Dynamic VLAN tagging error

Hi guys, I am trying to make dynamic VLANs work on the OpenWrt 21 release and failing miserably. I followed the wiki for the FreeRADIUS setup and then for the dynamic VLAN setup. FreeRADIUS works on the 21 release without dynamic VLANs. In the past, dynamic VLANs worked on OpenWrt release 18 with the same configuration.

I have narrowed down the issue to the way OpenWrt forms bridges in new releases. In the past, as far as I understood, after assigning the name and type to an interface (i.e. config device 'vlanX', option type 'bridge' and option ifname 'eth0.X'), only the interface becomes the bridge.

In the OpenWrt 21 release the whole VLAN becomes the bridge. With option dynamic_vlan set to '1', an Android client reports an "IP obtain failure" error; with the option set to '2', the client only gets as far as authenticating against the RADIUS server and then immediately disassociates.

Here are my configurations:
network

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option description 'lan'
	option ports '0t 4'

config device
	option name 'br-vlan2'
	option type 'bridge'
	list ports 'eth0.2'
	option bridge_empty '1'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.12.1'
	option device 'br-vlan2'

wireless

onfig wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'redacted'
	option auth_server '127.0.0.1'
	option auth_secret 'Flying Dutchman'
	option auth_port '1812'
	option short_preamble '0'
	option skip_inactivity_poll '1'
	option disassoc_low_ack '0'
	option encryption 'wpa2'
	option dynamic_vlan	'2'
	option 'vlan_tagged_interface' 'eth0'
	option 'vlan_bridge' 'br-vlan'
	option 'vlan_naming' '0'

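hostapd-conf (the generated file; it shows vlan_naming=1 and auth_server_shared_secret=testing123, which do not match the vlan_naming '0' and auth_secret values in the wireless config above, and ssid/auth_secret there look swapped by the redaction)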

driver=nl80211
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
country_code=AU
ieee80211d=1
hw_mode=g
supported_rates=60 90 120 180 240 360 480 540
basic_rates=60 120 240
beacon_int=100
dtim_period=2
channel=acs_survey

bss=wlan1-1
ctrl_interface=/var/run/hostapd
bss_load_update_period=60
chan_util_avg_period=600
disassoc_low_ack=0
skip_inactivity_poll=1
preamble=0
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
utf8_ssid=1
multi_ap=0
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=Flying Dutchman
wpa_disable_eapol_key_retries=0
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
dynamic_vlan=2
vlan_naming=1
vlan_bridge=br-vlan
vlan_no_bridge=
vlan_tagged_interface=eth0
vlan_file=/var/run/hostapd-wlan1-1.vlan
qos_map_set=0,0,2,16,1,1,255,255,18,22,24,38,40,40,44,46,48,56
config_id=1f3c4e77dec01aae5c60e46edaf14f84
bssid=[redacted]

authorize

"username"      Cleartext-Password := "password"
 		Tunnel-Type = "VLAN",
		Tunnel-Medium-Type = "IEEE-802",
		Tunnel-Private-Group-ID = "2"

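RADIUS log (FreeRADIUS debug output; the MS-MPPE keys and the station MAC addresses in request (9) appear unredacted below)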

Fri May 20 06:02:41 2022 : Debug: (8) Received Access-Request Id 198 from 127.0.0.1:42593 to 127.0.0.1:1812 length 243
Fri May 20 06:02:41 2022 : Debug: (8)   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (8)   Called-Station-Id = "[bssid-redacted]:Flying Dutchman"
Fri May 20 06:02:41 2022 : Debug: (8)   NAS-Port-Type = Wireless-802.11
Fri May 20 06:02:41 2022 : Debug: (8)   Service-Type = Framed-User
Fri May 20 06:02:41 2022 : Debug: (8)   NAS-Port = 1
Fri May 20 06:02:41 2022 : Debug: (8)   Calling-Station-Id = "[redacted]"
Fri May 20 06:02:41 2022 : Debug: (8)   Connect-Info = "CONNECT 54Mbps 802.11g"
Fri May 20 06:02:41 2022 : Debug: (8)   Acct-Session-Id = "6F15CF928BCDE380"
Fri May 20 06:02:41 2022 : Debug: (8)   Attr-186 = 0x000fac04
Fri May 20 06:02:41 2022 : Debug: (8)   Attr-187 = 0x000fac04
Fri May 20 06:02:41 2022 : Debug: (8)   Attr-188 = 0x000fac01
Fri May 20 06:02:41 2022 : Debug: (8)   Framed-MTU = 1400
Fri May 20 06:02:41 2022 : Debug: (8)   EAP-Message = 0x020c00251900170303001a0000000000000003313dd22794699cbafd7f8cb0d061e14d3def
Fri May 20 06:02:41 2022 : Debug: (8)   State = 0x8e3d1b5f8931027ea2a5775956759b52
Fri May 20 06:02:41 2022 : Debug: (8)   Message-Authenticator = 0xd0a01734c932441a5690f918c2f0cd30
Fri May 20 06:02:41 2022 : Debug: (8) Restoring &session-state
Fri May 20 06:02:41 2022 : Debug: (8)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
Fri May 20 06:02:41 2022 : Debug: (8)   &session-state:TLS-Session-Version = "TLS 1.2"
Fri May 20 06:02:41 2022 : Debug: (8) # Executing section authorize from file /etc/freeradius3/sites-enabled/default
Fri May 20 06:02:41 2022 : Debug: (8)   authorize {
Fri May 20 06:02:41 2022 : Debug: (8)     policy filter_username {
Fri May 20 06:02:41 2022 : Debug: (8)       if (&User-Name) {
Fri May 20 06:02:41 2022 : Debug: (8)       if (&User-Name)  -> TRUE
Fri May 20 06:02:41 2022 : Debug: (8)       if (&User-Name)  {
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ / /) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ / /)  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /@[^@]*@/ ) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /\.\./ ) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /\.\./ )  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /\.$/)  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /\.$/)   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /@\./)  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name =~ /@\./)   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)       } # if (&User-Name)  = notfound
Fri May 20 06:02:41 2022 : Debug: (8)     } # policy filter_username = notfound
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Fri May 20 06:02:41 2022 : Debug: (8)     [preprocess] = ok
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authorize]: calling suffix (rlm_realm)
Fri May 20 06:02:41 2022 : Debug: (8) suffix: Checking for suffix after "@"
Fri May 20 06:02:41 2022 : Debug: (8) suffix: No '@' in User-Name = "username", looking up realm NULL
Fri May 20 06:02:41 2022 : Debug: (8) suffix: No such realm "NULL"
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authorize]: returned from suffix (rlm_realm)
Fri May 20 06:02:41 2022 : Debug: (8)     [suffix] = noop
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authorize]: calling eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8) eap: Peer sent EAP Response (code 2) ID 12 length 37
Fri May 20 06:02:41 2022 : Debug: (8) eap: Continuing tunnel setup
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authorize]: returned from eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8)     [eap] = ok
Fri May 20 06:02:41 2022 : Debug: (8)   } # authorize = ok
Fri May 20 06:02:41 2022 : Debug: (8) Found Auth-Type = eap
Fri May 20 06:02:41 2022 : Debug: (8) # Executing group from file /etc/freeradius3/sites-enabled/default
Fri May 20 06:02:41 2022 : Debug: (8)   authenticate {
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authenticate]: calling eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8) eap: Expiring EAP session with state 0x8e3d1b5f8931027e
Fri May 20 06:02:41 2022 : Debug: (8) eap: Finished EAP session with state 0x8e3d1b5f8931027e
Fri May 20 06:02:41 2022 : Debug: (8) eap: Previous EAP request found for state 0x8e3d1b5f8931027e, released from the list
Fri May 20 06:02:41 2022 : Debug: (8) eap: Peer sent packet with method EAP PEAP (25)
Fri May 20 06:02:41 2022 : Debug: (8) eap: Calling submodule eap_peap to process data
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Continuing EAP-TLS
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Peer sent flags ---
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: [eaptls verify] = ok
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Done initial handshake
Fri May 20 06:02:41 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: [eaptls process] = ok
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Session established.  Decoding tunneled attributes
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: PEAP state phase2
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: EAP method MSCHAPv2 (26)
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Got tunneled request
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   EAP-Message = 0x020c00061a03
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Setting User-Name to username
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Sending tunneled request to inner-tunnel
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   EAP-Message = 0x020c00061a03
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   State = 0xcbd8c861cad4d24bb8af9dc7872e7809
Fri May 20 06:02:41 2022 : Debug: (8) Virtual server inner-tunnel received request
Fri May 20 06:02:41 2022 : Debug: (8)   EAP-Message = 0x020c00061a03
Fri May 20 06:02:41 2022 : Debug: (8)   FreeRADIUS-Proxied-To = 127.0.0.1
Fri May 20 06:02:41 2022 : Debug: (8)   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (8)   State = 0xcbd8c861cad4d24bb8af9dc7872e7809
Fri May 20 06:02:41 2022 : WARNING: (8) Outer and inner identities are the same.  User privacy is compromised.
Fri May 20 06:02:41 2022 : Debug: (8) server inner-tunnel {
Fri May 20 06:02:41 2022 : Debug: (8)   session-state: No cached attributes
Fri May 20 06:02:41 2022 : Debug: (8)   # Executing section authorize from file /etc/freeradius3/sites-enabled/inner-tunnel
Fri May 20 06:02:41 2022 : Debug: (8)     authorize {
Fri May 20 06:02:41 2022 : Debug: (8)       policy filter_username {
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name) {
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name)  -> TRUE
Fri May 20 06:02:41 2022 : Debug: (8)         if (&User-Name)  {
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ / /) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ / /)  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /@[^@]*@/ ) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /\.\./ ) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /\.\./ )  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /\.$/)  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /\.$/)   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /@\./)  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (8)           if (&User-Name =~ /@\./)   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)         } # if (&User-Name)  = notfound
Fri May 20 06:02:41 2022 : Debug: (8)       } # policy filter_username = notfound
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling inner-eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Peer sent EAP Response (code 2) ID 12 length 6
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: No EAP Start, assuming it's an on-going EAP conversation
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from inner-eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8)       [inner-eap] = updated
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling chap (rlm_chap)
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from chap (rlm_chap)
Fri May 20 06:02:41 2022 : Debug: (8)       [chap] = noop
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling mschap (rlm_mschap)
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from mschap (rlm_mschap)
Fri May 20 06:02:41 2022 : Debug: (8)       [mschap] = noop
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling suffix (rlm_realm)
Fri May 20 06:02:41 2022 : Debug: (8) suffix: Checking for suffix after "@"
Fri May 20 06:02:41 2022 : Debug: (8) suffix: No '@' in User-Name = "username", looking up realm NULL
Fri May 20 06:02:41 2022 : Debug: (8) suffix: No such realm "NULL"
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from suffix (rlm_realm)
Fri May 20 06:02:41 2022 : Debug: (8)       [suffix] = noop
Fri May 20 06:02:41 2022 : Debug: (8)       update control {
Fri May 20 06:02:41 2022 : Debug: (8)         &Proxy-To-Realm := LOCAL
Fri May 20 06:02:41 2022 : Debug: (8)       } # update control = noop
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling files (rlm_files)
Fri May 20 06:02:41 2022 : Debug: (8) files: users: Matched entry username at line 1
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: FROM 3 TO 0 MAX 3
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: Examining Tunnel-Type
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: APPENDING Tunnel-Type FROM 0 TO 0
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: Examining Tunnel-Medium-Type
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: APPENDING Tunnel-Medium-Type FROM 1 TO 0
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: Examining Tunnel-Private-Group-Id
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: APPENDING Tunnel-Private-Group-Id FROM 2 TO 0
Fri May 20 06:02:41 2022 : Debug: (8) files: ::: TO in 0 out 0
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from files (rlm_files)
Fri May 20 06:02:41 2022 : Debug: (8)       [files] = ok
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling expiration (rlm_expiration)
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from expiration (rlm_expiration)
Fri May 20 06:02:41 2022 : Debug: (8)       [expiration] = noop
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling logintime (rlm_logintime)
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from logintime (rlm_logintime)
Fri May 20 06:02:41 2022 : Debug: (8)       [logintime] = noop
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: calling pap (rlm_pap)
Fri May 20 06:02:41 2022 : WARNING: (8) pap: Auth-Type already set.  Not setting to PAP
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authorize]: returned from pap (rlm_pap)
Fri May 20 06:02:41 2022 : Debug: (8)       [pap] = noop
Fri May 20 06:02:41 2022 : Debug: (8)     } # authorize = updated
Fri May 20 06:02:41 2022 : WARNING: (8)   You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
Fri May 20 06:02:41 2022 : Debug: (8)   Found Auth-Type = inner-eap
Fri May 20 06:02:41 2022 : Debug: (8)   # Executing group from file /etc/freeradius3/sites-enabled/inner-tunnel
Fri May 20 06:02:41 2022 : Debug: (8)     authenticate {
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authenticate]: calling inner-eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Expiring EAP session with state 0xcbd8c861cad4d24b
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Finished EAP session with state 0xcbd8c861cad4d24b
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Previous EAP request found for state 0xcbd8c861cad4d24b, released from the list
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Peer sent packet with method EAP MSCHAPv2 (26)
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Calling submodule eap_mschapv2 to process data
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Sending EAP Success (code 3) ID 12 length 4
Fri May 20 06:02:41 2022 : Debug: (8) inner-eap: Freeing handler
Fri May 20 06:02:41 2022 : Debug: (8)       modsingle[authenticate]: returned from inner-eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8)       [inner-eap] = ok
Fri May 20 06:02:41 2022 : Debug: (8)     } # authenticate = ok
Fri May 20 06:02:41 2022 : Debug: (8)   # Executing section post-auth from file /etc/freeradius3/sites-enabled/inner-tunnel
Fri May 20 06:02:41 2022 : Debug: (8)     post-auth {
Fri May 20 06:02:41 2022 : Debug: (8)       update outer.session-state {
Fri May 20 06:02:41 2022 : Debug: (8)         User-Name := &User-Name -> 'username'
Fri May 20 06:02:41 2022 : Debug: (8)       } # update outer.session-state = noop
Fri May 20 06:02:41 2022 : Debug: (8)       if (0) {
Fri May 20 06:02:41 2022 : Debug: (8)       if (0)  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (8)     } # post-auth = noop
Fri May 20 06:02:41 2022 : Debug: (8) } # server inner-tunnel
Fri May 20 06:02:41 2022 : Debug: (8) Virtual server sending reply
Fri May 20 06:02:41 2022 : Debug: (8)   Tunnel-Type = VLAN
Fri May 20 06:02:41 2022 : Debug: (8)   Tunnel-Medium-Type = IEEE-802
Fri May 20 06:02:41 2022 : Debug: (8)   Tunnel-Private-Group-Id = "2"
Fri May 20 06:02:41 2022 : Debug: (8)   MS-MPPE-Encryption-Policy = Encryption-Allowed
Fri May 20 06:02:41 2022 : Debug: (8)   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
Fri May 20 06:02:41 2022 : Debug: (8)   MS-MPPE-Send-Key = 0x2348a4bcedb2d874d2bfa050d456fc8e
Fri May 20 06:02:41 2022 : Debug: (8)   MS-MPPE-Recv-Key = 0x5a241e61bad9d5e5f3108dc9f90b0cec
Fri May 20 06:02:41 2022 : Debug: (8)   EAP-Message = 0x030c0004
Fri May 20 06:02:41 2022 : Debug: (8)   Message-Authenticator = 0x00000000000000000000000000000000
Fri May 20 06:02:41 2022 : Debug: (8)   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Got tunneled reply code 2
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Tunnel-Type = VLAN
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Tunnel-Medium-Type = IEEE-802
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Tunnel-Private-Group-Id = "2"
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Send-Key = 0x2348a4bcedb2d874d2bfa050d456fc8e
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Recv-Key = 0x5a241e61bad9d5e5f3108dc9f90b0cec
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   EAP-Message = 0x030c0004
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Got tunneled reply RADIUS code 2
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Tunnel-Type = VLAN
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Tunnel-Medium-Type = IEEE-802
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Tunnel-Private-Group-Id = "2"
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Encryption-Policy = Encryption-Allowed
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Send-Key = 0x2348a4bcedb2d874d2bfa050d456fc8e
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   MS-MPPE-Recv-Key = 0x5a241e61bad9d5e5f3108dc9f90b0cec
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   EAP-Message = 0x030c0004
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   Message-Authenticator = 0x00000000000000000000000000000000
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap:   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: Tunneled authentication was successful
Fri May 20 06:02:41 2022 : Debug: (8) eap_peap: SUCCESS
Fri May 20 06:02:41 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Fri May 20 06:02:41 2022 : Debug: (8) eap: Sending EAP Request (code 1) ID 13 length 46
Fri May 20 06:02:41 2022 : Debug: (8) eap: EAP session adding &reply:State = 0x8e3d1b5f8630027e
Fri May 20 06:02:41 2022 : Debug: (8)     modsingle[authenticate]: returned from eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (8)     [eap] = handled
Fri May 20 06:02:41 2022 : Debug: (8)   } # authenticate = handled
Fri May 20 06:02:41 2022 : Debug: (8) Using Post-Auth-Type Challenge
Fri May 20 06:02:41 2022 : Debug: (8) # Executing group from file /etc/freeradius3/sites-enabled/default
Fri May 20 06:02:41 2022 : Debug: (8)   Challenge { ... } # empty sub-section is ignored
Fri May 20 06:02:41 2022 : Debug: (8) session-state: Saving cached attributes
Fri May 20 06:02:41 2022 : Debug: (8)   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
Fri May 20 06:02:41 2022 : Debug: (8)   TLS-Session-Version = "TLS 1.2"
Fri May 20 06:02:41 2022 : Debug: (8)   User-Name := "username"
Fri May 20 06:02:41 2022 : Debug: (8) Sent Access-Challenge Id 198 from 127.0.0.1:1812 to 127.0.0.1:42593 length 0
Fri May 20 06:02:41 2022 : Debug: (8)   EAP-Message = 0x010d002e190017030300239304ada92bc6a5700bb73e5e8f9d2dcb1786924b9a3cbc63d663b5cd21a1a51dca975e
Fri May 20 06:02:41 2022 : Debug: (8)   Message-Authenticator = 0x00000000000000000000000000000000
Fri May 20 06:02:41 2022 : Debug: (8)   State = 0x8e3d1b5f8630027ea2a5775956759b52
Fri May 20 06:02:41 2022 : Debug: (8) Finished request
Fri May 20 06:02:41 2022 : Debug: Waking up in 4.6 seconds.
Fri May 20 06:02:41 2022 : Debug: (9) Received Access-Request Id 199 from 127.0.0.1:42593 to 127.0.0.1:1812 length 252
Fri May 20 06:02:41 2022 : Debug: (9)   User-Name = "username"
Fri May 20 06:02:41 2022 : Debug: (9)   Called-Station-Id = "A0-63-91-A6-4D-A0:Flying Dutchman"
Fri May 20 06:02:41 2022 : Debug: (9)   NAS-Port-Type = Wireless-802.11
Fri May 20 06:02:41 2022 : Debug: (9)   Service-Type = Framed-User
Fri May 20 06:02:41 2022 : Debug: (9)   NAS-Port = 1
Fri May 20 06:02:41 2022 : Debug: (9)   Calling-Station-Id = "4C-66-41-41-6E-74"
Fri May 20 06:02:41 2022 : Debug: (9)   Connect-Info = "CONNECT 54Mbps 802.11g"
Fri May 20 06:02:41 2022 : Debug: (9)   Acct-Session-Id = "6F15CF928BCDE380"
Fri May 20 06:02:41 2022 : Debug: (9)   Attr-186 = 0x000fac04
Fri May 20 06:02:41 2022 : Debug: (9)   Attr-187 = 0x000fac04
Fri May 20 06:02:41 2022 : Debug: (9)   Attr-188 = 0x000fac01
Fri May 20 06:02:41 2022 : Debug: (9)   Framed-MTU = 1400
Fri May 20 06:02:41 2022 : Debug: (9)   EAP-Message = 0x020d002e190017030300230000000000000004c571bdb9946d356451cfb505a88f37313e5e87f8661b26492ecd35
Fri May 20 06:02:41 2022 : Debug: (9)   State = 0x8e3d1b5f8630027ea2a5775956759b52
Fri May 20 06:02:41 2022 : Debug: (9)   Message-Authenticator = 0x4db15ef01bc190088166bfe502503fba
Fri May 20 06:02:41 2022 : Debug: (9) Restoring &session-state
Fri May 20 06:02:41 2022 : Debug: (9)   &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
Fri May 20 06:02:41 2022 : Debug: (9)   &session-state:TLS-Session-Version = "TLS 1.2"
Fri May 20 06:02:41 2022 : Debug: (9)   &session-state:User-Name := "username"
Fri May 20 06:02:41 2022 : Debug: (9) # Executing section authorize from file /etc/freeradius3/sites-enabled/default
Fri May 20 06:02:41 2022 : Debug: (9)   authorize {
Fri May 20 06:02:41 2022 : Debug: (9)     policy filter_username {
Fri May 20 06:02:41 2022 : Debug: (9)       if (&User-Name) {
Fri May 20 06:02:41 2022 : Debug: (9)       if (&User-Name)  -> TRUE
Fri May 20 06:02:41 2022 : Debug: (9)       if (&User-Name)  {
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ / /) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ / /)  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /@[^@]*@/ ) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /\.\./ ) {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /\.\./ )  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (9)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /\.$/)  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /\.$/)   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /@\./)  {
Fri May 20 06:02:41 2022 : Debug: No old matches
Fri May 20 06:02:41 2022 : Debug: (9)         if (&User-Name =~ /@\./)   -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)       } # if (&User-Name)  = notfound
Fri May 20 06:02:41 2022 : Debug: (9)     } # policy filter_username = notfound
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authorize]: calling preprocess (rlm_preprocess)
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authorize]: returned from preprocess (rlm_preprocess)
Fri May 20 06:02:41 2022 : Debug: (9)     [preprocess] = ok
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authorize]: calling suffix (rlm_realm)
Fri May 20 06:02:41 2022 : Debug: (9) suffix: Checking for suffix after "@"
Fri May 20 06:02:41 2022 : Debug: (9) suffix: No '@' in User-Name = "username", looking up realm NULL
Fri May 20 06:02:41 2022 : Debug: (9) suffix: No such realm "NULL"
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authorize]: returned from suffix (rlm_realm)
Fri May 20 06:02:41 2022 : Debug: (9)     [suffix] = noop
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authorize]: calling eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (9) eap: Peer sent EAP Response (code 2) ID 13 length 46
Fri May 20 06:02:41 2022 : Debug: (9) eap: Continuing tunnel setup
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authorize]: returned from eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (9)     [eap] = ok
Fri May 20 06:02:41 2022 : Debug: (9)   } # authorize = ok
Fri May 20 06:02:41 2022 : Debug: (9) Found Auth-Type = eap
Fri May 20 06:02:41 2022 : Debug: (9) # Executing group from file /etc/freeradius3/sites-enabled/default
Fri May 20 06:02:41 2022 : Debug: (9)   authenticate {
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authenticate]: calling eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (9) eap: Expiring EAP session with state 0x8e3d1b5f8630027e
Fri May 20 06:02:41 2022 : Debug: (9) eap: Finished EAP session with state 0x8e3d1b5f8630027e
Fri May 20 06:02:41 2022 : Debug: (9) eap: Previous EAP request found for state 0x8e3d1b5f8630027e, released from the list
Fri May 20 06:02:41 2022 : Debug: (9) eap: Peer sent packet with method EAP PEAP (25)
Fri May 20 06:02:41 2022 : Debug: (9) eap: Calling submodule eap_peap to process data
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: Continuing EAP-TLS
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: Peer sent flags ---
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: [eaptls verify] = ok
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: Done initial handshake
Fri May 20 06:02:41 2022 : Debug: Ignoring cbtls_msg call with pseudo content type 256, version 0
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: [eaptls process] = ok
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: Session established.  Decoding tunneled attributes
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: PEAP state send tlv success
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: Received EAP-TLV response
Fri May 20 06:02:41 2022 : Debug: (9) eap_peap: Success
Fri May 20 06:02:41 2022 : Debug: (9) eap: Sending EAP Success (code 3) ID 13 length 4
Fri May 20 06:02:41 2022 : Debug: (9) eap: Freeing handler
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[authenticate]: returned from eap (rlm_eap)
Fri May 20 06:02:41 2022 : Debug: (9)     [eap] = ok
Fri May 20 06:02:41 2022 : Debug: (9)   } # authenticate = ok
Fri May 20 06:02:41 2022 : Debug: (9) # Executing section post-auth from file /etc/freeradius3/sites-enabled/default
Fri May 20 06:02:41 2022 : Debug: (9)   post-auth {
Fri May 20 06:02:41 2022 : Debug: (9)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
Fri May 20 06:02:41 2022 : Debug: (9)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> TRUE
Fri May 20 06:02:41 2022 : Debug: (9)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  {
Fri May 20 06:02:41 2022 : Debug: (9)       update reply {
Fri May 20 06:02:41 2022 : Debug: (9)         &User-Name !* ANY
Fri May 20 06:02:41 2022 : Debug: (9)       } # update reply = noop
Fri May 20 06:02:41 2022 : Debug: (9)     } # if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  = noop
Fri May 20 06:02:41 2022 : Debug: (9)     update {
Fri May 20 06:02:41 2022 : Debug: (9)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES128-GCM-SHA256'
Fri May 20 06:02:41 2022 : Debug: (9)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
Fri May 20 06:02:41 2022 : Debug: (9)       &reply::User-Name += &session-state:User-Name[*] -> 'username'
Fri May 20 06:02:41 2022 : Debug: (9)     } # update = noop
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[post-auth]: calling exec (rlm_exec)
Fri May 20 06:02:41 2022 : Debug: (9)     modsingle[post-auth]: returned from exec (rlm_exec)
Fri May 20 06:02:41 2022 : Debug: (9)     [exec] = noop
Fri May 20 06:02:41 2022 : Debug: (9)     policy remove_reply_message_if_eap {
Fri May 20 06:02:41 2022 : Debug: (9)       if (&reply:EAP-Message && &reply:Reply-Message) {
Fri May 20 06:02:41 2022 : Debug: (9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
Fri May 20 06:02:41 2022 : Debug: (9)       else {
Fri May 20 06:02:41 2022 : Debug: (9)         modsingle[post-auth]: calling noop (rlm_always)
Fri May 20 06:02:41 2022 : Debug: (9)         modsingle[post-auth]: returned from noop (rlm_always)
Fri May 20 06:02:41 2022 : Debug: (9)         [noop] = noop
Fri May 20 06:02:41 2022 : Debug: (9)       } # else = noop
Fri May 20 06:02:41 2022 : Debug: (9)     } # policy remove_reply_message_if_eap = noop
Fri May 20 06:02:41 2022 : Debug: (9)   } # post-auth = noop
Fri May 20 06:02:41 2022 : Debug: (9) Sent Access-Accept Id 199 from 127.0.0.1:1812 to 127.0.0.1:42593 length 0
Fri May 20 06:02:41 2022 : Debug: (9)   MS-MPPE-Recv-Key = 0x204d0f4860b8e2565fdac4acc4094b304086498632c38a32c1777a5214e39172
Fri May 20 06:02:41 2022 : Debug: (9)   MS-MPPE-Send-Key = 0x814975ac38435a8a45822326f292dbba10d2166703db2dff1acbb2459c0a39bd
Fri May 20 06:02:41 2022 : Debug: (9)   EAP-Message = 0x030d0004
Fri May 20 06:02:41 2022 : Debug: (9)   Message-Authenticator = 0x00000000000000000000000000000000
Fri May 20 06:02:41 2022 : Debug: (9)   User-Name += "username"
Fri May 20 06:02:41 2022 : Debug: (9) Finished request

@ahmar16 any help will be greatly appreciated!

I have a similar setup working (with external RADIUS). One thing that initially stopped me was the default hostapd. Upgrading it through LuCI fixed my issue.

If that doesn’t work I’ll post my config

Glad it worked out for you! I am using the latest version of wpad instead of hostapd.

Your config might help as well. I will also give yours a go with hostapd instead of wpad

Stripped config elements:

> user@openwrt:/etc/config# cat network
> 
> ...
> 
> config interface 'wan'
>         option proto 'dhcp'
>         option device 'eth0.10'
>         option type 'bridge'
> 
> config switch
>         option name 'switch0'
>         option reset '1'
>         option enable_vlan '1'
> 
> ...
> 
> config switch_vlan
>         option device 'switch0'
>         option vlan '2'
>         option ports '6t 1'
>         option vid '10'
>         option description 'VLAN10'
> 
> config switch_vlan
>         option device 'switch0'
>         option vlan '3'
>         option vid '172'
>         option description 'VLAN172'
>         option ports '6t 5 1t'
> 
> ...
> 
> config switch_vlan
>         option device 'switch0'
>         option vlan '5'
>         option ports '6t 3 1t'
>         option vid '1723'
>         option description 'VLAN1723'
> 
> ...
> 
> config interface 'vlan1723'
>         option proto 'none'
>         option device 'br-vlan1723'
> 		
> config device
>         option name 'br-vlan1723'
>         option type 'bridge'
>         list ports 'eth0.1723'
> ...
> 
> config interface 'VLAN172'
>         option proto 'none'
>         option type 'bridge'
>         option device 'br-vlan172'
> 
> config device
>         option type 'bridge'
>         option name 'br-vlan172'
>         list ports 'eth0.172'
> 		
> ...
> 
> 
> user@openwrt:/etc/config# cat wireless
> 
> config wifi-device 'radio0'
>         option type 'mac80211'
>         option hwmode '11a'
>         option path 'pci0000:00/0000:00:00.0'
>         option cell_density '0'
>         option country ' *redacted* '
>         option channel '56'
>         option htmode 'VHT40'
>         option txpower '18'
> 
> config wifi-iface 'default_radio0'
>         option device 'radio0'
>         option mode 'ap'
>         option encryption 'wpa2'
>         option auth_server ' *redacted* '
>         option auth_port ' *redacted* '
>         option auth_secret ' *redacted* '
>         option dynamic_vlan '2'
>         option vlan_tagged_interface 'eth0'
>         option vlan_bridge 'br-vlan'
>         option vlan_naming '0'
>         option ieee80211r '1'
>         option mobility_domain ' *redacted* '
>         option ft_over_ds '1'
>         option ft_psk_generate_local '0'
>         option nasid ' *redacted* '
>         option r1_key_holder ' *redacted* '
>         list r0kh ' *redacted* '
>         ...
>         list r1kh ' *redacted* '
>         option reassociation_deadline '20000'
>         option rsn_pairwise 'CCMP'
>         option rsn_preauth '1'
>         option ieee80211k '1'
>         option bss_transition '1'
>         option pmk_r1_push '1'
>         option ssid ' *redacted* '

user@openwrt:/etc/config# cat /etc/hostapd.vlan

*       wlan0.#
*       wlan1.#

user@openwrt:~# brctl show
bridge name bridge id STP enabled interfaces
...
br-vlan172 7fff.14cc2091841b no wlan0-1
eth0.172
wlan1.172
...

Updated packages:
wpad	2020-06-08-5a8b3662-40
hostapd-common	2020-06-08-5a8b3662-40

All on  OpenWrt 21.02.2, r16495-bf0c965af0

My configuration is more or less the same as yours. Thanks for sharing though.