WPA2 Enterprise 802.1x dynamic vlans not working

Hello,

According to https://wiki.openwrt.org/doc/howto/wireless.security.8021x it should be very easy to configure 802.1x with dynamic vlans. Here is my configuration:

/etc/config/wireless:

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'FIXED VLAN WIFI'
        option encryption 'wpa2'
        option server '...'
        option key '...'
        option network 'lan'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'DYN VLAN WIFI'
        option encryption 'wpa2'
        option server '...'
        option key '...'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth1'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'

The network and switch configuration is irrelevant.

This is my freeradius configuration:

/etc/freeradius/3.0/clients.conf:

client 192.168.1.1 {
    ipaddr = 192.168.1.1
    secret = ...
    require_message_authenticator = yes
    nastype = other
}

/etc/freeradius/3.0/users.conf:

"hello"      Auth-Type := "EAP", Cleartext-Password := "world"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-ID := "1"

Connecting to FIXED VLAN WIFI works flawlessly but connecting to DYN VLAN WIFI does not work.
So I checked logread and I got this:

Sun Jul 22 12:30:56 2018 daemon.info hostapd: wlan1-2: STA 0c:8f:ff:84:8f:9e IEEE 802.11: authenticated
Sun Jul 22 12:30:56 2018 daemon.info hostapd: wlan1-2: STA 0c:8f:ff:84:8f:9e IEEE 802.11: associated (aid 1)
Sun Jul 22 12:30:56 2018 daemon.notice hostapd: wlan1-2: CTRL-EVENT-EAP-STARTED 0c:8f:ff:84:8f:9e
Sun Jul 22 12:30:56 2018 daemon.notice hostapd: wlan1-2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Sun Jul 22 12:30:57 2018 daemon.info hostapd: wlan1-2: STA 0c:8f:ff:84:8f:9e IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept
Sun Jul 22 12:30:57 2018 daemon.warn hostapd: wlan1-2: STA 0c:8f:ff:84:8f:9e IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)

What is wrong with my configuration?

Raphael

Typo, use
https://wiki.openwrt.org/doc/howto/wireless.security.8021x

Might be missing quotes

                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",

Does not help

Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = "1"

I will try this later. I hope it will work

Raphael

Still the same error :frowning_face:

You didn't yet mention your wireless driver. The ath10k driver is known to not support dynamic vlans due to firmware limitations. Are you using ath10k?

Good question.
It's a TP-Link Archer C7 v2. It's configured for both 2.4GHz and 5GHz. So there are QCA9558 and QCA9880-BR4A. It seems that 5GHz is using ath10k but I don't know what 2.4GHz is using.
How to fix the ath10k problem?

Raphael

Try using the following setting for a tunneled reply in your freeradius config. It solved a similar issue I was experiencing.

     peap { 
                    ........
                    use_tunneled_reply = yes 
     } 

Lee

@skanker74 Does your suggestion help with dynamic VLAN with ath10k driver? Thanks :slight_smile:

If anyone was searching for ath10k to work with dynamic vlans, please let us know that you are affected in the following post:

We need your support to make this issue known.

Thanks,
Hernán.-