qca-wifi-7: hostapd.sh: add missed functionality from ipq807x_v5.4

The main reason was adding missed functionality for Radius configuration which caused rejecting WiFi clients on authentication level. Still some changes not included: * AFC, * hs20_release, * multiple_bssid, * he_co_locate Fixes: WIFI-14459 Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
2025-10-30 18:07:52 +00:00 · 2025-04-17 14:10:44 +02:00
parent b5987cc2a7
commit ea3afcda56
1 changed files with 174 additions and 109 deletions
--- a/feeds/qca-wifi-7/hostapd/files/hostapd.sh
+++ b/feeds/qca-wifi-7/hostapd/files/hostapd.sh
@@ -126,12 +126,15 @@ hostapd_common_add_device_config() {
 	config_add_int maxassoc
 	config_add_int reg_power_type
 	config_add_boolean stationary_ap
+	config_add_boolean maxassoc_ignore_probe

 	config_add_string acs_chan_bias
+	config_add_boolean acs_exclude_dfs
 	config_add_array hostapd_options

 	config_add_int airtime_mode
 	config_add_int mbssid
+	config_add_boolean rnr_beacon ema

 	hostapd_add_log_config
 }
@@ -142,10 +145,11 @@ hostapd_prepare_device_config() {

 	local base_cfg=

-	json_get_vars country country3 country_ie beacon_int:100 doth require_mode legacy_rates \
+	json_get_vars country country3 country_ie beacon_int:100 dtim_period:2 doth require_mode legacy_rates \
 		acs_chan_bias local_pwr_constraint spectrum_mgmt_required airtime_mode cell_density \
 		rts_threshold beacon_rate rssi_reject_assoc_rssi rssi_ignore_probe_request maxassoc \
-		mbssid:0 band reg_power_type stationary_ap
+		rnr_beacon mbssid:0 band reg_power_type stationary_ap acs_exclude_dfs\
+		maxassoc_ignore_probe band

 	hostapd_set_log_options base_cfg

@@ -155,6 +159,9 @@ hostapd_prepare_device_config() {
 	set_default legacy_rates 0
 	set_default airtime_mode 0
 	set_default cell_density 0
+	set_default rnr_beacon 0
+	set_default ema 0
+	set_default acs_exclude_dfs 0

 	[ -n "$country" ] && {
 		append base_cfg "country_code=$country" "$N"
@@ -244,8 +251,14 @@ hostapd_prepare_device_config() {
 	[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
 	append base_cfg "beacon_int=$beacon_int" "$N"
 	[ -n "$rts_threshold" ] && append base_cfg "rts_threshold=$rts_threshold" "$N"
+	append base_cfg "dtim_period=$dtim_period" "$N"
 	[ "$airtime_mode" -gt 0 ] && append base_cfg "airtime_mode=$airtime_mode" "$N"
 	[ -n "$maxassoc" ] && append base_cfg "iface_max_num_sta=$maxassoc" "$N"
+	[ "$maxassoc_ignore_probe" -gt 0 ] && append base_cfg "no_probe_resp_if_max_sta=1" "$N"
+	[ "$rnr_beacon" -gt 0 ] && append base_cfg "rnr_beacon=$rnr_beacon" "$N"
+	[ "$ema" -gt 0 ] && append base_cfg "ema=$ema" "$N"
+	[ "$acs_exclude_dfs" -gt 0 ] && append base_cfg "acs_exclude_dfs=$acs_exclude_dfs" "$N"
+
 	[ "$mbssid" -gt 0 ] && [ "$mbssid" -le 2 ] && append base_cfg "mbssid=$mbssid" "$N"

 	[ "$band" = "6g" ] && {
@@ -287,15 +300,24 @@ hostapd_common_add_bss_config() {
 	config_add_int ieee80211w
 	config_add_int eapol_version

-	config_add_array auth_server acct_server
-	config_add_string 'server:host'
+	config_add_string 'auth_server:host' 'server:host'
 	config_add_string auth_secret key
 	config_add_int 'auth_port:port' 'port:port'

