Difference between revisions of "WPA Supplicant (Español)"

From ArchWiki

Revision as of 14:50, 11 February 2010


A network protected by a static WEP key can easily be compromised by a motivated attacker. WPA fixes the static key problem by changing the key at a frequency based on packets transmitted/received, or after a set amount of time has passed. This process is carried out by a daemon that is tightly coupled to the wireless hardware.

Inferior drivers (particularly those used through ndiswrapper) can cause a lot of frustration when used with WPA supplicant, so wherever possible use hardware with proper support and high-quality drivers.

Considerations

This article assumes that you are familiar with your hardware and are able to find your way around configuration files and system configuration. It is also critical that you have "read and understood" the Wireless Setup article, since it is the basis for everything explained here.

The previous version of this article expanded on the use of the Arch Build System and the Network Profiles mentioned in Wireless Setup. I assume that a better understanding of the system always helps, but it tends to divert from the objectives and ultimately affects the scope of the document.

Finally, this document is not a prerequisite if your hardware works out of the box and is managed by a daemon such as networkmanager or similar. If you prefer to connect to the network using a graphical tool, you should not be reading this.

Installation

Install the daemon:

# pacman -S wpa_supplicant

This package has been built to support a wide range of wireless hardware. For your information, here is the list, which can be obtained by running the following:

# wpa_supplicant
...

Driver list:

*HostAP
*Prism54
*Madwifi
*NDISWrapper
*ATMEL
*IPW (both 2100 and 2200 drivers)
*WEXT (Generic Linux wireless extensions)
*Wired ethernet

Most wireless hardware is supported by wpa_supplicant by default. Even if your chipset manufacturer is not listed (which is the most likely case), you can use the generic Wireless Extensions to connect to a WPA-secured network. In my own experience, about 75% of hardware is supported by WEXT and 20% is compatible after recompiling wpa_supplicant or the hardware drivers; unfortunately, the remaining 5% is definitely incompatible. I will discuss incompatibilities later; however, if you are completely desperate, ABS is always an option. WPA Supplicant is available at: /var/abs/core/support/wpa_supplicant.

Configuring and connecting

/etc/wpa_supplicant.conf contains all the configuration options for wpa_supplicant. Its contents are fairly simple, although the example file provided is horribly obtuse. To simplify things, log in as root and rename the default wpa_supplicant.conf. It is not needed at this point.

# mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.original

Dynamic method: 'wpa_gui', 'wpa_cli'

It is possible to configure wpa_supplicant just enough that you can set up network connections with wpa_gui or wpa_cli (see "Management"), instead of defining your network blocks in wpa_supplicant.conf. You will need a configuration file with the lines:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=network
update_config=1

This configuration allows users in the "network" group to control wpa_supplicant through the wpa_gui or wpa_cli frontends. The setting "update_config=1" allows these programs (wpa_cli, wpa_gui) to modify wpa_supplicant.conf in order to save new networks or changes to existing ones. Now start wpa_supplicant:

# wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -B

where the -D option specifies the wireless driver (which is almost always wext), -i the interface (replace wlan0 with the name of your wireless interface) and -c the configuration file. -B tells wpa_supplicant to run as a daemon. You must run wpa_supplicant as root (or with sudo), but any user in the network group can run wpa_cli or wpa_gui.

You should then be able to run wpa_cli or wpa_gui and add some networks to connect to. If you prefer to write the configuration file manually, read on. In fact, some of the following information is important even if you do not define your networks in wpa_supplicant.conf, so you should read it anyway.

Classic method: wpa_supplicant.conf

The ssid and passphrase for your WPA-encrypted wireless network must be encoded into a hexadecimal string. This is quite simple with the wpa_passphrase utility, which is supplied as part of the wpa_supplicant package. The syntax is: wpa_passphrase [ssid] "[passphrase]"

  • An example exercise:
# wpa_passphrase mywireless "secretpassphrase"

This should generate something like the following:

network={
       ssid="mywireless"
       #psk="secretpassphrase"
       psk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515
}

This is the basic configuration required to get WPA working. The first line is the opening statement for the network, the second is the ssid of the base station you want to connect to, the third is the passphrase (kept as a comment), and the fourth is the hex key which is required to connect.

  • Utilizing wpa_passphrase, specify your actual ssid and passphrase, and redirect the output to /etc/wpa_supplicant.conf:
# wpa_passphrase mywireless "secretpassphrase" > /etc/wpa_supplicant.conf

changing the details where applicable to your own specific information. This will then create a basic /etc/wpa_supplicant.conf from the output of the wpa_passphrase command.
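What wpa_passphrase computes, as an added example (not part of the original article and not taken from the wpa_supplicant source): the hex key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output. The function names are hypothetical, and the sample input is the IEEE 802.11i test vector rather than the article's network.

```python
import hashlib


def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-digit PSK for a WPA/WPA2-Personal network.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    ssid_b, pass_b = ssid.encode("utf-8"), passphrase.encode("utf-8")
    if not 8 <= len(pass_b) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if not 1 <= len(ssid_b) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pass_b, ssid_b, 4096, 32).hex()


def network_block(ssid: str, passphrase: str, keep_comment: bool = False) -> str:
    """Render a network block; the plaintext '#psk=' comment is opt-in."""
    if '"' in ssid or "\n" in ssid:
        raise ValueError("SSIDs containing quotes or newlines are not supported here")
    lines = ["network={", f'\tssid="{ssid}"']
    if keep_comment:
        # wpa_passphrase always emits this line; it holds the passphrase itself.
        lines.append(f'\t#psk="{passphrase}"')
    lines += [f"\tpsk={derive_psk(ssid, passphrase)}", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: IEEE 802.11i test vector (SSID "IEEE", passphrase "password").
    print(network_block("IEEE", "password"))
```

Because the SSID is the salt, the same passphrase yields a different key for every network name. The hex key alone is enough to join the network, so it needs the same protection as the passphrase.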

For example if you use the WPA2-personal protocol you will have to add a few lines in the network section:

network={
       ssid="mywireless"
       proto=RSN
       key_mgmt=WPA-PSK
       pairwise=CCMP TKIP
       group=CCMP TKIP 
       psk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515
}

Note: Your network information will be stored in plain text format, so you should change the permissions on the newly created /etc/wpa_supplicant.conf file (e.g. chmod 0600 /etc/wpa_supplicant.conf to make it readable by root only), depending upon how security conscious you are.

Adding an additional WPA encrypted network can be achieved like so:

# wpa_passphrase additional_ssid "additional_passphrase" >> /etc/wpa_supplicant.conf

The '>>' will redirect and append the output to /etc/wpa_supplicant.conf, without overwriting.
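A check for the two exposures described above, as an added example (not part of the original article): every wpa_passphrase run, including the append, writes the passphrase itself as a #psk comment, and a shell redirect does not restrict the file mode. The function name audit_conf and the findings wording are hypothetical; the sample file is constructed from the article's own output.

```python
import os
import re
import stat
import tempfile

# Constructed sample: the article's wpa_passphrase output, comment line included.
SAMPLE_CONF = (
    "network={\n"
    '\tssid="mywireless"\n'
    '\t#psk="secretpassphrase"\n'
    "\tpsk=7b271c9a7c8a6ac07d12403a1f0792d7d92b5957ff8dfd56481ced43ec6a6515\n"
    "}\n"
)

COMMENTED_PSK = re.compile(r'^\s*#\s*psk=".*"\s*$')
QUOTED_PSK = re.compile(r'^\s*psk=".*"\s*$')


def audit_conf(path):
    """Return a list of findings for one wpa_supplicant.conf file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible beyond the owner, expected 0600")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if COMMENTED_PSK.match(line):
                findings.append(f"line {lineno}: plaintext passphrase left in a #psk comment")
            elif QUOTED_PSK.match(line):
                findings.append(f"line {lineno}: psk given as a quoted passphrase, not a hex key")
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "wpa_supplicant.conf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONF)
        os.chmod(conf, 0o644)  # what a plain shell redirect typically leaves behind
        for finding in audit_conf(conf):
            print(finding)
```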

There are a large number of options which are available to set under the network which you can investigate by looking at the original configuration file. In most cases you can use the defaults, and not specify anything further in that section at the moment.

Lastly, specify these additional lines at the top of /etc/wpa_supplicant.conf, with your editor of choice:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel

If you need to connect to several networks, just define another network block in the same file. Change the priority at will, recalling that priorities with big numbers are tried first.

Now you can try connecting manually.

First, bring the wifi interface up. For the purposes of this example we will use interface wlan0.

# ifconfig wlan0 up

Next, direct the interface to associate with the access point ssid:

# iwconfig wlan0 essid [ssid]

Once ssid association is successful (after about 10 seconds on average), you need to run wpa_supplicant to complete the encrypted association. Typically, you will be able to use the Wireless EXTensions driver for wpa_supplicant; if you cannot, you may need to look up on the internet how to do it with your wireless device.

Issue the following as root:

# wpa_supplicant -B -Dwext -i wlan0 -c /etc/wpa_supplicant.conf 

The previous syntax tells wpa_supplicant to use its default hardware configuration (WEXT - Linux Wireless EXTensions) and to associate with the ssid which is specified in /etc/wpa_supplicant.conf. The association is performed through the wlan0 wireless interface and the process moves to the background (-B). For verbose output, add -d or -dd (for debug) to dump more information to the console. You can find additional examples here: wpa_supplicant.

In the console output, there should be a line that reads 'Associated:' followed by a MAC address. All that is required now is an IP address. As root, issue:

# dhcpcd wlan0

  • Note: *Do not* request the IP immediately! You must wait to ensure proper association. If you use a script, you can use "sleep 10s" to wait for 10 seconds.

Verify the interface has received an IP address using ifconfig:

# ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr 00:1C:BF:66:4E:E0 
         inet addr:192.168.0.62  Bcast:192.168.0.255  Mask:255.255.255.0
         inet6 addr: fe80::21c:bfff:fe66:4ee0/64 Scope:Link
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:140387 errors:0 dropped:0 overruns:0 frame:0
         TX packets:96902 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:125513183 (119.6 Mb)  TX bytes:12299192 (11.7 Mb)

If the output is close to the above, you are now connected. You can then look into using the netcfg2 scripts to set this up on a more permanent basis and get it working when you start the machine. Depending on the approach you've chosen to configure your wireless adapter, you can decide to use a graphical (but not invasive) tool like Wicd or pick the network profiles provided by netcfg.

More sophisticated configurations, like EAPOL or RADIUS authentication, are very well detailed in the wpa_supplicant.conf manpage. These configurations fall outside the scope of this document.

Fallback: Recompiling wpa_supplicant

Grab a copy of the wpa_supplicant source from the homepage or from the ABS. Once downloaded and untarred, have a look at the file '.config' (yeah, it's hidden). The file looks like a kernel config, only much smaller. Have a look at the sections named CONFIG_DRIVER_DRIVERNAME and choose yes or no, depending upon your driver. Be careful with the options chosen, because you will need to specify an additional path to your wireless drivers' source in order to correctly compile the low-level association component. Some weird Atheros cards may need a fresh wpa_supplicant build compiled against the latest madwifi-svn release available. If this is the case, here is an example to guide you through the compilation process:

madwifi example: edit the following lines in the config file to look like this. This assumes that you have built madwifi with abs and that the source from the build is stored in /var/abs/local/madwifi/src/.

#Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
#Change include directories to match with the local settings
CFLAGS += -I/var/abs/local/madwifi/src/madwifi

Once configured, you can proceed with makepkg as usual.

Management

netcfg

The easiest way to have wpa_supplicant start at boot is to use netcfg. It is not necessary to specify which network SSID you want to connect to (typically you can't do that anyways since the desired network will vary depending on location), wpa_supplicant will automatically connect to an available network from those specified in Template:Filename.

So, install netcfg if it is not already installed and then create a network profile configuration by copying the example file:

# cp /etc/network.d/examples/wireless-wpa-config /etc/network.d/wpa_suppl

Edit the new file to make sure it specifies the right interface, e.g.

INTERFACE="wlan0"

The rest of the file should be left as it is. Next, edit Template:Filename. Add the network profile to the NETWORKS array:

NETWORKS=(wpa_suppl)

And, add the net-profiles daemon to the list of daemons started at boot:

DAEMONS=(... @net-profiles)

That's it. On the next reboot, the wireless interface will be brought up and wpa_supplicant started. If a known network is available, a connection will be established. For more information on netcfg see Network Profiles.

Wireless management only

As mentioned above, there are two frontends to wpa_supplicant written by the wpa_supplicant developers themselves: wpa_cli and wpa_gui. wpa_cli is, as you might expect, a command-line frontend, while wpa_gui is a Qt-based frontend to wpa_supplicant. wpa_cli is included with the wpa_supplicant package; wpa_supplicant_gui is its own package. The details on how to set up wpa_supplicant to work with either wpa_cli or wpa_gui are in section #Dynamic method:'wpa_gui', 'wpa_cli'.

wpa_cli, when invoked without options, will give you a prompt environment; try typing "help" for help.

wpa_gui is pretty straightforward. If you hit "scan" you will be presented with a list of detected SSIDs, and you can double-click one to add it. You will be given a dialogue box that lets you enter the information you need to associate with your network; most likely, you will only have to enter your PSK if you use WPA/WPA2, or your "key0" for a WEP connection. The protocol (WPA/WPA2/WEP/unencrypted) should be autodetected. Things like 802.1x will require a bit more configuration.

After you add a network you can modify it, for example to change the PSK: switch to the 'Manage Networks' tab and select the network you want to Edit / Remove. You can also add a network without scanning, which you will need to do if you don't broadcast your SSID.

Note: wpa_cli and wpa_gui will not get you an IP address or set up a proper routing table; they will only associate you with a wireless access point. The wpa_auto scripts from the AUR can be used to start wpa_supplicant at boot and automatically run dhcp to configure your network connection after you associate to a wireless network, or you might write your own scripts. Higher-level wireless/network management utilities are also available that are capable of managing both wireless and wired connections:

Wicd

Install Wicd:

# pacman -S wicd

Wicd is very straightforward; scan for networks, fill in the required data and connect. You might need to add Template:Filename to init and power management scripts for reconnecting to networks if auto-connection behavior is expected.

Troubleshooting

Most of the issues are related to the association. So, have a deep look at wpa_supplicant's output when you suspect it's misbehaving. Add '-d' (for debug) to increase the verbosity. Usually '-dd' is enough. '-dddd' might be overkill.

When you're inspecting the log, have a look at entries like this one:

ioctl[WHATEVER]: Operation not supported

If this is the case, you're experiencing a driver issue. Upgrade drivers, or change the -D parameter.

Another common problem is "No suitable AP found" messages. wpa_supplicant seems to have trouble finding hidden essids. Usually setting scan_ssid=1 in your network block will take care of this.


No IP from DHCP Server

The following is a personal experience. I don't know why it works this way but maybe others have the same issue: After

ifconfig wlan0
iwconfig wlan0 essid "myEssid"
wpa_supplicant -B -D wext  -i wlan0 -c /etc/wpa_supplicant.conf
sleep 15; dhcpcd wlan0 #or dhclient wlan0

I don't get an IP address. I use this workaround (after the stuff just mentioned has been done):

killall wpa_supplicant -SIGHUP
iwconfig wlan0 essid "myEssid" key on #maybe "key on" is optional
sleep 15; dhcpcd wlan0

When I do

ps aux | grep wpa

I get a running wpa_supplicant even though I just killed it. Seems like iwconfig started the service for me.

My wireless card:

Intel Corporation PRO/Wireless 3945ABG [Golan] Network Connection (rev 02)