Differences
This shows you the differences between two versions of the page.
| docs:guide-user:network:wifi:wireless.security.8021x [2021/06/06 00:27] – Uppercase 802.1X nicklowe | docs:guide-user:network:wifi:wireless.security.8021x [2021/12/03 16:01] – Clarify setting systemcrash | ||
|---|---|---|---|
| Line 6: | Line 6: | ||
| Note that the individual usernames and passwords are stored in a RADIUS server which the access point will communicate with to authenticate users. In most cases, this RADIUS server software is running elsewhere on the network (obviously the access point will need to be able to reach it), but it is possible to install and run a RADIUS server on OpenWrt as well. The installation and configuration of a RADIUS server is outside the scope of this document however a few hints will be provided. RADIUS is a standardized protocol which is supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users. A commonly used open source RAIDUS server is FreeRADIUS. | Note that the individual usernames and passwords are stored in a RADIUS server which the access point will communicate with to authenticate users. In most cases, this RADIUS server software is running elsewhere on the network (obviously the access point will need to be able to reach it), but it is possible to install and run a RADIUS server on OpenWrt as well. The installation and configuration of a RADIUS server is outside the scope of this document however a few hints will be provided. RADIUS is a standardized protocol which is supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users. A commonly used open source RAIDUS server is FreeRADIUS. | ||
| + | |||
| + | {{section> | ||
| ===== Prerequisites ===== | ===== Prerequisites ===== | ||
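Review bot: the unchanged context paragraph above the inserted `{{section>` include still carries the misspelling "RAIDUS" (should be "RADIUS") and the sentence "supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users" is missing a relative pronoun ("... (NPS), which can authenticate ..."); since this revision already touches the lines right after that paragraph, fold both corrections in. The target of the `{{section>` include is cut off in this view, so its source page and section name cannot be checked here.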
| Line 108: | Line 110: | ||
| It's likely that you will want to setup a DHCP server for this guest interface as well as appropriate firewall rules to allow access to the Internet but prevent access to the LAN computers but doing those things is outside the scope of this document. We'll proceed assuming that you have addressing and firewall rules setup and working. Before proceeding you may want to temporarily setup a separate wireless SSID on the router which does NOT use 802.1X which is bridged to the guest network and verify it works, if it does not you'll want to figure that out before adding in the 802.1X dynamic VLAN complexity. | It's likely that you will want to setup a DHCP server for this guest interface as well as appropriate firewall rules to allow access to the Internet but prevent access to the LAN computers but doing those things is outside the scope of this document. We'll proceed assuming that you have addressing and firewall rules setup and working. Before proceeding you may want to temporarily setup a separate wireless SSID on the router which does NOT use 802.1X which is bridged to the guest network and verify it works, if it does not you'll want to figure that out before adding in the 802.1X dynamic VLAN complexity. | ||
| - | Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your ''/ | + | Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your ''/ |
| config wifi-iface | config wifi-iface | ||
| Line 125: | Line 127: | ||
| " | " | ||
| - | | + | |
| - | Tunnel-Medium-Type = " | + | Tunnel-Medium-Type = " |
| - | Tunnel-Private-Group-ID = " | + | Tunnel-Private-Group-ID = " |
| - | With the important part being the three " | + | With the important part being the three " |
| - | If everything has been done correctly to this point you should be able to reboot your router and try testing | + | If everything has been done correctly to this point you should be able to reboot your router and test with some different usernames with different VLANs associated |
| ==== How It Works/ | ==== How It Works/ | ||
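Review bot: the reworded test instruction at the end of the hunk ("test with some different usernames with different VLANs associated") tells the reader to try several accounts but not what result confirms success; state the expected observation, namely that each client is placed on the VLAN whose ID the RADIUS server returns in its Tunnel-Private-Group-ID reply, so a wrong or missing attribute is noticed instead of the client silently landing on the default network. The quoting change on the three Tunnel-* attribute lines is truncated in this view, so the final attribute values should be re-checked in the rendered page for consistent quoting across all three lines.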