From: Manuel Giganto Date: Mon, 12 Oct 2020 09:44:09 +0000 (+0000) Subject: hostapd: add ppsk option (private psk) X-Git-Tag: v23.05.0-rc1~2966 X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=d12eb103e875ea85c2f1e9a2e9a2922859ec9896;p=openwrt%2Fstaging%2Fpepe2k.git hostapd: add ppsk option (private psk) This PR allows a user to enable a private psk, where each station may have it's own psk or use a common psk if it is not defined. The private psk is defined using the sta's mac and a radius server is required. ppsk option should be enabled in the wireless configuration along with radius server details. When using PPSK, the key is ignored, it will be retrieved from radius server. SAE is not yet supported (private sae) in hostapd. Wireless example configuration: option encryption 'psk2+ccmp' option ppsk '1' option auth_server '127.0.0.1' option auth_secret 'radiusServerPassword' If you want to use dynamic VLAN on PPSK also include: option dynamic_vlan '2' option vlan_tagged_interface 'eth0' option vlan_bridge 'br-vlan' option vlan_naming '0' It works enabling mac address verification on radius server and requiring the tunnel-password (the private psk) from radius server. In the radius server we need to configure the users. In case of freeradius: /etc/freeradius3/mods-config/files/authorize The user and Cleartext-Password should be the mac lower case using the format "aabbccddeeff" Cleartext-Password := "" Tunnel-Password = Example of a user configured in radius and using dynamic VLAN5: 8cb84a000000 Cleartext-Password := "8cb84a000000" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 5, Tunnel-Password = MyPrivPw If we want to have a default or shared psk, used when the mac is not found in the list, we need to add the following at the end of the radius authorize file: DEFAULT Auth-Type := Accept Tunnel-Password = SharedPw And if using VLANs, for example VLAN6 for default users: DEFAULT Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 6, Tunnel-Password = SharedPw Signed-off-by: Manuel Giganto --- diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh index f11b40702c..72ff65b4f1 100644 --- a/package/network/services/hostapd/files/hostapd.sh +++ b/package/network/services/hostapd/files/hostapd.sh @@ -246,7 +246,7 @@ EOF hostapd_common_add_bss_config() { config_add_string 'bssid:macaddr' 'ssid:string' - config_add_boolean wds wmm uapsd hidden utf8_ssid + config_add_boolean wds wmm uapsd hidden utf8_ssid ppsk config_add_int maxassoc max_inactivity config_add_boolean disassoc_low_ack isolate short_preamble skip_inactivity_poll @@ -543,7 +543,7 @@ hostapd_set_bss_options() { acct_server acct_secret acct_port acct_interval \ bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \ multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \ - airtime_bss_weight airtime_bss_limit airtime_sta_weight \ + ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \ multicast_to_unicast proxy_arp per_sta_vif \ eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \ vendor_elements fils ocv @@ -566,6 +566,7 @@ hostapd_set_bss_options() { set_default chan_util_avg_period 600 set_default utf8_ssid 1 set_default multi_ap 0 + set_default ppsk 0 set_default airtime_bss_weight 0 set_default airtime_bss_limit 0 set_default eap_server 0 @@ -653,7 +654,15 @@ hostapd_set_bss_options() { ;; psk|sae|psk-sae) json_get_vars key wpa_psk_file - if [ ${#key} -eq 64 ]; then + if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then + json_get_vars auth_server auth_secret auth_port + set_default auth_port 1812 + append bss_conf "auth_server_addr=$auth_server" "$N" + append bss_conf "auth_server_port=$auth_port" "$N" + append bss_conf "auth_server_shared_secret=$auth_secret" "$N" + append bss_conf "macaddr_acl=2" "$N" + append bss_conf "wpa_psk_radius=2" "$N" + elif [ ${#key} -eq 64 ]; then append bss_conf "wpa_psk=$key" "$N" elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then append bss_conf "wpa_passphrase=$key" "$N"