authorTom Fitzhenry <tom@tom-fitzhenry.me.uk>2023-10-24 23:54:44 +1100
committerTom Fitzhenry <tom@tom-fitzhenry.me.uk>2023-10-24 23:54:44 +1100
commit9e7c877de75835018551bbd3029ac4d83f3e31cc (patch)
treeb83b18c26c5bbccf9bcdadfc113ff1704abdfce7 /nixos
parent9f7335d44912c5af97e7dc01caba7c6340442f82 (diff)
nixos/hostapd: remove managementFrameProtection
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/services/networking/hostapd.nix31
1 files changed, 2 insertions, 29 deletions
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index eb70d98357aa..5bd8e1d4d7a0 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -161,7 +161,6 @@ in {
                   mode = "wpa2-sha256";
                   wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
                 };
-                managementFrameProtection = "optional";
               };
             };
           }
@@ -900,25 +899,6 @@ in {
                       '';
                     };
                   };
-
-                  managementFrameProtection = mkOption {
-                    default = "required";
-                    type = types.enum ["disabled" "optional" "required"];
-                    apply = x:
-                      getAttr x {
-                        "disabled" = 0;
-                        "optional" = 1;
-                        "required" = 2;
-                      };
-                    description = mdDoc ''
-                      Management frame protection (MFP) authenticates management frames
-                      to prevent deauthentication (or related) attacks.
-
-                      - {var}`"disabled"`: No management frame protection
-                      - {var}`"optional"`: Use MFP if a connection allows it
-                      - {var}`"required"`: Force MFP for all clients
-                    '';
-                  };
                 };
 
                 config = let
@@ -944,7 +924,8 @@ in {
 
                     # IEEE 802.11i (authentication) related configuration
                     # Encrypt management frames to protect against deauthentication and similar attacks
-                    ieee80211w = bssCfg.managementFrameProtection;
+                    ieee80211w = mkDefault 1;
+                    sae_require_mfp = mkDefault 1;
 
                     # Only allow WPA by default and disable insecure WEP
                     auth_algs = mkDefault 1;
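Review bot: The added `ieee80211w = mkDefault 1;` makes management frame protection optional, while the option it replaces defaulted to `"required"` (applied as 2 in the removed definition), so this commit lowers the effective default for every BSS, and the comment kept above it (`# Encrypt management frames to protect against deauthentication and similar attacks`) now overstates what the default guarantees: a client that does not advertise MFP still associates unprotected, and only SAE associations are forced by the added `sae_require_mfp = mkDefault 1;`. I would reword the comment to `# MFP is negotiated per client (ieee80211w=1) and enforced for SAE via sae_require_mfp; override ieee80211w to 2 to require it for all clients`, since both values are `mkDefault` and can be raised by the operator. The attribute set these lines belong to starts outside the hunk, so the exact user-facing option path for that override should be confirmed before naming it in the comment.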
@@ -1186,14 +1167,6 @@ in {
                   message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
                 }
                 {
-                  assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
-                  message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
-                }
-                {
-                  assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
-                  message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
-                }
-                {
                   assertion = countWpaPasswordDefinitions <= 1;
                   message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
                 }