+	config_add_string acct_server
 	config_add_string acct_secret
 	config_add_int acct_port
+
+	config_add_string acct_server_secondary
+	config_add_string acct_secret_secondary
+	config_add_int acct_port_secondary
+
 	config_add_int acct_interval

+	config_add_string auth_server_secondary
+	config_add_string auth_secret_secondary
+	config_add_int auth_port_secondary
+
 	config_add_int bss_load_update_period chan_util_avg_period

 	config_add_string dae_client
@@ -339,8 +361,8 @@ hostapd_common_add_bss_config() {
 	config_add_string lci civic

 	config_add_boolean ieee80211r pmk_r1_push ft_psk_generate_local ft_over_ds
-	config_add_int r0_key_lifetime reassociation_deadline
-	config_add_string mobility_domain r1_key_holder
+	config_add_int r0_key_lifetime reassociation_deadline ft_l2_refresh
+	config_add_string mobility_domain r1_key_holder ft_key
 	config_add_array r0kh r1kh

 	config_add_int ieee80211w_max_timeout ieee80211w_retry_timeout
@@ -391,14 +413,18 @@ hostapd_common_add_bss_config() {
 	config_add_array radius_auth_req_attr
 	config_add_array radius_acct_req_attr

-	config_add_int eap_server radius_server_auth_port
-	config_add_string eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients
+	config_add_int eap_server
+	config_add_string eap_user_file ca_cert server_cert private_key private_key_passwd server_id

 	config_add_boolean fils
 	config_add_string fils_dhcp

+	config_add_boolean ratelimit
 	config_add_int ocv

+	config_add_string uci_section
+	config_add_boolean dynamic_probe_resp
+
 	config_add_boolean apup
 	config_add_string apup_peer_ifname_prefix
 }
@@ -433,6 +459,7 @@ hostapd_set_psk() {
 	local ifname="$1"

 	rm -f /var/run/hostapd-${ifname}.psk
+	touch /var/run/hostapd-${ifname}.psk
 	for_each_station hostapd_set_psk_file ${ifname}
 }

@@ -549,187 +576,17 @@ append_airtime_sta_weight() {
 	[ -n "$1" ] && append bss_conf "airtime_sta_weight=$1" "$N"
 }

-append_auth_server() {
-	[ -n "$1" ] || return
-	append bss_conf "auth_server_addr=$1" "$N"
-	append bss_conf "auth_server_port=$auth_port" "$N"
-	[ -n "$auth_secret" ] && append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
-}
+append_radius_server() {

