Commit Graph

265 Commits

Author SHA1 Message Date
Felix Fietkau
b8be20c7e8 hostapd: fix unused device removal on DBDC devices
Check the phy before removing unrelated netdevs on the same hw device

Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-03 18:51:00 +02:00
Felix Fietkau
150e6d28f2 hostapd: fix undeclared variable in common.uc
Fixes: https://github.com/openwrt/openwrt/issues/13210
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-02 13:30:26 +02:00
Felix Fietkau
e56c5f7b27 hostapd: add ucode support, use ucode for the main ubus object
This implements vastly improved dynamic configuration reload support.
It can handle configuration changes on individual wifi interfaces, as well
as adding/removing interfaces.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 10:08:03 +02:00
Felix Fietkau
57fbbf15cd hostapd: add experimental radius server
This can be used to run a standalone EAP server that can be used from
other APs. It uses json as user database format and can automatically
handle reload.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-08-01 10:05:13 +02:00
Stijn Tintel
b57703264f hostapd: add UCI option for Multiple BSSID
Add an UCI option to enable Multiple BSSID Advertisement. Enabling this
will announce all BSSIDS on a phy in a single beacon frame. The
interface that is brought up first will be the transmitting profile, all
others are non-transmitting profiles and will be advertised in the
Multiple BSSID element in Beacon and Probe Response frames of the first
interface.

This depends on driver and client support. Enabling this will result in
all but the first interface not being visible at all for clients that do
not support it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-06-16 02:42:04 +03:00
Felix Fietkau
67e8cc07f9 hostapd: remove unused legacy wireless extension support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-05-26 13:33:45 +02:00
Felix Fietkau
635d177ac9 hostapd: enable radius server support
This is useful in combination with the built-in eap server support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-07 10:24:05 +01:00
Felix Fietkau
d10e1b4a71 hostapd: add support for defining multiple acct/auth servers
This allows adding backup servers, in case the primary ones fail.
Assume that port and shared secret are going to be the same.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-07 10:24:05 +01:00
Leon M. Busch-George
ae751535de
hostapd: always use sae_password for mesh/SAE auth
This patch fixes a corner case when using passwords that are exactly 64
characters in length with mesh mode or passwords longer than 63 characters
with SAE because 'psk' is used instead of 'sae_password'.
SAE is obligatory for 802.11s (mesh point).

The 'psk' option for hostapd is suited for WPA2 and enforces length
restrictions on passwords. Values of 64 characters are treated as PMKs.
With SAE, PMKs are always generated during the handshake and there are no
length restrictions.
The 'sae_password' option is more suited for SAE and should be used
instead.

Before this patch, the 'sae_password' option is only used with mesh mode
passwords that are not 64 characters long.
As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk
  limitation).

Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
differentiation only when PSK is used.

Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-02-19 19:43:57 +01:00
Leon M. Busch-George
3c10c42ddd
hostapd: add quotes in assignments
It's generally advised to use quotes for variable assignments in bash.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
2023-02-19 19:43:54 +01:00
Felix Fietkau
581f2b15b2 hostapd: enable coredumps
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-16 14:32:47 +01:00
Felix Fietkau
c2fde432b3 hostapd: always set a default for the nas identifier
It is used for both 802.11r and WPA enterprise.
Setting it when not needed is harmless

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-16 14:32:47 +01:00
Felix Fietkau
2fb38b77a2 hostapd: add support for automatically setting RADIUS own-ip dynamically
Some servers use the NAS-IP-Address attribute as a destination address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-16 14:32:47 +01:00
Felix Fietkau
a797f0e82a hostapd: use wpa_supplicant for unencrypted mesh connections
It's more reliable than using iw

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-12-10 12:38:46 +01:00
Felix Fietkau
ddf736e543 hostapd: remove invalid dtim_period option processing
dtim_period is a bss property, not a device one.
It is already handled properly in mac80211.sh

Fixes: 30c64825c7 ("hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-11-10 13:09:18 +01:00
Felix Fietkau
09ea1db93b hostapd: rename hostapd multicast_to_unicast option to multicast_to_unicast_all
There are two feature currently altered by the multicast_to_unicast option.
1. bridge level multicast_to_unicast via IGMP snooping
2. hostapd/mac80211 config multicast_to_unicast setting

The hostapd/mac80211 setting has the side effect of converting *all* multicast
or broadcast traffic into per-station duplicated unicast traffic, which can
in some cases break expectations of various protocols.
It also has been observed to cause ARP lookup failure between stations
connected to the same interface.

