Hi,
How can I use my MT7621A-based OpenWRT router as a RADIUS authenticator for wired devices connected to its LAN ports? I searched a lot but could not find a working implementation.
This is just for my home setup, not for anything mission critical, still I would like it to work properly.
My setup consists of:
- Central L3 switch which also has an integrated RADIUS server (Mikrotik CRS326 with RouterOS and User Manager)
- OpenWRT router Cudy X6 V1 (MT7621A) with OpenWRT 23.05.2, connected to the Mikrotik via a trunk LAN port (all VLANs tagged)
- ISP cable router connected to the OpenWRT's WAN port (probably not relevant here).
The Mikrotik authenticates LAN devices with 802.1X and assigns the correct VLAN. This is what I also want to achieve for the OpenWRT LAN Ports.
I managed to set up a WPA2 Enterprise 802.1X Wi-Fi with automatic VLAN assignment on the OpenWRT quite easily, but how can I do this for the wired ports?
Target Configuration
(simplified; in fact there are more VLANs)
VLANs
- VLAN1 for trusted LAN
- VLAN8 for Management LAN
- VLAN9 for Guest VLAN
Ports
- lan1: Trunk Port (VLAN1+8+9 tagged) to Mikrotik (OpenWRT as 802.1X supplicant - not part of this post, documentation available)
- lan2: Access Port with 802.1X auth and - if possible - dynamic VLAN assigned by RADIUS
- lan3: Access Port with 802.1X auth and - if possible - dynamic VLAN assigned by RADIUS
- lan4: Access Port with 802.1X auth and - if possible - dynamic VLAN assigned by RADIUS
It is important that the LAN ports will be used as proper switch ports (HW switching, not via CPU).
My (probably too naïve) basic idea would be to have hostapd listen on lan2...lan4 and, if RADIUS auth is successful, set the respective port to $VLANID untagged*. But how to accomplish this?
Current configuration:
/etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd12:3456:789a::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '8'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'lan1:t'

config device
	option type 'bridge'
	option name 'br-vlan1'
	list ports 'br-lan.1'

config device
	option type 'bridge'
	option name 'br-vlan9'
	list ports 'br-lan.9'

config interface 'vlan1_Trusted'
	option proto 'static'
	option device 'br-vlan1'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'

config interface 'vlan8_Mgmt'
	option proto 'static'
	option device 'br-lan.8'
	option ipaddr '192.168.8.2'
	option netmask '255.255.255.0'

config interface 'vlan9_Guest'
	option proto 'static'
	option device 'br-vlan9'
	option ipaddr '192.168.9.2'
	option netmask '255.255.255.0'
/etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option cell_density '0'
	option htmode 'HE20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'jdr-test_2G'
	option encryption 'wpa3-mixed+ccmp'
	option auth_server '192.168.8.1'
	option auth_secret 'redacted'
	option acct_server '192.168.8.1'
	option acct_secret 'redacted'
	option vlan_bridge 'br-vlan'
	option vlan_tagged_interface 'br-lan'
	option vlan_naming '1'
	option dynamic_vlan '2'
	option eap_reauth_period '604800'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '36'
	option band '5g'
	option htmode 'HE80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
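The two pieces the question asks for are (a) a hostapd instance per access port that speaks EAPOL on the wire and talks RADIUS to the Mikrotik, and (b) something that changes the port's VLAN membership on br-lan once RADIUS has accepted the supplicant. Below is an added example script (not from the post above, nor OpenWrt's or hostapd's own code) that covers both halves with documented hostapd.conf keys and plain iproute2 `bridge vlan` commands, so the port stays a hardware-switched DSA port. Whether hostapd's own `dynamic_vlan` machinery does anything useful for a DSA port is not something the post establishes, so the VLAN move is done explicitly here. Assumptions, labelled in the code as well: the installed hostapd was built with the `wired` driver; `hostapd_cli sta <mac>` prints a `vlan_id=<n>` line for a station whose Access-Accept carried a Tunnel-Private-Group-ID; and br-lan has `vlan_filtering` enabled, which OpenWrt does whenever `bridge-vlan` sections exist. The RADIUS address, secret and VLAN numbers are the ones from the post's configuration; `GUEST_VID` as the fallback for an accept without a VLAN attribute is a design choice, not a requirement.

```shell
#!/bin/sh
# Added example, not from the forum post. Glue for running hostapd as a wired
# 802.1X authenticator on one DSA port and moving that port's VLAN membership
# on br-lan after RADIUS accepts the supplicant. Assumptions:
#  - the installed hostapd was built with the "wired" driver;
#  - `hostapd_cli sta <mac>` prints "vlan_id=<n>" for a station whose RADIUS
#    Access-Accept carried Tunnel-Private-Group-ID (not confirmed by the post);
#  - br-lan has vlan_filtering on, which OpenWrt enables whenever bridge-vlan
#    sections exist, so `bridge vlan` changes are offloaded to the switch.

ALL_VIDS="1 8 9"   # every VLAN a port may have held (the post's target VLANs)
GUEST_VID=9        # design choice: accept without a VLAN attribute lands in Guest

# hostapd_wired_conf PORT RADIUS_IP SECRET OWN_IP
# Print a hostapd.conf for the wired driver. Every key is a documented hostapd
# option; use_pae_group_addr makes hostapd address EAPOL frames to the 802.1X
# PAE group MAC rather than the supplicant's unicast MAC.
hostapd_wired_conf() {
	cat <<EOF
driver=wired
interface=$1
ieee8021x=1
eap_server=0
use_pae_group_addr=1
own_ip_addr=$4
auth_server_addr=$2
auth_server_port=1812
auth_server_shared_secret=$3
acct_server_addr=$2
acct_server_port=1813
acct_server_shared_secret=$3
eap_reauth_period=604800
ctrl_interface=/var/run/hostapd
logger_syslog=-1
logger_syslog_level=2
EOF
}

# vlan_from_sta_output
# Read `hostapd_cli -i PORT sta MAC` output on stdin and print the vlan_id
# value, or nothing when no such line is present (assumption noted above).
vlan_from_sta_output() {
	sed -n 's/^vlan_id=\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# port_vlan_plan PORT NEW_VID OLD_VID...
# Print, one per line, the iproute2 commands that drop PORT from every OLD_VID
# and, when NEW_VID is non-empty, make PORT an untagged PVID member of NEW_VID.
# An empty NEW_VID leaves the port in no VLAN: on a vlan_filtering bridge that
# drops all bridged traffic from the port, which is the intended
# "unauthenticated" state (check on your switch that EAPOL still reaches the
# CPU in that state before relying on it).
port_vlan_plan() {
	port=$1; new=$2; shift 2
	for old in "$@"; do
		if [ "$old" != "$new" ]; then
			echo "bridge vlan del dev $port vid $old"
		fi
	done
	if [ -n "$new" ]; then
		echo "bridge vlan add dev $port vid $new pvid untagged"
	fi
}

# port_vlan_apply PORT NEW_VID OLD_VID...   (needs root on the router)
# A `bridge vlan del` for a VID the port does not hold only prints an error,
# so the loop does not stop on it.
port_vlan_apply() {
	port_vlan_plan "$@" | while IFS= read -r cmd; do
		eval "$cmd"
	done
}

# on_hostapd_event IFNAME EVENT MAC
# Argument layout used by `hostapd_cli -i lan2 -a /path/to/this/script -B`:
# on connect (port authorized) move the port into the RADIUS-assigned VLAN,
# on disconnect take it out of every VLAN. $ALL_VIDS is deliberately unquoted
# so it splits into separate arguments.
on_hostapd_event() {
	iface=$1; event=$2; mac=$3
	case $event in
	AP-STA-CONNECTED)
		vid=$(hostapd_cli -i "$iface" sta "$mac" | vlan_from_sta_output)
		port_vlan_apply "$iface" "${vid:-$GUEST_VID}" $ALL_VIDS
		;;
	AP-STA-DISCONNECTED)
		port_vlan_apply "$iface" "" $ALL_VIDS
		;;
	esac
}

# When invoked by hostapd_cli in action mode the three event arguments are present.
if [ $# -eq 3 ]; then
	on_hostapd_event "$@"
fi
```

To use it, write one config per access port with `hostapd_wired_conf lan2 192.168.8.1 <secret> 192.168.8.2 > /etc/hostapd-lan2.conf`, start `hostapd -B /etc/hostapd-lan2.conf`, then attach the script with `hostapd_cli -i lan2 -a /path/to/script -B`, and repeat for lan3 and lan4. Before trusting it, confirm with `bridge vlan show dev lan2` that the membership actually changes after an authentication, and confirm with a packet capture that an unauthenticated device on the port cannot reach anything on VLAN 1.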