-append_acct_server() {
-	[ -n "$1" ] || return
-	append bss_conf "acct_server_addr=$1" "$N"
-	append bss_conf "acct_server_port=$acct_port" "$N"
-	[ -n "$acct_secret" ] && append bss_conf "acct_server_shared_secret=$acct_secret" "$N"
-}
-
-hostapd_set_bss_options() {
-	local var="$1"
-	local phy="$2"
-	local vif="$3"
-
-	wireless_vif_parse_encryption
-
-	local bss_conf bss_md5sum ft_key
-	local wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_key_mgmt
-
-	json_get_vars \
-		wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_strict_rekey \
-		wpa_disable_eapol_key_retries tdls_prohibit \
-		maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
-		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
-		wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
-		macfilter ssid utf8_ssid wmm uapsd hidden short_preamble rsn_preauth \
-		iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
-		acct_secret acct_port acct_interval \
-		bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
-		multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
-		ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
-		multicast_to_unicast_all proxy_arp per_sta_vif \
-		eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
-		vendor_elements fils ocv apup multi_psk
-
-	set_default fils 0
-	set_default isolate 0
-	set_default maxassoc 0
-	set_default max_inactivity 0
-	set_default short_preamble 1
-	set_default disassoc_low_ack 1
-	set_default skip_inactivity_poll 0
-	set_default hidden 0
-	set_default wmm 1
-	set_default uapsd 1
-	set_default wpa_disable_eapol_key_retries 0
-	set_default multi_psk $multi_psk
-	set_default tdls_prohibit 0
-	set_default eapol_version $((wpa & 1))
-	set_default acct_port 1813
-	set_default bss_load_update_period 60
-	set_default chan_util_avg_period 600
-	set_default utf8_ssid 1
-	set_default multi_ap 0
-	set_default ppsk 0
-	set_default airtime_bss_weight 0
-	set_default airtime_bss_limit 0
-	set_default eap_server 0
-	set_default apup 0
-
-	/usr/sbin/hostapd -vfils || fils=0
-
-	append bss_conf "ctrl_interface=/var/run/hostapd"
-	if [ "$isolate" -gt 0 ]; then
-		append bss_conf "ap_isolate=$isolate" "$N"
-	fi
-	if [ "$maxassoc" -gt 0 ]; then
-		append bss_conf "max_num_sta=$maxassoc" "$N"
-	fi
-	if [ "$max_inactivity" -gt 0 ]; then
-		append bss_conf "ap_max_inactivity=$max_inactivity" "$N"
-	fi
-
-	[ "$airtime_bss_weight" -gt 0 ] && append bss_conf "airtime_bss_weight=$airtime_bss_weight" "$N"
-	[ "$airtime_bss_limit" -gt 0 ] && append bss_conf "airtime_bss_limit=$airtime_bss_limit" "$N"
-	json_for_each_item append_airtime_sta_weight airtime_sta_weight
-
-	append bss_conf "bss_load_update_period=$bss_load_update_period" "$N"
-	append bss_conf "chan_util_avg_period=$chan_util_avg_period" "$N"
-	append bss_conf "disassoc_low_ack=$disassoc_low_ack" "$N"
-	append bss_conf "skip_inactivity_poll=$skip_inactivity_poll" "$N"
-	append bss_conf "preamble=$short_preamble" "$N"
-	append bss_conf "wmm_enabled=$wmm" "$N"
-	append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
-	append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
-	append bss_conf "utf8_ssid=$utf8_ssid" "$N"
-	append bss_conf "multi_ap=$multi_ap" "$N"
