Wireless AP - WPA and MAC-Filtering



  • Hi All,

    I'm using 1.2-RC3 and thought I'd pick your brains about this one (sorry for the "War and Peace" in advance).

    I've made the following changes for MAC-Filtering to be enabled:
    -------------------------------------------------------------------

    *** taken from http://cvstrac.pfsense.com/tktview?tn=684 ***
    Only the following steps were performed.

    Find this section in /usr/local/www/interfaces_wlan.inc:

    Enable MAC Filtering

    Setting this option will enable the use of a mac filterlist to allow/deny association based on mac address

    <select name="macaddr_acl" class="formfld" id="macaddr_acl">
      <option <?php if ($pconfig['macaddr_acl'] == '0') echo "selected"; ?> value="0">Allow</option>
      <option <?php if ($pconfig['macaddr_acl'] == '1') echo "selected"; ?> value="1">Deny</option>
      <option <?php if ($pconfig['macaddr_acl'] == '2') echo "selected"; ?> value="2">Radius</option>
    </select>

    Setting this to "Allow" will allow all clients in not in deny list, while "Deny" will deny all clients not in allow list.
    Radius will cause allow and deny list to be searched and then query radius.

    */ ?>

    and delete the comment and end-comment lines.

    Then edit /etc/inc/interfaces.inc

    and find this section:
    $wpa .= <<<EOD
    interface={$if}
    driver=bsd
    logger_syslog=-1
    logger_syslog_level=0
    logger_stdout=-1
    logger_stdout_level=0
    dump_file={$g['tmp_path']}/hostapd_{$if}.dump
    ctrl_interface={$g['varrun_path']}/hostapd
    ctrl_interface_group=wheel
    #accept_mac_file={$g['tmp_path']}/hostapd_{$if}.accept
    #deny_mac_file={$g['tmp_path']}/hostapd_{$if}.deny
    #macaddr_acl={$wlcfg['wpa']['macaddr_acl']}
    ssid={$wlcfg['ssid']}
    debug={$wlcfg['wpa']['debug_mode']}
    auth_algs={$wlcfg['wpa']['auth_algs']}
    wpa={$wlcfg['wpa']['wpa_mode']}
    wpa_key_mgmt={$wlcfg['wpa']['wpa_key_mgmt']}
    wpa_pairwise={$wlcfg['wpa']['wpa_pairwise']}
    wpa_group_rekey={$wlcfg['wpa']['wpa_group_rekey']}
    wpa_gmk_rekey={$wlcfg['wpa']['wpa_gmk_rekey']}
    wpa_strict_rekey={$wlcfg['wpa']['wpa_strict_rekey']}
    wpa_passphrase={$wlcfg['wpa']['passphrase']}
    ieee8021x={$wlcfg['wpa']['ieee8021x']}
    #Enable the next lines for preauth when roaming. Interface = wired or wireless interface talking to the AP you want to roam from/to
    #rsn_preauth=1
    #rsn_preauth_interfaces=eth0
    EOD;

    Then remove the # from these lines:

    #accept_mac_file={$g['tmp_path']}/hostapd_{$if}.accept

    #deny_mac_file={$g['tmp_path']}/hostapd_{$if}.deny

    #macaddr_acl={$wlcfg['wpa']['macaddr_acl']}

    Then create the following files in /tmp/:

    hostapd_ath0.accept (assuming your interface is named ath0)

    hostapd_ath0.deny (you need to create both even if you only intend to use one of them, however one or both can be empty)

    Then insert the MAC address(es) into the file(s).

    -------------------------------------------------------------------

    some of my config:

    LAN: fxp0 (192.168.1.100)
    WAN: fxp1 (PPPoE) (DHCP - assigned from ISP)
    OPT1(WIRELESS): ath0  (D-Link DWL-G520)

    WIRELESS Config:
    Type: Static
    Bridge with: LAN
    Standard: 802.11g
    Mode: Access Point (should this be Infrastructure or Ad-hoc ??)
    Allow intra-BSS communication: enabled
    Enable WME: enabled
    Transmit Power: 99
    Channel: 11b/g - 6
    WEP: DISABLED
    WPA: ENABLED (PSK: ....)
    WPA Mode: Both  (should this be one or the other???)
    WPA Key Management Mode: Pre Shared Key
    Enable MAC Filtering: enabled (Deny selected)
    Authentication: Open System Authentication
    WPA Pairwise: Both  (should this be one or the other???)

    All other settings have been left as their default value.

    I've set up WPA along with MAC-Filtering. It all works OK (frankly, exactly as I want) until restarted. After restart, all works OK still, however WPA (still enabled in GUI) appears to be ignored. It says that MAC-Filtering is still enabled and I have "Deny" selected. Any wireless PC/Laptop can then connect and it says it is "unsecured".

    I go to "Diagnostics" -> "Edit File", then try to load either (without quotes) "/tmp/hostapd_ath0.accept" OR "/tmp/hostapd_ath0.deny"; to my surprise they have both disappeared. I've recreated both, put an entry in "hostapd_ath0.accept" of the form xx:xx:xx:xx:xx:xx (not sure if case sensitive). After a short time it is OK again, but after it is restarted again they are gone again. Hopefully this back-end will be a front-end in the near future.

    Am I missing something or is it a combination of settings it doesn't like?
    Should the accept and deny files be located elsewhere, eg. /etc/tmp/ ?
    Any suggestions on what is the best method or methods for doing this ?

    I don't want to lock it down too much via DHCP as other PCs and Laptops will come and go in my absence - these won't be wireless.
    I can create separate firewall rules for each allowed wireless client, but I don't think I should have to.

    ...maybe I have to live with it until the next full or beta version?

    Finally, has anyone used the "freeradius" addon package? I don't know much about this but is it worth looking into?

    Cheers... in advance.
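The three hostapd lines the patch above un-comments, and the Allow/Deny/Radius semantics the select box describes, modelled as an added example (this is not pfSense or hostapd code). It assumes the usual hostapd accept/deny file layout of one MAC per line, with blank lines and lines starting with # ignored, and that hostapd compares addresses case-insensitively, so entries are normalised to lower case before comparison; the addresses in the sample files are constructed placeholders.

```python
"""Added example, not pfSense or hostapd code: model the hostapd MAC ACL
switched on by the patched interfaces.inc, and validate the accept/deny
files before they are handed to hostapd.

Assumptions (labelled): one MAC per line, blank lines and '#' comment lines
ignored, case-insensitive comparison (entries normalised to lower case)."""
import re
from typing import Iterable, Optional, Set

# macaddr_acl values as used by hostapd and by the patched pfSense select box.
ACL_ACCEPT_UNLESS_DENIED = 0   # "Allow": admit everyone not in the deny file
ACL_DENY_UNLESS_ACCEPTED = 1   # "Deny": admit only stations in the accept file
ACL_RADIUS = 2                 # search both files, then ask RADIUS

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalise_mac(mac: str) -> str:
    """Lower-case a MAC and reject anything that is not xx:xx:xx:xx:xx:xx."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC address entry: {mac!r}")
    return m


def parse_mac_file(lines: Iterable[str]) -> Set[str]:
    """Parse the contents of an accept or deny file (one MAC per line)."""
    macs = set()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):   # blank or comment line
            continue
        macs.add(normalise_mac(line))
    return macs


def station_admitted(acl_mode: int, sta_mac: str, accept: Set[str],
                     deny: Set[str], radius_says: Optional[bool] = None) -> Optional[bool]:
    """Decide whether the ACL step admits a station.

    Returns True/False, or None when acl_mode is RADIUS and neither file
    matched (hostapd then defers to the RADIUS server; radius_says stands in
    for that answer)."""
    sta = normalise_mac(sta_mac)
    if acl_mode == ACL_ACCEPT_UNLESS_DENIED:
        return sta not in deny
    if acl_mode == ACL_DENY_UNLESS_ACCEPTED:
        return sta in accept
    if acl_mode == ACL_RADIUS:
        if sta in accept:
            return True
        if sta in deny:
            return False
        return radius_says
    raise ValueError(f"unknown macaddr_acl value {acl_mode!r}")


def render_hostapd_acl(if_name: str, tmp_path: str, acl_mode: int) -> str:
    """Render the three lines the patch un-comments in interfaces.inc."""
    return (
        f"accept_mac_file={tmp_path}/hostapd_{if_name}.accept\n"
        f"deny_mac_file={tmp_path}/hostapd_{if_name}.deny\n"
        f"macaddr_acl={acl_mode}\n"
    )


# Constructed sample file contents (placeholder addresses, not real clients).
SAMPLE_ACCEPT = ["# laptop", "00:11:22:AA:BB:CC", "", "00:11:22:aa:bb:cd"]
SAMPLE_DENY = ["00:11:22:de:ad:00"]

if __name__ == "__main__":
    accept = parse_mac_file(SAMPLE_ACCEPT)
    deny = parse_mac_file(SAMPLE_DENY)
    print(render_hostapd_acl("ath0", "/tmp", ACL_DENY_UNLESS_ACCEPTED))
    for mac in ("00:11:22:aa:bb:cc", "00:11:22:de:ad:00", "00:11:22:00:00:01"):
        print(mac, "->", station_admitted(ACL_DENY_UNLESS_ACCEPTED, mac, accept, deny))
```

Running it makes the two modes concrete: with "Deny" (macaddr_acl=1) selected, an empty accept file admits nobody, while with "Allow" (macaddr_acl=0) an empty deny file admits everyone. The ACL only gates association by an address that every frame carries in the clear, so it complements WPA rather than replacing it; the validator's job is to catch a malformed entry before hostapd silently starts without the list.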



  • MAC-Filtering does not work with my Atheros card…

    Or is it because I wrote the MAC like xx:xx:xx:... in the files? But that should be correct, or not?

