User Tools

Site Tools


docs:guide-user:network:wifi:wireless.security.8021x

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
docs:guide-user:network:wifi:wireless.security.8021x [2018/06/11 14:20]
tmomas link fixed
docs:guide-user:network:wifi:wireless.security.8021x [2018/09/10 14:03] (current)
tmomas OpenWrt spelling
Line 5: Line 5:
 The wireless encryption mode used to support this type of setup is "WPA Enterprise"​ or "WPA2 Enterprise"​ on the access point. You may also see references to 802.1x which is the standard for authenticating users, either wired or wirelessly, through a RADIUS server and is the underlying protocol used by the WPA/2 Enterprise wireless encryption mode. The wireless encryption mode used to support this type of setup is "WPA Enterprise"​ or "WPA2 Enterprise"​ on the access point. You may also see references to 802.1x which is the standard for authenticating users, either wired or wirelessly, through a RADIUS server and is the underlying protocol used by the WPA/2 Enterprise wireless encryption mode.
  
-Note that the individual usernames and passwords are stored in a RADIUS server which the access point will communicate with to authenticate users. In most cases this RADIUS server software is running elsewhere on the network (obviously the access point will need to be able to reach it) but it is possible to install and run a RADIUS server on OpenWRT ​as well. The installation and configuration of a RADIUS server is outside the scope of this document however a few hints will be provided. RADIUS is a standardized protocol which is supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users. A commonly used open source RAIDUS server is FreeRADIUS.+Note that the individual usernames and passwords are stored in a RADIUS server which the access point will communicate with to authenticate users. In most cases this RADIUS server software is running elsewhere on the network (obviously the access point will need to be able to reach it) but it is possible to install and run a RADIUS server on OpenWrt ​as well. The installation and configuration of a RADIUS server is outside the scope of this document however a few hints will be provided. RADIUS is a standardized protocol which is supported by many server applications including the Microsoft Windows Network Policy Server (NPS) can authenticate Active Directory users. A commonly used open source RAIDUS server is FreeRADIUS.
  
 ===== Prerequisites ===== ===== Prerequisites =====
  
 Before beginning you will want to make sure you have completed the following steps: Before beginning you will want to make sure you have completed the following steps:
-  * Installed a RADIUS server such as FreeRADIUS (on OpenWRT ​or on another server). Note that in 802.1x documentation the system holding the username/​password database is referred to as the "​authentication server"​ or sometimes just the "​server"​.+  * Installed a RADIUS server such as FreeRADIUS (on OpenWrt ​or on another server). Note that in 802.1x documentation the system holding the username/​password database is referred to as the "​authentication server"​ or sometimes just the "​server"​.
   * Configured your router as a "​client"​ on the RADIUS server. The IP address of your router/​access point must be allowed to connect to the RADIUS server and have an associated key/​password which it will use to authenticate to the RADIUS server. Note that in 802.1x documentation the router/​access point is referred to as the "​client"​ or sometimes as the "​authenticator"​ to distinguish it from the end user device which is attempting to authenticate and which is called the "​supplicant"​.   * Configured your router as a "​client"​ on the RADIUS server. The IP address of your router/​access point must be allowed to connect to the RADIUS server and have an associated key/​password which it will use to authenticate to the RADIUS server. Note that in 802.1x documentation the router/​access point is referred to as the "​client"​ or sometimes as the "​authenticator"​ to distinguish it from the end user device which is attempting to authenticate and which is called the "​supplicant"​.
   * Configured one or more usernames and passwords on the RADIUS server. Note that the user passwords must be stored in a format which matches the format the supplicant is using to check the password. For Windows clients this means you need to store the password as an NT/LM Hash value, for other clients it would usually be Crypt/​MD5/​SHA. To simplify things you can store the password as cleartext and the RADIUS server will then be able to generate the needed hashes on the fly but this has obvious security downsides and should be considered carefully but may be of use for troubleshooting.   * Configured one or more usernames and passwords on the RADIUS server. Note that the user passwords must be stored in a format which matches the format the supplicant is using to check the password. For Windows clients this means you need to store the password as an NT/LM Hash value, for other clients it would usually be Crypt/​MD5/​SHA. To simplify things you can store the password as cleartext and the RADIUS server will then be able to generate the needed hashes on the fly but this has obvious security downsides and should be considered carefully but may be of use for troubleshooting.
Line 16: Line 16:
 ===== Basic 802.1x Wireless User Authentication ===== ===== Basic 802.1x Wireless User Authentication =====
  
