Differences

This shows you the differences between two versions of the page.

technical:ppsk-hostapd [2024/04/22 08:25] – [wpa_psk_radius=3] system
technical:ppsk-hostapd [2024/04/30 08:22] (current) – [Key specific for VLAN] system
Line 5: Line 5:
  
 ----- -----
-====== Private PSK (PPSK) feature on hostapd ======+====== Private PSK (PPSK) function on hostapd ======
 ===== File or RADIUS ===== ===== File or RADIUS =====
-  * The PPSK feature in hostapd gives the user the choice of providing the PPSKs using a file or using RADIUS. +  * The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS. 
-  * Having the option of supplying the PPSKs in a text file allows for quick and simplified deployments.+  * The option to provide the PPSKs in a text file enables fast and simplified provisioning.
  
 ------ ------
 ===== FILE - Quick and dirty PPSK on OpenWrt ===== ===== FILE - Quick and dirty PPSK on OpenWrt =====
-  * We assume you are familiar with the UCI system in OpenWrt. +  * We assume that you are familiar with the UCI system in OpenWrt. 
-  * Configure SSID with WPA2 pre shared key.+  * Configure an SSID with WPA2 pre-shared key.
 <code bash> <code bash>
 config wifi-iface 'two' config wifi-iface 'two'
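Review bot: "function" in the new title and first bullet reads as a literal translation and is a worse fit than the old "feature"; keep "Private PSK (PPSK) feature on hostapd" and "The PPSK feature in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS." The other rewordings in this hunk (via a file or via RADIUS, fast and simplified provisioning) are fine.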
Line 27: Line 27:
    option ssid 'RADIUSdesk'    option ssid 'RADIUSdesk'
 </code>  </code> 
-  * Next we will replace the key which is a single value (12345678) with a file with multiple keys.+  * Nextwe will replace the keywhich is a single value (12345678)with a file with multiple keys.
 <code bash> <code bash>
 config wifi-iface 'two' config wifi-iface 'two'
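Review bot: the new right-hand bullet has lost its commas and the spaces around them ("Nextwe will replace the keywhich is a single value (12345678)with a file"); it should read "Next, we will replace the key, which is a single value (12345678), with a file with multiple keys." While touching it, add one caveat: 12345678 is the shortest passphrase WPA2 accepts and is only a placeholder for the example; the per-user keys placed in the file should be long random passphrases, since anyone who guesses any one entry in the file joins the SSID.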
Line 57: Line 57:
 wifi up wifi up
 </code> </code>
-  * hostapd will now go through the list in the PSK file and see if it can find a match when someone tries to connect to the SSID.+  * hostapd now goes through the list in the PSK file and checks whether it finds a match when someone tries to connect to the SSID.
  
 --------- ---------
  
 ===== FILE - Advanced PPSK on OpenWrt ===== ===== FILE - Advanced PPSK on OpenWrt =====
-  * The first section covered a very basic PPSK implementation. +  * The first section dealt with a very simple PPSK implementation. 
-  * This section will look at more advanced options including MAC and VLAN association with certain keys. +  * This section is about more advanced optionsincluding mapping MAC and VLAN to specific keys. 
-  * You can also visit [[https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696|this]] forum discussion which is where most of the info comes from.+  * You can also visit [[https://forum.openwrt.org/t/individual-per-passphrase-wifi-vlans-using-wpa-psk-file-no-radius-required/161696|this]] forum discussion where most of the information comes from.
 ==== Key specific for MAC ====   ==== Key specific for MAC ====  
   * If we look at the comments of the sample psk.list file we see the following   * If we look at the comments of the sample psk.list file we see the following
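Review bot: "checks whether it finds a match" in the rewritten bullet is vaguer than what hostapd actually does; say that hostapd tries each key in the PSK file against the client's 4-way handshake until one verifies and rejects the client when none does, which also tells the reader why a large file costs a little per connection. Minor: "If we look at the comments of the sample psk.list file, we see the following" needs the comma.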
Line 75: Line 75:
 00:11:22:33:44:55 paperplane 00:11:22:33:44:55 paperplane
 </code> </code>
-  * The 256-bit hex value alternative is a hash that includes the specific SSID a user will be connecting to+  * The alternative 256-bit hex value is a hash that contains the specific SSID to which a user connects
-  * You can generate the value using this online JavaScript based utility from WireShark.(https://www.wireshark.org/tools/wpa-psk.html) +  * You can generate the value using this JavaScript-based online utility from WireShark.(https://www.wireshark.org/tools/wpa-psk.html) 
-  * If you specify a specific MAC Address for a certain device, keep the following in mind. +  * When you specify a specific MAC address for a specific device, you should keep the following in mind. 
-      * The MAC Address is the MAC Address of the WiFi radio trying to connect to the SSID and NOT the MAC Address of the Ethernet interface of a laptop for instance+      * The MAC address is the MAC address of the WiFi radio that is trying to connect to the SSID and NOT the MAC address of the Ethernet interface of e.g. a laptop. 
-      * If your phone has WiFi that supports both 2.4G and 5G, the device typically have a radio for each frequency band and then also a MAC Address for each radio. +      * If your phone has WiFi that supports both 2.4G and 5G, the device will usually have a radio for each frequency band and then also a MAC address for each radio. 
-      * Also remember there is a recent feature on Android and Apple phones of MAC randomisation which might also cause the MAC Address to change.+      * Also remember that there is a recent MAC randomisation feature on Android and Apple phones which can also cause the MAC address to change.
  
 ==== Key specific for VLAN ====   ==== Key specific for VLAN ====  
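Review bot: in the Key specific for MAC hunk above, "a hash that contains the specific SSID" misdescribes the 256-bit hex alternative: it is the pre-shared key itself, derived from the passphrase with PBKDF2-HMAC-SHA1 using the SSID as the salt, which is why it is only valid for one SSID and why the Wireshark tool needs both inputs. Suggested wording: "The 256-bit hex alternative is the PSK derived from the passphrase and the SSID, so it is only valid for that SSID." Also "WireShark" should be "Wireshark", and the MAC-randomisation bullet should end with the practical consequence: a phone with per-network MAC randomisation enabled will not match its MAC-bound entry, so either turn randomisation off for this SSID or give that user a 00:00:00:00:00:00 wildcard entry instead.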
Line 90: Line 90:
 vlanid=4 00:00:00:00:00:00 piledriver vlanid=4 00:00:00:00:00:00 piledriver
 </code>  </code> 
-  * With the hostapd VLAN tagging feature there are a few extra steps we need to do for it to work as intended. +  * A few additional steps are required for the VLAN tagging function of hostapd to work as intended. 
- +  * We need to include a few options to instruct hostapd how to handle the VLANs. 
-<alert type="danger">TO BE COMPLETED</alert+  * Refer to this snippet from /etc/config/wireless 
 +<code bash> 
 +option wpa_psk_file '/etc/hostapd.wpa_psk' 
 +option vlan_file '/etc/hostapd.vlan' 
 +option vlan_tagged_interface 'eth0' 
 +option vlan_bridge 'br-vlan' 
 +option dynamic_vlan '1' 
 +</code
 +  * Then here is an example of hostapd.vlan 
 +<code bash> 
 +# VLAN ID to network interface mapping 
 +1 vlan1 
 +2 vlan2 
 +3 vlan3 
 +4 vlan4 
 +100 guest 
 +# Optional wildcard entry matching all VLAN IDs. The first # in the interface 
 +# name will be replaced with the VLAN ID. The network interfaces are created 
 +# (and removed) dynamically based on the use. 
 +* vlan# 
 +</code> 
 +  * hostapd will create a bridge with each VLAN and automatically create tagged interfaces and make them members of this bridge: 
 +<code bash> 
 +root@OpenWrt:~# brctl show 
 +bridge name     bridge id               STP enabled     interfaces 
 +br-vlan3        8000.4018b1eb3c80       no              vlan3 
 +                                                        eth0.3 
 +br-lan          7fff.4018b1eb3c80       no              eth0 
 +</code>
  
 ------ ------
 ===== RADIUS - PPSK on OpenWrt ===== ===== RADIUS - PPSK on OpenWrt =====
-  * This section will describe how to implement RADIUS based PPSK on OpenWrt. +  * This section describes how to implement RADIUS-based PPSK on OpenWrt. 
-  * The key part to enable RADIUS based PPSK lies in the following setting in **hostapd.conf**.+  * The key to enabling RADIUS-based PPSK lies in the following setting in **hostapd.conf**.
 <code bash> <code bash>
 # Optionally, WPA passphrase can be received from RADIUS authentication server # Optionally, WPA passphrase can be received from RADIUS authentication server
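Review bot: in the Key specific for VLAN hunk, the brctl output needs a sentence saying which member is which, otherwise vlan3 here and vlan100 in the RADIUS section further down look like the same kind of interface when they are not: here vlan3 is the wireless-side interface named by the "3 vlan3" / "* vlan#" entries in hostapd.vlan, and eth0.3 is the 802.1Q sub-interface hostapd created on vlan_tagged_interface eth0, which implies vlan_naming=1 even though the /etc/config/wireless snippet does not set it; add the effective vlan_naming value to the snippet. Two smaller points: the hostapd.vlan example lists explicit entries 1-4 and 100 as well as the wildcard, so say that an explicit entry is used for its ID and the wildcard only for IDs without one; and /etc/hostapd.wpa_psk now holds every user's passphrase in clear text, so mention that it must stay readable by root only.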
Line 116: Line 143:
 #wpa_psk_radius=0 #wpa_psk_radius=0
 </code> </code>
-  * Option **3** has been recently added and this option is of great help. +  * Option **3** was recently added and this option is great help. 
-  * OpenWrt generates the hostapd config files with the help of the /lib/netifd/hostapd.sh script. +  * OpenWrt generates the hostapd configuration files using the /lib/netifd/hostapd.sh script. 
-  * This script in turn reads and interprets the /etc/config/wireless file to get the information needed to formulate the hostapd config files. +  * This script in turn reads and interprets the /etc/config/wireless file to obtain the information needed to formulate the hostapd configuration files. 
-  * The hostapd.sh script currently set the **wpa_psk_radius** value to **2** when **option ppsk '1'** is set in /etc/config/wireless.+  * The hostapd.sh script currently sets the **wpa_psk_radius** value to **2** if the **ppsk '1' option** is set in /etc/config/wireless.
   * A better option would be to set it to **3**.   * A better option would be to set it to **3**.
-  * We can look for this section in hostapd.sh+  * We can search for this section in hostapd.sh
 <code bash> <code bash>
 if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
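Review bot: the prose says "A better option would be to set it to 3" but does not say what to change; make sure the hostapd.sh snippet that follows this if-line shows both the current wpa_psk_radius=2 assignment and its replacement with 3, and add that /lib/netifd/hostapd.sh belongs to the hostapd package, so the edit is lost on a package or firmware upgrade unless it is preserved or reapplied. Minor: "this option is great help" should be "this option is a great help".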
Line 143: Line 170:
 </code> </code>
  
-  * We will look at the reason why in the next section.+  * We will look at the reason for this in the next section.
  
 ==== wpa_psk_radius=3 ==== ==== wpa_psk_radius=3 ====
-  * When wpa_psk_radius=2 or wpa_psk_radius=3 the first request from hostapd to the RADIUS server will look like this:+  * If wpa_psk_radius=2 or wpa_psk_radius=3the first request from hostapd to the RADIUS server looks like this:
 <code bash> <code bash>
 (9) Received Access-Request Id 48 from 44.88.212.194:47297 to 164.160.89.129:1812 length 160 (9) Received Access-Request Id 48 from 44.88.212.194:47297 to 164.160.89.129:1812 length 160
Line 163: Line 190:
 (9)   Tunnel-Password := "77777777" (9)   Tunnel-Password := "77777777"
 </code> </code>
-  * The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 comes in when the PPSK is not correct. +  * The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct. 
-  * When wpa_psk_radius=3, hostapd will do a follow-up attempt with additional attributes:+  * If wpa_psk_radius=2, hostapd does **NOT** make any follow-up attempts. 
 +  * If wpa_psk_radius=3, hostapd makes a follow-up attempt with additional attributes:
 <code bash> <code bash>
 (10) Received Access-Request Id 49 from 44.88.212.194:47297 to 164.160.89.129:1812 length 337 (10) Received Access-Request Id 49 from 44.88.212.194:47297 to 164.160.89.129:1812 length 337
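Review bot: the Tunnel-Password := "77777777" line shows the user's PSK travelling back in the Access-Accept; its only protection on the wire is the RADIUS Tunnel-Password obfuscation keyed by the shared secret, and these requests run between public addresses (44.88.212.194 and 164.160.89.129), so the page should say that a strong per-AP shared secret (not a default such as testing123, which the reference config below uses) or RadSec/IPsec is required before this is used across the internet. On the wording: "If wpa_psk_radius=2, hostapd does NOT make any follow-up attempts" is right but incomplete; add that with 2 the server has to pick the PSK from the MAC address in that first request alone, which is why the MAC-matching approach is needed, while 3 lets hostapd send the handshake-derived values in a second request when the first answer did not match.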
Line 179: Line 207:
 (10)   Message-Authenticator = 0xd1ff97e6c9a794077c12e015e4f8e424 (10)   Message-Authenticator = 0xd1ff97e6c9a794077c12e015e4f8e424
 </code> </code>
-  * RADIUSdesk then includes extended functionality in FreeRADIUS to process these additional attributes to try and determine the user's PPSK based on hash comparisons. +  * RADIUSdesk then includes advanced features in FreeRADIUS to process these additional attributes and attempt to determine the user's PPSK based on hash comparisons. 
-  * If a match is found an access accept is returns with the clear text of that matching hash.+  * If a match is foundan access accept is returned with the plain text of the matching hash value.
 <code bash> <code bash>
 (10) Sent Access-Accept Id 49 from 164.160.89.129:1812 to 44.88.212.194:47297 length 58 (10) Sent Access-Accept Id 49 from 164.160.89.129:1812 to 44.88.212.194:47297 length 58
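Review bot: "the plain text of the matching hash value" in the last bullet is contradictory; what the Access-Accept carries (the Tunnel-Password in the dump) is the passphrase whose derived value matched the attributes hostapd sent, so write "returns the passphrase that produced the matching hash". The previous bullet should also name the additional attributes that wpa_psk_radius=3 adds to the second Access-Request, since "these additional attributes" is the whole point of the section and the reader currently has to pick them out of the dump.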
Line 189: Line 217:
 (10) Finished request (10) Finished request
 </code> </code>
-  * This behaviour makes it possible to have PPSK in RADIUS that does not require MAC Address matching. +  * This behaviour enables PPSK in RADIUS, which does not require MAC address matching. 
-  * So to recap+  * To summarise once again
-        * When **wpa_psk_radius=2**, the RADIUS implementation will have to work on MAC Address matching and are very tedious+        *  If **wpa_psk_radius=2**, the RADIUS implementation has to work with MAC address matching and is very cumbersome
-        * When **wpa_psk_radius=3**, the RADIUS implementation can work on the encrypted value of the PSK which the user provided in order to do a hash comparison and is much more flexible. RADIUSdesk supports this option. +        *  If **wpa_psk_radius=3**, the RADIUS implementation can work with the encrypted value of the PSK specified by the user to perform a hash comparison and is therefore much more flexible. RADIUSdesk supports this option. 
 +        * However, you will need to modify the /lib/netifd/hostapd.sh file to create the hostapd configuration with this option. 
 + 
 + 
 +<alert type="warning"> 
 +=== Heads-Up === 
 + 
 + 
 +  * Interestingly, during a troubleshooting session, I left FreeRADIUS running in debug mode for a day or two while sending requests to it from hostapd. 
 +  * At some point, it stopped receiving the follow-up request no matter how many times I restarted the access points. 
 +  * Finally, out of desperation, I restarted FreeRADIUS and lo and behold, the follow-up requests started coming in again. 
 +  * Just a heads up about FreeRADIUS. 
 +</alert> 
 + 
 + 
 +==== Reference config ==== 
 +  * Let us take a look at a simple reference configuration of /etc/config/wireless in which RADIUS-based PPSK is configured. 
 +<code bash> 
 +config wifi-iface 'zero' 
 +        option ifname 'zero0' 
 +        option encryption 'psk2' 
 +        option acct_interval '300' 
 +        option mode 'ap' 
 +        option nasid 'a_hosta_53_97' 
 +        option acct_server '164.160.89.129' 
 +        option acct_secret 'testing123' 
 +        option auth_server '164.160.89.129' 
 +        option auth_secret 'testing123'   
 +        option network 'lan' 
 +        option device 'radio0' 
 +        option ssid 'PPSK-APdesk-1'            
 +        option ppsk '1'       
 +        option vlan_naming '0' 
 +        option vlan_tagged_interface 'wan' 
 +        option vlan_bridge 'br-ex_vlan' 
 +        option dynamic_vlan '1'         
 +</code> 
 +  * RADIUS-based PPSK implementations usually consist of two components: 
 +      * The private key, which is used for authentication on the WiFi network. 
 +      * The VLAN assignment, which is usually bound to the private key specified by the user. 
 +  * The VLAN assignment is optional. If the RADIUS server has not specified a VLAN in the access acceptance, hostapd does not perform VLAN tagging for the connection of this client. 
 +  * If a VLAN is specified in the RADIUS response, the following configuration options determine how hostapd handles the VLAN assignment: 
 +<code> 
 +option vlan_naming '0'                                                                                                                                                                                                                                                   
 +option vlan_tagged_interface 'wan'                                                                                                                                                                                                                                       
 +option vlan_bridge 'br-ex_vlan'                                                                                                                                                                                                                                          
 +option dynamic_vlan '1'  
 +</code> 
 +  * If a client establishes a connection and RADIUS specifies VLAN 100, for example, hostapd dynamically creates the following bridge: 
 +<code bash> 
 +brctl show 
 +bridge name bridge id STP enabled interfaces 
 +br-ex_vlan100 7fff.ae7c588014f4 no vlan100 
 + zero0.100 
 + 
 +</code> 
 +  * The name  of the bridge is formulated with the value of **vlan_bridge** and the appending of the VLAN number (100). 
 +  * The members of this bridge are the tagged WiFi client connection, zero0.100 and vlan100. 
 +  * The **vlan100** interface requires a little more explanation. Depending on the value of **vlan_naming**, which can be 0 or 1, the name of the second interface is determined. 
 +  * Have a look at this part of the hostapd documentation 
 +<code bash> 
 +# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs 
 +# to know how to name it. 
 +# 0 = vlan<XXX>, e.g., vlan1 
 +# 1 = <vlan_tagged_interface>.<XXX>, e.g. eth0.1 
 +#vlan_naming=0 
 +</code> 
 +  * So if we change our configuration to the **vlan_naming '1'** option, the bridge would look like this: 
 +<code bash> 
 +brctl show 
 +bridge name bridge id STP enabled interfaces 
 +br-ex_vlan100 7fff.ae7c588014f4 no wan.100 
 + zero0.100 
 + 
 +</code> 
 +  * Remember that for the VLAN to work correctly, you must also provide a DHCP server in the VLAN so that the client receives an IP address after it has authenticated itself in the WiFi network. 
 +  * If you do not have such a server in your current network, you can easily do this in MESHdesk and APdesk. 
 +  * The details are explained on the corresponding wiki pages. 
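Review bot: the reference config uses auth_secret and acct_secret 'testing123' together with a public RADIUS address; that secret is what keeps the Tunnel-Password (the user's PSK) and the Message-Authenticator from being recovered or forged by anyone on the path, so replace it with a strong random per-AP secret in the example or put a warning line next to it. Three wording points: "the encrypted value of the PSK specified by the user" in the wpa_psk_radius=3 bullet is not encryption, the request carries values derived from the PSK during the handshake for the hash comparison, so say "values derived from the PSK"; "The members of this bridge are the tagged WiFi client connection, zero0.100 and vlan100" should say that zero0.100 is the per-VLAN wireless interface hostapd creates for stations assigned VLAN 100 and that vlan100 (wan.100 with vlan_naming '1') is the 802.1Q sub-interface on vlan_tagged_interface 'wan', which is exactly the distinction the quoted hostapd comment makes; and "The name of the bridge is formulated with the value of vlan_bridge and the appending of the VLAN number (100)" reads better as "The bridge name is vlan_bridge with the VLAN ID appended (br-ex_vlan100)."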
  • technical/ppsk-hostapd.1713767120.txt.gz
  • Last modified: 2024/04/22 08:25
  • by system