summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2023-08-20 14:56:12 +0200
committerChristian Breunig <christian@breunig.cc>2023-08-20 15:02:59 +0200
commit0bfb81750045be9c8c82a8f8f7bb18f6e6136d94 (patch)
treeffd0138878c409a3e620dad153170f60e5e9b395 /data
parentffb798b4678f3b1bd0a40cc42b1f0477470346dc (diff)
downloadvyos-1x-0bfb81750045be9c8c82a8f8f7bb18f6e6136d94.tar.gz
vyos-1x-0bfb81750045be9c8c82a8f8f7bb18f6e6136d94.zip
wifi: T5491: allow white-/blacklisting station MAC addresses for security
Station MAC address-based authentication means: * 'allow' accept all clients except the one on the deny list * 'deny' accept only clients listed on the accept list New CLI commands: * set interfaces wireless wlan0 security station-address mode <accept|deny> * set interfaces wireless wlan0 security station-address accept mac <mac> * set interfaces wireless wlan0 security station-address deny mac <mac>
Diffstat (limited to 'data')
-rw-r--r--data/templates/wifi/hostapd.conf.j212
-rw-r--r--data/templates/wifi/hostapd_accept_station.conf.j27
-rw-r--r--data/templates/wifi/hostapd_deny_station.conf.j27
3 files changed, 24 insertions, 2 deletions
diff --git a/data/templates/wifi/hostapd.conf.j2 b/data/templates/wifi/hostapd.conf.j2
index f2312d2d4..613038597 100644
--- a/data/templates/wifi/hostapd.conf.j2
+++ b/data/templates/wifi/hostapd.conf.j2
@@ -430,14 +430,22 @@ ieee80211n={{ '1' if 'n' in mode or 'ac' in mode else '0' }}
ignore_broadcast_ssid=1
{% endif %}
-# Station MAC address -based authentication
+{% if type is vyos_defined('access-point') %}
+# Station MAC address-based authentication
# Please note that this kind of access control requires a driver that uses
# hostapd to take care of management frame processing and as such, this can be
# used with driver=hostap or driver=nl80211, but not with driver=atheros.
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
-macaddr_acl=0
+macaddr_acl={{ '0' if security.station_address.mode is vyos_defined('accept') else '1' }}
+
+# Accept/deny lists are read from separate files (containing list of
+# MAC addresses, one per line). Use absolute path name to make sure that the
+# files can be read on SIGHUP configuration reloads.
+accept_mac_file={{ hostapd_accept_station_conf }}
+deny_mac_file={{ hostapd_deny_station_conf }}
+{% endif %}
{% if max_stations is vyos_defined %}
# Maximum number of stations allowed in station table. New stations will be
diff --git a/data/templates/wifi/hostapd_accept_station.conf.j2 b/data/templates/wifi/hostapd_accept_station.conf.j2
new file mode 100644
index 000000000..a381c947c
--- /dev/null
+++ b/data/templates/wifi/hostapd_accept_station.conf.j2
@@ -0,0 +1,7 @@
+# List of MAC addresses that are allowed to authenticate (IEEE 802.11)
+# with the AP
+{% if security.station_address.accept.mac is vyos_defined %}
+{% for mac in security.station_address.accept.mac %}
+{{ mac | lower }}
+{% endfor %}
+{% endif %}
diff --git a/data/templates/wifi/hostapd_deny_station.conf.j2 b/data/templates/wifi/hostapd_deny_station.conf.j2
new file mode 100644
index 000000000..fb2950dda
--- /dev/null
+++ b/data/templates/wifi/hostapd_deny_station.conf.j2
@@ -0,0 +1,7 @@
+# List of MAC addresses that are not allowed to authenticate
+# (IEEE 802.11) with the access point
+{% if security.station_address.deny.mac is vyos_defined %}
+{% for mac in security.station_address.deny.mac %}
+{{ mac | lower }}
+{% endfor %}
+{% endif %}