OpenWrt wired 802.1X authentication
Category: Network  Tags: Openwrt
WHAT
The network ports in the workshop do not hand out DHCP leases by default; they require wired 802.1X authentication first.
OpenWrt does not support wired 802.1X authentication out of the box, so it has to be hacked in by hand.
HOW
Create /etc/config/wpa_supplicant.802.1x.conf
Configuration file:
# control socket used by wpa_cli; keep it root-only
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
# wired driver: no access-point scanning
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    # PEAP inner method (the documented PEAP form is auth=MSCHAPV2; autheap= is the EAP-TTLS spelling)
    phase2="autheap=MSCHAPV2"
    # the password is stored in clear text: chmod 600 this file
    identity="...username..."
    password="...password..."
    # no ca_cert is set, so the server certificate seen in the log below is not verified; add ca_cert= to pin it
    priority=2
}
Note: change the interface name used in the scripts below to match your own wired WAN port:
# uci show network.wan.ifname
network.wan.ifname='eth0.2'
Run it by hand first to confirm that 802.1X authentication works:
# wpa_supplicant -D wired -i eth0.2 -c /etc/config/wpa_supplicant.802.1x.conf -dd -t
1617066480.560461: Successfully initialized wpa_supplicant
1617066480.702295: eth0.2: Associated with 06:80:e2:00:00:03
1617066480.702474: eth0.2: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
1617066509.104670: eth0.2: CTRL-EVENT-EAP-STARTED EAP authentication started
1617066509.114050: eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 -> NAK
1617066509.118585: eth0.2: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
1617066509.118804: eth0.2: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
1617066509.147293: eth0.2: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='C=CN, ST=..., L=.., O=..., OU=..., '
1617066509.219356: EAP-MSCHAPV2: Authentication succeeded
1617066510.271884: eth0.2: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
1617066510.272061: eth0.2: CTRL-EVENT-CONNECTED - Connection to 06:80:e2:00:00:03 completed [id=0 id_str=]
Create the boot-time init script /etc/init.d/wpa-autostart:
#!/bin/sh /etc/rc.common
START=99
start() {
    echo start
    # stop any supplicant already running with this config, then start a fresh one
    pgrep -f wpa_supplicant.802.1x.conf | xargs kill 2>/dev/null
    wpa_supplicant -D wired -i eth0.2 -c /etc/config/wpa_supplicant.802.1x.conf -dd -t &
}
Make the script executable and enable it:
# chmod +x /etc/init.d/wpa-autostart
# /etc/init.d/wpa-autostart enable
# ls -lh /etc/init.d/wpa-autostart
-rwxr-xr-x 1 root root 199 Mar 30 10:04 /etc/init.d/wpa-autostart
crontab
The connection turned out to be unstable and dropped every so often, so I wrote a script, /etc/config/check.802.1x.sh, that crontab runs to check it automatically:
#!/bin/sh
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
# uci show network.wan.ifname
wan=eth0.2
time=$(date +'%F %T')
# only an IPv4 address counts: an IPv6 link-local address is present even without a lease
ip=$(ip -o a s "$wan" | awk '$3 == "inet" {print $4}')
if [ -n "$ip" ]
then
    echo "__INFO: $(basename "$0") $time OK $wan IP: $ip"
else
    echo "__INFO: $(basename "$0") $time ERROR $wan IP missing"
    # stop any supplicant still running with this config before restarting it
    if pgrep -af wpa_supplicant.802.1x.conf
    then
        pgrep -f wpa_supplicant.802.1x.conf | xargs kill
    fi
    echo "$time $(basename "$0")" >> /tmp/802.1x-restart.log
    wpa_supplicant -D wired -i "$wan" -c /etc/config/wpa_supplicant.802.1x.conf -dd -t &
fi
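As an added example that is not part of the original post, the same watchdog can ask wpa_supplicant itself whether the port is authorized instead of only looking for an IP address, using the ctrl_interface path from the config above and wpa_cli (assumed installed). The interface name, the constructed status samples and the `run` argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes wpa_cli is installed and
# the ctrl_interface path from the config above; WAN interface as before.
export PATH=/usr/sbin:/usr/bin:/sbin:/bin
WAN="${WAN:-eth0.2}"
CTRL_DIR=/var/run/wpa_supplicant
CONF=/etc/config/wpa_supplicant.802.1x.conf

# port_authorized STATUS_TEXT: return 0 only when the supplicant reports a
# completed association, an authorized PAE port and a successful EAP state.
port_authorized() {
    printf '%s\n' "$1" | awk -F= '
        $1 == "wpa_state"      { state = $2 }
        $1 == "suppPortStatus" { port  = $2 }
        $1 == "EAP state"      { eap   = $2 }
        END { exit !(state == "COMPLETED" && port == "Authorized" && eap == "SUCCESS") }'
}

# Constructed sample of `wpa_cli status` output for a healthy wired session.
GOOD_STATUS='bssid=06:80:e2:00:00:03
key_mgmt=IEEE8021X
wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=25 (EAP-PEAP)'

# Constructed sample after the authenticator dropped the session.
BAD_STATUS='wpa_state=DISCONNECTED
Supplicant PAE state=HELD
suppPortStatus=Unauthorized
EAP state=FAILURE'

# Query the live supplicant and restart it only when the port is not authorized.
check_and_restart() {
    status=$(wpa_cli -p "$CTRL_DIR" -i "$WAN" status 2>/dev/null)
    if [ -n "$status" ] && port_authorized "$status"; then
        logger -t check8021x "$WAN port authorized"
        return 0
    fi
    logger -t check8021x "$WAN port not authorized, restarting wpa_supplicant"
    for p in $(pgrep -f "$CONF"); do kill "$p"; done   # no xargs: nothing to kill is fine
    wpa_supplicant -D wired -i "$WAN" -c "$CONF" -B -t   # -B: daemonize instead of &
}

# run the live check only when invoked as: check.802.1x.sh run
if [ "${1:-}" = run ]; then check_and_restart; fi
```

An unauthorized port with an IP address left over from an earlier lease is caught by this check, which the IP-only test above misses.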
Add a crontab entry that runs the check once a minute:
# crontab -l
* * * * * /bin/sh -x /etc/config/check.802.1x.sh > /tmp/check.802.1x.log 2>&1
Enable and start the cron service, then watch the execution log:
# /etc/init.d/cron enable
# /etc/init.d/cron start
# pgrep -af cron
400 /usr/sbin/crond -f -c /etc/crontabs -l 5
# logread -e cron
Tue Mar 30 10:11:08 2021 cron.info crond[400]: crond (busybox 1.30.1) started, log level 5
Tue Mar 30 10:12:00 2021 cron.info crond[400]: USER root pid 7003 cmd /bin/sh -x /etc/config/check.802.1x.sh &> /tmp/check.802.1x.log
Tue Mar 30 10:13:00 2021 cron.info crond[400]: USER root pid 10108 cmd /bin/sh -x /etc/config/check.802.1x.sh &> /tmp/check.802.1x.log
Tue Mar 30 10:14:00 2021 cron.info crond[400]: USER root pid 13235 cmd /bin/sh -x /etc/config/check.802.1x.sh &> /tmp/check.802.1x.log
reference
How to configure OpenWRT router as 802.1X wired access client 2017-12-04
OpenWrt-router as 802.1x-client 2020-12-08
Connect router (Archer C50) to a 802.1X EAP network 2019-04-04