Guest WiFi VLAN using RADIUS
Background
It is possible to have ClearOS use Hostapd to automatically assign unknown WiFi devices to a separate VLAN which can be configured as a HotLAN to isolate the devices from the LAN and ClearOS.
The objective is for trusted clients (e.g. laptops) with a recognised MAC address to join the trusted LAN, whereas anything else (mobile phones, Amazon Echo etc.) goes into an untrusted “Hot LAN” where they can access the Internet, and each other, but not much else. This avoids having to have multiple SSIDs on the wireless AP, and minimises the impact if the passphrase does get compromised. This does not cover setting up RADIUS for WPA-EAP or LDAP user authentication - though that could no doubt be done as well.
Details
Packages required
hostapd and Radius are required. you can install these with:
yum install app-wireless app-radius
Pre-configuration check
In this guide a bridged interface, br0, was already configured containing all the physical Ethernet NICs on the firewall/router + the wireless AP running on hostapd. br0 is the single internal LAN, using DHCP for IP address assignment (with permanent leases for known MAC addresses).
First of all check your gateway wireless NIC supports VLANs - run “iw list” and look for “AP/VLAN” under “Supported interface modes:”:
iw list : Supported interface modes: * IBSS * managed * AP * AP/VLAN * monitor * P2P-client
Hostapd
In /etc/hostapd/hostapd.conf leave the “bridge=” and “interface=” settings unaltered:
# Customize these for your local configuration... bridge=br0 interface=wlp6s0 hw_mode=g channel=9 ssid=MySSID
br0 will still be used for the trusted wireless clients.
Enter the general configuration details for the RADIUS server. As this is located on the ClearOS gateway it uses the loopback IP address:
# RADIUS authentication server own_ip_addr=127.0.0.1 auth_server_addr=127.0.0.1 auth_server_port=1812 auth_server_shared_secret=ItsASecret
Now enter the VLAN configuration:
# VLAN Configuration # # # Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN # is used for the stations. This information is parsed from following RADIUS # attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN), # Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value # VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can # be used to set static client MAC address to VLAN ID mapping. # 0 = disabled (default) # 1 = option; use default interface if RADIUS server does not include VLAN ID # 2 = required; reject authentication if RADIUS server does not include VLAN ID dynamic_vlan=1 # Station MAC address -based authentication # 0 = accept unless in deny list # 1 = deny unless in accept list # 2 = use external RADIUS server (accept/deny lists are searched first) macaddr_acl=2 # Bridge (prefix) to add the wifi and the tagged interface to. This gets the # VLAN ID appended. It defaults to brvlan%d if no tagged interface is given # and br%s.%d if a tagged interface is given, provided %s = tagged interface # and %d = VLAN ID. vlan_bridge=br # VLAN interface list for dynamic VLAN mode is read from a separate text file. # This list is used to map VLAN ID from the RADIUS server to a network # interface. Each station is bound to one interface in the same way as with # multiple BSSIDs or SSIDs. Each line in this text file is defining a new # interface and the line must include VLAN ID and interface name separated by # white space (space or tab). # If no entries are provided by this file, the station is statically mapped # to. interfaces. # Each line can optionally also contain the name of a bridge to add the VLAN to vlan_file=/etc/hostapd/hostapd.vlan
“macaddr_acl=2” tells hostapd to use RADIUS for MAC authentication, rather than an accept/deny file, and “dynamic_vlan=1” tells it to leave recognised MACs (which don't get a VLAN tag) on the default wireless LAN. hostapd automatically creates a bridge for each wireless VLAN and “vlan_bridge=br” overrides the default prefix used together with the VLAN ID from RADIUS to form the name. “vlan_file=/etc/hostapd/hostapd.vlan” tells hostapd where the VLAN definition file is located.
The hostapd.vlan contains a single line
* wlan0.#
This creates a separate dynamic VLAN for each VLAN ID it gets from RADIUS. This will only create the VLAN(s) if there is anything to go into them; a line like “1 wlan0.1” would create wlan0.1 unconditionally.
RADIUS
In the /etc/raddb/users file (actually a symlink to /etc/raddb/mods-config/files/authorize) comment out the line “$INCLUDE /etc/raddb/clearos-users”. This is the only line in the ClearOS factory implementation, which is oriented for LDAP user authentication. Then add a line for each trusted wireless client MAC address, followed by a default section to assign a VLAN tag to unrecognised/untrusted MACs.
# $INCLUDE /etc/raddb/clearos-users # List trusted MAC addresses here 801f02611e88 Auth-Type := Accept # Edimax Nano USB 002314c4cc90 Auth-Type := Accept # My Dell laptop MAC-address3 Auth-Type := Accept # Your next device MAC-address4 Auth-Type := Accept # Your next device etc..... DEFAULT Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 1
RADIUS is very sensitive to correct syntax (including indentation) and the trusted MAC addresses must come before the “DEFAULT” section. Any trusted MAC address is accepted and joins the default wireless LAN. Anything else is accepted and tagged with VLAN ID1, and added by hostapd to VLAN wlan0.1 and bridge br1. NB: “Default” in hostapd refers to recognised MAC addresses, whereas in RADIUS “DEFAULT” refers to the unrecognised ones. Also, in this setup RADIUS doesn't do any further authentication of supplicants who know the PSK, but just determines which interface they connect to.
Networking
Since in this configuration RADIUS will only ever assign devices to a single VLAN, with VLAN ID “1”, we can configure that as the “guest” LAN as normal in /etc/sysconfig/network-scripts/ifcfg-br1. Create the file /etc/sysconfig/network-scripts/ifcfg-br1 and in it put:
DEVICE=br1 TYPE="Bridge" ONBOOT="yes" USERCTL="no" BOOTPROTO="static" IPADDR="192.168.a.b" NETMASK="255.255.p.q"
Choose a suitable IPADDR and NETMASK so the br1 interface does not overlap with any other interface.
Add br1 to /etc/clearos/network.conf e.g:
# Network interface roles EXTIF="ppp0" LANIF="br0" DMZIF="" HOTIF="br1"
You should now see the correct interfaces in each bridge:
[root@gateway ~]# brctl show bridge name bridge id STP enabled interfaces br0 8000.00301806f618 no eno1 enp2s0 enp3s0 enp4s0 enp5s0 enp7s0 wlp6s0 br1 8000.6c3b6be6cccc no wlan0.1