-	[ -n "$vendor_elements" ] && append bss_conf "vendor_elements=$vendor_elements" "$N"
-
-	[ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N"
-
-	[ "$wpa" -gt 0 ] && {
-		[ -n "$wpa_group_rekey"  ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
-		[ -n "$wpa_pair_rekey"   ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"
-		[ -n "$wpa_master_rekey" ] && append bss_conf "wpa_gmk_rekey=$wpa_master_rekey"  "$N"
-		[ -n "$wpa_strict_rekey" ] && append bss_conf "wpa_strict_rekey=$wpa_strict_rekey" "$N"
-	}
-
-	[ -n "$nasid" ] && append bss_conf "nas_identifier=$nasid" "$N"
-
-	[ -n "$acct_interval" ] && \
-		append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
-	json_for_each_item append_acct_server acct_server
-	json_for_each_item append_radius_acct_req_attr radius_acct_req_attr
-
-	[ -n "$ocv" ] && append bss_conf "ocv=$ocv" "$N"
-
-	case "$auth_type" in
-		sae|owe|eap2|eap192)
-			set_default ieee80211w 2
-			set_default sae_require_mfp 1
-			[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
-		;;
-		psk-sae|psk2-radius|eap-eap2)
-			set_default ieee80211w 1
-			set_default sae_require_mfp 1
-			[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
-		;;
-	esac
-	[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
-	[ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N"
-
-	local vlan_possible=""
-
-	case "$auth_type" in
-		none|owe)
-			json_get_vars owe_transition_bssid owe_transition_ssid owe_transition_ifname
-
-			[ -n "$owe_transition_ssid" ] && append bss_conf "owe_transition_ssid=\"$owe_transition_ssid\"" "$N"
-			[ -n "$owe_transition_bssid" ] && append bss_conf "owe_transition_bssid=$owe_transition_bssid" "$N"
-			[ -n "$owe_transition_ifname" ] && append bss_conf "owe_transition_ifname=$owe_transition_ifname" "$N"
-
-			wps_possible=1
-			# Here we make the assumption that if we're in open mode
-			# with WPS enabled, we got to be in unconfigured state.
-			wps_not_configured=1
-		;;
-		psk|sae|psk-sae)
-			json_get_vars key wpa_psk_file
-			if [ "$ppsk" -ne 0 ]; then
-				json_get_vars auth_secret auth_port
-				set_default auth_port 1812
-				json_for_each_item append_auth_server auth_server
-				append bss_conf "macaddr_acl=2" "$N"
-				append bss_conf "wpa_psk_radius=2" "$N"
-			elif [ ${#key} -eq 64 ]; then
-				append bss_conf "wpa_psk=$key" "$N"
-			elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then
-				append bss_conf "wpa_passphrase=$key" "$N"
-			elif [ -n "$key" ] || [ -z "$wpa_psk_file" ]; then
-				wireless_setup_vif_failed INVALID_WPA_PSK
-				return 1
-			fi
-			[ -z "$wpa_psk_file" ] && set_default wpa_psk_file /var/run/hostapd-$ifname.psk
-			[ -n "$wpa_psk_file" ] && {
-				[ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
-				append bss_conf "wpa_psk_file=$wpa_psk_file" "$N"
-			}
-			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
-
-			set_default dynamic_vlan 0
-			vlan_possible=1
-			wps_possible=1
-		;;
-		eap|eap2|eap-eap2|eap192)
 	json_get_vars \
 		auth_server auth_secret auth_port \
+		auth_server_secondary auth_secret_secondary auth_port_secondary \
 		dae_client dae_secret dae_port \
 		dynamic_ownip ownip radius_client_addr \
 		eap_reauth_period request_cui \
 		erp_domain mobility_domain \
 		fils_realm fils_dhcp

