@Fail-Safe
Last active December 9, 2025 02:33
Fifth, revised attempt at fixing the issue where PSK-to-VLAN mapping is mishandled during FT events
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -38,6 +38,7 @@
#include "sta_info.h"
#include "ieee802_1x.h"
#include "wpa_auth.h"
+#include "wpa_auth_i.h"
#include "pmksa_cache_auth.h"
#include "wmm.h"
#include "ap_list.h"
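Review bot: the new `#include "wpa_auth_i.h"` pulls the authenticator's internal header into ieee802_11.c, while the only new call this patch makes is `wpa_auth_get_pmk()`; check whether `wpa_auth.h` (already included two lines above) declares it and, if so, drop the internal include so the file stays on the public wpa_auth interface.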
@@ -466,6 +467,36 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst,
if (status != WLAN_STATUS_SUCCESS)
return;
+ /* Reapply per-PSK VLAN mapping for FT roam (dynamic VLAN only) */
+ if (hapd->conf->ssid.dynamic_vlan && sta && sta->wpa_sm) {
+ const u8 *pmk;
+ int pmk_len;
+ struct hostapd_wpa_psk *psk;
+
+ pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len);
+ if (pmk && pmk_len == PMK_LEN) {
+ for (psk = hapd->conf->ssid.wpa_psk; psk; psk = psk->next) {
+ if (os_memcmp(pmk, psk->psk, PMK_LEN) == 0) {
+ if (psk->vlan_id && psk->vlan_id != sta->vlan_id) {
+ struct vlan_description vlan_desc = { .notempty = 1, .untagged =
+ psk->vlan_id };
+
+ wpa_printf(MSG_INFO,
+ "FT: PSK VLAN reassignment " MACSTR " %d->%d",
+ MAC2STR(sta->addr), sta->vlan_id, psk->vlan_id);
+
+ if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0) {
+ wpa_printf(MSG_INFO,
+ "FT: PSK VLAN reassignment failed for " MACSTR " (%d->%d)",
+ MAC2STR(sta->addr), sta->vlan_id, psk->vlan_id);
+ }
+ }
+ break;
+ }
+ }
+ }
+ }
+
hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)");
sta->flags |= WLAN_STA_AUTH;
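Review bot: the match at `os_memcmp(pmk, psk->psk, PMK_LEN) == 0` keys on the PSK bytes alone and takes the first list entry that matches, so if the same passphrase appears in more than one `wpa_psk` entry with different VLANs (for example entries bound to specific MAC addresses), the station can be moved to the wrong VLAN; consider also checking the entry's address binding against `sta->addr` before accepting it. It is also worth confirming that `wpa_auth_get_pmk()` still returns the original PSK, and not an FT-derived key, for a station that has just completed FT authentication: the block only logs when a match is found and otherwise stays silent, which would look exactly like the missing log message reported in the comments below.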
Fail-Safe (Author) commented Nov 20, 2025

Fifth revision for testing! Let me know ASAP if you notice any regression.

pajadam commented Dec 8, 2025

Seems to be working just fine for mediatek/filogic (Cudy AP 3000) 24.10.4. The only weird thing I noticed is that the debug message is not shown for some reason. But I guess that's some kind of log level thing.

The process of recompilation is not that easy though; if you want more people to test it out, it would be nice to write down some instructions for it. I used the OpenWRT SDK for my platform in Docker, and it took me a whole weekend to figure it out.

Thanks for this patch! Good job!

Fail-Safe (Author) commented Dec 8, 2025

@pajadam Thanks for the feedback! I'm happy to let you know this patch should no longer be needed. See here for more details: https://forum.openwrt.org/t/individual-per-passphrase-per-mac-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/290?u=_failsafe
@pajadam
Looks like the commit I linked to has not actually solved the issue as I thought. So, for now I'm back using my patch. I'm going to update it with a few tweaks and it will be more verbose by default.