Hostapd config Multiple RADIUS servers

Hello all,

Is there any way to setup a backup RADIUS server for WPA2-Enterprise connections? The 'server' setting in the wireless config allows only one server address to be set. I know hostapd supports multiple radius servers but how can I add them to the UCI config?

Currently I have it set like this and I'm not sure if it will work or not:

config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        option 'channel' '5'
        option 'macaddr' '00:1f:c6:51:34:dc'
        option 'hwmode' '11g'
        option 'disabled' '0'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'network' 'lan'
        option 'mode' 'ap'
        option 'ssid' 'OpenWrt'
        option 'encryption' 'wpa2'
        #RADIUS Server
        option 'auth_server' '192.168.1.249'
        option 'auth_server' '192.168.1.250'
        option 'auth_secret' 'test123'
        option 'acct_server' '192.168.1.249'
        option 'auth_server' '192.168.1.250'
        option 'acct_secret' 'test123'

Thanks for any help,

Update this config does not work and causes radius to stop working on the AP.... Any help would be appreciated!

Hostapd supports configuring multiple radius servers.In OpenWrt ,hostapd.sh script restricts to only one radius server. If you want you can change the scripts to accept more and write it to hosapd.conf.

Would this solution work?

https://patchwork.ozlabs.org/patch/612999/

Any status on merging this upstream?

Hi @Catfriend1,

this has not been merged to upstream OpenWRT, probably because there were some suggestions to use different format.

I have modified this patch to use the list of Radius servers as secret;ip;port, for example:

        list auth_servers 'secret1;10.1.1.1;123'
        list auth_servers 'secret2;10.1.1.2;'

The downside of this approach is that the secret cannot use ';' in it, since it is used as delimiter between the fields.

The patch for this is:

--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -161,6 +161,8 @@ hostapd_common_add_bss_config() {
        config_add_string auth_secret
        config_add_int 'auth_port:port' 'port:port'
 
+       config_add_array auth_servers
+
        config_add_string acct_server
        config_add_string acct_secret
        config_add_int acct_port
@@ -353,10 +355,25 @@ hostapd_set_bss_options() {
                        set_default auth_port 1812
                        set_default dae_port 3799
 
+                       # leave the default option for legacy compatibility
+                       [ -n "$auth_server" ] && {
+                               append bss_conf "auth_server_addr=$auth_server" "$N"
+                               append bss_conf "auth_server_port=$auth_port" "$N"
+                               append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       }
 
-                       append bss_conf "auth_server_addr=$auth_server" "$N"
-                       append bss_conf "auth_server_port=$auth_port" "$N"
-                       append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       # List of fallback RADIUS servers
+                       for svr in $auth_servers_list; do
+                               auth_secret=${svr%%;*}
+                               svr=${svr#*;}
+                               auth_server=${svr%%;*}
+                               auth_port=${svr##*;}
+
+                               set_default auth_port 1812
+                               append bss_conf "auth_server_addr=$auth_server" "$N"
+                               append bss_conf "auth_server_port=$auth_port" "$N"
+                               append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       done
 
                        [ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"

Would this be acceptable?

Thanks,
Matej

1 Like

@matej37 wew, thanks :slight_smile: I am just a user of openwrt and from my point of view it is acceptable for a start. Maybe some escaping could be added in the future, just an idea...

E.g. a;pass\;word;b or even more common(?): a/pass\/word/b like linux sed has it.

This is a pretty important feature. Could any OpenWRT developers comment on this?

1 Like