Differences
Previous revision: technical:ppsk-hostapd [2024/04/26 09:13] – [wpa_psk_radius=3] system
Current revision: technical:ppsk-hostapd [2024/04/30 08:22] (current) – [Key specific for VLAN] system
Line 8: | Line 8: | ||
===== File or RADIUS ===== | ===== File or RADIUS ===== | ||
* The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS. | * The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS. | ||
- | * The option | + | * The option |
------ | ------ | ||
Line 62: | Line 62: | ||
===== FILE - Advanced PPSK on OpenWrt ===== | ===== FILE - Advanced PPSK on OpenWrt ===== | ||
- | * The first section dealt with a very basic PPSK implementation. | + | * The first section dealt with a very simple |
* This section is about more advanced options, including mapping MAC and VLAN to specific keys. | * This section is about more advanced options, including mapping MAC and VLAN to specific keys. | ||
* You can also visit [[https:// | * You can also visit [[https:// | ||
Line 91: | Line 91: | ||
</ | </ | ||
* A few additional steps are required for the VLAN tagging function of hostapd to work as intended. | * A few additional steps are required for the VLAN tagging function of hostapd to work as intended. | ||
- | + | * We need to include a few options to instruct hostapd how to handle the VLANs. | |
- | <alert type=" | + | * Refer to this snippet from / |
+ | <code bash> | ||
+ | option wpa_psk_file '/ | ||
+ | option vlan_file '/ | ||
+ | option vlan_tagged_interface ' | ||
+ | option vlan_bridge ' | ||
+ | option dynamic_vlan ' | ||
+ | </code> | ||
+ | * Then here is an example of hostapd.vlan | ||
+ | <code bash> | ||
+ | # VLAN ID to network interface mapping | ||
+ | 1 vlan1 | ||
+ | 2 vlan2 | ||
+ | 3 vlan3 | ||
+ | 4 vlan4 | ||
+ | 100 guest | ||
+ | # Optional wildcard entry matching all VLAN IDs. The first # in the interface | ||
+ | # name will be replaced with the VLAN ID. The network interfaces are created | ||
+ | # (and removed) dynamically based on the use. | ||
+ | * vlan# | ||
+ | </ | ||
+ | * hostapd will create a bridge with each VLAN and automatically create tagged interfaces and make them members of this bridge: | ||
+ | <code bash> | ||
+ | root@OpenWrt: | ||
+ | bridge name | ||
+ | br-vlan3 | ||
+ | eth0.3 | ||
+ | br-lan | ||
+ | </ | ||
------ | ------ | ||
Line 164: | Line 191: | ||
</ | </ | ||
* The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct. | * The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct. | ||
- | * If wpa_psk_radius=2, | + | * If wpa_psk_radius=2, |
- | * If wpa_psk_radius=3, | + | * If wpa_psk_radius=3, |
<code bash> | <code bash> | ||
(10) Received Access-Request Id 49 from 44.88.212.194: | (10) Received Access-Request Id 49 from 44.88.212.194: | ||
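Review bot: the log excerpt closing this hunk, `(10) Received Access-Request Id 49 from 44.88.212.194:`, carries what looks like a real NAS address; unless that is deliberately an example address, replace it with a documentation placeholder before publishing, as the wpa_psk_radius=2 versus wpa_psk_radius=3 comparison does not depend on the source IP.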
Line 201: | Line 228: | ||
- | * As a matter of interest, during a troubleshooting session I had FreeRADIUS running in debug mode for a day or two while sending requests | + | * Interestingly, during a troubleshooting session, I left FreeRADIUS running in debug mode for a day or two while sending requests to it from hostapd. |
- | * At one stage, it would not receive | + | * At some point, it stopped receiving |
- | * Eventually I restarted FreeRADIUS | + | * Finally, |
- | * So just a heads-up on FreeRADIUS. | + | * Just a heads up about FreeRADIUS. |
</ | </ | ||
==== Reference config ==== | ==== Reference config ==== | ||
- | * Let us look at a simple reference configuration of / | + | * Let us take a look at a simple reference configuration of / |
<code bash> | <code bash> | ||
config wifi-iface ' | config wifi-iface ' | ||
option ifname ' | option ifname ' | ||
- | option disabled ' | ||
option encryption ' | option encryption ' | ||
option acct_interval ' | option acct_interval ' | ||
- | option isolate ' | ||
option mode ' | option mode ' | ||
+ | option nasid ' | ||
+ | option acct_server ' | ||
option acct_secret ' | option acct_secret ' | ||
option auth_server ' | option auth_server ' | ||
+ | option auth_secret ' | ||
option network ' | option network ' | ||
- | option radius_acct_req_attr ' | ||
option device ' | option device ' | ||
- | option | + | option |
- | option | + | option |
- | option acct_server ' | + | |
option vlan_naming ' | option vlan_naming ' | ||
option vlan_tagged_interface ' | option vlan_tagged_interface ' | ||
option vlan_bridge ' | option vlan_bridge ' | ||
- | option dynamic_vlan ' | + | option dynamic_vlan ' |
- | option ssid ' | + | |
- | option ppsk ' | + | |
- | option auth_secret ' | + | |
- | option radius_auth_req_attr ' | + | |
</ | </ | ||
- | * RADIUS based PPSK implementations | + | * RADIUS-based PPSK implementations |
- | * The private key which are used for authentication | + | * The private key, which is used for authentication |
- | * VLAN assignment which are usually | + | * The VLAN assignment, which is usually |
- | * VLAN assignment is optional | + | * The VLAN assignment is optional. If the RADIUS server |
- | * If there is a VLAN specified in the RADIUS | + | * If a VLAN is specified in the RADIUS |
< | < | ||
option vlan_naming ' | option vlan_naming ' | ||
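Review bot: the new version of the reference config no longer shows the `option ssid '` and `option ppsk '` lines that the old version listed at the end of the block (alongside `option auth_secret '` and `option radius_auth_req_attr '`); `auth_secret` and `acct_server` reappear higher up, but for a PPSK reference config `ppsk` and `ssid` must still be present, so confirm they are the two bare `option` lines in the middle of the block rather than dropped. The removal of `option isolate '` also deserves a sentence, since a reader copying a per-user-PSK reference would expect client isolation to be either kept or explained as intentional. The FreeRADIUS heads-up at the top of the hunk would be more actionable if it said how it was observed that requests stopped arriving and whether this happened only while running in debug mode.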
Line 246: | Line 268: | ||
option dynamic_vlan ' | option dynamic_vlan ' | ||
</ | </ | ||
- | * With these settings, if a client | + | * If a client |
<code bash> | <code bash> | ||
brctl show | brctl show | ||
Line 254: | Line 276: | ||
</ | </ | ||
- | * The bridge | + | * The name of the bridge |
- | * The members of this bridge | + | * The members of this bridge |
- | * The interface | + | * The **vlan100** |
- | * See this part from the hostapd documentation | + | * Have a look at this part of the hostapd documentation |
<code bash> | <code bash> | ||
# When hostapd creates a VLAN interface on vlan_tagged_interfaces, | # When hostapd creates a VLAN interface on vlan_tagged_interfaces, | ||
Line 265: | Line 287: | ||
# | # | ||
</ | </ | ||
- | * If we thus changed | + | * So if we change |
<code bash> | <code bash> | ||
brctl show | brctl show | ||
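Review bot: the quoted hostapd documentation in this hunk refers to `vlan_tagged_interfaces` (plural, as in hostapd.conf), while the UCI option in the reference config above is `vlan_tagged_interface`; a short remark that the two names refer to the same setting would stop readers from copying the plural spelling into their config when they change the naming scheme.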
Line 273: | Line 295: | ||
</ | </ | ||
- | * Remember for the VLAN to work correct | + | * Remember |
- | * If you do not have that available | + | * If you do not have such a server |
- | * The detail | + | * The details are explained |