When it comes to Enterprise WiFi, the simple - plug-in, set your password and enjoy - approach doesn't work as expected, especially if you have multiple APs around and need to implement fast transitioning between them. Also how to authorize the WPA2-EAP clients in your network? You need some server with credentials and stuff!
Let's start small with two OpenWRT devices, one is serving as a master router, the second is a dumb AP. We'll start with a simple WiFi network with shared passphrase and a central DHCP server. So, on the router:
Isolate clients
under the advanced tabWLAN
WLAN
, assign it to the WLAN
interface and set forwarding to wan
zoneNow you should be able to connect to this WiFi, get IP from 192.168.2.0/24 range and be able to access internet. Same access should be available over the LAN port you specified. So let's move the the dumb AP device:
WLAN
, set it to unamanaged
and assign WiFi network and some LAN port to itnetwork
So, make sure you can connect to both devices (e.g. place them far away and stand with your phone nearby each of them while connecting), everything should work. If not, check your networking, LAN port settings, maybe try to set static IP from the same network on the AP WLAN
interface and try to ping it from router,... If you see a bunch of DHCP errors int he AP log, just exclude the br-WLAN
from the DHCP settings (can be done in luci, there's a DHCP and DNS
tab).
You may have noticed that your WiFi device might get disconnected briefly when going from one AP to another, this in unpleasant during the online calls if you are used to walk while talking, or maybe you are just in the middle between the APs and your phone keeps jumping from one to another. Here's the 802.11r to save you!
When using the preshared key network, the setup is pretty straightforward, just open your WiFi settings on both devices and check the 802.11r Fast Transition
field, nothing else is needed as the encryption keys, mobility zone, etc. gets derived from the network SSID and password, at least on a recent OpenWRT version. Give it a try!
Let's talk about a basic security, assume you have a company network with several servers, multiple services, WiFi networks for employees and guests and you don't want your employees to access everything. It makes sense to separate all the traffic into several networks, but who would wire multiple ethernet cables to a single device? VLANs to a rescue!
VLANs allow passing a ethernet frames in a separate network over a single wire, basically the specification only defines additional encapsulation of the packet and the switch or other networking device on the route decides how to handle the frame (pass unchanged, strip the header making it non-VLAN network from this point, drop is the given VLAN is not allowed on the corresponding port,...).
So, let's modify our network setup a little bit. Remember the LAN ports you used for communication between router and AP? Let's start on router:
management
192.168.3.1
eth0.10
, where eth0
is the LAN port and 10 the VLAN number. management
and allow forwarding from this zone to all other zones (WLAN
,...)WLAN
network so the VLAN 11 on same LAN port as before is usedDo the same on the AP, only change the static ip on management
interface to e.g. 192.168.3.2
. The WiFi network should work same as before, but you shouldn't be able to ping the 192.168.3.0/24
addresses, these should be only pingable from inside the OpenWRT devices or from any device in the VLAN 10 if you connected anything else there. If you have any switches between the AP and router, make sure you added the VLAN 10 and 11 to corresponding ports, it won't work otherwise. Hooray, now you have your management and WLAN communication separated from each other!
That was for the easy part. Now we need to break the setup and rework the authorization. You have a radius in your network, right? The Radius provides authorization backend for the Enterprise WiFi, usually you setup LDAP server with your user accounts and passwords and connect it to the radius server as authorization backend and the radius handles all the auth requests from the network devices. There's plenty of how-tos online, just google some setup guide...
First, make sure you have a NT hashed passwords in your LDAP (ntPassword
attribute is set and valid) as the EAP is using the NT hashes by default, usual linux password in userPassword
attribute won't work here!. It's nice to launch Radius server in debug mode, so you can see what's going on while debugging the setup (launch with freeradius -X
). Also don't forget to add the Router and AP IPs to the Radius clients so they can access the server!
On both AP and Router:
wpad-basic
package (opkg remove wpad-basic
)wpad
with EAP support (opkg install wpad
)Radius-Authentication
is all that's needed.Now you can try connecting, it should work out of box, especially on Windows, just enter your username and password. You should see the authorization request on radius log (if not, your check your radius config) with successful access to the LDAP and authorization of the WiFi connection request.
As the WPA2-EAP doesn't have any common passphrase that could be used for generating a encryption keys, you have to do a lot of stuff manually. The most complicated part is the R0 and R1 keys, basically these keys are used when passing client between devices, all devices must know keys of each other. The R0 key is in MAC-address,NAS-Identifier,128-bit key as hex string
format and R1 is MAC-address,R1KH-ID as 6 octets with colons,128-bit key as hex string
. The 128bit key can be different for each key, but it's more convenient to keep it identical, you can generate any value you want, e.g. 7978490411BA8EE4C42858FB9BF0B402
. So, let's assume you have a device with BSSID of 60:A4:B7:1B:B2:FE
and the R1KH and NAS-ID are derived from BSSID. What will be the keys?
60:A4:B7:1B:B2:FE,60A4B71BB2FE,7978490411BA8EE4C42858FB9BF0B402
60:A4:B7:1B:B2:FE,60:A4:B7:1B:B2:FE,7978490411BA8EE4C42858FB9BF0B402
You have to create both keys for each device (and WiFi network as BSSID is different e.g. between 5 and 2,4 GHz networks) and distribute all these keys between your devices. So on each device under WiFi network setup:
NAS ID
- set it to BSSID of your interface without colons, e.g. 60A4B71BB2FEMobility domain
- choose some 4 digit hex number and set it to all devices, e.g. 12AB
R1 Key Holder
- Same as NAS ID
After applying this setup, you should be good to go, everything should work as it used to with WPA2-PSK, but now with per-user authorization!
Windows systems tend to be picky about certificates, as the WPA2-EAP uses PEAP method on the Radius server and the radius is using self generated certificates by default, it should just work, but if you are using a custom wildcard certificates for Radius server, you might get strange warnings with access denied, expired certificate, etc. Windows just refuse to connect when the Radius is using a wildcard cert!
I tend to use Let's encrypt everywhere, but this is not applicable for eap-tls
method on the radius servers, so, to use Let's encrypt (make sure it's not a wildcard certificate!) on freeradius, you have to modify the config a bit. I'd suggest to create a custom section tls-config
section for peap method (used by WPA2-EAP) under /etc/freeradius/3.0/mods-enabled/eap
:
tls-config tls-peap {
private_key_file = /path/to/privkey.pem
certificate_file = /path/to/cert.pem
ca_file = /path/to/fullchain.pem
dh_file = ${certdir}/dh
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24 # hours
}
verify {
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
}
}
In the same file, change the tls-default
to tls-peap
under peap
section, restart radius server and you are good to go.
Android phones (especially after version 11) tend to require a bunch of other data other from the user and password to connect to WPA2-EAP network: