

Private PSK (PPSK) function on hostapd

PSKs from a local file or from a RADIUS server


FILE - Quick and dirty PPSK on OpenWrt

config wifi-iface 'two'
   option ifname 'two0'
   option disabled '0'
   option encryption 'psk2'
   option isolate '0'
   option key '12345678'
   option mode 'ap'
   option network 'lan'
   option device 'radio0'
   option hidden '0'
   option ssid 'RADIUSdesk'
config wifi-iface 'two'
   option ifname 'two0'
   option disabled '0'
   option encryption 'psk2'
   option isolate '0'
   #option key '12345678'
   option wpa_psk_file /etc/psk.list
   option mode 'ap'
   option network 'lan'
   option device 'radio0'
   option hidden '0'
   option ssid 'RADIUSdesk'
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use.
00:00:00:00:00:00 highwaystar
00:00:00:00:00:00 blacknight
00:00:00:00:00:00 smokeonthewater
00:00:00:00:00:00 picturesofhome
00:00:00:00:00:00 childintime
wifi down
wifi up

FILE - Advanced PPSK on OpenWrt

Key specific to a MAC address

# List of WPA PSKs. Each line, except for empty lines and lines starting
# with #, must contain a MAC address and PSK separated with a space.
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use. PSK can be configured as an ASCII passphrase of 8..63
# characters or as a 256-bit hex PSK (64 hex digits).
00:11:22:33:44:55 paperplane

Key specific to a VLAN

# An optional VLAN ID can be specified by prefixing the line with
# vlanid=<VLAN ID>.
vlanid=3 00:00:00:00:00:00 blueforyou
vlanid=4 00:00:00:00:00:00 piledriver
option wpa_psk_file '/etc/hostapd.wpa_psk'
option vlan_file '/etc/hostapd.vlan'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option dynamic_vlan '1'
# VLAN ID to network interface mapping
1	vlan1
2	vlan2
3	vlan3
4	vlan4
100	guest
# Optional wildcard entry matching all VLAN IDs. The first # in the interface
# name will be replaced with the VLAN ID. The network interfaces are created
# (and removed) dynamically based on the use.
*	vlan#
root@OpenWrt:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-vlan3        8000.4018b1eb3c80       no              vlan3
                                                        eth0.3
br-lan          7fff.4018b1eb3c80       no              eth0

RADIUS - PPSK on OpenWrt

# Optionally, WPA passphrase can be received from RADIUS authentication server
# This requires macaddr_acl to be set to 2 (RADIUS) for wpa_psk_radius values
# 1 and 2.
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not include
#	Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
#	Tunnel-Password
# 3 = ask RADIUS server during 4-way handshake if there is no locally
#	configured PSK/passphrase for the STA
#
# The Tunnel-Password attribute in Access-Accept can contain either the
# 8..63 character ASCII passphrase or a 64 hex character encoding of the PSK.
#
#wpa_psk_radius=0
if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
	json_get_vars auth_secret auth_port
	set_default auth_port 1812
	json_for_each_item append_auth_server auth_server
	append bss_conf "macaddr_acl=2" "$N"
	append bss_conf "wpa_psk_radius=2" "$N"
elif [ ${#key} -eq 64 ]; then
if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
	json_get_vars auth_secret auth_port
	set_default auth_port 1812
	json_for_each_item append_auth_server auth_server
	append bss_conf "macaddr_acl=2" "$N"
	append bss_conf "wpa_psk_radius=3" "$N"
elif [ ${#key} -eq 64 ]; then

wpa_psk_radius=3

(9) Received Access-Request Id 48 from 44.88.212.194:47297 to 164.160.89.129:1812 length 160
(9)   User-Name = "ae0cd4e2c5ab"
(9)   User-Password = "ae0cd4e2c5ab"
(9)   NAS-Identifier = "m_hosta_51_74"
(9)   Called-Station-Id = "64-64-4A-D1-2D-69:PPSK-1"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Calling-Station-Id = "AE-0C-D4-E2-C5-AB"
(9)   Connect-Info = "CONNECT 11Mbps 802.11b"
(9)   Message-Authenticator = 0xeefd284dc6cf79df258e03b84791c2b8
(9) Sent Access-Accept Id 48 from 164.160.89.129:1812 to 44.88.212.194:47297 length 41
(9)   Tunnel-Password := "77777777"
(10) Received Access-Request Id 49 from 44.88.212.194:47297 to 164.160.89.129:1812 length 337
(10)   User-Name = "ae0cd4e2c5ab"
(10)   User-Password = "ae0cd4e2c5ab"
(10)   NAS-Identifier = "m_hosta_51_74"
(10)   Called-Station-Id = "64-64-4A-D1-2D-69:PPSK-1"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Calling-Station-Id = "AE-0C-D4-E2-C5-AB"
(10)   Connect-Info = "CONNECT 11Mbps 802.11b"
(10)   WLAN-AKM-Suite = 1027074
(10)   Attr-245.26.11344.1 = 0xc4b0e7ca5cba50304c28e6995068b4b58dfb7d82944cf9c6caba2276018debde
(10)   Attr-245.26.11344.2 = 0x0103007502010a0000000000000000000131a6c134eadc39dd97da1e4f9c0484e8b85d127f05edf553eb063248791ab0940000000000000000000000000000000000000000000000000000000000000000aad1fa6a0274d00e683b5947b4dc5e9d001630140100000fac040100000fac040100000fac020000
(10)   Message-Authenticator = 0xd1ff97e6c9a794077c12e015e4f8e424
(10) Sent Access-Accept Id 49 from 164.160.89.129:1812 to 44.88.212.194:47297 length 58
(10)   Tunnel-Medium-Type = IEEE-802
(10)   Tunnel-Type = VLAN
(10)   Tunnel-Private-Group-Id = "100"
(10)   Tunnel-Password = "11223344"
(10) Finished request

Reference config

config wifi-iface 'zero'
        option ifname 'zero0'
        option encryption 'psk2'
        option acct_interval '300'
        option mode 'ap'
        option nasid 'a_hosta_53_97'
        option acct_server '164.160.89.129'
        option acct_secret 'testing123'
        option auth_server '164.160.89.129'
        option auth_secret 'testing123'  
        option network 'lan'
        option device 'radio0'
        option ssid 'PPSK-APdesk-1'           
        option ppsk '1'      
        option vlan_naming '0'
        option vlan_tagged_interface 'wan'
        option vlan_bridge 'br-ex_vlan'
        option dynamic_vlan '1'        
option vlan_naming '0'                                                                                                                                                                                                                                                  
option vlan_tagged_interface 'wan'                                                                                                                                                                                                                                      
option vlan_bridge 'br-ex_vlan'                                                                                                                                                                                                                                         
option dynamic_vlan '1' 
brctl show
bridge name	bridge id		STP enabled	interfaces
br-ex_vlan100		7fff.ae7c588014f4	no	vlan100
							zero0.100
# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs
# to know how to name it.
# 0 = vlan<XXX>, e.g., vlan1
# 1 = <vlan_tagged_interface>.<XXX>, e.g. eth0.1
#vlan_naming=0
brctl show
bridge name	bridge id		STP enabled	interfaces
br-ex_vlan100		7fff.ae7c588014f4	no	wan.100
							zero0.100