hostapd based access point, (free) radius for aaa and vlan to separate

Jouni Malinen j at w1.fi
Mon Nov 26 23:17:49 EST 2007


On Mon, Nov 26, 2007 at 08:34:24PM +0100, Christian Beier wrote:

> I'm trying to set up a hostap daemon based access point with freeradius
> for AAA and utilisation of VLAN to separate some user groups.
> Without "up and running" VLAN interfaces everything works, the user is
> recognised and granted access by the radius server. I mean: The
> radius and hostapd configurations are unchanged and still set up for
> VLAN usage, only the VLAN interfaces are not added by vconfig. If I add
> them, hostapd prints a lot of
> "	REAUTH_TIMER entering state INITIALIZE"
> till timeout is reached and on the freeradius no reaction is seen.

One thing to keep in mind is that I have not tested the dynamic VLAN
code in the open source version at all and I do not remember whether I
had fully merged the Devicescape implementation.. So no guarantees on
this being functional.

> *ap
> 	hostapd v0.5.7

I don't remember whether there have been any changes in 0.6.x, but for
this particular feature, I would recommend using the latest possible
version at least for initial tests..

> 	madwifi

I don't think madwifi has support for the dynamic VLAN configuration in
hostapd. This was only supported with the Devicescape IEEE 802.11
implementation (now, mac80211) which has functionality for dynamically
adding virtual interfaces on the wireless side.


> I've tried a lot and found out that setting
> "... vlan_tagged_interface=ath1 "
> results in:
> "unknown configuration item 'vlan_tagged_interface' "

Did you enable dynamic VLAN support in the build configuration
(.config)?

> I don't know if this is related to the many atheros/madwifi vlan patches
> I found on my search and neglected because the search results were
> dated last year.

Probably not related.

> Also, I'm not sure if my syntax of the vlan_file is right.

Looks fine (if the driver were to support this, that is).

> It's the only way it works, if I add two lines for each
> Tunnel-Private-Group-Id, passed by freeradius, with the appropriate
> interfaces behind, I got an error message. I'm kind of clueless and the
> oracles of the web also have no good recommendation what to do or where
> to search the ghost in the machine.

This may be quite a battle to get working with madwifi at this point..
mac80211 with ath5k may be more likely to get people interested in
fixing the problems, but anyway, keep in mind that there are very few
(if any) people who have ever successfully tested the dynamic VLAN
feature with the open source version of hostapd..

-- 
Jouni Malinen                                            PGP id EFC895FA


