Hi, I'm experimenting with EAP-TLS to increase wireless security and to avoid having to broadcast a separate SSID per VLAN. On my Archer C7 v2 running 19.07.5 this works great on 2.4 GHz (QCA9558), following this guide (and this). However, when I try the same configuration on the 5 GHz interface (QCA9880), the EAP exchange times out. At the same time I see this log entry, which may be the reason for the failure:
daemon.err hostapd: Failed to create interface wlan0-1.51: -122 (Not supported)
Reading the comments for the driver package, it seemed that the -ct version lacks support for VLANs, but in an email they assured me that this should work with the community driver. I also tried the Qualcomm and ct-htt versions, but they gave the same results...
The log shows a full reboot of the router; at the end you can see this VoIP phone first connecting successfully to the 2.4 GHz adapter (wlan1). After that I switch the phone to 5 GHz (wlan0) and the conversation is cut short. A while later my Android phone joins the party, to no avail.
Does anyone have an idea why this is happening or, better, how to get it working?
wireless config
# 5 GHz radio (QCA9880 per the post) -- this is the radio on which the EAP-TLS/VLAN setup fails
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option country 'NL'
# no 802.11b/g legacy data rates
option legacy_rates '0'
option path 'pci0000:00/0000:00:00.0'
option htmode 'VHT40'
option channel '44'
# Plain WPA2-PSK (CCMP) network on the 5 GHz radio, bridged into vlan1.
# The key shown as 'secret' is presumably redacted for the post.
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option encryption 'psk2+ccmp'
option key 'secret'
option ssid 'AP'
option network 'vlan1'
# 2.4 GHz radio (QCA9558 per the post) -- EAP-TLS with dynamic VLANs works on this one
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11g'
option htmode 'HT20'
option channel 'auto'
option country 'NL'
# no 802.11b legacy data rates
option legacy_rates '0'
option path 'platform/ahb/18100000.wmac'
# Plain WPA2-PSK (CCMP) network on the 2.4 GHz radio, same SSID/network as the 5 GHz one.
# The key shown as 'secret' is presumably redacted for the post.
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option encryption 'psk2+ccmp'
option key 'secret'
option ssid 'AP'
option network 'vlan1'
# WPA2-Enterprise SSID (EAP-TLS via the local FreeRADIUS) on the 2.4 GHz radio.
# This is the working instance per the post; 'wifinet3' below is the identical 5 GHz counterpart.
config wifi-iface 'wifinet2'
# RADIUS auth/acct go to loopback, so the shared secret and EAP traffic never cross a network link
option auth_server '127.0.0.1'
option ssid 'tlsnet'
option encryption 'wpa2+ccmp'
option device 'radio1'
option acct_port '1813'
option auth_port '1812'
option acct_server '127.0.0.1'
# OpenWrt's mitigation against EAPOL key-reinstallation (KRACK-style) attacks on the 4-way handshake
option wpa_disable_eapol_key_retries '1'
# 802.11w management frame protection: '1' = optional (PMF-capable clients use it, others still connect);
# '2' would make it mandatory once every client is known to support it
option ieee80211w '1'
option mode 'ap'
# 'testing123' is the FreeRADIUS example secret -- acceptable while RADIUS stays on loopback, but it
# must be changed (here and in clients.conf) before the RADIUS server is ever reached over a network
option auth_secret 'testing123'
option acct_secret 'testing123'
# hostapd dynamic_vlan '2' = VLAN assignment from the RADIUS reply is required; a client whose reply
# carries no VLAN is rejected rather than placed in the default network
option dynamic_vlan '2'
# per-VLAN AP interfaces are attached to this bridge; vlan_naming '0' keeps hostapd's default naming
option vlan_bridge 'br-vlan'
option vlan_naming '0'
