Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
technical:ppsk-hostapd [2024/04/22 07:28] – system | technical:ppsk-hostapd [2024/04/30 08:22] (current) – [Key specific for VLAN] system | ||
---|---|---|---|
Line 5: | Line 5: | ||
----- | ----- | ||
- | ====== Private PSK (PPSK) | + | ====== Private PSK (PPSK) |
===== File or RADIUS ===== | ===== File or RADIUS ===== | ||
- | * The PPSK feature | + | * The PPSK function |
- | * Having the option | + | * The option |
------ | ------ | ||
===== FILE - Quick and dirty PPSK on OpenWrt ===== | ===== FILE - Quick and dirty PPSK on OpenWrt ===== | ||
- | * We assume you are familiar with the UCI system in OpenWrt. | + | * We assume |
- | * Configure | + | * Configure |
<code bash> | <code bash> | ||
config wifi-iface ' | config wifi-iface ' | ||
Line 27: | Line 27: | ||
| | ||
</ | </ | ||
- | * Next we will replace the key which is a single value (12345678) with a file with multiple keys. | + | * Next, we will replace the key, which is a single value (12345678), with a file with multiple keys. |
<code bash> | <code bash> | ||
config wifi-iface ' | config wifi-iface ' | ||
Line 57: | Line 57: | ||
wifi up | wifi up | ||
</ | </ | ||
- | * hostapd | + | * hostapd now goes through the list in the PSK file and checks whether |
--------- | --------- | ||
===== FILE - Advanced PPSK on OpenWrt ===== | ===== FILE - Advanced PPSK on OpenWrt ===== | ||
- | * The first section | + | * The first section |
- | * This section | + | * This section |
- | * You can also visit [[https:// | + | * You can also visit [[https:// |
==== Key specific for MAC ==== | ==== Key specific for MAC ==== | ||
* If we look at the comments of the sample psk.list file we see the following | * If we look at the comments of the sample psk.list file we see the following | ||
Line 75: | Line 75: | ||
00: | 00: | ||
</ | </ | ||
- | * The 256-bit hex value alternative | + | * The alternative |
- | * You can generate the value using this online | + | * You can generate the value using this JavaScript-based online |
- | * If you specify a specific MAC Address | + | * When you specify a specific MAC address |
- | * The MAC Address | + | * The MAC address |
- | * If your phone has WiFi that supports both 2.4G and 5G, the device | + | * If your phone has WiFi that supports both 2.4G and 5G, the device |
- | * Also remember there is a recent feature on Android and Apple phones | + | * Also remember |
==== Key specific for VLAN ==== | ==== Key specific for VLAN ==== | ||
Line 90: | Line 90: | ||
vlanid=4 00: | vlanid=4 00: | ||
</ | </ | ||
- | * With the hostapd | + | * A few additional steps are required for the VLAN tagging |
- | + | * We need to include a few options to instruct hostapd how to handle the VLANs. | |
- | <alert type=" | + | * Refer to this snippet from / |
+ | <code bash> | ||
+ | option wpa_psk_file '/ | ||
+ | option vlan_file '/ | ||
+ | option vlan_tagged_interface ' | ||
+ | option vlan_bridge ' | ||
+ | option dynamic_vlan ' | ||
+ | </code> | ||
+ | * Then here is an example of hostapd.vlan | ||
+ | <code bash> | ||
+ | # VLAN ID to network interface mapping | ||
+ | 1 vlan1 | ||
+ | 2 vlan2 | ||
+ | 3 vlan3 | ||
+ | 4 vlan4 | ||
+ | 100 guest | ||
+ | # Optional wildcard entry matching all VLAN IDs. The first # in the interface | ||
+ | # name will be replaced with the VLAN ID. The network interfaces are created | ||
+ | # (and removed) dynamically based on the use. | ||
+ | * vlan# | ||
+ | </ | ||
+ | * hostapd will create a bridge with each VLAN and automatically create tagged interfaces and make them members of this bridge: | ||
+ | <code bash> | ||
+ | root@OpenWrt: | ||
+ | bridge name | ||
+ | br-vlan3 | ||
+ | eth0.3 | ||
+ | br-lan | ||
+ | </ | ||
------ | ------ | ||
===== RADIUS - PPSK on OpenWrt ===== | ===== RADIUS - PPSK on OpenWrt ===== | ||
- | * This section | + | * This section |
- | * The key part to enable | + | * The key to enabling |
<code bash> | <code bash> | ||
# Optionally, WPA passphrase can be received from RADIUS authentication server | # Optionally, WPA passphrase can be received from RADIUS authentication server | ||
Line 116: | Line 143: | ||
# | # | ||
</ | </ | ||
- | * Option **3** has been recently added and this option is of great help. | + | * Option **3** was recently added and this option is a great help. |
- | * OpenWrt generates the hostapd | + | * OpenWrt generates the hostapd |
- | * This script in turn reads and interprets the / | + | * This script in turn reads and interprets the / |
- | * The hostapd.sh script currently | + | * The hostapd.sh script currently |
* A better option would be to set it to **3**. | * A better option would be to set it to **3**. | ||
- | * We can look for this section in hostapd.sh | + | * We can search |
<code bash> | <code bash> | ||
if [ " | if [ " | ||
Line 143: | Line 170: | ||
</ | </ | ||
