WPA3 Enterprise WiFi | OpenWRT AP with Pfsense Router, Firewall, and RADIUS Server
-
Just bought a GL-MT6000 router and installed OpenWRT on it for use as a dumb AP. The AP is connected to my Protectli FW4B running Pfsense. The Pfsense box serves as the main router and firewall.
I have a physical port on the Pfsense box connected to one of the GL-MT6000 LAN ports. This port is divided into 5 different VLANs with tags synchronized between AP and router. I have 4 wireless SSIDs, each using its own interface tied to one of the VLANs. The fifth VLAN serves as the Ethernet connection.
Everything in the above seems to be functioning just fine, with the two SSIDs set up to use WPA2-PSK working well.
My other two SSIDs were created for WPA3 Enterprise WiFi utilizing the Pfsense box as a RADIUS server. This is the reason for the extensive VLAN isolation as I don't want mixing between weak security and strong security networks.
Anyways, I set up a test WPA3-E network and I can't seem to get a client to connect. The Pfsense RADIUS server is listening on all interfaces, port 1812. The firewall for this WiFi network's VLAN interface allows all TCP/UDP IPv4 traffic with port 1812 as destination. On the Pfsense side I have tried adding both the OpenWRT AP full subnet and the full VLAN interface subnet to the list of FreeRADIUS clients. On the OpenWRT side I have tried setting the RADIUS server IP to both the Pfsense firewall IP and the VLAN interface IP. OpenWRT and Pfsense FreeRADIUS have the same RADIUS Authentication Secret.
I am not sure what I am doing wrong here. Could the VLANs be causing issues?
-
@alphilon You very likely have some basic flaw in the setup. Generally these are the points to look for:
1: The OpenWRT AP should only have one IP address - in the Management VLAN, likely your wired Ethernet VLAN.
2: Set the OpenWRT AP to use a RADIUS server with the IP of your pfSense's interface IP in that management VLAN (again, probably your wired VLAN).
3: Make sure to have a firewall rule allowing traffic on UDP 1812 from the OpenWRT IP to the pfSense interface IP (e.g. the built-in "LAN address" alias).
4: Make sure FreeRADIUS is set up and bound to listen on that interface IP address.
If it is still not working / there are no log entries, make a packet capture on the management interface and see if any RADIUS packets are received from OpenWRT. Then you know if it's OpenWRT or your pfSense/FreeRADIUS config that has issues.
-
Yup, I expect to see that RADIUS traffic on the mgmt VLAN, not the SSID VLAN the clients connect to. So that's where you need the firewall rules to pass it.
-
Yeah, I run WPA3 Enterprise on one of my networks, with freerad running on pfSense. I am using UniFi, but I do have a GL.iNet router I use when I travel that I could fire up; it uses OpenWRT.
But yeah, a common mistake is the firewall rules on the management network that your AP would be talking to the freerad server running on pfSense over. @keyser hit all the points, I do believe.
-
@keyser Indeed, this was the issue. I had to allow access to the FreeRADIUS port on the mgmt VLAN instead of the SSID VLAN.
Given this revelation, can anyone confirm that I have set up proper isolation between the various SSIDs? I have firewall rules that prevent their VLANs from cross-talking, but given that they are all using the mgmt VLAN for RADIUS authentication, I am unsure.
-
@alphilon the clients on your specific VLANs are not using it - the AP is.
The client via WiFi talks to the AP, says "hey, I want to connect - here are my auth creds". The AP says "ok, let me go check with this guy over here (RADIUS) to see if you are allowed".
Here is an auth from my iPhone. Notice the RADIUS server got the info from my AP on 192.168.2.2, after it validated that that AP can talk to it, etc.
Aug 6 10:11:48 radiusd 97858 (4) Login OK: [JohnsIphone/<via Auth-Type = eap>] (from client uap-pro port 0 cli DC-B5-4F-E0-CB-0A) 192.168.2.2 Auth-Type: eap
Aug 6 10:11:48 radiusd 97858 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Aug 6 10:11:48 radiusd 97858 Please set "require_message_authenticator = true" for client uap-pro
Aug 6 10:11:48 radiusd 97858 The packet contains Message-Authenticator.
Aug 6 10:11:48 radiusd 97858 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Aug 6 10:11:48 radiusd 97858 Setting "limit_proxy_state = true" for client uap-pro
Aug 6 10:11:48 radiusd 97858 BlastRADIUS check: Received packet without Proxy-State.
Aug 6 10:11:48 radiusd 97858 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
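As an added example (not from any poster in this thread), a small Python parser over the radiusd lines quoted above, one per line: it pulls the user, the NAS client name and the NAS IP out of each "Login OK" line, so you can confirm every authentication really arrives from the AP's management IP and not from a client VLAN, and it counts the "Please set require_message_authenticator = true" warnings per client, which FreeRADIUS prints when a client entry still allows packets without a Message-Authenticator. The regexes assume the FreeRADIUS log format shown in the post; other versions may word the lines differently.

```python
import re
from collections import defaultdict

# Sample input: the radiusd lines quoted in the post above, split one per line.
SAMPLE_LOG = """\
Aug 6 10:11:48 radiusd 97858 (4) Login OK: [JohnsIphone/<via Auth-Type = eap>] (from client uap-pro port 0 cli DC-B5-4F-E0-CB-0A) 192.168.2.2 Auth-Type: eap
Aug 6 10:11:48 radiusd 97858 Please set "require_message_authenticator = true" for client uap-pro
Aug 6 10:11:48 radiusd 97858 The packet contains Message-Authenticator.
Aug 6 10:11:48 radiusd 97858 Setting "limit_proxy_state = true" for client uap-pro
Aug 6 10:11:48 radiusd 97858 BlastRADIUS check: Received packet without Proxy-State.
"""

# "Login OK: [user/<via ...>] (from client NAME port N cli MAC) NAS_IP ..."
LOGIN_RE = re.compile(
    r"Login OK: \[(?P<user>[^/\]]+)(?:/[^\]]*)?\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f-]+)\) "
    r"(?P<nas_ip>\d+\.\d+\.\d+\.\d+)"
)
# Warning FreeRADIUS emits while require_message_authenticator is still off for a client.
WARN_RE = re.compile(
    r'Please set "require_message_authenticator = true" for client (?P<client>\S+)'
)


def parse_radius_log(text):
    """Return (logins, warnings): a list of dicts per successful login and a
    per-client count of missing require_message_authenticator warnings."""
    logins = []
    warnings = defaultdict(int)
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            logins.append(m.groupdict())
            continue
        w = WARN_RE.search(line)
        if w:
            warnings[w.group("client")] += 1
    return logins, dict(warnings)


def audit(text, expected_nas_ips):
    """Flag logins whose NAS IP is not one of the known AP management IPs
    (the set of IPs the firewall should be passing UDP 1812 from)."""
    logins, warnings = parse_radius_log(text)
    unexpected = [l for l in logins if l["nas_ip"] not in expected_nas_ips]
    return {"logins": len(logins), "unexpected_nas": unexpected, "warnings": warnings}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, {"192.168.2.2"}))
```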
-
@johnpoz Thank you! Now I think I understand.
This actually seems better than how I thought it worked before, because I was nervous about having an open port on the WiFi VLANs.