This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.
ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.
Wireless example configuration:
option encryption 'psk2+ccmp'
option ppsk '1'
option auth_server '127.0.0.1'
option auth_secret 'radiusServerPassword'
If you want to use dynamic VLAN on PPSK also include:
option dynamic_vlan '2'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.
In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "
aabbccddeeff"
<sta mac> Cleartext-Password := "<sta mac>"
Tunnel-Password = <Private Password>
Example of a user configured in radius and using dynamic VLAN5:
8cb84a000000 Cleartext-Password := "
8cb84a000000"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 5,
Tunnel-Password = MyPrivPw
If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:
DEFAULT Auth-Type := Accept
Tunnel-Password = SharedPw
And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 6,
Tunnel-Password = SharedPw
Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
hostapd_common_add_bss_config() {
config_add_string 'bssid:macaddr' 'ssid:string'
- config_add_boolean wds wmm uapsd hidden utf8_ssid
+ config_add_boolean wds wmm uapsd hidden utf8_ssid ppsk
config_add_int maxassoc max_inactivity
config_add_boolean disassoc_low_ack isolate short_preamble skip_inactivity_poll
acct_server acct_secret acct_port acct_interval \
bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
- airtime_bss_weight airtime_bss_limit airtime_sta_weight \
+ ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
multicast_to_unicast proxy_arp per_sta_vif \
eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
vendor_elements fils ocv
set_default chan_util_avg_period 600
set_default utf8_ssid 1
set_default multi_ap 0
+ set_default ppsk 0
set_default airtime_bss_weight 0
set_default airtime_bss_limit 0
set_default eap_server 0
;;
psk|sae|psk-sae)
json_get_vars key wpa_psk_file
- if [ ${#key} -eq 64 ]; then
+ if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
+ json_get_vars auth_server auth_secret auth_port
+ set_default auth_port 1812
+ append bss_conf "auth_server_addr=$auth_server" "$N"
+ append bss_conf "auth_server_port=$auth_port" "$N"
+ append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+ append bss_conf "macaddr_acl=2" "$N"
+ append bss_conf "wpa_psk_radius=2" "$N"
+ elif [ ${#key} -eq 64 ]; then
append bss_conf "wpa_psk=$key" "$N"
elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then
append bss_conf "wpa_passphrase=$key" "$N"