feat(ap01): enable fully RADIUS via internal RADIUS server

This adds two public keys.

For the private keys, heh…

Signed-off-by: Ryan Lahfa <ryan@dgnum.eu>
Ryan Lahfa 2024-08-31 22:21:35 +02:00
parent 9d17167495
commit c678bbb8df
4 changed files with 112 additions and 12 deletions


@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,23 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -15,11 +15,9 @@ let
svc = config.system.service; svc = config.system.service;
secrets-1 = { secrets-1 = {
ssid = "DGNum 2G prototype (N)"; ssid = "DGNum 2G prototype (N)";
wpa_passphrase = "diamond dogs";
}; };
secrets-2 = { secrets-2 = {
ssid = "DGNum 5G prototype (AX)"; ssid = "DGNum 5G prototype (AX)";
wpa_passphrase = "diamond dogs";
}; };
baseParams = { baseParams = {
country_code = "FR"; country_code = "FR";
@ -30,11 +28,14 @@ let
ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]"; ht_capab = "[LDPC][GF][HT40-][HT40+][SHORT-GI-40][MAX-AMSDU-7935][TX-STBC]";
auth_algs = 1; auth_algs = 1;
wpa = 2; wpa = 2;
wpa_key_mgmt = "WPA-PSK";
wpa_pairwise = "TKIP CCMP"; wpa_pairwise = "TKIP CCMP";
rsn_pairwise = "CCMP"; rsn_pairwise = "CCMP";
}; };
radiusKeyMgmt = {
wpa_key_mgmt = "WPA-EAP";
};
modernParams = { modernParams = {
hw_mode = "a"; hw_mode = "a";
he_su_beamformer = 1; he_su_beamformer = 1;
@ -54,13 +55,60 @@ let
he_oper_centr_freq_seg0_idx = 42; he_oper_centr_freq_seg0_idx = 42;
require_vht = 1; require_vht = 1;
}; };
clientRadius = {
ieee8021x = 1;
eapol_version = 2;
use_pae_group_addr = 1;
dynamic_vlan = 0;
vlan_tagged_interface = "lan";
};
serverRadius = {
radius_server_clients = pkgs.writeText "clients" ''
0.0.0.0/0 dgnum
'';
radius_server_auth_port = 1812;
radius_server_ipv6 = 1;
};
localRadius = {
eap_server = 1;
eap_user_file = pkgs.writeText "user.db" ''
# anonymous login in phase 1
* PEAP
# password based in the secure tunnel in phase 2
"test" MSCHAPV2 "diamond dogs" [2]
'';
# DGNum CA certificate.
ca_cert = builtins.toFile "dgnum-test-ap-ca" (
builtins.readFile ../../keys/certs/dgnum-test-ap-ca.crt
);
# Server certificate for this AP.
server_cert = builtins.toFile "dgnum-ap-server" (
builtins.readFile ../../keys/certs/dgnum-ap-server.crt
);
private_key = builtins.toFile "dgnum-ap-server-pkey" (
builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem
);
};
# externalRadius = {
# own_ip_addr = "";
# nas_identifier = "";
# auth_server_addr = "";
# auth_server_port = 1812;
# auth_server_shared_secret = "dgnum";
# };
mkWifiSta = mkWifiSta =
params: interface: secrets: params: interface: secrets:
svc.hostapd.build { svc.hostapd.build {
inherit interface; inherit interface;
params = params // { package = pkgs.hostapd-radius;
inherit (secrets) ssid wpa_passphrase; params = params // secrets;
};
}; };
in in
rec { rec {
@ -72,6 +120,8 @@ rec {
"${modulesPath}/ntp" "${modulesPath}/ntp"
"${modulesPath}/vlan" "${modulesPath}/vlan"
"${modulesPath}/bridge" "${modulesPath}/bridge"
"${modulesPath}/jitter-rng"
"${modulesPath}/pki"
../../modules/dgn-access-control.nix ../../modules/dgn-access-control.nix
# TODO: god that's so a fucking hack. # TODO: god that's so a fucking hack.
(import "${modulesPath}/../devices/zyxel-nwa50ax").module (import "${modulesPath}/../devices/zyxel-nwa50ax").module
@ -79,6 +129,13 @@ rec {
hostname = "ap01-prototype"; hostname = "ap01-prototype";
security.pki = {
installCACerts = true;
certificateFiles = [
../../keys/certs/dgnum-test-ap-ca.crt
];
};
# SSH keys are handled by the access control module. # SSH keys are handled by the access control module.
dgn-access-control.enable = true; dgn-access-control.enable = true;
users.root = { users.root = {
@ -126,10 +183,12 @@ rec {
}; };
# wlan0 is the 2.4GHz interface. # wlan0 is the 2.4GHz interface.
services.hostap-1 = mkWifiSta baseParams config.hardware.networkInterfaces.wlan0 secrets-1; services.hostap-1 = mkWifiSta (
baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt
) config.hardware.networkInterfaces.wlan0 secrets-1;
# wlan1 is the 5GHz interface, e.g. AX capable. # wlan1 is the 5GHz interface, e.g. AX capable.
services.hostap-2 = mkWifiSta ( services.hostap-2 = mkWifiSta (
baseParams // modernParams baseParams // clientRadius // localRadius // serverRadius // radiusKeyMgmt // modernParams
) config.hardware.networkInterfaces.wlan1 secrets-2; ) config.hardware.networkInterfaces.wlan1 secrets-2;
defaultProfile.packages = with pkgs; [ defaultProfile.packages = with pkgs; [
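Review bot: The `private_key = builtins.toFile "dgnum-ap-server-pkey" (builtins.readFile ../../keys/certs/dgnum-ap-server.key.pem);` entry in `localRadius` copies the EAP server's TLS private key into the Nix store, which is world-readable on the device and in any binary cache the closure is pushed to, so every local user (and anyone with the cache) can read the key that protects the PEAP tunnel. hostapd takes `private_key` as a file path, so pointing it at a location provisioned outside the store, e.g. `private_key = "/run/secrets/dgnum-ap-server.key.pem"; # placeholder path, deployed out of band`, avoids this, and the same applies to the `eap_user_file` built with `pkgs.writeText`, whose `"test" MSCHAPV2 "diamond dogs" [2]` line is a plaintext credential that likewise ends up in the store. Separately, `radius_server_clients` is `0.0.0.0/0 dgnum` with `radius_server_auth_port = 1812` and `radius_server_ipv6 = 1`, so presumably any host that can reach that port on the AP is accepted as a RADIUS client with a shared secret that is itself in the store; restricting the client list to the address ranges that need it and sourcing the secret at runtime would be advisable. The commented-out `externalRadius` block still carries `auth_server_shared_secret = "dgnum";` and would have the same issue if re-enabled.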


@ -130,10 +130,10 @@
"type": "Git", "type": "Git",
"url": "https://git.dgnum.eu/DGNum/liminix.git" "url": "https://git.dgnum.eu/DGNum/liminix.git"
}, },
"branch": "main", "branch": "strong-tftp",
"revision": "7206fea4b4e9a5e50be91cce39c09da602cdb694", "revision": "a906301aebab47f11b2d2e762af8b65b8fc1040a",
"url": null, "url": null,
"hash": "0dd7r80skjamx1sppsl6mdmjhr355lbmc72g0l0356xs67mg8w5p" "hash": "0c744qyjhcf6s474r4g6z5jww2dzgl857q320d9lm153ambz7rjh"
}, },
"linkal": { "linkal": {
"type": "Git", "type": "Git",
@ -332,4 +332,4 @@
} }
}, },
"version": 3 "version": 3
} }