I'm setting up an wireless AP with OpenWRT to support dynamic vlan's, provided by a RADIUS server.
I found a guide on OpenWRT.org which I followed, and with some extra research I'm almost there. The only thing not working is the dynamic vlan assignment. And I can't figure out why.
I'm running 15.05 chaos calmer on a TP-link Archer C7 in 'ap' mode. Firewall and DHCP are turned off, as they are provided by the network.
I can authenticate with the RADIUS server and login to both my internal and guest network if I manually bridge the SSID to the desired VLAN. Dynamic VLANs are not working though. FreeRadius is correctly transmitting the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID; as checked with wireshark. I'm not sure, but I think it might have something to do with hostapd not getting the right settings.
Any help would be greatly appreciated
My /etc/config/wireless looks as follows:
config wifi-iface
option device 'radio1'
option mode 'ap'
option ssid 'WTD_Test_Rad'
option encryption 'wpa2'
option server '172.16.20.105'
option key 'RadiusSecret'
option dynamic_vlan '2'
option vlan_tagged_interface 'eth1'
option vlan_naming 0
option vlan_bridge 'br-vlan'
but I cannot find these vlan settings in the hostapd config file: /var/run/hostapd-phy1.conf
interface=wlan1
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_server_addr=172.16.20.105
auth_server_port=1812
auth_server_shared_secret=RadiusSecret@WalkingTheDog
eapol_key_index_workaround=1
ieee8021x=1
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=WTD_Test_Rad
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=60:e3:27:58:3a:8d
The hostapd -dd shows receiving the right AVP's but doesn't seem to care about any of it.
wlan1: RADIUS Received 195 bytes from RADIUS server
wlan1: RADIUS Received RADIUS message
RADIUS message: code=2 (Access-Accept) identifier=79 length=195
Attribute 79 (EAP-Message) length=6
Value: 03f50004
Attribute 80 (Message-Authenticator) length=18
Value: d544a5f47ae84b9716fd76fb447a54e7
Attribute 1 (User-Name) length=10
Value: 'Mdirickx'
Attribute 64 (Tunnel-Type) length=6
Value: 0000000d
Attribute 65 (Tunnel-Medium-Type) length=6
Value: 00000006
Attribute 81 (Tunnel-Private-Group-Id) length=3
Value: 32
Attribute 1 (User-Name) length=10
Value: 'Mdirickx'
wlan1: STA 40:78:6a:53:eb:fb RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: old identity 'Mdirickx' updated with User-Name from Access-Accept 'Mdirickx'
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: decapsulated EAP packet (code=3 id=245 len=4) from RADIUS server: EAP Success
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: Sending EAP Packet (identifier 245)
wlan1: STA 40:78:6a:53:eb:fb WPA: sending 1/4 msg of 4-Way Handshake
wlan1: STA 40:78:6a:53:eb:fb WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan1: STA 40:78:6a:53:eb:fb WPA: sending 3/4 msg of 4-Way Handshake
wlan1: STA 40:78:6a:53:eb:fb WPA: received EAPOL-Key frame (4/4 Pairwise)
wlan1: STA 40:78:6a:53:eb:fb WPA: pairwise key handshake completed (RSN)
wlan1: AP-STA-CONNECTED 40:78:6a:53:eb:fb
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: authorizing port
wlan1: STA 40:78:6a:53:eb:fb RADIUS: starting accounting session 56EC0FBB-00000004
wlan1: STA 40:78:6a:53:eb:fb IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
Best Answer
I'd make a comment instead of an answer but I don't have enough reputation here for that. I literally wrote the HOWTO you linked to in your OP on using 802.1x Dynamic VLANs in OpenWRT as well as figured out and submitted the patches to get them working.
Some of what you're saying doesn't seem to make sense. In particular that
option dynamic_vlan '1'works butoption dynamic_vlan '2'doesn't even show up in the hostapd configuration file shouldn't be the case. The OpenWRT script which reads your /etc/config/wireless file and translates it into the hostapd config file just looks for the dynamic_vlan option and if it's there and has an integer value puts it into the hostapd file so if 1 shows up in the hostapd file, 2 should as well. Please check to see if it's showing up in your hostapd config file when you set dynamic_vlan to 1. That will give some more information to work with.