How to Set Up EAP Dynamic VLAN Assignment

I'm setting up EAP Dynamic VLAN Assignment for a shared network.

RADIUS is already set up and confirmed to be working, but I couldn't find recent (DSA) documentation on access point configuration.

With my current configs, hostapd logs the following errors upon connection:

Sat Feb 15 14:00:51 2025 daemon.info hostapd: phy0-ap0: STA 12:34:56:78:90:AB RADIUS: VLAN ID 20
Sat Feb 15 14:00:51 2025 daemon.notice hostapd: phy0-ap0: CTRL-EVENT-EAP-SUCCESS2 12:34:56:78:90:AB 
Sat Feb 15 14:00:51 2025 daemon.err hostapd: VLAN: vlan_add: ADD_VLAN_CMD failed for br-lan: File exists

Device

OpenWrt 24.10.0 with wpad-openssl, GL.iNet MT-6000(Flint 2), MediaTek ARM

/etc/config/network


# /etc/config/network as posted: a single bridge (br-lan) split into VLANs 10,
# 20 and 80 by the bridge-vlan sections, with one routed interface per VLAN.
# Values shown as 'REDACTED' were removed by the poster.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 10 (interface 'lan'): untagged + PVID on lan3, tagged on lan4.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan3:u*'
	list ports 'lan4:t'

# VLAN 20 (interface 'lan_clients'): untagged + PVID on lan2.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan2:u*'
	# 't*' = tagged on egress but also the PVID, so untagged frames arriving on
	# lan4 are classified into VLAN 20.
	# NOTE(review): confirm the device on lan4 is expected to land in
	# lan_clients when it sends untagged traffic.
	list ports 'lan4:t*'

# 10.10.0.0/24 on VLAN 10. The RADIUS server referenced by the wireless config
# on this page (10.10.0.2) sits in this subnet.
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '10.10.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid 'eui64'
	option ip6weight '1000'

config device
	option name 'wan'
	option macaddr 'REDACTED'

# 10.20.0.0/24 on VLAN 20. 'br-lan.20' is the device name hostapd later fails
# to create in the posted log ("ADD_VLAN_CMD failed for br-lan: File exists"),
# which the reply on this page attributes to the VLAN already being configured
# in this file.
config interface 'lan_clients'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '10.20.0.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid 'eui64'
	option ip6weight '600'

# WireGuard interface; the private key and peer details are redacted in the post.
config interface 'lan_wireguard'
	option proto 'wireguard'
	option private_key 'REDACTED'
	option ip6weight '800'

config wireguard_lan_wireguard
	option description 'REDACTED'

config interface 'wan'
	option proto 'REDACTED'

config interface 'wan_6'
	option proto 'REDACTED'

# VLAN 80 (interface 'lan_guests'): only carried tagged on lan4, no untagged port.
config bridge-vlan
	option device 'br-lan'
	option vlan '80'
	list ports 'lan4:t'

# 10.80.0.0/24 on VLAN 80.
config interface 'lan_guests'
	option proto 'static'
	option device 'br-lan.80'
	option ip6assign '64'
	option ip6ifaceid 'eui64'
	option ip6weight '500'
	option ipaddr '10.80.0.1'
	option netmask '255.255.255.0'

/etc/config/wireless


# /etc/config/wireless as posted: two radios and several AP interfaces. Only
# 'wifinet4' (SSID 'VLAN_SSID') carries the 802.1X / dynamic VLAN settings the
# question is about. Values shown as 'REDACTED' were removed by the poster.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'REDACTED'
	option band '2g'
	option channel 'auto'
	option htmode 'HE20'
	option country 'REDACTED'
	option cell_density '0'

# radio1 is disabled, so the wifi-iface sections bound to it are not active.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'REDACTED'
	option band '5g'
	option channel 'auto'
	option htmode 'HE40'
	option cell_density '0'
	option country 'REDACTED'
	option disabled '1'

# NOTE(review): wifinet0, wifinet2 and wifinet3 show no 'encryption' or
# 'network' option. Presumably they were trimmed for the post; if the real
# config also lacks 'encryption', these BSSes would be open once radio1 is
# enabled.
config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'REDACTED'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'REDACTED'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'REDACTED'

config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'VLAN_SSID'
	# 'wpa3' is OpenWrt's name for WPA3-Enterprise (802.1X/EAP), which is why
	# the RADIUS options below are needed.
	option encryption 'wpa3'
	option macaddr 'REDACTED'
	option dtim_period '3'
	option max_inactivity '600'
	# RADIUS authentication and accounting both go to 10.10.0.2, in the 'lan'
	# subnet of the posted network config. The shared secrets are redacted.
	option auth_server '10.10.0.2'
	option auth_secret 'REDACTED'
	option acct_server '10.10.0.2'
	option acct_secret 'REDACTED'
	# 802.11r fast transition; the r0kh/r1kh lists further down are redacted.
	option ieee80211r '1'
	option nasid 'REDACTED'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ieee80211k '1'
	option rnr '1'
	option time_advertisement '2'
	option time_zone 'UTC0'
	option wnm_sleep_mode '1'
	option bss_transition '1'
	option proxy_arp '1'
	list r0kh 'REDACTED'
	list r1kh 'REDACTED'
	option network 'lan'
	# dynamic_vlan '2' = VLAN assignment is required: hostapd rejects a station
	# when the RADIUS reply carries no VLAN ID. Which VLAN a station joins is
	# therefore decided entirely by RADIUS policy.
	option dynamic_vlan '2'
	# With this option hostapd tries to create the tagged sub-interface on
	# br-lan itself. The posted log shows that failing with "File exists" for
	# VLAN 20, which the reply on this page attributes to the VLAN already being
	# configured in /etc/config/network. The poster's eventual fix was to
	# declare 'wifi-vlan' sections instead.
	option vlan_tagged_interface 'br-lan'
	# NOTE(review): no device named 'br-wireless' exists in the posted network
	# config, and no interface or firewall zone references it. Confirm whether
	# any bridge hostapd derives from this name is covered by a zone.
	option vlan_bridge 'br-wireless'
	option ocv '1'

# NOTE(review): wifinet5 and wifinet6 are on the enabled radio0 and show no
# 'encryption' or 'network' option. Presumably they were trimmed for the post;
# confirm the real sections set an encryption mode.
config wifi-iface 'wifinet5'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'

config wifi-iface 'wifinet6'
	option device 'radio0'
	option mode 'ap'
	option ssid 'REDACTED'

/etc/config/firewall


# /etc/config/firewall as posted: default-drop policy with four zones
# (lan, wan, lan_clients, lan_guests). The only inter-zone forwardings defined
# are lan -> wan, lan_clients -> wan and lan_guests -> wan, so no rule here
# routes the client or guest VLANs into the 'lan' zone.
config defaults
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option flow_offloading '1'
	option flow_offloading_hw '1'
	option synflood_protect '1'
	option drop_invalid '1'

# Trusted zone: covers the 'lan' interface (VLAN 10) and the WireGuard interface.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'lan_wireguard'

config zone
	option name 'wan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

# The rules below carry 'enabled 0' where the poster has switched them off.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

# Zone for VLAN 20, the VLAN RADIUS assigns in the posted log.
# NOTE(review): input 'ACCEPT' exposes every service listening on the router
# itself to these stations. If they only need DHCP and DNS from the router,
# a stricter input policy plus explicit rules for those services narrows this.
config zone
	option name 'lan_clients'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan_clients'

config forwarding
	option src 'lan_clients'
	option dest 'wan'

config rule
	option name 'Allow-WireGuard'
	option family 'REDACTED'
	list proto 'udp'
	option src 'wan'
	option dest_port 'REDACTED'
	option target 'ACCEPT'

# Guest zone for VLAN 80: forward is REJECT and the only forwarding is to wan.
# NOTE(review): input is still 'ACCEPT', so guests can reach services on the
# router itself. Guest zones are usually given input 'REJECT' with explicit
# allow rules for DHCP and DNS; confirm this is intended.
config zone
	option name 'lan_guests'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_guests'

config forwarding
	option src 'lan_guests'
	option dest 'wan'

/etc/config/dhcp


# /etc/config/dhcp as posted: dnsmasq/odhcpd settings plus one DHCP pool per
# VLAN interface (lan, lan_clients, lan_guests) and a static lease for the
# RADIUS server.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	# DNS rebinding protection is switched off here.
	# NOTE(review): with it disabled, upstream DNS answers that point at private
	# addresses are passed to clients; confirm this is deliberate.
	option rebind_protection '0'
	option local '/internal/'
	option domain 'internal'
	option expandhosts '1'
	option nonegcache '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option ednspacket_max '1232'
	option allservers '1'
	option cachesize '8000'
	option min_cache_ttl '300'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# Pool for VLAN 20, where RADIUS places the station in the posted log.
config dhcp 'lan_clients'
	option interface 'lan_clients'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

# Static lease pinning the RADIUS server to 10.10.0.2, the address the
# wireless config on this page uses for auth_server and acct_server.
config host
	option name 'RADIUS_server'
	option ip '10.10.0.2'
	list mac 'REDACTED'
	option leasetime '7d'

# Pool for the guest VLAN (80).
config dhcp 'lan_guests'
	option interface 'lan_guests'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option dhcpv6 'server'

It seems the RADIUS server assigns VLAN 20 to your station and hostapd correctly tries to add the VLAN based on the configured vlan_tagged_interface; however, the VLAN is already configured in your 'network' section, so it fails to add the VLAN device. This seems to me a normal error and not a reason to worry, since the service for the stations in that VLAN should run normally. Are you experiencing problems with the service in that VLAN, or are you just worried about the error, which should be purely informative?


Thanks for replying.
I already solved the issue; the correct way is to use UCI wifi-vlan entries.

Example /etc/config/wireless:

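# One wifi-vlan section per VLAN ID that RADIUS may return for stations on
# 'wifinet4'. Each section attaches that VLAN's stations to an existing
# interface from /etc/config/network.
# Which of these networks a station joins is decided by the RADIUS reply, so
# the RADIUS policy should hand out VID 10 (the 'lan' network, where the RADIUS
# server itself sits) only to accounts meant to be on that network.
config wifi-vlan
        option iface 'wifinet4' # Wi-Fi interface name, e.g. "config wifi-iface 'wifinet4'"
        option network 'lan' # Network interface name in /etc/config/network
        option vid '10' # VLAN ID
        option name '10' # Wi-Fi VLAN interface name suffix, can be anything, usual length limit likely applies

config wifi-vlan
        option iface 'wifinet4'
        option network 'lan_clients'
        option vid '20'
        option name '20'

config wifi-vlan
        option iface 'wifinet4'
        option network 'lan_guests'
        option vid '80'
        # The closing quote was missing in the original post; an unterminated
        # quote is a UCI syntax error.
        option name '80'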
