From 9f7335d44912c5af97e7dc01caba7c6340442f82 Mon Sep 17 00:00:00 2001
From: Tom Fitzhenry
Date: Tue, 24 Oct 2023 23:44:51 +1100
Subject: [PATCH 1/2] nixos/hostapd: document that legacy example should have optional MFP

Thinkpad x230, for example, is unable to connect to the legacy example if managementFrameProtection is required.
---
 nixos/modules/services/networking/hostapd.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index ffb1544630531..eb70d98357aad 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -161,6 +161,7 @@ in {
 mode = "wpa2-sha256";
 wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
 };
+ managementFrameProtection = "optional";
 };
 };
 }

From 9e7c877de75835018551bbd3029ac4d83f3e31cc Mon Sep 17 00:00:00 2001
From: Tom Fitzhenry
Date: Tue, 24 Oct 2023 23:54:44 +1100
Subject: [PATCH 2/2] nixos/hostapd: remove managementFrameProtection

---
 nixos/modules/services/networking/hostapd.nix | 31 ++-----------------
 1 file changed, 2 insertions(+), 29 deletions(-)

diff --git a/nixos/modules/services/networking/hostapd.nix b/nixos/modules/services/networking/hostapd.nix
index eb70d98357aad..5bd8e1d4d7a0f 100644
--- a/nixos/modules/services/networking/hostapd.nix
+++ b/nixos/modules/services/networking/hostapd.nix
@@ -161,7 +161,6 @@ in {
 mode = "wpa2-sha256";
 wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
 };
- managementFrameProtection = "optional";
 };
 };
 }
@@ -900,25 +899,6 @@ in { ''; }; }; - - managementFrameProtection = mkOption { - default = "required"; - type = types.enum ["disabled" "optional" "required"]; - apply = x: - getAttr x { - "disabled" = 0; - "optional" = 1; - "required" = 2; - }; - description = mdDoc '' - Management frame protection (MFP) authenticates management frames - to prevent deauthentication (or related) attacks. - - - {var}`"disabled"`: No management frame protection - - {var}`"optional"`: Use MFP if a connection allows it - - {var}`"required"`: Force MFP for all clients - ''; - }; }; config = let @@ -944,7 +924,8 @@ in { # IEEE 802.11i (authentication) related configuration # Encrypt management frames to protect against deauthentication and similar attacks - ieee80211w = bssCfg.managementFrameProtection; + ieee80211w = mkDefault 1; + sae_require_mfp = mkDefault 1; # Only allow WPA by default and disable insecure WEP auth_algs = mkDefault 1; @@ -1185,14 +1166,6 @@ in { assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null); message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.''; } - { - assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"''; - } - { - assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0; - message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"''; - } { assertion = countWpaPasswordDefinitions <= 1; message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';
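Review bot: The `@@ -944` hunk lowers the default from MFP required (the removed option defaulted to `"required"`, mapped to `2` in the `@@ -900` hunk) to `ieee80211w = mkDefault 1` for every BSS, so clients that do not negotiate MFP are once again exposed to forged deauthentication frames, and neither the comment above the line nor the commit message records that this is a deliberate compatibility trade-off. The removed `wpa3-sae` assertion in the `@@ -1185` hunk had enforced `2` for pure SAE networks; `sae_require_mfp = mkDefault 1` forces MFP on SAE associations but does not make the AP advertise MFP as required, so if `auth.mode` (as used by the remaining assertions) is in scope here, consider `ieee80211w = mkDefault (if auth.mode == "wpa3-sae" then 2 else 1);` and reword the comment to `# MFP is optional by default for client compatibility (required for pure WPA3-SAE); override via ieee80211w.`. The `@@ -900` hunk also removes the `managementFrameProtection` option with no `mkRemovedOptionModule` entry visible in this diff, so existing configurations setting it will presumably fail evaluation without pointing at the replacement. A release-note entry for both the option removal and the required-to-optional default change would be warranted.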