Using a Raspberry Pi as a Wi-Fi AP: WPA[2]-PSK works, but EAP-TLS gives "IE in 3/4 msg does not match with IE in Beacon/ProbeResp"

For some testing I am trying to set up a WPA2-Enterprise network using EAP-TLS and connect to it from an Android phone. I am using a Raspberry Pi 4B running Raspbian, which has a built-in wireless adapter, to host the network. I use hostapd to set up the wireless network and use its integrated EAP server (rather than a separate RADIUS server). Here is my hostapd.conf:

country_code=GB
interface=wlan0
ssid=Pi
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2 # WPA2 only
ieee8021x=1
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
wme_enabled=1
ieee80211w=0
ctrl_interface=/var/run/hostapd

eap_server=1 # Use integrated EAP server instead of external
eap_user_file=/etc/hostapd/hostapd.eap_user

ca_cert=/etc/hostapd/keys/ca-cert-selfsigned.pem
server_cert=/etc/hostapd/keys/server-cert-signed-by-ca.pem
private_key=/etc/hostapd/keys/server-unencrypted-private-key.pem


# Logging:
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0

Here is my hostapd.eap_user:

"alice" TLS

My certificate setup is as follows: I generated three key pairs, one each for the CA, the server and a single client. All of them are signed by the CA (so the CA certificate is self-signed). The CA certificate is installed on the Raspberry Pi as a trusted root certificate. When setting up the wifi network on the Android device, I give it the CA certificate along with the client's private key and certificate.

When I try to connect to it from the Android device, it fails. Here is the wpa_supplicant log I see on Android:

wlan0: Trying to associate with SSID 'Pi'
wlan0: CTRL-EVENT-REGDOM-CHANGE init=USER type=COUNTRY alpha2=00
wlan0: Associated with <REDACTED MAC ADDRESS>
wlan0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
TLS - SSL error: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/CN=PiNetworkRoot' hash=1406e3c8badbc11b69936fee60ef3ee138cd08ce5c4fcfc0a0a23e4aba89bb50
wlan0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/CN=PiNetworkServer' hash=d62843124235b66100f4c23de52eb4eed76224b094c7917c1be3b5082b6e7a74
wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan0: PMKSA-CACHE-ADDED <REDACTED MAC ADDRESS> 0
wlan0: WPA: IE in 3/4 msg does not match with IE in Beacon/ProbeResp (src=<REDACTED MAC ADDRESS>)
WPA: RSN IE in Beacon/ProbeResp - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 0d 00
WPA: RSN IE in 3/4 msg - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 0c 00
wlan0: CTRL-EVENT-DISCONNECTED bssid=<REDACTED MAC ADDRESS> reason=17 locally_generated=1

So it looks like the EAP authentication completed successfully, but something else is wrong. Here is the relevant hostapd log:

wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.11: associated
wlan0: STA <MAC ADDRESS REDACTED> WPA: event 1 notification
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: start authentication
wlan0: STA <MAC ADDRESS REDACTED> WPA: start authentication
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: unauthorizing port
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 81)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: received EAP packet (code=2 id=81 len=10) from STA: EAP Response-Identity (1)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 82)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: received EAP packet (code=2 id=82 len=145) from STA: EAP Response-TLS (13)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 83)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: received EAP packet (code=2 id=83 len=6) from STA: EAP Response-TLS (13)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 84)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: received EAP packet (code=2 id=84 len=1408) from STA: EAP Response-TLS (13)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 85)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: received EAP packet (code=2 id=85 len=473) from STA: EAP Response-TLS (13)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 86)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: received EAP packet (code=2 id=86 len=6) from STA: EAP Response-TLS (13)
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.1X: Sending EAP Packet (identifier 86)
wlan0: STA <MAC ADDRESS REDACTED> WPA: sending 1/4 msg of 4-Way Handshake
wlan0: STA <MAC ADDRESS REDACTED> WPA: received EAPOL-Key frame (2/4 Pairwise)
wlan0: STA <MAC ADDRESS REDACTED> WPA: sending 3/4 msg of 4-Way Handshake
wlan0: STA <MAC ADDRESS REDACTED> IEEE 802.11: disassociated
wlan0: STA <MAC ADDRESS REDACTED> WPA: event 2 notification

I tried Googling "IE in 3/4 msg does not match with IE in Beacon/ProbeResp" and found a few results, some of them outdated. Some mentioned wme_enabled=0, so I tried that, but the problem persists. PMF was discussed on a related but different issue, from which I got ieee80211w=1. I tried that too (all 4 combinations with/without ieee80211w=1 and wme_enabled=0). But it is the same error in all cases. Any ideas on how to solve this?

Changing wpa=2 to wpa=1 makes the connection succeed, which is enough for my testing purposes, but depending on requirements it may not be usable in practice.

This bug may be related.


If I use PSK instead of EAP-TLS, the wifi network works, with the following hostapd.conf:

country_code=GB
interface=wlan0
ssid=Pi_PSK
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=Foobar
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

I can successfully connect to that network from the same Android device.

Answer 1

I ran into the same problem on a Pi4/Model B with Pi OS. The RSN IEs differ only in bit 0 (the Pre-Auth capability). So I added the following:

rsn_preauth=1
rsn_preauth_interface=eth0

This works fine. I will try a USB WiFi adapter to investigate the driver bug.
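To make the comparison in the answer concrete, here is an added example (not part of the original question or answer) that decodes the two RSN IE hexdumps from the wpa_supplicant log above and reports which RSN Capabilities bits differ. Field layout and suite selector names follow IEEE 802.11; the two hex strings are copied from the posted log.

```python
"""Decode wpa_supplicant RSN IE hexdumps and diff their RSN Capabilities."""
import struct

# 00-0f-ac suite selectors (IEEE 802.11); cipher and AKM tables are separate
# because the same type number means different things in each context.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104", 8: "GCMP-128"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
# Low-order RSN Capabilities bits relevant here (bits 2-3 are the PTKSA counter)
CAP_BITS = {0: "preauth", 1: "no_pairwise", 6: "mfp_required", 7: "mfp_capable"}
PTKSA_COUNTERS = {0: 1, 1: 2, 2: 4, 3: 16}


def suite_name(raw: bytes, table: dict) -> str:
    """Map a 4-byte OUI+type selector to a name, or hex if unknown/vendor."""
    if raw[:3] == b"\x00\x0f\xac" and raw[3] in table:
        return table[raw[3]]
    return raw.hex()


def parse_rsn_ie(hexdump: str) -> dict:
    """Parse an RSN IE (element ID 0x30) from wpa_supplicant's hexdump text."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if data[0] != 0x30 or data[1] != len(data) - 2:
        raise ValueError("not a well-formed RSN IE")
    body = data[2:]
    version, = struct.unpack_from("<H", body, 0)
    group = suite_name(body[2:6], CIPHERS)
    n_pair, = struct.unpack_from("<H", body, 6)
    off = 8
    pairwise = [suite_name(body[off + 4 * i:off + 4 * i + 4], CIPHERS) for i in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akm = [suite_name(body[off + 4 * i:off + 4 * i + 4], AKMS) for i in range(n_akm)]
    off += 4 * n_akm
    caps, = struct.unpack_from("<H", body, off)  # little-endian 16-bit field
    flags = {name for bit, name in CAP_BITS.items() if caps & (1 << bit)}
    flags.add(f"ptksa_replay_counters={PTKSA_COUNTERS[(caps >> 2) & 3]}")
    return {"version": version, "group": group, "pairwise": pairwise,
            "akm": akm, "caps": caps, "flags": flags}


def capability_diff(beacon_hex: str, msg3_hex: str) -> set:
    """Names of RSN Capabilities bits that differ between the two IEs."""
    xor = parse_rsn_ie(beacon_hex)["caps"] ^ parse_rsn_ie(msg3_hex)["caps"]
    return {name for bit, name in CAP_BITS.items() if xor & (1 << bit)}


# The two hexdumps exactly as printed in the question's wpa_supplicant log
BEACON_IE = "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 0d 00"
MSG3_IE = "30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 0c 00"

if __name__ == "__main__":
    for label, ie in (("Beacon/ProbeResp", BEACON_IE), ("3/4 msg", MSG3_IE)):
        print(label, parse_rsn_ie(ie))
    print("differing capability bits:", capability_diff(BEACON_IE, MSG3_IE))
```

Run against the posted hexdumps, the only differing bit is "preauth": the beacon advertises pre-authentication while the EAPOL 3/4 message does not, which is exactly the mismatch that setting rsn_preauth=1 removes.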
