diff options
author | Christian Breunig <christian@breunig.cc> | 2023-08-23 20:20:23 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-08-23 20:20:23 +0200 |
commit | db67bc204e77fb2dd7d4a76672c63bc9bbfc07e1 (patch) | |
tree | b7e61ea893f7ff0768abbdb8f02f7c7842b3a4c4 /data/templates/wifi | |
parent | f25e1c9fa166c22d2a329ae435ae8be4f80985ef (diff) | |
parent | 35a46e4abfcece1beefb898ebd7fcb688fc55de5 (diff) | |
download | vyos-1x-db67bc204e77fb2dd7d4a76672c63bc9bbfc07e1.tar.gz vyos-1x-db67bc204e77fb2dd7d4a76672c63bc9bbfc07e1.zip |
Merge pull request #2159 from c-po/t5491-wifi
wifi: T5491: allow white-/blacklisting station MAC addresses for security
Diffstat (limited to 'data/templates/wifi')
-rw-r--r-- | data/templates/wifi/hostapd.conf.j2 | 12 | ||||
-rw-r--r-- | data/templates/wifi/hostapd_accept_station.conf.j2 | 7 | ||||
-rw-r--r-- | data/templates/wifi/hostapd_deny_station.conf.j2 | 7 |
3 files changed, 24 insertions, 2 deletions
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2 index f2312d2d4..613038597 100644 --- a/data/templates/wifi/hostapd.conf.j2 +++ b/data/templates/wifi/hostapd.conf.j2 @@ -430,14 +430,22 @@ ieee80211n={{ '1' if 'n' in mode or 'ac' in mode else '0' }} ignore_broadcast_ssid=1 {% endif %} -# Station MAC address -based authentication +{% if type is vyos_defined('access-point') %} +# Station MAC address-based authentication # Please note that this kind of access control requires a driver that uses # hostapd to take care of management frame processing and as such, this can be # used with driver=hostap or driver=nl80211, but not with driver=atheros. # 0 = accept unless in deny list # 1 = deny unless in accept list # 2 = use external RADIUS server (accept/deny lists are searched first) -macaddr_acl=0 +macaddr_acl={{ '0' if security.station_address.mode is vyos_defined('accept') else '1' }} + +# Accept/deny lists are read from separate files (containing list of +# MAC addresses, one per line). Use absolute path name to make sure that the +# files can be read on SIGHUP configuration reloads. +accept_mac_file={{ hostapd_accept_station_conf }} +deny_mac_file={{ hostapd_deny_station_conf }} +{% endif %} {% if max_stations is vyos_defined %} # Maximum number of stations allowed in station table. New stations will be diff --git a/data/templates/wifi/hostapd_accept_station.conf.j2 b/data/templates/wifi/hostapd_accept_station.conf.j2 new file mode 100644 index 000000000..a381c947c --- /dev/null +++ b/data/templates/wifi/hostapd_accept_station.conf.j2 @@ -0,0 +1,7 @@ +# List of MAC addresses that are allowed to authenticate (IEEE 802.11) +# with the AP +{% if security.station_address.accept.mac is vyos_defined %} +{% for mac in security.station_address.accept.mac %} +{{ mac | lower }} +{% endfor %} +{% endif %} diff --git a/data/templates/wifi/hostapd_deny_station.conf.j2 b/data/templates/wifi/hostapd_deny_station.conf.j2 new file mode 100644 index 000000000..fb2950dda --- /dev/null +++ b/data/templates/wifi/hostapd_deny_station.conf.j2 @@ -0,0 +1,7 @@ +# List of MAC addresses that are not allowed to authenticate +# (IEEE 802.11) with the access point +{% if security.station_address.deny.mac is vyos_defined %} +{% for mac in security.station_address.deny.mac %} +{{ mac | lower }} +{% endfor %} +{% endif %} |