我正在尝试设置一个带有外部 RADIUS 服务器的 AP,每个服务使用两个 Linux 主机,hostapd
并且freeradius
相应地。这些主机和 Wi-Fi 客户端主机是运行 Ubuntu 22.04.4 LTS (jammy) 的 Raspberry Pi 4 设备。
所有主机都通过以太网连接到公共 LAN (10.1.0.0/24):
- hostA - Wi-Fi AP(10.1.0.22 以太网、192.168.220.1 Wi-Fi)
- hostB - RADIUS 服务器(10.1.0.12 以太网)
- hostC - Wi-Fi 客户端(10.1.0.50 以太网、192.168.220.101 Wi-Fi)
我已经freeradius
在 hostB 上配置了服务器,并且能够通过以太网 LAN 从 Wi-Fi 客户端测试它:
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.12 0 testSecret1
Sent Access-Request Id 155 from 0.0.0.0:35529 to 10.1.0.12:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
Received Access-Accept Id 155 from 10.1.0.12:1812 to 10.1.0.50:35529 length 20
然后我调出配置了以下内容的 Wi-Fi AP (hostA) hostapd.conf
:
logger_syslog=-1
logger_syslog_level=0
ctrl_interface=/var/run/hostapd/
interface=wlp1s0
driver=nl80211
country_code=CA
ieee80211n=1
hw_mode=g
channel=6
beacon_int=100
dtim_period=2
disassoc_low_ack=0
ssid=testAP
ieee80211w=0
auth_algs=1
wpa=0
ignore_broadcast_ssid=0
eap_server=0
own_ip_addr=10.1.0.22
auth_server_addr=10.1.0.12 #hostB
auth_server_port=1812
auth_server_shared_secret=testSecret1
该hostapd
服务是根据分支中可用的最新代码构建的,main
只需对文件进行以下修改defconfig
即可禁用集成 RADIUS 服务器:
# Integrated EAP server
CONFIG_EAP=n
我可以看到服务hostapd
正确启动,并相应地报告了 RADIUS 服务器配置:
hostA:/usr/src/hostap/hostapd$ sudo ./hostapd /etc/hostapd/hostapd.conf -i wlp1s0
wlp1s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp1s0: RADIUS Authentication server 10.1.0.12:1812
wlp1s0: interface state COUNTRY_UPDATE->ENABLED
wlp1s0: AP-ENABLED
我可以成功将 Wi-Fi 客户端 (hostC) 连接到 Wi-Fi AP (hostA)。但是,当我现在尝试通过 Wi-Fi 网络 (192.168.220.0/24) 进行 RADIUS 测试,目标 Wi-Fi AP 来处理 RADIUS 请求时,出现错误:
hostC:~$ radtest -x testUser1 testPassword1 10.1.0.22 0 testSecret1
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
User-Name = "testUser1"
User-Password = "testPassword1"
NAS-IP-Address = 10.1.0.50
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "testPassword1"
(0) No reply from server for ID 235 socket 3
我捕获了 Wi-Fi 接口上的流量hostA
,并看到它响应 ICMP 数据包,内容如下Destination unreachable (Port unreachable)
:
Frame 2: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 2, 2024 18:18:11.473305000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1712107091.473305000 seconds
[Time delta from previous captured frame: 0.000101000 seconds]
[Time delta from previous displayed frame: 0.000101000 seconds]
[Time since reference or first frame: 0.000101000 seconds]
Frame Number: 2
Frame Length: 155 bytes (1240 bits)
Capture Length: 155 bytes (1240 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:icmp:ip:udp:radius]
[Coloring Rule Name: ICMP errors]
[Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: IntelCor_05:02:62 (80:45:dd:05:02:62), Dst: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
Destination: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
Address: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: IntelCor_05:02:62 (80:45:dd:05:02:62)
Address: IntelCor_05:02:62 (80:45:dd:05:02:62)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.220.1, Dst: 192.168.220.101
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 141
Identification: 0xa48f (42127)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: ICMP (1)
Header Checksum: 0x9b68 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.220.1
Destination Address: 192.168.220.101
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0x3724 [correct]
[Checksum Status: Good]
Unused: 00000000
Internet Protocol Version 4, Src: 192.168.220.101, Dst: 192.168.220.1
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 113
Identification: 0xc1e8 (49640)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 64
Protocol: UDP (17)
Header Checksum: 0x7edb [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.220.101
Destination Address: 192.168.220.1
User Datagram Protocol, Src Port: 40929, Dst Port: 1812
Source Port: 40929
Destination Port: 1812
Length: 93
Checksum: 0xbfa6 [unverified]
[Checksum Status: Unverified]
[Stream index: 0]
UDP payload (85 bytes)
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x95 (149)
Length: 85
Authenticator: 2cc8f534dfcac17c947a03ced3daf62f
Attribute Value Pairs
AVP: t=User-Name(1) l=11 val=testUser1
Type: 1
Length: 11
User-Name: testUser1
AVP: t=User-Password(2) l=18 val=Encrypted
Type: 2
Length: 18
User-Password (encrypted): 986ed23c9a832e3a98a328697e8fab38
AVP: t=NAS-IP-Address(4) l=6 val=192.168.220.101
Type: 4
Length: 6
NAS-IP-Address: 192.168.220.101
AVP: t=NAS-Port(5) l=6 val=0
Type: 5
Length: 6
NAS-Port: 0
AVP: t=Message-Authenticator(80) l=18 val=b4669b2314a4738a956f683b59b645c4
Type: 80
Length: 18
Message-Authenticator: b4669b2314a4738a956f683b59b645c4
AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
Type: 7
Length: 6
Framed-Protocol: PPP (1)
我在这里想念什么?