openwrt/package/network/services/hostapd/files
Manuel Giganto d12eb103e8
hostapd: add ppsk option (private psk)
This PR allows a user to enable a private psk, where each station
may have its own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.

ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.

Wireless example configuration:
	option encryption 'psk2+ccmp'
	option ppsk '1'
	option auth_server '127.0.0.1'
	option auth_secret 'radiusServerPassword'

If you want to use dynamic VLAN on PPSK also include:
	option dynamic_vlan '2'
	option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

It works by enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.

In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"

<sta mac> Cleartext-Password := "<sta mac>"
	Tunnel-Password = <Private Password>

Example of a user configured in radius and using dynamic VLAN5:

8cb84a000000 Cleartext-Password := "8cb84a000000"
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 5,
	Tunnel-Password = MyPrivPw

If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:

DEFAULT Auth-Type := Accept
	Tunnel-Password = SharedPw

And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-ID = 6,
	Tunnel-Password = SharedPw

Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
2022-07-15 08:20:36 +02:00
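
Added example, not part of the commit or of OpenWrt: a POSIX shell helper that writes freeradius authorize entries in the format the commit message describes, normalising each station MAC to "aabbccddeeff" and refusing PSKs that are not valid WPA2 passphrases (8 to 63 characters). The function names, the "<mac> <psk> [vlan]" input format, the sample stations and the quoting of Tunnel-Password are assumptions of this example; any DEFAULT entry still has to be appended after the generated entries.

```shell
#!/bin/sh
# Added example (not part of the commit): emit freeradius "authorize" entries
# for PPSK stations in the format shown in the commit message.

# Print the MAC as 12 lower-case hex digits ("aabbccddeeff"), or fail.
normalize_mac() {
	_m=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
	case "$_m" in
		""|*[!0-9a-f]*) return 1 ;;
	esac
	[ "${#_m}" -eq 12 ] || return 1
	printf '%s\n' "$_m"
}

# ppsk_entry <mac> <psk> [vlan]: print one entry, or fail on bad input.
ppsk_entry() {
	_mac=$(normalize_mac "$1") || { echo "bad MAC: $1" >&2; return 1; }
	_psk=$2 _vlan=$3
	# A WPA2 passphrase is 8..63 characters; quotes and backslashes are
	# refused so the value cannot break out of the quoted string below.
	case "$_psk" in
		*\"*|*\\*) echo "bad PSK for $_mac" >&2; return 1 ;;
	esac
	[ "${#_psk}" -ge 8 ] && [ "${#_psk}" -le 63 ] ||
		{ echo "PSK length for $_mac" >&2; return 1; }
	case "$_vlan" in
		"") ;;
		*[!0-9]*|?????*) echo "bad VLAN: $_vlan" >&2; return 1 ;;
		*) [ "$_vlan" -ge 1 ] && [ "$_vlan" -le 4094 ] ||
			{ echo "bad VLAN: $_vlan" >&2; return 1; } ;;
	esac
	printf '%s Cleartext-Password := "%s"\n' "$_mac" "$_mac"
	if [ -n "$_vlan" ]; then
		printf '\tTunnel-Type = VLAN,\n\tTunnel-Medium-Type = IEEE-802,\n'
		printf '\tTunnel-Private-Group-ID = %s,\n' "$_vlan"
	fi
	printf '\tTunnel-Password = "%s"\n\n' "$_psk"
}

# Constructed sample stations: "<mac> <psk> [vlan]"; invalid lines are skipped.
while read -r m p v; do
	ppsk_entry "$m" "$p" "$v" || echo "skipped: $m" >&2
done <<'EOF'
8C:B8:4A:00:00:00 MyPrivPw 5
8c-b8-4a-00-00-01 AnotherPrivPw
8cb84a00000 short 5
EOF
```
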
dhcp-get-server.sh hostapd: add support for specifying the FILS DHCP server 2021-12-10 11:33:49 +01:00
hostapd-basic.config hostapd: enable compilation of OCV and add build feature discovery 2022-07-03 20:25:38 +02:00
hostapd-full.config hostapd: enable compilation of OCV and add build feature discovery 2022-07-03 20:25:38 +02:00
hostapd-mini.config hostapd: enable proxy-arp support for hostapd-full 2021-08-28 01:31:15 +02:00
hostapd.sh hostapd: add ppsk option (private psk) 2022-07-15 08:20:36 +02:00
multicall.c packages: sort network related packages into package/network/ 2012-10-10 12:32:29 +00:00
wpa_supplicant-basic.config wpa_supplicant: compile with OCV support 2022-07-03 20:25:38 +02:00
wpa_supplicant-full.config wpa_supplicant: compile with OCV support 2022-07-03 20:25:38 +02:00
wpa_supplicant-mini.config hostapd: enable the epoll-based event loop 2020-11-23 03:02:21 +00:00
wpa_supplicant-p2p.config hostapd: update to 2022-05-08 2022-06-08 23:16:06 +02:00
wpad_acl.json hostapd: run as user 'network' if procd-ujail is installed 2021-01-14 00:52:50 +00:00
wpad.init hostapd: run as user 'network' if procd-ujail is installed 2021-01-14 00:52:50 +00:00
wpad.json hostapd: run as user 'network' if procd-ujail is installed 2021-01-14 00:52:50 +00:00
wps-hotplug.sh hostapd: add fallback for WPS on stations 2021-12-27 16:32:02 +00:00