author | Michele Guerini Rocco <rnhmjoj@users.noreply.github.com> | 2023-11-06 11:17:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-11-06 11:17:07 +0100 |
commit | 8beca974f9838ff727c949d373ea9e77f4a1ba79 (patch) | |
tree | b9b3650b9b0ab3e49ef3c9ee8d0f2e9f557a36d3 /nixos | |
parent | ba774d337e70aa2f961e1d1545faa4981f9416aa (diff) | |
parent | 9e7c877de75835018551bbd3029ac4d83f3e31cc (diff) | |
Merge pull request #263138 from tomfitzhenry/hostapd-optional-managementframeprotection
nixos/hostapd: remove managementFrameProtection in favour of clearer default
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/hostapd.nix | 30 |
1 files changed, 2 insertions, 28 deletions
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index ffb154463053..5bd8e1d4d7a0 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -899,25 +899,6 @@ in {
 '';
 };
 };
-
- managementFrameProtection = mkOption {
- default = "required";
- type = types.enum ["disabled" "optional" "required"];
- apply = x:
- getAttr x {
- "disabled" = 0;
- "optional" = 1;
- "required" = 2;
- };
- description = mdDoc ''
- Management frame protection (MFP) authenticates management frames
- to prevent deauthentication (or related) attacks.
-
- - {var}`"disabled"`: No management frame protection
- - {var}`"optional"`: Use MFP if a connection allows it
- - {var}`"required"`: Force MFP for all clients
- '';
- };
 };
 config = let
@@ -943,7 +924,8 @@ in {
 # IEEE 802.11i (authentication) related configuration
 # Encrypt management frames to protect against deauthentication and similar attacks
- ieee80211w = bssCfg.managementFrameProtection;
+ ieee80211w = mkDefault 1;
+ sae_require_mfp = mkDefault 1;
 # Only allow WPA by default and disable insecure WEP
 auth_algs = mkDefault 1;
@@ -1185,14 +1167,6 @@ in {
 message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
 }
 {
- assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
- message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
- }
- {
- assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
- message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
- }
- {
 assertion = countWpaPasswordDefinitions <= 1;
 message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
 } |
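Review bot: In the second hunk the comment `# Encrypt management frames to protect against deauthentication and similar attacks` now sits above `ieee80211w = mkDefault 1;`, which (per the enum the first hunk removes, where 1 was "optional") only advertises MFP as optional, so the comment overstates what the default enforces; I would reword it to `# MFP is advertised as optional by default (ieee80211w = 1); sae_require_mfp = 1 makes it mandatory for SAE associations, and both stay overridable via mkDefault`. Because the third hunk also drops the assertions that tied `wpa3-sae` and `wpa3-sae-transition` to `managementFrameProtection`, a user who plainly assigns `ieee80211w = 0` (which wins over `mkDefault`) on an SAE BSS now gets no evaluation-time error, where before the module refused the configuration; consider keeping an assertion on the effective `ieee80211w` value for `auth.mode == "wpa3-sae"`, or documenting that overriding these two defaults breaks WPA3-SAE. The attrset these `mkDefault` lines belong to starts and ends outside the hunk, so I cannot see its option path from here.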