-Enterprise WPA is not supported by the wpad-mini access point software on OpenWRT ​so you will need to remove that and install the full version of hostapd:+Enterprise WPA is not supported by the wpad-mini access point software on OpenWrt ​so you will need to remove that and install the full version of hostapd:
  
 ''​opkg update ''​opkg update
Line 35: Line 35:
 Where 192.168.1.10 is a previously configured RADIUS server which is expecting connections from this client (router/AP) using the password "​MyClientPassword"​. Where 192.168.1.10 is a previously configured RADIUS server which is expecting connections from this client (router/AP) using the password "​MyClientPassword"​.
  
-===== 802.1x Dynamic VLANs on an OpenWRT ​Router =====+===== 802.1x Dynamic VLANs on an OpenWrt ​Router =====
  
 ==== Introduction ==== ==== Introduction ====
  
-In the following example we'll extend our previous 802.1x wireless network authentication to automatically assign users connecting to the SAME SSID to either the main "​lan"​ network or a new "​guest"​ network depending on their username. Note that some of the functionality needed to make this work was not included in OpenWRT ​until the "Chaos Calmer"​ release. It is technically possible to make dynamic VLANs work in prior releases but it requires modifying some system files, it is suggested that you run "Chaos Calmer"​ r43473 or newer releases if you want to use 802.1x dynamic VLANs on a router. If you really want the details on what needs to be changed see [[https://​dev.openwrt.org/​changeset/​43473/​|r43473]],​ [[https://​dev.openwrt.org/​changeset/​42787|r42787]],​ and [[https://​dev.openwrt.org/​changeset/​41872|r41872]].+In the following example we'll extend our previous 802.1x wireless network authentication to automatically assign users connecting to the SAME SSID to either the main "​lan"​ network or a new "​guest"​ network depending on their username. Note that some of the functionality needed to make this work was not included in OpenWrt ​until the "Chaos Calmer"​ release. It is technically possible to make dynamic VLANs work in prior releases but it requires modifying some system files, it is suggested that you run "Chaos Calmer"​ r43473 or newer releases if you want to use 802.1x dynamic VLANs on a router. If you really want the details on what needs to be changed see [[https://​dev.openwrt.org/​changeset/​43473/​|r43473]],​ [[https://​dev.openwrt.org/​changeset/​42787|r42787]],​ and [[https://​dev.openwrt.org/​changeset/​41872|r41872]].
  
-NOTE: You'll be working on changing the way your router'​s CPU connects to the switch as part of these configuration changes. If done improperly it's possible to lock yourself out of the router. If you do this you will need to be familiar with the recovery mechanism of your router so that you can get back in and reset or fix your configurations. It's a good idea to **have a backup of your working configuration before starting** and to be familiar with the way OpenWRT ​handles VLAN configuration (which can vary a bit from router to router). If you have physical access to your router you shouldn'​t be able to brick the router in such a way that it's impossible to recover but if you're working wirelessly or remotely it is possible. //It's best to setup a test network on a second router and work on that until you are familiar with the configuration as this is a tricky process to get right at first.//+NOTE: You'll be working on changing the way your router'​s CPU connects to the switch as part of these configuration changes. If done improperly it's possible to lock yourself out of the router. If you do this you will need to be familiar with the recovery mechanism of your router so that you can get back in and reset or fix your configurations. It's a good idea to **have a backup of your working configuration before starting** and to be familiar with the way OpenWrt ​handles VLAN configuration (which can vary a bit from router to router). If you have physical access to your router you shouldn'​t be able to brick the router in such a way that it's impossible to recover but if you're working wirelessly or remotely it is possible. //It's best to setup a test network on a second router and work on that until you are familiar with the configuration as this is a tricky process to get right at first.//
  
