Skip to content

Commit

Permalink
[change] OpenWrt: updated WPA enterprise settings #291
Browse files Browse the repository at this point in the history
- Generate "auth_sever", "auth_port" and "auth_secret" options
  from "server", "port" and "key" properties
- Set "acct_secret" to the value of "key" if it is not configured
  in NetJSON
- Add new options: "acct_inverval", "dae_client", "dae_port", "dae_secret"

Closes #291
  • Loading branch information
pandafy committed Jan 24, 2024
1 parent 571af14 commit c45cf89
Show file tree
Hide file tree
Showing 3 changed files with 95 additions and 9 deletions.
37 changes: 28 additions & 9 deletions netjsonconfig/backends/openwrt/converters/wireless.py
Original file line number Diff line number Diff line change
Expand Up @@ -124,15 +124,18 @@ def __intermediate_encryption(self, wireless):
if protocol == 'wep_open':
uci['key1'] = 's:{0}'.format(uci['key1'])
else:
if (
'enterprise' in protocol
and 'eap_type' in uci
and uci['eap_type'] == 'tls'
and 'auth' in uci
):
# remove auth if not needed
# (not applicable to EAP-TLS)
del uci['auth']
if 'enterprise' in protocol:
if 'eap_type' in uci and uci['eap_type'] == 'tls' and 'auth' in uci:
# remove auth if not needed
# (not applicable to EAP-TLS)
del uci['auth']
if wireless['mode'] == 'ap':
for option in ['server', 'port']:
if option in encryption:
uci[f'auth_{option}'] = encryption[option]
uci['auth_secret'] = encryption['key']
if 'acct_secret' not in encryption:
uci['acct_secret'] = encryption['key']
if 'key' in encryption:
uci['key'] = encryption['key']
# add ciphers
Expand Down Expand Up @@ -251,6 +254,8 @@ def __netjson_wifi_typecast(self, wifi):
'auth_cache',
'acct_port',
'acct_server',
'acct_secret',
'acct_interval',
'nasid',
'ownip',
'dae_client',
Expand Down Expand Up @@ -325,6 +330,16 @@ def __netjson_encryption(self, wifi): # noqa: C901
if key.startswith('s:'):
key = key[2:]
settings['key'] = key
if 'enterprise' in settings['protocol']:
if 'auth_secret' in settings:
settings['key'] = settings.pop('auth_secret')
if settings.get('acct_secret') and settings['acct_secret'] == settings.get(
'key'
):
settings.pop('acct_secret')
for option in ['server', 'port']:
if f'auth_{option}' in settings:
settings[option] = settings.pop(f'auth_{option}')
# Management Frame Protection
if 'ieee80211w' in wifi:
settings['ieee80211w'] = wifi.pop('ieee80211w')
Expand All @@ -337,6 +352,10 @@ def __netjson_encryption_typecast(self, encryption):
encryption['port'] = int(encryption['port'])
if 'acct_port' in encryption:
encryption['acct_port'] = int(encryption['acct_port'])
if 'dae_port' in encryption:
encryption['dae_port'] = int(encryption['dae_port'])
if 'acct_interval' in encryption:
encryption['acct_interval'] = int(encryption['acct_interval'])
if 'wps_label' in encryption:
encryption['wps_label'] = encryption['wps_label'] == '1'
if 'wps_pushbutton' in encryption:
Expand Down
42 changes: 42 additions & 0 deletions netjsonconfig/backends/openwrt/schema.py
Original file line number Diff line number Diff line change
Expand Up @@ -704,6 +704,48 @@
{"$ref": "#/definitions/radio_60g_band"},
]
},
"encryption_wpa_enterprise_ap_base_settings": {
"properties": {
"acct_secret": {
"title": "accounting shared secret",
"type": "string",
"propertyOrder": 9,
},
"acct_interval": {
"type": "integer",
"title": "accounting interval",
"default": 600,
"propertyOrder": 10,
},
"dae_client": {
"title": "DAE client",
"type": "string",
"description": (
"Dynamic Authorization Extension client."
" This client can send \"Disconnect-Request\" or \"CoA-Request\" packets to forcibly disconnect a client or change connection parameters."
),
"propertyOrder": 11,
},
"dae_port": {
"type": "integer",
"title": "DAE port",
# "description": "port the Dynamic Authorization Extension server listens on.",
"default": 3799,
"propertyOrder": 12,
},
"dae_secret": {
"title": "DAE secret",
"type": "string",
"propertyOrder": 13,
},
"nasid": {
"title": "NAS ID",
"type": "string",
"description": "NAS ID for RADIUS authentication requests",
"propertyOrder": 13,
},
}
},
},
"properties": {
"general": {
Expand Down
25 changes: 25 additions & 0 deletions tests/openwrt/test_encryption.py
Original file line number Diff line number Diff line change
Expand Up @@ -288,6 +288,9 @@ def test_parse_wpa_personal(self):
package wireless
config wifi-iface 'wifi_wlan0'
option acct_secret 'radius_secret'
option auth_secret 'radius_secret'
option auth_server '192.168.0.1'
option device 'radio0'
option encryption 'wpa3-mixed+ccmp'
option ieee80211w '1'
Expand Down Expand Up @@ -325,6 +328,10 @@ def test_parse_wpa2_enterprise_mixed_ap(self):
"port": 1812,
"acct_server": "192.168.0.2",
"acct_port": 1813,
"acct_interval": 300,
"dae_client": "192.168.0.2",
"dae_port": 3799,
"dae_secret": "radius_secret",
"nasid": "2",
"wpa_group_rekey": "350",
"ieee80211w": "2",
Expand All @@ -345,8 +352,16 @@ def test_parse_wpa2_enterprise_mixed_ap(self):
package wireless
config wifi-iface 'wifi_wlan0'
option acct_interval '300'
option acct_port '1813'
option acct_secret 'radius_secret'
option acct_server '192.168.0.2'
option auth_port '1812'
option auth_secret 'radius_secret'
option auth_server '192.168.0.1'
option dae_client '192.168.0.2'
option dae_port '3799'
option dae_secret 'radius_secret'
option device 'radio0'
option encryption 'wpa3+ccmp'
option ieee80211w '2'
Expand Down Expand Up @@ -407,7 +422,11 @@ def test_parse_wpa3_enterprise(self):
config wifi-iface 'wifi_wlan0'
option acct_port '1813'
option acct_secret 'radius_secret'
option acct_server '192.168.0.2'
option auth_port '1812'
option auth_secret 'radius_secret'
option auth_server '192.168.0.1'
option device 'radio0'
option encryption 'wpa2+tkip'
option ifname 'wlan0'
Expand Down Expand Up @@ -461,6 +480,9 @@ def test_parse_wpa2_enterprise(self):
package wireless
config wifi-iface 'wifi_wlan0'
option acct_secret 'radius_secret'
option auth_secret 'radius_secret'
option auth_server '192.168.0.1'
option device 'radio0'
option encryption 'wpa-mixed'
option ifname 'wlan0'
Expand Down Expand Up @@ -511,6 +533,9 @@ def test_parse_wpa_enterprise_mixed_ap(self):
package wireless
config wifi-iface 'wifi_wlan0'
option acct_secret 'radius_secret'
option auth_secret 'radius_secret'
option auth_server '192.168.0.1'
option device 'radio0'
option encryption 'wpa+ccmp'
option ifname 'wlan0'
Expand Down

0 comments on commit c45cf89

Please sign in to comment.