# Same WPA2-Enterprise / EAP-TLS SSID on the 5 GHz radio (radio0). Option for option this matches
# 'wifinet2', so the difference in behaviour is not in this config. The logged
# "Failed to create interface wlan0-1.51: -122 (Not supported)" looks like the driver refusing the
# per-VLAN interface (apparently VLAN 51 on wlan0-1) that dynamic_vlan '2' needs -- TODO confirm
# against the driver package notes mentioned in the post.
config wifi-iface 'wifinet3'
# RADIUS auth/acct on loopback, same as wifinet2
option auth_server '127.0.0.1'
option ssid 'tlsnet'
option encryption 'wpa2+ccmp'
option device 'radio0'
option acct_port '1813'
option auth_port '1812'
option acct_server '127.0.0.1'
# KRACK-style key-reinstallation mitigation
option wpa_disable_eapol_key_retries '1'
# management frame protection optional ('2' = required)
option ieee80211w '1'
option mode 'ap'
# FreeRADIUS example secret -- change it if RADIUS ever leaves loopback
option auth_secret 'testing123'
option acct_secret 'testing123'
# VLAN from the RADIUS reply is mandatory ('2'); this is what triggers the per-VLAN interface creation
option dynamic_vlan '2'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
freeradius radiusd.conf
# FreeRADIUS 3 base layout on OpenWrt: config under /etc/freeradius3, modules under /usr/lib/freeradius3
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = /var/log
raddbdir = /etc/freeradius3
radacctdir = /var/db/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
# EAP-TLS key material: the eap module's tls-common section resolves ${certdir}/${cadir} from here,
# so the private key ends up under /etc/ssl/private -- keep that file readable by the radiusd user only
certdir = /etc/ssl/private
cadir = /etc/ssl/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = /usr/lib/freeradius3
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
# a single request is abandoned after 30 s; max_requests also caps EAP sessions via ${max_requests} in the eap module
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
# no reverse DNS on client addresses -- keeps slow or attacker-influenced lookups out of the request path
hostname_lookups = no
# Logging: plain file at ${logdir}/radius.log; authentication results and passwords are NOT logged
log {
destination = files
colourise = yes
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
# auth = no keeps per-request Access-Accept/Reject lines out of the log; turning it on (or running
# radiusd -X) is the quickest way to see how far the EAP-TLS exchange gets before it times out
auth = no
# never write submitted passwords to disk, for failed or successful attempts
auth_badpass = no
auth_goodpass = no
msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
ENV {
}
security {
# a core dump would contain the server private key and all shared secrets in clear
allow_core_dumps = no
# discard packets carrying more than 200 attributes (malformed-packet / resource-exhaustion guard)
max_attributes = 200
# delay every Access-Reject by 1 s to slow down online guessing
reject_delay = 1
# answer Status-Server probes from configured clients (NAS/proxy liveness checks)
status_server = yes
}
# Proxying stays enabled (stock default); the only NAS in this setup is hostapd on 127.0.0.1,
# whose auth_secret/acct_secret in the wireless config must match the entry in clients.conf
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
# worker thread pool; 0 = no per-thread request limit
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
auto_limit_acct = no
}
# modules, policies and virtual servers are pulled in from the usual mods-enabled/, policy.d/ and
# sites-enabled/ directories; the eap module and the 'default' site are the ones shown further down
modules {
$INCLUDE mods-enabled/
}
instantiate {
}
policy {
$INCLUDE policy.d/
}
$INCLUDE sites-enabled/
freeradius site config
# Stock 'default' virtual server: UDP auth (1812) and acct (1813) listeners on IPv4 and IPv6,
# with EAP handled by the eap module. Note that every listener binds all addresses (ipaddr = * / ipv6addr = ::)
# although hostapd only ever talks to 127.0.0.1 -- binding to 127.0.0.1 / ::1 instead would keep the
# RADIUS ports off the LAN/WAN interfaces without changing anything else in this setup.
server default {
listen {
type = auth
ipaddr = *
# port = 0 selects the standard port for the listener type
port = 0
# per the stock config these limits apply to TCP listeners only -- TODO confirm, they are inert for UDP here
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
limit {
}
}
listen {
type = auth
ipv6addr = :: # any. ::1 == localhost
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipv6addr = ::
port = 0
type = acct
limit {
}
}
authorize {
filter_username
preprocess
suffix
# once the eap module claims an EAP packet, the remaining authorize modules are skipped
eap {
ok = return
}
# 'files' is where per-user reply attributes (e.g. the VLAN tunnel attributes) would normally come from;
# a leading '-' makes a module that is not loaded a soft failure instead of a startup error
files
-sql
-ldap
expiration
logintime
}
authenticate {
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
# drop a reply User-Name that merely echoes the request one
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
# merge attributes accumulated in session-state during the multi-round EAP exchange into the final reply
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
# rejects are filtered down to the attributes allowed in an Access-Reject before eap adds its EAP-Failure
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
freeradius eap config
# eap module: EAP-TLS only, certificates from /etc/ssl (see certdir/cadir in radiusd.conf)
eap {
default_eap_type = tls
# an EAP session with no progress for 60 s is discarded
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
auth_type = PAP
tls-config tls-common {
# server key and certificate; client certificates must chain to ca-chain.cert.pem
private_key_file = ${certdir}/server.key.pem
certificate_file = ${cadir}/server.cert.pem
ca_file = ${cadir}/ca-chain.cert.pem
dh_file = ${cadir}/dh2048.pem
ca_path = ${cadir}
# cipher choice is left to OpenSSL's DEFAULT list and to the client's preference order
cipher_list = "DEFAULT"
cipher_server_preference = no
# TLS 1.0 and 1.1 are still accepted for the EAP-TLS handshake. Once every supplicant is known to do
# TLS 1.2, raise tls_min_version to "1.2" (and set disable_tlsv1 / disable_tlsv1_1 = yes). This is not
# related to the 5 GHz failure, which happens at interface creation, before any TLS takes place.
disable_tlsv1_1 = no
disable_tlsv1 = no
tls_min_version = "1.0"
tls_max_version = "1.2"
ecdh_curve = "prime256v1"
# TLS session caching is off, so every connection does a full handshake; the store{} list is inert while disabled
cache {
enable = no
lifetime = 24 # hours
store {
Tunnel-Private-Group-Id
}
}
# no external client-certificate verification script
verify {
}
# OCSP is off and no CRL check appears to be configured here, so a revoked client certificate would keep
# authenticating until the CA is rotated -- TODO confirm whether revocation is handled elsewhere
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
tls {
tls = tls-common
}
}
Happy new year everyone