Dynamic VLAN on 5 GHz wifi broken with ath10k driver on LEDE

by cmur2 on 2017-02-23 in Linux

I recently set up my Ubiquiti UniFi AP AC Lite with a snapshot release of the OpenWrt successor LEDE (“Linux Embedded Development Environment”) since I want to avoid Ubiquiti’s proprietary controller software. After reading the wiki and other blogs I was confident I would get a nice and fast wifi AP with all major features (PoE, 2.4 and 5 GHz wifi, 802.11ac compatibility) mainly using open-source software. I used a good part of the installation instructions from this gist and added my own bits like SNMP support, a valid SSL certificate for luci-ssl, admin access only via the management VLAN, NTP and syslog servers, nicer LED color, etc.

My last step was the wifi configuration, and with this AP I finally wanted to try 802.1x authentication (WPA2 Enterprise) against a central FreeRADIUS server that provides dynamic VLAN assignment, e.g. for transparently handling guest users without the need for separate SSIDs (scales better, conserves air time). By using distinct credentials per device it’s easier to change password(s) when a device or user gets compromised. Additionally, the devices are now able to cryptographically verify the identity of the wifi network they are connecting to (strictly speaking, the certificate the RADIUS server presents during the EAP exchange, and only if the client is configured to validate that certificate and the server name).

On LEDE one needs to remove the wpad-mini package and install the full hostapd package to get wireless 802.1x support. My /etc/config/wireless file looks like this:

# 2.4 GHz radio: hwmode '11g', channel 1, 20 MHz wide (HT20).
# country 'DE' sets the regulatory domain; txpower is given in dBm.
config wifi-device 'radio0'
option type 'mac80211'
option hwmode '11g'
option path 'platform/qca956x_wmac'
option htmode 'HT20'
option country 'DE'
option channel '1'
option txpower '20'
# Disabled by default; presumably enabled to get the detailed hostapd logs
# the post refers to when debugging association failures (confirm the level).
#option log_level '1'
# 2.4 GHz access point with 802.1X (WPA2 Enterprise) and RADIUS-assigned VLANs.
config wifi-iface 'radio0_x24'
option device 'radio0'
# Default network for this SSID. In the post's network config 'lan' is the
# bridge that also carries the AP's own address (10.0.0.2), so any client that
# ends up here shares a segment with the AP itself.
option network 'lan'
option mode 'ap'
option ssid 'x'
# On OpenWrt/LEDE 'wpa2' selects WPA2 Enterprise (802.1X); a pre-shared-key
# network would use 'psk2' instead.
option encryption 'wpa2'
# RADIUS authentication and accounting server (same host for both).
option auth_server '10.0.0.1'
option auth_port '1812'
option acct_server '10.0.0.1'
option acct_port '1813'
# 'password' is a placeholder. The RADIUS shared secret authenticates the
# AP <-> server exchange, so use a long random value, ideally unique per AP,
# and keep this file readable by root only.
option auth_secret 'password'
option acct_secret 'password'
# NAS-Identifier sent to the RADIUS server; both SSID sections in this file
# use the same value, so the server cannot tell the two radios apart by it.
option nasid 'my_unique_ap_id_1'
# hostapd semantics: 0 = off, 1 = optional, 2 = required. With '1' a client
# whose Access-Accept carries no VLAN attributes stays on the default network
# above; use '2' if every client must be given a VLAN by RADIUS.
option dynamic_vlan '1'
# Prefix of the per-VLAN bridge: hostapd appends the VLAN ID, so clients put
# in VLAN 10 are attached to 'br-vlan10' (the bridge of interface 'vlan10').
option vlan_bridge 'br-vlan'
# 5 GHz radio: hwmode '11a', channel 36, 80 MHz wide 802.11ac (VHT80).
# This is the radio the post reports as being driven by ath10k.
config wifi-device 'radio1'
option type 'mac80211'
option hwmode '11a'
option path 'pci0000:00/0000:00:00.0'
option country 'DE'
option txpower '20'
option htmode 'VHT80'
option channel '36'
# Disabled by default; presumably enabled to get the detailed hostapd logs
# the post refers to when debugging association failures (confirm the level).
#option log_level '1'
# 5 GHz access point, same SSID and 802.1X/RADIUS settings as the 2.4 GHz one.
# According to the post, association fails on this interface whenever RADIUS
# assigns a VLAN, because the VLAN cannot be created in the ath10k driver.
config wifi-iface 'radio1_x5'
option device 'radio1'
# Default network for this SSID. In the post's network config 'lan' is the
# bridge that also carries the AP's own address (10.0.0.2).
option network 'lan'
option mode 'ap'
option ssid 'x'
# On OpenWrt/LEDE 'wpa2' selects WPA2 Enterprise (802.1X), not a pre-shared key.
option encryption 'wpa2'
# RADIUS authentication and accounting server (same host for both).
option auth_server '10.0.0.1'
option auth_port '1812'
option acct_server '10.0.0.1'
option acct_port '1813'
# 'password' is a placeholder; use a long random RADIUS shared secret and keep
# this file readable by root only.
option auth_secret 'password'
option acct_secret 'password'
# Same NAS-Identifier as the 2.4 GHz section, so RADIUS policy cannot
# distinguish the two radios by this attribute.
option nasid 'my_unique_ap_id_1'
# hostapd semantics: 0 = off, 1 = optional, 2 = required. With '1' a client
# without VLAN attributes in its Access-Accept stays on the default network.
option dynamic_vlan '1'
# Prefix of the per-VLAN bridge; hostapd appends the VLAN ID (VLAN 10 ->
# 'br-vlan10').
option vlan_bridge 'br-vlan'

A suitable configuration snippet for /etc/config/network to e.g. bridge wifi clients dynamically assigned to VLAN 10 trunked to eth0:

# Untagged bridge over eth0 that holds the AP's own static address.
# Both SSIDs use this as their default network, so clients that receive no
# VLAN from RADIUS are bridged onto the same segment as the AP's services.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option ipaddr '10.0.0.2'
option netmask '255.255.255.0'
# Gateway and DNS are the same host the wireless config uses as RADIUS server.
option gateway '10.0.0.1'
option dns '10.0.0.1'
# Bridge for wifi clients that RADIUS assigns to VLAN 10. OpenWrt names it
# 'br-vlan10', which is what hostapd derives from vlan_bridge 'br-vlan' + ID.
config interface 'vlan10'
option type 'bridge'
# VLAN 10 tagged sub-interface on top of the 'lan' bridge (uplink via eth0).
option ifname 'br-lan.10'
# No address on this bridge: the AP only forwards frames for VLAN 10 and
# exposes none of its own IP services to these clients.
option proto 'none'

Everything works fine except when a client connecting on the 5 GHz wifi is dynamically assigned to a VLAN: as the detailed hostapd logs indicate, the VLAN then somehow cannot be created in the ath10k driver (needed for 802.11ac-compatible chipsets like the one in the UAP AC Lite), and eventually the association fails. This bug has been known since May 2016 and is still present in my snapshot of LEDE from early January 2017.

The post »Dynamic VLAN on 5 GHz wifi broken with ath10k driver on LEDE«
is licensed under Creative Commons BY-NC-SA 3.0.
