This howto covers using TP-Link's WR710N mini 2.4GHz router(s) as access points to provide:
per-user WiFi username and password using 802.1X
multiple VLANs, to enable (for example) guest access without providing access to internal network resources using 802.1Q
hostapd dynamic VLANs, meaning the target VLAN (i.e. guest or not) is controlled by the username with a single SSID
The configuration also supports roaming of devices between multiple access points, and has been built around v1 hardware and OperWRT 15.05. The RADIUS server (for 802.1X) used for developed was Windows Server 2008R2.
Why would you want this? Because Windows 10 and other platforms share standard PSK WiFi meaning that we've lost control of our networks. 802.1X per-user based WiFi is however not shared, and we can control who has access and when and how (trusted or guest status).
Why WR710N? Just because that's what I use for WiFi, they're very cheap (like £10-£15) and reliable (although single-stream 2.4GHz devices).
Assumptions and Requirements
TP-Link WR710N's running OpenWRT
Separate device(s) providing DHCP, DNS, and routing - the WR710's here are just access points
802.1Q enabled switches connecting everything together with the appropriate VLANs configured
Initial OpenWRT Configuration
Clear everything to defaults; an easy way to do this is to perform a firmware upgrade selecting not to preserve anything:
root@AP:~# cd /tmp
root@AP:/tmp# wget http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/openwrt-15.05-ar71xx-generic-tl-wr710n-v1-squashfs-sysupgrade.bin
Connecting to downloads.openwrt.org (78.24.191.177:80)
openwrt-15.05-ar71xx 100% |**********************************************************************************************| 3328k 0:00:00 ETA
root@AP:/tmp# wget http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/md5sums
Connecting to downloads.openwrt.org (78.24.191.177:80)
md5sums 100% |**********************************************************************************************| 45661 0:00:00 ETA
root@AP:/tmp# md5sum -c md5sums 2> /dev/null | grep OK
openwrt-15.05-ar71xx-generic-tl-wr710n-v1-squashfs-sysupgrade.bin: OK
root@AP:/tmp# sysupgrade -n -v openwrt-15.05-ar71xx-generic-tl-wr710n-v1-squashfs-sysupgrade.bin
Once the device comes back, login via Telnet at 192.168.1.1 and set password, hostname etc then configure /etc/config/network using vi to get the thing Internet access (IP address, gateway and dns needed). Reboot then install required packages - we need to replace wpad-mini with hostapd (for 802.1X) and nano as a text editor is generally easier than vi for the remainder:
root@ap:~# opkg update
Downloading http://downloads.openwrt.org/chaos_calmer/15.05/ar71xx/generic/packages/base/Packages.gz.
...
Signature check passed.
root@ap:~# opkg remove wpad-mini
Removing package wpad-mini from root...
root@ap:~# opkg install hostapd nano
Now disable firewall and dnsmasq, since something else is handling DHCP and we aren't doing and routing on these access points:
root@ap:~# cd /etc/init.d
root@ap:/etc/init.d# chmod -x dnsmasq
root@ap:/etc/init.d# chmod -x firewall
Network Configuration
Now to configure the network interfaces. The WR710N has an integrated five-port switch but only one external port is actually connected to it - the LAN port. The mappings are like so:
eth0 - WAN port
eth1 - (port0) Switch (port3) LAN port
wlan0 - 2.4GHz single-stream radio
Using the LAN port for 802.1Q tagged VLANs means we can use the standard OpenWRT switch methods to work with it. The WAN port can still be bridged into a particular VLAN, for example for wired emergency management or to connect a daisy-chained device.
With the WR710N with 15.05, it's necessary to enable VLANs, set the port membership, but also the native VLAN ID must be set otherwise all ports will be tagged (only). For example, is /etc/config/network:
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 1 2 3t 4'
config 'switch_port'
option port '3'
option pvid '1'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 3t'
Note the use of '3t' in the initial vlan 1 definition; at this point port 3 is untagged on VLAN 0, tagged on VLAN 1. The following section, switch_port pvid 1 effectively then makes this untagged, which is likely how we want it. Subsequent VLAN definitions are then tagged, the configuration for which needs to also be reflected in the upstream switch.
