Added preparations for Intel AMT 802.1x support.

This commit is contained in:
Ylian Saint-Hilaire 2022-03-18 13:49:54 -07:00
parent 8968048377
commit a1943e3df1
2 changed files with 210 additions and 17 deletions

View File

@ -64,30 +64,61 @@ module.exports.CreateAmtManager = function (parent) {
} }
// Check WIFI profiles // Check WIFI profiles
//var wifiAuthMethod = { 1: "Other", 2: "Open", 3: "Shared Key", 4: "WPA PSK", 5: "WPA 802.1x", 6: "WPA2 PSK", 7: "WPA2 802.1x", 32768: "WPA3 802.1x" }; //var wifiAuthMethod = { 1: "Other", 2: "Open", 3: "Shared Key", 4: "WPA PSK", 5: "WPA 802.1x", 6: "WPA2 PSK", 7: "WPA2 802.1x", 32768: "WPA3 SAE IEEE 802.1x", 32769: "WPA3 OWE IEEE 802.1x" };
//var wifiEncMethod = { 1: "Other", 2: "WEP", 3: "TKIP", 4: "CCMP", 5: "None" } //var wifiEncMethod = { 1: "Other", 2: "WEP", 3: "TKIP", 4: "CCMP", 5: "None" }
if (Array.isArray(domain.amtmanager.wifiprofiles) == true) { if (Array.isArray(domain.amtmanager.wifiprofiles) == true) {
var goodWifiProfiles = []; var goodWifiProfiles = [];
for (var i = 0; i < domain.amtmanager.wifiprofiles.length; i++) { for (var i = 0; i < domain.amtmanager.wifiprofiles.length; i++) {
var wifiProfile = domain.amtmanager.wifiprofiles[i]; var wifiProfile = domain.amtmanager.wifiprofiles[i];
if ((typeof wifiProfile.ssid == 'string') && (wifiProfile.ssid != '') && (typeof wifiProfile.password == 'string') && (wifiProfile.password != '')) { if ((typeof wifiProfile.ssid == 'string') && (wifiProfile.ssid != '') && (((typeof wifiProfile.password == 'string') && (wifiProfile.password != '')) || ((typeof wifiProfile['802.1x'] == 'object') && (wifiProfile['802.1x'] != null)))) {
if ((wifiProfile.name == null) || (wifiProfile.name == '')) { wifiProfile.name = wifiProfile.ssid; } if ((wifiProfile.name == null) || (wifiProfile.name == '')) { wifiProfile.name = wifiProfile.ssid; }
if (typeof wifiProfile.authentication == 'string') {
// Authentication
if (typeof wifiProfile.authentication == 'string') { wifiProfile.authentication = wifiProfile.authentication.toLowerCase(); }
if (wifiProfile.authentication == 'wpa-psk') { wifiProfile.authentication = 4; }
if (wifiProfile.authentication == 'wpa2-psk') { wifiProfile.authentication = 6; }
if (typeof wifiProfile.authentication != 'number') { wifiProfile.authentication = 6; } // Default to WPA2-PSK
// Encyption // Authentication
if (typeof wifiProfile.encryption == 'string') { wifiProfile.encryption = wifiProfile.encryption.toLowerCase(); } if (typeof wifiProfile.authentication == 'string') { wifiProfile.authentication = wifiProfile.authentication.toLowerCase(); }
if ((wifiProfile.encryption == 'ccmp-aes') || (wifiProfile.encryption == 'ccmp')) { wifiProfile.encryption = 4; } if (wifiProfile.authentication == 'wpa-psk') { wifiProfile.authentication = 4; }
if ((wifiProfile.encryption == 'tkip-rc4') || (wifiProfile.encryption == 'tkip')) { wifiProfile.encryption = 3; } if (wifiProfile.authentication == 'wpa2-psk') { wifiProfile.authentication = 6; }
if (typeof wifiProfile.encryption != 'number') { wifiProfile.encryption = 4; } // Default to CCMP-AES if (wifiProfile.authentication == 'wpa-8021x') { wifiProfile.authentication = 5; }
if (wifiProfile.authentication == 'wpa2-802.1x') { wifiProfile.authentication = 7; }
// Type if (wifiProfile.authentication == 'wpa3-sae-802.1x') { wifiProfile.authentication = 32768; }
wifiProfile.type = 3; // Infrastructure if (wifiProfile.authentication == 'wpa3-owe-802.1x') { wifiProfile.authentication = 32769; }
if (typeof wifiProfile.authentication != 'number') {
if (wifiProfile['802.1x']) { wifiProfile.authentication = 7; } // Default to WPA2-802.1x
else { wifiProfile.authentication = 6; } // Default to WPA2-PSK
