mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-29 18:19:02 +00:00
d12eb103e8
This PR allows a user to enable a private psk, where each station may have it's own psk or use a common psk if it is not defined. The private psk is defined using the sta's mac and a radius server is required. ppsk option should be enabled in the wireless configuration along with radius server details. When using PPSK, the key is ignored, it will be retrieved from radius server. SAE is not yet supported (private sae) in hostapd. Wireless example configuration: option encryption 'psk2+ccmp' option ppsk '1' option auth_server '127.0.0.1' option auth_secret 'radiusServerPassword' If you want to use dynamic VLAN on PPSK also include: option dynamic_vlan '2' option vlan_tagged_interface 'eth0' option vlan_bridge 'br-vlan' option vlan_naming '0' It works enabling mac address verification on radius server and requiring the tunnel-password (the private psk) from radius server. In the radius server we need to configure the users. In case of freeradius: /etc/freeradius3/mods-config/files/authorize The user and Cleartext-Password should be the mac lower case using the format "aabbccddeeff" <sta mac> Cleartext-Password := "<sta mac>" Tunnel-Password = <Private Password> Example of a user configured in radius and using dynamic VLAN5: 8cb84a000000 Cleartext-Password := "8cb84a000000" Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 5, Tunnel-Password = MyPrivPw If we want to have a default or shared psk, used when the mac is not found in the list, we need to add the following at the end of the radius authorize file: DEFAULT Auth-Type := Accept Tunnel-Password = SharedPw And if using VLANs, for example VLAN6 for default users: DEFAULT Auth-Type := Accept Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 6, Tunnel-Password = SharedPw Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com> |
||
---|---|---|
.. | ||
config | ||
ipv6 | ||
services | ||
utils |