Last active
December 9, 2025 02:33
Fifth, revised attempt at fixing the issue where PSK-to-VLAN mapping is mishandled during FT events
| --- a/src/ap/ieee802_11.c | |
| +++ b/src/ap/ieee802_11.c | |
| @@ -38,6 +38,7 @@ | |
| #include "sta_info.h" | |
| #include "ieee802_1x.h" | |
| #include "wpa_auth.h" | |
| +#include "wpa_auth_i.h" | |
| #include "pmksa_cache_auth.h" | |
| #include "wmm.h" | |
| #include "ap_list.h" | |
| @@ -466,6 +467,36 @@ static void handle_auth_ft_finish(void *ctx, const u8 *dst, | |
| if (status != WLAN_STATUS_SUCCESS) | |
| return; | |
| + /* Reapply per-PSK VLAN mapping for FT roam (dynamic VLAN only) */ | |
| + if (hapd->conf->ssid.dynamic_vlan && sta && sta->wpa_sm) { | |
| + const u8 *pmk; | |
| + int pmk_len; | |
| + struct hostapd_wpa_psk *psk; | |
| + | |
| + pmk = wpa_auth_get_pmk(sta->wpa_sm, &pmk_len); | |
| + if (pmk && pmk_len == PMK_LEN) { | |
| + for (psk = hapd->conf->ssid.wpa_psk; psk; psk = psk->next) { | |
| + if (os_memcmp(pmk, psk->psk, PMK_LEN) == 0) { | |
| + if (psk->vlan_id && psk->vlan_id != sta->vlan_id) { | |
| + struct vlan_description vlan_desc = { .notempty = 1, .untagged = | |
| + psk->vlan_id }; | |
| + | |
| + wpa_printf(MSG_INFO, | |
| + "FT: PSK VLAN reassignment " MACSTR " %d->%d", | |
| + MAC2STR(sta->addr), sta->vlan_id, psk->vlan_id); | |
| + | |
| + if (ap_sta_set_vlan(hapd, sta, &vlan_desc) < 0) { | |
| + wpa_printf(MSG_INFO, | |
| + "FT: PSK VLAN reassignment failed for " MACSTR " (%d->%d)", | |
| + MAC2STR(sta->addr), sta->vlan_id, psk->vlan_id); | |
| + } | |
| + } | |
| + break; | |
| + } | |
| + } | |
| + } | |
| + } | |
| + | |
| hostapd_logger(hapd, dst, HOSTAPD_MODULE_IEEE80211, | |
| HOSTAPD_LEVEL_DEBUG, "authentication OK (FT)"); | |
| sta->flags |= WLAN_STA_AUTH; |
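Review bot: The added block fails open: when `wpa_auth_get_pmk()` yields no usable PMK, no `wpa_psk` entry matches, or `ap_sta_set_vlan()` returns < 0, the code only logs and falls through to `sta->flags |= WLAN_STA_AUTH`, so the station keeps whatever `sta->vlan_id` it already had. Since the VLAN is the isolation boundary here, the failure branch should stop the roam rather than continue, e.g. a `return;` after the second `wpa_printf`, and the no-match case should at least log (`wpa_printf(MSG_DEBUG, "FT: no PSK entry matched, VLAN unchanged");`) so a silent skip is visible. The comparison is over key material, so `os_memcmp_const(pmk, psk->psk, PMK_LEN)` fits better than `os_memcmp`. The loop also takes the first entry with an equal PSK without checking any per-station binding on that entry, which may select the wrong VLAN if the PSK file maps one passphrase to several MACs; worth confirming. The function starts and ends outside the hunk, so whether the auth reply has already been sent at this point cannot be seen here.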
Author
@pajadam Thanks for the feedback!
I'm happy to let you know this patch should no longer be needed. See here for more details: https://forum.openwrt.org/t/individual-per-passphrase-per-mac-wifi-vlans-using-wpa-psk-file-no-radius-required/161696/290?u=_failsafe
@pajadam Looks like the commit I linked to has not actually solved the issue as I thought. So, for now I'm back using my patch. I'm going to update it with a few tweaks and it will be more verbose by default.