RADIUS dynamic VLAN

@wulfy23 - I think you were last to edit this wiki

One question regarding this part:

Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your /etc/config/wireless file and remove the network option and add the dynamic_vlan and vlan_tagged_interface options. An example based on the basic 802.1X setup found above would be:

It gives

config wifi-iface
      option device 'radio1'
      option mode 'ap'
      option ssid 'Test8021xNetwork'
      option encryption 'wpa2'
      option server '192.168.1.10'
      option key 'MyClientPassword'
      option dynamic_vlan     '2'
      option 'vlan_tagged_interface' 'eth1'
      option 'vlan_bridge' 'br-vlan'
      option 'vlan_naming' '0'

But the example above talks about VLAN 3. Earlier, however, it is mentioned:

We're skipping over VLAN 2 because the particular router used to create this demonstration uses VLAN 2 to connect the WAN port to the CPU, not all routers do this, some wire the WAN port directly to the CPU.

Was this intentional or just a mistake? Docs say default is "0" so just making sure it's not some boolean value.

howdy, not sure what i've modified on that page, but it would have been something very minor... (likely non-technical > probably the config-network-device infobox)

unable to offer any evidence-based technical input on this... however, checking the hostapd help pages... the value of 2 for dynamic_vlan relates to negotiation mode... and does not represent local vlan numbers...

https://wireless.wiki.kernel.org/en/users/documentation/hostapd

A value of 0 disables dynamic VLAN tagging, a value of 1 allows dynamic VLAN tagging and a value of 2 will reject the authentication if the RADIUS server does not provide the appropriate tunnel attributes.

client vlan mappings are (hopefully) passed from the radius server
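
The tri-state behaviour described above, as an added example that is not code from hostapd, OpenWrt or anyone in this thread: a simplified model that reads `dynamic_vlan` from a wifi-iface section and decides what happens to a client for a given RADIUS Access-Accept. The function names and the sample data are constructed for illustration; the numeric values 13 (VLAN) and 6 (IEEE-802) are the RFC 3580 tunnel attribute values.

```python
import shlex

# RFC 3580 values a RADIUS server sends to assign a VLAN
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MODES = {0: "disabled", 1: "optional", 2: "required"}

# Constructed sample mirroring the wifi-iface section quoted in the thread
SAMPLE_UCI = """
config wifi-iface
      option device 'radio1'
      option encryption 'wpa2'
      option dynamic_vlan     '2'
      option 'vlan_tagged_interface' 'eth1'
"""

def parse_iface(text):
    """Collect the options of one UCI section into a dict."""
    opts = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 3 and parts[0] == "option":
            opts[parts[1]] = parts[2]
    return opts

def vlan_from_accept(attrs):
    """Return the VLAN ID in an Access-Accept, or None if the tunnel attributes are incomplete."""
    if attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802:
        return None
    gid = str(attrs.get("Tunnel-Private-Group-Id", ""))
    return int(gid) if gid.isdecimal() and 1 <= int(gid) <= 4094 else None

def decide(opts, attrs):
    """Simplified model of the AP's choice after a successful 802.1X exchange."""
    mode = int(opts.get("dynamic_vlan", "0"))
    if mode not in MODES:
        raise ValueError("dynamic_vlan is a mode (0, 1 or 2), not a VLAN ID")
    vlan = vlan_from_accept(attrs) if mode else None
    if vlan is not None:
        return ("accept", vlan)
    if mode == 2:
        return ("reject", None)  # required: no usable tunnel attributes
    return ("accept", None)      # disabled or optional: default network

if __name__ == "__main__":
    full = {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-Id": "3"}
    for attrs in (full, {}):
        print(decide(parse_iface(SAMPLE_UCI), attrs))
```

With mode 1 a client whose Access-Accept lacks the tunnel attributes is still admitted on the default network, which is why mode 2 is the setting to use when every client must land in a RADIUS-assigned VLAN.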

Ah, OK, thanks. I got the impression from reading that we were somehow passing the VLAN number here. The setting didn't specify what data-type it takes.

Perhaps this information could be added to this stub, and/or wifi settings. Information capture is important... Are you the right person to ask? Or is that someone called @dansan on the wiki?

edit away... that page seems to be limping along on the input of many... (and can use constant improvement/clarification)

the wifi param page itself follows a stricter structure i'm unfamiliar with, but can see benefit stating that this is (currently) a 'tri-state?' parameter...

Yeah word. I was attempting to capture the elements into a PR for extending the GUI. I think I got it.

I can't remember whether I have a wiki account....

I think you do, I see a "systemcrash" in the wiki account list

Ah, github :slight_smile:
OK - made a few small edits for clarification.