Hostapd: Client re-authenticates regularly without appearing to have been deauthenticated
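I run Hostapd v1.0 on a Raspbian Raspberry Pi, using an AWUS036NH adapter as the AP (chipset Ralink RT3070). It works fine and fast, except for one issue:
My Android phone using VOIP (Media5-fone app, but not making any calls) reconnects every Nx10 minutes, but does not appear to have been deauthenticated by the server. The log looks like this: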
> Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000001
Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
> Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000002
Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
> Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000003
Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
Sep 17 08:15:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 08:25:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 08:35:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 08:45:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
> Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000004
Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
Sep 17 09:05:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 09:15:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 09:25:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 09:35:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
> Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000005
Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
Sep 17 09:55:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 10:05:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 10:15:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 10:25:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
> Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000006
Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
> Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000007
Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
Sep 17 10:55:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 11:05:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 11:15:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 11:25:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 11:35:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 11:45:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 11:55:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 12:05:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 12:15:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 12:25:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 12:35:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
> Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1)
Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000008
Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN)
Sep 17 12:55:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
My hostapd.conf:
interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=TheWifiNetworkName
country_code=US
hw_mode=g
channel=3
beacon_int=100
dtim_period=2
max_num_sta=10
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
ap_max_inactivity=1800
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
wpa=2
wpa_passphrase=ThePassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ap_table_max_size=100
ap_table_expiration_time=1800
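Because it always happens at multiples of 10 minutes, I started looking at any config variables that are a multiple of 600 seconds, which leads us to: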
ap_max_inactivity=1800
ap_table_expiration_time=1800
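But that doesn't explain why 10 minutes... Is it a client thing (Android)? All I know is that this doesn't happen when the Android VOIP is connected to another WiFi network.
I'd like to add a bonus question: do you see anything not-so-smart in my config? (This is my first time setting up hostapd.)
Thanks!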
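You should set the wpa_group_rekey parameter in the /etc/hostapd/hostapd.conf file.
It defaults to 86400 seconds (once per day) when using CCMP/GCMP as the group cipher and to 600 seconds (once per 10 minutes) when using TKIP as the group cipher.
The group key (Group Transient Key) is a key shared among all supplicants connected to the same AP, and is used to secure multicast/broadcast traffic. It is not used for normal unicast traffic. A Pairwise Transient Key secures unicast traffic.
Group Key Renewal controls how often the Group Transient Key is changed. Group Key Renewal does not control the update period for the Pairwise Transient Key. The Pairwise Transient Key is changed each time the supplicant authenticates or re-authenticates.
WPA uses a pre-shared key to authenticate devices to the protected network. WPA automatically changes the keys after a period of time. The group key renewal interval is the period of time between automatic changes of the group key, which all devices on the network share.
Read this about a known vulnerability related to the GTK, but as mentioned in the article, hostapd is not vulnerable.
Given this, you can decide which value to set for the wpa_group_rekey parameter. Keep in mind the security requirements of your network environment.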
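To check whether the reconnects in a hostapd log sit on the same 600-second grid as the group key handshakes, which is what points at the group rekey interval, the events can be classified per station. This is an added example, not part of the original question or answer; the function names, the 10-second tolerance, the `year` parameter and the sample log are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the log format shown in the question (not the poster's data).
SAMPLE_LOG = """\
> Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
Sep 17 08:15:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
Sep 17 08:25:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN)
> Sep 17 08:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
> Sep 17 08:52:40 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated
"""

EVENT = re.compile(
    r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ hostapd: \S+ STA (\S+) "
    r"(?:IEEE 802\.11|WPA): (authenticated|group key handshake completed)")

def classify(log_text, interval=600, tolerance=10, year=2000):
    """Per STA, list (timestamp, kind, gap_s, on_tick) for reauth and rekey events."""
    # on_tick: gap since the STA's previous event is within `tolerance` seconds
    # of a non-zero multiple of `interval` (the group rekey period being tested).
    # `year` is an assumption: syslog timestamps omit it.
    last, out = {}, {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue  # associated / accounting / pairwise lines are ignored
        ts, sta, what = m.groups()
        t = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        kind = "reauth" if what == "authenticated" else "rekey"
        gap = int((t - last[sta]).total_seconds()) if sta in last else None
        off = None if gap is None else min(gap % interval, -gap % interval)
        on_tick = gap is not None and gap > tolerance and off <= tolerance
        out.setdefault(sta, []).append((ts, kind, gap, on_tick))
        last[sta] = t
    return out

def summarize(events):
    """Count rekeys and reauths on/off the rekey grid (a STA's first event has no gap)."""
    summary = {}
    for sta, rows in events.items():
        s = summary.setdefault(sta, {"rekey": 0, "reauth_on_tick": 0, "reauth_off_tick": 0})
        for _, kind, gap, on_tick in rows:
            if kind == "rekey":
                s["rekey"] += 1
            elif gap is not None:
                s["reauth_on_tick" if on_tick else "reauth_off_tick"] += 1
    return summary

if __name__ == "__main__":
    print(summarize(classify(SAMPLE_LOG)))
```

A station whose reauths are nearly all counted under `reauth_on_tick` is reconnecting at the moments a group key handshake would otherwise have been logged; reauths under `reauth_off_tick` need a different explanation, such as roaming or signal loss.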