Next create the vlan interfaces, this will replace the standard 'eth1' interface definition. Here we're bridging the two physical interfaces into VLAN 1 untagged and assigning an IP address of 10.0.1.21. This will be our management interface; other VLANs don't need an IP address assigned as the access point will be providing a layer-2 link (only) into some other network. Also be aware these and many home-grade devices have shared-VLAN-learning, meaning care is needed to ensure MAC addresses exist in only one VLAN.
config interface 'vlan1'
option ifname 'eth0 eth1.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '10.0.1.21'
option netmask '255.255.255.0'
option gateway '10.0.1.1'
option dns '10.0.1.10'
option ip6assign '60'
config interface 'vlan2'
option ifname 'eth1.2'
option type 'bridge'
Wireless Configuration
The wireless configuration for 802.1X is straightforward per the 802.1X guide on the site wiki. For the WR710N, physical config:
config wifi-device radio0
option type mac80211
option channel 1
option hwmode 11g
option path 'platform/ar933x_wmac'
option htmode 'HT40+'
list ht_capab 'SHORT-GI-20'
list ht_capab 'SHORT-GI-40'
list ht_capab 'TX-STBC'
list ht_capab 'RX-STBC1'
list ht_capab 'DSSS_CCK-40'
# option noscan '1'
option country 'GB'
option disabled 0
And, the 802.1X SSID config. We need a RADIUS server, which we tell the access point about with 'option server', this can be a free radius server or for example Network Policy Server on Windows, meaning you can use your Windows Server user accounts to control access to WiFi.
One goal of this guide is Dynamic VLANs, meaning the access point will connect clients to one of a range of VLANs based on the response from the RADIUS Server. We'll configure the RADIUS server to response with a particular VLAN ID with the authentication requests, which we enable here with 'option dynamic_vlan'. hostapd will simply append the VLAN ID to the 'option vlan_bridge' configured, so users configured for vlan 1 will be connected to br-vlan1 and users for vlan 2 to br-vlan2, in this example:
config wifi-iface
option device radio0
option mode ap
option ssid NetworkName
option encryption 'wpa2'
option server '10.0.1.10'
option key 'secret-key-goes-here'
option dynamic_vlan '2'
option 'vlan_tagged_interface' 'eth1'
option 'vlan_bridge' 'br-vlan'
option 'vlan_naming' '0'
option dtim_period '1'
option short_preamble '1'
option wds '1'
option wmm '1'
One issue is that some home grade devices like WiFi printers won't talk 802.1X. In this case, we can just add on a second, standard PSK SSID and use this only for these devices (and refrain from sharing it):
config wifi-iface
option device radio0
option mode ap
option ssid NetworkName
option encryption 'psk2'
option key 'PSK-goes-here'
option network 'vlan1'
option dtim_period '1'
option short_preamble '1'
option wds '1'
option wmm '1'
Note option network; this bridges this SSID straight into VLAN 1 in this case (it could equally say vlan2 etc).
RADIUS Server Configuration
So far, we've configured the OpenWRT device with multiple VLANs, disabled some stuff we don't need, and set up an 802.1X WiFi SSID. The next step is to configure the RADIUS server, in this case Windows 2008 is being used by adding the Network Policy Server Role.
Windows 2008 Network Policy Server
First thing to note is that NPS *needs* and certificate installed. Add the IIS role, create or purchase a certificate, and bind it to the default web site - that should be it.
Next create a Shared Secret template, which will contain whatever has been set as 'secret-key-goes-here' under 'option key' in the above example. This can then be set against multiple access points.
Under RADIUS Clients, create an entry for each access point based on it's IP address (10.0.1.21 in this example) selecting the Shared Secret Template. On advanced, choose Standard RADIUS and do not check NAP capable.
Now edit the default Connect Request Policy and under Authentication Methods, ensure PEAP and MSCHAPv2 are enabled.
Then create the Network Policies - one for Trusted and one for Guests. You might also add policies to provide restricted time-of-day access for certain groups. For each policy, choose Unspecified network access server type. The Conditions will likely be group based. Under Constraints, we need to enable Session Timeout (anything will do, say 5 minutes) and ensure MSCHAPv2 is enabled. On Settings, add Standard RADIUS Attributes:
Framed value: PPP
Service Type: Framed
Tunnel Type: VLAN
Tunnel-Medium-Type: 802
Tunnel-Pvt-Group-ID: [this is the VLAN number users granted access by this policy will get, i.e. 1 or 2 in this example]
Termination-Action: RADIUS-Request
The last line works with the Session Timeout value to ensure clients re-authenticate periodically (which is transparent to the user) so that any time-of-day restrictions disconnect users, as well as enabling connection in the first place. The Tunnel-Pvt-Group-ID is the VLAN number that this policy will yield which a match is made.
Other Infrastructure
This guide has covered configuring the OpenWRT based access points and a Windows NPS server to provide user authentication; this gets wireless clients onto your network on the appropriate VLAN. Other components needed to actually provide those users access to things include a firewall/router interface in each VLAN, a DHCP scope for each VLAN (and DHCP relay if not local to those VLANs), a DNS server, and 802.1Q capable switches hooking everything together.
Note on WR710N Recovery
If you lock yourself out of the device, particularly around the switch config, the unit can be booted in recovery mode by powering up, then pressing and holding the reset button when the light starts flashing until it flashes at high speed. We can then telnet to the device on 192.168.1.1 and correct the config.