The bridge level feature is much more useful, since it only covers actual
multicast traffic managed by IGMP, and it implicitly defaults to 1 already.

Renaming the hostapd/mac80211 option to multicast_to_unicast_all should avoid
unintentionally enabling this feature

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-06 12:15:48 +02:00
Felix Fietkau
2984a04206 mac80211: disable ft-over-ds by default
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-08-30 10:58:20 +02:00
Joerg Werner
9fbb76c047 hostapd: fix WPA3 enterprise keys and ciphers
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is
active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires
corresponding changes in netifd.

Signed-off-by: Joerg Werner <schreibubi@gmail.com>
2022-08-20 22:56:12 +02:00
Manuel Giganto
d12eb103e8
hostapd: add ppsk option (private psk)
This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.

ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.

Wireless example configuration:
	option encryption 'psk2+ccmp'
	option ppsk '1'
	option auth_server '127.0.0.1'
	option auth_secret 'radiusServerPassword'

If you want to use dynamic VLAN on PPSK also include:
	option dynamic_vlan '2'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.

In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"

<sta mac> Cleartext-Password := "<sta mac>"
	Tunnel-Password = <Private Password>

Example of a user configured in radius and using dynamic VLAN5:

8cb84a000000 Cleartext-Password := "8cb84a000000"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 5,
	Tunnel-Password = MyPrivPw

If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:

DEFAULT Auth-Type := Accept
	Tunnel-Password = SharedPw

And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 6,
	Tunnel-Password = SharedPw

Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
2022-07-15 08:20:36 +02:00
Michael Yartys
442708dfe2 wpa_supplicant: compile with OCV support
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile -basic and
-full variants with support for OCV. This feature can be configured in the
wireless config by setting ocv equal to one of the following values:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
    driver indicates support for operating channel validation.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2022-07-03 20:25:38 +02:00
Michael Yartys
f60628f33c hostapd: enable compilation of OCV and add build feature discovery
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:

0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
    connect even if the STA doesn't send OCI or negotiate PMF.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2022-07-03 20:25:38 +02:00
Stijn Tintel
6556cad99d hostapd: disable mbo by default
Enabling mbo by default on 802.11ax devices breaks for encryption types
that do not enable 802.11w by default. Disable mbo by default to fix
this. Enabling mbo by default on 802.11ax devices was not explained in
the commit message anyway.

Fixes: 6eee983656 ("hostapd: introduce mbo option")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-28 22:16:47 +03:00
Stijn Tintel
6eee983656 hostapd: introduce mbo option
Introduce a new option mbo to toggle Multi Band Operation aka Agile
Multiband for a BSS.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
2022-06-28 03:23:51 +03:00
David Bauer
574539ee2c hostapd: add owe_transition_ifname
Add the owe_transition_ifname config option to wifi-ifaces.

This allows to configure OWE transition VAPs without adding SSID / BSSID
to the uci conifg but instead autodiscovering these parameters from
other networks on the same PHY.

The following configuration creates a OWE transition mode network
constellation.

config wifi-iface 'open0'
	option device 'radio0'
	option ifname 'open0'
	option network 'lan'
	option mode 'ap'
	option ssid 'FreeNet'
	option encryption 'none'
	option owe_transition_ifname 'owe0'

config wifi-iface 'owe0'
	option device 'radio0'
	option ifname 'owe0'
	option network 'lan'
	option mode 'ap'
	option ssid 'owe_tm.FreeNet'
	option encryption 'owe'
	option hidden '1'
	option owe_transition_ifname 'open0'

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-16 11:07:19 +02:00
David Bauer
b72c7db229 hostapd: fix missing HS20 support for hostapd-full
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.

How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.

Fix this and add Hotspot 2.0 capability to hostapd-full.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-06-08 23:17:09 +02:00
David Bauer
c35ff1affe hostapd: update to 2022-05-08
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.

Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-06-08 23:16:06 +02:00
Bernd Naumann
98d91e4d5e hostapd: Radius based VLANs on AP with PSK
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.

Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.

`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.

A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.

This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.

```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 65

DEFAULT Cleartext-Password := "%{User-Name}"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 67
```

Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.

