Radius for home?


I have OpenWrt on my main router, and have a Broadcom router with a tomato firmware that's acting as a wireless client to OpenWrt (on 5 GHz band) with an AP on 2.4 GHz band.

All working right, except that these seem to be some incompatability with WiFi encyption between the two routers. PSK2 personal didn't work, no matter which cypher I tried. It seems that WEP is the only option that works. I understand that WEP is vurnlable, even with MAC address white listing, as that can be faked.

The picture below is form Tomato, showing the avaialble options for securuty. Greyed-out are not avaialble for wiless client. Do you think it's worth trying Radius? Or isn't it likely to work if PSK2 personal didn't?

What packages would be required to run Radius on OpenWrt router (if that could be a solution)?



WEP is beyond insecure. WPA2 with CCMP is required for current 802.11 schemes. On OpenWrt

option encryption 'psk2+ccmp'

(or variants such as with / and/or aes as an equivalent of ccmp) is generally considered the most secure of the "personal" options.

I suspect that the problem is with Tomato, based on what you've posted. If it doesn't support "WPA2 Personal", it isn't standards compliant.

RADIUS or Enterprise security can be run on "any" server, but not a simple thing to set up. Further, many IoT and older devices don't support anything other than PSK-based auth.

Yes, I know how to set-up encryption in LuCI, and WPA2 is supported by Tomato as well (both AES and TKIP). What I'm saying is that when they are set like that, there is no WAN connection on Tomato.

That connection will be only for the connection between the two routers, so no other devices inolved, but if RADIUS doesn't seem like a good idea, is there a way to try to diagnose why WPA2 givs no working connection? I understand that Tomato is outsdie factor, but how to see what's happening form OpenWrt side?

At least from what I understand OpenWrt works properly using WPA2 / CCMP

Can you connect clients to the OpenWrt AP with it configured with WPA2 / CCMP?

I still haven't seen anything to suggest that there is a problem with OpenWrt in this scenario. Would you post the config wifi-iface section of your OpenWrt config (you can block out the key and SSID, and use the pre-formatted button </> for clarity)?

Are there any error messages in the output of logread or the logs seen in LuCI?

Do you have a "wifi scanner" app for your phone, or a desktop that can confirm that OpenWrt is using WPA2 / CCMP? (On recent macOS, option-click of the wireless icon in the menubar will reveal more details.)

I'm not sure why a combined WPA1 / WPA2 mode would be "available" when the fixed WPA modes are locked out.

As a desperate measure, one thing that I have done to press a router with limited firmware to be a wireless relay is to make the relay router an AP and the main router (one of) its clients.

Lots of posts about this kind of problem with Tomato, with one possible approach at

An example of this [problem with the UI/UX] is having the Security option set to "WPA2 Personal" prior to switching to wireless client mode. Only "WPA / WPA2 Personal" is available in wireless client mode, but the setting does not change automatically. As a result the client router will be unable to authenticate, even when WPA2 is the only allowed method on the upstream router.

This might be helpful as well

Do you mean actually swapping them, so the thirdparty router is the one connected directly to internet?



I have no reason to beleive that there is an issue at Openwrt side. I was just asking if there is any way to have the two routers to play together nicely.

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option country 'IE'
	option legacy_rates '0'
	option channel '40'
	option htmode 'HT20'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'lan'
	option ssid 'HP'
	option macfilter 'allow'
	list maclist '***'
	option encryption 'psk2+ccmp'
	option key 'xxxxxxxx'

If I just change to WEP, on both routers, it just works!

Anyway, I guess I will have ot live with WEP until I change the client router. It's AC @ 5 GHz, so signal won't reach far and hopefully nobody around is expecting to find a WEP to crack!

The problem is almost certainly Tomato, the solution is almost certainly in the first link above. Please read what it says about the flaws in Tomato’s setup process and how to work around them.

1 Like

No. The router connected to the Internet is the wifi client. The third party router is an AP. With "client isolation" turned off it will bridge all of its other cilents (the users of the extended AP), and those on the other band, back to the main router (using relayd on the main router). This can work even with the most basic stock firmware.

But I agree with @jeff that Tomato ought to be able to work as a WPA client, if you go through the proper dance to set it up.

Thanks. I read the post and I'm aware of the GUI a few times, but that doesn't sppear the reason.

The image below is from Tomato. So, it should be as per the document, but it doesn't work with WPA/WAPA2+AES.

Anyway, I think I will just give up. I spent like over a day trying to get it to work. So will have to live with WEP till I get another OpenWrt router.

Have you tried WPA2 only and AES/CCMP, however they call it?

(There hasn't been a need for mixed-mode in probably a decade or more now.)

The thning is that in Tomato the WPA2 only isn't avaialble for Wirless Client mode (neither is WAP only for that matter). How is WPA / WAP2 avaialble, I don't understand. But that's confirmed by one of your links.

So I have to choose WPA / WPA2 mixed for Tomato. In OpenWrt, I tried both WPA2 (as one of the article suggested) and WPA / WPA2 mixed. But that gives no WAN connection on Tomato. And on OpenWrt, the Tomato Router appears as associated station for a second or two, with RX of 0, then it just disappers, then shows up again for a second or two then disappears and so on.

1 Like

It still sounds like your problem is exactly what was described in the linked and quoted post, Toglik's response, here in more detail

Important: When configuring Tomato as a client, click every available drop-down box in the Wireless section, in order from first to last, even if you wish to keep the current setting! If this is not done, it is possible to select an invalid configuration which will prevent the connection from working - even if it seems like it shouldn't make a difference. An example of this is having the Security option set to "WPA2 Personal" prior to switching to wireless client mode. Only "WPA / WPA2 Personal" is available in wireless client mode, but the setting does not change automatically. As a result the client router will be unable to authenticate, even when WPA2 is the only allowed method on the upstream router.

Correct me if I am wrong, but last release of Tomato was 6 years ago. Not sure if it is worthy to troubleshoot unsupported firmware.

I believe it depends on the fork. While some have been untouched for nearly a decade, others, such as http://freshtomato.org/ show active development (I have not examined the source to determine what that means).

https://bitbucket.org/pedro311/freshtomato-mips/src/fda181f4cdc0f83d7685d17f9539a3dd893f06c9/release/src/?at=mips-master shows Linux 2.6.36 released 20 October, 2010. So clearly nothing of substance with regard to Kernel security patches.

Yes, I did that. If I had the radio set to AP mode with WPA2, then I change to Wirless Client mode, encryption doesn't change, so I change it. though, still doesn't work.

@trendy This one is based on Tomato by Shibby, so from 2017. But yes, chasing it further doesn't sound making the best use of time!

1 Like