OpenWrt Forum Archive

Topic: [Howto] 802.1X, VLANs, and Guest Access on TP-Link WR710Ns

The content of this topic has been archived on 25 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

This howto covers using TP-Link's WR710N mini 2.4GHz router(s) as access points to provide:

  • per-user WiFi username and password using 802.1X

  • multiple VLANs, to enable (for example) guest access without providing access to internal network resources using 802.1Q

  • hostapd dynamic VLANs, meaning the target VLAN (i.e. guest or not) is controlled by the username with a single SSID

The configuration also supports roaming of devices between multiple access points, and has been built around v1 hardware and OperWRT 15.05. The RADIUS server (for 802.1X) used for developed was Windows Server 2008R2.

Why would you want this? Because Windows 10 and other platforms share standard PSK WiFi meaning that we've lost control of our networks. 802.1X per-user based WiFi is however not shared, and we can control who has access and when and how (trusted or guest status).

Why WR710N? Just because that's what I use for WiFi, they're very cheap (like £10-£15) and reliable (although single-stream 2.4GHz devices).

Assumptions and Requirements

  • TP-Link WR710N's running OpenWRT

  • Separate device(s) providing DHCP, DNS, and routing - the WR710's here are just access points

  • 802.1Q enabled switches connecting everything together with the appropriate VLANs configured

Initial OpenWRT Configuration

Clear everything to defaults; an easy way to do this is to perform a firmware upgrade selecting not to preserve anything:

root@AP:~# cd /tmp
root@AP:/tmp# wget
Connecting to (
openwrt-15.05-ar71xx 100% |**********************************************************************************************|  3328k 0:00:00 ETA
root@AP:/tmp# wget
Connecting to (
md5sums              100% |**********************************************************************************************| 45661  0:00:00 ETA
root@AP:/tmp# md5sum -c md5sums 2> /dev/null | grep OK
openwrt-15.05-ar71xx-generic-tl-wr710n-v1-squashfs-sysupgrade.bin: OK
root@AP:/tmp# sysupgrade -n -v openwrt-15.05-ar71xx-generic-tl-wr710n-v1-squashfs-sysupgrade.bin 

Once the device comes back, login via Telnet at and set password, hostname etc then configure /etc/config/network using vi to get the thing Internet access (IP address, gateway and dns needed). Reboot then install required packages - we need to replace wpad-mini with hostapd (for 802.1X) and nano as a text editor is generally easier than vi for the remainder:

root@ap:~# opkg update
Signature check passed.
root@ap:~# opkg remove wpad-mini
Removing package wpad-mini from root...
root@ap:~# opkg install hostapd nano

Now disable firewall and dnsmasq, since something else is handling DHCP and we aren't doing and routing on these access points:

root@ap:~# cd /etc/init.d
root@ap:/etc/init.d# chmod -x dnsmasq 
root@ap:/etc/init.d# chmod -x firewall

Network Configuration

Now to configure the network interfaces. The WR710N has an integrated five-port switch but only one external port is actually connected to it - the LAN port. The mappings are like so:

  • eth0 - WAN port

  • eth1 - (port0) Switch (port3) LAN port

  • wlan0 - 2.4GHz single-stream radio

Using the LAN port for 802.1Q tagged VLANs means we can use the standard OpenWRT switch methods to work with it. The WAN port can still be bridged into a particular VLAN, for example for wired emergency management or to connect a daisy-chained device.

With the WR710N with 15.05, it's necessary to enable VLANs, set the port membership, but also the native VLAN ID must be set otherwise all ports will be tagged (only). For example, is /etc/config/network:

config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1 2 3t 4'
config 'switch_port'
    option port    '3'
    option pvid    '1'
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 3t'

Note the use of '3t' in the initial vlan 1 definition; at this point port 3 is untagged on VLAN 0, tagged on VLAN 1. The following section, switch_port pvid 1 effectively then makes this untagged, which is likely how we want it. Subsequent VLAN definitions are then tagged, the configuration for which needs to also be reflected in the upstream switch.

Next create the vlan interfaces, this will replace the standard 'eth1' interface definition. Here we're bridging the two physical interfaces into VLAN 1 untagged and assigning an IP address of This will be our management interface; other VLANs don't need an IP address assigned as the access point will be providing a layer-2 link (only) into some other network. Also be aware these and many home-grade devices have shared-VLAN-learning, meaning care is needed to ensure MAC addresses exist in only one VLAN.

config interface 'vlan1'
    option ifname 'eth0 eth1.1'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr ''
    option netmask ''
    option gateway ''
    option dns ''
    option ip6assign '60'
config interface 'vlan2'
    option ifname 'eth1.2'
    option type 'bridge'

Wireless Configuration

The wireless configuration for 802.1X is straightforward per the 802.1X guide on the site wiki. For the WR710N, physical config:

config wifi-device  radio0
        option type     mac80211
        option channel  1
        option hwmode   11g
        option path     'platform/ar933x_wmac'
        option htmode   'HT40+'
        list ht_capab   'SHORT-GI-20'
        list ht_capab   'SHORT-GI-40'
        list ht_capab   'TX-STBC'
        list ht_capab   'RX-STBC1'
        list ht_capab   'DSSS_CCK-40'
        # option noscan '1'
        option country  'GB'
        option disabled 0

And, the 802.1X SSID config. We need a RADIUS server, which we tell the access point about with 'option server', this can be a free radius server or for example Network Policy Server on Windows, meaning you can use your Windows Server user accounts to control access to WiFi.