} }
// Encyption
if (typeof wifiProfile.encryption == 'string') { wifiProfile.encryption = wifiProfile.encryption.toLowerCase(); }
if ((wifiProfile.encryption == 'ccmp-aes') || (wifiProfile.encryption == 'ccmp')) { wifiProfile.encryption = 4; }
if ((wifiProfile.encryption == 'tkip-rc4') || (wifiProfile.encryption == 'tkip')) { wifiProfile.encryption = 3; }
if (typeof wifiProfile.encryption != 'number') { wifiProfile.encryption = 4; } // Default to CCMP-AES
// Type
wifiProfile.type = 3; // Infrastructure
// Check authentication
if ([4, 6].indexOf(wifiProfile.authentication) >= 0) {
// Password authentication
if ((typeof wifiProfile.password != 'string') || (wifiProfile.password.length < 8) || (wifiProfile.password.length > 63)) continue;
} else if ([5, 7, 32768, 32769].indexOf(wifiProfile.authentication) >= 0) {
// 802.1x authentication
if ((wifiProfile['802.1x'] == null) && (typeof wifiProfile['802.1x'] != 'object')) continue;
const netAuthStrings = ['eap-tls', 'eap-ttls/mschapv2', 'peapv0/eap-mschapv2', 'peapv1/eap-gtc', 'eap-fast/mschapv2', 'eap-fast/gtc', 'eap-md5', 'eap-psk', 'eap-sim', 'eap-aka', 'eap-fast/tls'];
if (typeof wifiProfile['802.1x'].servercertificatename != 'string') {
delete wifiProfile['802.1x'].servercertificatenamecomparison;
const serverCertCompareStrings = ['', '', 'fullname', 'domainsuffix'];
if (typeof wifiProfile['802.1x'].servercertificatenamecomparison == 'string') {
wifiProfile['802.1x'].servercertificatenamecomparison = serverCertCompareStrings.indexOf(wifiProfile['802.1x'].servercertificatenamecomparison.toLowerCase());
if (wifiProfile['802.1x'].servercertificatenamecomparison == -1) { wifiProfile['802.1x'].servercertificatenamecomparison = 2; } // Default to full name compare
}
}
if (typeof wifiProfile['802.1x'].authenticationprotocol == 'string') {
wifiProfile['802.1x'].authenticationprotocol = netAuthStrings.indexOf(wifiProfile['802.1x'].authenticationprotocol.toLowerCase());
if (wifiProfile['802.1x'].authenticationprotocol == -1) continue;
}
}
goodWifiProfiles.push(wifiProfile); goodWifiProfiles.push(wifiProfile);
} }
} }
@ -95,6 +126,25 @@ module.exports.CreateAmtManager = function (parent) {
} else { } else {
delete domain.amtmanager.wifiprofiles; delete domain.amtmanager.wifiprofiles;
} }
// Check 802.1x wired profile if present
if ((domain.amtmanager['802.1x'] != null) && (typeof domain.amtmanager['802.1x'] == 'object')) {
const netAuthStrings = ['eap-tls', 'eap-ttls/mschapv2', 'peapv0/eap-mschapv2', 'peapv1/eap-gtc', 'eap-fast/mschapv2', 'eap-fast/gtc', 'eap-md5', 'eap-psk', 'eap-sim', 'eap-aka', 'eap-fast/tls'];
if (typeof domain.amtmanager['802.1x'].servercertificatename != 'string') {
delete domain.amtmanager['802.1x'].servercertificatenamecomparison;
const serverCertCompareStrings = ['', '', 'fullname', 'domainsuffix'];
if (typeof domain.amtmanager['802.1x'].servercertificatenamecomparison == 'string') {
domain.amtmanager['802.1x'].servercertificatenamecomparison = serverCertCompareStrings.indexOf(domain.amtmanager['802.1x'].servercertificatenamecomparison.toLowerCase());
if (domain.amtmanager['802.1x'].servercertificatenamecomparison == -1) { domain.amtmanager['802.1x'].servercertificatenamecomparison = 2; } // Default to full name compare
}
}
if (typeof domain.amtmanager['802.1x'].authenticationprotocol == 'string') {
domain.amtmanager['802.1x'].authenticationprotocol = netAuthStrings.indexOf(domain.amtmanager['802.1x'].authenticationprotocol.toLowerCase());
if (domain.amtmanager['802.1x'].authenticationprotocol == -1) { delete domain.amtmanager['802.1x']; }
}
}
} }
// Check if an Intel AMT device is being managed // Check if an Intel AMT device is being managed

