Further to our last post, we are trying to get Packetfence working with
OpenWRT 15.05 hostapd.
We have read all the following sources in addition to Google and Mailing
List searches on information related to Hostapd integration:
PacketFence_Administration_Guide-5.7.0.pdf
PacketFence_Network_Devices_Configuration_Guide-5.7.0.pdf
PacketFence_Inline_Deployment_Quick_Guide_ZEN-5.7.0.pdf
PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.asciidoc
<https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.asciidoc>
OpenWRT Dynamic VLAN Hostapd Explanation
<https://wiki.openwrt.org/doc/howto/wireless.security.8021x#x_dynamic_vlans_on_an_openwrt_router>
In our recent post to the list we had a number of questions related to the
correct configuration of OpenWRT to get dynamic vlans working with
Packetfence. These were answered on the OpenWRT Dynamic VLAN wiki page
referenced in Earl Robinson's post
<https://sourceforge.net/p/packetfence/mailman/message/34123618/>, linked
above.
We are at the point where a RADIUS Session is established between OpenWRT
and Packetfence for secure SSIDs, but nothing is happening when connecting
clients to our open SSID.
Q1) Does OpenWRT set up a RADIUS connection for the open SSIDs? (we think it
should)
Q2) Do we need to pre-bind the open SSIDs to the registration VLAN (we
don't think so, and expect hostapd to do that with a
Tunnel-Private-Group-ID parameter via radius)
We are expecting a radius session for the open SSID to program OpenWRT with
the registration vlan, however we are seeing no activity, and it appears
that radius is only being setup for the secure SSIDs.
Here is a quick overview of our configuration of our VLANs on OpenWRT, PF
can ping OpenWRT on all interfaces.
80 - Normal (10.2.1.0/24) PF on 10.2.1.2, OpenWRT on 10.2.1.3
81 - Registration (10.2.2.0/24) PF on 10.2.2.2, OpenWRT on 10.2.2.3
82 - Isolation (10.2.3.0/24) PF on 10.2.3.2, OpenWRT on 10.2.3.3
83 - Management (102.244.196.144/28) PF on 102.244.196.146, OpenWRT on
102.244.196.147
From logread -f we see the following when starting wifi, showing a hostapd
RADIUS session for OpenWRT-Secure on 2.4G (wlan1-1) and 5G (wlan0-1), but
nothing for OpenWRT-Open (wlan0-0 and wlan1-0):
daemon.notice netifd: radio1 (6269): Configuration file:
/var/run/hostapd-phy1.conf
kern.info kernel: [ 4994.530000] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is
not ready
daemon.notice netifd: radio1 (6269): wlan1: interface state
UNINITIALIZED->COUNTRY_UPDATE
daemon.notice netifd: radio1 (6269): Using interface wlan1 with hwaddr
60:e3:27:2f:16:31 and ssid "OpenWrt-OPEN"
kern.info kernel: [ 4994.600000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link
becomes ready
kern.info kernel: [ 4994.610000] IPv6: ADDRCONF(NETDEV_UP): wlan1-1: link
is not ready
daemon.notice netifd: radio1 (6269): Using interface wlan1-1 with hwaddr
62:e3:27:2f:16:31 and ssid "OpenWrt-SECURE"
daemon.notice netifd: radio0 (6254): Configuration file:
/var/run/hostapd-phy0.conf
daemon.notice netifd: radio1 (6269): wlan1-1: RADIUS Authentication server
102.244.196.146:1812
daemon.info hostapd: wlan1-1: RADIUS Authentication server
102.244.196.146:1812
daemon.notice netifd: radio1 (6269): wlan1-1: RADIUS Accounting server
102.244.196.146:1813
daemon.info hostapd: wlan1-1: RADIUS Accounting server 102.244.196.146:1813
At the same time as the SSIDs are configured we see one line of the
following for each of the authentication and accounting sessions on both
secure SSIDs in the PacketFence radius.log:
Info: rlm_perl: MAC address is empty or invalid in this request. It could
be normal on certain radius calls
From logread -f on OpenWRT we see the following when we connect a client to
OpenWRT-OPEN:
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b IEEE 802.11: authenticated
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b IEEE 802.11: associated
(aid 1)
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b RADIUS: starting
accounting session 56D4A795-00000002
But at this point, the wlan0-0 interface does not bind to any br-vlanX, nor
do we see any communication to the packetfence server.
Our understanding is that Packetfence should have a radius session for the
OpenWRT-OPEN SSID and upon connection pass the Normal VLAN80 to OpenWRT
when we connect to OpenWRT-Open.
So why do we not have a Radius session for OpenWRT-OPEN?
Did we miss something like perhaps needing to pre-connect OpenWRT-Open to
the Registration VLAN?
Any help appreciated.
cat /var/run/hostapd-phy0.conf
driver=nl80211
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
country_code=US
ieee80211d=1
ieee80211h=1
hw_mode=a
channel=36
ieee80211n=1
ht_coex=0
ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40]
vht_oper_chwidth=1
vht_oper_centr_freq_seg0_idx=42
ieee80211ac=1
vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC1][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7]
interface=wlan0
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_algs=1
wpa=0
ssid=OpenWrt-OPEN
bssid=60:e3:27:2f:16:30
bss=wlan0-1
ctrl_interface=/var/run/hostapd
disassoc_low_ack=1
preamble=1
wmm_enabled=1
ignore_broadcast_ssid=0
uapsd_advertisement_enabled=1
auth_server_addr=102.244.196.146
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=102.244.196.146
acct_server_port=1813
acct_server_shared_secret=testing123
eapol_key_index_workaround=1
ieee8021x=1
dynamic_vlan=2
vlan_naming=0
vlan_bridge=br-vlan
vlan_tagged_interface=eth0
auth_algs=1
wpa=2
wpa_pairwise=CCMP
ssid=OpenWrt-SECURE
nas_identifier=Archer1632
wpa_key_mgmt=WPA-EAP
okc=0
disable_pmksa_caching=1
bssid=62:e3:27:2f:16:30
cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd53:aa5f:9819::/48'
config interface 'wan'
option proto 'static'
option dns '32.64.191.81 32.64.191.82'
option ifname 'eth0.83'
option ipaddr '102.244.196.147'
option netmask '255.255.255.240'
option gateway '102.244.196.145'
option broadcast '102.244.196.159'
config interface 'vlan80'
option proto 'static'
option ipaddr '10.2.1.3'
option type 'bridge'
option netmask '255.255.255.0'
option ifname 'eth0.80'
config interface 'vlan81'
option proto 'static'
option ipaddr '10.2.2.3'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.81'
config interface 'vlan82'
option proto 'static'
option ipaddr '10.2.3.3'
option netmask '255.255.255.0'
option type 'bridge'
option ifname 'eth0.82'
config interface 'lan'
option force_link '1'
option ip6assign '60'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ifname 'eth1'
config interface 'wan6'
option ifname 'eth0'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 2 3 4 5'
config switch_vlan
option device 'switch0'
option vlan '80'
option ports '1t 6t'
config switch_vlan
option device 'switch0'
option vlan '81'
option ports '1t 6t'
config switch_vlan
option device 'switch0'
option vlan '82'
option ports '1t 6t'
config switch_vlan
option device 'switch0'
option vlan '83'
option ports '1t 6t'
cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option channel '36'
option hwmode '11a'
option path 'pci0000:01/0000:01:00.0'
option htmode 'VHT80'
option txpower '17'
option country 'US'
config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/qca955x_wmac'
option htmode 'HT20'
option txpower '24'
option country 'US'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt-OPEN'
option encryption 'none'
option vlan_file '/etc/config/hostapd.vlan'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
option dynamic_vlan '2'
option macfilter '2'
option auth_port '1812'
option auth_server '102.244.196.146'
option auth_secret 'testing123'
option radius_das_port '3799'
option radius_das_client '102.244.196.146 testing123'
config wifi-iface
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt-OPEN'
option encryption 'none'
option vlan_file '/etc/config/hostapd.vlan'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
option dynamic_vlan '2'
option macfilter '2'
option auth_port '1812'
option auth_server '102.244.196.146'
option auth_secret 'testing123'
option radius_das_port '3799'
option radius_das_client '102.244.196.146 testing123'
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'OpenWrt-SECURE'
option encryption 'wpa2'
option vlan_file '/etc/config/hostapd.vlan'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
option dynamic_vlan '2'
option auth_server '102.244.196.146'
option auth_port '1812'
option auth_secret 'testing123'
option acct_server '102.244.196.146'
option acct_secret 'testing123'
option acct_port '1813'
option nasid 'Archer1632'
option radius_das_port '3799'
option radius_das_client '102.244.196.146 testing123'
config wifi-iface
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt-SECURE'
option encryption 'wpa2'
option vlan_file '/etc/config/hostapd.vlan'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
option dynamic_vlan '2'
option auth_server '102.244.196.146'
option auth_port '1812'
option auth_secret 'testing123'
option acct_server '102.244.196.146'
option acct_secret 'testing123'
option acct_port '1813'
option nasid 'Archer1632'
option radius_das_port '3799'
option radius_das_client '102.244.196.146 testing123'
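The generated /var/run/hostapd-phy0.conf above is the file hostapd actually reads, so the quickest check is to look at what each BSS section in it ends up with, independently of what /etc/config/wireless asked for. The script below is an added diagnostic example (not part of the original post, and not PacketFence or OpenWrt code): it splits a hostapd config into its per-BSS sections (keys before the first "interface=" are global, "interface=" opens the first BSS, each "bss=" opens another) and reports, per BSS, whether hostapd has any RADIUS path at all (ieee8021x=1 for EAP, or macaddr_acl=2, which is hostapd's setting for MAC authentication against an external RADIUS server), whether an auth_server_addr is present, and whether dynamic_vlan is enabled so a returned Tunnel-Private-Group-ID would be acted on. It also flags a shared secret equal to the FreeRADIUS example secret. The embedded config is a trimmed copy of the one shown in the post (radio/HT/VHT lines dropped); the check names and messages are this example's own.

```python
"""Per-BSS RADIUS / dynamic-VLAN readiness check for a generated hostapd config.

Added example for this thread; not part of the original post, PacketFence
or OpenWrt. Reads a hostapd.conf and reports, per BSS, what would prevent
hostapd from sending an Access-Request and applying a returned VLAN.
"""

# Constructed input: trimmed copy of the /var/run/hostapd-phy0.conf from the
# post (radio-level HT/VHT keys removed, per-BSS keys and values unchanged).
HOSTAPD_CONF = """\
driver=nl80211
hw_mode=a
channel=36
interface=wlan0
ctrl_interface=/var/run/hostapd
auth_algs=1
wpa=0
ssid=OpenWrt-OPEN
bssid=60:e3:27:2f:16:30
bss=wlan0-1
ctrl_interface=/var/run/hostapd
auth_server_addr=102.244.196.146
auth_server_port=1812
auth_server_shared_secret=testing123
acct_server_addr=102.244.196.146
acct_server_port=1813
acct_server_shared_secret=testing123
ieee8021x=1
dynamic_vlan=2
vlan_naming=0
vlan_bridge=br-vlan
vlan_tagged_interface=eth0
wpa=2
wpa_pairwise=CCMP
ssid=OpenWrt-SECURE
nas_identifier=Archer1632
wpa_key_mgmt=WPA-EAP
bssid=62:e3:27:2f:16:30
"""

# FreeRADIUS ships "testing123" as the example client secret; seeing it in
# production means the RADIUS exchange is protected by a published value.
DEFAULT_SECRETS = {"testing123"}


def parse_hostapd_conf(text):
    """Return (global_options, bss_sections).

    hostapd reads top to bottom: keys before the first 'interface=' are
    global, 'interface=' opens the first BSS and each 'bss=' opens another.
    Every section is a dict whose '_iface' entry is the interface name.
    """
    global_opts, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line
        if key in ("interface", "bss"):
            current = {"_iface": value}
            sections.append(current)
        elif current is None:
            global_opts[key] = value
        else:
            current[key] = value
    return global_opts, sections


def radius_findings(bss):
    """List what stops this BSS from getting a VLAN assigned via RADIUS."""
    findings = []
    if bss.get("ieee8021x") != "1" and bss.get("macaddr_acl") != "2":
        findings.append("no RADIUS path: neither ieee8021x=1 (EAP) nor "
                        "macaddr_acl=2 (MAC auth against RADIUS) is set")
    if "auth_server_addr" not in bss:
        findings.append("auth_server_addr missing: no server to send an "
                        "Access-Request to")
    if bss.get("dynamic_vlan", "0") == "0":
        findings.append("dynamic_vlan missing or 0: a returned "
                        "Tunnel-Private-Group-ID would be ignored")
    if bss.get("auth_server_shared_secret") in DEFAULT_SECRETS:
        findings.append("auth_server_shared_secret is a published default; "
                        "replace it on both hostapd and the RADIUS server")
    return findings


def report(text):
    """Map each BSS interface name to its findings (empty list = ready)."""
    _, sections = parse_hostapd_conf(text)
    return {bss["_iface"]: radius_findings(bss) for bss in sections}


if __name__ == "__main__":
    for iface, findings in report(HOSTAPD_CONF).items():
        print(f"{iface}: {'OK' if not findings else 'NOT READY'}")
        for item in findings:
            print(f"  - {item}")
```

Run against the config from the post, the open BSS (wlan0) comes back with three findings and the secure BSS (wlan0-1) with only the shared-secret one, which matches the logread output: only wlan1-1/wlan0-1 ever print a "RADIUS Authentication server" line. To use it on a live router, replace HOSTAPD_CONF with the contents of /var/run/hostapd-phy0.conf and /var/run/hostapd-phy1.conf after "wifi" has been run.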
_______________________________________________
PacketFence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users