diff --git a/salt-pillar/cpe/aps.sls b/salt-pillar/cpe/aps.sls
index 262e48c..796718f 100644
--- a/salt-pillar/cpe/aps.sls
+++ b/salt-pillar/cpe/aps.sls
@@ -101,6 +101,11 @@ cpe:
               rA==
               =TEEI
               -----END PGP MESSAGE-----
+         'C3D2.eap':
+           net: c3d2
+           wpa-eap:
+            server: radius.hq.c3d2.de
+            port: 1812
 
   ap3:
     password: |
@@ -163,6 +168,11 @@ cpe:
               rA==
               =TEEI
               -----END PGP MESSAGE-----
+         'C3D2.eap':
+           net: c3d2
+           wpa-eap:
+            server: radius.hq.c3d2.de
+            port: 1812
 
   ap4:
     password: |
diff --git a/salt/cpe/ap.sh b/salt/cpe/ap.sh
index ea16177..a9ecf21 100644
--- a/salt/cpe/ap.sh
+++ b/salt/cpe/ap.sh
@@ -322,6 +322,10 @@ set wireless.wifi{{ ifnum }}.network={{ ssidconf['net'] }}
 {%-     if ssidconf.get('psk') %}
 set wireless.wifi{{ ifnum }}.encryption=psk2
 set wireless.wifi{{ ifnum }}.key='{{ ssidconf['psk'] }}'
+{%-     elif ssidconf.get('wpa-eap') %}
+set wireless.wifi({ ifnum }).encryption=wpa2
+set wireless.wifi({ ifnum }).server='{{ ssidconf['wpa-eap']['server'] }}'
+set wireless.wifi({ ifnum }).port='{{ ssidconf['wpa-eap']['port'] }}'
 {%-     else %}
 set wireless.wifi{{ ifnum }}.encryption=none
 {%-     endif %}
diff --git a/salt/firewall/mgmt-gw.sh b/salt/firewall/mgmt-gw.sh
index be3c9f7..c247a3f 100644
--- a/salt/firewall/mgmt-gw.sh
+++ b/salt/firewall/mgmt-gw.sh
@@ -19,6 +19,8 @@ ip6tables -A FORWARD -i $IFACE -p udp --dport 25826 -j ACCEPT
 # downloads.lede-project.org
 iptables -A FORWARD -i $IFACE --dest 148.251.78.235 -j ACCEPT
 ip6tables -A FORWARD -i $IFACE --dest 2a01:4f8:202:43ea::3 -j ACCEPT
+# radius.hq.c3d2.de
+iptables -A FORWARD -i $IFACE --dest 172.22.99.22 -j ACCEPT
 # Deny by default
 iptables -A FORWARD -j REJECT
 ip6tables -A FORWARD -j REJECT