WPA supplicant
From ArchWiki
A network protected by a static WEP key can quite easily be compromised by a motivated hacker. WPA corrects the problem of the static key by changing it after a certain number of packets have been transmitted/received, or once a certain amount of time has passed. This process is performed by a daemon which is tightly bound to your wireless hardware.
Inferior drivers (in particular those used through ndiswrapper) can provide much frustration when used in conjunction with WPA supplicant so, if at all possible, use hardware with proper support and high quality drivers.
Considerations
This article assumes that you are familiar with your hardware, and are capable of finding your way around configuration files and configuring your system. It is also critical you have *read and understood* the Wireless Setup article, because it is the basis for all that we are going to explain here.
The previous version of this article expanded on the use of the Arch Build System and the Network Profiles mentioned on Wireless Setup. I suppose that a better understanding of the system always helps, but tends to divert objectives, and finally affects the scope of the document.
Finally, this document is not a prerequisite if your hardware works out of the box and is handled through a connection daemon like networkmanager or the like. If you prefer to connect to the network using a graphical tool, you shouldn't be reading this.
Installation
Install the daemon:
# pacman -S wpa_supplicant
This package has been built for supporting a very broad range of wireless hardware. For your information, here is the list, which can be obtained by executing 'wpa_supplicant':
# wpa_supplicant
...
Driver list:
* HostAP
* Prism54
* Madwifi
* NDISWrapper
* AMTEL
* IPW (both 2100 and 2200 drivers)
* WEXT (Generic Linux wireless extensions)
* Wired ethernet
Most wireless hardware is supported by default by wpa_supplicant. Even if your chipset manufacturer isn't listed (which is the most probable case), you can still make use of the Generic Wireless Extensions to connect to a WPA-secured network. Based on my particular experience, 75% of hardware is supported by WEXT, about 20% is compatible after recompiling wpa_supplicant and/or the hardware drivers from scratch and, unfortunately, the remaining 5% is definitely incompatible. I'll talk about the incompatibilities later; however, if you're completely desperate, ABS is always an option. WPA Supplicant is available at: /var/abs/core/support/wpa_supplicant.
Configuring and connecting
/etc/wpa_supplicant.conf contains all configuration settings for wpa_supplicant. Its contents are quite simple, although the sample file that is provided is horribly obtuse. For the purpose of simplifying, login as root, and rename the default wpa_supplicant.conf file. It is not needed at this point.
# mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.original
Dynamic method: 'wpa_gui', 'wpa_cli'
It is possible to configure wpa_supplicant just enough that you can use wpa_gui or wpa_cli (see "Management") to actually configure your network connections, instead of defining your network blocks in the wpa_supplicant.conf file. You will need a config file along the lines of:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=network
update_config=1
This configuration allows users in the "network" group to control wpa_supplicant via the wpa_gui and wpa_cli frontends. The "update_config=1" setting allows these programs (wpa_cli, wpa_gui) to modify the wpa_supplicant.conf file, so they can save new networks or modifications to existing networks. Now you'll need to start wpa_supplicant:
# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B
where the -D option specifies your wireless driver (which is almost always wext), -i specifies the interface (replace wlan0 with your wireless interface's name) and -c specifies the conf file. -B tells wpa_supplicant to run as a daemon. You will have to run wpa_supplicant as root (or with sudo), but any user in the network group can run wpa_gui or wpa_cli.
So now you should be able to start up wpa_gui, or wpa_cli and add some networks to connect to. If you'd rather edit the config file manually, read on. In fact, some of the following information is kind of important even if you don't manually define your networks in wpa_supplicant.conf, so you should probably read it anyway.
Classic method: wpa_supplicant.conf
The passphrase for your WPA-encrypted wireless network is not stored as-is: it is combined with the ssid to derive a 256-bit pre-shared key, written as a hexadecimal string. Achieving this is quite simple, by utilizing the wpa_passphrase utility, which is supplied as part of the wpa_supplicant package. Use the syntax wpa_passphrase [ssid] "[passphrase]"
- An example exercise:
# wpa_passphrase mywireless "secretpassphrase"
this should generate something like the below:
network={
	ssid="mywireless"
	#psk="secretpassphrase"
	psk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515
}
This is the basic configuration required to get wpa working. The first line is the opening statement for the network, the second is the ssid of the base station you are wanting to connect to, the third line the passphrase, and the fourth the hex key which is required to connect.
- Utilizing wpa_passphrase, specify your actual ssid and passphrase, and redirect the output to /etc/wpa_supplicant.conf:
# wpa_passphrase mywireless "secretpassphrase" > /etc/wpa_supplicant.conf
changing the details where applicable to your own specific information. This will then create a basic /etc/wpa_supplicant.conf from the output of the wpa_passphrase command.
For example if you use the WPA2-personal protocol you will have to add a few lines in the network section:
network={
	ssid="mywireless"
	proto=RSN
	key_mgmt=WPA-PSK
	pairwise=CCMP TKIP
	group=CCMP TKIP
	psk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515
}
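The derivation wpa_passphrase performs, and the WPA2-personal block above, as an added example (not the page's own code): the PSK is PBKDF2-HMAC-SHA1 over the passphrase, salted with the ssid, 4096 iterations, 32 bytes. It goes one step beyond the page by emitting only CCMP and leaving out the #psk="..." comment, so the cleartext passphrase never lands in the config file. The function names are my own.

```python
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA-PSK exactly as wpa_passphrase does
    (IEEE 802.11i Annex H): PBKDF2-HMAC-SHA1, salt = ssid, 4096
    iterations, 32-byte output, returned as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return raw.hex()


def network_block(ssid: str, passphrase: str, wpa2_only: bool = True) -> str:
    """Render a network={...} block for /etc/wpa_supplicant.conf.
    Unlike wpa_passphrase, no #psk="..." comment is written, so the
    cleartext passphrase is not left in the file. Assumes a printable
    ASCII ssid (non-ASCII ssids need the unquoted hex form instead)."""
    lines = [f'ssid="{ssid}"']
    if wpa2_only:
        # RSN = WPA2; restrict to CCMP (AES) rather than also allowing TKIP.
        lines += ["proto=RSN", "key_mgmt=WPA-PSK", "pairwise=CCMP", "group=CCMP"]
    lines.append(f"psk={wpa_psk(ssid, passphrase)}")
    return "network={\n" + "".join(f"\t{line}\n" for line in lines) + "}\n"


if __name__ == "__main__":
    # Standard test vector from IEEE 802.11i Annex H.
    print(network_block("IEEE", "password"))
```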
Adding an additional WPA encrypted network can be achieved like so:
# wpa_passphrase additional_ssid "additional_passphrase" >> /etc/wpa_supplicant.conf
The '>>' will redirect and append the output to /etc/wpa_supplicant.conf, without overwriting.
There are a large number of options which are available to set under the network which you can investigate by looking at the original configuration file. In most cases you can use the defaults, and not specify anything further in that section at the moment.
Lastly, specify these additional lines at the top of /etc/wpa_supplicant.conf, with your editor of choice:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
If you need to connect to several networks, just define another network block in the same file. Change the priority at will, recalling that priorities with big numbers are tried first.
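A small parser and audit for a multi-network wpa_supplicant.conf, as an added example (not code from the page or the wpa_supplicant project): it lists the networks in the order wpa_supplicant will try them (higher priority first, default 0) and flags a #psk comment left behind by wpa_passphrase, TKIP ciphers, and a psk that is not a 64-digit hex key. The sample config is constructed; the function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample: the article's first network plus a hand-edited second one.
SAMPLE_CONF = """\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
    ssid="mywireless"
    #psk="secretpassphrase"
    psk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515
    proto=RSN
    pairwise=CCMP TKIP
}
network={
    ssid="office"
    scan_ssid=1
    priority=5
    psk=0000000000000000000000000000000000000000000000000000000000000000
}
"""


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Parse network={...} blocks into dicts. A '#psk=' comment is kept
    under the key '#psk' because it carries the cleartext passphrase."""
    nets, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            if line.startswith("#") and not line.startswith("#psk="):
                continue  # ordinary comment
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return nets


def connection_order(nets: List[Dict[str, str]]) -> List[str]:
    """ssids in the order tried: larger priority first, ties keep file order."""
    return [n["ssid"] for n in sorted(nets, key=lambda n: -int(n.get("priority", 0)))]


def audit(nets: List[Dict[str, str]]) -> List[str]:
    """Findings worth fixing before the file is deployed."""
    out = []
    for n in nets:
        ssid = n.get("ssid", "?")
        if "#psk" in n:
            out.append(f"{ssid}: cleartext passphrase left in '#psk' comment")
        if "TKIP" in n.get("pairwise", "") + n.get("group", ""):
            out.append(f"{ssid}: TKIP allowed; prefer pairwise=CCMP group=CCMP")
        if not re.fullmatch(r"[0-9a-fA-F]{64}", n.get("psk", "")):
            out.append(f"{ssid}: psk is not a 64-hex-digit key (cleartext passphrase?)")
    return out
```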
Now you can try connecting manually.
First, bring the wifi interface up. For the purposes of this example we will use interface wlan0.
# ifconfig wlan0 up
Next, direct the interface to associate with the access point ssid:
# iwconfig wlan0 essid [ssid]
Once ssid association is successful, (after about 10 seconds on average), you need to run wpa_supplicant to complete the encrypted association. Typically, you will be able to use the Wireless EXTensions driver for wpa_supplicant, if you cannot, then you might need to check how to do it with your wireless device on the internet.
Issue the following as root:
# wpa_supplicant -B -Dwext -i wlan0 -c /etc/wpa_supplicant.conf
The previous syntax tells wpa_supplicant to use its default hardware configuration (WEXT - Linux Wireless EXTensions) and to associate with the ssid which is specified in /etc/wpa_supplicant.conf. Also, this association should be performed through the wlan0 wireless interface and the process should move to the background (-B). For verbose output, add -d or -dd (for debug) to dump more information to the console. You can find additional examples in the wpa_supplicant documentation.
In the console output, there should be a line that reads 'Associated:' followed by a MAC address. All that is required now is an IP address. As root, issue:
# dhcpcd wlan0
- Note: *Do not* request the IP immediately! You must wait to ensure proper association. If you use a script, you can use "sleep 10s" to wait for 10 seconds.
Verify the interface has received an IP address using ifconfig:
# ifconfig wlan0
wlan0     Link encap:Ethernet  HWaddr 00:1C:BF:66:4E:E0
          inet addr:192.168.0.62  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::21c:bfff:fe66:4ee0/64 Scope:Link
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:140387 errors:0 dropped:0 overruns:0 frame:0
          TX packets:96902 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:125513183 (119.6 Mb)  TX bytes:12299192 (11.7 Mb)
If the output is close to the above, you are now connected. If so, you can investigate using the netcfg2 scripts to set this up on a more permanent basis and get it working when you start the machine. Depending on the approach you've chosen to configure your wireless adapter, you can decide to use a graphical --but not invasive-- tool like Wicd or pick the network profiles provided by netcfg.
More sophisticated configurations, like EAPOL or RADIUS authentication are very well detailed in the wpa_supplicant.conf manpage. These configurations fall out of the scope of this document.
Fallback: Recompiling wpa_supplicant
Grab a copy of the wpa_supplicant source from the homepage or from the ABS. Once downloaded and untarred, have a look at the file '.config' (yeah, it's hidden). The file looks like a kernel config, only much smaller. Have a look at the sections named CONFIG_DRIVER_DRIVERNAME and choose yes or no, depending upon your driver. Be careful with the options chosen, because you will need to specify an additional path to your wireless drivers' source in order to correctly compile the low-level association component. Some weird Atheros cards may need a fresh wpa_supplicant build compiled against the latest madwifi-svn release available. If this is the case, here is an example to guide you through the compilation process:
madwifi example: edit the following lines in the config file to look like this. This assumes that you have built madwifi with ABS and that the source from the build is stored in /var/abs/local/madwifi/src/.
#Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
#Change include directories to match with the local settings
CFLAGS += -I/var/abs/local/madwifi/src/madwifi
Once configured, you can proceed with makepkg as usual.
Management
Wireless management only
As mentioned above, there are two frontends to wpa_supplicant written by the wpa_supplicant developers themselves: "wpa_cli" and "wpa_gui". wpa_cli is, as you might expect, a command line front end, while "wpa_gui" is a Qt-based frontend to wpa_supplicant. wpa_cli is included with the wpa_supplicant package; wpa_supplicant_gui is its own package. The details on how to set up wpa_supplicant to work with either wpa_cli or wpa_gui are in section #Dynamic method: 'wpa_gui', 'wpa_cli'.
wpa_cli, when invoked without options, will give you a prompt environment; try typing "help" for help.
wpa_gui is pretty straightforward. If you hit "scan" you will be presented with a list of detected SSIDs; double click one to add it, and you will be given a dialogue box that lets you enter the information you need to associate with your network. Most likely, you will only have to enter your PSK if you use WPA/WPA2, or your "key0" for a WEP connection. The protocol (WPA/WPA2/WEP/unencrypted) should be autodetected. Things like 802.1X will require a bit more configuration.
After you add a network you can modify it (for example, to change the PSK): switch to the 'Manage Networks' tab and select the network you want to Edit / Remove. You can also add a network without scanning, which you will need to do if your access point does not broadcast its SSID.
Note: wpa_cli and wpa_gui will not get you an IP address or set up a proper routing table; they will only associate you with a wireless access point. The wpa_auto scripts from the AUR can be used to start wpa_supplicant at boot and automatically run dhcp to configure your network connection after you associate to a wireless network, or you might write your own scripts. Higher level wireless/network management utilities are also available, which are capable of managing both wireless connections and wired connections:
Wicd
Install Wicd:
# pacman -S wicd
Wicd is very straightforward; scan for networks, fill in the required data and connect. You might need to add /usr/lib/wicd/autoconnect.py to init and power management scripts for reconnecting to networks if auto-connection behavior is expected.
netcfg
See: Network Profiles
Troubleshooting
Most of the issues are related to the association. So, have a deep look at wpa_supplicant's output when you suspect it's misbehaving. Add '-d' (for debug) to increase the verbosity. Usually '-dd' is enough; '-dddd' might be overkill.
When you're inspecting the log, have a look at entries like this one:
ioctl[WHATEVER]: Operation not supported
If this is the case, you're experiencing a driver issue. Upgrade drivers, or change the -D parameter.
Another common problem is 'No suitable AP found' messages. wpa_supplicant seems to have trouble finding hidden essids. Usually setting scan_ssid=1 in your network block will take care of this.