 ==== Configuration ==== ==== Configuration ====
-Because we'll be working with multiple VLANs we need to create an additional VLAN for the guest network and enable VLAN tagging on the CPU port for the "​lan"​ and "​guest"​ VLANs so that the router can communicate with both VLANs. In this case we'll keep the "​lan"​ network on VLAN 1 and create a new "​guest"​ network on VLAN 3. We're skipping over VLAN 2 because the particular router used to create this demonstration uses VLAN 2 to connect the WAN port to the CPU, not all routers do this, some wire the WAN port directly to the CPU. More information on the switch port layout can be found on the OpenWRT ​wiki page for your particular router.+Because we'll be working with multiple VLANs we need to create an additional VLAN for the guest network and enable VLAN tagging on the CPU port for the "​lan"​ and "​guest"​ VLANs so that the router can communicate with both VLANs. In this case we'll keep the "​lan"​ network on VLAN 1 and create a new "​guest"​ network on VLAN 3. We're skipping over VLAN 2 because the particular router used to create this demonstration uses VLAN 2 to connect the WAN port to the CPU, not all routers do this, some wire the WAN port directly to the CPU. More information on the switch port layout can be found on the OpenWrt ​wiki page for your particular router.
  
-First, modify the existing "​lan"​ VLAN to tag traffic going to the CPU port. In this example the CPU is on port 0 and ports 2, 3, 4 and 5 are the existing LAN switch ports (which we want to keep on the "​lan"​ VLAN as they were). Port 1 on this router is a secondary CPU port used for the WAN connection. **Ports on your own router may vary, check the switch port details for your router on the OpenWRT ​wiki page for your specific router.** On this router the existing VLAN 1 switch configuration in the ''/​etc/​config/​network''​ file looks like:+First, modify the existing "​lan"​ VLAN to tag traffic going to the CPU port. In this example the CPU is on port 0 and ports 2, 3, 4 and 5 are the existing LAN switch ports (which we want to keep on the "​lan"​ VLAN as they were). Port 1 on this router is a secondary CPU port used for the WAN connection. **Ports on your own router may vary, check the switch port details for your router on the OpenWrt ​wiki page for your specific router.** On this router the existing VLAN 1 switch configuration in the ''/​etc/​config/​network''​ file looks like:
  
 ''​config switch_vlan ''​config switch_vlan
Line 72: Line 72:
 Note that the only port in this VLAN is a tagged connection to the CPU port right now but the router will automatically bridge guest wireless users onto this VLAN following the 802.1x server'​s instruction. You can create additional VLANs as needed for your network design but beware the limits of the switch chip in your router. Many switch chips in consumer routers are limited to 15 VLANs. Note that the only port in this VLAN is a tagged connection to the CPU port right now but the router will automatically bridge guest wireless users onto this VLAN following the 802.1x server'​s instruction. You can create additional VLANs as needed for your network design but beware the limits of the switch chip in your router. Many switch chips in consumer routers are limited to 15 VLANs.
  
-Next we need to modify the interface configuration in the same file. Because we're now tagging VLAN traffic we need to modify the "​lan"​ interface configuration slightly. On this router the LAN CPU port is eth1, //check the switch port details for your router on the OpenWRT ​wiki page for your router to determine the LAN CPU port on your own router//. Where we previously found a section like:+Next we need to modify the interface configuration in the same file. Because we're now tagging VLAN traffic we need to modify the "​lan"​ interface configuration slightly. On this router the LAN CPU port is eth1, //check the switch port details for your router on the OpenWrt ​wiki page for your router to determine the LAN CPU port on your own router//. Where we previously found a section like:
  
