Eloi Primaux eloi at bliscat.org
Fri Mar 31 13:38:02 PST 2006

AUTHOR: Eloi Primaux eloi AT bliscat dot org

DATE: 2006-03-31

LICENSE: GNU Free Documentation License Version 2

SYNOPSIS: Setting up a wifi interface using wpa_supplicant and LFS IP





1)   A working LFS-6.1 system or newer with wireless capabilities  
1.a) Linux kernel 2.6.14 or newer                           (0)
1.b) Wireless Cards Drivers
2)   An IP service
2.a) Static IP service                                      (1)
2.b) Dynamic IP service                                     (1)
2.c) Static IP discovering helper                           (2)
3)   Wireless Networks helper programs
3.a) Wireless tools                           
3.b) wpa_supplicant    
4)   This hint with its 4 files                   
5)   A working firewall
5.a) Basic firewalling capabilities                         (1)(2)
5.b) Shoreline firewall                                     (2)

(0) The Linux kernels shipped with LFS-6.1 and 6.1.1 are too old,
    please consider upgrading to 2.14 or 2.16 kernels.
    The Linux kernel maintainers have changed some references in
    the 2.6.16 .config file, thus firewalling capabilities will be
    when using a .config from a 2.14 kernel or older.
(1) See BLFS book
(2) Not needed but recommended

1) A working LFS-6.1 system or newer with wireless capabilities
1.a) The Wireless Capabilities of the Linux kernel
Configuring the kernel:

Networking  ---> 
[*] Networking support
 <M>   Generic IEEE 802.11 Networking Stack
 <M>     IEEE 802.11 WEP encryption (802.1x)
 <M>     IEEE 802.11i CCMP support
 <M>     IEEE 802.11i TKIP encryption    
Device Drivers  --->
    Network device support  --->
        Wireless LAN (non-hamradio)  --->
        [*] Wireless LAN drivers (non-hamradio) & Wireless Extensions
   << and select your driver from the list if shipped with the Linux
Kernel >>
Cryptographic options  --->
 <M>   AES cipher algorithms

Now compile and install your new kernel, enable it in your boot loader and
boot it.

1.b) The Wireless Cards Drivers
If your driver wasn't shipped with the Linux kernel then you need
a third-party driver.

Be aware that most of these independent drivers are still in development:
they probably won't be available as tarballs but from a CVS or Subversion
repository. You will then need those tools to download them; both the cvs
and svn installations are explained in the BLFS book.

Please also consider reading the "Wireless LAN resources for Linux"
chipsets driver name.

As an example, most Atheros cards are supported by the madwifi project:
link: http://madwifi.org/wiki
without doing advertising for them this wiki is full of information and
referring to WPA encrypted networks

2) The IP services
You should know that network interfaces need IP addresses, and also that
some networks have DHCP servers while others don't. Without explaining the
benefit of having a DHCP server, I will just say that a DHCP server provides
an IP address to attached network interfaces (it also provides the IP of the
gateway, the mask and the IPs of the DNS servers).

The installation and configuration of the essential IP services are in the
BLFS book. You will see the benefit of the wpa-service once you understand
that this service only attaches your card to a wireless WPA network and,
when that is done, simply launches the desired IP service as if your system
were setting up a usual network card.

Then you only have to know which IP service your network uses:
is it a STATIC or a DYNAMIC network?

2.a) Static IP service
        IP service will be ipv4-static
This service is shipped with the LFS Book (6.1 and newer)

2.b) Dynamic IP service
        IP service will be dhcpcd
This service is described in the BLFS Book (6.1 and newer)

2.c) Static IP discovering helper (Zeroconf like)
Use it when you really don't know what to do
        IP service will be autoipd-service
This service is not yet shipped anywhere for LFS systems, so I wrote it

2.c.1) The Howl installation
Refer to:
link: http://www.porchdogsoft.com/products/howl/InstallUnix.html
But set the prefix to /usr

Now copy the autoipd-service to the network service directory:

cp autoipd-service /etc/sysconfig/network-devices/services
And make it executable:

chmod 755 -c /etc/sysconfig/network-devices/services/autoipd-service

3) Wireless Networks helper programs
3.a) Wireless tools
This helper is not needed by the wpa-service but can be really helpful.

download the latest development version of this tool named
execute the following command in its directory :

find ./ -name 'Makefile' -exec sed -i 's,/usr/local,/usr,g' {} \; &&
make &&
make install

3.b) wpa_supplicant 'The core'
This is NOT a usual step: if you omit something here you won't be able
to attach your device to any access point.

Please use the 0.4.8 version or newer and NOT the 0.4.7, available at:
link: http://hostap.epitest.fi/wpa_supplicant

Again, i strongly recommend you to read its README before doing
wpa_supplicant may need the source of your drivers then edit the .config
as described in the README and set all constants according to your
also when ready install it by executing :

find ./ -name 'Makefile' -exec sed -i 's,/usr/local,/usr,g' {} \; &&
make &&
make install

4) This Hint
wpa_supplicant is designed to be a "daemon" program that runs in the
background and acts as the back-end component controlling the wireless
connection.
wpa_supplicant supports separate front-end programs and a text-based
front-end (wpa_cli) is included with wpa_supplicant.

4.1) The wpa-init file
The wpa-service will use the text-based front-end to control the
daemon. This requires the wpa_supplicant daemon to be running. Thus copy
the wpa-init file to the init script directory and make it executable:

cp wpa-init /etc/rc.d/init.d
chmod 755 -c /etc/rc.d/init.d/wpa-init

According to the last lfs-bootscript, link it to some run levels:

ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc3.d/S15wpa-init
ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc5.d/S15wpa-init
ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc0.d/K75wpa-init
ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc6.d/K65wpa-init

4.2) The wpa-service file

This step is similar to the autoipd-service:

Copy the wpa-service to the network service directory:

cp wpa-service /etc/sysconfig/network-devices/services

And make it executable:

chmod 755 -c /etc/sysconfig/network-devices/services/wpa-service

4.3) Configuring the wireless interface
4.3.a) The wireless network config file wpa-service-conf

According to your driver manual, you should have a specific device name
for your interface; it could be eth[X], wlan[X], ath[X], ... (where [X] is
a number).
Following the LFS Book, you need to create a directory in the network
where will be placed the wpa-service-conf, here is an example:
create the directory /etc/sysconfig/network-devices/ifconfig.wlan[X] :

install -d /etc/sysconfig/network-devices/ifconfig.wlan[X]

Copy the sample config file wpa-service-conf to the directory created above:

cp wpa-service-conf /etc/sysconfig/network-devices/ifconfig.wlan[X]

Edit this file to fit with your driver and IP service with the services
proposed in section 2)

4.3.b) The wpa_supplicant.conf (The network description) 

a) Limitations
The wpa_supplicant README and wiki explain the composition of this file.
wpa-service has some limitations due to string substitution. Indeed, a
password or protocol list can contain space characters, which may be altered
by the script if not correctly quoted and then mess up the wpa_cli front-end. I
yet found a script solution but if you take care to correctly quote
containing space characters you won't have any trouble.

b) Specific quoting
A string containing spaces MUST be quoted like this:
'"This is a string containing some space characters"'

c) File syntax
The file syntax is the wpa_supplicant.conf file syntax. It is specific to
the wpa_supplicant program and only depends on the programmer's choice, so
instead of explaining how this file is read, I will show you a set of
commands to create a config file with wpa_supplicant.

In a bash shell execute:

wpa_passphrase <ssid> [passphrase] > wpa_supplicant.conf

Where <ssid> is the name of the access point and where [passphrase] is
your ...

Now edit the newly created wpa_supplicant.conf file,
which should contain something similar to:



Please quote correctly the strings containing the space characters

you will directly see that you can define more than one network in this
that's why wpa_supplicant is very nice: it chooses automatically in its
configuration file the best (aka secure and available) network to

But at this time your network needs to be tuned:

open a new console and launch in the foreground wpa_supplicant in debug

wpa_supplicant -g/var/run/wpa_supplicant-global \
               -P/var/run/wpa_supplicant.pid -ddd

This will make wpa_supplicant output everything to us.

Now start the wpa_cli :

wpa_cli -g/var/run/wpa_supplicant-global interface_add wlan[X]
"" [driver] \

Where wlan[X] is the device name of your network interface and [driver] is
the name of your driver

wpa_cli -g/var/run/wpa_supplicant-global interface_add ath0 "" madwifi \
wpa_cli -g/var/run/wpa_supplicant-global interface_add eth1 "" wext \

If it fails, please have a look at the output of the wpa_supplicant

wpa_cli -iwlan[X] -p/var/run/wpa_supplicant

Then in wpa_cli type :


and after some seconds type


This will output a list of available networks.

As an example:

root at bliscat:/home/eloi# wpa_cli -iath0 -p/var/run/wpa_supplicant
wpa_cli v0.4.8
Copyright (c) 2004-2005, Jouni Malinen <jkmaline at cc.hut.fi> and

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.

Alternatively, this software may be distributed under the terms of the
BSD license. See README and COPYING for more details.

Selected interface 'ath0'

Interactive mode

> scan
> scan_result
bssid / frequency / signal level / flags / ssid
00:0f:b5:ee:af:8f       2437    212     [WPA2-PSK-CCMP-preauth] MY_net
00:10:c6:eb:95:11       2457    205     [WEP]   Wanadoo_5441

You can see that my network 'MY_net' uses WPA2-PSK-CCMP, which is WPA-PSK
with CCMP as group and pairwise.

type exit to quit wpa_cli
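
As an added example (not part of the original hint or its scripts), the
following shell functions read scan output in the tab-separated form shown
above and rate each network by the cipher its flags advertise. The function
names, the rating labels and the third sample network are assumptions made
for illustration.

```shell
#!/bin/sh
# Added example: rate every network in wpa_cli scan output by the strongest
# cipher its flags advertise. Fields are tab-separated:
#   bssid  frequency  signal level  flags  ssid
scan_rating() {
    awk -F '\t' '
        # Skip the header and any line that does not start with a BSSID.
        $1 !~ /^([0-9A-Fa-f][0-9A-Fa-f]:)+[0-9A-Fa-f][0-9A-Fa-f]$/ { next }
        {
            flags = $4
            if      (flags ~ /CCMP/) rating = "ccmp"       # AES based, as MY_net
            else if (flags ~ /WPA/)  rating = "tkip-only"  # WPA/WPA2 without CCMP
            else if (flags ~ /WEP/)  rating = "wep"
            else                     rating = "open"       # nothing advertised
            printf "%s\t%s\n", rating, $5
        }'
}

# Succeeds only if the SSID in $1 was seen and every access point announcing
# it offers CCMP, so a WEP or open network reusing that name makes it fail.
ssid_is_ccmp() {
    scan_rating | awk -F '\t' -v want="$1" '
        ($2 "") == (want "") { seen = 1; if ($1 != "ccmp") bad = 1 }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed sample: the two networks from the session above plus an open one.
sample_scan() {
    printf 'bssid / frequency / signal level / flags / ssid\n'
    printf '00:0f:b5:ee:af:8f\t2437\t212\t[WPA2-PSK-CCMP-preauth]\tMY_net\n'
    printf '00:10:c6:eb:95:11\t2457\t205\t[WEP]\tWanadoo_5441\n'
    printf '02:00:00:00:00:01\t2412\t190\t\tCafe Guest\n'
}

sample_scan | scan_rating
```

Running ssid_is_ccmp against a fresh scan before adding a network block to
wpa_supplicant.conf confirms that the access point really offers CCMP.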

With this output we can now feed the wpa_supplicant.conf file:

        ssid='essid' # please quote '""' when you have a space character


Note if you wish you can only use the human readable pass-phrase, then
it and comment the hexadecimal pass-phrase

Now kill the last instance of the wpa_supplicant:

killall wpa_supplicant

And test your new configuration file:

wpa_supplicant -Dmadwifi -iath0 -c./wpa_supplicant.conf -dd

If you see something like SUCCESS it's done, kill it again and copy the
file to a secure directory:

install -d /etc/sysconfig/wpa_supplicant
chmod 700 -c /etc/sysconfig/wpa_supplicant
cp wpa_supplicant.conf /etc/sysconfig/wpa_supplicant/wpa_supplicant.conf
chmod 600 -c /etc/sysconfig/wpa_supplicant/wpa_supplicant.conf
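
As an added example (not one of the hint's four files), this function checks
that the installed file and its directory are closed to group and others, as
the chmod commands above intend, and reports whether the readable pass-phrase
is still in the file. The function name and the sample configuration are
constructed for illustration; the '#psk=' comment is the form wpa_passphrase
writes next to the hexadecimal key.

```shell
#!/bin/sh
# Added example: audit a wpa_supplicant.conf installed as described above.
# Prints one line per finding and returns 0 only when there is none.
audit_wpa_conf() {
    conf=$1
    dir=$(dirname "$conf")
    findings=0

    # "ls -ld" prints e.g. "-rw-------"; characters 5-10 are the group and
    # other permission bits, which must all be "-" for modes 600 and 700.
    for path in "$conf" "$dir"; do
        if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "perm: $path is accessible to group or others"
            findings=$((findings + 1))
        fi
    done

    # wpa_passphrase keeps the readable pass-phrase as a '#psk="..."' comment
    # beside the hexadecimal psk; report it whether commented out or active.
    if grep -q -E '^[[:space:]]*#?[[:space:]]*psk="' "$conf"; then
        echo "secret: $conf contains a readable pass-phrase"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: a config in the form wpa_passphrase writes, installed
# with permissions that are too open (the key is 64 zeros, not a real one).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/wpa_supplicant.conf"
printf 'network={\n\tssid="MY_net"\n\t#psk="constructed pass phrase"\n\tpsk=%064d\n}\n' 0 > "$demo_conf"
chmod 755 "$demo_dir"
chmod 644 "$demo_conf"
audit_wpa_conf "$demo_conf" || echo "fix the findings above before starting wpa-init"
rm -rf "$demo_dir"
```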

5) The firewall
You should understand that connecting to a network is never secure
(even with a WPA encrypted network), especially without a firewall. Having
a firewall will always be a good thing; I strongly recommend the use of
You will find lots of help on its website.

6) The End

/etc/rc.d/init.d/wpa-init restart
/etc/rc.d/init.d/network restart

If there are no errors and your system is connected, then you can safely
reboot your computer to see it setting up your wireless card at boot time.

 The wireless hint
 The Wireless HOWTO
 wpa_supplicant README
 The madwifi wiki
 The LFS/BLFS Books

2006 03 10 Second release, first send to lfshint
2006 03 16 added some words to help wpa-supplicant.conf writing
2006 03 18 fix wrong paths
2006 03 31 Rewritten to try to match the LFS standard, thanks to
archaic's help

-------------- next part --------------
A non-text attachment was scrubbed...
Name: autoipd-service
Type: application/x-shellscript
Size: 1648 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hints/attachments/20060331/e13d3e09/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wpa-init
Type: application/x-shellscript
Size: 1838 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hints/attachments/20060331/e13d3e09/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: wpa-service
Type: application/x-shellscript
Size: 3657 bytes
Desc: not available
URL: <http://lists.linuxfromscratch.org/pipermail/hints/attachments/20060331/e13d3e09/attachment-0002.bin>
-------------- next part --------------

 # the ip settings (note: only the debug version will print something)
        IP_SERVICE_NAME="dhcpcd" # , autoipd-service or ipv4-static ... 
                                 #copy their conf here
 # This is the dhcpcd configuration taken from the BLFS Book
        DHCP_START="-d "
        DHCP_STOP="-k "
 # Set PRINTIP="yes" to have the script print
 # the DHCP assigned IP address
 # Set PRINTALL="yes" to print the DHCP assigned values for
 # IP, SM, DG, and 1st NS. This requires PRINTIP="yes".
 # This is the autoipd-service sample configuration
 #AUTOIPD_START="-d -s -m 10:0E:B5:8E:79:48 "
 # -s : to start at this ip
 # -m : to set this mac address

 # The wpa settings

 #the name of the wpa_supplicant client if it changes
 # here is the directory where wpa_supplicant.conf should be
 # here is the name of your wpa_supplicant.conf file

# Here you have to define which wpa driver wpa_supplicant will use for
# this interface

# To avoid boot freezing on this service (truly true with the debug
# one cycle each 5 seconds