-			# radius can provide VLAN ID for clients
-			vlan_possible=1
-
 	set_default dynamic_ownip 1

 	# legacy compatibility
@@ -762,10 +619,23 @@ hostapd_set_bss_options() {
 	}

 	set_default auth_port 1812
+	set_default auth_port_secondary 1812
 	set_default dae_port 3799
 	set_default request_cui 0

-			[ "$eap_server" -eq 0 ] && json_for_each_item append_auth_server auth_server
+	[ "$eap_server" -eq 0  -a -n "$auth_server" ] && {
+		append bss_conf "auth_server_addr=$auth_server" "$N"
+		append bss_conf "auth_server_port=$auth_port" "$N"
+		append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+	}
+
+	[ -n "$auth_server_secondary" ] && {
+		append bss_conf "auth_server_addr=$auth_server_secondary" "$N"
+		append bss_conf "auth_server_port=$auth_port_secondary" "$N"
+		[ -n "$auth_secret_secondary" ] && \
+			append bss_conf "auth_server_shared_secret=$auth_secret_secondary" "$N"
+	}
+
 	[ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
 	[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"

@@ -782,6 +652,187 @@ hostapd_set_bss_options() {
 	fi

 	[ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
+	[ "$macfilter" = radius ] && append bss_conf "macaddr_acl=2" "$N"
+}
+
+hostapd_set_bss_options() {
+	local var="$1"
+	local phy="$2"
+	local vif="$3"
+
+	wireless_vif_parse_encryption
+
+	local bss_conf bss_md5sum
+	local wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_key_mgmt
+
+	json_get_vars \
+		wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey wpa_strict_rekey \
+		wpa_disable_eapol_key_retries tdls_prohibit \
+		maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
+		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
+		wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
+		macfilter ssid utf8_ssid wmm uapsd hidden short_preamble rsn_preauth \
+		iapp_interface eapol_version dynamic_vlan ieee80211w nasid \
+		acct_server acct_secret acct_port acct_interval \
+		acct_server_secondary acct_secret_secondary acct_port_secondary \
+		bss_load_update_period chan_util_avg_period sae_require_mfp sae_pwe \
+		multi_ap multi_ap_backhaul_ssid multi_ap_backhaul_key skip_inactivity_poll \
+		ppsk airtime_bss_weight airtime_bss_limit airtime_sta_weight \
+		multicast_to_unicast_all proxy_arp per_sta_vif \
+		eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id radius_server_clients radius_server_auth_port \
+		vendor_elements fils ocv apup uci_section dynamic_probe_resp multi_psk
+
+	set_default fils 0
+	set_default isolate 0
+	set_default maxassoc 0
+	set_default max_inactivity 0
+	set_default short_preamble 1
+	set_default disassoc_low_ack 1
+	set_default skip_inactivity_poll 0
+	set_default hidden 0
+	set_default wmm 1
+	set_default uapsd 1
+	set_default wpa_disable_eapol_key_retries 0
+	set_default multi_psk $multi_psk
+	set_default tdls_prohibit 0
+	set_default eapol_version $((wpa & 1))
+	set_default acct_port 1813
+	set_default acct_port_secondary 1813
+	set_default bss_load_update_period 60
+	set_default chan_util_avg_period 600
+	set_default utf8_ssid 1
+	set_default multi_ap 0
+	set_default ppsk 0
+	set_default airtime_bss_weight 0
+	set_default airtime_bss_limit 0
+	set_default eap_server 0
+	set_default dynamic_probe_resp 0
+	set_default apup 0
+
+	/usr/sbin/hostapd -vfils || fils=0
+
+	append bss_conf "ctrl_interface=/var/run/hostapd"
+	if [ "$isolate" -gt 0 ]; then
+		append bss_conf "ap_isolate=$isolate" "$N"
+	fi
+	if [ "$maxassoc" -gt 0 ]; then
+		append bss_conf "max_num_sta=$maxassoc" "$N"
+	fi
+	if [ "$max_inactivity" -gt 0 ]; then
+		append bss_conf "ap_max_inactivity=$max_inactivity" "$N"
+	fi
+
+	[ "$airtime_bss_weight" -gt 0 ] && append bss_conf "airtime_bss_weight=$airtime_bss_weight" "$N"
+	[ "$airtime_bss_limit" -gt 0 ] && append bss_conf "airtime_bss_limit=$airtime_bss_limit" "$N"
+	json_for_each_item append_airtime_sta_weight airtime_sta_weight
+
+	append bss_conf "bss_load_update_period=$bss_load_update_period" "$N"
+	append bss_conf "chan_util_avg_period=$chan_util_avg_period" "$N"
+	append bss_conf "disassoc_low_ack=$disassoc_low_ack" "$N"
+	append bss_conf "skip_inactivity_poll=$skip_inactivity_poll" "$N"
