LI Nick X.com
Blog |Follow Nick on Mastodon| About
 

This is much simpler than I imagined...

Scenario

For my home Wi-Fi, I want a single SSID but I want to place devices (Such as IOT) into different VLANs, but since this is personal use I don't want the headache of certificates that comes with 802.1x / WPA-Enterprise, thus want to keep the simplicity of passwords (WPA2-PSK).

UniFi APs support Dynamic VLAN Assignment, but it wasn't obvious what needs to be done on the RADIUS side... well, it'd be simple for Cisco's ISE but I don't have that at home, so freeadius it is 😜

In this solution there's two key things:

  1. MAC Authorization isn't a security feature; it's more of a convenience feature, Windows & Linux easily allow changing the MAC address of a network card
  2. The config below has a default allow that is unknown Mac addresses are permitted

The idea is, I have one SSID for all my devices, new devices "just work" and they can be moved around afterwards. The security of the SSID hasn't changed the strength of the PSK is the key.

The example below assumes you have a working Wi-Fi, with working VLANs and a working firewall/router to connect them together, we start with installing freeradius onto OpenWRT.

Install Freeradius

On your OpenWRT box, install the default packages...

opkg update && opkg install freeradius3-default freeradius3-utils

Now, if you want to be fancy and install just the bare minimum you only need the below packages, this will exclude all the EAP stuff, but you'll have to hack about with the default site and config files to get the service to start properly... you've been warned! 

freeradius3 freeradius3-common freeradius3-mod-always freeradius3-mod-attr-filter freeradius3-mod-chap freeradius3-mod-detail freeradius3-mod-exec freeradius3-mod-expiration freeradius3-mod-files freeradius3-mod-logintime freeradius3-mod-pap freeradius3-mod-preprocess freeradius3-utils

Edit Config files

The first step is to define your RADIUS Clients, the things that send authentication requests. The file you need to edit is /etc/freeradius3/clients.conf; the RADIUS packets come directly from the Access-Point so you can either add them one at a time, or add a subnet like this:

Place at the bottom of the file.

client vlan1 {
        ipaddr = 192.168.1.0/24
        secret = correcthorsebatterystaple
}

Now, add the WI-FI Clients to /etc/freeradius3/mods-config/files/authorize

Place at the top of the file.

de:ad:be:ef:00:01       Cleartext-Password := "de:ad:be:ef:00:01"
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = 6,                         
                        Tunnel-Private-Group-Id = 2

DEFAULT                 Auth-Type := Accept
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = 6,
                        Tunnel-Private-Group-Id = 1

Where de:ad:be:ef:00:01 is the MAC Address of the device, such as your phone or notebook and Tunnel-Private-Group-Id = 2 places the device into VLAN 2. This example places all unknown MAC addresses into VLAN 1

Testing & Logging

With the config files changed, I recommend you stop the radius service : /etc/init.d/radiusd stop and then start freeradius in debug mode: radiusd -X

In debug mode, you'll need to keep your SSH open but you'll see the authentication requests on the screen, if you've made any mistakes it's easier to spot this way.

After testing is complete, you can run /etc/init.d/radiusd start to run it as a background service.

While you are running radiusd -X no logs are produced, the output is to the screen; by default when you re-enable the service the logs will output to disk: /var/log/radius.log. If you want to see the logs in luci then, edit /etc/freeradius3/radiusd.conf change destination = files ➡️ destination = syslog you may also want to set auth = yes so that you see both failed & passed authentications.

UniFi update the SSID

Before changing the SSID, a RADIUS server needs to be defined under Settings > Profiles > RADIUS . The secret is the same secret which was defined above in clients.conf; the IP address is that of your OpenWRT box. Account is optional, enable if logging disconnect events is important to you.

Screenshot of UniFi RADIUS Profile

Finally edit your SSID under Settings > Wireless Networks , scroll to the bottom and enable RADIUS MAC Auth, selecting the profile you just created.

Screenshot of UniFi SSID Mac Auth section

If you have freeradius running in debug mode you'll see events when devices try to connect!

/End

Adding new devices is as simple as putting entries into the authorize file with your desired VLAN.

References:

  • https://openwrt.org/docs/guide-user/network/wifi/freeradius
  • https://neilzone.co.uk/2021/09/using-freeradius-to-assign-vlans-for-unifi-wi-fi
  • https://help.ui.com/hc/en-us/articles/360015268353-UniFi-Gateway-Configuring-RADIUS-Server

 

 
Nick Bettison ©