Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
technical:ppsk-hostapd [2024/04/26 08:44] – [wpa_psk_radius=3] system | technical:ppsk-hostapd [2024/04/30 08:22] (current) – [Key specific for VLAN] system | ||
---|---|---|---|
Line 8: | Line 8: | ||
===== File or RADIUS ===== | ===== File or RADIUS ===== | ||
* The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS. | * The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS. | ||
- | * The option | + | * The option |
------ | ------ | ||
Line 62: | Line 62: | ||
===== FILE - Advanced PPSK on OpenWrt ===== | ===== FILE - Advanced PPSK on OpenWrt ===== | ||
- | * The first section dealt with a very basic PPSK implementation. | + | * The first section dealt with a very simple |
* This section is about more advanced options, including mapping MAC and VLAN to specific keys. | * This section is about more advanced options, including mapping MAC and VLAN to specific keys. | ||
* You can also visit [[https:// | * You can also visit [[https:// | ||
Line 91: | Line 91: | ||
</ | </ | ||
* A few additional steps are required for the VLAN tagging function of hostapd to work as intended. | * A few additional steps are required for the VLAN tagging function of hostapd to work as intended. | ||
- | + | * We need to include a few options to instruct hostapd how to handle the VLANs. | |
- | <alert type=" | + | * Refer to this snippet from / |
+ | <code bash> | ||
+ | option wpa_psk_file '/ | ||
+ | option vlan_file '/ | ||
+ | option vlan_tagged_interface ' | ||
+ | option vlan_bridge ' | ||
+ | option dynamic_vlan ' | ||
+ | </code> | ||
+ | * Then here is an example of hostapd.vlan | ||
+ | <code bash> | ||
+ | # VLAN ID to network interface mapping | ||
+ | 1 vlan1 | ||
+ | 2 vlan2 | ||
+ | 3 vlan3 | ||
+ | 4 vlan4 | ||
+ | 100 guest | ||
+ | # Optional wildcard entry matching all VLAN IDs. The first # in the interface | ||
+ | # name will be replaced with the VLAN ID. The network interfaces are created | ||
+ | # (and removed) dynamically based on the use. | ||
+ | * vlan# | ||
+ | </ | ||
+ | * hostapd will create a bridge with each VLAN and automatically create tagged interfaces and make them members of this bridge: | ||
+ | <code bash> | ||
+ | root@OpenWrt: | ||
+ | bridge name | ||
+ | br-vlan3 | ||
+ | eth0.3 | ||
+ | br-lan | ||
+ | </ | ||
------ | ------ | ||
Line 164: | Line 191: | ||
</ | </ | ||
* The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct. | * The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct. | ||
- | * If wpa_psk_radius=2, | + | * If wpa_psk_radius=2, |
- | * If wpa_psk_radius=3, | + | * If wpa_psk_radius=3, |
<code bash> | <code bash> | ||
(10) Received Access-Request Id 49 from 44.88.212.194: | (10) Received Access-Request Id 49 from 44.88.212.194: | ||
Line 195: | Line 222: | ||
* If **wpa_psk_radius=3**, | * If **wpa_psk_radius=3**, | ||
* However, you will need to modify the / | * However, you will need to modify the / | ||
+ | |||
+ | |||
+ | <alert type=" | ||
+ | === Heads-Up === | ||
+ | |||
+ | |||
+ | * Interestingly, | ||
+ | * At some point, it stopped receiving the follow-up request no matter how many times I restarted the access points. | ||
+ | * Finally, out of desperation, | ||
+ | * Just a heads up about FreeRADIUS. | ||
+ | </ | ||
+ | |||
==== Reference config ==== | ==== Reference config ==== | ||
- | * Let us look at a simple reference configuration of / | + | * Let us take a look at a simple reference configuration of / |
<code bash> | <code bash> | ||
- | config wifi-iface 'one' | + | config wifi-iface 'zero' |
- | option ifname 'one1' | + | option ifname 'zero0' |
- | option | + | option |
- | option | + | option |
- | option | + | option |
- | option | + | option |
- | option | + | option |
- | option acct_secret ' | + | option acct_secret ' |
- | option auth_server ' | + | option auth_server ' |
- | option | + | option |
- | option | + | option |
- | option device 'radio1' | + | option device 'radio0' |
- | option | + | option |
- | option | + | option |
- | option acct_server ' | + | option vlan_naming ' |
- | option vlan_naming ' | + | option vlan_tagged_interface ' |
- | option vlan_tagged_interface ' | + | option vlan_bridge ' |
- | option vlan_bridge ' | + | option dynamic_vlan ' |
- | option dynamic_vlan '1' | + | |
- | option ssid ' | + | |
- | option ppsk ' | + | |
- | option auth_secret ' | + | |
- | option radius_auth_req_attr ' | + | |
</ | </ | ||
- | * RADIUS based PPSK implementations | + | * RADIUS-based PPSK implementations |
- | * The private key which are used for authentication | + | * The private key, which is used for authentication |
- | * VLAN assignment which are usually | + | * The VLAN assignment, which is usually |
- | * VLAN assignment is optional | + | * The VLAN assignment is optional. If the RADIUS server |
- | * If there is a VLAN specified in the RADIUS | + | * If a VLAN is specified in the RADIUS |
< | < | ||
option vlan_naming ' | option vlan_naming ' | ||
Line 234: | Line 268: | ||
option dynamic_vlan ' | option dynamic_vlan ' | ||
</ | </ | ||
- | * With these settings, if a client | + | * If a client |
+ | <code bash> | ||
+ | brctl show | ||
+ | bridge name bridge id STP enabled interfaces | ||
+ | br-ex_vlan100 7fff.ae7c588014f4 no vlan100 | ||
+ | zero0.100 | ||
+ | |||
+ | </ | ||
+ | * The name of the bridge is formulated with the value of **vlan_bridge** and the appending of the VLAN number (100). | ||
+ | * The members of this bridge are the tagged WiFi client connection, zero0.100 and vlan100. | ||
+ | * The **vlan100** interface requires a little more explanation. Depending on the value of **vlan_naming**, | ||
+ | * Have a look at this part of the hostapd documentation | ||
+ | <code bash> | ||
+ | # When hostapd creates a VLAN interface on vlan_tagged_interfaces, | ||
+ | # to know how to name it. | ||
+ | # 0 = vlan< | ||
+ | # 1 = < | ||
+ | # | ||
+ | </ | ||
+ | * So if we change our configuration to the **vlan_naming ' | ||
+ | <code bash> | ||
+ | brctl show | ||
+ | bridge name bridge id STP enabled interfaces | ||
+ | br-ex_vlan100 7fff.ae7c588014f4 no wan.100 | ||
+ | zero0.100 | ||
+ | |||
+ | </ | ||
+ | * Remember that for the VLAN to work correctly, you must also provide a DHCP server in the VLAN so that the client receives an IP address after it has authenticated itself in the WiFi network. | ||
+ | * If you do not have such a server in your current network, you can easily do this in MESHdesk and APdesk. | ||
+ | * The details are explained on the corresponding wiki pages. | ||