+	append bss_conf "preamble=$short_preamble" "$N"
+	append bss_conf "wmm_enabled=$wmm" "$N"
+	append bss_conf "ignore_broadcast_ssid=$hidden" "$N"
+	append bss_conf "dynamic_probe_resp=$dynamic_probe_resp" "$N"
+	append bss_conf "uapsd_advertisement_enabled=$uapsd" "$N"
+	append bss_conf "utf8_ssid=$utf8_ssid" "$N"
+	append bss_conf "multi_ap=$multi_ap" "$N"
+	[ -n "$vendor_elements" ] && append bss_conf "vendor_elements=$vendor_elements" "$N"
+
+	[ "$tdls_prohibit" -gt 0 ] && append bss_conf "tdls_prohibit=$tdls_prohibit" "$N"
+
+	[ "$wpa" -gt 0 ] && {
+		[ -n "$wpa_group_rekey"  ] && append bss_conf "wpa_group_rekey=$wpa_group_rekey" "$N"
+		[ -n "$wpa_pair_rekey"   ] && append bss_conf "wpa_ptk_rekey=$wpa_pair_rekey"    "$N"
+		[ -n "$wpa_master_rekey" ] && append bss_conf "wpa_gmk_rekey=$wpa_master_rekey"  "$N"
+		[ -n "$wpa_strict_rekey" ] && append bss_conf "wpa_strict_rekey=$wpa_strict_rekey" "$N"
+	}
+
+	[ -n "$nasid" ] && append bss_conf "nas_identifier=$nasid" "$N"
+
+	[ -n "$acct_server" ] && {
+		append bss_conf "acct_server_addr=$acct_server" "$N"
+		append bss_conf "acct_server_port=$acct_port" "$N"
+		[ -n "$acct_secret" ] && \
+			append bss_conf "acct_server_shared_secret=$acct_secret" "$N"
+		[ -n "$acct_interval" ] && \
+			append bss_conf "radius_acct_interim_interval=$acct_interval" "$N"
+		json_for_each_item append_radius_acct_req_attr radius_acct_req_attr
+	}
+
+	[ -n "$acct_server_secondary" ] && {
+		append bss_conf "acct_server_addr=$acct_server_secondary" "$N"
+		append bss_conf "acct_server_port=$acct_port_secondary" "$N"
+		[ -n "$acct_secret_secondary" ] && \
+			append bss_conf "acct_server_shared_secret=$acct_secret_secondary" "$N"
+	}
+
+	[ -n "$ocv" ] && append bss_conf "ocv=$ocv" "$N"
+
+	case "$auth_type" in
+		sae|owe|eap2|eap192)
+			set_default ieee80211w 2
+			set_default sae_require_mfp 1
+			[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
+		;;
+		psk-sae|psk2-radius|eap-eap2)
+			set_default ieee80211w 1
+			set_default sae_require_mfp 1
+			[ "$ppsk" -eq 0 ] && set_default sae_pwe 2
+		;;
+	esac
+	[ -n "$sae_require_mfp" ] && append bss_conf "sae_require_mfp=$sae_require_mfp" "$N"
+	[ -n "$sae_pwe" ] && append bss_conf "sae_pwe=$sae_pwe" "$N"
+
+	local vlan_possible=""
+
+	case "$auth_type" in
+		none|owe)
+			json_get_vars owe_transition_bssid owe_transition_ssid owe_transition_ifname
+
+			[ -n "$owe_transition_ssid" ] && append bss_conf "owe_transition_ssid=\"$owe_transition_ssid\"" "$N"
+			[ -n "$owe_transition_bssid" ] && append bss_conf "owe_transition_bssid=$owe_transition_bssid" "$N"
+			[ -n "$owe_transition_ifname" ] && append bss_conf "owe_transition_ifname=$owe_transition_ifname" "$N"
+
+			wps_possible=1
+			# Here we make the assumption that if we're in open mode
+			# with WPS enabled, we got to be in unconfigured state.
+			wps_not_configured=1
+			vlan_possible=1
+			append_radius_server
+		;;
+		psk|sae|psk-sae)
+			json_get_vars key wpa_psk_file
+			if [ "$ppsk" -ne 0 ]; then
+				json_get_vars auth_secret auth_port
+				set_default auth_port 1812
+				json_for_each_item append_auth_server auth_server
+				append bss_conf "macaddr_acl=2" "$N"
+				append bss_conf "wpa_psk_radius=2" "$N"
+			elif [ ${#key} -eq 64 ]; then
+				append bss_conf "wpa_psk=$key" "$N"
+			elif [ ${#key} -ge 8 ] && [ ${#key} -le 63 ]; then
+				append bss_conf "wpa_passphrase=$key" "$N"
+			elif [ -n "$key" ] || [ -z "$wpa_psk_file" ]; then
+				wireless_setup_vif_failed INVALID_WPA_PSK
+				return 1
+			fi
+			[ -z "$wpa_psk_file" ] && set_default wpa_psk_file /var/run/hostapd-$ifname.psk
+			[ -n "$wpa_psk_file" ] && {
+				[ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
+				append bss_conf "wpa_psk_file=$wpa_psk_file" "$N"
+			}
+			[ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
+
+			append_radius_server
+			set_default dynamic_vlan 0
+			vlan_possible=1
+			wps_possible=1
+		;;
+		eap|eap192|eap-eap2|eap2)
+			append_radius_server
+			# radius can provide VLAN ID for clients
+			vlan_possible=1
 			append bss_conf "eapol_key_index_workaround=1" "$N"
 			append bss_conf "ieee8021x=1" "$N"

