With Frederic's tip below we were able to easily modify the hostapd.sh
script shipped with OpenWRT 15.05 to include some bits to set up RADIUS
configuration for unencrypted SSIDs and support the current 15.05 bridge
naming configuration as described on the OpenWRT wiki.

Details follow,

cheers,
Ian

Basically we took the case none) from hostapd_set_bss_options in the 14.07
packetfence hostapd.sh and applied it to the stable 15.05 /lib/netifd/hostapd.sh
script shipped with 15.05.

We noticed that vlan_naming was missing from the 14.07pf version (possible
bug) in the json_get_vars, so we fixed that and also added the vlan_bridge
config option used in 15.05 for bridge naming. We then overwrote the
[ -n "$dynamic_vlan" ] && { section in none) with the same from the 15.05
eap) to get the bridge naming to work as designed in 15.05.

We attached our modified hostapd.sh script here.

A 15.05 version should be an easy commit for the pf maintainers to add a
new version to github.   We opted to modify the 15.05 script as there were
a few other enhancements and features added by OpenWRT since 14.07 to the
hostapd.sh script we could see in the diff, so preserving those seemed like
the logical update path rather than replacing with the older version.

The modification just adds the required options to
/var/run/hostapd-phy[0|1].conf
when they are defined in /etc/config/wireless, so it will not break
anything.  Should work with any Chaos Calmer build/device.

Below we have the output of logread showing the initial radius sessions
being setup during wifi init, followed by a single client session being
added when connecting to OpenWRT-OPEN.

We have also included the bridge output showing the dynamic vlan change to
our Registration VLAN as well as the packetfence radius response log
indicating the correct parameters to set our registration VLAN 81.

root@Archer1632# logread

Restarting Wifi (executing "wifi" on command line)

daemon.notice netifd: radio0 (2284): Configuration file:
/var/run/hostapd-phy0.conf
kern.warn kernel: [  676.320000] ath10k_pci 0000:01:00.0: otp stream is
empty, using board.bin contents
kern.info kernel: [  677.390000] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is
not ready
daemon.notice netifd: radio0 (2284): wlan0: interface state
UNINITIALIZED->COUNTRY_UPDATE
daemon.notice netifd: radio0 (2284): wlan0: interface state
COUNTRY_UPDATE->HT_SCAN
daemon.notice netifd: radio1 (2309): Configuration file:
/var/run/hostapd-phy1.conf
daemon.notice netifd: radio1 (2309): wlan1: interface state
UNINITIALIZED->COUNTRY_UPDATE
daemon.notice netifd: radio1 (2309): Using interface wlan1 with hwaddr
60:e3:27:2f:16:31 and ssid "OpenWrt-OPEN"
daemon.notice netifd: radio1 (2309): wlan1: RADIUS Authentication server
102.244.196.146:1812
daemon.info hostapd: wlan1: RADIUS Authentication server
102.244.196.146:1812
kern.info kernel: [  677.580000] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is
not ready
kern.info kernel: [  677.610000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link
becomes ready
kern.info kernel: [  677.640000] IPv6: ADDRCONF(NETDEV_UP): wlan1-1: link
is not ready
daemon.info hostapd: wlan1-1: RADIUS Authentication server
102.244.196.146:1812
daemon.info hostapd: wlan1-1: RADIUS Accounting server 102.244.196.146:1813
kern.info kernel: [  677.650000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1-1:
link becomes ready
daemon.notice netifd: radio1 (2309): Using interface wlan1-1 with hwaddr
62:e3:27:2f:16:31 and ssid "OpenWrt-SECURE"
daemon.notice netifd: radio1 (2309): wlan1-1: RADIUS Authentication server
102.244.196.146:1812
daemon.notice netifd: radio1 (2309): wlan1-1: RADIUS Accounting server
102.244.196.146:1813
daemon.notice netifd: radio1 (2309): wlan1: interface state
COUNTRY_UPDATE->ENABLED
daemon.notice netifd: radio1 (2309): wlan1: AP-ENABLED
daemon.info hostapd: wlan0: RADIUS Authentication server
102.244.196.146:1812
daemon.notice netifd: radio0 (2284): Using interface wlan0 with hwaddr
60:e3:27:2f:16:30 and ssid "OpenWrt-OPEN"
daemon.notice netifd: radio0 (2284): wlan0: RADIUS Authentication server
102.244.196.146:1812
kern.info kernel: [  677.720000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link
becomes ready
daemon.info hostapd: wlan0-1: RADIUS Authentication server
102.244.196.146:1812
daemon.info hostapd: wlan0-1: RADIUS Accounting server 102.244.196.146:1813
daemon.notice netifd: radio0 (2284): Using interface wlan0-1 with hwaddr
62:e3:27:2f:16:30 and ssid "OpenWrt-SECURE"
daemon.notice netifd: radio0 (2284): wlan0-1: RADIUS Authentication server
102.244.196.146:1812
daemon.notice netifd: radio0 (2284): wlan0-1: RADIUS Accounting server
102.244.196.146:1813
kern.info kernel: [  677.740000] IPv6: ADDRCONF(NETDEV_UP): wlan0-1: link
is not ready
daemon.notice netifd: radio0 (2284): wlan0: interface state HT_SCAN->ENABLED
kern.info kernel: [  677.770000] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0-1:
link becomes ready
daemon.notice netifd: radio0 (2284): wlan0: AP-ENABLED

Client Connecting to OpenWRT-OPEN

root@Archer1632:~# logread -f
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b RADIUS: VLAN ID 81
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b IEEE 802.11: authenticated
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b IEEE 802.11: associated
(aid 1)
daemon.info hostapd: wlan0: STA f8:16:54:cd:36:0b RADIUS: starting
accounting session 56D5C9FB-00000000
kern.info kernel: [ 3264.210000] device wlan0.81 entered promiscuous mode
kern.info kernel: [ 3264.210000] br-vlan81: port 2(wlan0.81) entered
forwarding state
kern.info kernel: [ 3264.220000] br-vlan81: port 2(wlan0.81) entered
forwarding state
daemon.notice netifd: Bridge 'br-vlan81' link is up
daemon.notice netifd: Interface 'vlan81' has link connectivity
kern.info kernel: [ 3266.220000] br-vlan81: port 2(wlan0.81) entered
forwarding state

Bridge Output just after Client Connecting

root@Archer1632:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.60e3272f1632       no              eth1
br-vlan80       7fff.60e3272f1633       no              eth0.80
br-vlan81       7fff.60e3272f1633       no              eth0.81
                                                        wlan0.81
br-vlan82       7fff.60e3272f1633       no              eth0.82

Packetfence Logs Showing Radius Autz Request

packetfence4:/usr/local/pf/logs# tail -f packetfence.log
httpd.aaa(3236) INFO: [mac:f8:16:54:cd:36:0b] handling radius autz request:
from switch_ip => (102.244.196.147), connection_type =>
Wireless-802.11-NoEAP,switch_mac => (60:e3:27:2f:16:30), mac =>
[f8:16:54:cd:36:0b], port => 0, username => "f81654cd360b", ssid =>
OpenWrt-OPEN (pf::radius::authorize)
httpd.aaa(3236) INFO: [mac:f8:16:54:cd:36:0b] does not yet exist in
database. Adding it now (pf::radius::authorize)
httpd.aaa(3236) INFO: [mac:f8:16:54:cd:36:0b] is of status unreg; belongs
into registration VLAN (pf::role::getRegistrationRole)
httpd.aaa(3236) INFO: [mac:f8:16:54:cd:36:0b] (102.244.196.147) Added VLAN
81 to the returned RADIUS reply (pf::Switch::returnRadiusAccessAccept)
httpd.aaa(3236) INFO: [mac:f8:16:54:cd:36:0b] (102.244.196.147) Returning
ACCEPT with VLAN 81  (pf::Switch::returnRadiusAccessAccept)

Our OpenWRT /etc/config/network and /etc/config/wireless are in this post
https://sourceforge.net/p/packetfence/mailman/message/34895965/


On Tue, Mar 1, 2016 at 9:35 AM, Frederic Hermann <[email protected]>
wrote:

> Hi Ian,
>
> I think it's all about the hostapd.sh script on the openwrt.
>
> We use packetfence with a custom openwrt firmware based on Barrier Breaker
> (14.07) and we had to replace  the hostapd.sh to enable radius-based
> MAC-auth  on open SSID.
>
> If you edit the original hostapd.sh provided by openwrt, you will see that
> all the radius configuration is not used when there is no encryption
> protocol.
>
> You should probably use the hostapd.sh provided by packetfence (
> https://github.com/inverse-inc/packetfence/blob/devel/addons/hostapd/hostapd-14.07.sh)
> and try to make it work with openwrt 15.05.
>
> hope this help.
>
> ------------------------------
>
> *From: *"Ian MacDonald" <[email protected]>
> *To: *[email protected]
> *Sent: *Monday 29 February 2016 23:26:58
> *Subject: *[PacketFence-users] PF 5.7 / Hostapd - Progress w/ 2 Radius
> Questions
>
> Further to our last post, we are trying to get Packetfence working with
> OpenWRT 15.05 hostapd.
>
> We have read all the following sources in addition to Google and Mailing
> List searches on information related to Hostapd integration:
>
> PacketFence_Administration_Guide-5.7.0.pdf
> PacketFence_Network_Devices_Configuration_Guide-5.7.0.pdf
> PacketFence_Inline_Deployment_Quick_Guide_ZEN-5.7.0.pdf
> PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.asciidoc
> <https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_OpenWrt-Hostapd_Quick_Install_Guide.asciidoc>
> OpenWRT Dynamic VLAN Hostapd Explanation
> <https://wiki.openwrt.org/doc/howto/wireless.security.8021x#x_dynamic_vlans_on_an_openwrt_router>
>
> In our recent post to the list we had a number of questions related to the
> correct configuration of OpenWRT to get dynamic vlans working with
> Packetfence.  These were answered on the OpenWRT Dynamic VLAN wiki page
> referenced in Earl Robinson's post
> <https://sourceforge.net/p/packetfence/mailman/message/34123618/>, linked
> above.
>
> We are at the point where a RADIUS Session is established between OpenWRT
> and Packetfence for secure SSIDs, but nothing is happening when connecting
> clients to our open SSID.
>
> Q1) Does OpenWRT setup a Radius connection for the open SSIDs? (we think
> it should)
> Q2) Do we need to pre-bind the open SSIDs to the registration VLAN (we
> don't think so, and expect hostapd to do that with a
> Tunnel-Private-Group-ID parameter via radius)
>
> We are expecting a radius session for the open SSID to program OpenWRT
> with the registration vlan, however we are seeing no activity, and it
> appears that radius is only being setup for the secure SSIDs.
> (...)

Attachment: hostapd-15.05_pf_imac.sh
Description: Bourne shell script
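As an added illustration (not the attached hostapd-15.05_pf_imac.sh and not PacketFence's own script), a minimal POSIX-shell function that does what the none) case described above must do: emit the RADIUS MAC-auth and dynamic VLAN options for an open SSID only when the matching /etc/config/wireless values are set. The variable names (auth_server, auth_port, auth_secret, acct_server, acct_port, acct_secret, nasid, dynamic_vlan, vlan_naming, vlan_bridge, vlan_tagged_interface) are assumed to be those hostapd.sh reads via json_get_vars; the emitted keys are standard hostapd.conf options, and the server address and secret are constructed values.

```shell
#!/bin/sh
# Added example, not the attached script: emulate the none) case of
# hostapd_set_bss_options for an open SSID.  Variable names follow the
# /etc/config/wireless options that hostapd.sh reads via json_get_vars
# (assumed here); output lines are standard hostapd.conf options.

# emit_open_bss_radius_options: print the hostapd options that make an
# unencrypted BSS authenticate clients by MAC against RADIUS and apply
# the VLAN carried in the Access-Accept (Tunnel-Private-Group-ID).
# Prints nothing and returns 1 when no auth_server is configured, so a
# plain open SSID without RADIUS settings is left untouched.
emit_open_bss_radius_options() {
    [ -n "$auth_server" ] || return 1

    echo "macaddr_acl=2"                        # accept/deny decided by RADIUS
    echo "auth_server_addr=$auth_server"
    echo "auth_server_port=${auth_port:-1812}"
    echo "auth_server_shared_secret=$auth_secret"
    [ -n "$nasid" ] && echo "nas_identifier=$nasid"

    if [ -n "$acct_server" ]; then              # accounting is optional
        echo "acct_server_addr=$acct_server"
        echo "acct_server_port=${acct_port:-1813}"
        echo "acct_server_shared_secret=${acct_secret:-$auth_secret}"
    fi

    # dynamic_vlan: 0 = off, 1 = optional, 2 = required (hostapd semantics)
    if [ "${dynamic_vlan:-0}" -gt 0 ]; then
        echo "dynamic_vlan=$dynamic_vlan"
        echo "vlan_naming=${vlan_naming:-1}"        # wlan0.81 style names
        echo "vlan_bridge=${vlan_bridge:-br-vlan}"  # 15.05 naming: br-vlan81
        [ -n "$vlan_tagged_interface" ] && \
            echo "vlan_tagged_interface=$vlan_tagged_interface"
    fi
    return 0
}

# Stand-alone demo with constructed values (no real RADIUS server).
auth_server=192.0.2.10 auth_secret=constructed-secret
dynamic_vlan=1 vlan_bridge=br-vlan vlan_tagged_interface=eth0
emit_open_bss_radius_options
```

In the real script the same lines would be appended to the bss_conf that ends up in /var/run/hostapd-phyN.conf; the point is that they are written regardless of the encryption setting.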

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
