number 9

UPDATE: I’ve gone off the idea. I don’t roam, I don’t want all the family to have to know the WPA passphrase to use their laptop account, and I like wmii , where applets don’t really make any sense. I prefer the system-wide way of doing WPA myself.

Here’s the Ubuntu Dapper (or better) ‘WPA Howto’:

$ sudo apt-get install network-manager wpasupplicant
$ # edit out the NICs in /etc/network/interfaces
$ # that you want to be managed by NM
$ sudo reboot
$ # after reboot, run up 'nm-applet'

NetworkManager is great. The daemon runs in the background, watching for HAL events, and uses the best connection it can.

Plug in ethernet, it uses ethernet. Yank it out, it scans for WLANs.

If it needs help (e.g. unlocking the WPA-PSK or WEP keys stored in your keyring) it asks the user via a GNOME or KDE applet². It uses a local DNS forwarder and can notify apps (over DBUS) of network state changes.

This setup has a few implications. The most obvious is that you don’t get online until after you login to the GUI.
It also assumes the user is the one with the knowledge, not (whoever is root on) the laptop (suppose that’s how other OSes handle it anyway, just feels odd).

I imagine if you run many non-DBUSed servers that need a network at boot, or have hardcoded IPs in your firewall, it might piss you off a bit. But would you roam with that setup?

Although the applet is by default the font of all knowledge, you could easily run a non-GUI userland component as part of the usual boot If ubuntu-installer had one, WPA wireless users could net install at last.

¹ seems 256Mb isn’t enough RAM (!) to hibernate. Shut down firefox first and it’s fine.

² the applet works in fluxbox (and other window managers I presume) too, but it’ll ask you for the passphrase every boot. You can Google up some gnome-keyring voodoo if that drives you mad.

Despite our ups and downs, for me there’s still
only one choice for a server OS .

Luckily, FreeBSD 6.x now has WPA supplicant in the base,
along with ipi/ipw (Centrino 802.11b/g support), and word is
the 5.x wrinkles are ironed out.

So I thought I’d do a BSD version of the
WPA howto
I wrote the other day.

0: ingredients:

• FreeBSD 6.0
• a WPA capable supported wireless NIC (mainly 802.11g kit). I’m using a Cardbus NEC WL54AG - piece of crap but supported by ath and only 20 notes on ebay. Replace ath0 with ipw/ipi/ndis as appropriate.
• a computer
• an access point (should work on ad-hoc WLANs, too)
• a rootprompt

1: patch your kernel

Sod’s law -
since we’re securing our WLAN you might as well do it right.

2: get your modules on

If your card doesn’t show up in ’ifconfig -a’, check dmesg. Mine said:

cardbus0:  at device 0.0 (no driver attached)

until I kldload if_ath, then I got:

ath_hal: 0.9.14.9 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413)
ath0:  mem 0x88000000-0x8800ffff irq 12 at device 0.0 on cardbus0
ath0: Ethernet address: 00:0d:00:1d:41:1b
ath0: mac 5.9 phy 4.3 radio 3.6

3: setup /etc/wpa_supplicant.conf

If you’re accessing a pre-shared key WPA network, you should only need
to tweak the ‘psk=’, ‘proto=’ lines.

For anything else, read the (excellent)
wpa_supplicant.conf
manpage.

 # used by wpa_cli(8) (see 'troubleshooting' below)
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=0

 # boilerplate, essentially. see the example for a walkthrough
 eapol_version=1
 ap_scan=1
 fast_reauth=1

 # 'network' is a group of APs sharing a SSID
 network={
         ssid="YOURSSID"
         # 'RSN' == 'WPA2'
         proto=RSN WPA
         # that's 'pre-shared key'
         key_mgmt=WPA-PSK
         # lists ciphers to try. CCMP is AES
         # pairwise is for client <-> AP traffic, group is for broadcasts
         pairwise=CCMP TKIP
         group=CCMP TKIP
         psk="hail beastie, baby"
 }

4: setup your AP

(the faint-hearted should probably check they have ethernet access to it first)

You want to enable WPA-PSK and broadcast your SSID. On the WRT54G that goes:

• under ‘wireless’ → ‘basic wireless settings’
  • enable “SSID broadcast” (no need for security by obscurity)
• under ‘wireless’ → ‘wireless security’
  • set ‘security mode’ = ‘WPA2 personal’ (’enterprise’ needs a RADIUS server)
  • WPA algorithms = ‘AES’ or ‘TKIP + AES’ (I went for plain AES)
  • shared key = choose a long passphrase (it’s not like you’ll type it much)

Check you have everything you need (before you lose connectivity) and ‘save settings’.

5: gentlemen, start your NICs

As root, try this:

/etc/rc.d/wpa_supplicant forcestart ath0
/sbin/dhclient ath0 # or just 'ifconfig ath0 .....'

and hopefully you’re back online.

Since I told my supplicant to try CCMP, then TKIP (the ’pairwise=…’ .conf line),
I was asked to kldload
wlan_ccmp
and restart the supplicant. If it fell through to TKIP it presumably want
wlan_tkip
.

6: automatic for the people

Assuming our /etc/wpa_supplicant.conf was good, we now want this
to start at boot.

First the loader has to pull in our modules. For my case, that’s

 cat >> /boot/loader.conf
 if_ath_load="YES"
 wlan_ccmp_load="YES"
 wlan_tkip_load="YES"# can't hurt
 EOF

Now you just flag the interface as using WPA and DHCP:

 cat >> /etc/rc.conf
 ifconfig_ath0="WPA DHCP"
 EOF

7: troubleshooting

wpa_supplicant will give you more detail than you could possibly want if you pass it
a ’-dd’ argument. A ’ps awwux|grep supplicant’ should give you the full command you’re
using, just add ’-dd’ to those arguments.

That should give you some idea where it’s failing, or at least get you a string to google for.

I also highly recommend
wpa_cli
for those who a) don’t want to hardcode a PSK in a cfg file, b) need to debug their connection or c) like talking to network processes for some reason.

8: homework schools out

Laptop users might want to play with devd and have the start_if.ath0 script run when you insert your NIC should be pleased to find you can now just plug in your card and devd will fire it up correctly for you. It even kills off wpa_supplicant and dhclient neatly when you eject the card.

Here’s how I got an 11Mbit Centrino (ipw2100) to work with WPA2.
This should apply to 54Mbit cards too (e.g. for Atheros, use ‘madwifi’ for the driver and ‘ath0’ for the interface).

before you read on

If you’re on Feisty (Ubuntu 7.04) or better, network manager is now in the base and can handle WPA for you. It interferes with the config below, so choose 1 howto and stick to that.

Personally I don’t need roaming and I like setting up the passphrase laptop-wise (so my kids don’t need to know it), so I’ve come to prefer this way.

WPA and Centrino

I always thought WPA was 802.11g only and 11Mb peasants were stuck with WEP.
Turns out that’s not the case -
11Mbit access points are older, so usually only support WEP, but some 11Mb cards just need a firmware bump.

Other reasons for solidarity with my 802.11b brothers:

• found out pensioners in my street run WLANs (when d-i insisted my SSID was ‘NETGEAR’) – I need some sort of security pronto and WEP isn’t worth having
• the 54Mbit NIC I have is a big, grey, ugly PCCARD thing – my 11mb is builtin
• NTL lied. The ‘free’ 10Mbit upgrade costs an extra tenner a month, so I’m sticking with a 4Mb link. 802.11g wouldn’t make the Net any faster.
• there are no servers on the WLAN now – I don’t really need 802.11g bandwidth

I’m not even supposed to be here today

I don’t pretend to fully understand WPA, but this is works nicely for me and is quick to do.
I was ‘getting round to’ IPSEC for 4 years (while Granny Jenkins at no. 25 leeched my bandwidth on Kazaa, probably). ‘Better’ security isn’t, if it’s too hard to setup.

Besides, I’m fed up of HOWTOs that run ‘WEP is a worthless piece of crap. You should use IPSEC or something. Anyway, here’s how to use WEP.’

I’m sure your eyes are glazing over by now, so let’s get on with it.

kit

I used:

• a Linksys WRT54G access point
  • cheap, runs ‘teh linuks’ and supports WPA2. Skill.
• Ubuntu (Breezy Badger or better)
  • me and Debian had words. No, I don’t want to talk about it
• Intel Pro Wireless 2100 wireless NIC (Centrino)
  • non-free driver, but ubuntu sees it out of the box
• some other way of talking to your AP
  • for when this howto ruins your wireless link

setup the AP

Enable SSID broadcast and WPA shared key auth. On the WRT54G that goes:

• under ‘wireless’ → ‘basic wireless settings’
  • enable ‘SSID broadcast’ ( simplifies the client end. Not that big a deal )
• under ‘wireless’ → ‘wireless security’
  • security mode = WPA2 personal (shared key deal like WEP, only without the shit crypto. ‘enterprise’ needs a RADIUS server. I’m not going there)
  • WPA algorithms = ‘AES’ or ‘TKIP + AES’ ( the letters ‘AES’ give me a fuzzy glow, so I skipped TKIP )
  • shared key = “a long passphrase , it’s not like you’ll type it often” (seriously, don’t skimp on this.)

