docs:guide-user:network:wifi:wireless.security.8021x [2021/07/23 14:47] – [Introduction to 802.1X] someothertime
docs:guide-user:network:wifi:wireless.security.8021x [2021/12/03 16:01] – Clarify setting systemcrash
Line 110: Line 110:
 It's likely that you will want to setup a DHCP server for this guest interface as well as appropriate firewall rules to allow access to the Internet but prevent access to the LAN computers but doing those things is outside the scope of this document. We'll proceed assuming that you have addressing and firewall rules setup and working. Before proceeding you may want to temporarily setup a separate wireless SSID on the router which does NOT use 802.1X which is bridged to the guest network and verify it works, if it does not you'll want to figure that out before adding in the 802.1X dynamic VLAN complexity. It's likely that you will want to setup a DHCP server for this guest interface as well as appropriate firewall rules to allow access to the Internet but prevent access to the LAN computers but doing those things is outside the scope of this document. We'll proceed assuming that you have addressing and firewall rules setup and working. Before proceeding you may want to temporarily setup a separate wireless SSID on the router which does NOT use 802.1X which is bridged to the guest network and verify it works, if it does not you'll want to figure that out before adding in the 802.1X dynamic VLAN complexity.
  
-Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your ''/etc/config/wireless'' file and remove the ''network'' option and add the ''dynamic_vlan'' and ''vlan_tagged_interface options''. An example based on the basic 802.1X setup found above would be:+Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your ''/etc/config/wireless'' file and remove the ''network'' option and add the ''dynamic_vlan'' and ''vlan_tagged_interface options''. Note that ''dynamic_vlan'' is a tri-state setting, e.g. off=0, on=1, require=2, and is not a setting for the actual VLAN number. An example based on the basic 802.1X setup found above would be:
  
   config wifi-iface   config wifi-iface
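Review bot: In the added sentence, "e.g. off=0, on=1, require=2" presents the complete set of a tri-state setting as if it were a sample, so "i.e." or "with the values" would be accurate. The sentence also does not say how on=1 and require=2 differ, which is what a reader needs in order to pick one; a short clause per value would close that gap. While this paragraph is being edited, the markup ''vlan_tagged_interface options'' has the word "options" inside the monospace span on both sides of the diff and could be changed to ''vlan_tagged_interface'' options.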
Line 127: Line 127:
  
   "username"      Cleartext-Password := "password"   "username"      Cleartext-Password := "password"
-                Tunnel-Type = "VLAN", +                  Tunnel-Type = "VLAN", 
-                Tunnel-Medium-Type = "IEEE-802", +                  Tunnel-Medium-Type = "IEEE-802", 
-                Tunnel-Private-Group-ID = "1"+                  Tunnel-Private-Group-ID = "1"
  
-With the important part being the three "Tunnel" settings where ''Tunnel-Private-Group-ID'' is set to the VLAN that user should be placed on.+With the important part being the three "Tunnel-*" settings where ''Tunnel-Private-Group-ID'' is set to the VLAN that user should be placed on.
  
-If everything has been done correctly to this point you should be able to reboot your router and try testing with some different usernames with different VLANs associated.+If everything has been done correctly to this point you should be able to reboot your router and test with some different usernames with different VLANs associated to each user respectively.
  
 ==== How It Works/Troubleshooting ==== ==== How It Works/Troubleshooting ====
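Review bot: The reworded final sentence, "test with some different usernames with different VLANs associated to each user respectively", repeats itself; "test with several usernames, each assigned a different VLAN" says the same thing more directly. The three Tunnel lines change only in leading whitespace, so it is worth confirming that the new indentation lines up under Cleartext-Password in the rendered code block; if it does not, that part of the change is noise in the history.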
  • Last modified: 2024/10/07 14:28
  • by timsmall