[Feature request] Blacklist access points. #170

Open
ghost opened this issue Apr 12, 2019 · 10 comments

@ghost

ghost commented Apr 12, 2019

I keep encountering bad access points on Eduroam which have no internet access, and every time my machine switches over to them I have to restart netctl-auto.

It would be nice to have a way to block such "rogue" access points based on BSSID.

@ghost
Author

ghost commented Jun 4, 2019

Anyone? PLEASE HELP!

@joukewitteveen
Owner

Questions have a better chance of getting an answer in the Arch forums, but let me try to help you.
So you have a profile for Eduroam and some networks with an Eduroam SSID don't work, correct? One thing I can think of is that you list those APs that do work for you and use their BSSIDs in profiles for them. You could keep a general Eduroam profile around and add an `ExcludeAuto=yes` line to it.

@ghost
Author

ghost commented Jun 4, 2019

Thanks, I will try and ask the question there.

The problem with "whitelisting" the BSSIDs which work is, every time you go to a new place (or probably even another part of the same building) you will have to manually add more BSSIDs to the list. And then have to maintain and prune the list as it grows over time.

@joukewitteveen
Owner

Let me know when you find a solution! I just found that wpa_supplicant has the ability to blacklist BSSIDs and your use case is a good reason to support such a blacklist. I would be interested in adding support to netctl(-auto). Any suggestions as to how this functionality should be exposed are welcome!

Note: it is currently possible to start netctl-auto and then use `wpa_cli -i <interface> blacklist <BSSID>` to add BSSIDs to the blacklist. You could put a few of these statements in a script:

```bash
#! /bin/bash

# Blacklist each listed BSSID; the optional first argument is the interface.
for bssid in \
  <BSSID> \
  <BSSID> \
  ... \
  <BSSID> \
; do
    wpa_cli ${1:+-i "$1"} blacklist "$bssid"
done
```

and run this script each time after starting netctl-auto (supply the interface as an argument to the script).

@ghost
Author

ghost commented Jun 5, 2019 via email

@joukewitteveen
Owner

Have you tried including something like

```
Security=wpa-configsection
WPAConfigSection=(
    'ssid="eduroam"'
    'key_mgmt=WPA-EAP'
    'eap=PEAP'
    'pairwise=TKIP CCMP'
    'anonymous_identity="anonymous"'
    'identity="<USERNAME>"'
    'password="<PASSWORD>"'
    'bssid_blacklist=<BSSID> <BSSID> ... <BSSID>'
)
```

in your profile?

@ghost
Author

ghost commented Jun 7, 2019

Wow, thanks, according to `$ strings '/usr/bin/wpa_supplicant' |grep -i bssid_blacklist` it seems to be there. Strange that neither manpages nor my Internet searches had shown it to me. I will definitely give it a try today!

The external-script solution seems to work more or less, and it can be used on the systems whose wpa_supplicant is old and does not include this feature yet, and I improved the script to accept input with comments:
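```sh
#!/bin/sh --

# Drop full-line and trailing comments, then blacklist each remaining BSSID.
sed -E -e '/^#/d' -e 's/#.*//' "${@:?}" | while read -r bssid; do
    # Skip lines that are empty once comments are removed.
    [ -n "${bssid}" ] || continue
    wpa_cli blacklist "${bssid}"
done
```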

@ghost
Author

ghost commented Jun 7, 2019

The output of `$ wpa_cli blacklist` is only `Selected interface 'wlp2s0'` meaning it does not work somehow?..

@joukewitteveen
Owner

It looks like the blacklist you set in the config section does not show up in the output of `wpa_cli blacklist`. This would be a bug in wpa_cli and (if so) should be reported upstream.

@ghost
Author

ghost commented Aug 2, 2019

The setting does have an effect, which means wpa_cli is indeed bugged.
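
One way to combine the two approaches from this thread, as an added example that is not part of the original discussion: the commented list format used by the external script feeds the `bssid_blacklist` element of `WPAConfigSection`, with every entry validated as a MAC address before it reaches the profile. The function names and the sample BSSIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build a validated bssid_blacklist entry.

# is_bssid VALUE: succeed only for six colon-separated lowercase hex octets.
is_bssid() {
    printf '%s\n' "$1" | grep -Eqx '([0-9a-f]{2}:){5}[0-9a-f]{2}'
}

# blacklist_line: read a commented BSSID list on stdin and print one
# WPAConfigSection array element. It fails closed on any malformed entry, so
# a typo cannot silently leave an access point unblocked or inject extra
# text into the profile.
blacklist_line() {
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop comments, trim surrounding whitespace, normalise case.
        entry=$(printf '%s\n' "$line" |
            sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
            tr 'A-F' 'a-f')
        [ -n "$entry" ] || continue
        if ! is_bssid "$entry"; then
            printf 'rejected entry: %s\n' "$entry" >&2
            return 1
        fi
        # Skip duplicates.
        case " $out " in *" $entry "*) continue ;; esac
        out="${out:+$out }$entry"
    done
    [ -n "$out" ] || return 1
    printf "'bssid_blacklist=%s'\n" "$out"
}

# Constructed sample list (locally administered addresses, not real APs).
sample_list() {
    cat <<'EOF'
# eduroam APs without upstream connectivity
02:00:00:AA:BB:01   # library, 2nd floor
02:00:00:aa:bb:01

02:00:00:aa:bb:02
EOF
}

sample_list | blacklist_line
```

The printed line can be pasted into the `WPAConfigSection=( ... )` array in place of the hand-written `bssid_blacklist` element.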
