2017-09-17 87 views
0

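I am running Hostapd v1.0 on Raspbian on a Raspberry Pi, using an AWUS036NH adapter (Ralink RT3070 chipset) as the AP. It works fine except for one problem: Hostapd: clients periodically re-authenticate without being shown as deauthenticated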

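My Android phone, running VOIP (the Media5-fone app, but not making any calls), reconnects every Nx10 minutes without being shown as deauthenticated by the server. Here is what the log looks like: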

> Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000001 
Sep 17 07:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
> Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000002 
Sep 17 07:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
> Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000003 
Sep 17 08:05:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
Sep 17 08:15:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 08:25:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 08:35:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 08:45:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
> Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000004 
Sep 17 08:55:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
Sep 17 09:05:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 09:15:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 09:25:01 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 09:35:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
> Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000005 
Sep 17 09:45:07 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
Sep 17 09:55:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 10:05:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 10:15:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 10:25:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
> Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000006 
Sep 17 10:35:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
> Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000007 
Sep 17 10:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
Sep 17 10:55:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 11:05:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 11:15:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 11:25:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 11:35:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 11:45:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 11:55:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 12:05:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 12:15:02 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 12:25:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
Sep 17 12:35:03 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 
> Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: authenticated 
Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx IEEE 802.11: associated (aid 1) 
Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx RADIUS: starting accounting session 59BE12E5-00000008 
Sep 17 12:45:06 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: pairwise key handshake completed (RSN) 
Sep 17 12:55:04 wifi1 hostapd: wlan0: STA a0:10:81:67:xx:xx WPA: group key handshake completed (RSN) 

My hostapd.conf:

interface=wlan0 
logger_syslog=-1 
logger_syslog_level=2 
logger_stdout=-1 
logger_stdout_level=2 
ctrl_interface=/var/run/hostapd 
ctrl_interface_group=0 
ssid=TheWifiNetworkName 
country_code=US 
hw_mode=g 
channel=3 
beacon_int=100 
dtim_period=2 
max_num_sta=10 
macaddr_acl=0 
auth_algs=1 
ignore_broadcast_ssid=0 
wmm_enabled=1 
wmm_ac_bk_cwmin=4 
wmm_ac_bk_cwmax=10 
wmm_ac_bk_aifs=7 
wmm_ac_bk_txop_limit=0 
wmm_ac_bk_acm=0 
wmm_ac_be_aifs=3 
wmm_ac_be_cwmin=4 
wmm_ac_be_cwmax=10 
wmm_ac_be_txop_limit=0 
wmm_ac_be_acm=0 
wmm_ac_vi_aifs=2 
wmm_ac_vi_cwmin=3 
wmm_ac_vi_cwmax=4 
wmm_ac_vi_txop_limit=94 
wmm_ac_vi_acm=0 
wmm_ac_vo_aifs=2 
wmm_ac_vo_cwmin=2 
wmm_ac_vo_cwmax=3 
wmm_ac_vo_txop_limit=47 
wmm_ac_vo_acm=0 
ap_max_inactivity=1800 
eapol_key_index_workaround=0 
eap_server=0 
own_ip_addr=127.0.0.1 
wpa=2 
wpa_passphrase=ThePassword 
wpa_key_mgmt=WPA-PSK 
wpa_pairwise=TKIP 
rsn_pairwise=CCMP 
ap_table_max_size=100 
ap_table_expiration_time=1800 

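Since it always happens at a multiple of 10 minutes, I started looking for any configuration variable that is a multiple of 600 seconds, which leads us to: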

ap_max_inactivity=1800 
ap_table_expiration_time=1800 

But that does not explain why 10 minutes... Is it a client-side thing (Android)? All I know is that this does not happen when the Android VOIP is connected to another WiFi network.

I would like to add an extra question: do you see anything not so smart in my configuration? (This is my first hostapd installation.)

Thanks!

+0

Did you try setting the 'wpa_group_rekey' parameter? –

+0

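@RomanMindlin: That seems to be it, thanks! I first tried 300 seconds, which made the phone reconnect every 5 minutes. Then I set it to 604800 (7 days), and after a few hours it still has not tried to reconnect. Could you post this as an answer and explain what it really means, how it works, why, whether raising the value is a security issue, and whether there are other useful configuration options? Also, do we really need to set a crazy high value, or is there another way so that it never has to reconnect? Thanks. – FlorianB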

Answer

1

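You should set the wpa_group_rekey parameter in your /etc/hostapd/hostapd.conf file.

It defaults to 86400 seconds (once per day) when CCMP/GCMP is used as the group cipher, and to 600 seconds (once per 10 minutes) when TKIP is used as the group cipher.

The group key (Group Transient Key) is a key shared among all supplicants connected to the same AP, and it is used to protect multicast/broadcast traffic. It is not used for normal unicast traffic. The Pairwise Transient Key secures unicast traffic.

Group rekeying controls how often the Group Transient Key changes. Group rekeying does not control the update period of the Pairwise Transient Key. The Pairwise Transient Key changes every time a supplicant authenticates or re-authenticates.

WPA uses a pre-shared key to authenticate devices to the protected network. WPA automatically changes the keys after a period of time. The group rekey interval is the period of time between automatic changes of the group key, which is shared by all devices on the network.

Read this about a known GTK-related vulnerability, but as mentioned in that article, hostapd is not vulnerable.

Given that, you can decide which value to set for the wpa_group_rekey parameter. Keep in mind the security requirements of your network environment.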

+0

Thank you very much, I set it to 31536000 (1 year), so it won't bother me anymore. – FlorianB
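
As an added example (not part of the original posts and not hostapd code), the Python script below walks a hostapd syslog and, per station, separates group rekeys that completed from re-authentications that landed on a rekey tick with no deauthentication logged, which is the pattern in the question's log. The sample lines, the MAC address and the `rekey`/`tol` parameters are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the hostapd syslog lines in the question.
P = "wifi1 hostapd: wlan0: STA a0:10:81:67:00:01"
SAMPLE_LOG = f"""\
> Sep 17 07:45:06 {P} IEEE 802.11: authenticated
Sep 17 07:45:06 {P} WPA: pairwise key handshake completed (RSN)
> Sep 17 07:55:06 {P} IEEE 802.11: authenticated
Sep 17 08:05:04 {P} WPA: group key handshake completed (RSN)
Sep 17 08:15:03 {P} WPA: group key handshake completed (RSN)
> Sep 17 08:25:06 {P} IEEE 802.11: authenticated
"""

LINE = re.compile(r"(\w{3} +\d+ [\d:]{8}) \S+ hostapd: \S+ STA ([0-9a-fx:]{17}) (.*)")
KINDS = (("IEEE 802.11: authenticated", "auth"), ("group key handshake completed", "gtk"),
         ("deauthenticated", "deauth"), ("disassociated", "deauth"))

def parse(log, year=2017):
    """Yield (time, sta, kind) for auth, group-rekey and deauth events."""
    for line in log.splitlines():
        m = LINE.match(line.lstrip("> "))
        kind = m and next((k for n, k in KINDS if n in m.group(3)), None)
        if kind:  # syslog omits the year, so one is supplied for strptime
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), kind

def classify(log, rekey=600, tol=10):
    """Per STA: completed group rekeys vs. re-auths that landed on a rekey tick."""
    stats = defaultdict(lambda: {"gtk_ok": 0, "silent_reauth": 0, "other_reauth": 0})
    last = {}  # sta -> (time, kind) of that station's previous event
    for ts, sta, kind in parse(log):
        prev = last.get(sta)
        if kind == "gtk":
            stats[sta]["gtk_ok"] += 1
        elif kind == "auth" and prev:
            gap = (ts - prev[0]).total_seconds()
            off = min(gap % rekey, rekey - gap % rekey)  # distance to nearest tick
            if prev[1] != "deauth" and gap >= rekey - tol and off <= tol:
                stats[sta]["silent_reauth"] += 1  # no deauth logged, on a rekey tick
            else:
                stats[sta]["other_reauth"] += 1
        last[sta] = (ts, kind)
    return dict(stats)
```

A high `silent_reauth` count at the configured interval points at the group rekey exchange with that client rather than at signal loss or an inactivity timeout; pass the configured `wpa_group_rekey` value as `rekey` when it is not 600.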