RADIUS-assigned VLANs

Hi,

Could someone please confirm whether the new Alta Labs APs properly support RADIUS-assigned VLANs when using WPA2-Enterprise on an SSID?

I presume it would with no problems, especially as Ubiquiti UniFi and like APs all support this. However, I do not see any tickbox or option in the Alta Labs cloud console to explicitly enable this feature, which there is on UniFi. Therefore, I would assume that the APs have this enabled by default, but I wanted to check if anyone else has tested this before I purchase the APs for myself.

Thanks


Hi @itservicesx thanks for posting! Yes, we support RADIUS assigned VLANS automatically. No extra configuration is needed.


Brilliant, glad to hear. How about RADIUS controlled MPA for multi-passwords on a single SSID? I believe TP-Link Omada supports this, where an admin can configure the AP to either host the passwords locally, or use a RADIUS server instead.

Does the Alta Labs cloud management platform support this?

@itservicesx Yes, you should just be able to point the AP to the RADIUS server, and the RADIUS server can handle the authentication directly with the station.

Are there specific attributes that should be sent in the Access-Accept?

I tried the generic attributes that work with most vendors, but I always get stuck on the default VLAN:

radiusd:1053:1690323127.353635:Tue Jul 25 15:12:07 2023: Tue Jul 25 15:12:07 2023 : Debug: (16) Sent Access-Accept Id 40 from 172.16.16.11:1812 to 172.16.91.104:59217 length 0
...
radiusd:1053:1690323127.353734:Tue Jul 25 15:12:07 2023: Tue Jul 25 15:12:07 2023 : Debug: (16)   User-Name := "host/hostname.local.domain"
radiusd:1053:1690323127.353750:Tue Jul 25 15:12:07 2023: Tue Jul 25 15:12:07 2023 : Debug: (16)   Tunnel-Private-Group-Id += "201"
radiusd:1053:1690323127.353765:Tue Jul 25 15:12:07 2023: Tue Jul 25 15:12:07 2023 : Debug: (16)   Tunnel-Type += VLAN
radiusd:1053:1690323127.353784:Tue Jul 25 15:12:07 2023: Tue Jul 25 15:12:07 2023 : Debug: (16)   Tunnel-Medium-Type += IEEE-802

@aglabs If you can grab /var/log/messages right after the client connected (via ssh/scp), perhaps we can understand why it’s not assigning the desired VLAN in your case.

First things first, huge fan of how easy it was to figure out how to ssh to the AP and setup SSH keys.

messages log from connection attempt:

Jul 26 02:14:41 OpenWrt kern.warn kernel: [  343.282883] 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d, VLAN4, Type 0
Jul 26 02:14:41 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d RADIUS: VLAN ID 4
Jul 26 02:14:41 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d IEEE 802.11: authenticated
Jul 26 02:14:41 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d IEEE 802.11: associated (aid 1)
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=0 addr=0x124a438 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=8 addr=0x595566 key_idx=1 set_tx=1 seq_len=0 key_len=32 key_flag=0x1a
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=11 addr=0x595566 key_idx=4 set_tx=1 seq_len=0 key_len=32 key_flag=0x1a
Jul 26 02:14:41 OpenWrt daemon.err hostapd: no such r0 nor r1 for: f0:9e:4a:b2:07:7d
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=0 addr=0x124a438 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=0 addr=0x124a438 key_idx=0 set_tx=1 seq_len=0 key_len=0 key_flag=0x20
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=8 addr=0x595566 key_idx=1 set_tx=1 seq_len=0 key_len=32 key_flag=0x1a
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=11 addr=0x595566 key_idx=4 set_tx=1 seq_len=0 key_len=32 key_flag=0x1a
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: CTRL-EVENT-EAP-STARTED f0:9e:4a:b2:07:7d
Jul 26 02:14:41 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: RADIUS: Retry attempts :2 Maximum retry attempts :10
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d RADIUS: VLAN ID 4
Jul 26 02:14:44 OpenWrt daemon.err hostapd: no such r0 nor r1 for: f0:9e:4a:b2:07:7d
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: CTRL-EVENT-EAP-SUCCESS2 f0:9e:4a:b2:07:7d
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d WPA: sending 1/4 msg of 4-Way Handshake
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d WPA: received EAPOL-Key frame (2/4 Pairwise)
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d WPA: sending 3/4 msg of 4-Way Handshake
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d WPA: received EAPOL-Key frame (4/4 Pairwise)
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: wpa_driver_nl80211_set_key: ifindex=15 (5eBPVRYKrl) alg=8 addr=0x124a438 key_idx=0 set_tx=1 seq_len=0 key_len=32 key_flag=0x2c
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d WPA: pairwise key handshake completed (RSN)
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: EAPOL-4WAY-HS-COMPLETED f0:9e:4a:b2:07:7d
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: AP-STA-CONNECTED f0:9e:4a:b2:07:7d
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d RADIUS: starting accounting session 81EC9125053A08BA
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d IEEE 802.1X: authenticated - EAP type: 13 (TLS)

Accompanying lab RADIUS server logs for the Access-Accept packet (it's a modified FreeRADIUS build):

radiusd:14899:1690337684.627970:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21) Sent Access-Accept Id 42 from 172.16.16.11:1812 to 172.16.91.104:39266 length 0
radiusd:14899:1690337684.628002:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   MS-MPPE-Recv-Key = 0x907ed592f67625f2c0e186964e261feddaf475452ed489fbbe0a82e90d672419
radiusd:14899:1690337684.628027:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   MS-MPPE-Send-Key = 0x6d35e9087ba66cb9d08f086e248dad6966a09b0bd2d7d3606bb73e65c2eb8620
radiusd:14899:1690337684.628061:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   EAP-Message = 0x03f50004
radiusd:14899:1690337684.628087:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   Message-Authenticator = 0x00000000000000000000000000000000
radiusd:14899:1690337684.628120:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   User-Name := "host/butters.ag.home.lab"
radiusd:14899:1690337684.628155:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   Tunnel-Private-Group-Id += "201"
radiusd:14899:1690337684.628184:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   Tunnel-Type += VLAN
radiusd:14899:1690337684.628255:Tue Jul 25 19:14:44 2023: Tue Jul 25 19:14:44 2023 : Debug: (21)   Tunnel-Medium-Type += IEEE-802

The endpoint should be on VLAN 201 according to RADIUS, but it ended up on VLAN 4, which is the default for the SSID.
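One way to spot exactly the situation in the post above, as an added example (not code from Alta Labs or from anyone in this thread): cross-check the VLAN the RADIUS server returned against the VLAN hostapd reports applying. It assumes the two log formats shown in the thread, FreeRADIUS debug lines such as `Tunnel-Private-Group-Id += "201"` and hostapd lines of the form `STA <mac> RADIUS: VLAN ID <n>`; the sample lines below are constructed from the thread's own output, trimmed to the relevant fields.

```python
"""Cross-check a RADIUS Access-Accept VLAN against the VLAN hostapd applied.

Added example; assumes the FreeRADIUS debug and hostapd syslog formats seen in
the thread. Regexes and field names below are this example's own choices.
"""
import re

# Constructed sample input, trimmed from the thread's FreeRADIUS debug output.
RADIUS_DEBUG = """\
Debug: (21) Sent Access-Accept Id 42 from 172.16.16.11:1812 to 172.16.91.104:39266 length 0
Debug: (21)   User-Name := "host/butters.ag.home.lab"
Debug: (21)   Tunnel-Private-Group-Id += "201"
Debug: (21)   Tunnel-Type += VLAN
Debug: (21)   Tunnel-Medium-Type += IEEE-802
"""

# Constructed sample input, trimmed from the thread's AP /var/log/messages.
HOSTAPD_LOG = """\
Jul 26 02:14:44 OpenWrt daemon.info hostapd: 5eBPVRYKrl: STA f0:9e:4a:b2:07:7d RADIUS: VLAN ID 4
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: CTRL-EVENT-EAP-SUCCESS2 f0:9e:4a:b2:07:7d
Jul 26 02:14:44 OpenWrt daemon.notice hostapd: 5eBPVRYKrl: AP-STA-CONNECTED f0:9e:4a:b2:07:7d
"""

# FreeRADIUS prints operators as ":=", "+=" or "="; accept all three.
_GROUP_ID = re.compile(r'Tunnel-Private-Group-Id\s*[:+]?=\s*"?(\d+)"?')
_TUNNEL_TYPE = re.compile(r'Tunnel-Type\s*[:+]?=\s*(\S+)')
_MEDIUM_TYPE = re.compile(r'Tunnel-Medium-Type\s*[:+]?=\s*(\S+)')
# hostapd logs the VLAN it decoded from the RADIUS reply per station MAC.
_HOSTAPD_VLAN = re.compile(r'STA ([0-9a-f:]{17}) RADIUS: VLAN ID (\d+)')


def radius_reply_vlan(debug_text: str) -> dict:
    """Extract the VLAN trio from FreeRADIUS debug output.

    'complete' is True only when all three attributes are present with the
    values RFC 3580 requires (Tunnel-Type VLAN/13, Tunnel-Medium-Type IEEE-802/6).
    """
    gid = _GROUP_ID.search(debug_text)
    ttype = _TUNNEL_TYPE.search(debug_text)
    medium = _MEDIUM_TYPE.search(debug_text)
    return {
        "vlan": int(gid.group(1)) if gid else None,
        "tunnel_type": ttype.group(1) if ttype else None,
        "medium_type": medium.group(1) if medium else None,
        "complete": bool(gid and ttype and medium
                         and ttype.group(1) in ("VLAN", "13")
                         and medium.group(1) in ("IEEE-802", "6")),
    }


def hostapd_applied_vlans(log_text: str) -> dict:
    """Map station MAC -> VLAN hostapd reports applying; the last line wins."""
    applied = {}
    for mac, vlan in _HOSTAPD_VLAN.findall(log_text):
        applied[mac] = int(vlan)
    return applied


def check_assignment(debug_text: str, log_text: str, station_mac: str) -> dict:
    """Compare what RADIUS asked for with what the AP did for one station."""
    expected = radius_reply_vlan(debug_text)
    applied = hostapd_applied_vlans(log_text).get(station_mac)
    if not expected["complete"]:
        status = "incomplete-reply"     # fix the RADIUS side first
    elif applied is None:
        status = "no-vlan-logged"       # AP never parsed a VLAN for this STA
    elif applied == expected["vlan"]:
        status = "ok"
    else:
        status = "mismatch"             # the thread's case: 201 requested, 4 applied
    return {"status": status, "expected": expected["vlan"], "applied": applied}


if __name__ == "__main__":
    print(check_assignment(RADIUS_DEBUG, HOSTAPD_LOG, "f0:9e:4a:b2:07:7d"))
```

Run against the thread's logs the result is a `mismatch` with expected 201 and applied 4, which is the signature of the AP overriding a well-formed reply rather than a malformed reply; an `incomplete-reply` result would instead point back at the RADIUS configuration.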

Is there a tutorial available to connect with SSH?

@Niels Yes: How To Use SSH Keys For Management. Please let me know if you have any questions!


@Alta-Jeff Thanks!


Hi @Niels have you had a chance to look at the logs I provided, anything I should try different?

Hi @aglabs,

I think you need @Alta-Jeff to inspect your logs :wink:

Hi @Alta-Jeff, was the log output I provided what you needed? Any feedback on how I can get dynamic VLAN assignments working?

@aglabs From my testing, it works great as long as you set the tunnel type to 13 (VLAN), and the tunnel medium type to 6 (802). Did you try setting the default VLAN to 1? Obviously not a long-term solution but might help narrow down what’s going on.
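The numeric values in the reply above are the RFC 2868 encodings of the three tunnel attributes (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81). As an added example, not code from Alta Labs or from this thread, here is a Python encoder and decoder for that attribute tuple, including the tag octet that distinguishes a tagged reply from an untagged one; the function names and the validity rule (only accept the VLAN when type is 13 and medium is 6 on the same tag) are this example's own.

```python
"""Encode and decode the RFC 2868/3580 VLAN attribute tuple in a RADIUS reply.

Added example; attribute numbers and layouts are from RFC 2868, the VLAN
(13) / IEEE-802 (6) values from RFC 3580. Everything else is illustrative.
"""

TUNNEL_TYPE = 64              # tagged integer: tag(1) + value(3)
TUNNEL_MEDIUM_TYPE = 65       # tagged integer: tag(1) + value(3)
TUNNEL_PRIVATE_GROUP_ID = 81  # tagged string: tag(1) + text
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Type, Length=6, Tag, 3-byte big-endian value (RFC 2868 section 3.1)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in 24 bits")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def _tagged_string(attr_type: int, tag: int, text: str) -> bytes:
    """Type, Length, Tag, String (RFC 2868 section 3.6)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = bytes([tag]) + text.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute too long")
    return bytes([attr_type, len(body) + 2]) + body


def encode_vlan_reply(vlan_id: int, tag: int = 0) -> bytes:
    """Build the three attributes an AP needs to place a station on vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    return (_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + _tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + _tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(blob: bytes) -> list:
    """Walk a run of RADIUS AVPs and return (type, tag, value) tuples.

    Non-tunnel attributes come back with tag None and their raw bytes.
    """
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte above 0x1F is not a tag but the start of the string;
            # treat that as tag 0 ("no tag"), as RFC 2868 allows.
            if body and body[0] <= 0x1F:
                out.append((attr_type, body[0], body[1:].decode("ascii", "replace")))
            else:
                out.append((attr_type, 0, body.decode("ascii", "replace")))
        else:
            out.append((attr_type, None, body))
        i += length
    return out


def vlan_from_reply(blob: bytes):
    """Return the VLAN id a conforming AP should apply, or None.

    Requires Tunnel-Type 13 and Tunnel-Medium-Type 6 carrying the same tag
    as the Tunnel-Private-Group-ID, and a numeric group id in 1..4094.
    """
    by_tag = {}
    for attr_type, tag, value in parse_attributes(blob):
        if tag is not None:
            by_tag.setdefault(tag, {})[attr_type] = value
    for tag in sorted(by_tag):
        attrs = by_tag[tag]
        gid = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and isinstance(gid, str) and gid.isdigit()
                and 1 <= int(gid) <= 4094):
            return int(gid)
    return None


if __name__ == "__main__":
    reply = encode_vlan_reply(201)
    print(reply.hex(), vlan_from_reply(reply))
```

The decoder mirrors what hostapd does when it logs `RADIUS: VLAN ID n`: a reply with the right group id but a Tunnel-Type other than 13, or a medium other than 6, yields no VLAN at all, so when the AP does log the correct VLAN (as in the thread, where it logged 4 after a reply for 201 only because the AP's own default won) the reply itself is already well-formed.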

@Alta-Jeff Thanks for the hints :slight_smile: Did a bit of playing and found two things:

First: It appears setting default vlan to 1 allows radius dynamic vlan to work with WPA2.
Not saying this is an issue/bug, but it is definitely not typical for an AP/switch to override a RADIUS accept with its own settings if they aren't default (maybe a documentation opportunity).

Second: what might be a bug is that when WPA3 is used (default VLAN still 1), dynamic VLAN no longer works.

@aglabs Thanks for digging! Ideally it should use your defined VLAN as a fallback, so we’ll get this working as you had originally expected, and look into WPA3.

@Alta-Jeff Did you get anywhere with WPA3? I was just testing WPA-Enterprise with a Ubiquiti Cloud Gateway Ultra as the RADIUS server and could only get dynamic VLAN working if I disabled WPA3 and set the VLAN to 1.

@dragon2611 Can you confirm that it’s working with WPA2 at least? If you can gather logs from the AP during the WPA3 authentication, that would help.

It did, as long as the VLAN in the AP settings was 1.
With WPA2 and VLAN 1 set, I got put on VLAN 15 (which is what I'd set in RADIUS), but if the default VLAN on the AP was set to 5, that's where I got placed regardless of what RADIUS was saying.

@dragon2611 Any chance you can capture the RADIUS exchange for WPA3-enterprise, and the AP logs during authentication?