hostapd: add eap_server support
authorJohn Crispin <john@phrozen.org>
Tue, 6 Apr 2021 12:59:41 +0000 (14:59 +0200)
committerFelix Fietkau <nbd@nbd.name>
Tue, 23 Nov 2021 17:30:05 +0000 (18:30 +0100)
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from 98621c97822eb20a80ab2248a253972051ea6f08)

package/network/services/hostapd/files/hostapd.sh

index 24fc7c3cca17814b46abdd3f1f8108b0b42488e4..c61654e6e813eca204242c6d8f64b3ac34ebef9c 100644 (file)
@@ -347,6 +347,9 @@ hostapd_common_add_bss_config() {
        config_add_boolean request_cui
        config_add_array radius_auth_req_attr
        config_add_array radius_acct_req_attr
+
+       config_add_int eap_server
+       config_add_string eap_user_file ca_cert server_cert private_key private_key_passwd server_id
 }
 
 hostapd_set_vlan_file() {
@@ -517,7 +520,8 @@ hostapd_set_bss_options() {
                bss_load_update_period chan_util_avg_period sae_require_mfp \
                multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
                airtime_bss_weight airtime_bss_limit airtime_sta_weight \
-               multicast_to_unicast per_sta_vif
+               multicast_to_unicast per_sta_vif \
+               eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id
 
        set_default isolate 0
        set_default maxassoc 0
@@ -538,6 +542,7 @@ hostapd_set_bss_options() {
        set_default multi_ap 0
        set_default airtime_bss_weight 0
        set_default airtime_bss_limit 0
+       set_default eap_server 0
 
        append bss_conf "ctrl_interface=/var/run/hostapd"
        if [ "$isolate" -gt 0 ]; then
@@ -651,9 +656,11 @@ hostapd_set_bss_options() {
                        set_default dae_port 3799
                        set_default request_cui 0
 
-                       append bss_conf "auth_server_addr=$auth_server" "$N"
-                       append bss_conf "auth_server_port=$auth_port" "$N"
-                       append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       [ "$eap_server" -eq 0 ] && {
+                               append bss_conf "auth_server_addr=$auth_server" "$N"
+                               append bss_conf "auth_server_port=$auth_port" "$N"
+                               append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+                       }
 
                        [ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
                        [ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
@@ -1010,6 +1017,16 @@ hostapd_set_bss_options() {
                json_for_each_item append_operator_icon operator_icon
        fi
 
+       if [ "$eap_server" = "1" ]; then
+               append bss_conf "eap_server=1" "$N"
+               [ -n "$eap_user_file" ] && append bss_conf "eap_user_file=$eap_user_file" "$N"
+               [ -n "$ca_cert" ] && append bss_conf "ca_cert=$ca_cert" "$N"
+               [ -n "$server_cert" ] && append bss_conf "server_cert=$server_cert" "$N"
+               [ -n "$private_key" ] && append bss_conf "private_key=$private_key" "$N"
+               [ -n "$private_key_passwd" ] && append bss_conf "private_key_passwd=$private_key_passwd" "$N"
+               [ -n "$server_id" ] && append bss_conf "server_id=$server_id" "$N"
+       fi
+
        set_default multicast_to_unicast 0
        if [ "$multicast_to_unicast" -gt 0 ]; then
                append bss_conf "multicast_to_unicast=$multicast_to_unicast" "$N"