I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.

Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
2022-06-08 16:04:04 +02:00
Nick Lowe
e8d048c5e0 hostapd: SAE - Enable hunting-and-pecking and H2E
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.

Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.

The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.

For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.

For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2022-02-24 18:04:05 +01:00
Eneas U de Queiroz
e6df13d0e1 hostapd: fallback to psk when generating r0kh/r1kh
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret".  auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well.  In
this case,  auth_secret is empty, and the default value of the key can
be computed from the SSID alone.

Fallback to using $key when auth_secret is empty.  While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-02-19 16:14:52 +01:00
Raphaël Mélotte
69ce75fb12 hostapd: add fallback for WPS on stations
Up to now the WPS script triggered WPS on the stations only if it
could not trigger it successfully on any hostapd instance.

In a Multi-AP context, there can be a need (to establish a new
wireless backhaul link) to trigger WPS on the stations, regardless of
whether there is already a hostapd instance configured or not. The
current script makes it impossible, as if hostapd is running and
configured, WPS would always be triggered on hostapd only.

To allow both possibilities, the following changes are made:

- Change the "pressed" action to "release", so that we can make use of
the "$SEEN" variables (to know for how long the button was pressed).

- If the button is pressed for less than 3 seconds, keep the original
behavior.

- If the button is pressed for 3 seconds or more, trigger WPS on the
stations, regardless of the status of any running hostapd instance.

- Add comments explaining both behaviors.

- While at it, replace the usage of '-a' with a '[] && []'
construct (see [1]).

This gives users a "fallback" mechanism to onboard a device to a
Multi-AP network, even if the device already has a configured hostapd
instance running.

[1]: https://github.com/koalaman/shellcheck/wiki/SC2166

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-12-27 16:32:02 +00:00
Felix Fietkau
ea49690ff4 hostapd: add support for specifying the FILS DHCP server
The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server
For proto=dhcp networks, the discovered dhcp server will be used
For all other networks, udhcpc is called to discover the address

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
b7d9bced30 hostapd: add support for enabling FILS on AP and client interfaces
This is only supported with WPA-enterprise

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
5b66dfaf6c hostapd: enable FILS support in the full config and add build feature discovery
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-12-10 11:33:49 +01:00
Felix Fietkau
a5e3def182 hostapd: add wmm qos map set by default
This implements the mapping recommendations from RFC8325, with an
update from RFC8622. This ensures that DSCP marked packets are properly
sorted into WMM classes.
The map can be disabled by setting iw_qos_map_set to something invalid
like 'none'

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-03 22:47:55 +01:00
Felix Fietkau
da4be02fcd hostapd: fix a race condition on adding AP mode wds sta interfaces
Both hostapd and netifd attempt to add a VLAN device to a bridge.
Depending on which one wins the race, bridge vlan settings might be incomplete,
or hostapd might run into an error and refuse to service the client.
Fix this by preventing hostapd from adding interfaces to the bridge and
instead rely entirely on netifd handling this properly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-10-21 11:31:53 +02:00
David Bauer
ec2078e3ef hostapd: enable proxy-arp support for hostapd-full
The hostapd.sh script already has support for configuring proxy-ARP,
however no built variant has support for it enabled.

Enable proxy-ARP support for hostapd-full builds in order to allow users
to actually use this feature.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-08-28 01:31:15 +02:00
Felix Fietkau
c26d741d07 hostapd: enable ht40 in wpa_supplicant when using wider HE modes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-24 17:35:45 +02:00
Jesus Fernandez Manzano
af83e3ce0f hostapd: respect fixed channel BW in HE20 mode
When using htmode 'HE20' with a radio mode that uses wpa-supplicant
(like mesh or sta), it will default to 40 MHz bw if disable_ht40 is not
set. This commit fixes this behaviour.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2021-08-08 19:50:46 +02:00
Felix Fietkau
7b46377a0c hostapd: make the snooping interface (for proxyarp) configurable
Use the VLAN interface instead of the bridge, to ensure that hostapd receives
untagged DHCP packets

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-28 05:55:11 +02:00
Felix Fietkau
1818b038d7 hostapd: add support for providing vendor specific IE elements
They can be added as hex digit strings via the 'vendor_elements' option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-24 15:56:46 +02:00
Raphaël Mélotte
acdb7c38c6 hostapd: add default_disabled option to the supplicant
With the default configuration we generate, the supplicant starts
scanning and tries to connect to any open network when the interface
is enabled.