 ''​config interface '​lan'​ ''​config interface '​lan'​
Line 139: Line 139:
 ==== How It Works/​Troubleshooting ==== ==== How It Works/​Troubleshooting ====
  
-If you were able to make standard 802.1x work on your router and also can make VLANs work on your router but are having problems trying to do 802.1x with dynamic VLANs or you want to customize your configuration it is helpful to know how OpenWRT ​handles dynamic VLANs.+If you were able to make standard 802.1x work on your router and also can make VLANs work on your router but are having problems trying to do 802.1x with dynamic VLANs or you want to customize your configuration it is helpful to know how OpenWrt ​handles dynamic VLANs.
  
-When we set the interface names in the above example to "​vlan1"​ and "​vlan3"​ and set their type to "​bridge" ​OpenWRT ​automatically created two bridges (software switches) on the router named "​br-vlan1"​ and "​br-vlan3"​. You can see these bridges, and which ports they'​re connected to, by running the ''​brctl show''​ command which gives output like this:+When we set the interface names in the above example to "​vlan1"​ and "​vlan3"​ and set their type to "​bridge" ​OpenWrt ​automatically created two bridges (software switches) on the router named "​br-vlan1"​ and "​br-vlan3"​. You can see these bridges, and which ports they'​re connected to, by running the ''​brctl show''​ command which gives output like this:
  
 ''​root@OpenWrt:​~#​ brctl show ''​root@OpenWrt:​~#​ brctl show
Line 162: Line 162:
 But how does wlan0.1 know to connect to eth1.1 on br-vlan1? The answer lies in the hostapd software and in the additional configuration we did in ''/​etc/​config/​wireless''​. But how does wlan0.1 know to connect to eth1.1 on br-vlan1? The answer lies in the hostapd software and in the additional configuration we did in ''/​etc/​config/​wireless''​.
  
-On a normal Linux based access point the idea is that you only need to set a ''​vlan_tagged_interface''​ option in your configuration which lets hostapd know what tagged CPU interface contains access to all VLANs. Hostapd would then automatically create subinterfaces like ethX.Y where ethX is the tagged interface and Y is the VLAN number. Unfortunately this simple configuration does not work with OpenWRT ​because most users are ALREADY using bridging on their CPU interface by setting the interface type to bridge in ''/​etc/​config/​network''​ which is part of the standard ​OpenWRT ​configuration as it is how non-802.1x wireless users connect to the CPU port. When you set things up that way OpenWRT ​automatically creates a bridge called "​br-lan"​ or "​br-"​ in front of whatever the interface name is and then adds the physical interface such as eth1.1 to the bridge. Run ''​brctl show''​ on an OpenWRT ​router which is not configured for 802.1x dynamic VLANs to see this setup.+On a normal Linux based access point the idea is that you only need to set a ''​vlan_tagged_interface''​ option in your configuration which lets hostapd know what tagged CPU interface contains access to all VLANs. Hostapd would then automatically create subinterfaces like ethX.Y where ethX is the tagged interface and Y is the VLAN number. Unfortunately this simple configuration does not work with OpenWrt ​because most users are ALREADY using bridging on their CPU interface by setting the interface type to bridge in ''/​etc/​config/​network''​ which is part of the standard ​OpenWrt ​configuration as it is how non-802.1x wireless users connect to the CPU port. When you set things up that way OpenWrt ​automatically creates a bridge called "​br-lan"​ or "​br-"​ in front of whatever the interface name is and then adds the physical interface such as eth1.1 to the bridge. Run ''​brctl show''​ on an OpenWrt ​router which is not configured for 802.1x dynamic VLANs to see this setup.
  
