wpa-service

Eloi Primaux eloi at bliscat.org
Fri Mar 31 13:38:02 PST 2006


AUTHOR: Eloi Primaux eloi AT bliscat dot org

DATE: 2006-03-31

LICENSE: GNU Free Documentation License Version 2

SYNOPSIS: Setting up a wifi interface using wpa_supplicant and LFS IP services

DESCRIPTION:

ATTACHMENTS:

http://www.linuxfromscratch.org/hints/downloads/attachments/wpa-service/wpa-service
http://www.linuxfromscratch.org/hints/downloads/attachments/wpa-service/wpa-service-conf
http://www.linuxfromscratch.org/hints/downloads/attachments/wpa-service/wpa-init
http://www.linuxfromscratch.org/hints/downloads/attachments/wpa-service/autopid-service


PREREQUISITES:

1)   A working LFS-6.1 system or newer with wireless capabilities  
1.a) Linux kernel 2.6.14 or newer                           (0)
1.b) Wireless Cards Drivers
2)   An IP service
2.a) Static IP service                                      (1)
2.b) Dynamic IP service                                     (1)
2.c) Static IP discovering helper                           (2)
3)   Wireless Networks helper programs
3.a) Wireless tools                           
3.b) wpa_supplicant    
4)   This hint with its 4 files                   
5)   A working firewall
5.a) Basic firewalling capabilities                         (1)(2)
5.b) Shoreline firewall                                     (2)

(0) The Linux kernels shipped with LFS-6.1 and 6.1.1 are too old,
    please consider upgrading to 2.14 or 2.16 kernels.
    The Linux kernel maintainers have changed some references in
    the 2.6.16 .config file, thus firewalling capabilities will be
    disabled when using a .config from a 2.14 kernel or older.
(1) See BLFS book
(2) Not needed but recommended
 
HINT:

1) A working LFS-6.1 system or newer with wireless capabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1.a) The Wireless Capabilities of the Linux kernel
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Configuring the kernel:

Networking  ---> 
[*] Networking support
 <M>   Generic IEEE 802.11 Networking Stack
 <M>     IEEE 802.11 WEP encryption (802.1x)
 <M>     IEEE 802.11i CCMP support
 <M>     IEEE 802.11i TKIP encryption    
Device Drivers  --->
    Network device support  --->
        Wireless LAN (non-hamradio)  --->
        [*] Wireless LAN drivers (non-hamradio) & Wireless Extensions
   << and select your driver from the list if shipped with the Linux Kernel >>
Cryptographic options  --->
 <M>   AES cipher algorithms

Now compile and install your new kernel, enable it in your boot loader and
restart using it.

1.b) The Wireless Cards Drivers
If your driver wasn't shipped with the Linux Kernel then you need to install
a third party driver.

Be aware that most of those independent drivers are in the development stage
and probably won't be available as tarballs but only from a CVS or Subversion
repository. You will then need those tools to download them; both the cvs and
svn installations are explained in the BLFS book.

Please also consider reading the "Wireless LAN resources for Linux" HOWTO for
chipset driver names.

As an example, most Atheros cards are supported by the madwifi project:
link: http://madwifi.org/wiki
Without advertising for them, this wiki is full of information and links
referring to WPA encrypted networks.

2) The IP services
~~~~~~~~~~~~~~~~~~
You should know that network interfaces need IP addresses and that some
networks have DHCP servers while others don't. Without explaining the benefits
of having a DHCP server, I will just say that a DHCP server provides an IP
address to all attached network interfaces (it also provides the IP of the
gateway, the network mask and the IPs of the DNS servers).

Installation and configuration of the essential IP services are in the BLFS
Book.
You will see the benefit of the wpa-service once you understand that this
service only attaches your card to a wireless WPA network and, once that is
done, simply launches the desired IP service as if your system were setting up
usual network cards.

So you only have to know which IP service your network uses:
is it a STATIC or a DYNAMIC network?

2.a) Static IP service
~~~~~~~~~~~~~~~~~~~~~~
        IP service will be ipv4-static
This service is shipped with the LFS Book (6.1 and newer)

2.b) Dynamic IP service
~~~~~~~~~~~~~~~~~~~~~~~
        IP service will be dhcpcd
This service is described in the BLFS Book (6.1 and newer)

2.c) Static IP discovering helper (Zeroconf like)
Use it when you really don't know what to do
        IP service will be autoipd-service
This service is not yet shipped anywhere for LFS systems, so I made it.

2.c.1) The Howl installation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Refer to:
link: http://www.porchdogsoft.com/products/howl/InstallUnix.html
But set the prefix to /usr

Now copy the autoipd-service to the network service directory:

cp autoipd-service /etc/sysconfig/network-devices/services
And make it executable:

chmod 755 -c /etc/sysconfig/network-devices/services/autoipd-service

3) Wireless Networks helper programs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
3.a) Wireless tools
~~~~~~~~~~~~~~~~~~~
This helper is not needed by the wpa-service but can be really helpful.

Download the latest development version of this tool, named
'wireless_tools', and execute the following commands in its directory:

find ./ -name 'Makefile' -exec sed -i 's,/usr/local,/usr,g' {} \; &&
make &&
make install

3.b) wpa_supplicant 'The core'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is NOT a usual step: if you omit something here you won't be able to
attach your device to any access point.

Please use the 0.4.8 version or newer and NOT the 0.4.7, available at:
link: http://hostap.epitest.fi/wpa_supplicant

Again, I strongly recommend that you read its README before doing anything.
wpa_supplicant may need the source of your drivers, so edit the .config file
as described in the README and set all constants according to your system.
When ready, install it by executing:

find ./ -name 'Makefile' -exec sed -i 's,/usr/local,/usr,g' {} \; &&
make &&
make install

4) This Hint
~~~~~~~~~~~~
wpa_supplicant is designed to be a "daemon" program that runs in the
background and acts as the back-end component controlling the wireless
connection. wpa_supplicant supports separate front-end programs and a
text-based front-end (wpa_cli) is included with wpa_supplicant.

4.1) The wpa-init file
~~~~~~~~~~~~~~~~~~~~~~
The wpa-service will use the text-based front-end to control the
wpa_supplicant daemon. This requires the wpa_supplicant daemon to be running.
Thus copy the wpa-init file to the init script directory and make it
executable:

cp wpa-init /etc/rc.d/init.d
chmod 755 -c /etc/rc.d/init.d/wpa-init

According to the latest lfs-bootscripts, link it to some run levels:

ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc3.d/S15wpa-init
ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc5.d/S15wpa-init
ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc0.d/K75wpa-init
ln -sv /etc/rc.d/init.d/wpa-init /etc/rc.d/rc6.d/K65wpa-init

4.2) The wpa-service file
~~~~~~~~~~~~~~~~~~~~~~~~~

This step is similar to the autoipd-service:

Copy the wpa-service to the network service directory:

cp wpa-service /etc/sysconfig/network-devices/services

And make it executable:

chmod 755 -c /etc/sysconfig/network-devices/services/wpa-service


4.3) Configuring the wireless interface
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4.3.a) The wireless network config file wpa-service-conf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

According to your driver manual, you should have a specific device name for
your interface; it could be eth[X], wlan[X], ath[X], ... (where [X] is a number)

Following the LFS Book, you need to create a directory in the network
directory where the wpa-service-conf will be placed. Here is an example:
create the directory /etc/sysconfig/network-devices/ifconfig.wlan[X]:

install -d /etc/sysconfig/network-devices/ifconfig.wlan[X]

Copy the sample config file wpa-service-conf to the directory created above:

cp wpa-service-conf /etc/sysconfig/network-devices/ifconfig.wlan[X]

Edit this file to fit your driver and IP service, using the service names
proposed in section 2)

4.3.b) The wpa_supplicant.conf (The network description) 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a) Limitations
~~~~~~~~~~~~~~
The wpa_supplicant README and wiki explain the composition of this file. But
wpa-service has some limitations due to string substitution. Indeed, a
password or protocol list can contain space characters, which may be altered
by the service script if not correctly quoted and then mess up the wpa_cli
front-end. I haven't yet found a script solution, but if you take care to
correctly quote strings containing space characters you won't have any
trouble.

b) Specific quoting
~~~~~~~~~~~~~~~~~~~
A string containing space characters MUST be quoted like this:
'"This is a string containing some space characters"'
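
Why an unquoted value with spaces breaks the front-end call, shown as an added
example (this is not the hint's wpa-service script). fake_set_network is a
hypothetical stand-in for "wpa_cli set_network" that only reports how many
arguments it received; the network block is constructed sample data.

```sh
#!/bin/sh
# Constructed sample network block: the ssid contains space characters.
SAMPLE='network={
        ssid="My home net"
        key_mgmt=WPA-PSK
        proto=WPA2
}'

# Hypothetical stub replacing "wpa_cli set_network": prints its argument
# count so that word splitting becomes visible without a running daemon.
fake_set_network() { echo "$#"; }

# apply_block MODE CMD BLOCK
# Walk the key=value lines of a network block and call CMD once per line
# as: CMD <network id> <key> <value>.
#   MODE=unsafe  expands the value unquoted, so the shell splits it on spaces
#   MODE=safe    expands the value quoted, so it stays one argument
apply_block() {
    mode=$1 cmd=$2 block=$3
    # read (default IFS) also trims the leading indentation of each line
    printf '%s\n' "$block" | while read -r line; do
        case $line in
            ''|'#'*|'}'|network=*) continue ;;   # not a key=value setting
        esac
        key=${line%%=*}      # text before the first '='
        value=${line#*=}     # text after the first '=', quotes included
        if [ "$mode" = unsafe ]; then
            "$cmd" 0 "$key" $value     # deliberately unquoted: splits
        else
            "$cmd" 0 "$key" "$value"   # quoted: exactly three arguments
        fi
    done
}

# Stand-alone demonstration: argument counts per setting (ssid, key_mgmt, proto)
echo "unsafe: $(apply_block unsafe fake_set_network "$SAMPLE" | tr '\n' ' ')"
echo "safe:   $(apply_block safe   fake_set_network "$SAMPLE" | tr '\n' ' ')"
```

In the unsafe mode the ssid line reaches the command as five arguments instead
of three, which is the alteration the quoting rule above protects against.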

c) File syntax
~~~~~~~~~~~~~~
The file syntax is the wpa_supplicant.conf file syntax; it is specific to the
wpa_supplicant program and only depends on the programmer's choices. Thus,
instead of explaining how this file is read, I will show you a set of
commands to create a config file with wpa_supplicant.

In a bash shell execute:

wpa_passphrase <ssid> [passphrase] > wpa_supplicant.conf

Where <ssid> is the name of the access point and [passphrase] is your
pass-phrase.

Now edit the newly created wpa_supplicant.conf file, which should contain
something similar to:

network={
        ssid="ssid"
        #psk="passphrase"
        psk=2b1d17284c5410ee5eaae7151290e9744af2182b0eb8af20dd4ebb415928f726
}

Please quote correctly the strings containing space characters.

You will see directly that you can define more than one network in this file.
That's why wpa_supplicant is very nice: it automatically chooses from its
configuration file the best (i.e. secure and available) network to connect to.

But at this point your network needs to be tuned:

Open a new console and launch wpa_supplicant in the foreground in debug mode:

wpa_supplicant -g/var/run/wpa_supplicant-global \
               -P/var/run/wpa_supplicant.pid -ddd

This makes wpa_supplicant print everything it does.

Now start the wpa_cli :

wpa_cli -g/var/run/wpa_supplicant-global interface_add wlan[X] "" [driver] \
        /var/run/wpa_supplicant

Where wlan[X] is the device name of your network interface and [driver] is
the name of your driver.

examples:
wpa_cli -g/var/run/wpa_supplicant-global interface_add ath0 "" madwifi \
        /var/run/wpa_supplicant
wpa_cli -g/var/run/wpa_supplicant-global interface_add eth1 "" wext \
        /var/run/wpa_supplicant

If it fails, please have a look at the output of the wpa_supplicant daemon.

wpa_cli -iwlan[X] -p/var/run/wpa_supplicant

Then in wpa_cli type :

scan

and after some seconds type

scan_result

This will output a list of available networks.

As an example:


root@bliscat:/home/eloi# wpa_cli -iath0 -p/var/run/wpa_supplicant
wpa_cli v0.4.8
Copyright (c) 2004-2005, Jouni Malinen <jkmaline at cc.hut.fi> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.

Alternatively, this software may be distributed under the terms of the
BSD license. See README and COPYING for more details.


Selected interface 'ath0'

Interactive mode

> scan
OK
> scan_result
bssid / frequency / signal level / flags / ssid
00:0f:b5:ee:af:8f       2437    212     [WPA2-PSK-CCMP-preauth] MY_net
00:10:c6:eb:95:11       2457    205     [WEP]   Wanadoo_5441


You can see that my network 'MY_net' uses WPA2-PSK-CCMP, which is WPA-PSK
with CCMP as group and pairwise.

Type exit to quit wpa_cli.


With this output we can now feed the wpa_supplicant.conf file:

network={
        ssid="ssid"
        ssid='essid' # please quote '""' when you have a space character
        scan_ssid=1
        key_mgmt=WPA-PSK
        proto=WPA2
        pairwise=CCMP
        group=CCMP
        #psk='"passphrase"'
        psk=2b1d17284c5410ee5eaae7151290e9744af2182b0eb8af20dd4ebb415928f726
}


Note: if you wish, you can use only the human readable pass-phrase; to do so,
uncomment it and comment out the hexadecimal pass-phrase.

Now kill the last instance of the wpa_supplicant:

killall wpa_supplicant

And test your new configuration file:

wpa_supplicant -Dmadwifi -iath0 -c./wpa_supplicant.conf -dd

If you see something like SUCCESS, it's done. Kill it again and copy the
config file to a secure directory:

install -d /etc/sysconfig/wpa_supplicant
chmod 700 -c /etc/sysconfig/wpa_supplicant
cp wpa_supplicant.conf /etc/sysconfig/wpa_supplicant/wpa_supplicant.conf
chmod 600 -c /etc/sysconfig/wpa_supplicant/wpa_supplicant.conf
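
A check of the installed file against the steps above, as an added example
(not part of the hint's attachments). It assumes GNU stat from coreutils; the
function name audit_wpa_conf is hypothetical, and treating a leftover '#psk='
comment and a key_mgmt=NONE network as findings is a choice made for this
example.

```sh
#!/bin/sh
# audit_wpa_conf FILE
# Print one finding per line; return 0 when nothing was found, 1 otherwise.
audit_wpa_conf() {
    conf=$1
    rc=0
    dir=$(dirname "$conf")

    # The hint installs the directory with mode 700 and the file with
    # mode 600, because the file holds the pre-shared key.
    if [ "$(stat -c %a "$dir")" != 700 ]; then
        echo "directory mode is not 700: $dir"; rc=1
    fi
    if [ "$(stat -c %a "$conf")" != 600 ]; then
        echo "file mode is not 600: $conf"; rc=1
    fi

    # wpa_passphrase writes the clear-text pass-phrase as a '#psk=' comment
    # next to the hexadecimal psk; it is not needed once the hex psk works.
    if grep -Eq '^[[:space:]]*#[[:space:]]*psk=' "$conf"; then
        echo "clear-text pass-phrase comment (#psk=) present"; rc=1
    fi

    # key_mgmt=NONE describes an open or WEP network, which wpa_supplicant
    # may then select when it is the only one available.
    if grep -Eq '^[[:space:]]*key_mgmt=.*NONE' "$conf"; then
        echo "network with key_mgmt=NONE (open or WEP) present"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh audit.sh /etc/sysconfig/wpa_supplicant/wpa_supplicant.conf
if [ $# -gt 0 ]; then
    audit_wpa_conf "$1"
fi
```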

5) The firewall
~~~~~~~~~~~~~~~
You should understand that connecting to a network is never secure (even with
a WPA encrypted network), especially without a firewall. Having a firewall
will always be a good thing; I strongly recommend the use of Shorewall.
You will find lots of help on its website.


6) The End
~~~~~~~~~~
Execute:

/etc/rc.d/init.d/wpa-init restart
/etc/rc.d/init.d/network restart

If there are no errors and your system is connected, then you can safely
restart your computer to see it set up your wireless card at boot time.

ACKNOWLEDGMENTS:
 The wireless hint
 The Wireless HOWTO
 wpa_supplicant README
 The madwifi wiki
 The LFS/BLFS Books


CHANGELOG:
2006 03 10 Second release, first send to lfshint
2006 03 16 added some words to help wpa-supplicant.conf writing
2006 03 18 fix wrong paths
2006 03 31 Rewritten and try to match the LFS-standard thanks to archaic's help

-------------- next part --------------
ONBOOT="yes"
SERVICE="wpa-service"

 # the ip settings (note: only the debug version will print something)
        IP_SERVICE_NAME="dhcpcd" # , autoipd-service or ipv4-static ... 
                                 #copy their conf here
 # This is the dhcpcd configuration taken from the BLFS Book
        DHCP_START="-d "
        DHCP_STOP="-k "
 # Set PRINTIP="yes" to have the script print
 # the DHCP assigned IP address
        PRINTIP="no"
 # Set PRINTALL="yes" to print the DHCP assigned values for
 # IP, SM, DG, and 1st NS. This requires PRINTIP="yes".
        PRINTALL="no"
 # This is the autoipd-service sample configuration
 #AUTOIPD_START="-d -s 10.0.0.25 -m 10:0E:B5:8E:79:48 "
 # -s : to start at this ip
 # -m : to set this mac address

 # The wpa settings

 #the name of the wpa_supplicant client if it changes
        WPA_CLIENT_NAME="wpa_cli"
 # here is the directory where wpa_supplicant.conf should be
        WPA_CONFIG_DIR="/etc/sysconfig/wpa_supplicant"
 # here is the name of your wpa_supplicant.conf file
        WPA_CONFIG_FILE="wpa_supplicant.conf"

# Here you have to define which wpa driver wpa_supplicant will use for
# this interface
        WPA_DRIVER="madwifi"

# To avoid boot freezing on this service (truly true with the debug
# version)
# one cycle each 5 seconds
        WPA_MAXCYCLE=10

