Below is a quick addendum to the current Hostapd Quick Install Guide.

Hopefully it will help new users looking to leverage the flexibility of
OpenWRT (aka LEDE) with the powerful captive portal functionality of
Packetfence.

There is a great guide from Inverse, and this email just adds a few missing
bits that will help keep hostapd related posts out of the list.  Instead
invest that savings in some professional services from Inverse.

The Guide:
https://packetfence.org/doc/PacketFence_OpenWrt-Hostapd-15-05_Quick_Install_Guide.html

Hostapd 15.05 is dead and old.  At this time, 17.01.4 is current.

With hostapd, you have to pick a band (i.e. 5G or 2.4G), as CoA only works
with one radio.

Below are some additions to the guide that should be helpful based on a
configuration with a packetfence server with an IP of 192.168.10.10 on the
management VLAN70, registration VLAN71, isolation VLAN72 and an out-of-band
user/normal VLAN76 (PF server does nothing on VLAN76 and does not see it).
The hostapd AP running LEDE/OpenWRT 17.01.4 has an IP of 192.168.10.19 on
the management VLAN70.

Step 4.1:  Have your Internet connected to the WAN port of a default
OpenWRT configuration for staging and connect to one of the LAN ports on
192.168.1.1.  If your network is 192.168.1.X, you might consider making a
change to your local LAN to make this type of access easier.

The actual steps to update the packages:

# opkg update
# opkg remove wpad-mini hostapd
# opkg install hostapd-common wpad

We typically dump a bunch of useful tools and stuff too; none of this is
required:

# opkg install ipset screen iftop tcpdump curl mtr wget diffutils iperf3 iwinfo snmpd kmod-gpio-button-hotplug

We like to bring all the packages up to the latest version as well (also
not required):

# opkg update
# opkg list-upgradable | awk -F ' - ' '{print $1}' | xargs opkg upgrade

Step 4.2:
Most people choose to run on 5G for increased bandwidth and control of
range.  Usually this is wlan0, but on some hardware (i.e. WD N600) it will
be wlan1.  You can use iwinfo to see which device is your 5G radio.
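
As an added example (my own script, not part of the guide or of the
PacketFence/OpenWRT projects), the following picks out the 5G radio from
"iwinfo" output instead of reading it by eye. The function name
find_5g_radio and the sample_iwinfo output are my own; the sample is
constructed to look like an N600-style box where the 5G radio is wlan1, not
captured from a real device. On the AP you would pipe the real command into
it: iwinfo | find_5g_radio

```shell
#!/bin/sh
# find_5g_radio: read "iwinfo" output on stdin and print the name of every
# wireless interface whose channel frequency is in the 5 GHz band.
# iwinfo prints one block per interface; the block starts with the interface
# name in column 0 and later carries "Channel: N (x.xxx GHz)".
find_5g_radio() {
    awk '
        # Start of an interface block: "wlan0     ESSID: ..."
        /^[a-z0-9.-]+ +ESSID:/ { iface = $1 }
        # The channel line carries the frequency in parentheses.
        /Channel: / && iface != "" {
            if (match($0, /\([0-9.]+ GHz\)/)) {
                # strip the leading "(" and the trailing " GHz)"
                freq = substr($0, RSTART + 1, RLENGTH - 6) + 0
                if (freq >= 4.9 && freq < 6.0) print iface
            }
        }
    '
}

# sample_iwinfo: constructed iwinfo-style output (not captured from a real
# device), modelled on a WD N600-like box where the 5G radio is wlan1.
sample_iwinfo() {
    cat <<'EOF'
wlan0     ESSID: "LEDE"
          Access Point: 00:11:22:33:44:50
          Mode: Master  Channel: 11 (2.462 GHz)
          Tx-Power: 20 dBm  Link Quality: unknown/70
          Encryption: none
          Type: nl80211  HW Mode(s): 802.11bgn
          Supports VAPs: yes  PHY name: phy0

wlan1     ESSID: "Public WiFi"
          Access Point: 00:11:22:33:44:51
          Mode: Master  Channel: 149 (5.745 GHz)
          Tx-Power: 23 dBm  Link Quality: unknown/70
          Encryption: none
          Type: nl80211  HW Mode(s): 802.11nac
          Supports VAPs: yes  PHY name: phy1
EOF
}

# On the AP itself you would run:  iwinfo | find_5g_radio
# Here the constructed sample is used instead so the script runs anywhere.
sample_iwinfo | find_5g_radio
```

One caveat: iwinfo lists wireless interfaces, not radios, so a radio that is
still set to option disabled '1' will not show up at all. In that case use
'iw list' (as the notes below suggest) to see which phy supports the 5 GHz
bands before you decide which radioN/wlanN to configure.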

Step 4.3: The attached script is a modified version of the 17.01.4 hostapd.sh

Step 4.4: The guide's example is not for the scenario where you just have an
open SSID where you are providing access via WISPr/Captive Portal. It also
has some issues: it is missing "wifi-iface" on the PF-Open SSID, uses the
2.4G radio (which is often not wlan0), and has vlan_naming set to '0', where
we find '1' is the preferred option.

Below is an updated example with a single open SSID 'Public WiFi'.

Some notes on where yours might differ for the radio (wifi-device):
1) The 5G radio 'path' is specific to the device (in this case a TP-Link
C2600).
2) The country 'CA' is Canada (that's where we are).
3) The channel is '149'; higher channels deliver more power on some
devices. DFS channels like '100', when supported, are typically very
clear. Check out the 'iw list' output for power and channel support.

Some notes on where yours might differ for the interface (wifi-iface):
1) The 192.168.10.10 address should be your PF server on the management
subnet. We like to leave the default 192.168.1.1 on the lan interface for
local configuration and access, so it is not used for any PF VLANs
(management/registration/isolation/normal).
2) The vlan_tagged_interface 'eth0' should be the interface where your
tagged/trunked VLANs for registration/isolation/normal (the ones clients
will be connecting to) are connected. Typically this is the "Internet"
port. In some rare cases eth1 is the "Internet" port, depending on the
hardware. You need to know your hardware.
3) option network 'lan' should be removed; it is the default setting by
which wifi interfaces are normally bridged to the lan.
4) vlan_naming '1' seems to produce fewer bridge naming warnings in our
experience, though both '1' and '0' work.
5) Note that radio1 (2.4G) is set with option disabled '1'; we are not
using it.

config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11a'
option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option htmode 'VHT80'
option disabled '0'
option country 'CA'
option channel '149'

config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option encryption 'none'
option vlan_file '/etc/config/hostapd.vlan'
option vlan_bridge 'br-vlan'
option vlan_naming '1'
option dynamic_vlan '2'
option auth_port '1812'
option auth_server '192.168.10.10'
option auth_secret 's3cr3t'
option acct_port '1813'
option acct_server '192.168.10.10'
option acct_secret 's3cr3t'
option dae_port '3799'
option dae_client '192.168.10.10'
option dae_secret 's3cr3t'
option nasid 'Lobby AP'
option ssid 'Public WiFi'
option vlan_tagged_interface 'eth0'

config wifi-device 'radio1'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
option htmode 'HT20'
option disabled '1'

config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'LEDE'
option encryption 'none'

4.4b) Network and VLANs
As always, the network configuration is up to you.  If you had your
management VLAN on 70, registration on 71, isolation on 72 and user/normal
on 76, on a TP-Link C2600 your network config would look something like
this:

Some notes on where yours might differ:
1) Your ula_prefix will be different (and should be on every device). If
you are copying between devices, be sure to change this.
2) We leave the lan alone, making it easy to connect directly via
192.168.1.1.  We disable NAT/MASQ though in the firewall (not here) so
users can't jack in directly and bypass the wifi for Internet access.
3) VLANs must be named vlanXX to work with the VLAN switching as set with
the vlan_ options in wireless; your VLANs will probably be different.
4) Your DNS and Management Network IPs will likely be different.
5) The ports in the switch_vlan config are hardware specific. You need to
know your hardware and understand VLAN tagging and trunking.

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fdc4:80c6:e78f::/48'

config interface 'lan'
option type 'bridge'
option ifname 'eth1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'

config interface 'wan'
option ifname 'eth0.70'
option proto 'static'
option ipaddr '192.168.10.19'
option netmask '255.255.255.0'
option gateway '192.168.10.1'
list dns '8.8.8.8'
list dns '8.8.4.4'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6'

config interface 'vlan71'
option type 'bridge'
option ifname 'eth0.71'

config interface 'vlan72'
option type 'bridge'
option ifname 'eth0.72'

config interface 'vlan76'
option type 'bridge'
option ifname 'eth0.76'

config switch_vlan 'pf_mgmt'
option device 'switch0'
option vlan '70'
option ports '0t 5t'

config switch_vlan 'pf_reg'
option device 'switch0'
option vlan '71'
option ports '0t 5t'

config switch_vlan 'pf_iso'
option device 'switch0'
option vlan '72'
option ports '0t 5t'

config switch_vlan 'pf_user'
option device 'switch0'
option vlan '76'
option ports '0t 5t'

4.4c) Firewall Configuration.  If you don't let your device accept packets
from the PF management server, you are going to have problems.  You may
also set option masq '0' in your wan zone to disable Internet access via the
lan ports, restricting them to management as described earlier.

The firewall rules are:

PF1/PF2 - RADIUS inbound from PF server
PF3 - CoA inbound from PF server
PF4/PF5/PF6 - ICMP/SSH/Web access from the Management subnet; you may
also add SNMP for monitoring.

config rule
option name 'PF1'
option src 'wan'
option src_ip '192.168.10.10/32'
option family 'ipv4'
option proto 'udp'
option dest_port '1813'
option target 'ACCEPT'

config rule
option name 'PF2'
option src 'wan'
option src_ip '192.168.10.10/32'
option family 'ipv4'
option proto 'udp'
option dest_port '1812'
option target 'ACCEPT'

config rule
option name 'PF3'
option src 'wan'
option src_ip '192.168.10.10/32'
option family 'ipv4'
option proto 'udp'
option dest_port '3799'
option target 'ACCEPT'

config rule
option name 'PF4'
option src 'wan'
option src_ip '192.168.10.0/24'
option family 'ipv4'
option proto 'icmp'
option target 'ACCEPT'

config rule
option name 'PF5'
option src 'wan'
option src_ip '192.168.10.0/24'
option family 'ipv4'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'

config rule
option name 'PF6'
option src 'wan'
option src_ip '192.168.10.0/24'
option family 'ipv4'
option proto 'tcp'
option dest_port '80'
option target 'ACCEPT'

4.5: Hostapd has a 30s timer between Access-Requests, independent of CoAs,
so we need to make sure PacketFence waits long enough after clients have
joined the Registration VLAN before sending the CoA to bump them over to
the Normal VLAN after activation in the portal.  So we add this to
pf.conf:

[fencing]
#
# fencing.wait_for_redirect
#
# How many seconds should the WebAPI sleep before actually triggering the VLAN change.
# This is meant to give the device enough time to fetch the redirection page before
# switching VLAN.
wait_for_redirect = 20

4.6:  "logread" and "logread -f" are very useful to see what is going on.
Issuing 'wifi' on the command line reloads all the wireless related
configuration; no need to restart the device when changing wireless
settings.

Use "swconfig dev switch0 help" to determine the highest VLAN supported by
the switch chip.  Note that here the AR8337 chip in the C2600 only lets us
use VLANs 1-128.  So a registration VLAN129 is not going to work and will
probably drive you crazy.  Don't be confused by the fact that it says
(0-4094) next to the vid; that is generic text.  vlans:128 is the
important device specific limitation.  Many devices only support 16.  It
is not the number of VLANs, but the highest index.

# swconfig dev switch0 help
switch0: gpio-0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 128
     --switch
Attribute 1 (int): enable_vlan (Enable VLAN mode)
Attribute 2 (none): reset_mibs (Reset all MIB counters)
Attribute 3 (int): enable_mirror_rx (Enable mirroring of RX packets)
Attribute 4 (int): enable_mirror_tx (Enable mirroring of TX packets)
Attribute 5 (int): mirror_monitor_port (Mirror monitor port)
Attribute 6 (int): mirror_source_port (Mirror source port)
Attribute 7 (int): arl_age_time (ARL age time (secs))
Attribute 8 (string): arl_table (Get ARL table)
Attribute 9 (none): flush_arl_table (Flush ARL table)
Attribute 10 (int): igmp_snooping (Enable IGMP Snooping)
Attribute 11 (int): igmp_v3 (Enable IGMPv3 support)
Attribute 12 (none): apply (Activate changes in the hardware)
Attribute 13 (none): reset (Reset the switch)
     --vlan
Attribute 1 (int): vid (VLAN ID (0-4094))
Attribute 2 (ports): ports (VLAN port mapping)
     --port
Attribute 1 (none): reset_mib (Reset single port MIB counters)
Attribute 2 (string): mib (Get port's MIB counters)
Attribute 3 (int): enable_eee (Enable EEE PHY sleep mode)
Attribute 4 (none): flush_arl_table (Flush port's ARL table entries)
Attribute 5 (int): igmp_snooping (Enable port's IGMP Snooping)
Attribute 6 (int): pvid (Primary VLAN ID)
Attribute 7 (unknown): link (Get port link information)
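
Because a VLAN ID above the chip's "vlans:" limit fails silently, and because
the dynamic VLAN setup in 4.4b depends on every vlanXX interface having a
matching switch_vlan entry, here is an added check script that tests both
before you commit a config. It is my own example, not from the guide or the
OpenWRT/PacketFence projects; the function names check_vlan_config and
write_samples are mine, and the sample files it writes are constructed from
the swconfig output and network config shown above (network.bad deliberately
uses VLAN 129 and a vlan73 interface with no switch_vlan). On a real AP you
would feed it "swconfig dev switch0 help" output and /etc/config/network.

```shell
#!/bin/sh
# check_vlan_config SWCONFIG_HELP NETWORK_CONFIG
# Compares the VLAN IDs in an OpenWRT /etc/config/network file against the
# "vlans: N" limit reported by "swconfig dev switch0 help", and checks that
# every "config interface 'vlanNN'" has a switch_vlan entry carrying that tag.
# Returns 0 when consistent, 1 on a problem, 2 if the limit could not be read.
check_vlan_config() {
    sw_help="$1"; net_cfg="$2"; rc=0
    limit=$(sed -n 's/.*vlans: *\([0-9][0-9]*\).*/\1/p' "$sw_help" | head -n 1)
    if [ -z "$limit" ]; then
        echo "could not read the vlans limit from $sw_help"
        return 2
    fi
    # Every switch_vlan vid must be within the chip's supported range.
    for vid in $(awk -F"'" '
        /^config switch_vlan/ { sv = 1; next }
        /^config /            { sv = 0; next }
        sv && /option vlan /  { print $2 }' "$net_cfg"); do
        if [ "$vid" -gt "$limit" ]; then
            echo "switch_vlan $vid exceeds the chip limit of $limit"
            rc=1
        fi
    done
    # Every vlanNN interface (the naming hostapd's dynamic VLANs rely on)
    # needs a switch_vlan that carries the same tag to the trunk port.
    for id in $(sed -n "s/^config interface 'vlan\([0-9][0-9]*\)'.*/\1/p" "$net_cfg"); do
        if ! grep -q "option vlan '$id'" "$net_cfg"; then
            echo "interface vlan$id has no switch_vlan entry"
            rc=1
        fi
    done
    return $rc
}

# write_samples DIR: constructed sample files (not captured from a device),
# modelled on the C2600 swconfig output and network config shown above.
write_samples() {
    d="$1"
    cat > "$d/swconfig.txt" <<'EOF'
switch0: gpio-0(Atheros AR8337), ports: 7 (cpu @ 0), vlans: 128
     --vlan
Attribute 1 (int): vid (VLAN ID (0-4094))
EOF
    cat > "$d/network.good" <<'EOF'
config interface 'wan'
option ifname 'eth0.70'

config interface 'vlan71'
option type 'bridge'
option ifname 'eth0.71'

config switch_vlan 'pf_mgmt'
option device 'switch0'
option vlan '70'
option ports '0t 5t'

config switch_vlan 'pf_reg'
option device 'switch0'
option vlan '71'
option ports '0t 5t'
EOF
    # Broken variant: 129 is above the AR8337 limit, and vlan73 has an
    # interface but no switch_vlan entry.
    cat > "$d/network.bad" <<'EOF'
config interface 'vlan129'
option type 'bridge'
option ifname 'eth0.129'

config interface 'vlan73'
option type 'bridge'
option ifname 'eth0.73'

config switch_vlan 'pf_reg'
option device 'switch0'
option vlan '129'
option ports '0t 5t'
EOF
}

# Demo on the constructed samples; on the AP you would run instead:
#   swconfig dev switch0 help > /tmp/sw.txt
#   check_vlan_config /tmp/sw.txt /etc/config/network
tmp=$(mktemp -d)
write_samples "$tmp"
check_vlan_config "$tmp/swconfig.txt" "$tmp/network.good" && echo "network.good: OK"
check_vlan_config "$tmp/swconfig.txt" "$tmp/network.bad" || echo "network.bad: problems found"
rm -rf "$tmp"
```

The script only uses sed, awk and grep as found in busybox, so it can run on
the AP itself. Note that it does not know about VLANs that exist only on the
PacketFence side; matching those against the AP's config is the manual step
described at the end of this message.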


Also some devices (like Archer C7 v4) only have one ethernet port, so VLANs
are used for lan and wan interface internally on the device. (i.e. WAN
eth0.1 and LAN eth0.2).  These work great too, but will have a very
different default network configuration.

Make sure your VLANs in the switch configuration Roles match your network
configuration as seen by the AP.

Attachment: 17-01-4_hostapd.sh
Description: application/shellscript

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users