[openwrt/openwrt] hostapd: add ppsk option (private psk)

LEDE Commits lede-commits at lists.infradead.org
Fri Jul 15 05:48:36 PDT 2022


ansuel pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/d12eb103e875ea85c2f1e9a2e9a2922859ec9896

commit d12eb103e875ea85c2f1e9a2e9a2922859ec9896
Author: Manuel Giganto <mgigantoregistros at gmail.com>
AuthorDate: Mon Oct 12 09:44:09 2020 +0000

    hostapd: add ppsk option (private psk)
    
    This PR allows a user to enable a private psk, where each station
    may have its own psk or use a common psk if it is not defined.
    The private psk is defined using the sta's mac and a radius server
    is required.
    
    ppsk option should be enabled in the wireless configuration along with
    radius server details. When using PPSK, the key is ignored, it will be
    retrieved from radius server. SAE is not yet supported (private sae) in
    hostapd.
    
    Wireless example configuration:
            option encryption 'psk2+ccmp'
            option ppsk '1'
            option auth_server '127.0.0.1'
            option auth_secret 'radiusServerPassword'
    
    If you want to use dynamic VLAN on PPSK also include:
            option dynamic_vlan '2'
            option vlan_tagged_interface 'eth0'
            option vlan_bridge 'br-vlan'
            option vlan_naming '0'
    
    It works enabling mac address verification on radius server and
    requiring the tunnel-password (the private psk) from radius server.
    
    In the radius server we need to configure the users. In case of
    freeradius: /etc/freeradius3/mods-config/files/authorize
    The user and Cleartext-Password should be the mac lower case using the
    format "aabbccddeeff"
    
    <sta mac> Cleartext-Password := "<sta mac>"
            Tunnel-Password = <Private Password>
    
    Example of a user configured in radius and using dynamic VLAN5:
    
    8cb84a000000 Cleartext-Password := "8cb84a000000"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 5,
            Tunnel-Password = MyPrivPw
    
    If we want to have a default or shared psk, used when the mac is not
    found in the list, we need to add the following at the end of the radius
    authorize file:
    
    DEFAULT Auth-Type := Accept
            Tunnel-Password = SharedPw
    
    And if using VLANs, for example VLAN6 for default users:
    DEFAULT Auth-Type := Accept
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 6,
            Tunnel-Password = SharedPw
    
    Signed-off-by: Manuel Giganto <mgigantoregistros at gmail.com>
---
 package/network/services/hostapd/files/hostapd.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
index f11b40702c..72ff65b4f1 100644
--- a/package/network/services/hostapd/files/hostapd.sh
+++ b/package/network/services/hostapd/files/hostapd.sh
@@ -246,7 +246,7 @@ EOF
 
 hostapd_common_add_bss_config() {
 	config_add_string 'bssid:macaddr' 'ssid:string'
-	config_add_boolean wds wmm uapsd hidden utf8_ssid
+	config_add_boolean wds wmm uapsd hidden utf8_ssid ppsk
 
 	config_add_int maxassoc max_inactivity
 	config_add_boolean disassoc_low_ack isolate short_preamble skip_inactivity_poll
@@ -543,7 +543,7 @@ hostapd_set_bss_options() {
 		acct_server acct_secret acct_port acct_interval \
 		bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
 		multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
-		airtime_bss_weight airtime_bss_limit airtime_sta_weight \
+		ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
 		multicast_to_unicast proxy_arp per_sta_vif \
 		eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
 		vendor_elements fils ocv
@@ -566,6 +566,7 @@ hostapd_set_bss_options() {
 	set_default chan_util_avg_period 600
 	set_default utf8_ssid 1
 	set_default multi_ap 0
+	set_default ppsk 0
 	set_default airtime_bss_weight 0
 	set_default airtime_bss_limit 0
 	set_default eap_server 0
@@ -653,7 +654,15 @@ hostapd_set_bss_options() {
 		;;
 		psk|sae|psk-sae)
 			json_get_vars key wpa_psk_file
-			if [ ${#key} -eq 64 ]; then
+			if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
+				json_get_vars auth_server auth_secret auth_port
+				set_default auth_port 1812
+				append bss_conf "auth_server_addr=$auth_server" "$N"
+				append bss_conf "auth_server_port=$auth_port" "$N"
+				append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+				append bss_conf "macaddr_acl=2" "$N"
+				append bss_conf "wpa_psk_radius=2" "$N"
+			elif [ ${#key} -eq 64 ]; then
 				append bss_conf "wpa_psk=$key" "$N"
 			elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then
 				append bss_conf "wpa_passphrase=$key" "$N"
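Review bot: The ppsk branch writes auth_server_addr and auth_server_shared_secret without checking that auth_server and auth_secret were actually set, so an `option ppsk '1'` stanza with no RADIUS details yields `auth_server_addr=` in the generated config and the failure surfaces only as a hostapd parse error rather than at the UCI level. A guard right after the `set_default auth_port 1812` line, `[ -n "$auth_server" ] && [ -n "$auth_secret" ] || return 1`, makes the missing requirement explicit; whether the caller of hostapd_set_bss_options acts on a non-zero return should be confirmed against the rest of the file. Pairing `macaddr_acl=2` with `wpa_psk_radius=2` is the safe choice, since a RADIUS reply without Tunnel-Password then rejects the station instead of falling back to the local key, and that is worth stating above the branch, e.g. `# wpa_psk_radius=2: reject STAs whose RADIUS reply carries no Tunnel-Password`. The eap case presumably already emits the same three auth_server_* lines, so a small shared helper would avoid the duplication. hostapd_set_bss_options and its case statement both extend beyond this hunk.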



