diff options
author | Christian Breunig <christian@breunig.cc> | 2023-08-20 14:56:12 +0200 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2023-08-20 15:02:59 +0200 |
commit | 0bfb81750045be9c8c82a8f8f7bb18f6e6136d94 (patch) | |
tree | ffd0138878c409a3e620dad153170f60e5e9b395 /smoketest/scripts/cli | |
parent | ffb798b4678f3b1bd0a40cc42b1f0477470346dc (diff) | |
download | vyos-1x-0bfb81750045be9c8c82a8f8f7bb18f6e6136d94.tar.gz vyos-1x-0bfb81750045be9c8c82a8f8f7bb18f6e6136d94.zip |
wifi: T5491: allow white-/blacklisting station MAC addresses for security
Station MAC address-based authentication means:
* 'allow' accept all clients except the one on the deny list
* 'deny' accept only clients listed on the accept list
New CLI commands:
* set interfaces wireless wlan0 security station-address mode <accept|deny>
* set interfaces wireless wlan0 security station-address accept mac <mac>
* set interfaces wireless wlan0 security station-address deny mac <mac>
Diffstat (limited to 'smoketest/scripts/cli')
-rwxr-xr-x | smoketest/scripts/cli/test_interfaces_wireless.py | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/smoketest/scripts/cli/test_interfaces_wireless.py b/smoketest/scripts/cli/test_interfaces_wireless.py index 875ca9dc6..f8686edd8 100755 --- a/smoketest/scripts/cli/test_interfaces_wireless.py +++ b/smoketest/scripts/cli/test_interfaces_wireless.py @@ -234,9 +234,51 @@ class WirelessInterfaceTest(BasicInterfaceTest.TestCase): self.assertIn(interface, bridge_members) self.cli_delete(bridge_path) - self.cli_delete(self._base_path) + + def test_wireless_security_station_address(self): + interface = 'wlan0' + ssid = 'VyOS-ACL' + + hostapd_accept_station_conf = f'/run/hostapd/{interface}_station_accept.conf' + hostapd_deny_station_conf = f'/run/hostapd/{interface}_station_deny.conf' + + accept_mac = ['00:00:00:00:ac:01', '00:00:00:00:ac:02', '00:00:00:00:ac:03', '00:00:00:00:ac:04'] + deny_mac = ['00:00:00:00:de:01', '00:00:00:00:de:02', '00:00:00:00:de:03', '00:00:00:00:de:04'] + + self.cli_set(self._base_path + [interface, 'ssid', ssid]) + self.cli_set(self._base_path + [interface, 'country-code', 'se']) + self.cli_set(self._base_path + [interface, 'type', 'access-point']) + self.cli_set(self._base_path + [interface, 'security', 'station-address', 'mode', 'accept']) + + for mac in accept_mac: + self.cli_set(self._base_path + [interface, 'security', 'station-address', 'accept', 'mac', mac]) + for mac in deny_mac: + self.cli_set(self._base_path + [interface, 'security', 'station-address', 'deny', 'mac', mac]) + self.cli_commit() + # in accept mode all addresses are allowed unless specified in the deny list + tmp = get_config_value(interface, 'macaddr_acl') + self.assertEqual(tmp, '0') + + accept_list = read_file(hostapd_accept_station_conf) + for mac in accept_mac: + self.assertIn(mac, accept_list) + + deny_list = read_file(hostapd_deny_station_conf) + for mac in deny_mac: + self.assertIn(mac, deny_list) + + # Switch mode accept -> deny + self.cli_set(self._base_path + [interface, 'security', 'station-address', 'mode', 'deny']) + self.cli_commit() + # In deny mode all addresses are denied unless specified in the allow list + tmp = get_config_value(interface, 'macaddr_acl') + self.assertEqual(tmp, '1') + + # Check for running process + self.assertTrue(process_named_running('hostapd')) + if __name__ == '__main__': check_kmod('mac80211_hwsim') unittest.main(verbosity=2) |