In some cases it can be desirable to prevent the supplicant from
scanning by itself. For example, if on the same radio an AP is
configured and an unconfigured STA is added (to be configured with
WPS), the AP might not be able to beacon until the STA stops
scanning.

In such a case, the STA configuration can still be required to set
specific settings (e.g. multi_ap_backhaul_sta) so it can't be set to
"disabled" in uci (because that would prevent the supplicant from
being run at all). The alternative is to add the "disabled" parameter
to the default network block in the supplicant configuration.

This patch adds a "default_disabled" setting in UCI which, when set,
adds the "disabled" parameter to the supplicant default network block.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-06-23 14:52:16 -10:00
Timo Sigurdsson
bf98faaac8 hostapd: make wnm_sleep_mode_no_keys configurable
In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround
against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not
enabled by default on OpenWrt, but it is configurable through the option
wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by
exposing the option wnm_sleep_mode_no_keys. If you use the option
wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might
consider using this workaround.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-22 11:10:06 -10:00
Timo Sigurdsson
85ce590705 hostapd: fix handling of the channel utilization options
Commit 0a7657c ("hostapd: add channel utilization as config option") added the
two new uci options bss_load_update_period and chan_util_avg_period. However,
the corresponding "config_add_int" calls for these options weren't added, so
attempting to actually use these options and change their values is bound to
fail - they always stay at their defaults. Add the missing code to actually
make these options work.

Fixes: 0a7657c ("hostapd: add channel utilization as config option")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-21 19:04:06 -10:00
Timo Sigurdsson
9f09c1936a hostapd: make country3 option configurable
The country3 option in hostapd.conf allows the third octet of the country
string to be set. It can be used e.g. to indicate indoor or outdoor use (see
hostapd.conf for further details). Make this option configurable but optional
in OpenWrt.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-21 19:02:33 -10:00
Michael Yartys
b9b4aef4f2 hostapd: add support for setting sae_pwe
Make it possible to specify the SAE mechanism for PWE derivation. The
following values are possible:

0 = hunting-and-pecking loop only
1 = hash-to-element only
2 = both hunting-and-pecking loop and hash-to-element enabled

hostapd currently defaults to hunting-and-pecking loop only.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2021-06-20 15:42:52 -10:00
Felix Fietkau
305c1b8d74 hostapd: configure inter-AP communication interface for 802.11r
In setups using VLAN bridge filtering, hostapd may need to communicate using
a VLAN interface on top of the bridge, instead of using the bridge directly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-05 06:53:29 +02:00
John Crispin
96e9c81aab hostapd: fix radius problem due to invalid attributes
The offending commit caused the configuration file to contain:
  radius_auth_req_attr=
  radius_acct_req_attr=
which cause hostapd to add an ATTR of type 0 into the messages.

hostapd: RADIUS message: code=4 (Accounting-Request) identifier=0 length=93
hostapd:    Attribute 40 (Acct-Status-Type) length=6
hostapd:       Value: 7
hostapd:    Attribute 30 (Called-Station-Id) length=28
hostapd:       Value: 'C4-41-1E-F5-2D-55:OpenWifi'
hostapd:    Attribute 61 (NAS-Port-Type) length=6
hostapd:       Value: 19
hostapd:    Attribute 0 (?Unknown?) length=3    <----------------
hostapd:    Attribute 55 (Event-Timestamp) length=6
hostapd:       Value: 1622726457
hostapd:    Attribute 41 (Acct-Delay-Time) length=6
hostapd:       Value: 0
hostapd:    Attribute 44 (Acct-Session-Id) length=18
hostapd:       Value: '9B5961E7235AAEC6'

Fixes: 3bd6c8c728 (hostapd: add additional radius options)
Signed-off-by: John Crispin <john@phrozen.org>
2021-06-03 16:00:51 +02:00
John Crispin
98621c9782 hostapd: add eap_server support
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
704ab6a002 hostapd: add default values for r0kh/r1kh
This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
ec223cf724 hostapd: add support for specifying the maxassoc parameter as a device option
It allows enforcing a limit on associated stations to be enforced for the
full device, e.g. in order to deal with hardware/driver limitations

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00