From 182c5c808315dd542a57277e3d9726d6a1c5f53d Mon Sep 17 00:00:00 2001 From: michael Date: Thu, 19 Jul 2018 18:21:02 +0200 Subject: [PATCH 01/10] added stand alone EAP mode --- README.md | 6 ++++ create_ap | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 95 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a56e643..bd70ba3 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,12 @@ ### Client Isolation: create_ap --isolate-clients wlan0 eth0 MyAccessPoint MyPassPhrase +### Enterprise Network built-in RADIUS + create_ap --enterprise --enterprise-eapfile=./users.eap_hosts --certificates=./certificates wlan0 eth0 MyAccessPoint + + + ## Systemd service Using the persistent [systemd](https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage) service ### Start service immediately: diff --git a/create_ap b/create_ap index 8fa6671..95a4435 100755 --- a/create_ap +++ b/create_ap @@ -73,6 +73,19 @@ usage() { echo " --mkconfig Store configs in conf_file" echo " --config Load configs from conf_file" echo + echo "Enterprise Options:" + echo " --eap Enable Enterprise (EAP) wireless settings" + echo " --eap-user-file Path to EAP user file" + echo " Example my be found at:" + echo " https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user" + echo " --eap-cert-path Path to wireless certificates" + echo " Name of the certs at the location:" + echo " - ca.pem" + echo " - server.pem" + echo " - server.key" + echo " You will be prompted to generate a cert if no path is provided" + echo " --eap-key-passwd If key requires a password" + echo echo "Non-Bridging Options:" echo " --no-dns Disable dnsmasq DNS server" echo " --no-dnsmasq Disable dnsmasq server completely" 
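Review bot: The `--eap-user-file` help text in the usage hunk has a typo — `echo "                  Example my be found at:"` should read `Example may be found at:`. The `--eap-key-passwd` entry should also tell the user that the passphrase is taken from the command line and therefore shows up in process listings and shell history; one extra line such as `echo "                  (visible to other users via ps; prefer an env var or prompt)"` sets that expectation. usage() begins before this hunk and continues after it.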
@@ -99,6 +112,7 @@ usage() { echo " "$PROGNAME" --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase" echo " "$PROGNAME" --daemon wlan0 eth0 MyAccessPoint MyPassPhrase" echo " "$PROGNAME" --stop wlan0" + echo " "$PROGNAME" --eap --eap-user-file /etc/hostapd/hostapd.eap_user wlan0 eth0 MyAccessPoint" } # on success it echos a non-zero unused FD @@ -616,6 +630,10 @@ DNS_PORT= HIDDEN=0 MAC_FILTER=0 MAC_FILTER_ACCEPT=/etc/hostapd/hostapd.accept +ENTERPRISE=0 +ENTERPRISE_CERTIFICATES_LOCATION= +ENTERPRISE_EAPUSER_FILE= +ENTERPRISE_PRIVATE_KEY_PASSWD= ISOLATE_CLIENTS=0 SHARE_METHOD=nat IEEE80211N=0 @@ -637,7 +655,7 @@ REDIRECT_TO_LOCALHOST=0 CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS NO_DNSMASQ HIDDEN MAC_FILTER MAC_FILTER_ACCEPT ISOLATE_CLIENTS SHARE_METHOD IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE - SSID PASSPHRASE USE_PSK) + SSID PASSPHRASE USE_PSK ENTERPRISE ENTERPRISE_CERTIFICATES_LOCATION ENTERPRISE_EAPUSER_FILE ENTERPRISE_PRIVATE_KEY_PASSWD) FIX_UNMANAGED=0 LIST_RUNNING=0 
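Review bot: Adding `ENTERPRISE_PRIVATE_KEY_PASSWD` to `CONFIG_OPTS` means `--mkconfig` presumably writes the private-key passphrase into the config file in the clear, next to the existing `PASSPHRASE` entry. That is consistent with current behaviour, but the `--mkconfig` help line should say the generated file holds secrets and must be protected, and the writer should set restrictive permissions on it (`chmod 600` on the written file) if it does not already — how the config file is created is not visible in this patch.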
@@ -1028,7 +1046,7 @@ for ((i=0; i<$#; i++)); do fi done -GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@") +GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "eap","eap-user-file:","eap-cert-path:","eap-key-passwd:","help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@") [[ $? -ne 0 ]] && exit 1 eval set -- "$GETOPT_ARGS" @@ -1046,6 +1064,25 @@ while :; do shift HIDDEN=1 ;; + --eap) + shift + ENTERPRISE=1 + ;; + --eap-user-file) + shift + ENTERPRISE_EAPUSER_FILE="$1" + shift + ;; + --eap-cert-path) + shift + ENTERPRISE_CERTIFICATES_LOCATION="$1" + shift + ;; + --eap-key-passwd) + shift + ENTERPRISE_PRIVATE_KEY_PASSWD="$1" + shift + ;; --mac-filter) shift MAC_FILTER=1 
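Review bot: `ENTERPRISE_EAPUSER_FILE="$1"` and `ENTERPRISE_CERTIFICATES_LOCATION="$1"` accept any string, so a mistyped path is only discovered when hostapd fails to start. A fail-fast check after option parsing, such as `[[ -z $ENTERPRISE_EAPUSER_FILE || -r $ENTERPRISE_EAPUSER_FILE ]] || { echo "EAP user file not readable: $ENTERPRISE_EAPUSER_FILE" >&2; exit 1; }` (and the same with `-d` for the certificate directory), gives a clearer error. The `while :; do … case` loop starts before this hunk and continues after it.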
@@ -1634,6 +1671,56 @@ ht_capab=${HT_CAPAB} EOF fi +if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_CERTIFICATES_LOCATION ]]; then + echo "Please Provide Certificate Details" + $(which openssl) req -nodes -new -x509 -keyout $CONFDIR/server.key -out $CONFDIR/server.pem + cp $CONFDIR/server.pem $CONFDIR/ca.pem + ENTERPRISE_CERTIFICATES_LOCATION=$CONFDIR +fi + +if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_EAPUSER_FILE ]]; then + echo "Using Example EAP User file" + echo "Please see $CONFDIR/hostapd.eap_user to create your own" + # I am uncertain if /usr/share/doc/hostapd/hostapd.eap_user is static on all dists. + cat << EOF >> $CONFDIR/hostapd.eap_user +# Outer (phase 1) identities +# Wildcard for all other identities +"peap" PEAP +"ttls" TTLS +* PEAP,TTLS,TLS,SIM,AKA + +# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users +"md5" MD5 "p" [2] +"chap" MSCHAPV2 "p" [2] +#"t-gtc" GTC "p" [2] +"peap" MSCHAPV2 "p" [2] +"user" MD5,GTC,MSCHAPV2 "p" [2] +"ttls" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "p" [2] +EOF + ENTERPRISE_EAPUSER_FILE=$CONFDIR/hostapd.eap_user +fi + +if [[ $ENTERPRISE -eq 1 ]]; then + cat << EOF >> $CONFDIR/hostapd.conf +eap_server=1 +eap_user_file=${ENTERPRISE_EAPUSER_FILE} +ca_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/ca.pem +server_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/server.pem +private_key=${ENTERPRISE_CERTIFICATES_LOCATION}/server.key +private_key_passwd=${ENTERPRISE_PRIVATE_KEY_PASSWD} +# pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f +# eap_fast_a_id=101112131415161718191a1b1c1d1e1f +# eap_fast_a_id_info=test server +# eap_fast_prov=3 +# pac_key_lifetime=604800 +# pac_key_refresh_time=86400 + +wpa=${WPA_VERSION} +wpa_key_mgmt=WPA-EAP +wpa_pairwise=TKIP CCMP +EOF +fi + if [[ $IEEE80211AC -eq 1 ]]; then echo "ieee80211ac=1" >> $CONFDIR/hostapd.conf fi From de5f253fb53f16439242932c441f29af34ddf960 Mon Sep 17 00:00:00 2001 
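Review bot: The fallback for a missing `--eap-user-file` installs hostapd's sample user file — wildcard identities with the password `"p"` — as the live authentication database, so the AP comes up with publicly documented default credentials. It would be safer to exit with an error (or require an explicit opt-in flag) than to fall back silently; if the fallback stays, the printed message should say these are the published sample passwords. Separately, `$(which openssl) req -nodes …` can be plain `openssl req …` guarded by `command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }`, and `$CONFDIR` should be quoted in the `-keyout`/`-out`/`cp` arguments. `-nodes` leaves the generated key unencrypted under `$CONFDIR`, so its protection depends on the umask in effect; a `chmod 600` on the key file after generation would not hurt.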
From: michael Date: Thu, 19 Jul 2018 18:36:53 +0200 Subject: [PATCH 02/10] updated readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bd70ba3..719c86c 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ create_ap --isolate-clients wlan0 eth0 MyAccessPoint MyPassPhrase ### Enterprise Network built-in RADIUS - create_ap --enterprise --enterprise-eapfile=./users.eap_hosts --certificates=./certificates wlan0 eth0 MyAccessPoint + create_ap --eap --eap-user-file /tmp/users.eap_hosts --eap-cert-path /tmp/certificates wlan0 eth0 MyAccessPoint From 854363a03b622dd406b228af63c64f30c532422d Mon Sep 17 00:00:00 2001 From: michael Date: Thu, 19 Jul 2018 19:03:17 +0200 Subject: [PATCH 03/10] specified paths more clearly --- create_ap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/create_ap b/create_ap index 95a4435..ec5f6c9 100755 --- a/create_ap +++ b/create_ap @@ -75,10 +75,10 @@ usage() { echo echo "Enterprise Options:" echo " --eap Enable Enterprise (EAP) wireless settings" - echo " --eap-user-file Path to EAP user file" + echo " --eap-user-file Full path to EAP user file" echo " Example my be found at:" echo " https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user" - echo " --eap-cert-path Path to wireless certificates" + echo " --eap-cert-path Full path to wireless certificates" echo " Name of the certs at the location:" echo " - ca.pem" echo " - server.pem" From 81d3b416fa1e46b6c4cafc5cf8e3278045f1e9c9 Mon Sep 17 00:00:00 2001 From: cablethief Date: Fri, 20 Jul 2018 00:08:58 +0200 Subject: [PATCH 04/10] added remote RADIUS support --- README.md | 5 +++-- create_ap | 47 +++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 719c86c..3647686 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,7 @@ ## Features * Create an AP (Access Point) at any channel. * Choose one of the following encryptions: WPA, WPA2, WPA/WPA2, Open (no encryption). +* Support for Enterprise setups * Hide your SSID. * Disable communication between clients (client isolation). * IEEE 802.11n & 802.11ac support @@ -77,8 +78,8 @@ ### Enterprise Network built-in RADIUS create_ap --eap --eap-user-file /tmp/users.eap_hosts --eap-cert-path /tmp/certificates wlan0 eth0 MyAccessPoint - +### Enterprise Network Remote RADIUS + create_ap --eap --radius-server 192.168.1.1:1812 --radius-secret=P@ssw0rd wlan0 eth0 MyAccessPoint ## Systemd service Using the persistent [systemd](https://wiki.archlinux.org/index.php/systemd#Basic_systemctl_usage) service diff --git a/create_ap b/create_ap index ec5f6c9..fd7ceef 100755 --- a/create_ap +++ b/create_ap @@ -75,6 +75,9 @@ usage() { echo echo "Enterprise Options:" echo " --eap Enable Enterprise (EAP) wireless settings" + echo " Default is to use built in RADIUS server" + echo + echo " *Built in RADIUS server*" echo " --eap-user-file Full path to EAP user file" echo " Example my be found at:" echo " https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user" @@ -86,6 +89,12 @@ usage() { echo " You will be prompted to generate a cert if no path is provided" echo " --eap-key-passwd If key requires a password" echo + echo " *Use external RADIUS server*" + echo " --radius-server Use an external RADIUS server rather than built in" + echo " Default port is 1812" + echo " --remote-radius [:port]" + echo " --radius-secret Provide shared RADIUS secret" + echo echo "Non-Bridging Options:" echo " --no-dns Disable dnsmasq DNS server" echo " --no-dnsmasq Disable dnsmasq server completely" 
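Review bot: The help text advertises `--remote-radius [:port]`, but the getopt list and case arm added in this patch register the option as `--radius-server`, so the documented name does not exist. The line should read something like `echo "  --radius-server <host>[:port]  Use an external RADIUS server rather than built in"`, and since `--radius-secret` takes the shared secret on the command line the help could note that it is visible via `ps`. The README hunk is documentation only; usage() starts before this hunk.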
@@ -1046,7 +1055,7 @@ for ((i=0; i<$#; i++)); do fi done -GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "eap","eap-user-file:","eap-cert-path:","eap-key-passwd:","help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@") +GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "eap","eap-user-file:","eap-cert-path:","eap-key-passwd:","radius-server:","radius-secret:","help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@") [[ $? -ne 0 ]] && exit 1 eval set -- "$GETOPT_ARGS" @@ -1083,6 +1092,15 @@ while :; do ENTERPRISE_PRIVATE_KEY_PASSWD="$1" shift ;; + --radius-server) + shift + read RADIUS_SERVER RADIUS_PORT <<< "${1//:/ }" + shift + ;; + --radius-secret) + shift + RADIUS_SECRET="$1" + shift --mac-filter) shift MAC_FILTER=1 
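Review bot: `read RADIUS_SERVER RADIUS_PORT <<< "${1//:/ }"` lacks `-r`, and replacing every colon with a space means an IPv6 literal or a `[host]:port` form is split into the wrong fields. Use `read -r RADIUS_SERVER RADIUS_PORT <<< "${1//:/ }"` at minimum, and if IPv6 servers are in scope handle the bracketed form separately. `RADIUS_SECRET="$1"` also accepts an empty value, which later lands in hostapd.conf as `auth_server_shared_secret=` with no error; a non-empty check after parsing would catch that. The case statement starts before this hunk and continues after it.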
@@ -1701,26 +1719,39 @@ EOF fi if [[ $ENTERPRISE -eq 1 ]]; then - cat << EOF >> $CONFDIR/hostapd.conf + if [[ -z $RADIUS_SERVER ]]; then + cat << EOF >> $CONFDIR/hostapd.conf eap_server=1 eap_user_file=${ENTERPRISE_EAPUSER_FILE} ca_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/ca.pem server_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/server.pem private_key=${ENTERPRISE_CERTIFICATES_LOCATION}/server.key private_key_passwd=${ENTERPRISE_PRIVATE_KEY_PASSWD} -# pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f -# eap_fast_a_id=101112131415161718191a1b1c1d1e1f -# eap_fast_a_id_info=test server -# eap_fast_prov=3 -# pac_key_lifetime=604800 -# pac_key_refresh_time=86400 wpa=${WPA_VERSION} wpa_key_mgmt=WPA-EAP wpa_pairwise=TKIP CCMP EOF + else + if [[ -z $RADIUS_PORT ]]; then + $RADIUS_PORT=1812 + fi + cat << EOF >> $CONFDIR/hostapd.conf +eap_server=0 + +auth_server_addr=${RADIUS_SERVER} +auth_server_port=${RADIUS_PORT} +auth_server_shared_secret=${RADIUS_SECRET} + +wpa=${WPA_VERSION} +wpa_key_mgmt=WPA-EAP +wpa_pairwise=TKIP CCMP +EOF + fi fi +if [[ $ENTERPRISE -eq 1 ]] && [[ ]] + if [[ $IEEE80211AC -eq 1 ]]; then echo "ieee80211ac=1" >> $CONFDIR/hostapd.conf fi From 115e1de8f81c5b360c64c40b184db609eddc9009 Mon Sep 17 00:00:00 2001 From: cablethief Date: Fri, 20 Jul 2018 00:42:03 +0200 Subject: [PATCH 05/10] added radius to config file --- create_ap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/create_ap b/create_ap index fd7ceef..064fea6 100755 --- a/create_ap +++ b/create_ap 
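Review bot: The external-RADIUS branch writes `auth_server_shared_secret=${RADIUS_SECRET}` (and the built-in branch `private_key_passwd=…`) into `$CONFDIR/hostapd.conf`, so that file now carries credentials; how `$CONFDIR` is created is not visible here, so it is worth confirming the directory and file are not group- or world-readable, e.g. `chmod 600 "$CONFDIR/hostapd.conf"` right after the heredoc. Nothing rejects an empty `RADIUS_SECRET`, so `--radius-server` without `--radius-secret` yields a config with an empty shared secret; `[[ -n $RADIUS_SECRET ]] || { echo "--radius-secret is required with --radius-server" >&2; exit 1; }` before the heredoc would fail fast.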
@@ -664,7 +664,8 @@ REDIRECT_TO_LOCALHOST=0 CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS NO_DNSMASQ HIDDEN MAC_FILTER MAC_FILTER_ACCEPT ISOLATE_CLIENTS SHARE_METHOD IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE - SSID PASSPHRASE USE_PSK ENTERPRISE ENTERPRISE_CERTIFICATES_LOCATION ENTERPRISE_EAPUSER_FILE ENTERPRISE_PRIVATE_KEY_PASSWD) + SSID PASSPHRASE USE_PSK ENTERPRISE ENTERPRISE_CERTIFICATES_LOCATION ENTERPRISE_EAPUSER_FILE ENTERPRISE_PRIVATE_KEY_PASSWD + RADIUS_SERVER RADIUS_SECRET) FIX_UNMANAGED=0 LIST_RUNNING=0 @@ -1750,7 +1751,6 @@ EOF fi fi -if [[ $ENTERPRISE -eq 1 ]] && [[ ]] if [[ $IEEE80211AC -eq 1 ]]; then echo "ieee80211ac=1" >> $CONFDIR/hostapd.conf From 94d973a908eae7d910e8622ef809d85cc062f9d9 Mon Sep 17 00:00:00 2001 From: michael Date: Fri, 20 Jul 2018 08:53:16 +0200 Subject: [PATCH 06/10] missing ;; --- create_ap | 1 + 1 file changed, 1 insertion(+) diff --git a/create_ap b/create_ap index 064fea6..5bc339e 100755 --- a/create_ap +++ b/create_ap @@ -1102,6 +1102,7 @@ while :; do shift RADIUS_SECRET="$1" shift + ;; --mac-filter) shift MAC_FILTER=1 From 5862310795eaaeb1d4e434312a506735c1c3ba62 Mon Sep 17 00:00:00 2001 From: michael Date: Fri, 20 Jul 2018 11:17:18 +0200 Subject: [PATCH 07/10] I dont know... --- create_ap | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/create_ap b/create_ap index 5bc339e..ca26943 100755 --- a/create_ap +++ b/create_ap 
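Review bot: `RADIUS_PORT` is left out of the `CONFIG_OPTS` addition (`RADIUS_SERVER RADIUS_SECRET`), so a config saved with `--mkconfig` after `--radius-server host:port` presumably drops a non-default port and reloads with the 1812 default. Either add it — `RADIUS_SERVER RADIUS_PORT RADIUS_SECRET)` — or keep the unsplit `host:port` string in `RADIUS_SERVER` and split it where hostapd.conf is written. The same omission appears in the variable-initialisation hunk of patch 08, which declares `RADIUS_SERVER=` and `RADIUS_SECRET=` but not `RADIUS_PORT=`. The saved config also contains the RADIUS shared secret in the clear, as it already does for `PASSPHRASE`, which the `--mkconfig` help should state.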
@@ -83,9 +83,10 @@ usage() { echo " https://w1.fi/cgit/hostap/plain/hostapd/hostapd.eap_user" echo " --eap-cert-path Full path to wireless certificates" echo " Name of the certs at the location:" - echo " - ca.pem" - echo " - server.pem" - echo " - server.key" + echo " - hostapd.ca.pem" + echo " - hostapd.dh.pem" + echo " - hostapd.cert.pem" + echo " - hostapd.key.pem" echo " You will be prompted to generate a cert if no path is provided" echo " --eap-key-passwd If key requires a password" echo @@ -1693,8 +1694,9 @@ fi if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_CERTIFICATES_LOCATION ]]; then echo "Please Provide Certificate Details" - $(which openssl) req -nodes -new -x509 -keyout $CONFDIR/server.key -out $CONFDIR/server.pem - cp $CONFDIR/server.pem $CONFDIR/ca.pem + $(which openssl) req -nodes -new -x509 -keyout $CONFDIR/hostapd.key.pem -out $CONFDIR/hostapd.cert.pem + $(which openssl) dhparam -out $CONFDIR/hostapd.dh.pem 1024 + cp $CONFDIR/hostapd.cert.pem $CONFDIR/hostapd.ca.pem ENTERPRISE_CERTIFICATES_LOCATION=$CONFDIR fi @@ -1721,18 +1723,23 @@ EOF fi if [[ $ENTERPRISE -eq 1 ]]; then + [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3 if [[ -z $RADIUS_SERVER ]]; then cat << EOF >> $CONFDIR/hostapd.conf +eapol_key_index_workaround=0 +ieee8021x=1 eap_server=1 eap_user_file=${ENTERPRISE_EAPUSER_FILE} -ca_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/ca.pem -server_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/server.pem -private_key=${ENTERPRISE_CERTIFICATES_LOCATION}/server.key +ca_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.ca.pem +server_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.cert.pem +dh_file=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.dh.pem +private_key=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.key.pem private_key_passwd=${ENTERPRISE_PRIVATE_KEY_PASSWD} +auth_algs=3 wpa=${WPA_VERSION} wpa_key_mgmt=WPA-EAP -wpa_pairwise=TKIP CCMP +wpa_pairwise=CCMP EOF else if [[ -z $RADIUS_PORT ]]; then 
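Review bot: `$(which openssl) dhparam -out $CONFDIR/hostapd.dh.pem 1024` generates 1024-bit DH parameters, which is below the minimum most current TLS stacks and guidance accept; `2048` is the usual floor, at the cost of a longer generation time. The `openssl req -nodes -new -x509` line has no `-days`, so the self-signed server certificate expires after openssl's 30-day default and clients will start failing authentication a month later; adding `-days 3650` (or at least documenting the expiry) avoids the surprise. `$CONFDIR` is still unquoted in both openssl invocations and the `cp`. usage() and the `if [[ $ENTERPRISE -eq 1 ]]` block start before their respective hunks.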
@@ -1745,7 +1752,7 @@ auth_server_addr=${RADIUS_SERVER} auth_server_port=${RADIUS_PORT} auth_server_shared_secret=${RADIUS_SECRET} -wpa=${WPA_VERSION} +wpa=2 wpa_key_mgmt=WPA-EAP wpa_pairwise=TKIP CCMP EOF From 05410556d68db0ea839d58595fade8487835dc32 Mon Sep 17 00:00:00 2001 From: michael Date: Fri, 20 Jul 2018 12:32:56 +0200 Subject: [PATCH 08/10] fix radius options --- create_ap | 51 +++++++++++++++++++++++++++++++-------------------- 1 file changed, 31 insertions(+), 20 deletions(-) diff --git a/create_ap b/create_ap index ca26943..ec30cbd 100755 --- a/create_ap +++ b/create_ap @@ -644,6 +644,9 @@ ENTERPRISE=0 ENTERPRISE_CERTIFICATES_LOCATION= ENTERPRISE_EAPUSER_FILE= ENTERPRISE_PRIVATE_KEY_PASSWD= +RADIUS_SERVER= +RADIUS_SECRET= +NAS_IDENT= ISOLATE_CLIENTS=0 SHARE_METHOD=nat IEEE80211N=0 @@ -666,7 +669,7 @@ CONFIG_OPTS=(CHANNEL GATEWAY WPA_VERSION ETC_HOSTS DHCP_DNS NO_DNS NO_DNSMASQ HI SHARE_METHOD IEEE80211N IEEE80211AC HT_CAPAB VHT_CAPAB DRIVER NO_VIRT COUNTRY FREQ_BAND NEW_MACADDR DAEMONIZE NO_HAVEGED WIFI_IFACE INTERNET_IFACE SSID PASSPHRASE USE_PSK ENTERPRISE ENTERPRISE_CERTIFICATES_LOCATION ENTERPRISE_EAPUSER_FILE ENTERPRISE_PRIVATE_KEY_PASSWD - RADIUS_SERVER RADIUS_SECRET) + RADIUS_SERVER RADIUS_SECRET NAS_IDENT) FIX_UNMANAGED=0 LIST_RUNNING=0 
@@ -1057,7 +1060,7 @@ for ((i=0; i<$#; i++)); do fi done -GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "eap","eap-user-file:","eap-cert-path:","eap-key-passwd:","radius-server:","radius-secret:","help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@") +GETOPT_ARGS=$(getopt -o hc:w:g:de:nm: -l "eap","eap-user-file:","eap-cert-path:","eap-key-passwd:","radius-server:","radius-secret:","nas-ident:","help","hidden","hostapd-debug:","redirect-to-localhost","mac-filter","mac-filter-accept:","isolate-clients","ieee80211n","ieee80211ac","ht_capab:","vht_capab:","driver:","no-virt","fix-unmanaged","country:","freq-band:","mac:","dhcp-dns:","daemon","stop:","list","list-running","list-clients:","version","psk","no-haveged","no-dns","no-dnsmasq","mkconfig:","config:" -n "$PROGNAME" -- "$@") [[ $? -ne 0 ]] && exit 1 eval set -- "$GETOPT_ARGS" @@ -1104,6 +1107,11 @@ while :; do RADIUS_SECRET="$1" shift ;; + --nas-ident) + shift + NAS_IDENT="$1" + shift + ;; --mac-filter) shift MAC_FILTER=1 
@@ -1724,10 +1732,28 @@ fi if [[ $ENTERPRISE -eq 1 ]]; then [[ "$WPA_VERSION" == "1+2" ]] && WPA_VERSION=3 - if [[ -z $RADIUS_SERVER ]]; then + if [[ -n $RADIUS_SERVER ]]; then + [[ -z $RADIUS_PORT ]] && RADIUS_PORT="1812" + [[ -z $NAS_IDENT ]] && NAS_IDENT=$(uuidgen) cat << EOF >> $CONFDIR/hostapd.conf -eapol_key_index_workaround=0 ieee8021x=1 +eap_server=0 + +nas_identifier=${NAS_IDENT} + +auth_server_addr=${RADIUS_SERVER} +auth_server_port=${RADIUS_PORT} +auth_server_shared_secret=${RADIUS_SECRET} + +auth_algs=3 +wpa=${WPA_VERSION} +wpa_key_mgmt=WPA-EAP +wpa_pairwise=CCMP TKIP +EOF + else + cat << EOF >> $CONFDIR/hostapd.conf +ieee8021x=1 +eapol_key_index_workaround=0 eap_server=1 eap_user_file=${ENTERPRISE_EAPUSER_FILE} ca_cert=${ENTERPRISE_CERTIFICATES_LOCATION}/hostapd.ca.pem @@ -1739,22 +1765,7 @@ private_key_passwd=${ENTERPRISE_PRIVATE_KEY_PASSWD} auth_algs=3 wpa=${WPA_VERSION} wpa_key_mgmt=WPA-EAP -wpa_pairwise=CCMP -EOF - else - if [[ -z $RADIUS_PORT ]]; then - $RADIUS_PORT=1812 - fi - cat << EOF >> $CONFDIR/hostapd.conf -eap_server=0 - -auth_server_addr=${RADIUS_SERVER} -auth_server_port=${RADIUS_PORT} -auth_server_shared_secret=${RADIUS_SECRET} - -wpa=2 -wpa_key_mgmt=WPA-EAP -wpa_pairwise=TKIP CCMP +wpa_pairwise=CCMP TKIP EOF fi fi From 19d7c5e925c0a2d42d871d700b82867283b32d44 Mon Sep 17 00:00:00 2001 From: michael Date: Fri, 20 Jul 2018 12:35:03 +0200 Subject: [PATCH 09/10] Dont gen certs for radius --- create_ap | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/create_ap b/create_ap index ec30cbd..beb58ac 100755 --- a/create_ap +++ b/create_ap 
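Review bot: `wpa_pairwise=CCMP TKIP` reintroduces TKIP in both the external-RADIUS and built-in branches, after the previous patch had narrowed the built-in branch to `CCMP`; TKIP is deprecated and weakens an otherwise WPA2-Enterprise setup, so `wpa_pairwise=CCMP` is the safer default unless legacy clients are an explicit requirement. `[[ -z $NAS_IDENT ]] && NAS_IDENT=$(uuidgen)` assumes `uuidgen` is installed; if it is not, `nas_identifier=` is written empty with no error, so guard it with `command -v uuidgen >/dev/null` and fall back to something like `$(hostname)`. Because the generated identifier is random per run, the note in the help text should say that `--nas-ident` is needed for a stable value.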
@@ -1700,7 +1700,7 @@ ht_capab=${HT_CAPAB} EOF fi -if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_CERTIFICATES_LOCATION ]]; then +if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_CERTIFICATES_LOCATION ]] && [[ -z $RADIUS_SERVER ]]; then echo "Please Provide Certificate Details" $(which openssl) req -nodes -new -x509 -keyout $CONFDIR/hostapd.key.pem -out $CONFDIR/hostapd.cert.pem $(which openssl) dhparam -out $CONFDIR/hostapd.dh.pem 1024 @@ -1708,7 +1708,7 @@ if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_CERTIFICATES_LOCATION ]]; then ENTERPRISE_CERTIFICATES_LOCATION=$CONFDIR fi -if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_EAPUSER_FILE ]]; then +if [[ $ENTERPRISE -eq 1 ]] && [[ -z $ENTERPRISE_EAPUSER_FILE ]] && [[ -z $RADIUS_SERVER ]]; then echo "Using Example EAP User file" echo "Please see $CONFDIR/hostapd.eap_user to create your own" # I am uncertain if /usr/share/doc/hostapd/hostapd.eap_user is static on all dists. From 7885f62ce302b4b05a7813df10bf1cafd7b6ce1a Mon Sep 17 00:00:00 2001 From: michael Date: Fri, 20 Jul 2018 15:56:28 +0200 Subject: [PATCH 10/10] Added NAS IDent help --- create_ap | 1 + 1 file changed, 1 insertion(+) diff --git a/create_ap b/create_ap index beb58ac..b60cb44 100755 --- a/create_ap +++ b/create_ap @@ -95,6 +95,7 @@ usage() { echo " Default port is 1812" echo " --remote-radius [:port]" echo " --radius-secret Provide shared RADIUS secret" + echo " --nas-ident Provide NAS identity" echo echo "Non-Bridging Options:" echo " --no-dns Disable dnsmasq DNS server"
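Review bot: With `--eap-cert-path` supplied the generation block is now skipped, but nothing checks that `hostapd.ca.pem`, `hostapd.cert.pem`, `hostapd.dh.pem` and `hostapd.key.pem` actually exist at that path, so a wrong directory is only reported by hostapd later. A loop before hostapd.conf is written, `for f in hostapd.ca.pem hostapd.cert.pem hostapd.dh.pem hostapd.key.pem; do [[ -r "$ENTERPRISE_CERTIFICATES_LOCATION/$f" ]] || { echo "missing $f in $ENTERPRISE_CERTIFICATES_LOCATION" >&2; exit 1; }; done`, would fail fast. The two `if` headers now repeat `[[ $ENTERPRISE -eq 1 ]] && … && [[ -z $RADIUS_SERVER ]]`; computing a single built-in-RADIUS flag once and testing it in both places would read more clearly. The patch 10 hunk is help text only.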