Wpa supplicant

 

From Zenwalk Wiki



This article is part of the Zenwalk HOWTO.

How to get a wireless network running with WPA-Encryption

German: Die WLAN-Schnittstelle mit WPA-Verschlüsselung einrichten


This how-to describes the procedure for establishing a wireless connection to a WPA-PSK enabled access point using wpa_supplicant.


First of all, the wireless card has to be up and running. Basically, all you have to do is tell Zenwalk to load the correct module. There are two scenarios:

1) Your card is supported out of the box by the Zenwalk kernel (some Prism and Intel cards). Simply edit /etc/rc.d/rc.modules and uncomment the corresponding line (/sbin/modprobe [module]). Most probably udev will already have loaded the module at startup, so you shouldn't need it.

2) You had to compile the driver against the kernel. This means there's no corresponding line in /etc/rc.d/rc.modules. You can either add it there yourself or, if you prefer it cleaner, add the modprobe command to /etc/rc.d/rc.local. That way, you won't lose the command when upgrading your kernel (since that replaces rc.modules without prompting). Again, the module should have been loaded automatically by udev, so you shouldn't need this either :-).

If the module is loaded properly your card's light(s) should blink when plugged.

Now we have to bring the wireless interface up. Since wireless on Linux is quite do-it-yourself for now, there is no single interface name you can call - i.e. your interface can be named wlan0 (ndiswrapper), ra0 (Ralink cards), ath0 (Atheros cards), and so on... It can even be plain eth0.

To find out what your wireless interface is, run
# iwconfig
This will show you all network interfaces (whether active or not). iwconfig will explicitly tell you which ones have wireless network capabilities and which do not (i.e. wired ethernet interfaces). Select your interface and bring it up using
# ifconfig [interface] up 

After that re-run

# ifconfig 

to see whether it is up or not.

If you want to check what networks your card finds and to which ones you can connect, run

# iwlist [interface] scan 

It should give you detailed info about the networks your wireless card detected (their strength, encryption, and so on). Please note that running this scan as a regular user will also return results; they can be deceiving, however, since it seems only the results from the last scan done as root are returned! This is documented behaviour.


Now to the complex bit: wpa_supplicant. It comes installed with Zenwalk, in a state where you have to use the generic 'wext' driver for most cards. The drivers which come installed are: wext (generic), hostap (Prism 2/2.5/3), atmel (ATMEL AT76C5XXx) and wired. Most of the time you will use 'wext' though.

Despite its name, wpa_supplicant can also manage WEP connections (although, if your hardware supports WPA, we warmly recommend switching to WPA; WEP can be cracked in as few as 15 minutes). As we speak (November 2008), scientists seem to have had success hacking WPA setups (not WPA2 ones) in lab conditions (i.e. for a normal person it would take far too long to crack a network to be useful), so if you can migrate your WLAN to WPA2, please do so.

Also, use a random key. It doesn't matter if you can't memorise it; what matters is that it's hard to crack (the longer the key, the lower the chance of compromising your setup; the more random it is/looks, the better, because it diminishes those chances equally). WPA2 is internally different from WPA, so there's no need to be worried too much yet (although any good sysadmin will recommend encryption over a WLAN even if it is already secured; don't take anything for granted).

Now, you will need a wpa_supplicant.conf to run wpa_supplicant. You have to write it yourself to suit your WLAN.

Ok, we'll start off by using wpa_passphrase to turn our password into a PSK (a pre-shared key). This will convert your key (preferably a complex one, i.e. not just letters and digits, but also other symbols) to an equivalent hexadecimal (hex) wpa_supplicant key. Don't worry, this doesn't weaken your security :-).


# wpa_passphrase [ssid] [password]

This just prints it out. Instead of copying it, just send it straight to a new wpa_supplicant.conf:

# wpa_passphrase [ssid] [password] > /etc/wpa_supplicant.conf

You should have something like this if you cat your wpa_supplicant.conf:

# cat /etc/wpa_supplicant.conf
network={
    ssid="[ssid]"
    #psk="[passwd]"
    psk=[encrypted password]
}
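
What wpa_passphrase computes, as an added example rather than code from this article or the wpa_supplicant project: the hex key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), a one-way derivation rather than encryption. The function names are made up for illustration; the sketch leaves out the plaintext '#psk' comment shown above, creates the file with mode 0600, and uses the "IEEE"/"password" test vector from the IEEE 802.11i standard.

```python
import hashlib
import os
import tempfile


def derive_psk(ssid, passphrase):
    """Return the 64-hex-digit PSK for a passphrase and SSID."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    # PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit result.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def network_block(ssid, passphrase):
    """Build a network block that carries only the derived key."""
    if not ssid.isprintable():
        raise ValueError("this sketch only handles printable SSIDs")
    # No '#psk="..."' comment: the plaintext passphrase never reaches the file.
    return f'network={{\n\tssid="{ssid}"\n\tpsk={derive_psk(ssid, passphrase)}\n}}\n'


def write_private(path, text):
    """Write text to path with owner-only permissions (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as handle:
        handle.write(text)


if __name__ == "__main__":
    # Constructed values; written to a scratch directory, not to /etc.
    target = os.path.join(tempfile.mkdtemp(), "wpa_supplicant.conf")
    write_private(target, network_block("IEEE", "password"))
    with open(target) as handle:
        print(handle.read(), oct(os.stat(target).st_mode & 0o777))
```

Because the SSID is the salt, the same passphrase yields a different key on a differently named network, and the derived key stops working if the SSID is changed.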

I only had to add two lines to get it working with my router:

key_mgmt=WPA-PSK
proto=WPA

This means any WPA-PSK enabled connection will be allowed (whether it be TKIP, AES, ...). If you want to restrict the type of encryption, add

pairwise=[encryption type]
group=[encryption type]

lines to your configuration. This applies only to WPA to my knowledge (WEP not supporting multiple encryption protocols as opposed to WPA).

These lines need to be between the curly brackets. If you want, you can specify multiple networks here. Wpa_supplicant will connect to the first one it can find (people who use their laptop at work, home, hotspots, ... will need this). Each network you add to your config file needs its own network={} section. Furthermore, you can also specify multiple encryption types for one single network:

network={
ssid="MyNetwork"
key_mgmt=WPA-PSK
proto=WPA
pairwise=CCMP TKIP
group=CCMP TKIP
#psk="blabla"
psk=encryptedblabla
}
This config will only allow WPA-PSK AES ('CCMP') and TKIP connections. For those who are curious: AES is even better than TKIP, and is part of the WPA2 spec. If you want WPA2, you need to specify
proto=WPA2
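
A small checker for the settings discussed above, as an added example (not from the original article or the wpa_supplicant project): it parses the network={} blocks and reports a plaintext passphrase left in the file, proto values that still admit WPA, and TKIP or WEP in pairwise or group. The sample config, function names and finding strings are constructed for illustration.

```python
WEAK = {"TKIP", "WEP104", "WEP40"}

# Constructed sample: the article's CCMP/TKIP block and a WPA2-only block.
SAMPLE_CONF = """
network={
    ssid="MyNetwork"
    proto=WPA
    pairwise=CCMP TKIP
    group=CCMP TKIP
    #psk="blabla"
    psk=encryptedblabla
}
network={
    ssid="Office"
    proto=WPA2
    pairwise=CCMP
    group=CCMP
    psk=derivedhexkey
}
"""

def parse_networks(text):
    """Split the config into one dict of key -> value per network={} block."""
    nets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("network={"):
            cur = {}
        elif cur is not None and line == "}":
            nets.append(cur)
            cur = None
        elif cur is not None and line.replace(" ", "").startswith("#psk="):
            cur["#psk"] = line  # plaintext comment left by wpa_passphrase
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return nets

def audit(net):
    """Return findings for one block; keys that are not set are not judged."""
    found = []
    if "#psk" in net or net.get("psk", "").startswith('"'):
        found.append("plaintext passphrase stored in file")
    if set(net.get("proto", "").split()) - {"WPA2", "RSN"}:
        found.append("proto allows WPA, not only WPA2")
    for key in ("pairwise", "group"):
        weak = WEAK & set(net.get(key, "").split())
        found += [f"{key} allows {cipher}" for cipher in sorted(weak)]
    return found
```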

Save your changes and here we go! Well, almost. You have to start wpa_supplicant with the right arguments.

Mine looks like this:

wpa_supplicant -i wlan0 -D wext -c /etc/wpa_supplicant.conf -B

-i means which interface wpa_supplicant has to use; -D indicates the driver (wext most of the time); -c should be followed by the absolute path to the config file; -B makes wpa_supplicant run as a daemon.

This line should be put in /etc/rc.d/rc.local.

Example config files can be found in usr/share/doc/wpasupplicant/examples. Don't be daft – check them, it will help you a lot :-).

After this you can configure your IP addresses etc. as usual through DHCP (dhcpcd) or ifconfig.

Enjoy.

Thanks to Borromini for all his help.

Enable WPA at boot

In order for 'rc.inet1' to recognise WPA support, the 'rc.inet1' system script must be made aware that a wireless interface exists, and the 'rc.wireless' script must be informed that WPA is being used (and how to get the configuration data). A few modifications must be made to 2 configuration files, similar to having WEP support at boot time. The files involved are:

  • /etc/rc.d/rc.inet1.conf
  • /etc/wpa_supplicant.conf

The principle is to allow 'rc.inet1' and 'rc.wireless' to recognize '/etc/wpa_supplicant.conf' and to initialize the interface at boot.

Oftentimes, people will choose to not broadcast their essid in an attempt to increase security. This makes a network difficult to find if you do not know the essid by name. In order to force the interface to look for a network that can't be scanned, add the following to the 'network' section of 'wpa_supplicant.conf':

scan_ssid=1

In the 'rc.inet1.conf' file, uncomment the following and add:

IFNAME[4]="wlan0"           # or whatever your interface name is
IPADDR[4]=""
NETMASK[4]=""
USE_DHCP[4]="yes"
DHCP_HOSTNAME[4]=""
WLAN_WPACONF[4]="/etc/wpa_supplicant.conf"    # add this line
WLAN_ESSID[4]=mywifinetwork
WLAN_MODE[4]=Managed
WLAN_RATE[4]="54M auto"
WLAN_WPA[4]="wpa_supplicant"
WLAN_WPADRIVER[4]="wext"                      # or e.g. "madwifi" for Atheros

For reference, you can check the default Slackware settings for the /etc/rc.d/rc.inet1.conf file:

http://www.slackware.com/~alien/rc_scripts/rc.inet1.conf

Remember, your network may not require all parameters, so uncomment only what is needed.

This should allow you to obtain a DHCP lease at boot time without having to add anything to the '/etc/rc.d/rc.local' file.
