WPA2 Personal & Enterprise on same WiFi radio

Since I have successfully configured WPA2 Enterprise, the next step is to try to configure both Personal & Enterprise on the same WiFi radio. That's where problems emerge.

Basically, it seems that WPA2 Enterprise and WPA2 Personal cannot reside within the same network range, which makes WPA2 Enterprise unable to get an IP address; logread showed:

Wed Apr  7 11:34:18 2021 daemon.warn dnsmasq-dhcp[6738]: DHCP packet received on wlan1-1 which has no address
Wed Apr  7 11:34:21 2021 daemon.warn dnsmasq-dhcp[6738]: DHCP packet received on wlan1-1 which has no address
Wed Apr  7 11:34:25 2021 daemon.warn dnsmasq-dhcp[6738]: DHCP packet received on wlan1-1 which has no address

Then I tried to use another guest network for WPA2 Enterprise usage; the corresponding configuration in /etc/config/firewall is as follows:

config zone
        option name 'guest2'
        option network 'guest2'
        option device 'wlan2'
        option input    REJECT
        option output   ACCEPT
        option forward  REJECT

config forwarding
        option src 'guest2'
        option dest 'lan'

and allowing DHCP and DNS for 'guest2'. Now WPA2 Enterprise can get an IP address and successfully establish a WiFi connection, but the client cannot access the internet somehow.

I am not sure what went wrong; perhaps it's related to 'option device' being set to 'wlan2', which does not exist? I checked the routing table, and it shows

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.1.1     0.0.0.0         UG    0      0        0 br-lan
172.16.1.0      *               255.255.255.0   U     0      0        0 wlan1-1
172.16.3.0      *               255.255.255.0   U     0      0        0 wlan0
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan

in which 172.16.1.0/24 is the range of the newly established 'guest2' network interface, shown as wlan1-1; I don't know where that came from.

Any ideas why the forwarding rule in /etc/config/firewall is not working as expected?

Sorry, I did not get your original problem with WPA2 Enterprise and WPA2 Personal. Can you please describe exactly what did not work?

I use wpa2 enterprise for my home network and wpa2 personal for my guest network on the same radio without any problem.

What release do you use? What hardware?

My AP is a D-Link DIR-860L B1, which runs the latest snapshot of OpenWrt.

The original problem is that WPA2 Enterprise cannot get an IP address from DHCP if it shares the same address range 172.16.2.0/24 with WPA2 Personal.

Then I tried to give WPA2 Enterprise the address range 172.16.1.0/24; now the end-user device can connect via WPA2 Enterprise and gets an address, but its traffic cannot be forwarded to lan.

@Stefan1, are you able to share the address range between both?

So you have experienced that 2 wireless SSIDs, one with WPA2/Enterprise and one with WPA2/PSK, being in the same network which is using the OpenWrt built-in DHCP server have a problem getting IP addresses.
I can hardly believe that this is related to the type of authentication. If you add a 3rd SSID with WPA2/PSK in the same network, does that work?

My setup is different. I am running 19.07.7 on TP-Link Archer C6 access points. My RasPi RADIUS server is also running a DHCP server in my lan network; I only use OpenWrt's DHCP in the guest network. But my 2 radios, both using WPA2/Enterprise in my lan network, work flawlessly with the dnsmasq DHCP server running on my RasPi.


My settings with both WPA2 Enterprise also work flawlessly with both radios. The trouble begins when I try to keep the old WPA2/PSK for compatibility considerations.

It seems it could work as expected. For now the problem has become how to get the 3rd network access to the internet.

Finally I managed to make it work.

The fact that WPA2 Enterprise cannot share an IP segment with WPA2 Personal should be noted here. I'm not sure if it's deliberately like that by design.

Today I made my son angry, keeping him without WiFi for half an hour as I tried out your scenario:

Having 2 SSIDs in the same network, one with WPA2/PSK and one with WPA2/Enterprise, and using the DHCP server works flawlessly on my system.
I changed the network of my WPA2/Enterprise WiFi to the guest network, and was able to use either one of the two SSIDs to enter the guest network and got an IP there (the identical one...). This scenario also worked after restarting the router, and in any order (first using the WPA2/Enterprise SSID, then using the PSK SSID, and the other way round).
On my system there is simply no dependency between the type of authentication and the DHCP server.

Thanks for trying.

Have you tried with 2 SSIDs on the same radio and the same guest network?

Yes, same radio, same network

If you want the same IP range for both APs, put them in the same network bridge. It does not work to try to configure DHCP to hand out the same IP range on two separate networks.

  • the network must be defined as type bridge in /etc/config/network, or only one physical link will be allowed. In other words, if two APs (on the same radio or different) are set to the same non-bridge network, only one will work, and it is a race condition deciding which one.
  • users of the two APs will have the same firewall allowances and restrictions, since they are in the same network.
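To make the shared-range setup described above concrete, here is an added example of the UCI files involved (not configuration from the original thread, the posters' routers, or OpenWrt's documentation). The interface, SSID and zone names, the addresses, the passphrase, and the RADIUS server address and shared secret are all assumptions, and `radio0` is a placeholder. One bridged network `guest` carries both SSIDs, so a single DHCP pool serves both; the firewall zone is bound by network name rather than a raw device name, and it gets an explicit forwarding to `wan`, because a forwarding to `lan` alone only reaches the LAN zone and does not give a guest zone internet access. The `option type 'bridge'` form is the 19.07-era syntax used in this thread; newer releases declare the bridge in a separate `config device` section instead.

```uci
# /etc/config/network (added example; names and addresses are assumptions)
config interface 'guest'
        option type 'bridge'        # required so more than one wifi-iface can attach
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'

# /etc/config/wireless (added example; radio0 and the RADIUS server are placeholders)
config wifi-iface 'guest_psk'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'      # same bridged network as the enterprise SSID
        option ssid 'guest-legacy'
        option encryption 'psk2+ccmp'
        option key 'ChangeMe-Assumed-Passphrase'

config wifi-iface 'guest_eap'
        option device 'radio0'
        option mode 'ap'
        option network 'guest'      # both SSIDs join the same bridge, one DHCP pool
        option ssid 'guest-eap'
        option encryption 'wpa2+ccmp'
        option auth_server '192.168.1.10'   # assumed RADIUS server address
        option auth_port '1812'
        option auth_secret 'ChangeMe-Assumed-Shared-Secret'

# /etc/config/dhcp (one pool for both SSIDs)
config dhcp 'guest'
        option interface 'guest'
        option start '100'
        option limit '100'
        option leasetime '12h'

# /etc/config/firewall
config zone
        option name 'guest'
        list network 'guest'        # bind by network, not by a raw device name
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'guest'
        option dest 'wan'           # internet access; a guest->lan forwarding alone only reaches the LAN

# With input REJECT, guests still need the router's DHCP and DNS
config rule
        option name 'Allow-guest-DHCP'
        option src 'guest'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-guest-DNS'
        option src 'guest'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'
```

After editing, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the changes, and `ip addr show br-guest` should list both wlan interfaces as bridge members. As the post above notes, the trade-off of this layout is that PSK and EAP clients share one firewall policy; if the legacy PSK SSID should be more restricted than the enterprise one, give it its own network and zone instead of a shared bridge.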

Are both of these SSIDs in AP mode, or am I right in thinking that you are using Enterprise as a client and trying to use Personal as an AP and trying to bridge these together? You can't bridge SSIDs unless you're running WDS.

@dlakelan,
Both SSIDs are in AP mode.

@mk24
Thanks for the detailed info, which explained what I've experienced.

Now I am using 2 different guest networks for the 2 SSIDs on the same radio, and it works as expected.