I'm setting up EAP Dynamic VLAN Assignment for a shared network.
RADIUS is already set up and confirmed to be working, but I couldn't find recent (DSA-era) documentation on the access point configuration.
With my current configs, hostapd logs the following errors upon connection:
Sat Feb 15 14:00:51 2025 daemon.info hostapd: phy0-ap0: STA 12:34:56:78:90:AB RADIUS: VLAN ID 20
Sat Feb 15 14:00:51 2025 daemon.notice hostapd: phy0-ap0: CTRL-EVENT-EAP-SUCCESS2 12:34:56:78:90:AB
Sat Feb 15 14:00:51 2025 daemon.err hostapd: VLAN: vlan_add: ADD_VLAN_CMD failed for br-lan: File exists
Device
OpenWrt 24.10.0 with wpad-openssl, GL.iNet MT-6000 (Flint 2), MediaTek ARM
/etc/config/network
# /etc/config/network: one DSA bridge (br-lan) split into VLANs 10, 20 and 80,
# each with its own routed interface.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'REDACTED'
option packet_steering '1'
# Single bridge over the three LAN ports; the bridge-vlan sections below
# define which VLANs each port carries.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# VLAN 10: untagged + PVID on lan3, tagged on lan4.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan3:u*'
list ports 'lan4:t'
# VLAN 20: untagged + PVID on lan2, tagged on lan4.
# NOTE(review): 'lan4:t*' also makes 20 the PVID of lan4, so untagged frames
# arriving on the trunk port are classified into VLAN 20; confirm this is intended.
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan2:u*'
list ports 'lan4:t*'
# VLAN 10 is the 'lan' network (10.10.0.0/24). The RADIUS server address used
# in /etc/config/wireless (10.10.0.2) is inside this subnet.
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '10.10.0.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6ifaceid 'eui64'
option ip6weight '1000'
config device
option name 'wan'
option macaddr 'REDACTED'
# VLAN 20 is the 'lan_clients' network (10.20.0.0/24).
# NOTE(review): this section makes netifd own the device br-lan.20. hostapd is
# told to use VLAN ID 20 on br-lan (see the RADIUS log line), so a name clash
# on this device is a plausible source of the "File exists" error; verify.
config interface 'lan_clients'
option proto 'static'
option device 'br-lan.20'
option ipaddr '10.20.0.1'
option netmask '255.255.255.0'
option ip6assign '64'
option ip6ifaceid 'eui64'
option ip6weight '600'
# WireGuard interface. private_key is a secret and is redacted in this listing;
# no peer details beyond a description are shown.
config interface 'lan_wireguard'
option proto 'wireguard'
option private_key 'REDACTED'
option ip6weight '800'
config wireguard_lan_wireguard
option description 'REDACTED'
config interface 'wan'
option proto 'REDACTED'
config interface 'wan_6'
option proto 'REDACTED'
# VLAN 80: tagged on lan4 only; no LAN port carries it untagged.
config bridge-vlan
option device 'br-lan'
option vlan '80'
list ports 'lan4:t'
# VLAN 80 is the 'lan_guests' network (10.80.0.0/24).
config interface 'lan_guests'
option proto 'static'
option device 'br-lan.80'
option ip6assign '64'
option ip6ifaceid 'eui64'
option ip6weight '500'
option ipaddr '10.80.0.1'
option netmask '255.255.255.0'
/etc/config/wireless
# /etc/config/wireless: two radios; only 'wifinet4' on radio0 is shown in full.
config wifi-device 'radio0'
option type 'mac80211'
option path 'REDACTED'
option band '2g'
option channel 'auto'
option htmode 'HE20'
option country 'REDACTED'
option cell_density '0'
# radio1 (5 GHz) is disabled, so wifinet0/2/3 below are not broadcasting.
config wifi-device 'radio1'
option type 'mac80211'
option path 'REDACTED'
option band '5g'
option channel 'auto'
option htmode 'HE40'
option cell_density '0'
option country 'REDACTED'
option disabled '1'
config wifi-iface 'wifinet0'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'REDACTED'
# The 802.1X SSID that should place each station into a RADIUS-assigned VLAN.
config wifi-iface 'wifinet4'
option device 'radio0'
option mode 'ap'
option ssid 'VLAN_SSID'
# In OpenWrt 'wpa3' selects WPA3-Enterprise (EAP); WPA3-Personal is 'sae'.
option encryption 'wpa3'
option macaddr 'REDACTED'
option dtim_period '3'
option max_inactivity '600'
# Authentication and accounting both go to 10.10.0.2, which lies in the 'lan'
# (VLAN 10) subnet. The shared secrets are redacted; they should be long,
# random values and should not be reused across access points.
option auth_server '10.10.0.2'
option auth_secret 'REDACTED'
option acct_server '10.10.0.2'
option acct_secret 'REDACTED'
# 802.11r fast transition with explicit R0KH/R1KH entries (keys redacted).
option ieee80211r '1'
option nasid 'REDACTED'
option reassociation_deadline '20000'
option ft_over_ds '0'
option ieee80211k '1'
option rnr '1'
option time_advertisement '2'
option time_zone 'UTC0'
option wnm_sleep_mode '1'
option bss_transition '1'
option proxy_arp '1'
list r0kh 'REDACTED'
list r1kh 'REDACTED'
# Default (non-VLAN) attachment is the 'lan' network, i.e. the same segment as
# the RADIUS server and the most trusted firewall zone.
option network 'lan'
# dynamic_vlan '2' = VLAN required: hostapd rejects a station when RADIUS
# returns no VLAN ID. With '1' (optional) such a station would instead fall
# back to the default network above, so keep '2' unless that is intended.
option dynamic_vlan '2'
