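A lot of the material online feels somewhat out of date, so this post records the process of configuring 802.1X wireless user authentication on OpenWrt.

Install the required packages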
```
opkg update
opkg remove wpad-mini
opkg install wpad-openssl
reboot
```
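Many guides online say the package to install is wpad, but in practice wpad fails with AUTH_FAILED when connecting to an 802.1X wireless network that uses certificates. (It may even segfault the upstream RADIUS server!)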
So I recommend installing one of the following:

- wpad-supplicant-openssl: Station mode only
- wpad-openssl: Both Station and AP mode
- wpa-supplicant-wolfssl: like wpad-supplicant-openssl but uses wolfSSL instead of OpenSSL
- wpad-wolfssl: like wpad-openssl but uses wolfSSL instead of OpenSSL

Configure the wireless network

You can configure this in LuCI, or edit the /etc/config/wireless file directly.
A typical configuration looks like this:
```
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan wwan6'
	option ssid '[SSID]'
	option encryption 'wpa2'
	option eap_type 'peap'
	option auth 'EAP-GTC'
	option identity '[your-username]'
	option password '[your-password]'
```
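
The section above sets no `ca_cert` and no name-match option, so wpa_supplicant does not verify the RADIUS server's certificate before the inner EAP-GTC exchange sends the password. As an added example (not part of the original post), this script flags such client sections in a UCI wireless file; `audit_eap_sta`, `sample_config`, the CA path and the server name are illustrative assumptions, while `ca_cert`, `ca_cert_usesystem`, `domain_match`, `domain_suffix_match`, `subject_match` and `altsubject_match` are OpenWrt's client-side validation options.

```shell
#!/bin/sh
# Added example: audit UCI wifi-iface sections that act as 802.1X clients.
# Verdicts: NO_CA (any server certificate is accepted), NO_NAME_MATCH
# (any certificate issued by the trusted CA is accepted), OK.
audit_eap_sta() {
    awk -v q="'" '
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    function flush() {
        if (name != "" && mode == "sta" && eap != "") {
            v = "OK"
            if (!nm) v = "NO_NAME_MATCH"
            if (!ca) v = "NO_CA"
            print name, v
        }
        name = ""; mode = ""; eap = ""; ca = 0; nm = 0
    }
    $1 == "config" { flush(); if ($2 == "wifi-iface") name = ($3 == "" ? "(anonymous)" : unq($3)) }
    $1 == "option" && name != "" {
        val = unq($3)
        if ($2 == "mode") mode = val
        if ($2 == "eap_type") eap = val
        if ($2 == "ca_cert" && val != "") ca = 1
        if ($2 == "ca_cert_usesystem" && val == "1") ca = 1
        if ($2 ~ /^(domain_match|domain_suffix_match|subject_match|altsubject_match)$/ && val != "") nm = 1
    }
    END { flush() }
    ' "$@"
}

# Constructed sample: the section from this page plus a hardened variant.
# The CA path and server name are placeholders, not values from the page.
sample_config() {
    cat <<'EOF'
config wifi-iface 'wifinet0'
	option mode 'sta'
	option encryption 'wpa2'
	option eap_type 'peap'
	option auth 'EAP-GTC'
config wifi-iface 'wifinet1'
	option mode 'sta'
	option encryption 'wpa2'
	option eap_type 'peap'
	option ca_cert '/etc/ssl/certs/example-radius-ca.pem'
	option domain_suffix_match 'radius.example.com'
EOF
}

sample_config | audit_eap_sta
```

On a router, run `audit_eap_sta /etc/config/wireless`; with no argument the function reads the configuration from standard input.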
While connecting, you can follow the log with logread -f.
If the certificate information shows up, SSL support is generally working.
```
Tue Jul 8 09:49:38 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=CN
Tue Jul 8 09:49:38 2025 daemon.notice netifd: Wireless device 'radio0' is now up
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: Trying to associate with 94:b4:0f:99:e4:f0 (SSID='wrd-dot1x' freq=5765 MHz)
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-STARTED-CHANNEL-SWITCH freq=5765 ht_enabled=1 ch_offset=-1 ch_width=80 MHz cf1=5775 cf2=0
Tue Jul 8 09:49:41 2025 daemon.notice netifd: Network device 'phy0-sta0' link is up
Tue Jul 8 09:49:41 2025 daemon.notice netifd: Interface 'wwan' has link connectivity
Tue Jul 8 09:49:41 2025 daemon.notice netifd: Interface 'wwan' is setting up now
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: Associated with 94:b4:0f:99:e4:f0
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-STARTED EAP authentication started
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: tls_connection_set_params: Clearing pending SSL error: error:12800067:DSO support routines::could not load the shared library
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: tls_connection_set_params: Clearing pending SSL error: error:12800067:DSO support routines::could not load the shared library
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: tls_connection_set_params: Clearing pending SSL error: error:07880025:common libcrypto routines::reason(524325)
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Tue Jul 8 09:49:41 2025 daemon.notice netifd: wwan (7582): udhcpc: started, v1.36.1
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CN/ST=Radius/L=Somewhere/O=Example Inc./[email protected]/CN=Example Certificate Authority' hash=1398d42eabfb9de5337f82af5374ef11cac931bdf7213609836eab674258e4bf
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CN/ST=Radius/L=Somewhere/O=Example Inc./[email protected]/CN=Example Certificate Authority' hash=1398d42eabfb9de5337f82af5374ef11cac931bdf7213609836eab674258e4bf
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=CN/ST=Radius/O=Example Inc./CN=Example Server Certificate/[email protected]' hash=9a346e75e5ec859c6072e55a474a92cf5a88d9d18a88c05ba8da6caf762831b4
Tue Jul 8 09:49:42 2025 daemon.notice netifd: wwan (7582): udhcpc: broadcasting discover
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: PMKSA-CACHE-ADDED 94:b4:0f:99:e4:f0 0
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: WPA: Key negotiation completed with 94:b4:0f:99:e4:f0 [PTK=CCMP GTK=CCMP]
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-CONNECTED - Connection to 94:b4:0f:99:e4:f0 completed [id=0 id_str=]
Tue Jul 8 09:49:42 2025 kern.info kernel: [ 216.759156] IPv6: ADDRCONF(NETDEV_CHANGE): phy0-sta0: link becomes ready
Tue Jul 8 09:49:43 2025 daemon.info avahi-daemon[2871]: Joining mDNS multicast group on interface phy0-sta0.IPv6 with address fe80::f06a:ddff:fe4d:9b4b.
Tue Jul 8 09:49:43 2025 daemon.info avahi-daemon[2871]: New relevant interface phy0-sta0.IPv6 for mDNS.
Tue Jul 8 09:49:43 2025 daemon.info avahi-daemon[2871]: Registering new address record for fe80::f06a:ddff:fe4d:9b4b on phy0-sta0.*.
Tue Jul 8 09:49:45 2025 daemon.notice netifd: Interface 'wwan' is now up
Tue Jul 8 09:49:45 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
```
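
The `CTRL-EVENT-EAP-PEER-CERT depth=0` line in this log carries the hash of the RADIUS server's own certificate, which can be recorded once and compared on later connections to notice a changed server certificate. As an added example (not part of the original post), this script summarises an exchange and checks the hash against a pinned value; `eap_summary`, `server_cert_pinned` and `sample_log` are illustrative names, and the sample lines are abridged from the log above.

```shell
#!/bin/sh
# Added example: summarise the last EAP exchange in wpa_supplicant log text.
# eap_summary reads log lines on stdin and prints:
#   leaf=<hash of the depth=0 certificate> result=<SUCCESS|FAILURE|INCOMPLETE>
eap_summary() {
    awk '
    /CTRL-EVENT-EAP-PEER-CERT depth=0 / {
        # the subject contains spaces, so locate the hash= token by prefix
        for (i = 1; i <= NF; i++) if ($i ~ /^hash=/) leaf = substr($i, 6)
    }
    /CTRL-EVENT-EAP-SUCCESS/ { result = "SUCCESS" }
    /CTRL-EVENT-EAP-FAILURE/ { result = "FAILURE" }
    END {
        if (leaf == "") leaf = "none"
        if (result == "") result = "INCOMPLETE"
        print "leaf=" leaf, "result=" result
    }'
}

# server_cert_pinned PIN: exit status 0 only when the log on stdin shows a
# successful exchange whose server (depth=0) certificate hash equals PIN.
server_cert_pinned() {
    [ "$(eap_summary)" = "leaf=$1 result=SUCCESS" ]
}

# Constructed sample: abridged from the log shown on this page
# (subjects shortened, unrelated lines dropped).
sample_log() {
    cat <<'EOF'
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-STARTED EAP authentication started
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CN/O=Example Inc./CN=Example Certificate Authority' hash=1398d42eabfb9de5337f82af5374ef11cac931bdf7213609836eab674258e4bf
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=CN/O=Example Inc./CN=Example Server Certificate' hash=9a346e75e5ec859c6072e55a474a92cf5a88d9d18a88c05ba8da6caf762831b4
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
}

sample_log | eap_summary
```

On a router the same check can be fed from `logread`, for example `logread | server_cert_pinned <pinned-hash>`.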