authorChristian Pointner <equinox@spreadspace.org>2022-09-15 00:18:28 +0200
committerChristian Pointner <equinox@spreadspace.org>2022-09-15 01:48:23 +0200
commit243117389cca916b2b9bd57a550f2a27a628ce15 (patch)
tree12aa3c395bc18fd3b24b3e1728f2625c4434f405
parentch-router: upgrade to openwrt 22.03 and enable ntp-server for mgmt vlan (diff)
accesspoints: initial tests with 802.11r
-rw-r--r--chaos-at-home/group_vars/chaos-at-home-ap.yml9
-rw-r--r--filter_plugins/crypto.py13
-rw-r--r--inventory/group_vars/accesspoints/vars.yml21
-rw-r--r--inventory/group_vars/chaos-at-home-ap/vars.yml16
4 files changed, 57 insertions, 2 deletions
diff --git a/chaos-at-home/group_vars/chaos-at-home-ap.yml b/chaos-at-home/group_vars/chaos-at-home-ap.yml
new file mode 100644
index 00000000..3d179c52
--- /dev/null
+++ b/chaos-at-home/group_vars/chaos-at-home-ap.yml
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.2;AES256;chaos-at-home
+34343266646162383261313564646365393233643565356364386134663862646534383562336666
+6639633332613539663132383336343436396636306161370a323231653336376533636631373363
+36373865653863363338663762623164626631623739386561653935316430666132356662383863
+3666343965333939310a303530373037363636346639356561333264346466383462633533306538
+63373532636563333530333339306331343933383038633638346636326332366565306638376164
+65343761363162386331353731383437613462656538643638353464306230316662643366643561
+31623731366234666364343432373062336266336334366263333938623538393163333131636633
+65346230623634306362
diff --git a/filter_plugins/crypto.py b/filter_plugins/crypto.py
index b3dc32c4..54547a34 100644
--- a/filter_plugins/crypto.py
+++ b/filter_plugins/crypto.py
@@ -2,6 +2,7 @@ from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import hashlib
+from binascii import hexlify
from passlib.utils.binary import Base64Engine, HASH64_CHARS, BCRYPT_CHARS
from ansible.module_utils._text import to_bytes, to_text
from ansible import errors
@@ -41,6 +42,17 @@ def bcrypt_salt(seed):
raise errors.AnsibleFilterError("bcrypt_salt(): %s" % str(e))
+def wifi_80211r_key(seed):
+ ''' generate keys 802.11r r0kh and r1kh keys based on seed-value '''
+ try:
+ h = hashlib.new('sha256')
+ h.update(to_bytes(seed, errors='surrogate_or_strict'))
+ return to_text(hexlify(h.digest()))
+
+ except Exception as e:
+ raise errors.AnsibleFilterError("wifi_80211r_key(): %s" % str(e))
+
+
class FilterModule(object):
''' crypto helpers '''
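Review bot: The key returned by `wifi_80211r_key` is one unsalted SHA-256 pass over the seed string, so it is only as strong as `accesspoint_80211r.key_seed`; nothing in the filter stretches or validates the seed. The docstring should state that requirement and fix its wording, for example `''' derive the shared 802.11r r0kh/r1kh key (64 hex chars) from a high-entropy secret seed '''`. Because the caller joins seed, band and zone with ':', a seed or zone name containing ':' can make distinct inputs produce the same string. An HMAC-SHA256 keyed with the seed over the band/zone context would avoid that, though it changes the filter's input shape. The broad `except Exception` follows the pattern of `bcrypt_salt`, whose body starts outside this hunk.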
@@ -49,6 +61,7 @@ class FilterModule(object):
'sha256_salt': sha2_crypt_salt,
'sha512_salt': sha2_crypt_salt,
'bcrypt_salt': bcrypt_salt,
+ 'wifi_80211r_key': wifi_80211r_key,
}
def filters(self):
diff --git a/inventory/group_vars/accesspoints/vars.yml b/inventory/group_vars/accesspoints/vars.yml
index 7abe0582..3a11205c 100644
--- a/inventory/group_vars/accesspoints/vars.yml
+++ b/inventory/group_vars/accesspoints/vars.yml
@@ -91,22 +91,39 @@ accesspoint_wireless_devices_yaml: |
accesspoint_wireless_ifaces: "{{ accesspoint_wireless_ifaces_yaml | from_yaml }}"
accesspoint_wireless_ifaces_yaml: |
{% for zone in accesspoint_zones.keys() %}
+ {% set outer_loop = loop %}
{% for band in accesspoint_wireless_frequency_bands %}
- name: wifi-iface '{{ zone }}{{ band }}'
options:
device: 'radio{{ band }}'
network: '{{ zone }}'
mode: 'ap'
- disassoc_low_ack: '1'
- rsn_preauth: '1'
ssid: '{{ accesspoint_zones[zone].ssid }}'
encryption: '{{ accesspoint_zones[zone].encryption }}'
key: '{{ accesspoint_zones[zone].key }}'
+ disassoc_low_ack: '1'
+ rsn_preauth: '1'
+ {% if accesspoint_80211r is defined %}
+ ieee80211r: '1'
+ mobility_domain: '{{ '%04x' % (accesspoint_80211r.mobility_domain_base[band] + outer_loop.index0) }}'
+ nasid: '{{ accesspoint_wifi_mac_addr[band][inventory_hostname] | replace(':', '') }}'
+ ft_psk_generate_local: '0'
+ r1_key_holder: '{{ accesspoint_wifi_mac_addr[band][inventory_hostname] }}'
+ r0kh:
+ {% for ap in accesspoint_wifi_mac_addr[band] %}
+ - '{{ accesspoint_wifi_mac_addr[band][ap] }},{{ accesspoint_wifi_mac_addr[band][ap] | replace(':', '') }},{{ [accesspoint_80211r.key_seed,band,zone] | join(':') | wifi_80211r_key }}'
+ {% endfor %}
+ r1kh:
+ {% for ap in accesspoint_wifi_mac_addr[band] %}
+ - '{{ accesspoint_wifi_mac_addr[band][ap] }},{{ accesspoint_wifi_mac_addr[band][ap] }},{{ [accesspoint_80211r.key_seed,band,zone] | join(':') | wifi_80211r_key }}'
+ {% endfor %}
+ {% endif %}
{% endfor %}
{% endfor %}
+
openwrt_arch: ath79
openwrt_target: generic
openwrt_profile: ubnt_unifiac-lite
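Review bot: The new 802.11r block is gated only on `accesspoint_80211r is defined`, yet `nasid` and `r1_key_holder` index `accesspoint_wifi_mac_addr[band][inventory_hostname]` unconditionally. In this same commit the `2g` map in inventory/group_vars/chaos-at-home-ap/vars.yml lists ch-ap0 and ch-ap1 but not ch-ap2, so if ch-ap2 has a 2g radio in `accesspoint_wireless_frequency_bands` (not visible here), rendering would presumably fail or yield an empty identity. Consider tightening the guard to `{% if accesspoint_80211r is defined and inventory_hostname in accesspoint_wifi_mac_addr[band] %}`. Separately, `mobility_domain` comes from `outer_loop.index0`, so every AP has to iterate `accesspoint_zones` in the same order for the domains to match; a comment saying so would help, as would noting that one key per band and zone is shared by all APs in the r0kh/r1kh lists.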
diff --git a/inventory/group_vars/chaos-at-home-ap/vars.yml b/inventory/group_vars/chaos-at-home-ap/vars.yml
index 83925639..c36ab953 100644
--- a/inventory/group_vars/chaos-at-home-ap/vars.yml
+++ b/inventory/group_vars/chaos-at-home-ap/vars.yml
@@ -10,6 +10,22 @@ accesspoint_wifi_channels:
ch-ap1: 48
ch-ap2: 40
+accesspoint_wifi_mac_addr:
+ 2g:
+ ch-ap0: 18:e8:29:aa:43:c2
+ ch-ap1: 18:e8:29:aa:44:07
+ 5g:
+ ch-ap0: 18:e8:29:ab:43:c2
+ ch-ap1: 18:e8:29:ab:44:07
+ ch-ap2: 80:2a:a8:ee:f6:d5
+
+accesspoint_80211r:
+ mobility_domain_base:
+ 2g: 0x2400
+ 5g: 0x5000
+ key_seed: "{{ vault_accesspoint_80211r.key_seed }}"
+
+
accesspoint_zones:
lan: "{{ network_zones.lan.wifi }}"
iot: "{{ network_zones.iot.wifi }}"