How to set `auth_server` without `encryption 'wpa2'`?

_bernd · February 15, 2022, 7:54pm

I want to set auth_server and auth_secret in /etc/config/wireless BUT without encryption 'wpa2'.

But when I do not use encryption 'wpa2' then auth_server and auth_secret are not written to hostapd-phy0.conf. If I set auth_server_addr and auth_server_shared_secret afterwards in hostapd.conf and reload hostapd I get the desired behavior:

Edit: macaddr_acl=2 is needed too. ("use external RADIUS server")

The station authenticates with PSK on the AP
The AP sends an auth(?) request to the radius server
Radius does a lookup on

"f8adcb20793X" Cleartext-Password := "f8adcb20793X"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 66

DEFAULT Cleartext-Password := "%{User-Name}"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 67

The station is assigned to the correct VLAN.

My test is with an Android Phone, one time I use the device mac address, and the other time I let Android choose a random one.

My preferred way would be a patch on the UCI wrapper which writes the hostapd config. In the meantime I probably will need to use a hotplug script to attach the needed two lines of config to hostapd.conf.

To state a specific question: I do not understand where in /lib exactly /etc/config/wireless is parsed, and hostapd.conf is build, and how to add the config options?

And yes, for now I do not want to do "proper" WPA2 with self-sign-cert-dance-and-clapping. This is not about anything secure, but more on convenience. And I would want to avoid to create a bunch of SSIDs and make airtime even worst.

mk24 · February 15, 2022, 9:20pm

/lib/netifd/hostapd.sh. This file is provided by package hostapd-common.

I think there is a provision for:
list hostapd_option 'any_key any_value'
if you want to unconditionally stuff something into the hostapd.conf file.

I don't think that hostapd itself can do what you are wanting to do though.

_bernd · February 15, 2022, 9:36pm

I'm doing this already. I just want to make it clean and avoid that I need to update hostapd.conf via a shell script and trigger kill -SIGHUP $( pidof hostapd ) to reload the modified config.
But PSK + dynamic VLAN just works fine

_bernd · February 15, 2022, 9:37pm

Thanks. I will check this out. So far I could not wrap my head around lib/netifd/hostapd.sh

_bernd · February 16, 2022, 9:13pm

This applies only to options on the wifi-device and not to wifi-iface, so it does not work.

How ever.
In /lib/netifd/hostapd.sh at the case "$auth_type" in block, for psk|sae|psk-sae) the following addition works

json_get_vars \
    auth_server \
    auth_port \
    auth_secret \
    ownip \
    radius_client_addr

[ -n "$auth_server" ] && {
        append bss_conf "auth_server_addr=$auth_server" "$N"
        set_default auth_port 1812
        [ -n "$auth_port" ] && append bss_conf "auth_server_port=$auth_port" "$N"
        [ -n "$auth_secret" ] && append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
        [ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
        [ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
        [ -n "$auth_server" ] && append bss_conf "macaddr_acl=2" "$N"
}