diff --git a/README.md b/README.md
index a56e643..3647686 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
 ## Features
 * Create an AP (Access Point) at any channel.
 * Choose one of the following encryptions: WPA, WPA2, WPA/WPA2, Open (no encryption).
+* Support for Enterprise setups
 * Hide your SSID.
 * Disable communication between clients (client isolation).
 * IEEE 802.11n & 802.11ac support
@@ -74,6 +75,12 @@ ### Client Isolation:
 create_ap --isolate-clients wlan0 eth0 MyAccessPoint MyPassPhrase
+### Enterprise Network built-in RADIUS
+ create_ap --eap --eap-user-file /tmp/users.eap_hosts --eap-cert-path /tmp/certificates wlan0 eth0 MyAccessPoint
+
+### Enterprise Network Remote RADIUS
+ create_ap --eap --radius-server 192.168.1.1:1812 --radius-secret=P@ssw0rd wlan0 eth0 MyAccessPoint
+
 ## Systemd service
 Using the persistent [systemd](https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage) service
 ### Start service immediately:
diff --git a/create_ap b/create_ap
index 8fa6671..b60cb44 100755
--- a/create_ap
+++ b/create_ap
@@ -73,6 +73,30 @@ usage() {
 echo " --mkconfig Store configs in conf_file"
 echo " --config Load configs from conf_file"
 echo
+ echo "Enterprise Options:"
+ echo " --eap Enable Enterprise (EAP) wireless settings"
+ echo " Default is to use built in RADIUS server"
+ echo
+ echo " *Built in RADIUS server*"
+ echo " --eap-user-file Full path to EAP user file"
+ echo " Example my be found at:"
+ echo " https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user"
+ echo " --eap-cert-path Full path to wireless certificates"
+ echo " Name of the certs at the location:"
+ echo " - hostapd.ca.pem"
+ echo " - hostapd.dh.pem"
+ echo " - hostapd.cert.pem"
+ echo " - hostapd.key.pem"
+ echo " You will be prompted to generate a cert if no path is provided"
+ echo " --eap-key-passwd If key requires a password"
+ echo
+ echo " *Use external RADIUS server*"
+ echo " --radius-server Use an external RADIUS server rather than built in"
+ echo " Default port is 1812"
+ echo " --remote-radius [:port]"
+ echo " --radius-secret Provide shared RADIUS secret"
+ echo " --nas-ident Provide NAS identity"
+ echo
 echo "Non-Bridging Options:"
 echo " --no-dns Disable dnsmasq DNS server"
 echo " --no-dnsmasq Disable dnsmasq server completely"
@@ -99,6 +123,7 @@ usage() {
 echo " "$PROGNAME" --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase"
 echo " "$PROGNAME" --daemon wlan0 eth0 MyAccessPoint MyPassPhrase"
 echo " "$PROGNAME" --stop wlan0"
+ echo " "$PROGNAME" --eap --eap-user-file /etc/hostapd/hostapd.eap_user wlan0 eth0 MyAccessPoint"
 }
 # on success it echos a non-zero unused FD
@@ -616,6 +641,13 @@ DNS_PORT=
 HIDDEN=0
 MAC_FILTER=0
 MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept
+ENTERPRISE=0
+ENTERPRISE_CERTIFICATES_LOCATION=
+ENTERPRISE_EAPUSER_FILE=
+ENTERPRISE_PRIVATE_KEY_PASSWD=
+RADIUS_SERVER=
+RADIUS_SECRET=
+NAS_IDENT=
 ISOLATE_CLIENTS=0
 SHARE_METHOD=nat
 IEEE80211N=0
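Review bot: The usage text advertises `--remote-radius [:port]`, but the getopt list and the option parser in this commit only define `--radius-server`, so a user following the help gets an unrecognized-option error; the line should name the real option, e.g. `echo " --radius-server <host>[:port]"` (the existing `--radius-server Use an external RADIUS server rather than built in` line can keep the description). `Example my be found at:` should read `Example may be found at:`. It would also help to state on the `--radius-secret` and `--eap-key-passwd` lines that the value is passed on the command line and is therefore visible in `ps` and shell history. usage() continues outside this hunk.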
@@ -637,7 +669,8 @@ REDIRECT_TO_LOCALHOST=0
 CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS NO_DNSMASQ HIDDEN MAC_FILTER MAC_FILTER_ACCEPT ISOLATE_CLIENTS SHARE_METHOD IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE
- SSID PASSPHRASE USE_PSK)
+ SSID PASSPHRASE USE_PSK ENTERPRISE ENTERPRISE_CERTIFICATES_LOCATION ENTERPRISE_EAPUSER_FILE ENTERPRISE_PRIVATE_KEY_PASSWD
+ RADIUS_SERVER RADIUS_SECRET NAS_IDENT)
 FIX_UNMANAGED=0
 LIST_RUNNING=0
@@ -1028,7 +1061,7 @@ for ((i=0; i<$#; i++)); do
 fi
 done
-GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@")
+GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "eap","eap-user-file:","eap-cert-path:","eap-key-passwd:","radius-server:","radius-secret:","nas-ident:","help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@")
 [[ $? -ne 0 ]] && exit 1
 eval set -- "$GETOPT_ARGS"
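Review bot: `RADIUS_PORT`, which the `--radius-server` parser fills from `host:port`, is not added to CONFIG_OPTS next to `RADIUS_SERVER`, so a configuration saved with `--mkconfig` after `--radius-server host:1645` comes back with the default port 1812 on `--config`; add `RADIUS_PORT=` to the defaults block and list it here, e.g. `RADIUS_SERVER RADIUS_PORT RADIUS_SECRET NAS_IDENT)`. Adding `RADIUS_SECRET` and `ENTERPRISE_PRIVATE_KEY_PASSWD` to this list also means `--mkconfig` now writes the RADIUS shared secret and the key password to the config file in clear; `PASSPHRASE` already had that property, but the writer is outside this hunk and I cannot see it restricting the file mode, so a `chmod 600` there and a comment here such as `# persisted verbatim by --mkconfig; the file then holds RADIUS_SECRET and the key password` would be appropriate.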
@@ -1046,6 +1079,40 @@ while :; do
 shift
 HIDDEN=1
 ;;
+ --eap)
+ shift
+ ENTERPRISE=1
+ ;;
+ --eap-user-file)
+ shift
+ ENTERPRISE_EAPUSER_FILE="$1"
+ shift
+ ;;
+ --eap-cert-path)
+ shift
+ ENTERPRISE_CERTIFICATES_LOCATION="$1"
+ shift
+ ;;
+ --eap-key-passwd)
+ shift
+ ENTERPRISE_PRIVATE_KEY_PASSWD="$1"
+ shift
+ ;;
+ --radius-server)
+ shift
+ read RADIUS_SERVER RADIUS_PORT <<< "${1//:/ }"
+ shift
+ ;;
+ --radius-secret)
+ shift
+ RADIUS_SECRET="$1"
+ shift
+ ;;
+ --nas-ident)
+ shift
+ NAS_IDENT="$1"
+ shift
+ ;;
 --mac-filter)
 shift
 MAC_FILTER=1
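Review bot: The `--radius-server` arm splits its argument on every colon with `read RADIUS_SERVER RADIUS_PORT <<< "${1//:/ }"`, so an IPv6 server address is mangled (the first hextet becomes the host and everything after it, port included, lands in RADIUS_PORT) and a non-numeric port is written into hostapd.conf unchecked. Splitting on the last colon and validating the port covers the common cases: `RADIUS_SERVER=${1%:*}`, `[[ $1 == *:* ]] && RADIUS_PORT=${1##*:}`, `[[ -z $RADIUS_PORT || $RADIUS_PORT =~ ^[0-9]+$ ]] || { echo "Invalid RADIUS port: $RADIUS_PORT" >&2; exit 1; }` (a bare IPv6 address with no port would still need bracket handling or a separate `--radius-port`). `--radius-secret` and `--eap-key-passwd` are taken from argv, so they are visible to every local user in `ps` and may land in shell history; a `--radius-secret-file` style option or an interactive prompt would be the safer interface. The enclosing `while :; do … case` loop starts and ends outside this hunk.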
@@ -1634,6 +1701,77 @@ ht_capab=${HT_CAPAB}
 EOF
 fi
+if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_CERTIFICATES_LOCATION ]] && [[ -z $RADIUS_SERVER ]]; then
+ echo "Please Provide Certificate Details"
+ $(which openssl) req -nodes -new -x509 -keyout $CONFDIR/hostapd.key.pem -out $CONFDIR/hostapd.cert.pem
+ $(which openssl) dhparam -out $CONFDIR/hostapd.dh.pem 1024
+ cp $CONFDIR/hostapd.cert.pem $CONFDIR/hostapd.ca.pem
+ ENTERPRISE_CERTIFICATES_LOCATION=$CONFDIR
+fi
+
+if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_EAPUSER_FILE ]] && [[ -z $RADIUS_SERVER ]]; then
+ echo "Using Example EAP User file"
+ echo "Please see $CONFDIR/hostapd.eap_user to create your own"
+ # I am uncertain if /usr/share/doc/hostapd/hostapd.eap_user is static on all dists.
+ cat << EOF >> $CONFDIR/hostapd.eap_user
+# Outer (phase 1) identities
+# Wildcard for all other identities
+"peap" PEAP
+"ttls" TTLS
+* PEAP,TTLS,TLS,SIM,AKA
+
+# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
+"md5" MD5 "p" [2]
+"chap" MSCHAPV2 "p" [2]
+#"t-gtc" GTC "p" [2]
+"peap" MSCHAPV2 "p" [2]
+"user" MD5,GTC,MSCHAPV2 "p" [2]
+"ttls" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "p" [2]
+EOF
+ ENTERPRISE_EAPUSER_FILE=$CONFDIR/hostapd.eap_user
+fi
+
+if [[ $ENTERPRISE -eq 1 ]]; then
+ [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3
+ if [[ -n $RADIUS_SERVER ]]; then
+ [[ -z $RADIUS_PORT ]] && RADIUS_PORT="1812"
+ [[ -z $NAS_IDENT ]] && NAS_IDENT=$(uuidgen)
+ cat << EOF >> $CONFDIR/hostapd.conf
+ieee8021x=1
+eap_server=0
+
+nas_identifier=${NAS_IDENT}
+
+auth_server_addr=${RADIUS_SERVER}
+auth_server_port=${RADIUS_PORT}
+auth_server_shared_secret=${RADIUS_SECRET}
+
+auth_algs=3
+wpa=${WPA_VERSION}
+wpa_key_mgmt=WPA-EAP
+wpa_pairwise=CCMP TKIP
+EOF
+ else
+ cat << EOF >> $CONFDIR/hostapd.conf
+ieee8021x=1
+eapol_key_index_workaround=0
+eap_server=1
+eap_user_file=${ENTERPRISE_EAPUSER_FILE}
+ca_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.ca.pem
+server_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.cert.pem
+dh_file=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.dh.pem
+private_key=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.key.pem
+private_key_passwd=${ENTERPRISE_PRIVATE_KEY_PASSWD}
+
+auth_algs=3
+wpa=${WPA_VERSION}
+wpa_key_mgmt=WPA-EAP
+wpa_pairwise=CCMP TKIP
+EOF
+ fi
+fi
+
+
 if [[ $IEEE80211AC -eq 1 ]]; then
 echo "ieee80211ac=1" >> $CONFDIR/hostapd.conf
 fi
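Review bot: When `--eap-user-file` is omitted the script writes hostapd's example user database, in which `md5`, `chap`, `peap`, `user` and `ttls` all authenticate with password `p` behind a `*` wildcard outer identity, so an AP started with just `--eap` admits anyone who has read the hostapd docs; at minimum print a prominent warning, and better refuse to start, e.g. `echo "ERROR: --eap needs --eap-user-file (the hostapd example users have public passwords)" >&2; exit 1`. The auto-generated key material is also weak: `openssl dhparam ... 1024` should become `openssl dhparam -out $CONFDIR/hostapd.dh.pem 2048`, the `req` call has no `-days`, so the self-signed cert that is then copied as the CA expires after OpenSSL's 30-day default, and the unencrypted key from `-nodes` sits in `$CONFDIR` with no `chmod 600` visible here (the directory's mode is set outside this hunk). Both hostapd.conf blocks emit `wpa_pairwise=CCMP TKIP` and `auth_algs=3`; WPA-EAP needs only `wpa_pairwise=CCMP` and `auth_algs=1`, and enabling TKIP and shared-key authentication just widens the attack surface. The external-RADIUS branch writes `auth_server_shared_secret=${RADIUS_SECRET}` even when no secret was supplied; `[[ -z $RADIUS_SECRET ]] && { echo "--radius-secret is required with --radius-server" >&2; exit 1; }` before that heredoc would catch it.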