Difference between revisions of "WPA supplicant"

From ArchWiki
m (Procedure)
(netcfg: no wonder it didn't work, that config was a mess.... redirect to updated and more accurate info.)
Line 145: Line 145:
 
===netcfg===
 
===netcfg===
  
This is a very minimalist option which works most times. I say 'most times' due to the fact that I have seen some connection issues in some setups which I have been unable to debug. Most of these issues are DHCP related (timeouts) which can be fixed reissuing the dhcpcd command. YMMV.
+
See [[Network Profiles]]
 
+
The profile configuration is pretty straightforward. Edit the profile according to your needs paying special attention to:
+
SECURITY="wpa"
+
KEY="yourpassphrase"
+
 
+
This configuration should work on most systems. If your hardware is showing any sign of resistance, you might consider changing the value associated with the wpa_supplicant driver.
+
 
+
'''Example profile using ralink card connecting to the wekonet network on channel 11'''
+
#
+
# Network Profile
+
#
+
+
DESCRIPTION="Example WPA Network Profile"
+
+
# Network Settings
+
INTERFACE=ra0
+
HOSTNAME=wekonet
+
+
# Interface Settings (use IFOPTS="dhcp" for DHCP)
+
IFOPTS="dhcp"
+
#GATEWAY=192.168.0.1
+
+
# DNS Settings (optional)
+
#DOMAIN=localdomain
+
#DNS1=192.168.0.1
+
#DNS2=
+
+
# Wireless Settings (optional)
+
ESSID=wekonet
+
#KEY=
+
IWOPTS="mode managed essid $ESSID channel 11"
+
+
#WIFI_INTERFACE=wlan0  # use this if you have a special wireless interface
+
                        # that is linked to the real $INTERFACE
+
+
#WIFI_WAIT=5            # seconds to wait for the wireless card to
+
                        # associate before bringing the interface up
+
+
USEWPA="yes"            # start wpa_supplicant with the profile
+
WPAOPTS="-D ralink"    # use "" for normal operation or specify additional
+
                        # options (eg, "-D ipw")
+
                        # see /etc/wpa_supplicant.conf for configuration
+
  
 
==Common Issues==
 
==Common Issues==
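
Review bot: the new netcfg section is only the line See [[Network Profiles]], so the removed opening paragraph's one troubleshooting hint is lost: that most of the connection issues were DHCP timeouts fixed by reissuing the dhcpcd command. Consider keeping that sentence or moving it under Common Issues. Dropping the profile itself looks justified, since the removed prose told readers to set SECURITY="wpa" and KEY="yourpassphrase" while the removed example profile used USEWPA="yes" and WPAOPTS="-D ralink" with #KEY= commented out, so the two halves of the old section disagreed.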

Revision as of 10:46, 3 June 2009


Read This First

This article assumes that you are familiar with your hardware, and are capable of finding your way around configuration files and configuring your system. It is also critical you have *read and understood* the Wireless Setup article, because it is the basis for all that we are going to explain here.

The previous version of this article expanded on the use of ABS - The Arch Build System and the Network Profiles mentioned on Wireless Setup. I suppose that a better understanding of the system always helps, but tends to divert objectives, and finally affects the scope of the document.

Finally, this document is not a prerequisite if your hardware works out of the box and is handled through a connection daemon like networkmanager or the like. If you prefer to connect to the network using a graphical tool, you shouldn't be reading this.

What is WPA Supplicant?

You have probably heard about WEP and its inherent weaknesses. A network protected by a static WEP key can quite easily be compromised by a motivated hacker. WPA corrects the problem of the static key by changing it after a certain number of packets have been transmitted or received, or once a certain amount of time has passed. This process is performed by a daemon which is tightly bound to your wireless hardware.

Inferior drivers (in particular those used through ndiswrapper) can provide much frustration when used in conjunction with wpa_supplicant so, if at all possible, use hardware with proper support and high quality drivers.

For further information, WPA Supplicant's homepage is reachable at: http://hostap.epitest.fi/wpa_supplicant/

Installation

wpa_supplicant is in the package group base-devel from the repositories. Invoking pacman, the package can be installed explicitly:

pacman -S wpa_supplicant

This package has been built for supporting a very broad range of wireless hardware. For your information, here is the list, which can be obtained by executing 'wpa_supplicant', without quotes, from your bash prompt:

# wpa_supplicant
...

Driver list:

*HostAP
*Prism54
*Madwifi
*NDISWrapper
*ATMEL
*IPW (both 2100 and 2200 drivers)
*WEXT (Generic Linux wireless extensions)
*Wired ethernet

Most wireless hardware is supported by default by wpa_supplicant. Even if your chipset manufacturer isn't listed (which is the most probable case), you can still make use of the Generic Wireless Extensions to connect to a WPA-secured network. Based on my particular experience, 75% of hardware is supported by WEXT, about 20% is compatible by recompiling wpa_supplicant/hw drivers from scratch and, unfortunately, the remaining 5% is definitely incompatible. I'll talk about the incompatibilities later; however, if you're completely desperate, ABS is always an option. WPA Supplicant is available at: /var/abs/core/support/wpa_supplicant.

Procedure

/etc/wpa_supplicant.conf contains all configuration settings for wpa_supplicant. Its contents are quite simple, although the sample file that is provided is horribly obtuse. To simplify things, log in as root and rename the default wpa_supplicant.conf file. It is not needed at this point.

# mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.original

The ssid and passphrase for your WPA-encrypted wireless network must be encoded into a hexadecimal string. This is quite simple to achieve with the wpa_passphrase utility, which is supplied as part of the wpa_supplicant package. Use the syntax wpa_passphrase [ssid] [passphrase]

  • An example exercise:
# wpa_passphrase mywireless secretpassphrase

This should generate something like the following:

network={
       ssid="mywireless"
       #psk="secretpassphrase"
       psk=b90e230f1f2f5361a9b2d3acf276745ee3c751c0724a3b0052d6df15ec420e69
}

This is the basic configuration required to get WPA working. The first line is the opening statement for the network, the second is the ssid of the base station you want to connect to, the third line is the passphrase (commented out), and the fourth is the hex key which is required to connect.

  • Utilizing wpa_passphrase, specify your actual ssid and passphrase, and redirect the output to /etc/wpa_supplicant.conf:
# wpa_passphrase myssid mypassphrase > /etc/wpa_supplicant.conf

Change the details where applicable to your own specific information. This creates a basic /etc/wpa_supplicant.conf from the output of the wpa_passphrase command.

Adding an additional WPA encrypted network can be achieved like so:

# wpa_passphrase additional_ssid additional_passphrase >> /etc/wpa_supplicant.conf

The '>>' will redirect and append the output to /etc/wpa_supplicant.conf, without overwriting.

There are a large number of options which are available to set under the network which you can investigate by looking at the original configuration file. In most cases you can use the defaults, and not specify anything further in that section at the moment.

Lastly, add this additional line at the top of /etc/wpa_supplicant.conf, with your editor of choice:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel

If you need to connect to several networks, just define another network block in the same file. Change the priority at will, recalling that priorities with big numbers are tried first.
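
The configuration steps above, as an added example (not code from the original article or from the wpa_supplicant project): the psk value wpa_passphrase prints is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes, so the hex key is as sensitive as the passphrase for that SSID. This Python version builds the same file without the commented plaintext passphrase and creates it with mode 0600; the function names and the sample networks are assumptions made for illustration.

```python
import hashlib
import os

CTRL_LINE = "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel"  # from the article

def derive_psk(ssid, passphrase):
    """WPA PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    ok_chars = passphrase.isascii() and passphrase.isprintable()
    if not 8 <= len(passphrase) <= 63 or not ok_chars:
        raise ValueError("WPA passphrase must be 8..63 printable ASCII characters")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    return raw.hex()

def format_ssid(ssid):
    """Quote plain SSIDs; write anything unusual as an unquoted hex string so
    a hostile network name cannot break out of the ssid= line."""
    if ssid.isascii() and ssid.isprintable() and '"' not in ssid:
        return f'"{ssid}"'
    return ssid.encode().hex()

def network_block(ssid, passphrase, priority=None, scan_ssid=False):
    lines = ["network={", f"\tssid={format_ssid(ssid)}"]
    if scan_ssid:
        lines.append("\tscan_ssid=1")  # probe for hidden ESSIDs
    lines.append(f"\tpsk={derive_psk(ssid, passphrase)}")  # no '#psk=' plaintext line
    if priority is not None:
        lines.append(f"\tpriority={priority}")  # bigger numbers are tried first
    lines.append("}")
    return "\n".join(lines)

def render_config(networks):
    blocks = [network_block(**net) for net in networks]
    return "\n\n".join([CTRL_LINE] + blocks) + "\n"

def write_config(path, text):
    """Create the file as 0600 so the PSK is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)  # also tighten a file that already existed
        fh.write(text)

if __name__ == "__main__":
    # Constructed sample networks, not real credentials.
    print(render_config([
        {"ssid": "mywireless", "passphrase": "secretpassphrase", "priority": 5},
        {"ssid": "hidden-net", "passphrase": "another secret", "scan_ssid": True},
    ]))
```

Passing the passphrase to wpa_passphrase on the command line, as in the steps above, also leaves it in the shell history; the file produced that way keeps the '#psk=' comment line unless it is deleted by hand.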

Now you can try connecting manually.

First, bring the wifi interface up. For the purposes of this example we will use interface wlan0.

# ifconfig wlan0 up

Next, direct the interface to associate with the access point ssid:

# iwconfig wlan0 essid [ssid]

Once ssid association is successful (after about 10 seconds on average), you need to run wpa_supplicant to complete the encrypted association. Typically, you will be able to use the Wireless EXTensions driver for wpa_supplicant; if you cannot, you might need to search the internet for how to do it with your wireless device.

Issue the following as root:

# wpa_supplicant -B -Dwext -i wlan0 -c /etc/wpa_supplicant.conf 

The previous syntax tells wpa_supplicant to use its default hardware configuration (WEXT - Linux Wireless EXTensions) and to associate with the ssid which is specified in /etc/wpa_supplicant.conf. The association is performed through the wlan0 wireless interface, and the process moves to the background (-B). For verbose output, add -d or -dd (for debug) to dump more information to the console. You can find additional examples here: wpa_supplicant.

In the console output, there should be a line that reads 'Associated:' followed by a MAC address. All that is required now is an IP address. As root, issue:

# dhcpcd wlan0
  • Note: *Do not* request the IP immediately! You must wait to ensure proper association. If you use a script, you can use "sleep 10s" to wait for 10 seconds.
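
A fixed sleep only guesses at how long association takes. As an added example (not from the original article): a script can poll wpa_cli, the control client shipped with wpa_supplicant, until wpa_state reports COMPLETED, refuse to continue if the link came up without WPA, and only then start dhcpcd. It assumes the ctrl_interface line configured earlier; the function names and defaults are chosen for illustration.

```python
import subprocess
import time


def parse_status(text):
    """Parse the key=value lines printed by `wpa_cli status` into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def query_status(interface):
    """Ask the running wpa_supplicant for its state over the control socket."""
    result = subprocess.run(["wpa_cli", "-i", interface, "status"],
                            capture_output=True, text=True, check=True)
    return result.stdout


def wait_for_association(interface, timeout=30.0, poll=1.0,
                         query=query_status, sleep=time.sleep):
    """Return the status once the WPA handshake is complete, else raise."""
    waited = 0.0
    while True:
        status = parse_status(query(interface))
        if status.get("wpa_state") == "COMPLETED":
            # Assumption: an unencrypted link reports key_mgmt=NONE (or no key_mgmt).
            if status.get("key_mgmt", "NONE") == "NONE":
                raise RuntimeError(f"{interface}: associated without WPA")
            return status
        if waited >= timeout:
            raise TimeoutError(f"{interface}: wpa_state={status.get('wpa_state')}")
        sleep(poll)
        waited += poll


def connect(interface="wlan0"):
    """Request a DHCP lease only after the encrypted association is up."""
    status = wait_for_association(interface)
    subprocess.run(["dhcpcd", interface], check=True)
    return status
```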

Verify the interface has received an IP address using ifconfig:

# ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr 00:1C:BF:66:4E:E0 
         inet addr:192.168.0.62  Bcast:192.168.0.255  Mask:255.255.255.0
         inet6 addr: fe80::21c:bfff:fe66:4ee0/64 Scope:Link
         UP BROADCAST MULTICAST  MTU:1500  Metric:1
         RX packets:140387 errors:0 dropped:0 overruns:0 frame:0
         TX packets:96902 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:125513183 (119.6 Mb)  TX bytes:12299192 (11.7 Mb)

If the output is close to the above, you are now connected. If so, you can investigate using the netcfg2 scripts to set this up as a more permanent arrangement and get it working when you start the machine. Depending on the approach you've chosen to configure your wireless adapter, you can decide to use a graphical (but not invasive) tool like Wicd or pick the network profiles provided by netcfg.

More sophisticated configurations, like EAPOL or RADIUS authentication, are very well detailed in the wpa_supplicant.conf manpage. These configurations fall outside the scope of this document.

But man, that didn't work for me - (Rebuilding wpa_supplicant from scratch)

Grab a copy of the wpa_supplicant source from the homepage or from the ABS. Once downloaded and untarred, have a look at the file '.config' (yeah, it's hidden). The file looks like a kernel config, only much smaller. Have a look at the sections named CONFIG_DRIVER_DRIVERNAME and choose yes or no, depending upon your driver. Be careful with the options chosen, because you will need to specify an additional path to your wireless drivers' source in order to correctly compile the low-level association component. Some weird atheros cards may need a fresh wpa_supplicant build compiled against the latest madwifi-svn release available. If this is the case, here is an example to guide you through the compilation process:

madwifi example: edit the following lines in the config file to look like this. This assumes that you have built madwifi with abs and that the source from the build is stored in /var/abs/local/madwifi/src/.

#Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
#Change include directories to match with the local settings
CFLAGS += -I/var/abs/local/madwifi/src/madwifi

Once configured, you can proceed with makepkg as usual.

Management

Wicd

Installation:

# pacman -S wicd 

Very straightforward. Scan for networks, fill in the required data and connect. You might need to add

/usr/lib/wicd/autoconnect.py

to your init and power-managing scripts to reconnect to those networks if autoconnection behavior is expected.

netcfg

See Network Profiles

Common Issues

99.9% of the issues are related to the association. So, have a close look at wpa_supplicant's output when you suspect it's misbehaving. Add '-d' (for debug) to increase the verbosity. Usually '-dd' is enough. '-dddd' might be overkill.

When you're inspecting the log, have a look at entries like this one:

ioctl[WHATEVER]: Operation not supported

If this is the case, you're experiencing a driver issue. Upgrade drivers, or change the -D parameter.

Another common problem is No suitable AP found messages. Wpa_supplicant seems to have trouble finding hidden essids. Usually setting scan_ssid=1 in your network block will take care of this.