WPA-EAP FAST между wpa_supplicant и hostapd

I am trying to use the WPA-EAP FAST authentication method to connect a Wi-Fi client (using wpa_supplicant) to an AP (served by hostapd), but I cannot get it to work.

Since there is not much information to be found on the Internet, I am asking for help here. Any answer will be appreciated.

hostapd.conf

##### EAP-FAST configuration ##########################################

# dh_file: File path to DH/DSA parameters file (in PEM format)
# ephemeral DH key exchange.
# This parameter is required if anonymous EAP-FAST is used.
# You can generate DH parameters file with OpenSSL, e.g.,
# "openssl dhparam -out /etc/hostapd.dh.pem 2048"
# $ openssl dhparam -out /etc/hostapd/hostapd.dh.pem 2048
dh_file=/etc/hostapd/hostapd.dh.pem

# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
# random value. It is configured as a 16-octet value in hex format. It can be
# generated, e.g.
# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f

# EAP-FAST authority identity (A-ID)
# A-ID indicates the identity of the authority that issues PACs. The A-ID
# should be unique across all issuing servers.
# It is strongly recommended to use 16 octets in length for the interoperability.
# This field is configured in hex format.
eap_fast_a_id=101112131415161718191a1b1c1d1e1f

# EAP-FAST authority identifier information (A-ID-Info)
# This is a user-friendly name for the A-ID. This field is encoded as UTF-8.
eap_fast_a_id_info=eap_fast_server

# Enable/disable different EAP-FAST provisioning modes:
#0 = provisioning disabled
#1 = only anonymous provisioning allowed
#2 = only authenticated provisioning allowed
#3 = both provisioning modes allowed (default)
eap_fast_prov=3

# EAP-FAST PAC-Key lifetime in seconds (hard limit)
pac_key_lifetime=604800

# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
# limit). The server will generate a new PAC-Key when this number of seconds
# (or fewer) of the lifetime remains.
pac_key_refresh_time=86400

hostapd.eap_user

"ml_user_fast" FAST
"ml_user_fast" MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,GTC,TTLS-PAP,TTLS-MSCHAP,MD5  "RPI3B_plus" [2]

wpa_supplicant.conf

network={
    ssid="RPI3B_plus"
    key_mgmt=WPA-EAP
    eap=FAST
    ## phase1
    anonymous_identity="ml_user_fast"
    phase1="fast_provisioning=3"
    pac_file="/etc/wpa_supplicant/wpa_supplicant.eap-fast-pac"
    ## phase2
    identity="ml_user_fast"
    password="RPI3B_plus"
    id_str="RPI3B_plus_WPA-EAP-FAST"
}

When I use wpa_cli to connect to the AP, I get the following errors ...

# wpa_cli 
> interface wlan0
Connected to interface 'wlan0.
> list_networks
network id / ssid / bssid / flags
0   CL-6e1a07   any 
1   Rpi3B-AP    any [CURRENT]
2   HomeE8EA    any 
3   wifi-guest  any 
4   ATT-MINIONS any 
5   wifi-demo   any 
6   RPI3B_plus  any 
> select_network 6
OK
<3>CTRL-EVENT-DISCONNECTED bssid=b8:27:eb:c8:a6:35 reason=3 locally_generated=1
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>WPS-AP-AVAILABLE 
<3>Trying to associate with SSID 'RPI3B_plus'
<3>Associated with 74:da:38:59:f8:bc
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='FAST'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected
<4>EAP-MSCHAPV2: failure message: 'FAILED' (retry not allowed, error 691)
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>Authentication with 74:da:38:59:f8:bc timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=74:da:38:59:f8:bc reason=3 locally_generated=1
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=6 ssid="RPI3B_plus" auth_failures=1 duration=10 reason=AUTH_FAILED
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>WPS-AP-AVAILABLE 
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>WPS-AP-AVAILABLE 
<3>CTRL-EVENT-SSID-REENABLED id=6 ssid="RPI3B_plus"
<3>Trying to associate with SSID 'RPI3B_plus'
<3>Associated with 74:da:38:59:f8:bc
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='FAST'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected
<4>EAP-MSCHAPV2: failure message: 'FAILED' (retry not allowed, error 691)
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>Authentication with 74:da:38:59:f8:bc timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=74:da:38:59:f8:bc reason=3 locally_generated=1
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=6 ssid="RPI3B_plus" auth_failures=2 duration=37 reason=AUTH_FAILED
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=6 ssid="RPI3B_plus" auth_failures=3 duration=55 reason=CONN_FAILED
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED 
<3>CTRL-EVENT-SCAN-RESULTS 
<3>WPS-AP-AVAILABLE
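
Both failed attempts in the log above stop at the same event. As an added example (not part of the original post and not wpa_supplicant code), this Python script groups wpa_cli events into EAP attempts and names the layer that reported the failure; the function names are hypothetical, and the error-code table is taken from RFC 2759.

```python
import re

# MS-CHAPv2 failure codes (RFC 2759, the "E=" field of a Failure packet).
MSCHAPV2_ERRORS = {646: "restricted logon hours", 647: "account disabled",
                   648: "password expired", 649: "no dial-in permission",
                   691: "authentication failure", 709: "error changing password"}
METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor \d+ method (\d+) \((\S+)\) selected")
INNER = re.compile(r"EAP-(\w+): failure message: '[^']*' \(retry (?:not )?allowed, error (\d+)\)")

# Lines of the first attempt, taken from the wpa_cli session in the post above.
POSTED_LOG = """\
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected
<4>EAP-MSCHAPV2: failure message: 'FAILED' (retry not allowed, error 691)
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
"""

def triage(log_text):
    """Group wpa_cli events into EAP attempts and record where each stopped."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        event = re.sub(r"^<\d>", "", line.strip())  # drop the priority prefix
        if event.startswith("CTRL-EVENT-EAP-STARTED"):
            cur = {"outer": None, "inner": None, "error": None, "result": "incomplete"}
            attempts.append(cur)
        elif cur is None:
            continue  # events before the first EAP start (scans, regdom changes)
        elif m := METHOD.search(event):
            cur["outer"] = m.group(2)
        elif m := INNER.search(event):
            cur["inner"], cur["error"] = m.group(1), int(m.group(2))
        elif event.startswith("CTRL-EVENT-EAP-FAILURE"):
            cur["result"] = "failure"
        elif event.startswith("CTRL-EVENT-EAP-SUCCESS"):
            cur["result"] = "success"
    return attempts

def explain(a):
    """One-line verdict naming the layer that reported the failure."""
    if a["result"] != "failure":
        return f"{a['result']} (outer method: {a['outer']})"
    if a["inner"] is None:
        return f"failed in outer method {a['outer']}, no inner method reported"
    reason = MSCHAPV2_ERRORS.get(a["error"], "unknown code")
    return f"outer {a['outer']} negotiated; inner {a['inner']} rejected: {a['error']} ({reason})"

if __name__ == "__main__":
    print(*map(explain, triage(POSTED_LOG)), sep="\n")
```

For the posted log this reports that FAST was negotiated as the outer method and that the inner MSCHAPV2 exchange was rejected with error 691, which places the failure in phase 2 (the identity/password pair and its hostapd.eap_user entry).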
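
The comments in the posted hostapd.conf state several requirements (a secret random PAC-Opaque key, a 16-octet A-ID, DH parameters for anonymous provisioning, a refresh time inside the lifetime). As an added example (not part of the original post and not hostapd code), this Python check applies those requirements to the posted values; the function names are hypothetical, and the "fixed-step" test is a simple heuristic chosen for this example.

```python
import re

# Settings copied from the hostapd.conf in the post above.
POSTED_CONF = """\
dh_file=/etc/hostapd/hostapd.dh.pem
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_prov=3
pac_key_lifetime=604800
pac_key_refresh_time=86400
"""

def parse_conf(text):
    """Parse hostapd-style key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def fixed_step(hexstr):
    """True when the bytes are constant or a fixed-step sequence (00 01 02 ...)."""
    raw = bytes.fromhex(hexstr)
    return len({(b - a) % 256 for a, b in zip(raw, raw[1:])}) <= 1

def lint_eap_fast(text):
    """Return (setting, finding) pairs for the EAP-FAST block of a hostapd.conf."""
    conf, out = parse_conf(text), []
    for name in ("pac_opaque_encr_key", "eap_fast_a_id"):
        value = conf.get(name, "")
        if not re.fullmatch(r"[0-9a-fA-F]{32}", value):
            out.append((name, "not 16 octets of hex"))
        elif fixed_step(value):
            out.append((name, "fixed-step byte pattern, not a random value"))
    # Modes 1 and 3 permit anonymous provisioning, which needs DH parameters
    # and does not authenticate the server to the peer during provisioning.
    if conf.get("eap_fast_prov", "3") in ("1", "3"):
        out.append(("eap_fast_prov", "anonymous provisioning is allowed"))
        if "dh_file" not in conf:
            out.append(("dh_file", "required for anonymous provisioning but not set"))
    life, refresh = conf.get("pac_key_lifetime"), conf.get("pac_key_refresh_time")
    if life and refresh and int(refresh) >= int(life):
        out.append(("pac_key_refresh_time", "should be shorter than pac_key_lifetime"))
    return out

if __name__ == "__main__":
    print(*(f"{s}: {f}" for s, f in lint_eap_fast(POSTED_CONF)), sep="\n")
```

On the posted values it flags `pac_opaque_encr_key` and `eap_fast_a_id` as sequential byte patterns and notes that `eap_fast_prov=3` leaves anonymous provisioning enabled.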