ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other
wps related uci options.
Signed-off-by: Steven Honson <steven@honson.id.au>
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.
Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
wpa_supplicant allows only SAE as the key management
type for mesh mode. The recent key_mgmt rework unconditionally
added WPA-PSK - this breaks interface bringup and wpa_s
throws this error message:
Line 10: key_mgmt for mesh network should be open or SAE
Line 10: failed to parse network block.
Failed to read or parse configuration '/var/run/wpa_supplicant-wlan0.conf
Fix this by making sure that only SAE is used for mesh.
Signed-off-by: Sujith Manoharan <m.sujith@gmail.com>
Enable support for stronger SHA256-based algorithms in hostapd and
wpa_supplicant when using WPA-EAP or WPA-PSK with 802.11w enabled.
We cannot unconditionally enable it, as it requires hostapd to be
compiled with 802.11w support, which is disabled in the -mini variants.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Now that wpa_key_mgmt handling for hostapd and wpa_supplicant are
consistent, we can move parts of it to a dedicated function.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Rework wpa_key_mgmt handling for wpa_supplicant to be consistent with
how it is done for hostapd.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.
Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require. From the documentation:
anonymous_identity: Anonymous identity string for EAP (to be used as the
unencrypted identity with EAP types that support different tunnelled
identity, e.g., EAP-TTLS).
This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49181
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48345
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.
Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 48099
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47615
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"
Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.
This is only useful for really old client devices that don't
accept eapol_version=2.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.
Signed-off-by: Gong Cheng <chengg11@yahoo.com>
SVN-Revision: 46652
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.
Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).
Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
SVN-Revision: 46377
Two errors "netifd: radio0: sh: bad number" have recently surfaced in system
log in trunk when wifi interfaces come up. I tracked the errors to checking
numerical values of some config options without ensuring that the option has
any value.
The errors I see have apparently been introduced by r45051 (ieee80211r in
hostapd) and r45326 (start_disabled in mac80211). My patches fix two
instances of "bad number", but there may be a third one, as the original
report in bug 19345 pre-dates r45326 and already has two "bad number" errors
for radio0.
https://dev.openwrt.org/ticket/19345
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45380
To enable 802.11r, wpa_key_mgmt should contain FT-EAP or FT-PSK. Allow
multiple key management algorithms to make this possible.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45050
The 802.11r implementation in hostapd uses nas_identifier as PMK-R0 Key
Holder identifier. As 802.11r can also be used with WPA Personal, nasid
should be appended to the hostapd config for all WPA types.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45049
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This is especially useful if an OpenWrt device with two radios is used to
retransmit the same network (one in AP mode for other clients, one as STA for
the uplink); the following configuration prevents the device from associating
with itself, given that the own AP to be avoided is using the bssid
'C0:FF:EE:D0:0D:42':
config wifi-iface
option device 'radio2'
option network 'uplink'
option mode 'sta'
option ssid 'MyNetwork'
option encryption 'none'
list bssid_blacklist 'C0:FF:EE:D0:0D:42/00:FF:FF:FF:FF:FF'
This change consists of the following cherry-picked upstream commits:
b3d6a0a8259002448a29f14855d58fe0a624ab76
b83e455451a875ba233b3b8ac29aff8b62f064f2
79cd993a623e101952b81fa6a29c674cd858504f
(squashed to implement bssid_{white,black}lists)
0047306bc9ab7d46e8cc22ff9a3e876c47626473
(Add os_snprintf_error() helper)
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 44438
The uapsd option sets the uapsd_advertisement_enabled flag in hostapd.
The check for phy support is already implemented here in hostapd since 2011:
http://w1.fi/cgit/hostap/commit/?id=70619a5d8a3d32faa43d66bcb1b670cacf0c243e
So this can be safely set to 1 as default.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43846
In r41872 and r42787 Dynamic VLAN support was reintroduced, but the vlan_bridge
parameter is not read while setting up the config, so the default is used which
is undesirable for some uses.
Signed-off-by: Ben Franske <ben.mm@franske.com>
SVN-Revision: 43473
The wpa_psk_file option offers the possibility to use a different WPA-PSK key for each client. The directive points to a file with the following syntax:
mac_address wpa_passphrase_or_hex_key
Example:
00:11:22:33:44:55 passphrase_for_client_1
00:11:22:33:44:67 passphrase_for_client_2
00:11:22:33:44:89 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
So it is possible to specify both ASCII passphrases and raw 64-chars hex keys.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43001
In r41872 Dynamic VLAN support was reintroduced, but the vlan_naming
parameter is not read while setting up the config, so it always
defaults to 1.
Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
SVN-Revision: 42787
This patch brings full dynamic vlan support to netifd that existed in hostapd.sh in Attitude Adjustment.
Signed-off-by: Joseph CG Walker <Joe@ChubbyPenguin.net>
[jow@openwrt.org: changed commit message, rebased on top of current hostapd.sh]
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 41872
rsn_preauth is used outside of "case $auth_type", so if it is set
for an EAP-enabled SSID, it would also be set for the following
non-EAP-enabled SSIDs, because it would not be read again.
Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
SVN-Revision: 41012
`own_ip_addr` is used by hostapd as NAS-IP-Address.
This is used to identify the AP that is requesting the authentication of the
user and could be used to define which AP's can authenticate users.
Some vendors implement only NAS-Identifier or NAS-IP-Address and not both.
This patch adds ownip as an optional parameter in /etc/config/wireless.
Signed-off-by: Thomas Wouters <thomaswouters@gmail.com>
SVN-Revision: 40934
This patch implements support for 802.11s protected mesh wireless networks (using authsae) in the netifd framework.
Until meshd-nl80211 implements a proper -P option for the PID file, this uses shell backgrounding in order to be able to get the PID for the process.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 40497
r39995 introduced a new parameter wps_pbc_in_m1 to wifi wps config, but
apparently did not provide a default value 0.
When that option's non-existing value is later evaluated in
/lib/netifd/hostapd.sh, it causes the "bad number" error to be logged in
syslog if user has not set the wps_pbc_in_m1 option. The error materialises
only if user has enabled wps.
Sat Apr 12 13:25:01 2014 daemon.notice netifd: radio1 (1254): sh: bad number
Sat Apr 12 13:25:01 2014 daemon.notice netifd: radio0 (1253): sh: bad number
Discussion in bug 15508: https://dev.openwrt.org/ticket/15508#comment:3
Error is caused by line 282:
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/netifd.sh#L282
My patch sets the parameter's default value to 0, which does nothing. The
default might also be set a bit later in the function, but this felt like the
most clear place to do that.
Signed-off-by hnyman <hannu.nyman@iki.fi>
SVN-Revision: 40469
Option pbc_in_m1 is being used as a WPS capability discovery
workaround for PBC with Windows 7.
Add possibility to enable this workaround from UCI.
To enable it, turn on wps and set wps_pbc_in_m1 parameter to 1.
Signed-off-by: Pawel Kulakowski <pawel.kulakowski@tieto.com>
SVN-Revision: 39995