I'm trying to set up dynamic wireless VLANs using MAC address RADIUS authentication. This must be a fairly common scenario - trusted clients (e.g. laptops) with a recognised MAC address join the trusted LAN, whereas anything else (mobile phones, Amazon Echo etc.) go into an untrusted "Hot LAN" with Internet access but not much else. This avoids having to have multiple SSIDs on the wireless AP. I'm following guidance here Wi-Fi: Hostapd VLAN for guest network and here Dynamic VLAN Tagging but can't find a clear step-by-step guide, certainly not in the context of ClearOS 7.

I already have a bridge (br0) containing all the physical Ethernet NICs on the firewall/router + the wireless AP running on hostapd. I've installed FreeRADIUS and my users file looks like this:
$INCLUDE /etc/raddb/clearos-users

002314c4cc90 Auth-Type := Accept

DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 1000

RADIUS is obviously very sensitive to correct syntax and it took a lot of trial and error (including getting indentation right) before radiusd would even start. It does, so I am reasonably sure the syntax is correct, but not as to whether it actually does the right thing as I haven't used RADIUS before.

I created a hostapd.vlan file referenced from hostapd.conf containing the following:
1       wlan0.1 br0
* wlan0.#

wlan0.1 gets created, but doesn't get added to br0. I'm not sure if the syntax is correct as I couldn't find a working example anywhere, nor what the precedence is between the .vlan file and other VLAN bridge settings in hostapd.conf. The "untrusted" VLAN (which should be wlan0.1000 I think) never gets created, even if I try to connect from a device not specified in RADIUS.

I can't see any wireless in the IP Settings screen - at first I thought the fix to Iface.php mentioned here running 7.3 home, wifi interface is not showing up under ip setting or dhcp hadn't been applied, but on looking at the documentation it seems wireless is intentionally removed from IP Settings in the current release. That isn't a problem (most of the settings would have to be done in config files anyway) but as the VLANs are dynamic they never leave any config files in /etc/sysconfig/network-scripts and it's not possible to see or change the bridge setup.

I suspect I'm getting fairly close but may be getting syntax wrong somewhere. Grateful for any suggestions. If I can get this working I'm happy to write it up as a "How to" guide as it does seem like it could be a common requirement.

Thanks,
Andrew
Thursday, February 21 2019, 08:59 AM
Responses (11)

    Thursday, February 21 2019, 09:56 AM
    As you have found, the IP Settings WiFi interface has unfortunately gone. I hope it will reappear sometime in the future, but it is not going to happen for the moment.

    I don't really know either Radius or hostapd. I have managed to get hostapd working in the past, and I have had the app-radius working as well, with independent access points and a domain, but please see bug 19821. It is so broken from what was intended that it just about works!

    If hostapd is creating the vlans, and you are only going to have a couple, can you manually add them to the bridge using brctl? Or check if hostapd is adding them with a "brctl show".

    Friday, February 22 2019, 07:22 AM
    If I comment out the line
    $INCLUDE /etc/raddb/clearos-users
    at the top of the RADIUS users file the MAC addresses get checked properly and both VLANs are created. That clearos-users file contains just
    DEFAULT LDAP-Group != "allusers", Auth-Type := Reject
    As I'm not currently using LDAP for individual user authentication I guess I don't need to worry for now about what it is supposed to do.

    I'm still not entirely clear about how stations are assigned to VLANs, and still need to sort out the bridge interfaces so I can use DHCP and firewall rules with them, but definitely progress.

    Friday, February 22 2019, 08:55 AM
    The ClearOS implementation has been designed for user authentication, so connects to LDAP. I think there are a few places where it refers to LDAP ("grep -i ldap /etc/raddb/* -r"), but many of the references are only used if the sites or modules are enabled by symlinking to the ???-enabled folders.

    To be honest, your best source of information is probably going to be the freeradius mailing list. Did you also know that you can run Radius in debug mode? I found this essential when troubleshooting the domain implementation, and you will be required to do this if you use the mailing list. There is an even more verbose debug mode but you should not need it unless asked (and they can get upset if you give it initially).

    If you do get to the end of your set up, it would be great if you could post back with a howto.

    Sunday, February 24 2019, 02:09 PM
    Turns out (as usual) to be less complicated than I had expected.

    Leave the normal bridge settings in hostapd - while it's possible to put the trusted MAC addresses into a VLAN you don't have to, and leaving this means that they go into the trusted LAN bridge where they can communicate with wired NICs.

    The hostapd.vlan file only needs one line, to define a single dynamic VLAN for any unrecognised MACs:
    *       wlan0.#
    If I make the dynamic VLAN tag in the RADIUS users file to be "1"...
    DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1
    ...and set the bridge prefix for VLANs in hostapd.conf to be "br"...
    # Bridge (prefix) to add the wifi and the tagged interface to. This gets the
    # VLAN ID appended. It defaults to brvlan%d if no tagged interface is given
    # and br%s.%d if a tagged interface is given, provided %s = tagged interface
    # and %d = VLAN ID.
    vlan_bridge=br
    ...then the dynamic VLAN automatically gets added to br1, which I can configure as normal in /etc/sysconfig/network-scripts/ifcfg-br1
    DEVICE=br1
    TYPE="Bridge"
    ONBOOT="yes"
    USERCTL="no"
    BOOTPROTO="static"
    IPADDR="192.168.a.b"
    NETMASK="255.255.p.q"
    In my case the "Hot LAN" role is exactly what I want (untrusted devices can access the Internet, and each other at TCP/IP level and above, but nothing else) so I set that in /etc/clearos/network.conf:
    # Network interface roles
    EXTIF="ppp0"
    LANIF="br0"
    DMZIF=""
    HOTIF="br1"
    I can now see the correct interfaces in each bridge:
    [root@gateway ~]# brctl show
    bridge name bridge id STP enabled interfaces
    br0 8000.00301806f618 no eno1
    enp2s0
    enp3s0
    enp4s0
    enp5s0
    enp7s0
    wlp6s0
    br1 8000.6c3b6be6cccc no wlan0.1
    You can't see the wireless interfaces in ClearOS IP Settings as that currently doesn't display wireless NICs.

    I'll do a cleaned up version of the saga as a how-to guide in case it is useful for anyone else.

    Sunday, February 24 2019, 03:57 PM
    Thanks for this. I have a couple of questions:
    1 - Do you need to create br1 or does hostapd do it for you
    2 - How do you identify your known devices to br0?

    Sunday, February 24 2019, 07:28 PM
    1) With this config hostapd would create br1 automatically, but it wouldn't be much use. I define it in /etc/sysconfig/network-scripts so I can assign IP address, set up DHCP etc.
    2) All the individual NIC config files (/etc/sysconfig/network-scripts/ifcfg-eno1 etc.) contain a line "BRIDGE=br0". The setup in 1) above also means that I could have a wired port(s) in the untrusted "Hot" LAN this way if necessary.

    UPDATE: If 2) means "how do I identify known wireless MACs" these are listed in the RADIUS users file before the "DEFAULT" section that assigns the VLAN ID e.g.
    # $INCLUDE /etc/raddb/clearos-users

    # List trusted MAC addresses here
    002314c4cc90 Auth-Type := Accept # Andrew Dell laptop

    DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1
    I guess it would be possible to put the known stations into a VLAN as well but no need if you just want a binary separation.

    Monday, February 25 2019, 08:24 AM
    HOWTO - Guest WiFi VLAN using RADIUS

    This is how I set up a dynamic wireless VLAN using MAC address RADIUS authentication for "guest" access. The objective is for trusted clients (e.g. laptops) with a recognised MAC address to join the trusted LAN, whereas anything else (mobile phones, Amazon Echo etc.) goes into an untrusted "Hot LAN" where they can access the Internet, and each other, but not much else. This avoids having to have multiple SSIDs on the wireless AP, and minimises the impact if the passphrase does get compromised. This does not cover setting up RADIUS for WPA-EAP or LDAP user authentication - though that could no doubt be done as well. I followed guidance here Wi-Fi: Hostapd VLAN for guest network and here Dynamic VLAN Tagging but this is what worked for me in the context of ClearOS 7.

    hostapd and RADIUS both need to be installed, as well as utilities such as iw and brctl if not already present. I already have a bridge (br0) containing all the physical Ethernet NICs on the firewall/router + the wireless AP running on hostapd. br0 is the single internal LAN, using DHCP for IP address assignment (with permanent leases for known MAC addresses).

    First of all check your gateway wireless NIC supports VLANs - run "iw list" and look for "AP/VLAN" under "Supported interface modes:":
    iw list
    :
    Supported interface modes:
    * IBSS
    * managed
    * AP
    * AP/VLAN
    * monitor
    * P2P-client

    In hostapd.conf leave the "bridge=" and "interface=" settings unaltered:
    # Customize these for your local configuration...
    bridge=br0
    interface=wlp6s0
    hw_mode=g
    channel=9
    ssid=MySSID
    br0 will still be used for the trusted wireless clients.

    Enter the general configuration details for the RADIUS server. As this is located on the ClearOS gateway it uses the loopback IP address:
    # RADIUS authentication server
    own_ip_addr=127.0.0.1
    auth_server_addr=127.0.0.1
    auth_server_port=1812
    auth_server_shared_secret=ItsASecret

    Now enter the VLAN configuration:
    # VLAN Configuration #
    #
    # Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
    # is used for the stations. This information is parsed from following RADIUS
    # attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
    # Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
    # VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can
    # be used to set static client MAC address to VLAN ID mapping.
    # 0 = disabled (default)
    # 1 = option; use default interface if RADIUS server does not include VLAN ID
    # 2 = required; reject authentication if RADIUS server does not include VLAN ID
    dynamic_vlan=1

    # Station MAC address -based authentication
    # 0 = accept unless in deny list
    # 1 = deny unless in accept list
    # 2 = use external RADIUS server (accept/deny lists are searched first)
    macaddr_acl=2

    # Bridge (prefix) to add the wifi and the tagged interface to. This gets the
    # VLAN ID appended. It defaults to brvlan%d if no tagged interface is given
    # and br%s.%d if a tagged interface is given, provided %s = tagged interface
    # and %d = VLAN ID.
    vlan_bridge=br

    # VLAN interface list for dynamic VLAN mode is read from a separate text file.
    # This list is used to map VLAN ID from the RADIUS server to a network
    # interface. Each station is bound to one interface in the same way as with
    # multiple BSSIDs or SSIDs. Each line in this text file is defining a new
    # interface and the line must include VLAN ID and interface name separated by
    # white space (space or tab).
    # If no entries are provided by this file, the station is statically mapped
    # to <bss-iface>.<vlan-id> interfaces.
    # Each line can optionally also contain the name of a bridge to add the VLAN to
    vlan_file=/etc/hostapd/hostapd.vlan
    "macaddr_acl=2" tells hostapd to use RADIUS for MAC authentication, rather than an accept/deny file, and "dynamic_vlan=1" tells it to leave recognised MACs (which don't get a VLAN tag) on the default wireless LAN. hostapd automatically creates a bridge for each wireless VLAN and "vlan_bridge=br" overrides the default prefix used together with the VLAN ID from RADIUS to form the name. "vlan_file=/etc/hostapd/hostapd.vlan" tells hostapd where the VLAN definition file is located. My hostapd.vlan contains a single line
    *       wlan0.#
    which creates a separate dynamic VLAN for each VLAN ID it gets from RADIUS. This will only create the VLAN(s) if there is anything to go into them; a line like "1 wlan0.1" would create wlan0.1 unconditionally.

    In the /etc/raddb/users file (actually a symlink to /etc/raddb/mods-config/files/authorize) comment out the line "$INCLUDE /etc/raddb/clearos-users". This is the only line in the ClearOS factory implementation, which is oriented for LDAP user authentication. Then add a line for each trusted wireless client MAC address, followed by a default section to assign a VLAN tag to unrecognised/untrusted MACs.
    # $INCLUDE /etc/raddb/clearos-users

    # List trusted MAC addresses here
    :
    801f02611e88 Auth-Type := Accept # Edimax Nano USB
    002314c4cc90 Auth-Type := Accept # Andrew Dell laptop
    :

    DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 1
    RADIUS is very sensitive to correct syntax (including indentation) and the trusted MAC addresses must come before the "DEFAULT" section. Any trusted MAC address is accepted and joins the default wireless LAN. Anything else is accepted and tagged with VLAN ID 1, and added by hostapd to VLAN wlan0.1 and bridge br1. NB: "Default" in hostapd refers to recognised MAC addresses, whereas in RADIUS "DEFAULT" refers to the unrecognised ones. Also, in this setup RADIUS doesn't do any further authentication of supplicants who know the PSK, but just determines which interface they connect to.

    As I know which bridge any unrecognised/untrusted MACs will go into (br1) I can configure that as my "guest" LAN as normal in /etc/sysconfig/network-scripts/ifcfg-br1
    DEVICE=br1
    TYPE="Bridge"
    ONBOOT="yes"
    USERCTL="no"
    BOOTPROTO="static"
    IPADDR="192.168.a.b"
    NETMASK="255.255.p.q"
    This setup means that I could also have a wired port(s) in the "guest" LAN this way if necessary, by having a line "BRIDGE=br1" in their ifcfg file. In my case the "Hot LAN" role is exactly what I want (untrusted devices can access the Internet, and each other at TCP/IP level and above, but nothing else) so I set that in /etc/clearos/network.conf:
    # Network interface roles
    EXTIF="ppp0"
    LANIF="br0"
    DMZIF=""
    HOTIF="br1"
    I can now see the correct interfaces in each bridge:
    [root@gateway ~]# brctl show
    bridge name bridge id STP enabled interfaces
    br0 8000.00301806f618 no eno1
    enp2s0
    enp3s0
    enp4s0
    enp5s0
    enp7s0
    wlp6s0
    br1 8000.6c3b6be6cccc no wlan0.1
    You can't see the wireless interfaces in ClearOS IP Settings as that currently doesn't display wireless NICs.

    Obviously this will only work if the trusted clients have static MAC addresses, so MAC address randomisation needs to be disabled on these. If using Network Manager in Fedora add
    [connection]
    wifi.cloned-mac-address=permanent
    to /etc/NetworkManager/NetworkManager.conf to force use of the physical MAC address. It would be nice to use physical MAC with the "home" SSID and randomise otherwise, but I don't think that is possible.

    Tuesday, February 26 2019, 11:45 AM
    Can you look at the draft howto here and give feedback. I have copied and pasted where possible.

    Unless it is automatic, how does wlan0.1 know it has to attach itself to br1?

    Wednesday, March 06 2019, 08:11 AM
    I replied directly to Nick with comments on the draft "howto".

    In this configuration RADIUS will only ever assign devices to a single VLAN, with VLAN ID "1", and as the default name prefix for bridged VLAN interfaces in Hostapd is "br", we know that any unrecognised/untrusted MACs will go into VLAN wlan0.1 and that that will be added to bridge br1. Apparently it should be possible to assign VLANs to bridge interfaces directly in hostapd.vlan but I can't get that to work or find any documentation. But in any case this method is probably better as it is automatic and ensures systematic naming.

    Wednesday, March 06 2019, 09:13 AM
    Doesn't the VLAN ID "1" just indicate the .1 after wlan0, so wlan0.1? I don't think it indicates the 1 in br1. If for example you already have br0, br1, and br2 defined and the base WiFi is allocated to br1, what tells this set up to use br3? Or will it still use (incorrectly) br1 or even br2. I am not following the logic of how the bridged interface is chosen.

    Not having tried it as I don't have the set up, but shouldn't either vlan_tagged_interface be set to br1, or the * should be something to indicate br1 in /etc/hostapd.vlan? ..... or is that the function of "Tunnel-Private-Group-ID = 1"?

    Thursday, March 07 2019, 07:52 AM
    Everything to do with the naming of the guest VLAN/bridge is governed by the Tunnel-Private-Group-ID setting in RADIUS. wlan0.1 is named so because "1" is what comes from RADIUS, and the
    * wlan0.#
    in hostapd.vlan dynamically creates the VLAN using that ID. The "1" is also appended to "br" to get the bridge interface name.

    If I change the ID to "99" in RADIUS
    DEFAULT Auth-Type := Accept
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 99
    everything is created using "99" in the name.
    [root@gateway hostapd]# brctl show
    bridge name bridge id STP enabled interfaces
    br0 8000.00301806f618 no eno1
    enp2s0
    enp3s0
    enp4s0
    enp5s0
    enp7s0
    wlp6s0
    br1 8000.000000000000 no
    br99 8000.6c3b6be6cccc no wlan0.99
    The bridge interface is normally statically defined as well in order to set IP address, DHCP etc. Hostapd doesn't seem to mind - if the bridge is already defined it brings it up and joins it, if not it creates it automatically (although without IP settings it can't do much). This is pretty much what happens anyway in default Hostapd without any VLANs - there isn't an "ifcfg-wlp6s0" file as the bridge used by the wireless LAN is set in hostapd.conf, and any wired NICs that belong have a "BRIDGE=" line in their ifcfg file.

    As mentioned previously it should be possible to assign the bridge directly in hostapd.vlan (though I can't get that to work) and also to define VLAN names statically. However if only simple setup is needed this is much simpler and more reliable - if I need to "move" the guest LAN to a different name there are only a couple of places I need to make a simple change ("Tunnel-Private-Group-ID" value in RADIUS, and the name of the "ifcfg-br" file).
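As an added example (not code from this thread, ClearOS, hostapd or FreeRADIUS), the Python below applies the naming rule explained in the HOWTO and in the last reply: it takes Tunnel-Private-Group-ID from the RADIUS DEFAULT entry, substitutes it for "#" in the "*" line of hostapd.vlan, appends it to the vlan_bridge prefix, and then checks "brctl show" output to confirm the dynamic VLAN interface really landed in that bridge. It also flags the two users-file layout mistakes discussed above (an active $INCLUDE of clearos-users, and a trusted MAC placed after DEFAULT). The sample users file, bridge IDs, MAC and brctl output are constructed; the "brvlan" fallback prefix is hostapd's documented default quoted in the HOWTO's hostapd.conf comment.

```python
import re
# Constructed sample inputs (not from a live system): users file, hostapd.vlan, brctl.
RADIUS_USERS = """\
# $INCLUDE /etc/raddb/clearos-users
002314c4cc90 Auth-Type := Accept # trusted laptop
DEFAULT Auth-Type := Accept
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-ID = 99
"""
HOSTAPD_VLAN = "*\twlan0.#\n"
BRCTL_SHOW = """\
bridge name\tbridge id\t\tSTP enabled\tinterfaces
br0\t\t8000.00301806f618\tno\t\teno1
\t\t\t\t\t\t\twlp6s0
br1\t\t8000.000000000000\tno
br99\t\t8000.6c3b6be6cccc\tno\t\twlan0.99
"""

def guest_vlan_id(text):
    """VLAN ID from the DEFAULT entry; raise on the layout mistakes the thread hit."""
    vlan_id, in_default = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if line.startswith("$INCLUDE"):
            raise ValueError("clearos-users still included: its LDAP rule rejects MACs")
        if line.startswith("DEFAULT"):
            in_default = True
        elif in_default and re.match(r"[0-9a-f]{12}\s+Auth-Type", line):
            raise ValueError("trusted MAC listed after DEFAULT is never reached")
        if in_default and (m := re.match(r"Tunnel-Private-Group-ID\s*=\s*(\d+)", line)):
            vlan_id = int(m.group(1))
    if vlan_id is None:
        raise ValueError("DEFAULT entry sets no Tunnel-Private-Group-ID")
    return vlan_id

def expected_names(vlan_file, vlan_id, vlan_bridge="brvlan"):
    """Interface from the '*' line ('#' -> ID); bridge = vlan_bridge prefix + ID."""
    iface = None
    for parts in (l.split() for l in vlan_file.splitlines()):
        if len(parts) >= 2 and parts[0] == "*":
            iface = parts[1].replace("#", str(vlan_id))
    return iface, f"{vlan_bridge}{vlan_id}"

def parse_brctl(text):
    """Map bridge -> member interfaces; indented lines carry extra members."""
    bridges, current = {}, None
    for line in text.splitlines()[1:]:           # skip the header line
        parts = line.split()
        if parts and not line[0].isspace():      # name, id, stp, [first iface]
            current = parts[0]
            bridges[current] = set(parts[3:4])
        elif parts and current:
            bridges[current].add(parts[0])
    return bridges

def verify(users, vlan_file, brctl, vlan_bridge="br"):
    """True when the guest VLAN interface sits in the bridge the names predict."""
    iface, bridge = expected_names(vlan_file, guest_vlan_id(users), vlan_bridge)
    return iface in parse_brctl(brctl).get(bridge, set())
```

On a real gateway, feed it the contents of /etc/raddb/users, /etc/hostapd/hostapd.vlan and the output of "brctl show" while a guest device is associated; a False result means the bridge prefix or VLAN ID in one of the files does not match the other.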