From a1943e3df199720955a374046a4acec0e5575063 Mon Sep 17 00:00:00 2001 From: Ylian Saint-Hilaire Date: Fri, 18 Mar 2022 13:49:54 -0700 Subject: [PATCH] Added preparations for Intel AMT 802.1x support. --- amtmanager.js | 80 ++++++++++++++---- meshcentral-config-schema.json | 147 ++++++++++++++++++++++++++++++++- 2 files changed, 210 insertions(+), 17 deletions(-) diff --git a/amtmanager.js b/amtmanager.js index 018af87c..d2f4944f 100644 --- a/amtmanager.js +++ b/amtmanager.js 
@@ -64,30 +64,61 @@ module.exports.CreateAmtManager = function (parent) { } // Check WIFI profiles - //var wifiAuthMethod = { 1: "Other", 2: "Open", 3: "Shared Key", 4: "WPA PSK", 5: "WPA 802.1x", 6: "WPA2 PSK", 7: "WPA2 802.1x", 32768: "WPA3 802.1x" }; + //var wifiAuthMethod = { 1: "Other", 2: "Open", 3: "Shared Key", 4: "WPA PSK", 5: "WPA 802.1x", 6: "WPA2 PSK", 7: "WPA2 802.1x", 32768: "WPA3 SAE IEEE 802.1x", 32769: "WPA3 OWE IEEE 802.1x" }; //var wifiEncMethod = { 1: "Other", 2: "WEP", 3: "TKIP", 4: "CCMP", 5: "None" } if (Array.isArray(domain.amtmanager.wifiprofiles) == true) { var goodWifiProfiles = []; for (var i = 0; i < domain.amtmanager.wifiprofiles.length; i++) { var wifiProfile = domain.amtmanager.wifiprofiles[i]; - if ((typeof wifiProfile.ssid == 'string') && (wifiProfile.ssid != '') && (typeof wifiProfile.password == 'string') && (wifiProfile.password != '')) { + if ((typeof wifiProfile.ssid == 'string') && (wifiProfile.ssid != '') && (((typeof wifiProfile.password == 'string') && (wifiProfile.password != '')) || ((typeof wifiProfile['802.1x'] == 'object') && (wifiProfile['802.1x'] != null)))) { if ((wifiProfile.name == null) || (wifiProfile.name == '')) { wifiProfile.name = wifiProfile.ssid; } - if (typeof wifiProfile.authentication == 'string') { - // Authentication - if (typeof wifiProfile.authentication == 'string') { wifiProfile.authentication = wifiProfile.authentication.toLowerCase(); } - if (wifiProfile.authentication == 'wpa-psk') { wifiProfile.authentication = 4; } - if (wifiProfile.authentication == 'wpa2-psk') { wifiProfile.authentication = 6; } - if (typeof wifiProfile.authentication != 'number') { wifiProfile.authentication = 6; } // Default to WPA2-PSK - // Encyption - if (typeof wifiProfile.encryption == 'string') { wifiProfile.encryption = wifiProfile.encryption.toLowerCase(); } - if ((wifiProfile.encryption == 'ccmp-aes') || (wifiProfile.encryption == 'ccmp')) { wifiProfile.encryption = 4; } - if ((wifiProfile.encryption == 
'tkip-rc4') || (wifiProfile.encryption == 'tkip')) { wifiProfile.encryption = 3; } - if (typeof wifiProfile.encryption != 'number') { wifiProfile.encryption = 4; } // Default to CCMP-AES + // Authentication + if (typeof wifiProfile.authentication == 'string') { wifiProfile.authentication = wifiProfile.authentication.toLowerCase(); } + if (wifiProfile.authentication == 'wpa-psk') { wifiProfile.authentication = 4; } + if (wifiProfile.authentication == 'wpa2-psk') { wifiProfile.authentication = 6; } + if (wifiProfile.authentication == 'wpa-8021x') { wifiProfile.authentication = 5; } + if (wifiProfile.authentication == 'wpa2-802.1x') { wifiProfile.authentication = 7; } + if (wifiProfile.authentication == 'wpa3-sae-802.1x') { wifiProfile.authentication = 32768; } + if (wifiProfile.authentication == 'wpa3-owe-802.1x') { wifiProfile.authentication = 32769; } + if (typeof wifiProfile.authentication != 'number') { + if (wifiProfile['802.1x']) { wifiProfile.authentication = 7; } // Default to WPA2-802.1x + else { wifiProfile.authentication = 6; } // Default to WPA2-PSK + } - // Type - wifiProfile.type = 3; // Infrastructure + // Encyption + if (typeof wifiProfile.encryption == 'string') { wifiProfile.encryption = wifiProfile.encryption.toLowerCase(); } + if ((wifiProfile.encryption == 'ccmp-aes') || (wifiProfile.encryption == 'ccmp')) { wifiProfile.encryption = 4; } + if ((wifiProfile.encryption == 'tkip-rc4') || (wifiProfile.encryption == 'tkip')) { wifiProfile.encryption = 3; } + if (typeof wifiProfile.encryption != 'number') { wifiProfile.encryption = 4; } // Default to CCMP-AES + + // Type + wifiProfile.type = 3; // Infrastructure + + // Check authentication + if ([4, 6].indexOf(wifiProfile.authentication) >= 0) { + // Password authentication + if ((typeof wifiProfile.password != 'string') || (wifiProfile.password.length < 8) || (wifiProfile.password.length > 63)) continue; + } else if ([5, 7, 32768, 32769].indexOf(wifiProfile.authentication) >= 0) { + // 802.1x 
authentication + if ((wifiProfile['802.1x'] == null) && (typeof wifiProfile['802.1x'] != 'object')) continue; + const netAuthStrings = ['eap-tls', 'eap-ttls/mschapv2', 'peapv0/eap-mschapv2', 'peapv1/eap-gtc', 'eap-fast/mschapv2', 'eap-fast/gtc', 'eap-md5', 'eap-psk', 'eap-sim', 'eap-aka', 'eap-fast/tls']; + + if (typeof wifiProfile['802.1x'].servercertificatename != 'string') { + delete wifiProfile['802.1x'].servercertificatenamecomparison; + const serverCertCompareStrings = ['', '', 'fullname', 'domainsuffix']; + if (typeof wifiProfile['802.1x'].servercertificatenamecomparison == 'string') { + wifiProfile['802.1x'].servercertificatenamecomparison = serverCertCompareStrings.indexOf(wifiProfile['802.1x'].servercertificatenamecomparison.toLowerCase()); + if (wifiProfile['802.1x'].servercertificatenamecomparison == -1) { wifiProfile['802.1x'].servercertificatenamecomparison = 2; } // Default to full name compare + } + } + + if (typeof wifiProfile['802.1x'].authenticationprotocol == 'string') { + wifiProfile['802.1x'].authenticationprotocol = netAuthStrings.indexOf(wifiProfile['802.1x'].authenticationprotocol.toLowerCase()); + if (wifiProfile['802.1x'].authenticationprotocol == -1) continue; + } } + goodWifiProfiles.push(wifiProfile); } } 
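Review bot: The guard `if ((wifiProfile['802.1x'] == null) && (typeof wifiProfile['802.1x'] != 'object')) continue;` in the 802.1x branch uses `&&` where `||` is needed: an explicit `'802.1x': null` passes the first test but not the second (typeof null is 'object'), so the profile is not skipped and the `.servercertificatename` access on the next line throws a TypeError while the domain configuration is being checked; it should read `if ((wifiProfile['802.1x'] == null) || (typeof wifiProfile['802.1x'] != 'object')) continue;`. A few lines further, the `servercertificatenamecomparison` normalisation is dead code: it sits inside the `typeof servercertificatename != 'string'` block immediately after that property has been deleted, so when an operator does supply a server certificate name together with a "DomainSuffix" or "FullName" comparison mode, the string is never converted to its numeric value and the AAA server certificate check is passed on unnormalised; the conversion belongs in the `else` branch, as below. The same dead block is duplicated for the wired profile in the `@@ -95,6 +126,25 @@` hunk and needs the same restructuring. CreateAmtManager continues outside this hunk.
```javascript
if ((wifiProfile['802.1x'] == null) || (typeof wifiProfile['802.1x'] != 'object')) continue;
// … unchanged: netAuthStrings …
if (typeof wifiProfile['802.1x'].servercertificatename != 'string') {
    // No server certificate name to compare against, so a comparison mode is meaningless.
    delete wifiProfile['802.1x'].servercertificatenamecomparison;
} else if (typeof wifiProfile['802.1x'].servercertificatenamecomparison == 'string') {
    const serverCertCompareStrings = ['', '', 'fullname', 'domainsuffix'];
    wifiProfile['802.1x'].servercertificatenamecomparison = serverCertCompareStrings.indexOf(wifiProfile['802.1x'].servercertificatenamecomparison.toLowerCase());
    if (wifiProfile['802.1x'].servercertificatenamecomparison == -1) { wifiProfile['802.1x'].servercertificatenamecomparison = 2; } // Default to full name compare
}
// … unchanged: authenticationprotocol normalisation …
```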
@@ -95,6 +126,25 @@ module.exports.CreateAmtManager = function (parent) { } else { delete domain.amtmanager.wifiprofiles; } + + // Check 802.1x wired profile if present + if ((domain.amtmanager['802.1x'] != null) && (typeof domain.amtmanager['802.1x'] == 'object')) { + const netAuthStrings = ['eap-tls', 'eap-ttls/mschapv2', 'peapv0/eap-mschapv2', 'peapv1/eap-gtc', 'eap-fast/mschapv2', 'eap-fast/gtc', 'eap-md5', 'eap-psk', 'eap-sim', 'eap-aka', 'eap-fast/tls']; + + if (typeof domain.amtmanager['802.1x'].servercertificatename != 'string') { + delete domain.amtmanager['802.1x'].servercertificatenamecomparison; + const serverCertCompareStrings = ['', '', 'fullname', 'domainsuffix']; + if (typeof domain.amtmanager['802.1x'].servercertificatenamecomparison == 'string') { + domain.amtmanager['802.1x'].servercertificatenamecomparison = serverCertCompareStrings.indexOf(domain.amtmanager['802.1x'].servercertificatenamecomparison.toLowerCase()); + if (domain.amtmanager['802.1x'].servercertificatenamecomparison == -1) { domain.amtmanager['802.1x'].servercertificatenamecomparison = 2; } // Default to full name compare + } + } + + if (typeof domain.amtmanager['802.1x'].authenticationprotocol == 'string') { + domain.amtmanager['802.1x'].authenticationprotocol = netAuthStrings.indexOf(domain.amtmanager['802.1x'].authenticationprotocol.toLowerCase()); + if (domain.amtmanager['802.1x'].authenticationprotocol == -1) { delete domain.amtmanager['802.1x']; } + } + } } // Check if an Intel AMT device is being managed diff --git a/meshcentral-config-schema.json b/meshcentral-config-schema.json index c3dd97a4..8e1c7f3c 100644 --- a/meshcentral-config-schema.json +++ b/meshcentral-config-schema.json @@ -682,7 +682,7 @@ "items": { "type": "object", "additionalProperties": false, - "required": [ "ssid", "password" ], + "required": [ "ssid" ], "properties": { "name": { "description": "WIFI profile name, if not specified the SSID is used.", 
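Review bot: With `"required"` reduced to `[ "ssid" ]`, a WIFI profile that carries neither `password` nor `802.1x` now validates against the schema even though amtmanager.js silently drops it, so the misconfiguration only shows up as a missing profile on the device. The either/or can still be expressed in the schema with `"anyOf": [ { "required": [ "password" ] }, { "required": [ "802.1x" ] } ]` placed next to `"required": [ "ssid" ]`, which keeps validation and the runtime check in agreement. The `items` object this hunk edits closes outside the hunk.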
@@ -695,7 +695,7 @@ "authentication": { "description": "WIFI authentication.", "type": "string", - "enum": [ "wpa2-psk", "wpa-psk" ], + "enum": [ "wpa-psk", "wpa2-psk", "wpa-8021x", "wpa2-802.1x", "wpa3-sae-802.1x", "wpa3-owe-802.1x" ], "default": "wpa2-psk" }, "encryption": { 
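Review bot: The new enum value `"wpa-8021x"` is spelled differently from its siblings `"wpa2-802.1x"`, `"wpa3-sae-802.1x"` and `"wpa3-owe-802.1x"`, which makes it easy to mistype in a config file and get the WPA2-PSK fallback instead of the intended 802.1x mode. Since amtmanager.js matches the same literal, renaming it to `"wpa-802.1x"` needs both sides changed, or the code can accept both spellings: `if ((wifiProfile.authentication == 'wpa-8021x') || (wifiProfile.authentication == 'wpa-802.1x')) { wifiProfile.authentication = 5; }`. The enclosing `authentication` property continues outside this hunk on both sides.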
@@ -709,9 +709,152 @@ "type": "string", "minLength": 8, "maxLength": 63 + }, + "802.1x": { + "description": "802.1x settings for this WIFI profile. Only required if the WIFI authentication type has 802.1x", + "default": null, + "type": "object", + "additionalProperties": false, + "required": [ "authenticationProtocol" ], + "properties": { + "authenticationProtocol": { + "description": "Identifies the authentication protocol used to authenticate the access requestor to the AAA server.", + "type": [ "integer", "string" ], + "enum": [ "EAP-TLS", "EAP-TTLS/MSCHAPv2", "PEAPv0/EAP-MSCHAPv2", "PEAPv1/EAP-GTC", "EAP-FAST/MSCHAPv2", "EAP-FAST/GTC", "EAP-MD5", "EAP-PSK", "EAP-SIM", "EAP-AKA", "EAP-FAST/TLS", 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ] + }, + "serverCertificateNameComparison": { + "type": [ "integer", "string" ], + "default": "FullName", + "description": "Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server.", + "enum": [ "FullName", "DomainSuffix", 2, 3 ] + }, + "serverCertificateName": { + "type": "string", + "default": null, + "description": "The name compared against the subject name field in the certificate provided by the AAA server.", + "maxLength": 80 + }, + "availableInS0": { + "type": "boolean", + "default": true, + "description": "Indicates the activity setting of the 802.1X module in H0 state" + }, + "protectedAccessCredentialHex": { + "type": "string", + "default": null, + "description": "A credential used by the supplicant and AAA server to establish a mutually authenticated encrypted tunnel for confidential user authentication.", + "maxLength": 64 + }, + "pacPassword": { + "type": "string", + "default": null, + "description": "Optional password to extract the PAC (Protected Access Credential) information from the PAC data.", + "maxLength": 256 + }, + "domain": { + "type": "string", + "default": null, + "description": "The domain within which Username is 
unique.", + "maxLength": 128 + }, + "username": { + "type": "string", + "default": null, + "description": "Within the domain specified by Domain, Identifies the user that is requesting access to the network.", + "maxLength": 128 + }, + "password": { + "type": "string", + "default": null, + "description": "The password associated with the user identified by Username and Domain.", + "maxLength": 32 + }, + "roamingIdentity": { + "type": "string", + "default": null, + "description": "A string presented to the authentication server in 802.1x protocol exchange", + "maxLength": 80 + }, + "pxeTimeoutInSeconds": { + "type": "integer", + "default": 120, + "description": "Timeout in seconds, in which the Intel(R) AMT will hold an authenticated 802.1X session." + } + } } } } + }, + "802.1x": { + "description": "802.1x settings for the Intel AMT Wired interface. If set to false, any existing 802.1x wired profile will be removed from Intel AMT.", + "default": null, + "type": [ "object", "boolean" ], + "additionalProperties": false, + "required": [ "authenticationProtocol" ], + "properties": { + "authenticationProtocol": { + "description": "Identifies the authentication protocol used to authenticate the access requestor to the AAA server.", + "type": [ "integer", "string" ], + "enum": [ "EAP-TLS", "EAP-TTLS/MSCHAPv2", "PEAPv0/EAP-MSCHAPv2", "PEAPv1/EAP-GTC", "EAP-FAST/MSCHAPv2", "EAP-FAST/GTC", "EAP-MD5", "EAP-PSK", "EAP-SIM", "EAP-AKA", "EAP-FAST/TLS", 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ] + }, + "serverCertificateNameComparison": { + "type": [ "integer", "string" ], + "description": "Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server.", + "enum": [ "FullName", "DomainSuffix", 2, 3 ] + }, + "serverCertificateName": { + "type": "string", + "default": null, + "description": "The name compared against the subject name field in the certificate provided by the AAA server.", + 
"maxLength": 80 + }, + "availableInS0": { + "type": "boolean", + "default": true, + "description": "Indicates the activity setting of the 802.1X module in H0 state" + }, + "protectedAccessCredentialHex": { + "type": "string", + "default": null, + "description": "A credential used by the supplicant and AAA server to establish a mutually authenticated encrypted tunnel for confidential user authentication.", + "maxLength": 64 + }, + "pacPassword": { + "type": "string", + "default": null, + "description": "Optional password to extract the PAC (Protected Access Credential) information from the PAC data.", + "maxLength": 256 + }, + "domain": { + "type": "string", + "default": null, + "description": "The domain within which Username is unique.", + "maxLength": 128 + }, + "username": { + "type": "string", + "default": null, + "description": "Within the domain specified by Domain, Identifies the user that is requesting access to the network.", + "maxLength": 128 + }, + "password": { + "type": "string", + "default": null, + "description": "The password associated with the user identified by Username and Domain.", + "maxLength": 32 + }, + "roamingIdentity": { + "type": "string", + "default": null, + "description": "A string presented to the authentication server in 802.1x protocol exchange", + "maxLength": 80 + }, + "pxeTimeoutInSeconds": { + "type": "integer", + "default": 120, + "description": "Timeout in seconds, in which the Intel(R) AMT will hold an authenticated 802.1X session." + } + } } } },
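Review bot: Several string-typed properties in both new `802.1x` blocks (`serverCertificateName`, `protectedAccessCredentialHex`, `pacPassword`, `domain`, `username`, `password`, `roamingIdentity`) declare `"default": null`, which does not validate against `"type": "string"`; validators ignore `default`, but tooling that applies defaults would produce an invalid document, so either drop those `default` lines or declare `"type": [ "string", "null" ]`. The wired `serverCertificateNameComparison` also lacks the `"default": "FullName"` that the WIFI copy declares, although amtmanager.js falls back to full-name compare for both; adding the same line keeps the two definitions identical. The wired `802.1x` is typed `[ "object", "boolean" ]` and documented as removing the profile when `false`, while the amtmanager.js change in this commit only inspects the object form, so presumably the boolean handling is deferred to a later commit; a short note in the description saying so would help readers of the schema.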