From 491f53a8ce4a4a76fcaa4b1b99ec85e5f00b2ee5 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Tue, 21 Dec 2021 13:15:35 +0100
Subject: [PATCH] hotspot-to-wpa: support settings from template
---
 doc/hotspot-to-wpa.md | 24 +++++++++++++++++++++---
 global-config | 2 +-
 global-config-overlay | 2 +-
 global-config.changes | 1 +
 global-functions | 2 +-
 hotspot-to-wpa | 33 +++++++++++++++++++++++++++++++--
 6 files changed, 56 insertions(+), 8 deletions(-)
diff --git a/doc/hotspot-to-wpa.md b/doc/hotspot-to-wpa.md
index 13f307a..f3dccdb 100644
--- a/doc/hotspot-to-wpa.md
+++ b/doc/hotspot-to-wpa.md
@@ -49,14 +49,32 @@ On first run a disabled access list entry acting as marker (with comment
 "`--- hotspot-to-wpa above ---`") is added. Move this entry to define where new entries are to be added.
-Usage and invocation
---------------------
-
 Create hotspot login credentials:
 / ip hotspot user add add comment="Test User 1" name=user1 password=v3ry;
 / ip hotspot user add add comment="Test User 2" name=user2 password=s3cr3t;
+Additionally templates can be created to give more options for access list:
+
+* `private-passphrase`: do **not** use passphrase from hotspot's user
+ credentials, but given one - or unset (use default passphrase) with
+ special word `ignore`
+* `ssid-regexp`: set a different SSID regular expression to match
+* `vlan-id`: connect device to specific VLAN
+* `vlan-mode`: set the VLAN mode for device
+
+For a hotspot called `example` the template could look like this:
+
+ / caps-man access-list add comment="hotspot-to-wpa template example" disabled=yes private-passphrase="ignore" ssid-regexp="^example\$" vlan-id=10 vlan-mode=use-tag;
+
+The same settings are available in hotspot user's comment and take precedence
+over the template settings:
+
+ / ip hotspot user add comment="private-passphrase=ignore, ssid-regexp=^example\\\$, vlan-id=10, vlan-mode=use-tag" name=user password=v3ry-s3cr3t;
+
+Usage and invocation
+--------------------
+
 Now let the users connect and login to the hotspot. After that the devices (identified by MAC address) can connect to the WPA2 network, using the passphrase from hotspot credentials.
diff --git a/global-config b/global-config
index feccf55..024e52f 100644
--- a/global-config
+++ b/global-config
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
-:global GlobalConfigVersion 73;
+:global GlobalConfigVersion 74;
 # This is used for DNS and backup file.
 :global Domain "example.com";
diff --git a/global-config-overlay b/global-config-overlay
index 89b74e4..37f78cf 100644
--- a/global-config-overlay
+++ b/global-config-overlay
@@ -8,7 +8,7 @@
 # Make sure all configuration properties are up to date and this
 # value is in sync with value in script 'global-functions'!
 # Comment or remove to disable news and change notifications.
-:global GlobalConfigVersion 73;
+:global GlobalConfigVersion 74;
 # Copy configuration from global-config here and modify it.
diff --git a/global-config.changes b/global-config.changes
index 0325ac5..a070ecd 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -77,6 +77,7 @@
 71="MikroTik is pushing RouterOS v7 even more, in parallel branches. If you want to keep RouterOS v6 for some time see https://git.eworm.de/cgit/routeros-scripts/about/#changes-for-routeros-v6";
 72="Introduced new script 'netwatch-dns' to manage DNS and DoH servers from netwatch.";
 73="Renamed backup scripts ('cloud-backup' -> 'backup-cloud', 'email-backup' -> 'backup-email', 'upload-backup' -> 'backup-upload').";
+ 74="Extended 'hotspot-to-wpa', it can now read additional configuration from templates and hotspot users.";
 };
 # Migration steps to be applied on script updates
diff --git a/global-functions b/global-functions
index a6f31c8..625bbe4 100644
--- a/global-functions
+++ b/global-functions
@@ -8,7 +8,7 @@
 # https://git.eworm.de/cgit/routeros-scripts/about/
 # expected configuration version
-:global ExpectedConfigVersion 73;
+:global ExpectedConfigVersion 74;
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
diff --git a/hotspot-to-wpa b/hotspot-to-wpa
index b573b3f..c40e08a 100644
--- a/hotspot-to-wpa
+++ b/hotspot-to-wpa
@@ -10,12 +10,15 @@
 :global GlobalFunctionsReady;
 :while ($GlobalFunctionsReady != true) do={ :delay 500ms; }
+:global EitherOr;
 :global LogPrintExit2;
+:global ParseKeyValueStore;
 :local MacAddress $"mac-address";
 :local UserName $username;
 :local Date [ / system clock get date ];
-:local PassWord [ / ip hotspot user get [ find where name=$UserName ] password ];
+:local Hotspot [ / ip hotspot host get [ find where mac-address=$MacAddress authorized ] server ];
+:local UserVal [ / ip hotspot user get [ find where name=$UserName ] ];
 :if ([ :len [ / caps-man access-list find where comment="--- hotspot-to-wpa above ---" disabled ] ] = 0) do={
 / caps-man access-list add comment="--- hotspot-to-wpa above ---" disabled=yes;
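Review bot: The new `Hotspot` lookup assumes that exactly one authorized `/ ip hotspot host` entry matches `$MacAddress` at the moment the script runs; if none does (host already gone, or the script fired from a non-authorized state), `get` is called with an empty id and either the script aborts or `$Hotspot` ends up empty — which of the two happens is not visible here. Further down the template is searched by comment `"hotspot-to-wpa template " . $Hotspot`, so an empty `$Hotspot` silently matches no template instead of reporting the problem; a check right after the lookup, `:if ([ :len $Hotspot ] = 0) do={ $LogPrintExit2 warning $0 ("No authorized hotspot host found for " . $MacAddress) false; }`, would make that visible in the log. The `UserVal` line inherits the same unchecked-existence assumption from the `PassWord` line it replaces, now for the whole user record rather than only the password. The script continues above and below this hunk.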
@@ -28,4 +31,30 @@ $LogPrintExit2 info $0 ("Adding/updating accesslist entry for mac address " . $M
 / caps-man access-list remove [ find where mac-address=$MacAddress comment~"^hotspot-to-wpa: " ];
 / caps-man access-list add comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \
- mac-address=$MacAddress private-passphrase=$PassWord ssid-regexp="-wpa\$" place-before=$PlaceBefore;
+ mac-address=$MacAddress private-passphrase=($UserVal->"password") ssid-regexp="-wpa\$" place-before=$PlaceBefore;
+
+:local Template [ / caps-man access-list get ([ find where comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0) ];
+:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
+:local Entry [ / caps-man access-list find where mac-address=$MacAddress \
+ comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) ];
+
+:local PrivatePassphrase [ $EitherOr ($UserInfo->"private-passphrase") ($Template->"private-passphrase") ];
+:if ([ :len $PrivatePassphrase ] > 0) do={
+ :if ($PrivatePassphrase = "ignore") do={
+ / caps-man access-list set $Entry !private-passphrase;
+ } else={
+ / caps-man access-list set $Entry private-passphrase=$PrivatePassphrase;
+ }
+}
+:local SsidRegexp [ $EitherOr ($UserInfo->"ssid-regexp") ($Template->"ssid-regexp") ];
+:if ([ :len $SsidRegexp ] > 0) do={
+ / caps-man access-list set $Entry ssid-regexp=$SsidRegexp;
+}
+:local VlanId [ $EitherOr ($UserInfo->"vlan-id") ($Template->"vlan-id") ];
+:if ([ :len $VlanId ] > 0) do={
+ / caps-man access-list set $Entry vlan-id=$VlanId;
+}
+:local VlanMode [ $EitherOr ($UserInfo->"vlan-mode") ($Template->"vlan-mode") ];
+:if ([ :len $VlanMode] > 0) do={
+ / caps-man access-list set $Entry vlan-mode=$VlanMode;
+}
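Review bot: When no template exists for the hotspot, `[ find where comment=("hotspot-to-wpa template " . $Hotspot) disabled ]->0` on the `Template` line is empty and `get` is still called with that empty id; whether that aborts the script before any of the `set` calls run or merely yields an empty `$Template` is not visible here, so the lookup should be guarded and fall back to an empty array as sketched below. The `Entry` lookup re-finds the entry just created by its comment although `add` returns the new id, so `:local Entry [ / caps-man access-list add comment=("hotspot-to-wpa: " . $UserName . ", " . $MacAddress . ", " . $Date) \` with the existing parameters on the continuation line would drop the second search, which matches nothing if the add failed. The `UserInfo` line deserves a comment that the hotspot user's comment wins over the template for `vlan-id`, `vlan-mode` and `ssid-regexp` — whoever may edit hotspot user comments therefore decides which VLAN a device is placed in — and that a `private-passphrase` kept in the comment is presumably readable by anyone allowed to list hotspot users, unlike the password field; e.g. `# user comment overrides template: treat write access to hotspot user comments as privileged`. Minor: `[ :len $VlanMode]` lacks the space before `]` that the three checks above it use. The `$PlaceBefore` setup and the log call lie above this hunk.
```routeros
# … unchanged: access-list remove/add with the user's password …
:local TemplateIds [ / caps-man access-list find where comment=("hotspot-to-wpa template " . $Hotspot) disabled ];
:local Template ({});
:if ([ :len $TemplateIds ] > 0) do={
  :set Template [ / caps-man access-list get ($TemplateIds->0) ];
}
# user comment overrides template: treat write access to hotspot user comments as privileged
:local UserInfo [ $ParseKeyValueStore ($UserVal->"comment") ];
# … unchanged: Entry lookup and the EitherOr/set blocks …
```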