Problems connecting to enterprise networks

I have an Asus RT-AX52. What I want to do is to use it to connect to a WPA2-EAP network and bridge that to some devices that only connect to personal networks.

This is not the first time I've done it; in fact, I have an older router that does this exact thing and it works just fine. I've tried copying the configuration directly and it just fails on the new one.

Here is the last thing I tried (from a blank slate):

  1. Replaced the default wpad-basic with wpad (tried both mbedtls and openssl)
  2. Changed the lan IP to a different subnet, though that shouldn't be necessary since the enterprise network allocates public IPs. I mostly did this to make sure it works with simple psk authentication on a different network (it does).
  3. Connected one of the radios to the desired network and made sure to put it in the same network as the lan (configuration below).

I've also tried messing with the channel, authentication (even though this exact auth works on the older router), tried both the 2.4 and 5GHz radios, randomizing and even hard coding a different MAC.

The result is that it just doesn't connect. My wwan interface says no carrier and the wireless network just says not associated. The exact same thing but with a psk network works, so it must be the authentication in my mind.

Here is my /etc/config/wireless:

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan lan'
	option ssid '<ssid>'
	option eap_type 'peap'
	option auth 'EAP-MSCHAPV2'
	option identity '<username>'
	option password '<password>'
	option encryption 'wpa2+ccmp'

Any ideas?

Should be single network here.

I've tried that already. The working router has both though.


You also need wpad-mbedtls in place of wpad-basic-mbedtls.


I've done that as well, yes.


Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
opkg list-installed | grep -e ^wpad -e ^hostap -e ^wpa_sup

Here you go.

(The wireless configuration differs from what I shared in the initial post; I had the wrong version in my clipboard at that time. I tried many many configurations anyway...)

# ubus call system board

{
	"kernel": "6.12.63",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "ASUS RT-AX52",
	"board_name": "asus,rt-ax52",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.0-rc2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "[260106] r32429-d76c64ad00",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.0-rc2 [260106] r32429-d76c64ad00",
		"builddate": "1767653330"
	}
}
# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid '0004bc46b1af677f4e1aa2b56ff54b7f5bb9'
	option ula_prefix 'fd46:f097:8769::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ip6assign '60'
	list ipaddr '192.168.22.1/24'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'
# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '1'
	option htmode 'HT20'
	option disabled '0'
	option country 'NL'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel 'auto'
	option htmode 'VHT20'
	option disabled '0'
	option cell_density '0'
	option country 'NL'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'sta'
	option network 'lan wan'
	option ssid '<ssid>'
	option encryption 'wpa2+ccmp'
	option eap_type 'peap'
	option auth 'EAP-MSCHAPV2'
	option identity '<username>'
	option password '<password>'
	option macaddr 'random'
# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_preference 'medium'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'
# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

I changed opkg to apk since the newer versions of OpenWrt switched.

# apk list --installed | grep -e ^wpad -e ^hostap -e ^wpa_sup

hostapd-common-2025.08.26~ca266cc2-r1 aarch64_cortex-a53 {feeds/base/network/services/hostapd} (BSD-3-Clause) [installed]
wpad-openssl-2025.08.26~ca266cc2-r1 aarch64_cortex-a53 {feeds/base/network/services/hostapd} (BSD-3-Clause) [installed]

The network of the wifi interface should be lan or wwan only.
What appears in logread -f when you restart the WAN connection while you yourself are connected via wired LAN?

Interesting, didn't know about logread. I changed network to just wwan and restarted. Looks like there are errors parsing the identity and password, not sure what that's about, since they are the same ones I use everywhere (including the working router). The username is shaped like username@domain.cctld and the password just contains letters, digits and ASCII symbols.

Relevant lines in my estimation:

Thu Jan 15 23:59:20 2026 daemon.notice netifd: Interface 'wwan' is enabled
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 14: failed to parse identity '<identity>'.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 14: failed to parse identity '<identity>'.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 15: failed to parse password.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 15: failed to parse password '<password>'.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 16: failed to parse network block.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Failed to read or parse configuration '/var/run/wpa-supplicant-phy1-sta0.conf'.

Full log:

Thu Jan 15 23:59:19 2026 daemon.notice wpa_supplicant[2182]: Set MLD config: [ ]
Thu Jan 15 23:59:19 2026 daemon.notice hostapd: Set MLD config: [ ]
Thu Jan 15 23:59:19 2026 daemon.notice hostapd: Reload all interfaces
Thu Jan 15 23:59:19 2026 daemon.notice netifd: Interface 'wwan' is disabled
Thu Jan 15 23:59:19 2026 daemon.notice netifd: Interface 'wwan' is enabled
Thu Jan 15 23:59:19 2026 daemon.notice netifd: radio1 (9877): wifi-scripts: Starting
Thu Jan 15 23:59:19 2026 daemon.notice netifd: radio1 (9877): command failed: Not supported (-95)
Thu Jan 15 23:59:19 2026 daemon.notice wpa_supplicant[2182]: Set new config for phy phy1
Thu Jan 15 23:59:19 2026 daemon.notice wpa_supplicant[2182]: Update configuration for interface phy1-sta0
Thu Jan 15 23:59:19 2026 kern.debug kernel: [ 1773.757523] {natflow}:natflow_netdev_event(): catch NETDEV_UNREGISTER event for dev=phy1-sta0
Thu Jan 15 23:59:20 2026 daemon.notice netifd: Interface 'wwan' is disabled
Thu Jan 15 23:59:20 2026 daemon.notice hostapd: Set new config for phy phy1:
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Set new config for phy phy1
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9877): wifi-scripts: Configuring 'phy1' txantenna: 4294967295, rxantenna: 4294967295 distance: 0
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9877): wifi-scripts: password is not present in the schema
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9877): wifi-scripts: Preparing interface: phy1-sta0 with MAC: 72:33:0c:47:d1:99
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9894): wifi-scripts: Tearing down phy1
Thu Jan 15 23:59:20 2026 daemon.notice hostapd: Set new config for phy phy1:
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Set new config for phy phy1
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Remove interface phy1-sta0
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9896): wifi-scripts: Starting
Thu Jan 15 23:59:20 2026 daemon.notice hostapd: Set new config for phy phy1:
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Set new config for phy phy1
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Set new config for phy phy1
Thu Jan 15 23:59:20 2026 daemon.notice hostapd: Set new config for phy phy1:
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Set new config for phy phy1
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9896): wifi-scripts: Configuring 'phy1' txantenna: 4294967295, rxantenna: 4294967295 distance: 0
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9896): wifi-scripts: password is not present in the schema
Thu Jan 15 23:59:20 2026 daemon.notice netifd: radio1 (9896): wifi-scripts: Preparing interface: phy1-sta0 with MAC: ca:67:73:40:0e:d7
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: Start pending MLD interfaces
Thu Jan 15 23:59:20 2026 kern.debug kernel: [ 1774.473773] {natflow}:natflow_netdev_event(): remove NETIF_F_GRO for dev=phy1-sta0
Thu Jan 15 23:59:20 2026 kern.debug kernel: [ 1774.473773]
Thu Jan 15 23:59:20 2026 kern.debug kernel: [ 1774.482865] {natflow}:natflow_netdev_event(): catch NETDEV_UP event for dev=phy1-sta0(tso=0,0,hw_csum=0,0), add ingress hook
Thu Jan 15 23:59:20 2026 daemon.notice netifd: Interface 'wwan' is enabled
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 14: failed to parse identity '<identity>'.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 14: failed to parse identity '<identity>'.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 15: failed to parse password.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 15: failed to parse password '<password>'.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Line 16: failed to parse network block.
Thu Jan 15 23:59:20 2026 daemon.err wpa_supplicant[2182]: Failed to read or parse configuration '/var/run/wpa-supplicant-phy1-sta0.conf'.
Thu Jan 15 23:59:20 2026 daemon.notice wpa_supplicant[2182]: : CTRL-EVENT-DSCP-POLICY clear_all

That should be just MSCHAPV2

Also when you do get it working, be sure to add option ca_cert '/etc/ssl/cert.pem' to verify the network's certificate (if it is not publicly signed, obtain the CA file from the network's administration and copy it to your router). This will protect you from being attacked by an imposter AP.

I don't think that's true. The working one uses EAP-MSCHAPv2, and in LuCI it doesn't even let you select 'MSCHAPv2' when using peap... I did try it though, it doesn't work, and LuCI shows this configuration as invalid.

I'm going from this:

although what LuCI sets up is likely correct.

I found the problem. Here is the autogenerated wpa_supplicant config /var/run/wpa-supplicant-phy1-sta0.conf:

network={
	ssid="<ssid>"
	rsn_overriding=0
	scan_ssid=1
	multi_ap_backhaul_sta=0
	key_mgmt=WPA-EAP
	sae_pwe=2
	proto=RSN
	beacon_int=100
	ieee80211w=0
	identity=<identity>
	password=<password>
}

Note the lack of quotes around the identity and password. I added them in myself and started wpa_supplicant directly with wpa_supplicant -iphy1-sta0 -c/var/run/wpa-supplicant-phy1-sta0.conf; it works perfectly now.

I'm guessing it's a fairly recent bug, which would make sense considering my other router runs an older OpenWrt. I'm not sure which program generates this file, but I guess starting wpa_supplicant manually is a workable solution for now. I'll try to figure out what the actual problem is though. Someone more knowledgeable might want to look into it.

Thanks a lot for your help!

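For readers hitting the same "failed to parse identity" / "failed to parse password" lines, here is an added example (not code from this thread and not OpenWrt's own /lib/netifd/hostapd.sh) that shows why the quotes matter and what a correctly generated block looks like. wpa_supplicant accepts string fields in two forms: a double-quoted literal, or a bare string of hex digits. A bare value that is not valid hex, which is exactly what an unquoted identity or password is, fails to parse. The quoted form cannot escape an embedded double quote (the parser just takes the last '"' on the line), so the helper below falls back to hex encoding in that case. The block also emits ca_cert and domain_suffix_match, following the certificate-validation advice given earlier in the thread; the SSID, identity, password, CA path and RADIUS server name are placeholders, and the OpenWrt UCI options of the same names are what you would set in /etc/config/wireless. A lint function at the end checks an existing generated file, e.g. /var/run/wpa-supplicant-phy1-sta0.conf, for the unquoted-field defect and for a missing CA certificate.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenWrt's hostapd.sh.
# All SSIDs, identities, passwords, paths and hostnames below are placeholders.

# Encode a value so wpa_supplicant accepts it: double-quote it, or emit the
# bare hex form when the value contains a double quote, since the quoted form
# cannot escape one.
wpa_string() {
    case "$1" in
        *\"*) printf '%s' "$1" | od -An -tx1 | tr -d ' \n' ;;
        *)    printf '"%s"' "$1" ;;
    esac
}

# Emit one PEAP/MSCHAPv2 network block with server-certificate validation.
# Arguments: ssid identity password ca_cert_path [radius_server_domain_suffix]
peap_network_block() {
    ssid=$1 identity=$2 password=$3 ca_cert=$4 server=$5
    printf 'network={\n'
    printf '\tssid=%s\n' "$(wpa_string "$ssid")"
    printf '\tkey_mgmt=WPA-EAP\n'
    printf '\tproto=RSN\n'
    printf '\tpairwise=CCMP\n'
    printf '\teap=PEAP\n'
    printf '\tphase2="auth=MSCHAPV2"\n'
    printf '\tidentity=%s\n' "$(wpa_string "$identity")"
    printf '\tpassword=%s\n' "$(wpa_string "$password")"
    # Without a trusted CA the supplicant will run the inner MSCHAPv2
    # exchange against any AP that advertises the SSID.
    printf '\tca_cert="%s"\n' "$ca_cert"
    # A CA alone trusts every certificate it issued; also pin the server name.
    [ -n "$server" ] && printf '\tdomain_suffix_match="%s"\n' "$server"
    printf '}\n'
}

# Lint a generated wpa_supplicant config: report ssid/identity/password values
# that are neither a quoted string nor valid hex. Returns 1 if any are found.
lint_wpa_conf() {
    awk -F= '
        /^[[:space:]]*(ssid|identity|password|anonymous_identity)=/ {
            key=$1; sub(/^[[:space:]]+/, "", key)
            val=substr($0, index($0, "=") + 1)
            if (val ~ /^".*"$/) next
            if (val ~ /^([0-9a-fA-F][0-9a-fA-F])+$/) next
            if (key == "password" && val ~ /^(hash|ext):/) next
            printf "line %d: %s is neither quoted nor hex: %s\n", NR, key, val
            bad=1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Returns 1 when a WPA-EAP block carries no ca_cert, i.e. the RADIUS server
# certificate would go unverified.
eap_has_ca_cert() {
    if grep -q 'key_mgmt=WPA-EAP' "$1" && ! grep -q '^[[:space:]]*ca_cert=' "$1"; then
        return 1
    fi
    return 0
}

# Demo with constructed placeholder values.
conf=$(mktemp)
peap_network_block 'CorpWiFi' 'alice@example.org' 'correct horse' \
    /etc/ssl/cert.pem radius.example.org > "$conf"
cat "$conf"
lint_wpa_conf "$conf" && eap_has_ca_cert "$conf" && echo "generated block: OK"
rm -f "$conf"
```

Run lint_wpa_conf against the live file under /var/run after a network reload to confirm whether the generator is still emitting bare values; a clean result there, together with a ca_cert line, is what you want before trusting the link for anything.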

In /lib/netifd/hostapd.sh around line 1500 there is:
append network_data "password=\"$password\"" "$N$T"
and somewhat before that, similar code for identity.
The two versions that I looked at (24.10.4 and 25.12.0-rc2) were adding double quotes as shown.


Mine is the same actually, it seems to add the quotes properly. In the meantime I've set up my own little service to start wpa_supplicant with a custom config, but the autogenerated one still looks the same as it did, no quotes.

I'm very unfamiliar with openwrt internals; is there anything that touches the file after it's generated? Running that function manually to see what it does would be helpful as well, but I'm not sure how to do that.

Just wpad and network service reloads, e.g. when some cable is unplugged, etc.