summaryrefslogtreecommitdiff
path: root/data
diff options
context:
space:
mode:
Diffstat (limited to 'data')
-rw-r--r--data/configd-include.json3
-rw-r--r--data/templates/wifi/hostapd.conf.tmpl42
-rw-r--r--data/templates/wifi/wpa_supplicant.conf.tmpl70
3 files changed, 102 insertions, 13 deletions
diff --git a/data/configd-include.json b/data/configd-include.json
index 95aef65ad..da6fb915f 100644
--- a/data/configd-include.json
+++ b/data/configd-include.json
@@ -48,7 +48,6 @@
"system-options.py",
"system-syslog.py",
"system-timezone.py",
-"system-wifi-regdom.py",
"system_console.py",
"system_lcd.py",
"task_scheduler.py",
@@ -59,4 +58,4 @@
"vrf.py",
"vrrp.py",
"vyos_cert.py"
-] \ No newline at end of file
+]
diff --git a/data/templates/wifi/hostapd.conf.tmpl b/data/templates/wifi/hostapd.conf.tmpl
index c5e4240d1..16d9f7c98 100644
--- a/data/templates/wifi/hostapd.conf.tmpl
+++ b/data/templates/wifi/hostapd.conf.tmpl
@@ -23,7 +23,10 @@ interface={{ ifname }}
# added to the bridge automatically (brctl may refuse to do this before hostapd
# has been started to change the interface mode). If needed, the bridge
# interface is also created.
-bridge={{ is_bridge_member }}
+{# as there can only be one bridge interface it is save to loop #}
+{% for bridge in is_bridge_member %}
+bridge={{ bridge }}
+{% endfor %}
{% endif %}
# Driver interface type (hostap/wired/none/nl80211/bsd);
@@ -69,18 +72,18 @@ ssid={{ ssid }}
channel={{ channel }}
{% endif %}
-{% if mode %}
+{% if mode is defined and mode is not none %}
# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
-# needs to be set to hw_mode=a. For IEEE 802.11ax (HE) on 6 GHz this needs
-# to be set to hw_mode=a. When using ACS (see channel parameter), a
+# needs to be set to hw_mode a. For IEEE 802.11ax (HE) on 6 GHz this needs
+# to be set to hw_mode a. When using ACS (see channel parameter), a
# special value "any" can be used to indicate that any support band can be used.
# This special case is currently supported only with drivers with which
# offloaded ACS is used.
-{% if 'n' in mode %}
+{% if mode == 'n' %}
hw_mode=g
-{% elif 'ac' in mode %}
+{% elif mode == 'ac' %}
hw_mode=a
ieee80211h=1
ieee80211ac=1
@@ -529,10 +532,13 @@ wep_key{{ loop.index -1 }}={{ security.wep.key }}
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
+# Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
+# In other words, for WPA3, wpa 2 is used the configuration (and
+# wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
{% if security.wpa.mode is defined %}
-{% if security.wpa.mode == 'both' %}
+{% if security.wpa.mode == 'wpa+wpa2' %}
wpa=3
-{% elif security.wpa.mode == 'wpa2' %}
+{% elif security.wpa.mode == 'wpa2' or security.wpa.mode == 'wpa3' %}
wpa=2
{% elif security.wpa.mode == 'wpa' %}
wpa=1
@@ -592,7 +598,15 @@ wpa_passphrase={{ security.wpa.passphrase }}
# added to enable SHA256-based stronger algorithms.
# WPA-PSK = WPA-Personal / WPA2-Personal
# WPA-PSK-SHA256 = WPA2-Personal using SHA256
-wpa_key_mgmt=WPA-PSK
+# WPA-EAP = WPA-Enterprise / WPA2-Enterprise
+# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
+# SAE = SAE (WPA3-Personal)
+# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+wpa_key_mgmt=SAE
+{% else %}
+wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256
+{% endif %}
{% elif security.wpa.radius is defined %}
##### IEEE 802.1X-2004 related configuration ##################################
@@ -602,9 +616,17 @@ ieee8021x=1
# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
# added to enable SHA256-based stronger algorithms.
+# WPA-PSK = WPA-Personal / WPA2-Personal
+# WPA-PSK-SHA256 = WPA2-Personal using SHA256
# WPA-EAP = WPA-Enterprise / WPA2-Enterprise
# WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
-wpa_key_mgmt=WPA-EAP
+# SAE = SAE (WPA3-Personal)
+# WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+wpa_key_mgmt=WPA-EAP-SUITE-B-192
+{% else %}
+wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
+{% endif %}
{% if security.wpa.radius.server is defined %}
# RADIUS client forced local IP address for the access point
diff --git a/data/templates/wifi/wpa_supplicant.conf.tmpl b/data/templates/wifi/wpa_supplicant.conf.tmpl
index f84892dc0..20b4f7976 100644
--- a/data/templates/wifi/wpa_supplicant.conf.tmpl
+++ b/data/templates/wifi/wpa_supplicant.conf.tmpl
@@ -4,10 +4,78 @@
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
network={
+ # ssid: SSID (mandatory); network name in one of the optional formats:
+ # - an ASCII string with double quotation
+ # - a hex string (two characters per octet of SSID)
+ # - a printf-escaped ASCII string P"<escaped string>"
+ #
ssid="{{ ssid }}"
+
+ # scan_ssid:
+ # 0 = do not scan this SSID with specific Probe Request frames (default)
+ # 1 = scan with SSID-specific Probe Request frames (this can be used to
+ # find APs that do not accept broadcast SSID or use multiple SSIDs;
+ # this will add latency to scanning, so enable this only when needed)
scan_ssid=1
+
{% if security is defined and security.wpa is defined and security.wpa.passphrase is defined %}
- key_mgmt=WPA-PSK
+ # ieee80211w: whether management frame protection is enabled
+ # 0 = disabled (default unless changed with the global pmf parameter)
+ # 1 = optional
+ # 2 = required
+ # The most common configuration options for this based on the PMF (protected
+ # management frames) certification program are:
+ # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
+ # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
+ # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
+ # WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
+ ieee80211w=1
+
+ # key_mgmt: list of accepted authenticated key management protocols
+ # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
+ # WPA-EAP = WPA using EAP authentication
+ # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
+ # generated WEP keys
+ # NONE = WPA is not used; plaintext or static WEP could be used
+ # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
+ # instead)
+ # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
+ # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
+ # FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
+ # and using SHA384
+ # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
+ # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
+ # SAE = Simultaneous authentication of equals; pre-shared key/password -based
+ # authentication with stronger security than WPA-PSK especially when using
+ # not that strong password; a.k.a. WPA3-Personal
+ # FT-SAE = SAE with FT
+ # WPA-EAP-SUITE-B = Suite B 128-bit level
+ # WPA-EAP-SUITE-B-192 = Suite B 192-bit level
+ # OSEN = Hotspot 2.0 Rel 2 online signup connection
+ # FILS-SHA256 = Fast Initial Link Setup with SHA256
+ # FILS-SHA384 = Fast Initial Link Setup with SHA384
+ # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
+ # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
+ # OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
+ # DPP = Device Provisioning Protocol
+ # If not set, this defaults to: WPA-PSK WPA-EAP
+{% if security.wpa.mode is defined and security.wpa.mode == 'wpa3' %}
+ key_mgmt=SAE
+{% else %}
+ key_mgmt=WPA-PSK WPA-PSK-SHA256
+{% endif %}
+
+ # psk: WPA preshared key; 256-bit pre-shared key
+ # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
+ # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
+ # generated using the passphrase and SSID). ASCII passphrase must be between
+ # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
+ # be used to indicate that the PSK/passphrase is stored in external storage.
+ # This field is not needed, if WPA-EAP is used.
+ # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
+ # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
+ # startup and reconfiguration time can be optimized by generating the PSK only
+ # only when the passphrase or SSID has actually changed.
psk="{{ security.wpa.passphrase }}"
{% else %}
key_mgmt=NONE