I have a device running LEDE set up as an access point. As I have 4 additional ethernet ports available, I would like to use them to connect devices, extending the ports available in my router, and using 802.1X for client authentication and VLAN assignment.
My understanding is that hostapd can be used for this purpose using the 'wired' driver. I have set up the switch in my router so that the 'LAN' ports are tagged and can carry the VIDs used for my network. However, I haven't been able to find much information about getting this setup to work, let alone using LEDE or OpenWRT.
I have tried using hostapd this way, but when I connect a device(*) to one of the LAN ethernet ports and try to use 802.1X, nothing really happens. I see nothing in the hostapd output, and my RADIUS server does not report any authentication attempts.
So, I have a few questions:
- Am I doing something wrong in the configuration of my AP's switch or of hostapd that is causing this not to work?
- While creating a custom init script to run hostapd on the wired port is not really an issue, it would be so much cleaner to let LEDE handle generating the configuration file and running hostapd. Is there any way this can currently be done? I was thinking along the lines of (ab)using the /etc/config/wireless file for this, although then LEDE would try to do wireless-related things to the interface, like assigning it a channel.
(*) The device I tried was a MacBook running macOS, and the procedure was connecting it to the port and pressing the 'Connect' button next to 802.1X under the ethernet settings. Maybe trying a Linux device with WPA Supplicant would yield different results, but I haven't tested this yet.
/etc/config/network
Sample of my network configuration file. In this case, VLAN 2 is used only internally by the device (connected to the WAN), while VLAN 1 can be shared through the LAN ports. This configuration works when devices are connected directly to the AP and they are set to use the correct VLAN.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'
	option mirror_source_port '0'
	option mirror_monitor_port '0'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option ports '1t 6t'
hostapd.conf
eth1 corresponds to the LAN port, where client devices are to be connected.
eth0 corresponds to the WAN port, which is connected to the router actually handling the network. This file is based on the hostapd.conf file generated for my wireless network, with irrelevant fields removed and some minor changes (like interface names and the driver used).
driver=wired
interface=eth1
logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
auth_server_addr=10.0.0.2
auth_server_port=1812
auth_server_shared_secret=secret
ieee8021x=1
use_pae_group_addr=1
eap_reauth_period=3600
dynamic_vlan=2
vlan_naming=1
vlan_bridge=br-vlan
vlan_tagged_interface=eth0
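As an added example (not part of the post, and not an OpenWrt/LEDE or hostapd tool), the following Python script parses the two files quoted above and produces two diagnostics: per switch port, which VIDs it carries tagged or untagged, flagging any port that has no untagged VLAN at all (a supplicant's EAPOL frames normally leave its NIC untagged, so a port with only tagged memberships is the first thing to look at when nothing reaches hostapd); and for the hostapd file, whether the settings a wired 802.1X authenticator needs are present, including a warning when the RADIUS shared secret is a placeholder value such as the `secret` used above. The mapping of switch ports to eth0/eth1 (which port is the CPU port for which interface) is hardware specific and is deliberately not assumed here; the script only reports per port number.

```python
"""Consistency checks for a LEDE/OpenWrt swconfig VLAN layout and a hostapd
wired-802.1X configuration.  Added example; not the post's own code."""
import re
from collections import defaultdict

# Constructed input: the two files quoted in the post, copied as given.
NETWORK_CFG = """
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option vid '1'
    option ports '0t 1t 2t 3t 4t 5t 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option vid '2'
    option ports '1t 6t'
"""

HOSTAPD_CFG = """
driver=wired
interface=eth1
ctrl_interface=/var/run/hostapd
auth_server_addr=10.0.0.2
auth_server_port=1812
auth_server_shared_secret=secret
ieee8021x=1
use_pae_group_addr=1
eap_reauth_period=3600
dynamic_vlan=2
vlan_naming=1
vlan_bridge=br-vlan
vlan_tagged_interface=eth0
"""

# Values that are clearly placeholders rather than real RADIUS secrets.
PLACEHOLDER_SECRETS = {"secret", "password", "testing123", "radius"}


def parse_uci(text):
    """Parse UCI 'config <type>' / 'option <k> <v>' stanzas into [(type, {k: v})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)", line)
        if m:
            sections.append((m.group(1), {}))
            continue
        m = re.match(r"option\s+(\S+)\s+'?([^']*)'?$", line)
        if m and sections:
            sections[-1][1][m.group(1)] = m.group(2)
    return sections


def port_membership(sections):
    """Map switch port number -> {vid: 'tagged' | 'untagged'} from switch_vlan stanzas."""
    ports = defaultdict(dict)
    for stype, opts in sections:
        if stype != "switch_vlan":
            continue
        vid = int(opts.get("vid") or opts["vlan"])  # vid defaults to the vlan index
        for tok in opts["ports"].split():
            num = int(tok.rstrip("t"))
            ports[num][vid] = "tagged" if tok.endswith("t") else "untagged"
    return dict(ports)


def ports_without_untagged(ports):
    """Ports whose memberships are all tagged: untagged client frames (EAPOL included)
    have no VLAN to land in on such a port."""
    return sorted(p for p, vids in ports.items() if "untagged" not in vids.values())


def parse_hostapd(text):
    """Parse hostapd's key=value format into a dict (comments and blanks skipped)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf


def check_wired_dot1x(conf):
    """Return a list of problems for a hostapd config meant as a wired 802.1X authenticator."""
    problems = []
    if conf.get("driver") != "wired":
        problems.append("driver should be 'wired' for an Ethernet authenticator")
    if conf.get("ieee8021x") != "1":
        problems.append("ieee8021x=1 is required to run the 802.1X state machine")
    for key in ("auth_server_addr", "auth_server_port", "auth_server_shared_secret"):
        if not conf.get(key):
            problems.append(f"{key} is missing; hostapd cannot talk to the RADIUS server")
    if conf.get("auth_server_shared_secret", "").lower() in PLACEHOLDER_SECRETS:
        problems.append("auth_server_shared_secret is a placeholder; use a long random value")
    if conf.get("dynamic_vlan", "0") != "0" and not (
        conf.get("vlan_tagged_interface") or conf.get("vlan_file")
    ):
        problems.append("dynamic_vlan is set but neither vlan_tagged_interface nor vlan_file is given")
    return problems


if __name__ == "__main__":
    ports = port_membership(parse_uci(NETWORK_CFG))
    for num in sorted(ports):
        print(f"port {num}: " + ", ".join(f"vid {v} {m}" for v, m in sorted(ports[num].items())))
    print("ports with no untagged VLAN:", ports_without_untagged(ports))
    for problem in check_wired_dot1x(parse_hostapd(HOSTAPD_CFG)):
        print("hostapd:", problem)
```

Run against the post's files, every port (0 through 6) is reported as tagged-only, and the only hostapd finding is the placeholder shared secret; the script says nothing about which of those ports is the one eth1 sits behind, because that depends on the board.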