Here’s how I got an 11Mbit Centrino (ipw2100) to work with WPA2.
This should apply to 54Mbit cards too (e.g. for Atheros, use ‘madwifi’ for the driver and ‘ath0’ for the interface).
before you read on
If you’re on Feisty (Ubuntu 7.04) or better, network manager is now in the base and can handle WPA for you. It interferes with the config below, so choose 1 howto and stick to that.
Personally I don’t need roaming and I like setting up the passphrase laptop-wise (so my kids don’t need to know it), so I’ve come to prefer this way.
WPA and Centrino
I always thought WPA was 802.11g only and 11Mb peasants were stuck with WEP.
Turns out that’s not the case -
11Mbit access points are older, so usually only support WEP, but some 11Mb cards just need a firmware bump.
Other reasons for solidarity with my 802.11b brothers:
- found out pensioners in my street run WLANs (when d-i insisted my SSID was ‘NETGEAR’) – I need some sort of security pronto and WEP isn’t worth having
- the 54Mbit NIC I have is a big, grey, ugly PCCARD thing – my 11mb is builtin
- NTL lied. The ‘free’ 10Mbit upgrade costs an extra tenner a month, so I’m sticking with a 4Mb link. 802.11g wouldn’t make the Net any faster.
- there are no servers on the WLAN now – I don’t really need 802.11g bandwidth
I’m not even supposed to be here today
I don’t pretend to fully understand WPA, but this works nicely for me and is quick to do.
I was ‘getting round to’ IPSEC for 4 years (while Granny Jenkins at no. 25 leeched my bandwidth on Kazaa, probably). ‘Better’ security isn’t, if it’s too hard to set up.
Besides, I’m fed up of HOWTOs that run ‘WEP is a worthless piece of crap. You should use IPSEC or something. Anyway, here’s how to use WEP.’
I’m sure your eyes are glazing over by now, so let’s get on with it.
kit
I used:
- a Linksys WRT54G access point
  - cheap, runs ‘teh linuks’ and supports WPA2. Skill.
- Ubuntu (Breezy Badger or better)
  - me and Debian had words. No, I don’t want to talk about it
- Intel Pro Wireless 2100 wireless NIC (Centrino)
  - non-free driver, but ubuntu sees it out of the box
- some other way of talking to your AP
  - for when this howto ruins your wireless link
set up the AP
Enable SSID broadcast and WPA shared key auth. On the WRT54G that goes:
- under ‘wireless’ → ‘basic wireless settings’
  - enable ‘SSID broadcast’ (simplifies the client end. Not that big a deal)
- under ‘wireless’ → ‘wireless security’
  - security mode = WPA2 personal (shared key deal like WEP, only without the shit crypto. ‘enterprise’ needs a RADIUS server. I’m not going there)
  - WPA algorithms = ‘AES’ or ‘TKIP + AES’ (the letters ‘AES’ give me a fuzzy glow, so I skipped TKIP)
  - shared key = “a long passphrase, it’s not like you’ll type it often” (seriously, don’t skimp on this.)
Non-WPA authed clients (i.e. you) will be ‘unplugged’ when you click ‘save settings’.
the client end
Meet wpa_supplicant – a daemon that will speak WPA to the AP for us (it means ‘one who begs for mercy’ – I don’t know if that’s supposed to be a joke or not).
In Breezy, you’ll need to enable the ‘universe’ sources to get it.
The config file, /etc/wpa_supplicant.conf, holds WLAN definitions. wpa_supplicant will try each in turn until it finds a match. I don’t know about you, but I just have the one WLAN at the moment.
The best advice in this whole post is: skim through the examples (they should be in /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz, that path might vary). I wasted hours on google before resorting to reading that file, and it’s probably all you’ll need.
For the settings above, mine goes:
# see wpa_cli stuff below
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
# boilerplate, essentially. see the example for a walkthrough
eapol_version=1
ap_scan=1
fast_reauth=1
# 'network' is a group of APs sharing a SSID
network={
    ssid="YOURSSID"
    # 'RSN' == 'WPA2'
    proto=RSN WPA
    # that's 'pre-shared key'
    key_mgmt=WPA-PSK
    # lists ciphers to try. CCMP is AES
    # pairwise is for client -> AP, group is for broadcasts
    pairwise=CCMP TKIP
    group=CCMP TKIP
    # this can be made faster. See wpa_passphrase(1)
    psk="maybe your christmas list?"
}
now ‘simply’ run wpa_supplicant
First, reset the interface:
$ sudo ifconfig eth1 down
$ sudo killall dhclient
$ sudo ifconfig eth1 up 0.0.0.0
Then try running the supplicant in the foreground with max debugging (-dd):
$ sudo wpa_supplicant -Dipw -ieth1 -dd -c/etc/wpa_supplicant.conf
-Ddrivername (despite what the manpage says) is ESSENTIAL: without it, wpa_supplicant will pick one, and in my experience it’s crap at guessing.
If you see lots of ‘ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not supported’ errors, try a few drivers – see wpa_supplicant -h for a list.
Once I told it to use the IPW driver, I got one error:
ioctl[SIOCSIWPMKSA]: Operation not supported
SIOCGIWRANGE: too old (short) data - assuming WPA is not supported
(the card can’t do WPA itself, so the supplicant takes care of it for us)
Then:
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state IDLE
Now the WLAN is up (the equivalent of having ethernet plugged in).
Just run ‘dhclient eth1’ or configure IP by hand.
making it stick
edit /etc/default/wpasupplicant to say:
# /etc/default/wpasupplicant
# WARNING! Make sure you have a configuration file!
ENABLED=1
# -w Wait for interface to come up
OPTIONS="-w -Dipw -ieth1 -c /etc/wpa_supplicant.conf"
Even with the ‘-w’ flag, recent Breezys seem to start dhclient too soon. To fix this, edit the /etc/network/interfaces entry for your wireless NIC so it looks like:
iface eth1 inet dhcp
pre-up /etc/init.d/wpasupplicant start
pre-up sleep 5
post-down killall -q wpa_supplicant
this is the last song I will ever sing
Your security now rests in that shared secret, and it’s brute-forceable, so make sure it’s long, and that you change it regularly.
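What wpa_passphrase(1) actually does (see the psk= comment in the config above), and why the shared secret is the whole story: this added example, not code from the original post or from wpa_supplicant, derives the 256-bit PSK the way the standard does (PBKDF2-HMAC-SHA1 over passphrase and SSID, 4096 iterations) and renders a network block with the precomputed hex key. The function names, the CCMP-only block template and the use of the IEEE test vector in main are my own choices.

```python
# Added example: the PSK derivation behind wpa_passphrase(1).
# WPA/WPA2-Personal turns the passphrase and the SSID into a 256-bit PSK with
# PBKDF2-HMAC-SHA1, 4096 iterations (IEEE 802.11i Annex H). Those two strings
# are the only inputs, which is why the passphrase carries all the security.
import hashlib
import re

# Block template is this example's choice (CCMP only); the post's own uses CCMP TKIP.
_NETWORK_TEMPLATE = """network={{
    ssid="{ssid}"
    proto=RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP
    group=CCMP
    psk={psk}
}}"""


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 64-hex-digit PSK that wpa_passphrase would print."""
    # Same limits wpa_passphrase enforces: 8..63 printable ASCII characters
    # for the passphrase, 1..32 bytes for the SSID.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("ssid must be 1..32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return psk.hex()


def network_block(passphrase: str, ssid: str) -> str:
    """Render a wpa_supplicant.conf network block with the precomputed psk."""
    return _NETWORK_TEMPLATE.format(ssid=ssid, psk=wpa_psk(passphrase, ssid))


def is_psk_line_precomputed(line: str) -> bool:
    """True if a psk= line holds a raw 256-bit hex key rather than a quoted passphrase."""
    return re.fullmatch(r"\s*psk=[0-9a-fA-F]{64}\s*", line) is not None


if __name__ == "__main__":
    # Test vector from IEEE 802.11i Annex H.4.1: passphrase "password", SSID "IEEE".
    print(network_block("password", "IEEE"))
```

Changing the SSID changes the PSK, so a precomputed psk= line is tied to one network name; redo it if you rename the WLAN.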
One last tip for debugging – wpa_cli(1) is a shell to talk to a running supplicant. Handy for tweaking without constantly bouncing the daemon, and it can even update your config file for you.
rasputnik@lumpfish:~$ sudo wpa_cli
wpa_cli v0.4.5
...some license stuff here...
Selected interface 'eth1'
Interactive mode
> status
bssid=<mac of the ap you are talking to>
ssid=YOURSSIDHOPEFULLY
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=your.ip.addr.ess
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
> quit
Please let me know if I made any major mistakes (either comment or mail me, my username is ‘rasputnik’ and I have a GMail account).