Non-WPA authed clients (i.e. you) will be ‘unplugged’ when you click ‘save settings’.

the client end

Meet wpa\supplicant
- a daemon that will speak WPA to the AP for us
(it means : ‘one who begs for mercy’ – I don’t know if that’s supposed to be a joke or not).
In Breezy, you’ll need to enable the ‘universe’ sources to get it.

The config file, /etc/wpa_supplicant.conf, holds WLAN definitions. wpa_supplicant will try
each in turn until it finds a match. I don’t know about you, but I just have the one WLAN at the moment.

The best advice in this whole post is: skim through the examples (they should be in /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz, that path might vary). I wasted hours on google before resorting to reading that file, and it’s probably all you’ll need.

For the settings above, mine goes:

# see wpa_cli stuff below
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

# boilerplate, essentially. see the example for a walkthrough
eapol_version=1
ap_scan=1
fast_reauth=1

# 'network' is a group of APs sharing a SSID
network={
        ssid="YOURSSID"
        # 'RSN' == 'WPA2'
        proto=RSN WPA
        # that's 'pre-shared key'
        key_mgmt=WPA-PSK
        # lists ciphers to try. CCMP is AES
        # pairwise is for client -> AP, group is for broadcasts
        pairwise=CCMP TKIP
        group=CCMP TKIP
        # this can be made faster.see wpa_passphrase(1)
        psk="maybe your christmas list?"
}

now ‘simply’ run wpa_supplicant

First reset the interface

 $ sudo ifconfig eth1 down
 $ sudo killall dhclient
 $ sudo ifconfig eth1 up 0.0.0.0

then try running the supplicant in the foreground with max debugging (-dd)

 $ sudo wpa_supplicant -Dipw -ieth1 -dd -c/etc/wpa_supplicant.conf

-Ddrivername, (despite what the manpage says) is ESSENTIAL: without it, wpa_supplicant
will pick one, and in my experience it’s crap at guessing.

If you see lots of ’ioctl[PRISM2_IOCTL_HOSTAPD]: Operation not supported’ errors,
try a few drivers – see wpa_supplicant -h for a list.

Once I told it to use the IPW driver, I got one error

ioctl[SIOCSIWPMKSA]: Operation not supported
SIOCGIWRANGE: too old (short) data - assuming WPA is not supported

(the card can’t do WPA itself, so the supplicant takes care of it for us)
Then:

EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state IDLE

Now the WLAN is up (the equivalent of having ethernet plugged in).
Just run ‘dhclient eth1’ or configure IP by hand.

making it stick

edit /etc/default/wpasupplicant to say:

# /etc/default/wpasupplicant
# WARNING! Make sure you have a configuration file!
ENABLED=1
#  -w                   Wait for interface to come up
OPTIONS="-w -Dipw -ieth1 -c /etc/wpa_supplicant.conf"

Even with the ’-w’ flag, recent Breezys seem to start dhclient too soon. To fix this, edit the /etc/network/interfaces entry for your wireless NIC so it looks like:

 iface eth1 inet dhcp
    pre-up /etc/init.d/wpasupplicant start
    pre-up sleep 5
    post-down killall -q wpa_supplicant

this is the last song I will ever sing

Your security now rests in that shared secret, and it’s brute forcable,
so make sure it’s long, and that you change it regularly.

One last tip for debugging – wpa_cli(1) is a shell to talk to a running
supplicant. Handy for tweaking without constantly bouncing
the daemon, and it can even update your config file for you.

rasputnik@lumpfish:~$ sudo wpa_cli
wpa_cli v0.4.5
...some license stuff here...
Selected interface 'eth1'

Interactive mode

> status
bssid=<mac of the ap you are talking to>
ssid=YOURSSIDHOPEFULLY
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2-PSK
wpa_state=COMPLETED
ip_address=your.ip.addr.ess
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
> quit

Please let me know if I made any major mistakes (either comment or mail me, my username is ‘rasputnik’ and I have a GMail account) .