PSK VLAN assignment and MAB (MAC address bypass)

Installing and Using OpenWrt Network and Wireless Configuration
1

Hi,

I've been reading the following:
https://forum.openwrt.org/t/individual-per-passphrase-per-mac-wifi-vlans-using-wpa-psk-file-no-radius-required/161696
which has in its title 'per-passphrase-per-mac', but I don't see anywhere how to assign a VLAN by MAC (similar to MAB using Radius)
Elsewhere, I see there is an option macfilter '(radius|allow)'.

What I want to achieve is a single SSID that assigns VLANs on the basis of both PSK for guests and MAC for IoT devices. Is it possible to combine both mechanisms for one SSID?

I'm aware of the downsides of MAC authentication due to the possibility of spoofing, however the IoT VLAN will be locked down tight. Or is there a better way to auto-assign IoT devices to an appropriate VLAN (with a single SSID)?

Thanks.

2

I think what you want is multi psk.

Please see:

https://forum.openwrt.org/t/individual-per-passphrase-per-mac-wifi-vlans-using-wpa-psk-file-no-radius-required

On recenter versions of OpenWrt for SAE/WPA3 the mac address is actually a requirement, where wildcarding does not work.

You can use list mac 'xxx' inside the wifi-station

3

Thanks, that's the same link I provided above. I shall read more thoroughly.

I'm already using FreeRADIUS to do MAC based VLAN assignment on a switch, but want to extend that to my OpenWrt access points, while also allowing for PPSK