This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.
ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.
Wireless example configuration:
option encryption 'psk2+ccmp'
option ppsk '1'
option auth_server '127.0.0.1'
option auth_secret 'radiusServerPassword'
If you want to use dynamic VLAN on PPSK also include:
option dynamic_vlan '2'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.
In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"
<sta mac> Cleartext-Password := "<sta mac>"
Tunnel-Password = <Private Password>
Example of a user configured in radius and using dynamic VLAN5:
8cb84a000000 Cleartext-Password := "8cb84a000000"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 5,
Tunnel-Password = MyPrivPw
If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:
DEFAULT Auth-Type := Accept
Tunnel-Password = SharedPw
And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 6,
Tunnel-Password = SharedPw
Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile -basic and
-full variants with support for OCV. This feature can be configured in the
wireless config by setting ocv equal to one of the following values:
0 = disabled (hostapd/wpa_supplicant default)
1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
driver indicates support for operating channel validation.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:
0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
connect even if the STA doesn't send OCI or negotiate PMF.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Enabling mbo by default on 802.11ax devices breaks for encryption types
that do not enable 802.11w by default. Disable mbo by default to fix
this. Enabling mbo by default on 802.11ax devices was not explained in
the commit message anyway.
Fixes: 6eee983656 ("hostapd: introduce mbo option")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Introduce a new option mbo to toggle Multi Band Operation aka Agile
Multiband for a BSS.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.
How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.
Fix this and add Hotspot 2.0 capability to hostapd-full.
Signed-off-by: David Bauer <mail@david-bauer.net>
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.
Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.
Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.
`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.
A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.
This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.
```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 65
DEFAULT Cleartext-Password := "%{User-Name}"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 67
```
Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.
I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.
Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.
Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.
The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.
For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.
For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret". auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well. In
this case, auth_secret is empty, and the default value of the key can
be computed from the SSID alone.
Fallback to using $key when auth_secret is empty. While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
Up to now the WPS script triggered WPS on the stations only if it
could not trigger it successfully on any hostapd instance.
In a Multi-AP context, there can be a need (to establish a new
wireless backhaul link) to trigger WPS on the stations, regardless of
whether there is already a hostapd instance configured or not. The
current script makes it impossible, as if hostapd is running and
configured, WPS would always be triggered on hostapd only.
To allow both possibilities, the following changes are made:
- Change the "pressed" action to "release", so that we can make use of
the "$SEEN" variables (to know for how long the button was pressed).
- If the button is pressed for less than 3 seconds, keep the original
behavior.
- If the button is pressed for 3 seconds or more, trigger WPS on the
stations, regardless of the status of any running hostapd instance.
- Add comments explaining both behaviors.
- While at it, replace the usage of '-a' with a '[] && []'
construct (see [1]).
This gives users a "fallback" mechanism to onboard a device to a
Multi-AP network, even if the device already has a configured hostapd
instance running.
[1]: https://github.com/koalaman/shellcheck/wiki/SC2166
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server
For proto=dhcp networks, the discovered dhcp server will be used
For all other networks, udhcpc is called to discover the address
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This implements the mapping recommendations from RFC8325, with an
update from RFC8622. This ensures that DSCP marked packets are properly
sorted into WMM classes.
The map can be disabled by setting iw_qos_map_set to something invalid
like 'none'
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Both hostapd and netifd attempt to add a VLAN device to a bridge.
Depending on which one wins the race, bridge vlan settings might be incomplete,
or hostapd might run into an error and refuse to service the client.
Fix this by preventing hostapd from adding interfaces to the bridge and
instead rely entirely on netifd handling this properly
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The hostapd.sh script already has support for configuring proxy-ARP,
however no built variant has support for it enabled.
Enable proxy-ARP support for hostapd-full builds in order to allow users
to actually use this feature.
Signed-off-by: David Bauer <mail@david-bauer.net>
When using htmode 'HE20' with a radio mode that uses wpa-supplicant
(like mesh or sta), it will default to 40 MHz bw if disable_ht40 is not
set. This commit fixes this behaviour.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
With the default configuration we generate, the supplicant starts
scanning and tries to connect to any open network when the interface
is enabled.
In some cases it can be desirable to prevent the supplicant from
scanning by itself. For example, if on the same radio an AP is
configured and an unconfigured STA is added (to be configured with
WPS), the AP might not be able to beacon until the STA stops
scanning.
In such a case, the STA configuration can still be required to set
specific settings (e.g. multi_ap_backhaul_sta) so it can't be set to
"disabled" in uci (because that would prevent the supplicant from
being run at all). The alternative is to add the "disabled" parameter
to the default network block in the supplicant configuration.
This patch adds a "default_disabled" setting in UCI which, when set,
adds the "disabled" parameter to the supplicant default network block.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround
against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not
enabled by default on OpenWrt, but it is configurable through the option
wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by
exposing the option wnm_sleep_mode_no_keys. If you use the option
wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might
consider using this workaround.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Commit 0a7657c ("hostapd: add channel utilization as config option") added the
two new uci options bss_load_update_period and chan_util_avg_period. However,
the corresponding "config_add_int" calls for these options weren't added, so
attempting to actually use these options and change their values is bound to
fail - they always stay at their defaults. Add the missing code to actually
make these options work.
Fixes: 0a7657c ("hostapd: add channel utilization as config option")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
The country3 option in hostapd.conf allows the third octet of the country
string to be set. It can be used e.g. to indicate indoor or outdoor use (see
hostapd.conf for further details). Make this option configurable but optional
in OpenWrt.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Make it possible to specify the SAE mechanism for PWE derivation. The
following values are possible:
0 = hunting-and-pecking loop only
1 = hash-to-element only
2 = both hunting-and-pecking loop and hash-to-element enabled
hostapd currently defaults to hunting-and-pecking loop only.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
In setups using VLAN bridge filtering, hostapd may need to communicate using
a VLAN interface on top of the bridge, instead of using the bridge directly
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
It allows enforcing a limit on associated stations to be enforced for the
full device, e.g. in order to deal with hardware/driver limitations
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Airtime policy configuration is extremely useful in multiple BSS scenarios.
Since nowadays most people configure both private and guest networks (at
least), it makes sense to enable it by default, except for the most limited
of the variants.
Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2):
543944 bytes (airtime policy disabled)
548040 bytes (airtime policy enabled)
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Acked-by: Daniel Golle <daniel@makrotopia.org>
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.
Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")
Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
'base' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
'enc_str' was never used.
Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")
Signed-off-by: Leon M. George <leon@georgemail.eu>
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.
Signed-off-by: Etan Kissling <etan_kissling@apple.com>