Attached is a modified /lib/netifd/hostapd.sh that will allow you to have a captive portal on a single radio with OpenWRT, authenticating by email. It seems to work with just about any OpenWRT device, allowing a lot of flexibility across hardware and wireless radios. Maybe this will be useful for others.
If you diff the current hostapd.sh of 19.07.8 against the attached one, it is pretty straightforward to cut and paste the "none)" auth section with the radius bits into any OpenWRT hostapd.sh version. We have not checked whether you can add another wan IP to let hostapd handle CoA on two radios, and set up the single AP as two switches in PF with different NAS IDs, but the last time we checked, at 17.x, the one-radio configuration was all we could muster to make CoA work.

The configuration example below applies to the 5GHz radio on a ZyXEL NBG6817 (Armor Z2), where its logical wan is kernel interface eth0 connected via switch port 0 and the physical WAN port is connected via switch port 5, with the tagged PF VLANs (70-72) and a tagged local access network VLAN (73) passing through the switch chip ('0t 5t').

A complementary /etc/config/wireless:

    config wifi-iface 'default_radio0'
        option device radio0
        option mode 'ap'
        option encryption 'none'
        # VLAN mapping file and the tagged parent interface for dynamic VLANs
        option vlan_file '/etc/config/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'
        # 2 = VLAN assignment from RADIUS is required; clients without one are rejected
        option dynamic_vlan '2'
        option auth_port '1812'
        option auth_server '<<PFMGMTIP>>'
        option auth_secret '<<RadiusSecret>>'
        # Dynamic Authorization (CoA/Disconnect) listener, RFC 5176 port 3799
        option dae_port '3799'
        option dae_client '<<PFMGMTIP>>'
        option dae_secret '<<RadiusSecret>>'
        option acct_port '1813'
        option acct_server '<<PFMGMTIP>>'
        option acct_secret '<<RadiusSecret>>'
        option nasid '<<APHostname>>'
        option ssid '<<SSIDfromConnectionProfile>>'

Additionally, you will want to ensure your OpenWRT firewall allows connections from your PF server for CoA/accounting sessions in /etc/config/firewall. The blanket rules below allow for ssh, http, etc. as well.
    # Accept everything (icmp, any tcp, any udp) from the PF management address on wan
    config rule
        option name 'PF_1'
        option src 'wan'
        option src_ip '<<PFMGMTIP>>'
        option family 'ipv4'
        option proto 'icmp'
        option target 'ACCEPT'

    config rule
        option name 'PF_2'
        option src 'wan'
        option src_ip '<<PFMGMTIP>>'
        option family 'ipv4'
        option proto 'tcp'
        option target 'ACCEPT'

    config rule
        option name 'PF_3'
        option src 'wan'
        option src_ip '<<PFMGMTIP>>'
        option family 'ipv4'
        option proto 'udp'
        option target 'ACCEPT'

You will need to define this configuration for VLAN changes; wlan0 = radio0 from the wireless config. The wildcard line maps any VLAN ID the RADIUS server assigns to an interface named wlan0.<id>:

    PF_AP# cat /etc/config/hostapd.vlan
    *	wlan0.#

You will need to drop in hostapd in place of wpad-basic; drop in your modified hostapd.sh after this step.

    opkg update
    opkg remove wpad-basic wpad-basic-wolfssl
    opkg install wpad hostapd-common

You might want some extra tools; these are optional but may be helpful:

    opkg install luci ipset screen iftop tcpdump curl mtr wget ca-certificates diffutils iperf3 iwinfo snmpd ethtool sqm-scripts luci-app-sqm

Optionally add the hostapd.sh path to sysupgrade.conf if you want it to hang around across upgrades.

In this instance, the AP network configuration uses a trunk on wan; understanding the nuances of the switch chip and kernel network interfaces makes this unique to the device. In this case, the PF management network is VLAN 70, Registration is VLAN 71, Isolation is VLAN 72 and VLAN 73 provides Internet access. It is not inline, so VLAN 73 is the unprotected, normal network that has DNS/DHCP, etc. provided to clients independently of the PacketFence configuration.
Excerpts from /etc/config/network are below:

    # Management: the AP's own address lives on the tagged PF management VLAN
    config interface 'wan'
        option force_link '1'
        option proto 'static'
        option ipaddr '<<SWITCH_IP>>'
        option netmask '255.255.255.0'
        option gateway '<<MGMT_GW>>'
        option dns '<<DNS>>'
        option ifname 'eth0.70'

    # Registration, isolation and Internet-access VLANs, bridged so wlan0.<id> can join them
    config interface 'vlan71'
        option type 'bridge'
        option force_link '1'
        option ifname 'eth0.71'

    config interface 'vlan72'
        option force_link '1'
        option type 'bridge'
        option ifname 'eth0.72'

    config interface 'vlan73'
        option type 'bridge'
        option force_link '1'
        option ifname 'eth0.73'

    # All four VLANs tagged between the CPU port (0) and the physical WAN port (5)
    config switch_vlan
        option device 'switch0'
        option vlan '70'
        option ports '0t 5t'
        option vid '70'

    config switch_vlan
        option device 'switch0'
        option vlan '71'
        option ports '0t 5t'
        option vid '71'

    config switch_vlan
        option device 'switch0'
        option vlan '72'
        option ports '0t 5t'
        option vid '72'

    config switch_vlan
        option device 'switch0'
        option vlan '73'
        option ports '0t 5t'
        option vid '73'

You can use logread and tcpdump to debug and/or watch the RADIUS/CoA interactions.

The PacketFence side requires the appropriate switch, connection profiles, auth, smtp, certs, interfaces, etc., where we use the email address to authorize access for 1D beyond the default 10 min. Although we configure by GUI, some hints at the resulting configuration are below that may be helpful when looking at your own resulting configuration.
profiles.conf

    [<<ConnectionProfile>>]
    filter=ssid:<<SSIDfromConnectionProfile>>
    sources=email

switches.conf

    [group <<switchgroup>>]
    registrationVlan=71
    deauthMethod=RADIUS
    isolationVlan=72
    other_deviceVlan=73
    guestVlan=73
    gamingVlan=73
    customerVlan=73
    defaultVlan=73
    radiusSecret=<<RadiusSecret>>
    mode=production
    type=Hostapd

authentication.conf

    [email]
    description=Email-based registration
    email_activation_timeout=10m
    type=Email
    allow_localdomain=yes
    create_local_account=no
    password_length=8
    local_account_logins=0
    hash_passwords=bcrypt
    dynamic_routing_module=AuthModule

    [email rule catchall]
    description=
    class=authentication
    match=all
    action0=set_role=guest
    action1=set_access_duration=1D

pf.conf

    [captive_portal]
    wispr_redirection=enabled
    network_redirect_delay=20s

    [fencing]
    wait_for_redirect=15
Attachment: hostapd-19.07.8.sh (application/shellscript)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
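The post relies on PacketFence pushing RADIUS Disconnect/CoA messages to hostapd's DAE listener (dae_port 3799 above), which is also what the logread/tcpdump debugging step is watching. The following is an added example, not code from the post, from the attached hostapd.sh or from PacketFence: it builds a Disconnect-Request exactly as RFC 5176 lays it out, with the Message-Authenticator computed first over the packet with both integrity fields zeroed and the Request Authenticator computed afterwards over the finished packet, and it verifies such a request the way hostapd's radius_das code does before accepting it. The secret, NAS-Identifier and station MAC are placeholders; the Event-Timestamp attribute is included because hostapd requires it (and the Message-Authenticator) by default and rejects requests outside its time window.

```python
"""RADIUS Dynamic Authorization (Disconnect/CoA) packets for hostapd's DAE
listener (RFC 5176). Added example for this thread, not part of the posted
hostapd.sh or of PacketFence; secret, NAS-Identifier and MAC are placeholders."""
import hashlib
import hmac
import os
import socket
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_NAS_IDENTIFIER = 1, 31, 32
ATTR_EVENT_TIMESTAMP, ATTR_MESSAGE_AUTHENTICATOR, ATTR_ERROR_CAUSE = 55, 80, 101
HDR = struct.Struct("!BBH16s")  # code, identifier, length, authenticator
ZERO16 = bytes(16)


def tlv(attr_type, value):
    """Encode one attribute as type, length, value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def parse_attrs(payload):
    """Return [(type, value)] from the attribute section of a packet."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        out.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return out


def event_timestamp(ts=None):
    """Event-Timestamp value: hostapd requires it by default and rejects
    requests outside radius_das_time_window (300 s) of its own clock."""
    return struct.pack("!I", int(time.time() if ts is None else ts))


def build_das_request(code, identifier, secret, attrs):
    """Disconnect-Request/CoA-Request, integrity fields in RFC 5176 order:
    Message-Authenticator = HMAC-MD5 over the packet with the authenticator
    field and its own value zeroed; then Request Authenticator = MD5 over the
    finished packet (authenticator zeroed) plus the shared secret."""
    body = b"".join(tlv(t, v) for t, v in attrs)
    length = HDR.size + len(body) + 18  # 18 = Message-Authenticator TLV
    zero_pkt = HDR.pack(code, identifier, length, ZERO16) + body + tlv(ATTR_MESSAGE_AUTHENTICATOR, ZERO16)
    ma = hmac.new(secret, zero_pkt, hashlib.md5).digest()
    body += tlv(ATTR_MESSAGE_AUTHENTICATOR, ma)
    req_auth = hashlib.md5(HDR.pack(code, identifier, length, ZERO16) + body + secret).digest()
    return HDR.pack(code, identifier, length, req_auth) + body


def verify_das_request(packet, secret):
    """Check a request as hostapd's radius_das does: Request Authenticator
    first, then exactly one Message-Authenticator that verifies."""
    code, ident, length, auth = HDR.unpack_from(packet)
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    body = packet[HDR.size:]
    want = hashlib.md5(HDR.pack(code, ident, length, ZERO16) + body + secret).digest()
    if not hmac.compare_digest(want, auth):
        return False
    attrs = parse_attrs(body)
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False  # missing (by default) or duplicated Message-Authenticator is rejected
    zero_body = b"".join(tlv(t, ZERO16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    ma = hmac.new(secret, HDR.pack(code, ident, length, ZERO16) + zero_body, hashlib.md5).digest()
    return hmac.compare_digest(ma, mas[0])


def build_response(code, request, secret, attrs=()):
    """ACK/NAK for `request`: Response Authenticator = MD5 over the response
    carrying the request's authenticator in its header, plus the secret.
    hostapd builds the real ones; this exists to exercise verify_response."""
    _, ident, _, req_auth = HDR.unpack_from(request)
    body = b"".join(tlv(t, v) for t, v in attrs)
    length = HDR.size + len(body)
    resp_auth = hashlib.md5(HDR.pack(code, ident, length, req_auth) + body + secret).digest()
    return HDR.pack(code, ident, length, resp_auth) + body


def verify_response(response, request, secret):
    """True if `response` answers `request` (same identifier) and its
    Response Authenticator checks out under `secret`."""
    code, ident, length, resp_auth = HDR.unpack_from(response)
    _, req_ident, _, req_auth = HDR.unpack_from(request)
    if length != len(response) or ident != req_ident:
        return False
    body = response[HDR.size:]
    want = hashlib.md5(HDR.pack(code, ident, length, req_auth) + body + secret).digest()
    return hmac.compare_digest(want, resp_auth)


def disconnect_station(ap_ip, secret, nasid, mac, port=3799, timeout=3.0):
    """Kick one station off the AP. Returns 41 (ACK), 42 (NAK) or None on
    timeout/bad authenticator. Network I/O; not run by the offline check."""
    attrs = [(ATTR_NAS_IDENTIFIER, nasid.encode()),        # must equal the AP's nasid
             (ATTR_CALLING_STATION_ID, mac.encode()),      # hostapd's format: AA-BB-CC-DD-EE-FF
             (ATTR_EVENT_TIMESTAMP, event_timestamp())]
    req = build_das_request(DISCONNECT_REQUEST, os.urandom(1)[0], secret, attrs)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (ap_ip, port))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return resp[0] if verify_response(resp, req, secret) else None


def example_exchange(secret=b"RadiusSecret"):
    """Offline round trip on constructed values: the request as PF would send
    it, checked as hostapd would, then a locally built ACK checked as the
    client would. Returns (request, ack, request_ok, ack_ok)."""
    attrs = [(ATTR_NAS_IDENTIFIER, b"PF_AP"),
             (ATTR_CALLING_STATION_ID, b"02-00-00-00-00-01"),
             (ATTR_EVENT_TIMESTAMP, event_timestamp(1700000000))]
    req = build_das_request(DISCONNECT_REQUEST, 7, secret, attrs)
    ack = build_response(DISCONNECT_ACK, req, secret)
    return req, ack, verify_das_request(req, secret), verify_response(ack, req, secret)


if __name__ == "__main__":
    req, ack, ok_req, ok_ack = example_exchange()
    print(f"request {len(req)} bytes verified={ok_req}; ack verified={ok_ack}")
```

To exercise a live AP, call disconnect_station('<<SWITCH_IP>>', b'<<RadiusSecret>>', '<<APHostname>>', 'AA-BB-CC-DD-EE-FF') from the PF management address (the only dae_client hostapd will answer) while watching logread on the AP; a 42 with Error-Cause 503 means hostapd accepted the message but found no such session, which is the usual symptom of a NAS-Identifier or MAC format mismatch rather than a secret problem.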