diff options
Diffstat (limited to 'nixos/modules/services/networking/hostapd.nix')
-rw-r--r-- | nixos/modules/services/networking/hostapd.nix | 34 |
1 files changed, 4 insertions, 30 deletions
diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix index 4ec066c2ec9..5bd8e1d4d7a 100644 --- a/nixos/modules/services/networking/hostapd.nix +++ b/nixos/modules/services/networking/hostapd.nix @@ -116,10 +116,10 @@ in { options = { services.hostapd = { enable = mkEnableOption (mdDoc '' - Whether to enable hostapd. hostapd is a user space daemon for access point and + hostapd, a user space daemon for access point and authentication servers. It implements IEEE 802.11 access point management, IEEE 802.1X/WPA/WPA2/EAP Authenticators, RADIUS client, EAP server, and RADIUS - authentication server. + authentication server ''); package = mkPackageOption pkgs "hostapd" {}; @@ -899,25 +899,6 @@ in { ''; }; }; - - managementFrameProtection = mkOption { - default = "required"; - type = types.enum ["disabled" "optional" "required"]; - apply = x: - getAttr x { - "disabled" = 0; - "optional" = 1; - "required" = 2; - }; - description = mdDoc '' - Management frame protection (MFP) authenticates management frames - to prevent deauthentication (or related) attacks. - - - {var}`"disabled"`: No management frame protection - - {var}`"optional"`: Use MFP if a connection allows it - - {var}`"required"`: Force MFP for all clients - ''; - }; }; config = let @@ -943,7 +924,8 @@ in { # IEEE 802.11i (authentication) related configuration # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = bssCfg.managementFrameProtection; + ieee80211w = mkDefault 1; + sae_require_mfp = mkDefault 1; # Only allow WPA by default and disable insecure WEP auth_algs = mkDefault 1; @@ -1185,14 +1167,6 @@ in { message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.''; } { - assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"''; - } - { - assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"''; - } - { assertion = countWpaPasswordDefinitions <= 1; message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)''; } |