Hostapd config Multiple RADIUS servers

Hello all,

Is there any way to set up a backup RADIUS server for WPA2-Enterprise connections? The 'server' setting in the wireless config allows only one server address to be set. I know hostapd supports multiple RADIUS servers, but how can I add them to the UCI config?

Currently I have it set like this and I'm not sure if it will work or not:

# Wireless config as posted in the thread; the comments are review notes.
config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        option 'channel' '5'
        option 'macaddr' '00:1f:c6:51:34:dc'
        option 'hwmode' '11g'
        option 'disabled' '0'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'ssid' 'OpenWrt'
        option 'encryption' 'wpa2'
        #RADIUS Server
        # NOTE(review): a UCI 'option' holds a single value; repeating the
        # same option name does not build a list (that is what 'list' is
        # for), so at most one auth_server value can reach hostapd here.
        option 'auth_server' '192.168.1.249'
        option 'auth_server' '192.168.1.250'
        option 'auth_secret' 'test123'
        option 'acct_server' '192.168.1.249'
        # NOTE(review): this line repeats 'auth_server' among the accounting
        # settings; it looks like it was meant to be 'acct_server'.
        option 'auth_server' '192.168.1.250'
        option 'acct_secret' 'test123'

Thanks for any help,


Update: this config does not work and causes RADIUS to stop working on the AP. Any help would be appreciated!

Hostapd supports configuring multiple RADIUS servers. In OpenWrt, the hostapd.sh script restricts this to only one RADIUS server. If you want, you can change the script to accept more and write them to hostapd.conf.

Would this solution work?

https://patchwork.ozlabs.org/patch/612999/

Any status on merging this upstream?

Hi @Catfriend1,

this has not been merged into upstream OpenWrt, probably because there were some suggestions to use a different format.

I have modified this patch to use the list of Radius servers as secret;ip;port, for example:

        list auth_servers 'secret1;10.1.1.1;123'
        list auth_servers 'secret2;10.1.1.2;'

The downside of this approach is that the secret cannot contain ';', since it is used as the delimiter between the fields.

The patch for this is:

--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -161,6 +161,8 @@ hostapd_common_add_bss_config() {
        config_add_string auth_secret
        config_add_int 'auth_port:port' 'port:port'
 
+       config_add_array auth_servers
+
        config_add_string acct_server
        config_add_string acct_secret
        config_add_int acct_port
@@ -353,10 +355,25 @@ hostapd_set_bss_options() {
                        set_default auth_port 1812
                        set_default dae_port 3799
 
+                       # leave the default option for legacy compatibility
+                       [ -n "$auth_server" ] && {
+                               append bss_conf "auth_server_addr=$auth_server" "$N"
+                               append bss_conf "auth_server_port=$auth_port" "$N"
+                               append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       }
 
-                       append bss_conf "auth_server_addr=$auth_server" "$N"
-                       append bss_conf "auth_server_port=$auth_port" "$N"
-                       append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       # List of fallback RADIUS servers
+                       for svr in $auth_servers_list; do
+                               auth_secret=${svr%%;*}
+                               svr=${svr#*;}
+                               auth_server=${svr%%;*}
+                               auth_port=${svr##*;}
+
+                               set_default auth_port 1812
+                               append bss_conf "auth_server_addr=$auth_server" "$N"
+                               append bss_conf "auth_server_port=$auth_port" "$N"
+                               append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       done
 
                        [ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
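Review bot: In the fallback loop, `auth_port=${svr##*;}` yields the whole remainder when an entry has no trailing `;` (e.g. `secret;10.1.1.2`), so the server address ends up in `auth_server_port=`, which is not a valid port; only the `secret;ip;port` and `secret;ip;` shapes shown in the post work. Safer is `auth_port=${svr#*;}` followed by `[ "$auth_port" = "$svr" ] && auth_port=`, which leaves the port empty for `set_default` whenever the second `;` is absent. The loop also overwrites `auth_secret`, `auth_server` and `auth_port` in place, so anything after the loop that reads them (hostapd_set_bss_options continues outside the hunk) would now see the last fallback server instead of the primary; loop-local names such as `fb_secret`/`fb_server`/`fb_port` would avoid that. Nothing in the hunk populates `auth_servers_list` from the `auth_servers` array added in the first hunk; if that assignment lives elsewhere in the patch this is fine, otherwise the loop never runs.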

Would this be acceptable?

Thanks,
Matej


@matej37 wew, thanks :slight_smile: I am just a user of openwrt and from my point of view it is acceptable for a start. Maybe some escaping could be added in the future, just an idea...

E.g. `a;pass\;word;b`, or, perhaps more commonly, `a/pass\/word/b` as Linux sed does it.

This is a pretty important feature. Could any OpenWRT developers comment on this?
