Differences

This shows you the differences between two versions of the page.

--- technical:ppsk-hostapd [2024/04/26 09:13] – [wpa_psk_radius=3] system
+++ technical:ppsk-hostapd [2024/04/30 08:22] (current) – [Key specific for VLAN] system
@@ Line 8: / Line 8: @@
 ===== File or RADIUS =====
   * The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS.
-  * The option of providing the PPSKs in a text file enables fast and simplified provisioning.
+  * The option to provide the PPSKs in a text file enables fast and simplified provisioning.
 ------
@@ Line 62: / Line 62: @@
 ===== FILE - Advanced PPSK on OpenWrt =====
-  * The first section dealt with a very basic PPSK implementation.
+  * The first section dealt with a very simple PPSK implementation.
   * This section is about more advanced options, including mapping MAC and VLAN to specific keys.
   * You can also visit [[https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696|this]] forum discussion where most of the information comes from.
@@ Line 91: / Line 91: @@
 </code>
   * A few additional steps are required for the VLAN tagging function of hostapd to work as intended.
+  * We need to include a few options to instruct hostapd how to handle the VLANs.
-<alert type="danger">TO BE COMPLETED</alert>
+  * Refer to this snippet from /etc/config/wireless
+<code bash>
+option wpa_psk_file '/etc/hostapd.wpa_psk'
+option vlan_file '/etc/hostapd.vlan'
+option vlan_tagged_interface 'eth0'
+option vlan_bridge 'br-vlan'
+option dynamic_vlan '1'
+</code>
+  * Then here is an example of hostapd.vlan
+<code bash>
+# VLAN ID to network interface mapping
+	vlan1
+	vlan2
+	vlan3
+	vlan4
+	guest
+# Optional wildcard entry matching all VLAN IDs. The first # in the interface
+# name will be replaced with the VLAN ID. The network interfaces are created
+# (and removed) dynamically based on the use.
+*	vlan#
+</code>
+  * hostapd will create a bridge with each VLAN and automatically create tagged interfaces and make them members of this bridge:
+<code bash>
+root@OpenWrt:~# brctl show
+bridge name     bridge id               STP enabled     interfaces
+br-vlan3        8000.4018b1eb3c80       no              vlan3
+                                                        eth0.3
+br-lan          7fff.4018b1eb3c80       no              eth0
+</code>
 ------
@@ Line 164: / Line 191: @@
 </code>
   * The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct.
-  * If wpa_psk_radius=2, hostapd will **NOT** make any follow-up attempts.
+  * If wpa_psk_radius=2, hostapd does **NOT** make any follow-up attempts.
-  * If wpa_psk_radius=3, hostapd will make a follow-up attempt with additional attributes:
+  * If wpa_psk_radius=3, hostapd makes a follow-up attempt with additional attributes:
 <code bash>
 (10) Received Access-Request Id 49 from 44.88.212.194:47297 to 164.160.89.129:1812 length 337
@@ Line 201: / Line 228: @@
-  * As a matter of interest, during a troubleshooting session I had FreeRADIUS running in debug mode for a day or two while sending requests from hostapd to it.
+  * Interestingly, during a troubleshooting session, I left FreeRADIUS running in debug mode for a day or two while sending requests to it from hostapd.
-  * At one stage, it would not receive the follow-up request no matter how many times I rebooted the access points.
+  * At some point, it stopped receiving the follow-up request no matter how many times I restarted the access points.
-  * Eventually I restarted FreeRADIUS out of desperation and lo and behold the follow up requests came in again.
+  * Finally, out of desperation, I restarted FreeRADIUS and lo and behold, the follow-up requests started coming in again.
-  * So just a heads-up on FreeRADIUS.
+  * Just a heads up about FreeRADIUS.
 </alert>
 ==== Reference config ====
-  * Let us look at a simple reference configuration of /etc/config/wireless that has RADIUS based PPSK configured.
+  * Let us take a look at a simple reference configuration of /etc/config/wireless in which RADIUS-based PPSK is configured.
