I want hostapd to assign each station a given VLAN based on its MAC address. By the way, my network is small; using RADIUS would be overkill.
According to hostapd's manual:
Static client MAC address to VLAN mapping can optionally be set using the local MAC ACL list (accept_mac_file).
Suppose I have only one station (with MAC DE:AD:BE:EF:CA:FE). I created a VLAN with:
sudo ip link add link wlan0 name vlan.100 type vlan id 100
sudo ip addr add 192.168.100.1/24 brd 192.168.100.255 dev vlan.100
sudo ip link set dev vlan.100 up
In hostapd.conf I use:
# Interface to use
interface=wlan0
# Driver
driver=nl80211
# Name of the network
ssid=YaddaYadda
# Use the 2.4GHz band: g = IEEE 802.11g (2.4 GHz)
hw_mode=g
# Use channel 6
channel=6
# Enable 802.11n
ieee80211n=1
# Enable 40MHz channels with 20ns guard interval
ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40]
# Accept only known MAC addresses
macaddr_acl=1
accept_mac_file=/etc/hostapd/accept
# Use WPA authentication
auth_algs=1
# Send empty SSID in beacons and ignore probe request frames that do not specify full SSID
ignore_broadcast_ssid=1
# Use WPA2
wpa=2
# Use a pre-shared key
wpa_key_mgmt=WPA-PSK
# Enable the wireless multimedia extensions
wmm_enabled=1
# The network hashed passphrase
wpa_psk=786451648446NotReallyTheHashedPassphrase849989654651651651654564
# Use AES, instead of TKIP
rsn_pairwise=CCMP
# Isolate Clients
ap_isolate=1
# HOSTAPD event logger configuration
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
# Country code
country_code=NO
In the file /etc/hostapd/accept I put the following:
DE:AD:BE:EF:CA:FE vlan.100
hostapd starts without any problem. However, after my station with MAC DE:AD:BE:EF:CA:FE connects, I still get all of its traffic on wlan0 instead of on vlan.100.
hostapd does not mention how the accept_mac_file is supposed to map MAC <-> VLAN.
Has anyone gotten this MAC <-> VLAN mapping to work?
Posted on 2019-07-08 04:34:35
Looking at the hostapd source code, I found that config_file.c has a hostapd_config_read_maclist() function that parses the files referenced by the accept_mac_file and deny_mac_file configuration values:
static int hostapd_config_read_maclist(const char *fname,
                                       struct mac_acl_entry **acl, int *num)
{
    FILE *f;
    char buf[128], *pos;
    int line = 0;
    u8 addr[ETH_ALEN];
    int vlan_id;

    f = fopen(fname, "r");
    if (!f) {
        wpa_printf(MSG_ERROR, "MAC list file '%s' not found.", fname);
        return -1;
    }

    while (fgets(buf, sizeof(buf), f)) {
        int rem = 0;

        line++;

        if (buf[0] == '#')
            continue;
        pos = buf;
        while (*pos != '\0') {
            if (*pos == '\n') {
                *pos = '\0';
                break;
            }
            pos++;
        }
        if (buf[0] == '\0')
            continue;
        pos = buf;
        if (buf[0] == '-') {
            rem = 1;
            pos++;
        }

        if (hwaddr_aton(pos, addr)) {
            wpa_printf(MSG_ERROR, "Invalid MAC address '%s' at "
                       "line %d in '%s'", pos, line, fname);
            fclose(f);
            return -1;
        }

        if (rem) {
            hostapd_remove_acl_mac(acl, num, addr);
            continue;
        }
        vlan_id = 0;
        pos = buf;
        while (*pos != '\0' && *pos != ' ' && *pos != '\t')
            pos++;
        while (*pos == ' ' || *pos == '\t')
            pos++;
        if (*pos != '\0')
            vlan_id = atoi(pos);

        if (hostapd_add_acl_maclist(acl, num, vlan_id, addr) < 0) {
            fclose(f);
            return -1;
        }
    }

    fclose(f);

    if (*acl)
        qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp);

    return 0;
}
I haven't tested this to confirm (yet), but based on the code above, the rules for *_mac_file files look like this:
Lines starting with # are ignored.
The MAC address is written as hex octets separated by :.
A MAC address prefixed with - removes all occurrences of it from the list.
The MAC address may be followed by whitespace and a VLAN ID; if the VLAN ID is 0, unspecified, or not an integer, it is treated as no VLAN.
Based on these rules, I believe the way to map the MAC address DE:AD:BE:EF:CA:FE to the VLAN named vlan.100 with ID 100 is:
DE:AD:BE:EF:CA:FE 100
That is, only the VLAN ID matters to hostapd, not the VLAN name.
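The rules above, as an added lint script that is not part of the answer or of hostapd: it re-implements what hostapd_config_read_maclist() does (including C atoi() semantics for the VLAN field), so a line like the question's "DE:AD:BE:EF:CA:FE vlan.100" is reported instead of silently becoming VLAN 0. The sample file contents are constructed.

```python
import re

# hwaddr_aton() in hostapd reads exactly 17 characters: hex octets joined by ':'.
MAC_RE = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5}")

def c_atoi(text):
    """Mimic C atoi(): optional sign plus leading digits, anything else gives 0."""
    m = re.match(r"\s*([+-]?\d+)", text)
    return int(m.group(1)) if m else 0

def parse_maclist(text):
    """Return ([(mac, vlan_id), ...], [warnings]) following hostapd's rules above."""
    acl, warnings = [], []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line.startswith("#") or line == "":
            continue
        remove = line.startswith("-")
        pos = line[1:] if remove else line
        if not MAC_RE.match(pos):
            raise ValueError(f"Invalid MAC address '{pos}' at line {lineno}")
        mac = pos[:17].lower()
        if remove:
            # A '-' prefix drops every earlier entry for this MAC.
            acl = [e for e in acl if e[0] != mac]
            continue
        # The VLAN field is whatever follows the first run of spaces/tabs.
        field = re.sub(r"^[^ \t]*[ \t]*", "", line)
        vlan_id = c_atoi(field)
        if field and not re.fullmatch(r"[+-]?\d+", field):
            warnings.append(f"line {lineno}: VLAN field '{field}' is not an "
                            f"integer; hostapd's atoi() reads it as {vlan_id}")
        acl.append((mac, vlan_id))
    return acl, warnings

# Constructed file contents; line 2 is the form used in the question.
SAMPLE = """# accept_mac_file
DE:AD:BE:EF:CA:FE vlan.100
00:11:22:33:44:55 200
AA:BB:CC:DD:EE:01
AA:BB:CC:DD:EE:01 300
-AA:BB:CC:DD:EE:01
"""

if __name__ == "__main__":
    entries, notes = parse_maclist(SAMPLE)
    for mac, vlan in entries:
        print(f"{mac} -> VLAN {vlan or 'none'}")
    print(*notes, sep="\n")
```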
https://serverfault.com/questions/937595