I'm trying to set up dynamic wireless VLANs using MAC address RADIUS authentication. This must be a fairly common scenario - trusted clients (e.g. laptops) with a recognised MAC address join the trusted LAN, whereas anything else (mobile phones, Amazon Echo etc.) go into an untrusted "Hot LAN" with Internet access but not much else. This avoids having to have multiple SSIDs on the wireless AP. I'm following guidance here Wi-Fi: Hostapd VLAN for guest network and here Dynamic VLAN Tagging but can't find a clear step-by-step guide, certainly not in the context of ClearOS 7.
I already have a bridge (br0) containing all the physical Ethernet NICs on the firewall/router + the wireless AP running on hostapd. I've installed FreeRADIUS and my users file looks like this:
$INCLUDE /etc/raddb/clearos-users
002314c4cc90 Auth-Type := Accept
DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1
RADIUS is obviously very sensitive to correct syntax and it took a lot of trial and error (including getting indentation right) before radiusd would even start. It does, so I am reasonably sure the syntax is correct, but not as to whether it actually does the right thing as I haven't used RADIUS before.
I created a hostapd.vlan file referenced from hostapd.conf containing the following:
1 wlan0.1 br0
* wlan0.#
wlan0.1 gets created, but doesn't get added to br0. I'm not sure if the syntax is correct as I couldn't find a working example anywhere, nor what the precedence is between the .vlan file and other VLAN bridge settings in hostapd.conf. The "untrusted" VLAN (which should be wlan0.1000 I think) never gets created, even if I try to connect from a device not specified in RADIUS.
I can't see any wireless in the IP Settings screen - at first I thought the fix to Iface.php mentioned here running 7.3 home, wifi interface is not showing up under ip setting or dhcp hadn't been applied, but on looking at the documentation it seems wireless is intentionally removed from IP Settings in the current release. That isn't a problem (most of the settings would have to be done in config files anyway) but as the VLANs are dynamic they never leave any config files in /etc/sysconfig/network-scripts and it's not possible to see or change the bridge setup.
I suspect I'm getting fairly close but may be getting syntax wrong somewhere. Grateful for any suggestions. If I can get this working I'm happy to write it up as a "How to" guide as it does seem like it could be a common requirement.
Thanks,
Andrew
Responses (11)
-
Accepted Answer
Everything to do with the naming of the guest VLAN/bridge is governed by the Tunnel-Private-Group-ID setting in RADIUS. wlan0.1 is named so because "1" is what comes from RADIUS, and the

* wlan0.#

in hostapd.vlan dynamically creates the VLAN using that ID. The "1" is also appended to "br" to get the bridge interface name.
If I change the ID to "99" in RADIUS

DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 99

everything is created using "99" in the name.
The bridge interface is normally statically defined as well in order to set IP address, DHCP etc. Hostapd doesn't seem to mind - if the bridge is already defined it brings it up and joins it, if not it creates it automatically (although without IP settings it can't do much). This is pretty much what happens anyway in default Hostapd without any VLANs - there isn't a "ifcfg-wlp6s0" file as the bridge used by the wireless LAN is set in hostapd.conf, and any wired NICs that belong have a "BRIDGE=" line in their ifcfg file.

[root@gateway hostapd]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00301806f618       no              eno1
                                                        enp2s0
                                                        enp3s0
                                                        enp4s0
                                                        enp5s0
                                                        enp7s0
                                                        wlp6s0
br1             8000.000000000000       no
br99            8000.6c3b6be6cccc       no              wlan0.99

As mentioned previously it should be possible to assign the bridge directly in hostapd.vlan (though I can't get that to work) and also to define VLAN names statically. However if only simple setup is needed this is much simpler and more reliable - if I need to "move" the guest LAN to a different name there are only a couple of places I need to make a simple change ("Tunnel-Private-Group-ID" value in RADIUS, and the name of the "ifcfg-br" file).
-
Accepted Answer
Doesn't the VLAN ID "1" just indicate the .1 after wlan0, so wlan0.1? I don't think it indicates the 1 in br1. If for example you already have br0, br1, and br2 defined and the base WiFi is allocated to br1, what tells this set up to use br3? Or will it still use (incorrectly) br1 or even br2. I am not following the logic of how the bridged interface is chosen.
Not having tried it as I don't have the set up, but shouldn't either vlan_tagged_interface be set to br1, or the * should be something to indicate br1 in /etc/hostapd.vlan? ..... or is that the function of "Tunnel-Private-Group-ID = 1"?
-
Accepted Answer
I replied directly to Nick with comments on the draft "howto".
In this configuration RADIUS will only ever assign devices to a single VLAN, with VLAN ID "1", and as the default name prefix for bridged VLAN interfaces in Hostapd is "br", we know that any unrecognised/untrusted MACs will go into VLAN wlan0.1 and that that will be added to bridge br1. Apparently it should be possible to assign VLANs to bridge interfaces directly in hostapd.vlan but I can't get that to work or find any documentation. But in any case this method is probably better as it is automatic and ensures systematic naming.
-
Accepted Answer
Can you look at the draft howto here and give feedback. I have copied and pasted where possible.
Unless it is automatic, how does wlan0.1 know it has to attach itself to br1?
-
Accepted Answer
HOWTO - Guest WiFi VLAN using RADIUS
This is how I set up a dynamic wireless VLAN using MAC address RADIUS authentication for "guest" access. The objective is for trusted clients (e.g. laptops) with a recognised MAC address to join the trusted LAN, whereas anything else (mobile phones, Amazon Echo etc.) goes into an untrusted "Hot LAN" where they can access the Internet, and each other, but not much else. This avoids having to have multiple SSIDs on the wireless AP, and minimises the impact if the passphrase does get compromised. This does not cover setting up RADIUS for WPA-EAP or LDAP user authentication - though that could no doubt be done as well. I followed guidance here Wi-Fi: Hostapd VLAN for guest network and here Dynamic VLAN Tagging but this is what worked for me in the context of ClearOS 7.
hostapd and RADIUS both need to be installed, as well as utilities such as iw and brctl if not already present. I already have a bridge (br0) containing all the physical Ethernet NICs on the firewall/router + the wireless AP running on hostapd. br0 is the single internal LAN, using DHCP for IP address assignment (with permanent leases for known MAC addresses).
First of all check your gateway wireless NIC supports VLANs - run "iw list" and look for "AP/VLAN" under "Supported interface modes:":

iw list
:
Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
* P2P-client

In hostapd.conf leave the "bridge=" and "interface=" settings unaltered:

# Customize these for your local configuration...
bridge=br0
interface=wlp6s0
hw_mode=g
channel=9
ssid=MySSID

br0 will still be used for the trusted wireless clients.
Enter the general configuration details for the RADIUS server. As this is located on the ClearOS gateway it uses the loopback IP address:

# RADIUS authentication server
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=ItsASecret
Now enter the VLAN configuration:

# VLAN Configuration #
#
# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
# is used for the stations. This information is parsed from following RADIUS
# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can
# be used to set static client MAC address to VLAN ID mapping.
# 0 = disabled (default)
# 1 = option; use default interface if RADIUS server does not include VLAN ID
# 2 = required; reject authentication if RADIUS server does not include VLAN ID
dynamic_vlan=1
# Station MAC address -based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=2
# Bridge (prefix) to add the wifi and the tagged interface to. This gets the
# VLAN ID appended. It defaults to brvlan%d if no tagged interface is given
# and br%s.%d if a tagged interface is given, provided %s = tagged interface
# and %d = VLAN ID.
vlan_bridge=br
# VLAN interface list for dynamic VLAN mode is read from a separate text file.
# This list is used to map VLAN ID from the RADIUS server to a network
# interface. Each station is bound to one interface in the same way as with
# multiple BSSIDs or SSIDs. Each line in this text file is defining a new
# interface and the line must include VLAN ID and interface name separated by
# white space (space or tab).
# If no entries are provided by this file, the station is statically mapped
# to <bss-iface>.<vlan-id> interfaces.
# Each line can optionally also contain the name of a bridge to add the VLAN to
vlan_file=/etc/hostapd/hostapd.vlan

"macaddr_acl=2" tells hostapd to use RADIUS for MAC authentication, rather than an accept/deny file, and "dynamic_vlan=1" tells it to leave recognised MACs (which don't get a VLAN tag) on the default wireless LAN. hostapd automatically creates a bridge for each wireless VLAN and "vlan_bridge=br" overrides the default prefix used together with the VLAN ID from RADIUS to form the name. "vlan_file=/etc/hostapd/hostapd.vlan" tells hostapd where the VLAN definition file is located. My hostapd.vlan contains a single line

* wlan0.#

which creates a separate dynamic VLAN for each VLAN ID it gets from RADIUS. This will only create the VLAN(s) if there is anything to go into them; a line like "1 wlan0.1" would create wlan0.1 unconditionally.
In the /etc/raddb/users file (actually a symlink to /etc/raddb/mods-config/files/authorize) comment out the line "$INCLUDE /etc/raddb/clearos-users". This is the only line in the ClearOS factory implementation, which is oriented for LDAP user authentication. Then add a line for each trusted wireless client MAC address, followed by a default section to assign a VLAN tag to unrecognised/untrusted MACs.

# $INCLUDE /etc/raddb/clearos-users
# List trusted MAC addresses here
:
801f02611e88 Auth-Type := Accept # Edimax Nano USB
002314c4cc90 Auth-Type := Accept # Andrew Dell laptop
:
DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1

RADIUS is very sensitive to correct syntax (including indentation) and the trusted MAC addresses must come before the "DEFAULT" section. Any trusted MAC address is accepted and joins the default wireless LAN. Anything else is accepted and tagged with VLAN ID 1, and added by hostapd to VLAN wlan0.1 and bridge br1. NB: "Default" in hostapd refers to recognised MAC addresses, whereas in RADIUS "DEFAULT" refers to the unrecognised ones. Also, in this setup RADIUS doesn't do any further authentication of supplicants who know the PSK, but just determines which interface they connect to.
As I know which bridge any unrecognised/untrusted MACs will go into (br1) I can configure that as my "guest" LAN as normal in /etc/sysconfig/network-scripts/ifcfg-br1

DEVICE=br1
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
IPADDR="192.168.a.b"
NETMASK="255.255.p.q"

This setup means that I could also have a wired port(s) in the "guest" LAN this way if necessary, by having a line "BRIDGE=br1" in their ifcfg file. In my case the "Hot LAN" role is exactly what I want (untrusted devices can access the Internet, and each other at TCP/IP level and above, but nothing else) so I set that in /etc/clearos/network.conf:

# Network interface roles
EXTIF="ppp0"
LANIF="br0"
DMZIF=""
HOTIF="br1"

I can now see the correct interfaces in each bridge:

[root@gateway ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00301806f618       no              eno1
                                                        enp2s0
                                                        enp3s0
                                                        enp4s0
                                                        enp5s0
                                                        enp7s0
                                                        wlp6s0
br1             8000.6c3b6be6cccc       no              wlan0.1

You can't see the wireless interfaces in ClearOS IP Settings as that currently doesn't display wireless NICs.
Obviously this will only work if the trusted clients have static MAC addresses, so MAC address randomisation needs to be disabled on these. If using Network Manager in Fedora add

[connection]
wifi.cloned-mac-address=permanent

to /etc/NetworkManager/NetworkManager.conf to force use of the physical MAC address. It would be nice to use physical MAC with the "home" SSID and randomise otherwise, but I don't think that is possible.
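A small checker for the two things this HOWTO hinges on, added here as an example and not taken from the thread, hostapd or FreeRADIUS: that the users file lists trusted MACs before DEFAULT and gives the three tunnel attributes, and that the bridge hostapd names from the vlan_bridge prefix plus the VLAN ID really contains wlan0.<id> in brctl show output. The sample users file and brctl output are constructed from the HOWTO's values; the BSS name wlan0, the prefix br and the 12-hex-digit MAC form are assumptions matching it.

```python
import re

# Constructed sample input, modelled on the HOWTO's users file and brctl output.
USERS = """002314c4cc90 Auth-Type := Accept # Andrew Dell laptop
DEFAULT Auth-Type := Accept
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-ID = 1
"""
BRCTL = """bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0\t\t8000.00301806f618\tno\t\teno1
\t\t\t\t\t\t\twlp6s0
br1\t\t8000.6c3b6be6cccc\tno\t\twlan0.1
"""
MAC_RE = re.compile(r"^[0-9a-f]{12}\s+Auth-Type\s*:=\s*Accept$", re.I)

def parse_users(text):
    """Return (trusted MACs, DEFAULT reply attributes, errors) for a users file."""
    trusted, attrs, errors, in_default = [], {}, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()              # drop comments
        if not line.strip():
            continue
        if line.startswith("DEFAULT"):                    # catch-all for untrusted MACs
            in_default = True
        elif in_default and line[0] in " \t":             # indented reply item
            name, _, value = line.strip().rstrip(",").partition("=")
            attrs[name.strip()] = value.strip()
        elif MAC_RE.match(line):
            if in_default:                                # DEFAULT already matched it
                errors.append(f"line {n}: MAC entry after DEFAULT is never reached")
            trusted.append(line.split()[0].lower())
        elif line.startswith("$INCLUDE"):                 # ClearOS LDAP include
            errors.append(f"line {n}: $INCLUDE still active; the HOWTO comments it out")
    return trusted, attrs, errors

def parse_brctl(text):
    """Map bridge name -> member interfaces from 'brctl show' output."""
    bridges, cur = {}, None
    for line in text.splitlines()[1:]:                    # skip the header row
        parts = line.split()
        if parts and not line[0].isspace():               # name, id, STP, [iface]
            cur, bridges[parts[0]] = parts[0], set(parts[3:])
        elif parts:                                        # indented extra member
            bridges[cur].update(parts)
    return bridges

def audit(users_text, brctl_text, bss="wlan0", prefix="br"):
    """hostapd names the guest VLAN <bss>.<vid> and bridges it into <prefix><vid> (assumed)."""
    trusted, attrs, errors = parse_users(users_text)
    want = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}   # RFC 3580 values
    errors += [f"{k} must be {v}" for k, v in want.items() if attrs.get(k) != v]
    vid = attrs.get("Tunnel-Private-Group-ID", "")
    if not (vid.isdigit() and 1 <= int(vid) <= 4094):
        errors.append("Tunnel-Private-Group-ID must be a VLAN ID in 1..4094")
        return trusted, None, errors
    members = parse_brctl(brctl_text).get(f"{prefix}{vid}", set())
    if f"{bss}.{vid}" not in members:
        errors.append(f"{bss}.{vid} is not bridged into {prefix}{vid}")
    return trusted, int(vid), errors
```

Feed it the real users file and the output of brctl show after a guest device has associated; an empty error list means the naming chain from RADIUS to bridge is intact.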
-
Accepted Answer
1) With this config hostapd would create br1 automatically, but it wouldn't be much use. I define it in /etc/sysconfig/network-scripts so I can assign IP address, set up DHCP etc.
2) All the individual NIC config files (/etc/sysconfig/network-scripts/ifcfg-eno1 etc.) contain a line "BRIDGE=br0". The setup in 1) above also means that I could have a wired port(s) in the untrusted "Hot" LAN this way if necessary.
UPDATE: If 2) means "how do I identify known wireless MACs" these are listed in the RADIUS users file before the "DEFAULT" section that assigns the VLAN ID e.g.

# $INCLUDE /etc/raddb/clearos-users
# List trusted MAC addresses here
002314c4cc90 Auth-Type := Accept # Andrew Dell laptop
DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1

I guess it would be possible to put the known stations into a VLAN as well but no need if you just want a binary separation.
-
Accepted Answer
Turns out (as usual) to be less complicated than I had expected.
Leave the normal bridge settings in hostapd - while it's possible to put the trusted MAC addresses into a VLAN you don't have to, and leaving this means that they go into the trusted LAN bridge where they can communicate with wired NICs.
The hostapd.vlan file only needs one line, to define a single dynamic VLAN for any unrecognised MACs:

* wlan0.#

If I make the dynamic VLAN tag in the RADIUS users file to be "1"...

DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1

...and set the bridge prefix for VLANs in hostapd.conf to be "br"...

# Bridge (prefix) to add the wifi and the tagged interface to. This gets the
# VLAN ID appended. It defaults to brvlan%d if no tagged interface is given
# and br%s.%d if a tagged interface is given, provided %s = tagged interface
# and %d = VLAN ID.
vlan_bridge=br

...then the dynamic VLAN automatically gets added to br1, which I can configure as normal in /etc/sysconfig/network-scripts/ifcfg-br1

DEVICE=br1
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="static"
IPADDR="192.168.a.b"
NETMASK="255.255.p.q"

In my case the "Hot LAN" role is exactly what I want (untrusted devices can access the Internet, and each other at TCP/IP level and above, but nothing else) so I set that in /etc/clearos/network.conf:

# Network interface roles
EXTIF="ppp0"
LANIF="br0"
DMZIF=""
HOTIF="br1"

I can now see the correct interfaces in each bridge:

[root@gateway ~]# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00301806f618       no              eno1
                                                        enp2s0
                                                        enp3s0
                                                        enp4s0
                                                        enp5s0
                                                        enp7s0
                                                        wlp6s0
br1             8000.6c3b6be6cccc       no              wlan0.1

You can't see the wireless interfaces in ClearOS IP Settings as that currently doesn't display wireless NICs.
I'll do a cleaned up version of the saga as a how-to guide in case it is useful for anyone else.
-
Accepted Answer
The ClearOS implementation has been designed for user authentication, so connects to LDAP. I think there are a few places where it refers to LDAP ("grep -i ldap /etc/raddb/* -r"), but many of the references are only used if the sites or modules are enabled by symlinking to the ???-enabled folders.
To be honest, your best source of information is probably going to be the freeradius mailing list. Did you also know that you can run Radius in debug mode? I found this essential when troubleshooting the domain implementation, and you will be required to do this if you use the mailing list. There is an even more verbose debug mode but you should not need it unless asked (and they can get upset if you give it initially).
If you do get to the end of your set up, it would be great if you could post back with a howto.
-
Accepted Answer
If I comment out the line

$INCLUDE /etc/raddb/clearos-users

at the top of the RADIUS users file the MAC addresses get checked properly and both VLANs are created. That clearos-users file contains just

DEFAULT LDAP-Group != "allusers", Auth-Type := Reject

As I'm not currently using LDAP for individual user authentication I guess I don't need to worry for now about what it is supposed to do.
I'm still not entirely clear about how stations are assigned to VLANs, and still need to sort out the bridge interfaces so I can use DHCP and firewall rules with them, but definitely progress.
-
Accepted Answer
As you have found, the IP Settings WiFi interface has unfortunately gone. I hope it will reappear sometime in the future, but it is not going to happen for the moment.
I don't really know either Radius or hostapd. I have managed to get hostapd working in the past, and I have had the app-radius working as well, with independent access points and a domain, but please see bug 19821. It is so broken from what was intended that it just about works!
If hostapd is creating the vlans, and you are only going to have a couple, can you manually add them to the bridge using brctl? Or check if hostapd is adding them with a "brctl show".