OpenWrt Forum Archive

Topic: Freeradius WPA/WPA2 EAP-TLS

The content of this topic has been archived on 31 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

I've set up the following
  - free radius (on a separate server) with its own CA root
  - Windows XP / Linux wpa_supplicant clients with personal certificates
  - Kamikaze (7.09) running in Access mode on an interface:

config wifi-iface       wifi
        option device   wl0
        option network  lan
        option mode     ap
        option ssid     rad-1
        option hidden   0
        option encryption wpa+wpa2
        option key      radpass
        option server   172.16.0.1
        option port     1812
        option isolate  0

The clients can connect to the network, I see all the TLS Challenge/Response on the server and
I supply (dhcpd on the separate server) the clients with an IP address.

All works great.



Now I'd like to expand the wireless reach and add several (also Kamikaze 7.09) APs with WDS.

I added an extra interface for the WDS link on both APs:
config wifi-iface       wds
        option device   wl0
        option network  lan
        option mode     wds
        option ssid     wds-link
        option bssid    <mac of the neighbour>
        option encryption wpa
        option key      12345678
        option hidden   0
        option timeout  30
        option lazywds  0

and added the same 'wifi' setup for the wpa+wpa2 on the second AP.

And then... nothing works anymore.  Running the 'AP' interface and the 'WDS' interface in 'encryption: none' goes ok,
but switching the 'WDS' interface to some form of encryption, the link breaks.

I can't get the 'AP' interface running with wpa+wpa2 and the 'WDS' interface with 'none'. Although this isn't what I want, I suspected that it
at least would work..

Anyone have some pointers on how to create ap/repeater links which are encrypted? I've searched a great deal and can't get a WDS link working when
using wpa+wpa2 on the AP part.


On a side note: is it possible, to retrieve a list of associated macs using wlc or some other tool? This would ease my debugging ;-)
Ha, just noticed this: http://wiki.openwrt.org/Faq#head-6d3c54 … ad381cfa15

ps: these are WRT54GL devices.

Cheers, Eric


edit1: Could a time-difference between the wired AP and the (wireless) WDS/AP be a problem? I'm running an ntpclient on the wired one..

edit2: I don't see any traffic on the wl0 interface (the wired AP), but the frame counter is increasing steadily. It looks like there are communication issues between both devices, although keys etc are identical.

edit3: without the WDS link, I am able to get Sony Ericsson P1i and Nokia N95 to authenticate against the radius server, using all the needed certificates on the devices. This is working really great. Now just to get the WDS link up.

(Last edited by EL on 8 Oct 2007, 20:36)
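Added example (not from the post or from OpenWrt): a small parser for the UCI wifi-iface format shown above, plus a lint pass that flags the settings worth reviewing before pushing such a config to a set of WDS repeaters. The sample config is constructed to mirror the thread's two sections; the key-length threshold and the option names checked are assumptions.

```python
import re

# Constructed sample in the UCI format used above; the WDS key mirrors the
# eight-digit one shown in the post, the AP section points at the RADIUS server.
SAMPLE_WIRELESS = """
config wifi-iface       wifi
        option device   wl0
        option mode     ap
        option ssid     rad-1
        option encryption wpa+wpa2
        option key      radpass
        option server   172.16.0.1
        option port     1812

config wifi-iface       wds
        option device   wl0
        option mode     wds
        option ssid     wds-link
        option encryption psk
        option key      12345678
"""

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'?([^'\s]+)'?)?\s*$")
OPTION_RE = re.compile(r"^\s*option\s+(\S+)\s+'?(.*?)'?\s*$")

def parse_uci(text):
    """Return a list of (type, name, {option: value}) per 'config' section."""
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = OPTION_RE.match(line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def lint_wifi(sections, min_psk_len=20):
    """Flag weak wireless settings; returns a list of (section name, message)."""
    findings = []
    for typ, name, opts in sections:
        if typ != "wifi-iface":
            continue
        enc = opts.get("encryption", "none")
        modes = set(enc.split("+"))
        if enc == "none":
            findings.append((name, "no encryption on this interface"))
        if modes & {"wpa", "psk"}:  # WPA1 modes permit TKIP; prefer wpa2/psk2 only
            findings.append((name, "WPA1 (TKIP) permitted by '%s'" % enc))
        if "psk" in enc and len(opts.get("key", "")) < min_psk_len:
            findings.append((name, "pre-shared key shorter than %d chars" % min_psk_len))
        if modes & {"wpa", "wpa2"} and "server" not in opts:
            findings.append((name, "EAP mode but no RADIUS server configured"))
    return findings
```

Running `lint_wifi(parse_uci(SAMPLE_WIRELESS))` reports the WPA1 mix on both interfaces and the short WDS key; the AP section passes the RADIUS check because `server` is set.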

I was hoping I wouldn't have to reply to my own posts, but maybe some folks can shed a light on this.

I've included the patch as mentioned in https://dev.openwrt.org/ticket/2463 . The WDS link appears to work (encrypted), but only when
there is no encryption on the lan part.

The lan part has encryption: wpa+wpa2 and
the wds part encryption: psk2. This does NOT work.

I've tried the other (2) variants for nas4not, but nothing seems to give me a working WDS, when the lan part is using wpa+wpa2.

(Last edited by EL on 9 Oct 2007, 12:11)

Things get weirder:

Running wpa+wpa2 on the lan interface and psk on the wds part:
starting udhcpc -i wds0.1 on one device shows requests and replies on the wl0 interface of the other device,
although I don't see this on the interface of the device where I run udhcpc...
