diff options
| author | Christian Breunig <christian@breunig.cc> | 2023-08-20 14:56:12 +0200 |
|---|---|---|
| committer | Christian Breunig <christian@breunig.cc> | 2023-08-20 15:02:59 +0200 |
| commit | 0bfb81750045be9c8c82a8f8f7bb18f6e6136d94 (patch) | |
| tree | ffd0138878c409a3e620dad153170f60e5e9b395 /data/templates/wifi | |
| parent | ffb798b4678f3b1bd0a40cc42b1f0477470346dc (diff) | |
| download | vyos-1x-0bfb81750045be9c8c82a8f8f7bb18f6e6136d94.tar.gz vyos-1x-0bfb81750045be9c8c82a8f8f7bb18f6e6136d94.zip | |
wifi: T5491: allow white-/blacklisting station MAC addresses for security
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
Diffstat (limited to 'data/templates/wifi')
| -rw-r--r-- | data/templates/wifi/hostapd.conf.j2 | 12 | ||||
| -rw-r--r-- | data/templates/wifi/hostapd_accept_station.conf.j2 | 7 | ||||
| -rw-r--r-- | data/templates/wifi/hostapd_deny_station.conf.j2 | 7 |
3 files changed, 24 insertions, 2 deletions
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2 index f2312d2d4..613038597 100644 --- a/data/templates/wifi/hostapd.conf.j2 +++ b/data/templates/wifi/hostapd.conf.j2 @@ -430,14 +430,22 @@ ieee80211n={{ '1' if 'n' in mode or 'ac' in mode else '0' }} ignore_broadcast_ssid=1 {% endif %} -# Station MAC address -based authentication +{% if type is vyos_defined('access-point') %} +# Station MAC address-based authentication # Please note that this kind of access control requires a driver that uses # hostapd to take care of management frame processing and as such, this can be # used with driver=hostap or driver=nl80211, but not with driver=atheros. # 0 = accept unless in deny list # 1 = deny unless in accept list # 2 = use external RADIUS server (accept/deny lists are searched first) -macaddr_acl=0 +macaddr_acl={{ '0' if security.station_address.mode is vyos_defined('accept') else '1' }} + +# Accept/deny lists are read from separate files (containing list of +# MAC addresses, one per line). Use absolute path name to make sure that the +# files can be read on SIGHUP configuration reloads. +accept_mac_file={{ hostapd_accept_station_conf }} +deny_mac_file={{ hostapd_deny_station_conf }} +{% endif %} {% if max_stations is vyos_defined %} # Maximum number of stations allowed in station table. New stations will be diff --git a/data/templates/wifi/hostapd_accept_station.conf.j2 b/data/templates/wifi/hostapd_accept_station.conf.j2 new file mode 100644 index 000000000..a381c947c --- /dev/null +++ b/data/templates/wifi/hostapd_accept_station.conf.j2 @@ -0,0 +1,7 @@ +# List of MAC addresses that are allowed to authenticate (IEEE 802.11) +# with the AP +{% if security.station_address.accept.mac is vyos_defined %} +{% for mac in security.station_address.accept.mac %} +{{ mac | lower }} +{% endfor %} +{% endif %} diff --git a/data/templates/wifi/hostapd_deny_station.conf.j2 b/data/templates/wifi/hostapd_deny_station.conf.j2 new file mode 100644 index 000000000..fb2950dda --- /dev/null +++ b/data/templates/wifi/hostapd_deny_station.conf.j2 @@ -0,0 +1,7 @@ +# List of MAC addresses that are not allowed to authenticate +# (IEEE 802.11) with the access point +{% if security.station_address.deny.mac is vyos_defined %} +{% for mac in security.station_address.deny.mac %} +{{ mac | lower }} +{% endfor %} +{% endif %} |