如何使用外部 RADIUS 服务器配置 hostapd 服务？

我正在尝试设置一个带有外部 RADIUS 服务器的 AP，每个服务使用两个 Linux 主机，hostapd并且freeradius相应地。这些主机和 Wi-Fi 客户端主机是运行 Ubuntu 22.04.4 LTS (jammy) 的 Raspberry Pi 4 设备。

所有主机都通过以太网连接到公共 LAN (10.1.0.0/24)：

• hostA - Wi-Fi AP（10.1.0.22 以太网、192.168.220.1 Wi-Fi）
• hostB - RADIUS 服务器（10.1.0.12 以太网）
• hostC - Wi-Fi 客户端（10.1.0.50 以太网、192.168.220.101 Wi-Fi）

我已经freeradius在 hostB 上配置了服务器，并且能够通过以太网 LAN 从 Wi-Fi 客户端测试它：

hostC:~$ radtest -x testUser1 testPassword1 10.1.0.12 0 testSecret1
Sent Access-Request Id 155 from 0.0.0.0:35529 to 10.1.0.12:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Received Access-Accept Id 155 from 10.1.0.12:1812 to 10.1.0.50:35529 length 20

然后我调出配置了以下内容的 Wi-Fi AP (hostA) hostapd.conf：

    logger_syslog=-1
    logger_syslog_level=0
    ctrl_interface=/var/run/hostapd/
    interface=wlp1s0
    driver=nl80211
    country_code=CA
    ieee80211n=1
    hw_mode=g
    channel=6
    beacon_int=100
    dtim_period=2
    disassoc_low_ack=0
    ssid=testAP
    ieee80211w=0
    auth_algs=1
    wpa=0
    ignore_broadcast_ssid=0
    
    eap_server=0
    
    own_ip_addr=10.1.0.22
    auth_server_addr=10.1.0.12 #hostB
    auth_server_port=1812
    auth_server_shared_secret=testSecret1

该hostapd服务是根据分支中可用的最新代码构建的，main只需对文件进行以下修改defconfig即可禁用集成 RADIUS 服务器：

# Integrated EAP server
CONFIG_EAP=n

我可以看到服务hostapd正确启动，并相应地报告了 RADIUS 服务器配置：

hostA:/usr/src/hostap/hostapd$ sudo ./hostapd /etc/hostapd/hostapd.conf -i wlp1s0
wlp1s0: interface state UNINITIALIZED->COUNTRY_UPDATE
wlp1s0: RADIUS Authentication server 10.1.0.12:1812
wlp1s0: interface state COUNTRY_UPDATE->ENABLED
wlp1s0: AP-ENABLED 

我可以成功将 Wi-Fi 客户端 (hostC) 连接到 Wi-Fi AP (hostA)。但是，当我现在尝试通过 Wi-Fi 网络 (192.168.220.0/24) 进行 RADIUS 测试，目标 Wi-Fi AP 来处理 RADIUS 请求时，出现错误：

hostC:~$ radtest -x testUser1 testPassword1 10.1.0.22 0 testSecret1
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
Sent Access-Request Id 235 from 0.0.0.0:59778 to 10.1.0.22:1812 length 79
    User-Name = "testUser1"
    User-Password = "testPassword1"
    NAS-IP-Address = 10.1.0.50
    NAS-Port = 0
    Message-Authenticator = 0x00
    Cleartext-Password = "testPassword1"
(0) No reply from server for ID 235 socket 3

我捕获了 Wi-Fi 接口上的流量hostA，并看到它响应 ICMP 数据包，内容如下Destination unreachable (Port unreachable)：

Frame 2: 155 bytes on wire (1240 bits), 155 bytes captured (1240 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr  2, 2024 18:18:11.473305000 PDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1712107091.473305000 seconds
    [Time delta from previous captured frame: 0.000101000 seconds]
    [Time delta from previous displayed frame: 0.000101000 seconds]
    [Time since reference or first frame: 0.000101000 seconds]
    Frame Number: 2
    Frame Length: 155 bytes (1240 bits)
    Capture Length: 155 bytes (1240 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:icmp:ip:udp:radius]
    [Coloring Rule Name: ICMP errors]
    [Coloring Rule String: icmp.type eq 3 || icmp.type eq 4 || icmp.type eq 5 || icmp.type eq 11 || icmpv6.type eq 1 || icmpv6.type eq 2 || icmpv6.type eq 3 || icmpv6.type eq 4]
Ethernet II, Src: IntelCor_05:02:62 (80:45:dd:05:02:62), Dst: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
    Destination: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        Address: IntelCor_de:58:55 (3c:9c:0f:de:58:55)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: IntelCor_05:02:62 (80:45:dd:05:02:62)
        Address: IntelCor_05:02:62 (80:45:dd:05:02:62)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.220.1, Dst: 192.168.220.101
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0xc0 (DSCP: CS6, ECN: Not-ECT)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (48)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 141
    Identification: 0xa48f (42127)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 64
    Protocol: ICMP (1)
    Header Checksum: 0x9b68 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.220.1
    Destination Address: 192.168.220.101
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x3724 [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 192.168.220.101, Dst: 192.168.220.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
            0000 00.. = Differentiated Services Codepoint: Default (0)
            .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
        Total Length: 113
        Identification: 0xc1e8 (49640)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        ...0 0000 0000 0000 = Fragment Offset: 0
        Time to Live: 64
        Protocol: UDP (17)
        Header Checksum: 0x7edb [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 192.168.220.101
        Destination Address: 192.168.220.1
    User Datagram Protocol, Src Port: 40929, Dst Port: 1812
        Source Port: 40929
        Destination Port: 1812
        Length: 93
        Checksum: 0xbfa6 [unverified]
        [Checksum Status: Unverified]
        [Stream index: 0]
        UDP payload (85 bytes)
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x95 (149)
    Length: 85
    Authenticator: 2cc8f534dfcac17c947a03ced3daf62f
    Attribute Value Pairs
        AVP: t=User-Name(1) l=11 val=testUser1
            Type: 1
            Length: 11
            User-Name: testUser1
        AVP: t=User-Password(2) l=18 val=Encrypted
            Type: 2
            Length: 18
            User-Password (encrypted): 986ed23c9a832e3a98a328697e8fab38
        AVP: t=NAS-IP-Address(4) l=6 val=192.168.220.101
            Type: 4
            Length: 6
            NAS-IP-Address: 192.168.220.101
        AVP: t=NAS-Port(5) l=6 val=0
            Type: 5
            Length: 6
            NAS-Port: 0
        AVP: t=Message-Authenticator(80) l=18 val=b4669b2314a4738a956f683b59b645c4
            Type: 80
            Length: 18
            Message-Authenticator: b4669b2314a4738a956f683b59b645c4
        AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
            Type: 7
            Length: 6
            Framed-Protocol: PPP (1)

我在这里想念什么？