 <code bash>
 config wifi-iface 'zero'
         option ifname 'zero0'
-        option disabled '0'
         option encryption 'psk2'
         option acct_interval '300'
-        option isolate '0'
         option mode 'ap'
+        option nasid 'a_hosta_53_97'
+        option acct_server '164.160.89.129'
         option acct_secret 'testing123'
         option auth_server '164.160.89.129'
+        option auth_secret 'testing123'
         option network 'lan'
-        option radius_acct_req_attr '126:s:a_hosta_53_97_0_58'
         option device 'radio0'
-        option nasid 'a_hosta_53_97'
+        option ssid 'PPSK-APdesk-1'
-        option hidden '0'
+        option ppsk '1'
-        option acct_server '164.160.89.129'
         option vlan_naming '0'
         option vlan_tagged_interface 'wan'
         option vlan_bridge 'br-ex_vlan'
         option dynamic_vlan '1'
-        option ssid 'PPSK-APdesk-1'
-        option ppsk '1'
-        option auth_secret 'testing123'
-        option radius_auth_req_attr '126:s:a_hosta_53_97_0_58'
 </code>
-  * RADIUS based PPSK implementations typically has two components:
+  * RADIUS-based PPSK implementations usually consist of two components:
-      * The private key which are used for authentication onto the WiFi network.
+      * The private key, which is used for authentication on the WiFi network.
-      * VLAN assignment which are usually tied to the private key which the user provided.
+      * The VLAN assignment, which is usually bound to the private key specified by the user.
-  * VLAN assignment is optional and if the RADIUS server did not specify a VLAN in the Access Accept, then hostapd will not do any vlan tagging on that client's connection.
+  * The VLAN assignment is optional. If the RADIUS server has not specified a VLAN in the access acceptance, hostapd does not perform VLAN tagging for the connection of this client.
-  * If there is a VLAN specified in the RADIUS reply, how hostapd will handle the VLAN assignment is determined with the following config options:
+  * If a VLAN is specified in the RADIUS response, the following configuration options determine how hostapd handles the VLAN assignment:
 <code>
 option vlan_naming '0'
@@ Line 246: / Line 268: @@
 option dynamic_vlan '1'
 </code>
-  * With these settings, if a client connect and RADIUS for instance specifies VLAN 100, hostapd will dynamically create the following bridge:
+  * If a client establishes a connection and RADIUS specifies VLAN 100, for example, hostapd dynamically creates the following bridge:
 <code bash>
 brctl show
@@ Line 254: / Line 276: @@
 </code>
-  * The bridge name is formulated using the value of **vlan_bridge** and appending the VLAN number (100).
+  * The name  of the bridge is formulated with the value of **vlan_bridge** and the appending of the VLAN number (100).
-  * The members of this bridge is the tagged WiFi client connection, zero0.100 and vlan100.
+  * The members of this bridge are the tagged WiFi client connection, zero0.100 and vlan100.
-  * The interface **vlan100** needs a bit more explanation. Depending on the value of **vlan_naming** which can be 0 or 1, it will determine the name of the second interface.
+  * The **vlan100** interface requires a little more explanation. Depending on the value of **vlan_naming**, which can be 0 or 1, the name of the second interface is determined.
-  * See this part from the hostapd documentation
+  * Have a look at this part of the hostapd documentation
 <code bash>
 # When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs
@@ Line 265: / Line 287: @@
 #vlan_naming=0
 </code>
-  * If we thus changed our config to **option vlan_naming '1'**, the bridge would like like this:
+  * So if we change our configuration to the **vlan_naming '1'** option, the bridge would look like this:
 <code bash>
 brctl show
@@ Line 273: / Line 295: @@
 </code>
-  * Remember for the VLAN to work correct you will also have to provide a DHCP server on the VLAN for the client to receive an IP address after the authenticated onto the WiFi network.
+  * Remember that for the VLAN to work correctly, you must also provide a DHCP server in the VLAN so that the client receives an IP address after it has authenticated itself in the WiFi network.
-  * If you do not have that available in your current network, you can easily do it in in MESHdesk and APdesk.
+  * If you do not have such a server in your current network, you can easily do this in MESHdesk and APdesk.
-  * The detail on those will be discussed in their respective wiki pages.
+  * The details are explained on the corresponding wiki pages.