# hostapd creates the per-VLAN sub-interface on vlan_tagged_interface and a
# bridge named from the vlan_bridge prefix plus the VLAN ID.
# NOTE(review): the logged "vlan_add: ADD_VLAN_CMD failed for br-lan: File
# exists" is consistent with hostapd trying to create a VLAN 20 device on
# br-lan while /etc/config/network already defines br-lan.20 for
# 'lan_clients'; confirm with `ip -d link show`. On DSA builds, `config
# wifi-vlan` sections that map a VLAN ID to an existing network are the usual
# alternative to these two options; verify against current OpenWrt docs.
option vlan_tagged_interface 'br-lan'
option vlan_bridge 'br-wireless'
option ocv '1'
config wifi-iface 'wifinet5'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
config wifi-iface 'wifinet6'
option device 'radio0'
option mode 'ap'
option ssid 'REDACTED'
/etc/config/firewall
# /etc/config/firewall: default-deny policy with four zones
# (lan, wan, lan_clients, lan_guests).
# All three default policies are DROP, so traffic on any interface that is not
# a member of a zone is dropped.
config defaults
option input 'DROP'
option output 'DROP'
option forward 'DROP'
option flow_offloading '1'
option flow_offloading_hw '1'
option synflood_protect '1'
option drop_invalid '1'
# Most trusted zone: VLAN 10 plus the WireGuard interface, so VPN peers get
# the same access to the router as the wired management LAN.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'lan_wireguard'
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
# Disabled (enabled '0').
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
# Disabled (enabled '0'): the router does not answer IPv4 ping from wan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# MLD from link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Rate-limited ICMPv6 to the router itself. echo-request is not in the list.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'neighbour-advertisement'
list icmp_type 'neighbour-solicitation'
list icmp_type 'packet-too-big'
list icmp_type 'router-advertisement'
list icmp_type 'router-solicitation'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
# Rate-limited ICMPv6 error and reply types forwarded from wan to any zone.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'bad-header'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'unknown-header-type'
# Disabled (enabled '0').
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
# Disabled (enabled '0').
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
# Zone for VLAN 20, where the RADIUS log line places the 802.1X station.
# NOTE(review): input 'ACCEPT' lets every client in this zone reach all
# services listening on the router. If clients are less trusted than 'lan',
# the usual hardening is input 'REJECT' plus explicit rules for DNS and DHCP.
config zone
option name 'lan_clients'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan_clients'
# Only lan_clients -> wan is forwarded. No forwarding to 'lan' is defined, so
# routed access from VLAN 20 to the RADIUS server's subnet is not permitted by
# the sections shown here.
config forwarding
option src 'lan_clients'
option dest 'wan'
# No 'dest', so this is an input rule: WireGuard terminates on the router.
config rule
option name 'Allow-WireGuard'
option family 'REDACTED'
list proto 'udp'
option src 'wan'
option dest_port 'REDACTED'
option target 'ACCEPT'
# Guest zone (VLAN 80).
# NOTE(review): input 'ACCEPT' exposes the router's own services to guests.
# A guest zone normally uses input 'REJECT' with explicit allow rules for DNS
# (53), DHCP (67-68/udp) and the required DHCPv6/ICMPv6.
config zone
option name 'lan_guests'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan_guests'
# Guests are forwarded to wan only.
config forwarding
option src 'lan_guests'
option dest 'wan'
/etc/config/dhcp
# /etc/config/dhcp: dnsmasq settings plus one DHCP pool per network.
config dnsmasq
option domainneeded '1'
option localise_queries '1'
# NOTE(review): rebind_protection '0' turns off dnsmasq's DNS-rebinding
# filter, so upstream answers that point at private addresses are passed to
# clients. Re-enable it unless a specific upstream requires it, and prefer a
# per-domain exception over a global disable.
option rebind_protection '0'
option local '/internal/'
option domain 'internal'
option expandhosts '1'
option nonegcache '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option allservers '1'
option cachesize '8000'
option min_cache_ttl '300'
# Pool for the 'lan' network (VLAN 10).
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# Pool for 'lan_clients' (VLAN 20), the VLAN returned by RADIUS in the log.
config dhcp 'lan_clients'
option interface 'lan_clients'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dhcpv6 'server'
# Static lease pinning the RADIUS server to 10.10.0.2, the address that
# auth_server/acct_server in /etc/config/wireless point at. The address is in
# the 'lan' subnet (10.10.0.0/24), not in 'lan_clients'.
config host
option name 'RADIUS_server'
option ip '10.10.0.2'
list mac 'REDACTED'
option leasetime '7d'
# Pool for 'lan_guests' (VLAN 80).
config dhcp 'lan_guests'
option interface 'lan_guests'
option start '100'
option limit '150'
option leasetime '12h'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option dhcpv6 'server'