I am trying to use the WPA-EAP FAST authentication method to connect a Wi-Fi client (using wpa_supplicant) to an AP (served by hostapd), but cannot get it to work.
Since there is not much information to be found on the Internet, I am asking for help here. Any answer will be appreciated.
hostapd configuration: hostapd.conf
##### EAP-FAST configuration ##########################################
# dh_file: File path to DH/DSA parameters file (in PEM format)
# ephemeral DH key exchange.
# This parameter is required if anonymous EAP-FAST is used.
# You can generate DH parameters file with OpenSSL, e.g.,
# "openssl dhparam -out /etc/hostapd.dh.pem 2048"
# $ openssl dhparam -out /etc/hostapd/hostapd.dh.pem 2048
dh_file=/etc/hostapd/hostapd.dh.pem
# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
# random value. It is configured as a 16-octet value in hex format. It can be
# generated, e.g.
# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
# EAP-FAST authority identity (A-ID)
# A-ID indicates the identity of the authority that issues PACs. The A-ID
# should be unique across all issuing servers.
# It is strongly recommended to use 16 octets in length for the interoperability.
# This field is configured in hex format.
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
# EAP-FAST authority identifier information (A-ID-Info)
# This is a user-friendly name for the A-ID. This field is encoded as UTF-8.
eap_fast_a_id_info=eap_fast_server
# Enable/disable different EAP-FAST provisioning modes:
#0 = provisioning disabled
#1 = only anonymous provisioning allowed
#2 = only authenticated provisioning allowed
#3 = both provisioning modes allowed (default)
eap_fast_prov=3
# EAP-FAST PAC-Key lifetime in seconds (hard limit)
pac_key_lifetime=604800
# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
# limit). The server will generate a new PAC-Key when this number of seconds
# (or fewer) of the lifetime remains.
pac_key_refresh_time=86400
hostapd.eap_user
"ml_user_fast" FAST
"ml_user_fast" MSCHAPV2,TTLS-MSCHAPV2,TTLS,TTLS-CHAP,GTC,TTLS-PAP,TTLS-MSCHAP,MD5 "RPI3B_plus" [2]
wpa_supplicant configuration: wpa_supplicant.conf
network={
    ssid="RPI3B_plus"
    key_mgmt=WPA-EAP
    eap=FAST
    ## phase1
    anonymous_identity="ml_user_fast"
    phase1="fast_provisioning=3"
    pac_file="/etc/wpa_supplicant/wpa_supplicant.eap-fast-pac"
    ## phase2
    identity="ml_user_fast"
    password="RPI3B_plus"
    id_str="RPI3B_plus_WPA-EAP-FAST"
}
When I use wpa_cli to connect to the AP, I get the following errors ...
# wpa_cli
> interface wlan0
Connected to interface 'wlan0.
> list_networks
network id / ssid / bssid / flags
0 CL-6e1a07 any
1 Rpi3B-AP any [CURRENT]
2 HomeE8EA any
3 wifi-guest any
4 ATT-MINIONS any
5 wifi-demo any
6 RPI3B_plus any
> select_network 6
OK
<3>CTRL-EVENT-DISCONNECTED bssid=b8:27:eb:c8:a6:35 reason=3 locally_generated=1
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<3>Trying to associate with SSID 'RPI3B_plus'
<3>Associated with 74:da:38:59:f8:bc
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='FAST'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected
<4>EAP-MSCHAPV2: failure message: 'FAILED' (retry not allowed, error 691)
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>Authentication with 74:da:38:59:f8:bc timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=74:da:38:59:f8:bc reason=3 locally_generated=1
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=6 ssid="RPI3B_plus" auth_failures=1 duration=10 reason=AUTH_FAILED
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
<3>CTRL-EVENT-SSID-REENABLED id=6 ssid="RPI3B_plus"
<3>Trying to associate with SSID 'RPI3B_plus'
<3>Associated with 74:da:38:59:f8:bc
<3>CTRL-EVENT-EAP-STARTED EAP authentication started
<3>CTRL-EVENT-EAP-STATUS status='started' parameter=''
<3>CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
<3>CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=43
<3>CTRL-EVENT-EAP-STATUS status='accept proposed method' parameter='FAST'
<3>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 43 (FAST) selected
<4>EAP-MSCHAPV2: failure message: 'FAILED' (retry not allowed, error 691)
<3>CTRL-EVENT-EAP-STATUS status='completion' parameter='failure'
<3>CTRL-EVENT-EAP-FAILURE EAP authentication failed
<3>Authentication with 74:da:38:59:f8:bc timed out.
<3>CTRL-EVENT-DISCONNECTED bssid=74:da:38:59:f8:bc reason=3 locally_generated=1
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=6 ssid="RPI3B_plus" auth_failures=2 duration=37 reason=AUTH_FAILED
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=6 ssid="RPI3B_plus" auth_failures=3 duration=55 reason=CONN_FAILED
<3>CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
<3>CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=US
<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SCAN-RESULTS
<3>WPS-AP-AVAILABLE
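
The hostapd.conf comments in the post above say that pac_opaque_encr_key must be a secret, random value and that eap_fast_prov selects which provisioning modes are allowed. The following check of those settings is an added example, not part of the original post and not hostapd code; the function names and finding texts are assumptions of this example, and POSTED_CONF repeats the values from the post.

```python
import re

HEX16 = re.compile(r"[0-9a-fA-F]{32}")  # 16 octets written as hex

# EAP-FAST settings copied from the hostapd.conf in the post above.
POSTED_CONF = """
dh_file=/etc/hostapd/hostapd.dh.pem
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_prov=3
"""

def parse_conf(text):
    """Return key=value settings from hostapd.conf text, skipping comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_patterned(hexstr):
    """True if the bytes form a constant-step run (00 01 02 ..., all zeros)."""
    b = bytes.fromhex(hexstr)
    step = (b[1] - b[0]) % 256
    return all((y - x) % 256 == step for x, y in zip(b, b[1:]))

def audit_eap_fast(text):
    """Return findings for the EAP-FAST settings in a hostapd.conf."""
    conf = parse_conf(text)
    findings = []
    key = conf.get("pac_opaque_encr_key", "")
    if not HEX16.fullmatch(key):
        findings.append("pac_opaque_encr_key: not 16 octets of hex")
    elif is_patterned(key):
        findings.append("pac_opaque_encr_key: patterned sample value, not random")
    if not HEX16.fullmatch(conf.get("eap_fast_a_id", "")):
        findings.append("eap_fast_a_id: not the recommended 16 octets of hex")
    # Per the config comments, 3 (both modes) is the default when unset.
    prov = conf.get("eap_fast_prov", "3")
    if prov in ("1", "3"):
        # Anonymous provisioning runs before the server is authenticated.
        findings.append("eap_fast_prov=%s: anonymous provisioning allowed" % prov)
        if "dh_file" not in conf:
            findings.append("dh_file: required for anonymous provisioning")
    return findings

if __name__ == "__main__":
    for finding in audit_eap_fast(POSTED_CONF):
        print(finding)
```

On the posted settings it reports the counting-sequence PAC-Opaque key and the enabled anonymous provisioning mode; it does not diagnose the MSCHAPV2 error 691 shown in the wpa_cli output.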