-Because a physical interface can only be a member of ONE bridge hostapd is not then able to add eth1.1 to a new hostapd created bridge for wlan0.1 so you end up with no communication. If you ran ''​brctl show''​ on a misconfigured router like this you would see one or more bridge interfaces created by OpenWRT ​through the ''/​etc/​config/​network''​ file and one bridge interface created by hostapd for each VLAN a user had tried to connect to which ONLY had the wlan0.Y interface as a member. Obviously if the wlan interface is the only member of a bridge the traffic has nowhere to go so the user is unable to obtain an IP address or go anywhere.+Because a physical interface can only be a member of ONE bridge hostapd is not then able to add eth1.1 to a new hostapd created bridge for wlan0.1 so you end up with no communication. If you ran ''​brctl show''​ on a misconfigured router like this you would see one or more bridge interfaces created by OpenWrt ​through the ''/​etc/​config/​network''​ file and one bridge interface created by hostapd for each VLAN a user had tried to connect to which ONLY had the wlan0.Y interface as a member. Obviously if the wlan interface is the only member of a bridge the traffic has nowhere to go so the user is unable to obtain an IP address or go anywhere.
  
-To work around this problem we make a few changes. First, we must name our interfaces in ''/​etc/​config/​network''​ based on their VLAN such as ''​vlan1''​ and ''​vlan3''​. This causes ​OpenWRT ​to name the bridges it creates ''​br-vlan1''​ and ''​br-vlan3''​. Second, we set the ''​vlan_bridge''​ option in ''/​etc/​config/​wireless''​ to "​br-vlan"​ and the ''​vlan_naming''​ option to "​0"​ what this does is tell hostapd to create bridges using the br-vlanY naming convention (where Y is the VLAN number). As you can see those bridges will already exist based on the OpenWRT ​configuration and because you can only have one bridge with the same name hostapd just adds the wlan0.Y interface to the existing bridge allowing it to communicate with the eth1.Y interface that OpenWRT ​placed there.+To work around this problem we make a few changes. First, we must name our interfaces in ''/​etc/​config/​network''​ based on their VLAN such as ''​vlan1''​ and ''​vlan3''​. This causes ​OpenWrt ​to name the bridges it creates ''​br-vlan1''​ and ''​br-vlan3''​. Second, we set the ''​vlan_bridge''​ option in ''/​etc/​config/​wireless''​ to "​br-vlan"​ and the ''​vlan_naming''​ option to "​0"​ what this does is tell hostapd to create bridges using the br-vlanY naming convention (where Y is the VLAN number). As you can see those bridges will already exist based on the OpenWrt ​configuration and because you can only have one bridge with the same name hostapd just adds the wlan0.Y interface to the existing bridge allowing it to communicate with the eth1.Y interface that OpenWrt ​placed there.
  
-Hopefully this section allowed you to understand how hostapd interacts with OpenWRT ​to allow for dynamic VLANs over 802.1x. As you can see it's a bit of a tricky configuration. When things don't seem to be working correctly with dynamic VLANs but work with fixed VLANs a good place to start is by checking the output of the ''​brctl show''​ command and seeing which interfaces are being connected to each other. Once you verify that is the problem it gives you a starting point to figure out what must be modified in the configuration to get the correct interfaces bridged together.+Hopefully this section allowed you to understand how hostapd interacts with OpenWrt ​to allow for dynamic VLANs over 802.1x. As you can see it's a bit of a tricky configuration. When things don't seem to be working correctly with dynamic VLANs but work with fixed VLANs a good place to start is by checking the output of the ''​brctl show''​ command and seeing which interfaces are being connected to each other. Once you verify that is the problem it gives you a starting point to figure out what must be modified in the configuration to get the correct interfaces bridged together.
  
 ===== Additional Resources ===== ===== Additional Resources =====
  
 WPA Enterprise options can be found in the [[docs:​guide-user:​network:​wifi:​basic#​wpa_enterprise_access_point|Wireless documentation]]. WPA Enterprise options can be found in the [[docs:​guide-user:​network:​wifi:​basic#​wpa_enterprise_access_point|Wireless documentation]].
docs/guide-user/network/wifi/wireless.security.8021x.1528726800.txt.gz · Last modified: 2018/06/11 14:20 by tmomas