Differences
| docs:guide-user:network:wifi:wireless.security.8021x [2020/12/30 13:35] – Corrected multiline code blocks, updated wpad info for 19.07 johnfzc | docs:guide-user:network:wifi:wireless.security.8021x [2021/12/03 16:01] – Clarify setting systemcrash | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Introduction to 802.1x ====== | + | ====== Introduction to 802.1X ====== |
| One of the lesser known features of 802.11 security, at least among home and small business users, is the ability to have individual usernames and passwords on a centralized authentication server which can be used by one or more wireless access point. A key advantage of this type of setup is that individual users can be added and removed from wireless access without disrupting other users or re-keying the network, which is why it is popular with enterprise customers. If you have a more complex setup such as Active Directory for user logins, it is possible to connect your wireless network back to your Active Directory server for authenticating these users. | One of the lesser known features of 802.11 security, at least among home and small business users, is the ability to have individual usernames and passwords on a centralized authentication server which can be used by one or more wireless access point. A key advantage of this type of setup is that individual users can be added and removed from wireless access without disrupting other users or re-keying the network, which is why it is popular with enterprise customers. If you have a more complex setup such as Active Directory for user logins, it is possible to connect your wireless network back to your Active Directory server for authenticating these users. | ||
| - | The wireless encryption mode used to support this type of setup is "WPA Enterprise" | + | The wireless encryption mode used to support this type of setup is "WPA Enterprise" |
| Note that the individual usernames and passwords are stored in a RADIUS server which the access point will communicate with to authenticate users. In most cases, this RADIUS server software is running elsewhere on the network (obviously the access point will need to be able to reach it), but it is possible to install and run a RADIUS server on OpenWrt as well. The installation and configuration of a RADIUS server is outside the scope of this document however a few hints will be provided. RADIUS is a standardized protocol which is supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users. A commonly used open source RAIDUS server is FreeRADIUS. | Note that the individual usernames and passwords are stored in a RADIUS server which the access point will communicate with to authenticate users. In most cases, this RADIUS server software is running elsewhere on the network (obviously the access point will need to be able to reach it), but it is possible to install and run a RADIUS server on OpenWrt as well. The installation and configuration of a RADIUS server is outside the scope of this document however a few hints will be provided. RADIUS is a standardized protocol which is supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users. A commonly used open source RAIDUS server is FreeRADIUS. | ||
| + | |||
| + | {{section> | ||
| ===== Prerequisites ===== | ===== Prerequisites ===== | ||
| Before beginning you will want to make sure you have completed the following steps: | Before beginning you will want to make sure you have completed the following steps: | ||
| - | * Installed a RADIUS server such as [[docs: | + | * Installed a RADIUS server such as [[docs: |
| - | * Configured your router as a " | + | * Configured your router as a " |
| * Configured one or more usernames and passwords on the RADIUS server. Note that the user passwords must be stored in a format which matches the format the supplicant is using to check the password. For Windows clients this means you need to store the password as an NT/LM Hash value, for other clients it would usually be Crypt/ | * Configured one or more usernames and passwords on the RADIUS server. Note that the user passwords must be stored in a format which matches the format the supplicant is using to check the password. For Windows clients this means you need to store the password as an NT/LM Hash value, for other clients it would usually be Crypt/ | ||
| - | ===== Basic 802.1x Wireless User Authentication ===== | + | ===== Basic 802.1X Wireless User Authentication ===== |
| Enterprise WPA is not supported by the wpad-mini access point software on OpenWrt so you will need to remove that and install the full version of hostapd: | Enterprise WPA is not supported by the wpad-mini access point software on OpenWrt so you will need to remove that and install the full version of hostapd: | ||
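Review bot: the password-format advice in the Prerequisites list ties the storage format to the client operating system ("For Windows clients this means you need to store the password as an NT/LM Hash value"), but what decides it is the inner EAP method the RADIUS server verifies, and it is the server, not the supplicant, that checks the password. EAP-MSCHAPv2 (the usual inner method under PEAP, on any client OS) needs the NT hash or a cleartext password; the LM hash is never used by MSCHAPv2 and should not be stored. EAP-TTLS with PAP inside can verify against crypt-style hashes. Suggested wording: "the password must be stored in a form the RADIUS server can verify for the EAP method in use: an NT hash or cleartext for PEAP/EAP-MSCHAPv2, a crypt hash also works for EAP-TTLS/PAP". Two smaller points the 802.1x to 802.1X pass missed in the same hunk: "RAIDUS server" should read "RADIUS server", and "including the Microsoft Windows Network Policy Server (NPS) can authenticate" needs a "which" before "can". Finally, the last line of this hunk still tells readers to remove wpad-mini although the previous revision summary says the wpad info was updated for 19.07; on 19.07 and later the default package is a wpad-basic variant, so that name belongs here as well, together with the note that only the full wpad (or hostapd) build carries EAP support.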
| Line 39: | Line 41: | ||
| Where 192.168.1.10 is a previously configured RADIUS server which is expecting connections from this client (router/AP) using the password " | Where 192.168.1.10 is a previously configured RADIUS server which is expecting connections from this client (router/AP) using the password " | ||
| - | ===== 802.1x Dynamic VLANs on an OpenWrt Router ===== | + | ===== 802.1X Dynamic VLANs on an OpenWrt Router ===== |
| ==== Introduction ==== | ==== Introduction ==== | ||
| - | In the following example we'll extend our previous 802.1x wireless network authentication to automatically assign users connecting to the SAME SSID to either the main " | + | In the following example we'll extend our previous 802.1X wireless network authentication to automatically assign users connecting to the SAME SSID to either the main " |
| NOTE: You'll be working on changing the way your router' | NOTE: You'll be working on changing the way your router' | ||
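Review bot: the sentence after the config block calls the value the AP presents to the RADIUS server a "password"; the RADIUS term, and the one the OpenWrt option name uses, is the shared secret, so the text should say "shared secret" so readers can match it to `auth_secret` on the wireless side and to `secret` in the server's client definition. It is also worth one sentence here that the shared secret only authenticates and obfuscates the RADIUS exchange with an MD5-based construction, so the path between the AP and the 192.168.1.10 server should be a trusted segment, not something that is later reachable from the guest VLAN this page goes on to create.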
| Line 71: | Line 73: | ||
| option ports ' | option ports ' | ||
| - | Note that the only port in this VLAN is a tagged connection to the CPU port right now but the router will automatically bridge guest wireless users onto this VLAN following the 802.1x server' | + | Note that the only port in this VLAN is a tagged connection to the CPU port right now but the router will automatically bridge guest wireless users onto this VLAN following the 802.1X server' |
| Next we need to modify the interface configuration in the same file. Because we're now tagging VLAN traffic we need to modify the " | Next we need to modify the interface configuration in the same file. Because we're now tagging VLAN traffic we need to modify the " | ||
| Line 77: | Line 79: | ||
| config interface ' | config interface ' | ||
| option ifname ' | option ifname ' | ||
| - | option type ' | + | |
| - | option proto ' | + | option proto ' |
| - | option ipaddr ' | + | option ipaddr ' |
| We now need to make it: | We now need to make it: | ||
| Line 85: | Line 87: | ||
| config interface ' | config interface ' | ||
| option ifname ' | option ifname ' | ||
| - | option type ' | + | |
| - | option proto ' | + | option proto ' |
| - | option ipaddr ' | + | option ipaddr ' |
| There are TWO important changes to be made here. First, the interface MUST be named " | There are TWO important changes to be made here. First, the interface MUST be named " | ||
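Review bot: in both the "before" and "after" versions of the `config interface 'lan'` block in these two hunks, the new revision drops the `option type` line without a replacement visible in this view, and the "Clarify setting" summary does not say why. If the intent is the 21.02 syntax, where the bridge is declared in its own `config device` block with `option type 'bridge'` and the interface refers to it with `option device`, that block needs to be shown, otherwise the interface is no longer a bridge and the br-vlan1 / br-vlan3 explanation later on the page, which depends on a bridge named after the interface, no longer holds. If the older swconfig-era syntax is intended, `option type 'bridge'` should be restored in both blocks.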
| Line 106: | Line 108: | ||
| Save the changes to your ''/ | Save the changes to your ''/ | ||
| - | It's likely that you will want to setup a DHCP server for this guest interface as well as appropriate firewall rules to allow access to the Internet but prevent access to the LAN computers but doing those things is outside the scope of this document. We'll proceed assuming that you have addressing and firewall rules setup and working. Before proceeding you may want to temporarily setup a separate wireless SSID on the router which does NOT use 802.1x which is bridged to the guest network and verify it works, if it does not you'll want to figure that out before adding in the 802.1x dynamic VLAN complexity. | + | It's likely that you will want to setup a DHCP server for this guest interface as well as appropriate firewall rules to allow access to the Internet but prevent access to the LAN computers but doing those things is outside the scope of this document. We'll proceed assuming that you have addressing and firewall rules setup and working. Before proceeding you may want to temporarily setup a separate wireless SSID on the router which does NOT use 802.1X which is bridged to the guest network and verify it works, if it does not you'll want to figure that out before adding in the 802.1X dynamic VLAN complexity. |
| - | Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1x dynamic vlans. To do this modify the SSID setup in your ''/ | + | Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your ''/ |
| config wifi-iface | config wifi-iface | ||
| Line 119: | Line 121: | ||
| option dynamic_vlan | option dynamic_vlan | ||
| option ' | option ' | ||
| - | option ' | + | |
| - | option ' | + | option ' |
| Finally, you need to ensure that your RADIUS server is sending VLAN information. On FreeRADIUS each username section should look like: | Finally, you need to ensure that your RADIUS server is sending VLAN information. On FreeRADIUS each username section should look like: | ||
| " | " | ||
| - | | + | |
| - | Tunnel-Medium-Type = " | + | Tunnel-Medium-Type = " |
| - | Tunnel-Private-Group-ID = " | + | Tunnel-Private-Group-ID = " |
| - | With the important part being the three " | + | With the important part being the three " |
| - | If everything has been done correctly to this point you should be able to reboot your router and try testing | + | If everything has been done correctly to this point you should be able to reboot your router and test with some different usernames with different VLANs associated |
| ==== How It Works/ | ==== How It Works/ | ||
| - | If you were able to make standard 802.1x work on your router and also can make VLANs work on your router but are having problems trying to do 802.1x with dynamic VLANs or you want to customize your configuration it is helpful to know how OpenWrt handles dynamic VLANs. | + | If you were able to make standard 802.1X work on your router and also can make VLANs work on your router but are having problems trying to do 802.1X with dynamic VLANs or you want to customize your configuration it is helpful to know how OpenWrt handles dynamic VLANs. |
| When we set the interface names in the above example to " | When we set the interface names in the above example to " | ||
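Review bot: the `option dynamic_vlan` value on the first line of this hunk is cut off in this view and the prose never says which mode it selects; it should, because the fate of a user whose Access-Accept carries no Tunnel attributes depends on it. With `1` hostapd places that station on the SSID's normal bridge, so an unassigned user silently lands on the main LAN; with `2` hostapd rejects the authentication and logs "authentication server did not include required VLAN ID in Access-Accept", which is the message the troubleshooting section quotes. For a LAN/guest split the stricter `2` is the safer choice and the text should say so. On the FreeRADIUS side the three reply attributes named here are the right ones; the values hostapd expects are `Tunnel-Type = VLAN`, `Tunnel-Medium-Type = IEEE-802` and `Tunnel-Private-Group-ID` set to the VLAN number, and every user entry needs all three, or the user falls into the unassigned case above.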
| Line 144: | Line 146: | ||
| br-vlan3 | br-vlan3 | ||
| - | In this example output you can see the two bridges and that eth1.1 (the CPU port for VLAN 1) and eth1.3 (the CPU port for VLAN 3) are the only members of each respective bridge. When an 802.1x dynamic VLAN wireless client joins VLAN 1 the output will change like this: | + | In this example output you can see the two bridges and that eth1.1 (the CPU port for VLAN 1) and eth1.3 (the CPU port for VLAN 3) are the only members of each respective bridge. When an 802.1X dynamic VLAN wireless client joins VLAN 1 the output will change like this: |
| root@OpenWrt: | root@OpenWrt: | ||
| Line 156: | Line 158: | ||
| But how does wlan0.1 know to connect to eth1.1 on br-vlan1? The answer lies in the hostapd software and in the additional configuration we did in ''/ | But how does wlan0.1 know to connect to eth1.1 on br-vlan1? The answer lies in the hostapd software and in the additional configuration we did in ''/ | ||
| - | On a normal Linux based access point the idea is that you only need to set a '' | + | On a normal Linux based access point the idea is that you only need to set a '' |
| Because a physical interface can only be a member of ONE bridge hostapd is not then able to add eth1.1 to a new hostapd created bridge for wlan0.1 so you end up with no communication. If you ran '' | Because a physical interface can only be a member of ONE bridge hostapd is not then able to add eth1.1 to a new hostapd created bridge for wlan0.1 so you end up with no communication. If you ran '' | ||
| Line 164: | Line 166: | ||
| If you have problems when you are using PEAP as EAP method, check your errors using logread. If you see this error: "IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept" | If you have problems when you are using PEAP as EAP method, check your errors using logread. If you see this error: "IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept" | ||
| - | Hopefully this section allowed you to understand how hostapd interacts with OpenWrt to allow for dynamic VLANs over 802.1x. As you can see it's a bit of a tricky configuration. When things don't seem to be working correctly with dynamic VLANs but work with fixed VLANs a good place to start is by checking the output of the '' | + | Hopefully this section allowed you to understand how hostapd interacts with OpenWrt to allow for dynamic VLANs over 802.1X. As you can see it's a bit of a tricky configuration. When things don't seem to be working correctly with dynamic VLANs but work with fixed VLANs a good place to start is by checking the output of the '' |
| ===== Additional Resources ===== | ===== Additional Resources ===== | ||
| WPA Enterprise options can be found in the [[docs: | WPA Enterprise options can be found in the [[docs: | ||
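Review bot: the troubleshooting paragraph presents "authentication server did not include required VLAN ID in Access-Accept" as a PEAP problem, but hostapd logs it for any EAP method whenever the VLAN is required and the Access-Accept carries no Tunnel attributes. What makes it common with PEAP (and EAP-TTLS) is that the user entry is authenticated inside the inner tunnel, so the reply attributes from the users file land on the inner reply and never reach the outer Access-Accept unless the server copies them: in FreeRADIUS that is `use_tunneled_reply = yes` in the peap and ttls sections of the eap module, or, on releases that no longer have that option, an `update outer.reply` in the inner-tunnel virtual server's post-auth section. Stating that cause next to the error message would turn the paragraph from "check logread" into an actual fix.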