Wi-Fi PSK-like auth for Ethernet (without RADIUS)

Per my understanding, Ethernet authentication is basically an implementation of IEEE 802.1X, which necessarily requires authentication by a RADIUS server.

Are there any other authentication methods that would basically be a PSK instead of a whole credential auth? I simply want some APs on the LAN to authenticate to access a specific VLAN. I'm not administrating user access, so credentials and RADIUS are definitely not what I'm looking for.

Afaik in theory: hostapd can do this for Ethernet too but please don't ask me how to emulate or simplify the auth part...

See this as a general reference: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/configuring_and_managing_networking/setting-up-an-802-1x-network-authentication-service-for-lan-clients-by-using-hostapd-with-freeradius-backend

If you achieve any progress please ping me!

Mmh, this is interesting but I don't want to do this for a couple of reasons:

  • Don't want to manually edit hostapd.conf outside of UCI/LuCI parameters.
  • I'm not familiar with RADIUS myself, how the hell do I simplify the auth... At that point might as well go full FreeRADIUS with more complete docs.

And speaking of RADIUS, don't dumb switches have a hard time dealing with EAPOL packets or something?

Anyhow, I do want to "deploy" auth to my LAN properly, and not have to chase any problems that may arise. Therefore, I respectfully veto your suggestion.

I did not want to say that's the way to go because of the RADIUS dependency but only to illustrate the hostapd part.
I'm also curious if it is somehow possible to configure hostapd without RADIUS to do dynamic VLAN assignments on Ethernet ports.

The disjunct capabilities exist in the respective upstream projects, but I'm not aware of any kind of glue in OpenWrt (or really elsewhere) tying this together and making it 'easy' (most traditional OpenWrt devices aren't fast enough to do this, OpenWrt on switches is relatively young in comparison and there have been/are way more pressing topics so far). This will require investigation and some development on your side, exceeding merely setting uci configs. It is an interesting topic, and I'm interested in your results, but I fear it's not a well-trodden path.

This should be relevant:

You can't use this for a specific VLAN unless you break it out to a dedicated port. 802.1X authorizes access to ports.

Don't try to avoid RADIUS. No need to make this more complicated than necessary by inventing non-standard ways to do stuff.

To summarize:

  • RADIUS is the only way to get any auth, no standard PSK method.
  • 802.1X cannot let you auth to a specific VLAN.
  • Dumb switches cannot support EAPOL anyway.

That's three different reasons why I can't do precisely what I wanted. Unless the whole protocol is updated to address my suggested use-case, it ain't happening.

My disappointment is immeasurable, and my day night is ruined.