View File

@ -682,7 +682,7 @@
"items": { "items": {
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
"required": [ "ssid", "password" ], "required": [ "ssid" ],
"properties": { "properties": {
"name": { "name": {
"description": "WIFI profile name, if not specified the SSID is used.", "description": "WIFI profile name, if not specified the SSID is used.",
@ -695,7 +695,7 @@
"authentication": { "authentication": {
"description": "WIFI authentication.", "description": "WIFI authentication.",
"type": "string", "type": "string",
"enum": [ "wpa2-psk", "wpa-psk" ], "enum": [ "wpa-psk", "wpa2-psk", "wpa-8021x", "wpa2-802.1x", "wpa3-sae-802.1x", "wpa3-owe-802.1x" ],
"default": "wpa2-psk" "default": "wpa2-psk"
}, },
"encryption": { "encryption": {
@ -709,9 +709,152 @@
"type": "string", "type": "string",
"minLength": 8, "minLength": 8,
"maxLength": 63 "maxLength": 63
},
"802.1x": {
"description": "802.1x settings for this WIFI profile. Only required if the WIFI authentication type has 802.1x",
"default": null,
"type": "object",
"additionalProperties": false,
"required": [ "authenticationProtocol" ],
"properties": {
"authenticationProtocol": {
"description": "Identifies the authentication protocol used to authenticate the access requestor to the AAA server.",
"type": [ "integer", "string" ],
"enum": [ "EAP-TLS", "EAP-TTLS/MSCHAPv2", "PEAPv0/EAP-MSCHAPv2", "PEAPv1/EAP-GTC", "EAP-FAST/MSCHAPv2", "EAP-FAST/GTC", "EAP-MD5", "EAP-PSK", "EAP-SIM", "EAP-AKA", "EAP-FAST/TLS", 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ]
},
"serverCertificateNameComparison": {
"type": [ "integer", "string" ],
"default": "FullName",
"description": "Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server.",
"enum": [ "FullName", "DomainSuffix", 2, 3 ]
},
"serverCertificateName": {
"type": "string",
"default": null,
"description": "The name compared against the subject name field in the certificate provided by the AAA server.",
"maxLength": 80
},
"availableInS0": {
"type": "boolean",
"default": true,
"description": "Indicates the activity setting of the 802.1X module in H0 state"
},
"protectedAccessCredentialHex": {
"type": "string",
"default": null,
"description": "A credential used by the supplicant and AAA server to establish a mutually authenticated encrypted tunnel for confidential user authentication.",
"maxLength": 64
},
"pacPassword": {
"type": "string",
"default": null,
"description": "Optional password to extract the PAC (Protected Access Credential) information from the PAC data.",
"maxLength": 256
},
"domain": {
"type": "string",
"default": null,
"description": "The domain within which Username is unique.",
"maxLength": 128
},
"username": {
"type": "string",
"default": null,
"description": "Within the domain specified by Domain, Identifies the user that is requesting access to the network.",
"maxLength": 128
},
"password": {
"type": "string",
"default": null,
"description": "The password associated with the user identified by Username and Domain.",
"maxLength": 32
},
"roamingIdentity": {
"type": "string",
"default": null,
"description": "A string presented to the authentication server in 802.1x protocol exchange",
"maxLength": 80
},
"pxeTimeoutInSeconds": {
"type": "integer",
"default": 120,
"description": "Timeout in seconds, in which the Intel(R) AMT will hold an authenticated 802.1X session."
}
}
} }
} }
} }
},
"802.1x": {
"description": "802.1x settings for the Intel AMT Wired interface. If set to false, any existing 802.1x wired profile will be removed from Intel AMT.",
"default": null,
"type": [ "object", "boolean" ],
"additionalProperties": false,
"required": [ "authenticationProtocol" ],
"properties": {
"authenticationProtocol": {
"description": "Identifies the authentication protocol used to authenticate the access requestor to the AAA server.",
"type": [ "integer", "string" ],
"enum": [ "EAP-TLS", "EAP-TTLS/MSCHAPv2", "PEAPv0/EAP-MSCHAPv2", "PEAPv1/EAP-GTC", "EAP-FAST/MSCHAPv2", "EAP-FAST/GTC", "EAP-MD5", "EAP-PSK", "EAP-SIM", "EAP-AKA", "EAP-FAST/TLS", 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 ]
},
"serverCertificateNameComparison": {
"type": [ "integer", "string" ],
"description": "Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server.",
"enum": [ "FullName", "DomainSuffix", 2, 3 ]
},
"serverCertificateName": {
"type": "string",
"default": null,
"description": "The name compared against the subject name field in the certificate provided by the AAA server.",
"maxLength": 80
},
"availableInS0": {
"type": "boolean",
"default": true,
"description": "Indicates the activity setting of the 802.1X module in H0 state"
},
"protectedAccessCredentialHex": {
"type": "string",
"default": null,
"description": "A credential used by the supplicant and AAA server to establish a mutually authenticated encrypted tunnel for confidential user authentication.",
"maxLength": 64
},
"pacPassword": {
"type": "string",
"default": null,
"description": "Optional password to extract the PAC (Protected Access Credential) information from the PAC data.",
"maxLength": 256
},
"domain": {
"type": "string",
"default": null,
"description": "The domain within which Username is unique.",
"maxLength": 128
},
"username": {
"type": "string",
"default": null,
"description": "Within the domain specified by Domain, Identifies the user that is requesting access to the network.",
"maxLength": 128
},
"password": {
"type": "string",
"default": null,
"description": "The password associated with the user identified by Username and Domain.",
"maxLength": 32
},
"roamingIdentity": {
"type": "string",
"default": null,
"description": "A string presented to the authentication server in 802.1x protocol exchange",
"maxLength": 80
},
"pxeTimeoutInSeconds": {
"type": "integer",
"default": 120,
"description": "Timeout in seconds, in which the Intel(R) AMT will hold an authenticated 802.1X session."
}
}
} }
} }
}, },