nixos/hostapd: remove managementFrameProtection

This commit is contained in:
Tom Fitzhenry 2023-10-24 23:54:44 +11:00
parent 9f7335d449
commit 9e7c877de7

View file

@ -161,7 +161,6 @@ in {
mode = "wpa2-sha256";
wpaPassword = "a flakey password"; # Use wpaPasswordFile if possible.
};
managementFrameProtection = "optional";
};
};
}
@ -900,25 +899,6 @@ in {
'';
};
};
managementFrameProtection = mkOption {
default = "required";
type = types.enum ["disabled" "optional" "required"];
apply = x:
getAttr x {
"disabled" = 0;
"optional" = 1;
"required" = 2;
};
description = mdDoc ''
Management frame protection (MFP) authenticates management frames
to prevent deauthentication (or related) attacks.
- {var}`"disabled"`: No management frame protection
- {var}`"optional"`: Use MFP if a connection allows it
- {var}`"required"`: Force MFP for all clients
'';
};
};
config = let
@ -944,7 +924,8 @@ in {
# IEEE 802.11i (authentication) related configuration
# Encrypt management frames to protect against deauthentication and similar attacks
ieee80211w = bssCfg.managementFrameProtection;
ieee80211w = mkDefault 1;
sae_require_mfp = mkDefault 1;
# Only allow WPA by default and disable insecure WEP
auth_algs = mkDefault 1;
@ -1185,14 +1166,6 @@ in {
assertion = (length (attrNames radioCfg.networks) > 1) -> (bssCfg.bssid != null);
message = ''hostapd radio ${radio} bss ${bss}: bssid must be specified manually (for now) since this radio uses multiple BSS.'';
}
{
assertion = auth.mode == "wpa3-sae" -> bssCfg.managementFrameProtection == 2;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE which requires managementFrameProtection="required"'';
}
{
assertion = auth.mode == "wpa3-sae-transition" -> bssCfg.managementFrameProtection != 0;
message = ''hostapd radio ${radio} bss ${bss}: uses WPA3-SAE in transition mode with WPA2-SHA256, which requires managementFrameProtection="optional" or ="required"'';
}
{
assertion = countWpaPasswordDefinitions <= 1;
message = ''hostapd radio ${radio} bss ${bss}: must use at most one WPA password option (wpaPassword, wpaPasswordFile, wpaPskFile)'';