if (0)  -> FALSE
(8)     } # post-auth = noop
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8)   Tunnel-Type = VLAN
(8)   Tunnel-Medium-Type = IEEE-802
(8)   Tunnel-Private-Group-Id = "2001"
(8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8)   MS-MPPE-Send-Key = 0xbe3c6b969f091ce56e85811c6631acee
(8)   MS-MPPE-Recv-Key = 0x655e59abbb2d252b95d6c354835a7dd2
(8)   EAP-Message = 0x03c40004
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   User-Name = "test1"
(8) eap_peap: Got tunneled reply code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "2001"
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0xbe3c6b969f091ce56e85811c6631acee
(8) eap_peap:   MS-MPPE-Recv-Key = 0x655e59abbb2d252b95d6c354835a7dd2
(8) eap_peap:   EAP-Message = 0x03c40004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "test1"
(8) eap_peap: Got tunneled reply RADIUS code 2
(8) eap_peap:   Tunnel-Type = VLAN
(8) eap_peap:   Tunnel-Medium-Type = IEEE-802
(8) eap_peap:   Tunnel-Private-Group-Id = "2001"
(8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
(8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
(8) eap_peap:   MS-MPPE-Send-Key = 0xbe3c6b969f091ce56e85811c6631acee
(8) eap_peap:   MS-MPPE-Recv-Key = 0x655e59abbb2d252b95d6c354835a7dd2
(8) eap_peap:   EAP-Message = 0x03c40004
(8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
(8) eap_peap:   User-Name = "test1"
(8) eap_peap: Tunneled authentication was successful
(8) eap_peap: SUCCESS
(8) eap: Sending EAP Request (code 1) ID 197 length 46
(8) eap: EAP session adding &reply:State = 0x02a373910a666a2e
(8)     [eap] = handled
(8)   } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   Challenge { ... } # empty sub-section is ignored
(8) Sent Access-Challenge Id 12 from 192.168.1.212:1812 to 192.168.1.1:35296 length 0
(8)   EAP-Message = 0x01c5002e19001703030023c7243f74b347ca13a28c159867b25b51f0169732447fb67858f886fd251affdb427ab8
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0x02a373910a666a2e936f29e2dce577c0
(8) Finished request
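Added example, not part of the original post and not code from hostapd, FreeRADIUS or OpenWrt. hostapd derives the dynamic VLAN from the outer Access-Accept it receives, following RFC 3580: it needs Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and a Tunnel-Private-Group-ID holding the VLAN number, all under the same RFC 2868 tag; when dynamic_vlan is set to required and none of that is usable it logs the "did not include required VLAN ID in Access-Accept" message quoted above. The log above shows those attributes in the inner-tunnel reply, but the request it covers ends in an Access-Challenge, so the packet that decides the outcome is the final Access-Accept of the following request. The script below parses such a datagram, verifies its Response Authenticator against the shared secret (RFC 2865), and applies the tag-aware VLAN check. The shared secret, Request Authenticator and both packets in it are constructed for the example; to use it on a real exchange, feed it the UDP payload of the Access-Accept captured on the RADIUS server together with the Request Authenticator of the matching Access-Request.

```python
"""Check a RADIUS Access-Accept for the RFC 3580 dynamic-VLAN attributes an
802.1X authenticator such as hostapd looks for. Added example, not project code."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580 section 3.32
TUNNEL_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)


def parse_radius(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, pkt[4:20], attrs


def split_tag(atype, value):
    """RFC 2868 tagging: Tunnel-Type and Tunnel-Medium-Type are tag(1)+int(3);
    Tunnel-Private-Group-ID has a tag byte only if its first byte is 0x00..0x1F."""
    if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
        if len(value) != 4:
            raise ValueError("tagged tunnel integer must be 4 bytes")
        return value[0], int.from_bytes(value[1:], "big")
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(pkt):
    """Return (vlan_id, detail). vlan_id is None when no single tag carries
    Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and a numeric group ID,
    i.e. when the AP has no VLAN to assign."""
    code, _, _, attrs = parse_radius(pkt)
    if code != ACCESS_ACCEPT:
        return None, "not an Access-Accept (code %d)" % code
    per_tag = {}
    for atype, value in attrs:
        if atype in TUNNEL_ATTRS:
            tag, v = split_tag(atype, value)
            per_tag.setdefault(tag, {})[atype] = v
    for tag, group in sorted(per_tag.items()):
        if (group.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN
                or group.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802
                or ATTR_TUNNEL_PRIVATE_GROUP_ID not in group):
            continue
        gid = group[ATTR_TUNNEL_PRIVATE_GROUP_ID]
        if not gid.isdigit() or not 1 <= int(gid) <= 4094:
            return None, "Tunnel-Private-Group-ID %r is not a VLAN ID in 1..4094" % gid
        return int(gid), "tag %d" % tag
    return None, "no tag carries all three RFC 3580 VLAN attributes"


def response_authenticator(pkt, request_auth, secret):
    """RFC 2865 section 3: MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()


def verify_access_accept(pkt, request_auth, secret):
    """True if the reply was produced by a server holding the shared secret."""
    return hmac.compare_digest(pkt[4:20], response_authenticator(pkt, request_auth, secret))


def attr(atype, value):
    return bytes([atype, 2 + len(value)]) + value


def tagged_int(atype, tag, value):
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def build_access_accept(ident, attrs, request_auth, secret):
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + response_authenticator(header + bytes(16) + body, request_auth, secret) + body


SECRET = b"testing123"            # constructed shared secret, not a real one
REQUEST_AUTH = bytes(range(16))   # constructed Access-Request authenticator
# Constructed reply carrying the tunnel attributes the log above shows in the inner reply.
GOOD_ACCEPT = build_access_accept(12, [
    tagged_int(ATTR_TUNNEL_TYPE, 0, TUNNEL_TYPE_VLAN),
    tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, 0, TUNNEL_MEDIUM_IEEE_802),
    attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + b"2001"),
    attr(ATTR_USER_NAME, b"test1"),
], REQUEST_AUTH, SECRET)
# Same reply without them, as when the inner reply never reaches the outer one.
BARE_ACCEPT = build_access_accept(12, [attr(ATTR_USER_NAME, b"test1")], REQUEST_AUTH, SECRET)

if __name__ == "__main__":
    for name, pkt in (("with VLAN attrs", GOOD_ACCEPT), ("without", BARE_ACCEPT)):
        auth = "authentic" if verify_access_accept(pkt, REQUEST_AUTH, SECRET) else "FORGED"
        print("%-16s %s -> %r" % (name, auth, vlan_from_access_accept(pkt)))
```

Two things to keep in mind when using this against a FreeRADIUS 3.0 server like the one in the log: the inner-tunnel reply only reaches the outer Access-Accept if the inner-tunnel virtual server's post-auth section copies it (the stock configuration does this with `update { &outer.session-state: += &reply: }`, and the default virtual server's post-auth then does `update { &reply: += &session-state: }`); `use_tunneled_reply` is the older eap-module mechanism those two blocks replaced, and in 3.0 the eap module is configured in mods-available/eap rather than eap.conf. Seeing the attributes in the inner-tunnel debug output, as above, therefore does not by itself prove they were sent to 192.168.1.1; the outer Access-Accept is what to check.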

The current content is at https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x

It might have been updated a little, based on its history.

If you've already created the needed "target" VLAN interfaces, including configuring vid and pvid (if needed, as many all-in-one devices' switches/drivers are limited in the number of VLANs they can put in their table), then it's past my debugging skill here.