One goal of this guide is Dynamic VLANs, meaning the access point will connect clients to one of a range of VLANs based on the response from the RADIUS Server. We'll configure the RADIUS server to response with a particular VLAN ID with the authentication requests, which we enable here with 'option dynamic_vlan'. hostapd will simply append the VLAN ID to the 'option vlan_bridge' configured, so users configured for vlan 1 will be connected to br-vlan1 and users for vlan 2 to br-vlan2, in this example:

config wifi-iface
        option device           radio0
        option mode             ap
        option ssid             NetworkName
        option encryption       'wpa2'
        option server           ''
        option key              'secret-key-goes-here'
        option dynamic_vlan     '2'
        option 'vlan_tagged_interface' 'eth1'
        option 'vlan_bridge'    'br-vlan'
        option 'vlan_naming'    '0'
        option dtim_period      '1'
        option short_preamble   '1'
        option wds              '1'
        option wmm              '1'

One issue is that some home grade devices like WiFi printers won't talk 802.1X. In this case, we can just add on a second, standard PSK SSID and use this only for these devices (and refrain from sharing it):

config wifi-iface
        option device           radio0
        option mode             ap
        option ssid             NetworkName
        option encryption       'psk2'
        option key              'PSK-goes-here'
    option network        'vlan1'
        option dtim_period      '1'
        option short_preamble   '1'
        option wds              '1'
        option wmm              '1'

Note option network; this bridges this SSID straight into VLAN 1 in this case (it could equally say vlan2 etc).

RADIUS Server Configuration

So far, we've configured the OpenWRT device with multiple VLANs, disabled some stuff we don't need, and set up an 802.1X WiFi SSID. The next step is to configure the RADIUS server, in this case Windows 2008 is being used by adding the Network Policy Server Role.

Windows 2008 Network Policy Server

First thing to note is that NPS *needs* and certificate installed. Add the IIS role, create or purchase a certificate, and bind it to the default web site - that should be it.

Next create a Shared Secret template, which will contain whatever has been set as 'secret-key-goes-here' under 'option key' in the above example. This can then be set against multiple access points.

Under RADIUS Clients, create an entry for each access point based on it's IP address ( in this example) selecting the Shared Secret Template. On advanced, choose Standard RADIUS and do not check NAP capable.

Now edit the default Connect Request Policy and under Authentication Methods, ensure PEAP and MSCHAPv2 are enabled.

Then create the Network Policies - one for Trusted and one for Guests. You might also add policies to provide restricted time-of-day access for certain groups. For each policy, choose Unspecified network access server type. The Conditions will likely be group based. Under Constraints, we need to enable Session Timeout (anything will do, say 5 minutes) and ensure MSCHAPv2 is enabled. On Settings, add Standard RADIUS Attributes:

  • Framed value: PPP

  • Service Type: Framed

  • Tunnel Type: VLAN

  • Tunnel-Medium-Type: 802

  • Tunnel-Pvt-Group-ID: [this is the VLAN number users granted access by this policy will get, i.e. 1 or 2 in this example]

  • Termination-Action: RADIUS-Request

The last line works with the Session Timeout value to ensure clients re-authenticate periodically (which is transparent to the user) so that any time-of-day restrictions disconnect users, as well as enabling connection in the first place. The Tunnel-Pvt-Group-ID is the VLAN number that this policy will yield which a match is made.

Other Infrastructure

This guide has covered configuring the OpenWRT based access points and a Windows NPS server to provide user authentication; this gets wireless clients onto your network on the appropriate VLAN. Other components needed to actually provide those users access to things include a firewall/router interface in each VLAN, a DHCP scope for each VLAN (and DHCP relay if not local to those VLANs), a DNS server, and 802.1Q capable switches hooking everything together.

Note on WR710N Recovery

If you lock yourself out of the device, particularly around the switch config, the unit can be booted in recovery mode by powering up, then pressing and holding the reset button when the light starts flashing until it flashes at high speed. We can then telnet to the device on and correct the config.

I'm the original author of the 802.1x article on the wiki and some of the patches which made dynamic vlans work. I pop on the forums very occasionally and go through the 802.1x posts to try and provide some direction to people struggling with it. Good job with the guide. One note I would have is that a certificate from a trusted CA (probably meaning one you paid for) will make life MUCH easier for connecting clients. Windows 8 & 10, Android, Mac, and iOS devices actually just give you a warning you can click through pretty easily but older versions of Windows are really painful to get working on 802.1x without a cert signed by a trusted CA on the RADIUS server. It can be done but the options to allow it must be manually set before connecting and are quite buried in the UI of the supplicants so it's not very user friendly at all.

The discussion might have continued from here.