- | * We will look at the reason | + | * We will look at the reason |
- | ====== wpa_psk_radius=3 | + | ==== wpa_psk_radius=3 ==== |
- | * When wpa_psk_radius=2 the request from hostapd to the RADIUS server | + | * If wpa_psk_radius=2 |
+ | <code bash> | ||
+ | (9) Received Access-Request Id 48 from 44.88.212.194: | ||
+ | (9) | ||
+ | (9) | ||
+ | (9) | ||
+ | (9) | ||
+ | (9) | ||
+ | (9) | ||
+ | (9) | ||
+ | (9) | ||
+ | </ | ||
+ | * RADIUS will then typically reply with an Access Accept with the PPSK | ||
+ | <code bash> | ||
+ | (9) Sent Access-Accept Id 48 from 164.160.89.129: | ||
+ | (9) | ||
+ | </ | ||
+ | * The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct. | ||
+ | * If wpa_psk_radius=2, | ||
+ | * If wpa_psk_radius=3, | ||
+ | <code bash> | ||
+ | (10) Received Access-Request Id 49 from 44.88.212.194: | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | </ | ||
+ | * RADIUSdesk then includes advanced features in FreeRADIUS to process these additional attributes and attempt to determine the user's PPSK based on hash comparisons. | ||
+ | * If a match is found, an access accept is returned with the plain text of the matching hash value. | ||
+ | <code bash> | ||
+ | (10) Sent Access-Accept Id 49 from 164.160.89.129: | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) | ||
+ | (10) Finished request | ||
+ | </ | ||
+ | * This behaviour enables PPSK in RADIUS, which does not require MAC address matching. | ||
+ | * To summarise once again: | ||
+ | * If **wpa_psk_radius=2**, | ||
+ | * If **wpa_psk_radius=3**, | ||
+ | * However, you will need to modify the / | ||
+ | |||
+ | <alert type=" | ||
+ | === Heads-Up === | ||
+ | |||
+ | |||
+ | * Interestingly, | ||
+ | * At some point, it stopped receiving the follow-up request no matter how many times I restarted the access points. | ||
+ | * Finally, out of desperation, | ||
+ | * Just a heads up about FreeRADIUS. | ||
+ | </ | ||
+ | |||
+ | |||
+ | ==== Reference config ==== | ||
+ | * Let us take a look at a simple reference configuration of / | ||
+ | <code bash> | ||
+ | config wifi-iface ' | ||
+ | option ifname ' | ||
+ | option encryption ' | ||
+ | option acct_interval ' | ||
+ | option mode ' | ||
+ | option nasid ' | ||
+ | option acct_server ' | ||
+ | option acct_secret ' | ||
+ | option auth_server ' | ||
+ | option auth_secret ' | ||
+ | option network ' | ||
+ | option device ' | ||
+ | option ssid ' | ||
+ | option ppsk ' | ||
+ | option vlan_naming ' | ||
+ | option vlan_tagged_interface ' | ||
+ | option vlan_bridge ' | ||
+ | option dynamic_vlan ' | ||
+ | </ | ||
+ | * RADIUS-based PPSK implementations usually consist of two components: | ||
+ | * The private key, which is used for authentication on the WiFi network. | ||
+ | * The VLAN assignment, which is usually bound to the private key specified by the user. | ||
+ | * The VLAN assignment is optional. If the RADIUS server has not specified a VLAN in the access acceptance, hostapd does not perform VLAN tagging for the connection of this client. | ||
+ | * If a VLAN is specified in the RADIUS response, the following configuration options determine how hostapd handles the VLAN assignment: | ||
+ | < | ||
+ | option vlan_naming ' | ||
+ | option vlan_tagged_interface ' | ||
+ | option vlan_bridge ' | ||
+ | option dynamic_vlan ' | ||
+ | </ | ||
+ | * If a client establishes a connection and RADIUS specifies VLAN 100, for example, hostapd dynamically creates the following bridge: | ||
+ | <code bash> | ||
+ | brctl show | ||
+ | bridge name bridge id STP enabled interfaces | ||
+ | br-ex_vlan100 7fff.ae7c588014f4 no vlan100 | ||
+ | zero0.100 | ||
+ | |||
+ | </ | ||
+ | * The name of the bridge is formulated with the value of **vlan_bridge** and the appending of the VLAN number (100). | ||
+ | * The members of this bridge are the tagged WiFi client connection, zero0.100 and vlan100. | ||
+ | * The **vlan100** interface requires a little more explanation. Depending on the value of **vlan_naming**, | ||
+ | * Have a look at this part of the hostapd documentation | ||
+ | <code bash> | ||
+ | # When hostapd creates a VLAN interface on vlan_tagged_interfaces, | ||
+ | # to know how to name it. | ||
+ | # 0 = vlan< | ||
+ | # 1 = < | ||
+ | # | ||
+ | </ | ||
+ | * So if we change our configuration to the **vlan_naming ' | ||
+ | <code bash> | ||
+ | brctl show | ||
+ | bridge name bridge id STP enabled interfaces | ||
+ | br-ex_vlan100 7fff.ae7c588014f4 no wan.100 | ||
+ | zero0.100 | ||
+ | |||
+ | </ | ||
+ | * Remember that for the VLAN to work correctly, you must also provide a DHCP server in the VLAN so that the client receives an IP address after it has authenticated itself in the WiFi network. | ||
+ | * If you do not have such a server in your current network, you can easily do this in MESHdesk and APdesk. | ||
+ | * The details are explained on the corresponding wiki pages. | ||