Private PSK (PPSK) function on hostapd
File or RADIUS
- The PPSK function in hostapd gives the user the choice of providing the PPSKs via a file or via RADIUS.
- The option of providing the PPSKs in a text file enables fast and simplified provisioning.
FILE - Quick and dirty PPSK on OpenWrt
- We assume that you are familiar with the UCI system in OpenWrt.
- Configure an SSID with WPA2 pre-shared key.
config wifi-iface 'two'
	option ifname 'two0'
	option disabled '0'
	option encryption 'psk2'
	option isolate '0'
	option key '12345678'
	option mode 'ap'
	option network 'lan'
	option device 'radio0'
	option hidden '0'
	option ssid 'RADIUSdesk'
- Next, replace the single key (12345678) with a file that holds several keys: comment out option key and point option wpa_psk_file at the file.
config wifi-iface 'two'
	option ifname 'two0'
	option disabled '0'
	option encryption 'psk2'
	option isolate '0'
	#option key '12345678'
	option wpa_psk_file '/etc/psk.list'
	option mode 'ap'
	option network 'lan'
	option device 'radio0'
	option hidden '0'
	option ssid 'RADIUSdesk'
- Here are the contents of the /etc/psk.list file:
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use.
00:00:00:00:00:00 highwaystar
00:00:00:00:00:00 blacknight
00:00:00:00:00:00 smokeonthewater
00:00:00:00:00:00 picturesofhome
00:00:00:00:00:00 childintime
- Restart the WiFi network:
wifi down
wifi up
- hostapd reads the file when the BSS starts and, during the 4-way handshake of each client that connects to the SSID, tries every PSK that applies to that client (entries for its MAC address plus the 00:00:00:00:00:00 wildcard entries) until one produces a valid handshake MIC; if none does, the client is rejected.
- The file holds the credentials in plain text, so keep it readable by root only (chmod 600 /etc/psk.list).
FILE - Advanced PPSK on OpenWrt
- The first section dealt with a very basic PPSK implementation.
- This section is about more advanced options, including mapping MAC and VLAN to specific keys.
- You can also visit this forum discussion where most of the information comes from.
Key specific for MAC
- If we look at the comments of the sample psk.list file we see the following:
# List of WPA PSKs. Each line, except for empty lines and lines starting
# with #, must contain a MAC address and PSK separated with a space.
# Special MAC address 00:00:00:00:00:00 can be used to configure PSKs that
# anyone can use. PSK can be configured as an ASCII passphrase of 8..63
# characters or as a 256-bit hex PSK (64 hex digits).
00:11:22:33:44:55 paperplane
- The alternative 64-hex-digit form is the raw 256-bit PSK itself: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes of output). hostapd performs exactly this derivation on every passphrase entry when it loads the file, so a hex PSK is bound to one SSID and cannot be reused for another.
- You can generate the value with this JavaScript-based online utility from Wireshark (https://www.wireshark.org/tools/wpa-psk.html), or offline with the wpa_passphrase tool that ships with the hostapd/wpa_supplicant source (wpa_passphrase <ssid> <passphrase>). Since the hex value is the secret that protects the connection, treat it with the same care as the passphrase.
- When you specify a MAC address for a specific device, keep the following in mind.
- The MAC address is that of the WiFi interface that associates with the SSID, NOT the MAC address of the Ethernet interface of, for example, a laptop.
- A device with a separate radio per frequency band presents a different MAC address from each radio (common on access points and some laptops; most phones use a single MAC for both 2.4G and 5G), so check which address actually associates.
- Also remember that MAC randomisation, on by default since Android 10 and iOS 14, makes a phone present a per-network address that differs from its hardware MAC. The address in psk.list must be the one the phone presents to this SSID, and it can change if the user resets the network or the OS rotates it.
 
Key specific for VLAN
- If we look at the comments of the sample psk.list file we also see the following:
# An optional VLAN ID can be specified by prefixing the line with
# vlanid=<VLAN ID>.
vlanid=3 00:00:00:00:00:00 blueforyou
vlanid=4 00:00:00:00:00:00 piledriver
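Putting the three line forms from this and the previous two sections together (wildcard entries, a per-MAC entry and vlanid= entries), here is an added example written for this page, not hostapd's own parser: it validates a psk.list the way hostapd's reader would (a single malformed line makes the whole file unusable, so hostapd will not bring the BSS up), and it can rewrite passphrase entries as SSID-bound hex PSKs using the same PBKDF2-HMAC-SHA1 derivation hostapd applies at load time. The sample file and the "RADIUSdesk" SSID are taken from the sections above; the 1..4094 VLAN range check is this example's own choice.

```python
"""Parse, validate and render hostapd wpa_psk_file entries.

Added example for this page, not hostapd's own parser. Line format:
  [vlanid=<id> ]<MAC or 00:00:00:00:00:00> <passphrase 8..63 chars | 64 hex digits>
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

WILDCARD_MAC = "00:00:00:00:00:00"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HEX_PSK_RE = re.compile(r"^[0-9a-fA-F]{64}$")


@dataclass
class PskEntry:
    mac: str
    psk: str
    vlanid: Optional[int] = None

    def is_hex(self) -> bool:
        return HEX_PSK_RE.match(self.psk) is not None


def passphrase_to_hex_psk(ssid: str, passphrase: str) -> str:
    """WPA2 passphrase -> 256-bit PSK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds.
    The result is only valid for this SSID; hostapd does the same at config load."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def parse_psk_file(text: str) -> list[PskEntry]:
    """Return the entries of a wpa_psk_file, raising ValueError on the first bad line."""
    entries: list[PskEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        vlanid = None
        if line.startswith("vlanid="):
            prefix, _, line = line.partition(" ")
            try:
                vlanid = int(prefix[len("vlanid="):])
            except ValueError:
                raise ValueError(f"line {lineno}: bad VLAN prefix {prefix!r}") from None
            if not 1 <= vlanid <= 4094:  # range check chosen for this example
                raise ValueError(f"line {lineno}: VLAN ID {vlanid} out of range")
        mac, _, psk = line.partition(" ")
        mac = mac.lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        if not (HEX_PSK_RE.match(psk) or 8 <= len(psk) <= 63):
            raise ValueError(f"line {lineno}: PSK must be 8..63 characters or 64 hex digits")
        entries.append(PskEntry(mac, psk, vlanid))
    return entries


def check_psk_file(text: str) -> Optional[str]:
    """None if the file would load, otherwise the first problem found."""
    try:
        parse_psk_file(text)
    except ValueError as err:
        return str(err)
    return None


def render_psk_file(entries: list[PskEntry], ssid: Optional[str] = None) -> str:
    """Write entries back out; with an SSID, passphrases become hex PSKs for that SSID."""
    lines = ["# vlanid=<id> (optional) <MAC or 00:00:00:00:00:00> <passphrase or 64 hex digits>"]
    for e in entries:
        psk = passphrase_to_hex_psk(ssid, e.psk) if ssid and not e.is_hex() else e.psk
        prefix = f"vlanid={e.vlanid} " if e.vlanid is not None else ""
        lines.append(f"{prefix}{e.mac} {psk}")
    return "\n".join(lines) + "\n"


# Constructed sample combining the line forms from the sections above.
SAMPLE_PSK_FILE = """\
# anyone may use these
00:00:00:00:00:00 highwaystar
00:00:00:00:00:00 blacknight
# one device only
00:11:22:33:44:55 paperplane
# the key selects the VLAN
vlanid=3 00:00:00:00:00:00 blueforyou
vlanid=4 00:00:00:00:00:00 piledriver
"""

if __name__ == "__main__":
    entries = parse_psk_file(SAMPLE_PSK_FILE)
    print(render_psk_file(entries, ssid="RADIUSdesk"), end="")
    # a 5-character key: hostapd would refuse the whole file, not just this line
    print(check_psk_file("00:00:00:00:00:00 short\n"))
```

Run check_psk_file over the file before wifi up; a rejected file shows up as the SSID silently not coming up, which is slow to diagnose from the logs alone.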
- A few additional steps are required for the VLAN tagging function of hostapd to work as intended.
TO BE COMPLETED
RADIUS - PPSK on OpenWrt
- This section describes how to implement RADIUS-based PPSK on OpenWrt.
- The key to enabling RADIUS-based PPSK lies in the following setting in hostapd.conf:
# Optionally, WPA passphrase can be received from RADIUS authentication server
# This requires macaddr_acl to be set to 2 (RADIUS) for wpa_psk_radius values
# 1 and 2.
# 0 = disabled (default)
# 1 = optional; use default passphrase/psk if RADIUS server does not include
#	Tunnel-Password
# 2 = required; reject authentication if RADIUS server does not include
#	Tunnel-Password
# 3 = ask RADIUS server during 4-way handshake if there is no locally
#	configured PSK/passphrase for the STA
#
# The Tunnel-Password attribute in Access-Accept can contain either the
# 8..63 character ASCII passphrase or a 64 hex character encoding of the PSK.
#
#wpa_psk_radius=0
- Option 3 was added recently and is the one that makes RADIUS-based PPSK practical, for the reason explained below.
- OpenWrt generates the hostapd configuration files using the /lib/netifd/hostapd.sh script.
- This script in turn reads and interprets the /etc/config/wireless file to obtain the information needed to formulate the hostapd configuration files.
- The hostapd.sh script currently sets the wpa_psk_radius value to 2 if the ppsk '1' option is set in /etc/config/wireless.
- A better option would be to set it to 3.
- We can search for this section in hostapd.sh:
if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
	json_get_vars auth_secret auth_port
	set_default auth_port 1812
	json_for_each_item append_auth_server auth_server
	append bss_conf "macaddr_acl=2" "$N"
	append bss_conf "wpa_psk_radius=2" "$N"
elif [ ${#key} -eq 64 ]; then
- And change it to:
if [ "$auth_type" = "psk" ] && [ "$ppsk" -ne 0 ] ; then
	json_get_vars auth_secret auth_port
	set_default auth_port 1812
	json_for_each_item append_auth_server auth_server
	append bss_conf "macaddr_acl=2" "$N"
	append bss_conf "wpa_psk_radius=3" "$N"
elif [ ${#key} -eq 64 ]; then
- We will look at the reason for this in the next section.
wpa_psk_radius=3
- With wpa_psk_radius=2 or wpa_psk_radius=3 (and macaddr_acl=2, which the script above sets), the first request hostapd sends to the RADIUS server is the MAC ACL lookup at association time. The client's MAC address is used as both User-Name and User-Password, and Called-Station-Id carries the BSSID and SSID:
(9) Received Access-Request Id 48 from 44.88.212.194:47297 to 164.160.89.129:1812 length 160
(9)   User-Name = "ae0cd4e2c5ab"
(9)   User-Password = "ae0cd4e2c5ab"
(9)   NAS-Identifier = "m_hosta_51_74"
(9)   Called-Station-Id = "64-64-4A-D1-2D-69:PPSK-1"
(9)   NAS-Port-Type = Wireless-802.11
(9)   Calling-Station-Id = "AE-0C-D4-E2-C5-AB"
(9)   Connect-Info = "CONNECT 11Mbps 802.11b"
(9)   Message-Authenticator = 0xeefd284dc6cf79df258e03b84791c2b8
- RADIUS will then typically reply with an Access-Accept carrying the PPSK in Tunnel-Password:
(9) Sent Access-Accept Id 48 from 164.160.89.129:1812 to 44.88.212.194:47297 length 41
(9)   Tunnel-Password := "77777777"
- The difference in behaviour between wpa_psk_radius=2 and wpa_psk_radius=3 occurs when the PPSK is not correct.
- If wpa_psk_radius=2, hostapd will NOT make any follow-up attempts.
- If wpa_psk_radius=3, hostapd makes a follow-up request during the 4-way handshake with additional attributes: WLAN-AKM-Suite (1027074 = 00-0F-AC-02, the PSK AKM) and two FreeRADIUS vendor (11344) attributes under Extended-Vendor-Specific-5. Attribute 1 is the 32-byte ANonce hostapd sent in message 1, and attribute 2 is the complete EAPOL-Key message 2 received from the client, which contains the client's SNonce and the MIC it computed with the key derived from its PSK. The server's dictionary here had no names for them, so FreeRADIUS prints them as raw Attr-245.26.11344.x values:
(10) Received Access-Request Id 49 from 44.88.212.194:47297 to 164.160.89.129:1812 length 337
(10)   User-Name = "ae0cd4e2c5ab"
(10)   User-Password = "ae0cd4e2c5ab"
(10)   NAS-Identifier = "m_hosta_51_74"
(10)   Called-Station-Id = "64-64-4A-D1-2D-69:PPSK-1"
(10)   NAS-Port-Type = Wireless-802.11
(10)   Calling-Station-Id = "AE-0C-D4-E2-C5-AB"
(10)   Connect-Info = "CONNECT 11Mbps 802.11b"
(10)   WLAN-AKM-Suite = 1027074
(10)   Attr-245.26.11344.1 = 0xc4b0e7ca5cba50304c28e6995068b4b58dfb7d82944cf9c6caba2276018debde
(10)   Attr-245.26.11344.2 = 0x0103007502010a0000000000000000000131a6c134eadc39dd97da1e4f9c0484e8b85d127f05edf553eb063248791ab0940000000000000000000000000000000000000000000000000000000000000000aad1fa6a0274d00e683b5947b4dc5e9d001630140100000fac040100000fac040100000fac020000
(10)   Message-Authenticator = 0xd1ff97e6c9a794077c12e015e4f8e424
- RADIUSdesk adds logic to FreeRADIUS that processes these attributes: for each PPSK it knows, it derives the PMK for the SSID, derives the PTK from the ANonce, the SNonce and the two MAC addresses, and checks whether the resulting key reproduces the MIC in message 2. The PSK itself never leaves the client; only a keyed hash of the handshake does.
- If a candidate verifies, an Access-Accept is returned with that PSK in plain text (and, optionally, a VLAN assignment), which hostapd then uses to complete the handshake:
(10) Sent Access-Accept Id 49 from 164.160.89.129:1812 to 44.88.212.194:47297 length 58
(10)   Tunnel-Medium-Type = IEEE-802
(10)   Tunnel-Type = VLAN
(10)   Tunnel-Private-Group-Id = "100"
(10)   Tunnel-Password = "11223344"
(10) Finished request
- This behaviour makes RADIUS-based PPSK work without any MAC address matching: the server only needs the list of valid PSKs.
- To summarise once again:
- If wpa_psk_radius=2, the RADIUS server must already know which PSK belongs to which MAC address when the client associates, which is cumbersome to maintain.
- If wpa_psk_radius=3, the RADIUS server receives the handshake material (ANonce and message 2 with its MIC) and can test each known PSK against that MIC, so it identifies the key the user typed without knowing the MAC address in advance. RADIUSdesk supports this option.
- However, you will need to modify /lib/netifd/hostapd.sh for OpenWrt to generate the hostapd configuration with this value. Files under /lib are not preserved by sysupgrade unless listed in /etc/sysupgrade.conf, so reapply the change (or list the file there) after upgrading.
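To make the "hash comparison" concrete, the following added example (written for this page, not RADIUSdesk's or FreeRADIUS's code) reproduces the server-side check with only Python's standard library: PMK from the passphrase by PBKDF2-HMAC-SHA1 over the SSID, KCK from the 802.11 PRF over the two nonces and MAC addresses, and the HMAC-SHA1-128 MIC over message 2 with its MIC field zeroed. page_capture_demo feeds in the values from Access-Request (10) above, assuming the SSID is the part of Called-Station-Id after the colon, the BSSID is the part before it, and the attribute hex was transcribed exactly; the two PPSKs seen in the log are the candidates. build_msg2, and the constructed MACs and nonces in the usage, exist only to exercise the recovery offline.

```python
"""Server-side PSK recovery for hostapd's wpa_psk_radius=3 follow-up request.

Added example for this page, not RADIUSdesk or FreeRADIUS code. Handles the
PSK AKM (00-0F-AC-02) with key descriptor version 2, as in the page's capture.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Iterable, Optional

# Offsets from the start of the EAPOL frame: 4-byte EAPOL header, then
# descriptor type(1) key info(2) key length(2) replay counter(8) nonce(32)
# key IV(16) key RSC(8) key ID(8) MIC(16) key data length(2) key data.
KEYINFO_OFF, NONCE_OFF, MIC_OFF = 5, 17, 81


def pmk_from_passphrase(ssid: bytes, passphrase: bytes) -> bytes:
    """WPA2 passphrase -> PMK (same derivation as a 64-hex-digit PSK in psk.list)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def prf_sha1(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n (HMAC-SHA1 variant used by the PSK AKM)."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def kck_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 128 bits of PTK = PRF-384(PMK, "Pairwise key expansion", addrs || nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_sha1(pmk, b"Pairwise key expansion", data, 48)[:16]


def parse_msg2(frame: bytes) -> tuple[bytes, bytes]:
    """Return (SNonce, MIC) from EAPOL-Key message 2 after basic sanity checks."""
    if len(frame) < 4 or frame[1] != 3:
        raise ValueError("not an EAPOL-Key frame")
    body_len = struct.unpack(">H", frame[2:4])[0]
    if len(frame) != 4 + body_len:
        raise ValueError(f"EAPOL length field says {body_len}, body is {len(frame) - 4}")
    key_info = struct.unpack(">H", frame[KEYINFO_OFF:KEYINFO_OFF + 2])[0]
    if key_info & 0x0007 != 2:
        raise ValueError("only key descriptor version 2 (HMAC-SHA1-128 MIC) handled here")
    return frame[NONCE_OFF:NONCE_OFF + 32], frame[MIC_OFF:MIC_OFF + 16]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the whole EAPOL frame with the MIC field set to zero."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def recover_psk(ssid: bytes, aa: bytes, spa: bytes, anonce: bytes, msg2: bytes,
                candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the candidate passphrase whose KCK verifies the MIC in msg2, else None."""
    snonce, mic = parse_msg2(msg2)
    for passphrase in candidates:
        kck = kck_from_pmk(pmk_from_passphrase(ssid, passphrase), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, msg2), mic):
            return passphrase
    return None


def build_msg2(ssid: bytes, passphrase: bytes, aa: bytes, spa: bytes,
               anonce: bytes, snonce: bytes, replay: int = 1) -> bytes:
    """Forge a valid message 2 for a known passphrase (only to test recover_psk offline)."""
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/CCMP/PSK
    body = (bytes([2]) + struct.pack(">HHQ", 0x010A, 0, replay) + snonce
            + bytes(16 + 8 + 8) + bytes(16) + struct.pack(">H", len(rsn_ie)) + rsn_ie)
    frame = bytes([1, 3]) + struct.pack(">H", len(body)) + body
    kck = kck_from_pmk(pmk_from_passphrase(ssid, passphrase), aa, spa, anonce, snonce)
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]


def page_capture_demo() -> Optional[bytes]:
    """Values copied from Access-Request (10) on this page (assumed transcribed exactly)."""
    ssid = b"PPSK-1"                                  # Called-Station-Id, after the colon
    aa = bytes.fromhex("64644AD12D69")                # Called-Station-Id, before the colon
    spa = bytes.fromhex("AE0CD4E2C5AB")               # Calling-Station-Id
    anonce = bytes.fromhex("c4b0e7ca5cba50304c28e6995068b4b58dfb7d82944cf9c6caba2276018debde")
    msg2 = bytes.fromhex(
        "0103007502010a0000000000000000000131a6c134eadc39dd97da1e4f9c0484e8b85d127f05edf553"
        "eb063248791ab0940000000000000000000000000000000000000000000000000000000000000000"
        "aad1fa6a0274d00e683b5947b4dc5e9d001630140100000fac040100000fac040100000fac020000")
    return recover_psk(ssid, aa, spa, anonce, msg2, [b"77777777", b"11223344"])


if __name__ == "__main__":
    print("matched PPSK from the page's capture:", page_capture_demo())
```

Each candidate costs one PBKDF2 with 4096 rounds, so the time the server spends per handshake grows linearly with the number of PPSKs on the SSID; caching the PMK per (SSID, passphrase) pair removes that cost after the first lookup.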
 
Heads-Up
- As a matter of interest, during a troubleshooting session I had FreeRADIUS running in debug mode for a day or two while sending requests from hostapd to it.
- At one stage, it would not receive the follow-up request no matter how many times I rebooted the access points.
- Eventually I restarted FreeRADIUS out of desperation and, lo and behold, the follow-up requests came in again.
- So just a heads-up on FreeRADIUS.
Reference config
- Let us look at a simple reference configuration of /etc/config/wireless that has RADIUS-based PPSK configured (the shared secret testing123 is the FreeRADIUS sample default; use your own):
config wifi-iface 'zero'
	option ifname 'zero0'
	option disabled '0'
	option encryption 'psk2'
	option acct_interval '300'
	option isolate '0'
	option mode 'ap'
	option acct_secret 'testing123'
	option auth_server '164.160.89.129'
	option network 'lan'
	option radius_acct_req_attr '126:s:a_hosta_53_97_0_58'
	option device 'radio0'
	option nasid 'a_hosta_53_97'
	option hidden '0'
	option acct_server '164.160.89.129'
	option vlan_naming '0'
	option vlan_tagged_interface 'wan'
	option vlan_bridge 'br-ex_vlan'
	option dynamic_vlan '1'
	option ssid 'PPSK-APdesk-1'
	option ppsk '1'
	option auth_secret 'testing123'
	option radius_auth_req_attr '126:s:a_hosta_53_97_0_58'
- RADIUS-based PPSK implementations typically have two components:
- The private key, which is used to authenticate onto the WiFi network.
- A VLAN assignment, which is usually tied to the private key the user provided.
 
- VLAN assignment is optional: if the RADIUS server does not specify a VLAN in the Access-Accept, hostapd does no VLAN tagging for that client's connection.
- If a VLAN is specified in the RADIUS reply, the following config options determine how hostapd handles the assignment:
	option vlan_naming '0'
	option vlan_tagged_interface 'wan'
	option vlan_bridge 'br-ex_vlan'
	option dynamic_vlan '1'
- With these settings, if a client connects and RADIUS specifies, for instance, VLAN 100, hostapd dynamically creates the following bridge:
brctl show
bridge name	bridge id		STP enabled	interfaces
br-ex_vlan100		7fff.ae7c588014f4	no	vlan100
							zero0.100
- The bridge name is formed from the value of vlan_bridge with the VLAN number (100) appended.
- The members of this bridge are the tagged WiFi client connection, zero0.100, and vlan100.
- The interface vlan100 needs a bit more explanation: it is the VLAN sub-interface hostapd creates on vlan_tagged_interface (wan here), and the value of vlan_naming, 0 or 1, determines its name.
- See this part of the hostapd documentation:
# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs
# to know how to name it.
# 0 = vlan<XXX>, e.g., vlan1
# 1 = <vlan_tagged_interface>.<XXX>, e.g. eth0.1
#vlan_naming=0
- If we thus changed our config to option vlan_naming '1', the bridge would look like this:
brctl show
bridge name	bridge id		STP enabled	interfaces
br-ex_vlan100		7fff.ae7c588014f4	no	wan.100
							zero0.100
- Remember that for the VLAN to work correctly you also need a DHCP server on that VLAN, so the client can obtain an IP address after it has authenticated onto the WiFi network; without one the client authenticates but never gets connectivity.
- If your current network does not provide that, you can easily do it in MESHdesk and APdesk.
- The details are discussed on their respective wiki pages.