OpenWrt 802.1X Wireless User Authentication

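A lot of the material online feels somewhat outdated, so this post records the process of configuring 802.1X wireless user authentication on OpenWrt.

Install the required packages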

opkg update
opkg remove wpad-mini # Or wpad-basic
opkg install wpad-openssl

reboot # a reboot is recommended

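Many guides online say the package to install is wpad, but in actual use wpad fails with AUTH_FAILED when connecting to an 802.1X wireless network that uses certificates. (It may even segfault the upstream RADIUS server!)

So it is recommended to install one of:

  • wpad-supplicant-openssl: Station mode only
  • wpad-openssl: Both Station and AP mode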
  • wpa-supplicant-wolfssl: like wpad-supplicant-openssl but uses wolfSSL instead of OpenSSL
  • wpad-wolfssl: like wpad-openssl but uses wolfSSL instead of OpenSSL

Configure the wireless network

You can configure this in LuCI, or edit the /etc/config/wireless file directly.

A typical configuration looks like this:

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan wwan6'
	option ssid '[SSID]'
	option encryption 'wpa2'
	option eap_type 'peap'
	option auth 'EAP-GTC'
	option identity '[your-username]'
	option password '[your-password]'

While connecting, you can watch the log with logread -f.

If certificate information shows up, SSL support is generally working.

Tue Jul  8 09:49:38 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-REGDOM-CHANGE init=DRIVER type=COUNTRY alpha2=CN
Tue Jul 8 09:49:38 2025 daemon.notice netifd: Wireless device 'radio0' is now up
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: Trying to associate with 94:b4:0f:99:e4:f0 (SSID='wrd-dot1x' freq=5765 MHz)
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-STARTED-CHANNEL-SWITCH freq=5765 ht_enabled=1 ch_offset=-1 ch_width=80 MHz cf1=5775 cf2=0
Tue Jul 8 09:49:41 2025 daemon.notice netifd: Network device 'phy0-sta0' link is up
Tue Jul 8 09:49:41 2025 daemon.notice netifd: Interface 'wwan' has link connectivity
Tue Jul 8 09:49:41 2025 daemon.notice netifd: Interface 'wwan' is setting up now
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: Associated with 94:b4:0f:99:e4:f0
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-STARTED EAP authentication started
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: tls_connection_set_params: Clearing pending SSL error: error:12800067:DSO support routines::could not load the shared library
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: tls_connection_set_params: Clearing pending SSL error: error:12800067:DSO support routines::could not load the shared library
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: tls_connection_set_params: Clearing pending SSL error: error:07880025:common libcrypto routines::reason(524325)
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Tue Jul 8 09:49:41 2025 daemon.notice netifd: wwan (7582): udhcpc: started, v1.36.1
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CN/ST=Radius/L=Somewhere/O=Example Inc./[email protected]/CN=Example Certificate Authority' hash=1398d42eabfb9de5337f82af5374ef11cac931bdf7213609836eab674258e4bf
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=CN/ST=Radius/L=Somewhere/O=Example Inc./[email protected]/CN=Example Certificate Authority' hash=1398d42eabfb9de5337f82af5374ef11cac931bdf7213609836eab674258e4bf
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=CN/ST=Radius/O=Example Inc./CN=Example Server Certificate/[email protected]' hash=9a346e75e5ec859c6072e55a474a92cf5a88d9d18a88c05ba8da6caf762831b4
Tue Jul 8 09:49:42 2025 daemon.notice netifd: wwan (7582): udhcpc: broadcasting discover
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: PMKSA-CACHE-ADDED 94:b4:0f:99:e4:f0 0
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: WPA: Key negotiation completed with 94:b4:0f:99:e4:f0 [PTK=CCMP GTK=CCMP]
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-CONNECTED - Connection to 94:b4:0f:99:e4:f0 completed [id=0 id_str=]
Tue Jul 8 09:49:42 2025 kern.info kernel: [ 216.759156] IPv6: ADDRCONF(NETDEV_CHANGE): phy0-sta0: link becomes ready
Tue Jul 8 09:49:43 2025 daemon.info avahi-daemon[2871]: Joining mDNS multicast group on interface phy0-sta0.IPv6 with address fe80::f06a:ddff:fe4d:9b4b.
Tue Jul 8 09:49:43 2025 daemon.info avahi-daemon[2871]: New relevant interface phy0-sta0.IPv6 for mDNS.
Tue Jul 8 09:49:43 2025 daemon.info avahi-daemon[2871]: Registering new address record for fe80::f06a:ddff:fe4d:9b4b on phy0-sta0.*.
Tue Jul 8 09:49:45 2025 daemon.notice netifd: Interface 'wwan' is now up
Tue Jul 8 09:49:45 2025 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
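
The configuration above sets no ca_cert option, so the server certificate chain is not validated against a CA and the CTRL-EVENT-EAP-PEER-CERT lines are the only record of which RADIUS server received the credentials. The following is an added example, not part of the original post: a POSIX shell check that compares the logged depth=0 hash with a pinned value. The function names are hypothetical, and the sample lines are abridged from the log above with the subjects shortened.

```shell
#!/bin/sh
# Added example: audit wpa_supplicant EAP log lines read from stdin.
# Function names are hypothetical; the pin is the depth=0 hash from the log above.

PINNED_LEAF=9a346e75e5ec859c6072e55a474a92cf5a88d9d18a88c05ba8da6caf762831b4

# Constructed sample input: three lines abridged from the log on this page.
sample_log() {
    cat <<'EOF'
Tue Jul 8 09:49:41 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=Example Certificate Authority' hash=1398d42eabfb9de5337f82af5374ef11cac931bdf7213609836eab674258e4bf
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=Example Server Certificate' hash=9a346e75e5ec859c6072e55a474a92cf5a88d9d18a88c05ba8da6caf762831b4
Tue Jul 8 09:49:42 2025 daemon.notice wpa_supplicant[1699]: phy0-sta0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EOF
}

# Print "depth hash" once for every distinct peer certificate in the log.
peer_certs() {
    sed -n 's/.*CTRL-EVENT-EAP-PEER-CERT depth=\([0-9]*\) .* hash=\([0-9a-f]*\).*/\1 \2/p' | sort -u
}

# check_eap_log EXPECTED_LEAF_HASH < log
# returns 0: every depth=0 (server) certificate matches the pin and EAP succeeded
#         1: a depth=0 certificate with a different hash was presented
#         2: no server certificate, or no EAP success, found in the log
check_eap_log() {
    expected=$1
    log=$(cat)
    leaf=$(printf '%s\n' "$log" | peer_certs | awk '$1 == 0 { print $2 }')
    [ -n "$leaf" ] || return 2
    for h in $leaf; do
        [ "$h" = "$expected" ] || return 1
    done
    printf '%s\n' "$log" | grep -q 'CTRL-EVENT-EAP-SUCCESS' || return 2
    return 0
}

# On the router, feed it the live log instead: logread | check_eap_log "$PINNED_LEAF"
sample_log | check_eap_log "$PINNED_LEAF" && echo "server certificate matches pin"
```

A return value of 1 means the station completed the TLS handshake with a server presenting a different certificate, which is worth investigating before the stored password is used on that network again.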