@@ -798,6 +849,7 @@ hostapd_set_bss_options() {
 			append bss_conf "wpa_psk_radius=3" "$N"
 			append_radius_server
 			vlan_possible=1
+		;;
 	esac

 	case "$auth_type" in
@@ -921,45 +973,42 @@ hostapd_set_bss_options() {
 		}
 	fi

+	if [ "$wpa" -ge "1" ]; then
 		json_get_vars ieee80211r
 		set_default ieee80211r 0
-	if [ "$wpa" -ge "1" ]; then
-		if [ "$fils" -gt 0 ]; then
-			json_get_vars fils_realm
-			set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
-		fi

-		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
-
-		hostapd_append_wpa_key_mgmt
-		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
-	fi
-
-	if [ "$wpa" -ge "2" ]; then
 		if [ "$ieee80211r" -gt "0" ]; then
-			json_get_vars mobility_domain ft_psk_generate_local ft_over_ds reassociation_deadline
+			json_get_vars mobility_domain ft_psk_generate_local ft_over_ds reassociation_deadline ft_l2_refresh

 			set_default mobility_domain "$(echo "$ssid" | md5sum | head -c 4)"
-			set_default ft_over_ds 0
+			set_default ft_over_ds 1
+			set_default ft_l2_refresh 30
 			set_default reassociation_deadline 1000
+			skip_kh_setup=0

 			case "$auth_type" in
-				psk)
+				psk|psk-sae)
 					set_default ft_psk_generate_local 1
+					skip_kh_setup="$ft_psk_generate_local"
 				;;
 				*)
 					set_default ft_psk_generate_local 0
 				;;
 			esac

+			case "$auth_type" in
+				*sae*) skip_kh_setup=0;;
+			esac
+
 			[ -n "$network_ifname" ] && append bss_conf "ft_iface=$network_ifname" "$N"
 			append bss_conf "mobility_domain=$mobility_domain" "$N"
 			append bss_conf "ft_psk_generate_local=$ft_psk_generate_local" "$N"
 			append bss_conf "ft_over_ds=$ft_over_ds" "$N"
 			append bss_conf "reassociation_deadline=$reassociation_deadline" "$N"
+			[ -n "$ft_l2_refresh" ] && append bss_conf "ft_l2_refresh=$ft_l2_refresh" "$N"

-			if [ "$ft_psk_generate_local" -eq "0" ]; then
-				json_get_vars r0_key_lifetime r1_key_holder pmk_r1_push
+			if [ "$skip_kh_setup" -eq "0" ]; then
+				json_get_vars r0_key_lifetime r1_key_holder pmk_r1_push ft_key
 				json_get_values r0kh r0kh
 				json_get_values r1kh r1kh

@@ -971,12 +1020,15 @@ hostapd_set_bss_options() {
 						wireless_setup_vif_failed FT_KEY_CANT_BE_DERIVED
 						return 1
 					fi
-					ft_key=`echo -n "$mobility_domain/${auth_secret:-${key}}" | md5sum | awk '{print $1}'`
+					[ -z "$ft_key" ] && {
+						key=`echo -n "$mobility_domain/$auth_secret" | md5sum | awk '{print $1}'`

-					set_default r0kh "ff:ff:ff:ff:ff:ff,*,$ft_key"
-					set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$ft_key"
+						set_default r0kh "ff:ff:ff:ff:ff:ff,*,$key"
+						set_default r1kh "00:00:00:00:00:00,00:00:00:00:00:00,$key"
+					}
 				}

+				[ -n "$ft_key" ] && append bss_conf "ft_key=$ft_key" "$N"
 				[ -n "$r1_key_holder" ] && append bss_conf "r1_key_holder=$r1_key_holder" "$N"
 				append bss_conf "r0_key_lifetime=$r0_key_lifetime" "$N"
 				append bss_conf "pmk_r1_push=$pmk_r1_push" "$N"
@@ -989,7 +1041,18 @@ hostapd_set_bss_options() {
 				done
 			fi
 		fi
+		if [ "$fils" -gt 0 ]; then
+			json_get_vars fils_realm
+			set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
+		fi

+		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
+
+		hostapd_append_wpa_key_mgmt
+		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
+	fi
+
+	if [ "$wpa" -ge "2" ]; then
 		if [ -n "$network_bridge" -a "$rsn_preauth" = 1 ]; then
 			set_default auth_cache 1
 			append bss_conf "rsn_preauth=1" "$N"
@@ -1189,6 +1252,8 @@ hostapd_set_bss_options() {
 		append bss_conf "per_sta_vif=$per_sta_vif" "$N"
 	fi

+	[ -n "$uci_section" ] && append bss_conf "uci_section=$uci_section" "$N"
+
 	if [ "$apup" -gt 0 ]; then
 		append bss_conf "apup=$apup" "$N"