Brief WPA Introduction

• Wi-Fi Protected Access (WPA) is a family of encryption methods used when connecting to a wireless access point. It is based on the technology that is used in Wired Equivalent Privacy (WEP) but provides stronger security. For more information on the subject you can see the [http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access WPA] entry on Wikipedia.

These instructions are targeted toward Ubuntu 5.10 (breezy). For Ubuntu 6.06 (dapper) see http://wiki.debian.org/WPA, section debian etch (testing/unstable).

For Ubuntu 6.06 this is a lot easier: If you do not see a network icon near your power information in gnome, you'll need to install network-manager-gnome. After installing the package logout and log back in (or re-start) and network manager should appear. Right click the network manager icon to enable network if necessary. Next, left click on the network manager icon and choose "Connect to other wireless network". Then, enter "YOUR-SSID" for the network name and choose your type "WPA ENTERPRISE" or "WPA PERSONAL" etc, etc ... for wireless security. Enter the password in the password text entry box. Click connect to attempt a connection.

The WPA supplicant

Before proceeding any further, it might be worthwhile to check wether your Wi-Fi Card is supported. [http://hostap.epitest.fi/wpa_supplicant/ wpa_supplicant website] This will save you lots of time and frustration - 20060303 casualprogrammer

• The WPA functionality is provided by wpasupplicant. This package can be found in universe (see UniversePackages). You can install it with apt-get, aptitude, Synaptic, or Adept.

    sudo apt-get install wpasupplicant

  You will then have to edit the /etc/wpa_supplicant.conf and /etc/default/wpasupplicant configuration files.

  Edit /etc/wpa_supplicant.conf to include your network. The info to include can be generated with wpa_passphrase (although this is optional, it saves the supplicant having to generate the preshared key (PSK) each time it is started):

attachment:IconsPage/IconExample48.png

•   dennis@mirage:~$ wpa_passphrase NetworkEssid TextPassphrase
    network={
          ssid="NetworkEssid"
          #psk="TextPassphrase"
          psk=945609a382413e64d57daef00eb5fab3ae228716e1e440981c004bc61dccc98c
    }

It's better to type: wpa_passphrase NetworkEssid, which will prompt you for a passphrase. This avoids entering your wireless passphrase into your shell history file. - 20060523 Kirby7

• Then add the following to the end of /etc/wpa_supplicant.conf:

    network={
          ssid="NetworkEssid"
          scan_ssid=1 # only needed if your access point uses a hidden ssid
          proto=WPA
          key_mgmt=WPA-PSK
          psk=945609a382413e64d57daef00eb5fab3ae228716e1e440981c004bc61dccc98c
    }

Also, you may not need to specify the proto and key_mgmt directives, as wpa_supplicant defaults to autodetecting the right protocol. - 20060107 DaniloPiazzalunga

Testing

• Next we test the WPA supplicant. To do this you first determine which driver you have. The supported drivers* are visible by running 'wpa_supplicant -h'. In this example I assume the madwifi driver.

* prism54 is currently not supported - 20060107 NaamanCampbell

You also need to know the name of your card's interface. In this example I assume ath0.

• Now simply start wpa_supplicant for testing:

    sudo wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w

attachment:IconsPage/IconExample48.png

• You should see something like the following, but more verbose (if you get a different result, append -dd to the above command line and ask someone on #ubuntu for help):

    Trying to associate with 00:ff:00:1e:a7:7d (SSID='NetworkEssid' freq=0 MHz)
    Associated with 00:ff:00:1e:a7:7d
    WPA: Key negotiation completed with 00:ff:00:1e:a7:7d [PTK=TKIP GTK=TKIP]

  Now interrupt wpa_supplicant with <ctrl> C

Final installation

attachment:IconsPage/IconExample48.png

• Once wpa_supplicant works, you should edit /etc/network/interfaces to include wpa_supplicant. If prior to all of this, your /etc/network/interfaces looks like:

    auto ath0
    iface ath0 inet dhcp

  Simply change it to look like:

    auto ath0
    iface ath0 inet dhcp
    pre-up /etc/init.d/wpasupplicant start
    pre-up sleep 5

This looks like an optional step, too. As of 0.4.7-0ubuntu3, the /etc/network/if-pre-up.d/wpasupplicant script will take care of this step automatically. - 20060107 DaniloPiazzalunga

It is indeed optional and only relevant for Breezy systems. I made the change in Dapper's package. - 20060110 [DanielTChen]

• Finally, edit /etc/default/wpasupplicant to enable wpa_supplicant and provide its command line options. For our example setup, this would be:

    # Useful flags:
    #  -D <driver>          Wireless drive, typically optional.
    #  -i <ifname>          Interface
    #  -c <config file>     Configuration file
    #  -d                   Debugging (-dd for more)
    #  -w                   Wait for interface to come up
  
    # See the manual page wpa_supplicant(1) for more options and information.
  
    ENABLED=1
    OPTIONS="-iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w"

Note that in Dapper, because of a newer kernel (2.6.15) and a newer wpasupplicant package (0.4.7), your wireless driver may already support the kernel's wireless extensions interface. Please consult the README.Debian. - 20060110 [DanielTChen]

I placed the "ENABLED=1" setting directly above the "OPTIONS" setting; it was easy to miss that setting when it was above the comment section in the file. - 20060129 [Scott]

If you have an ipw2200 wirless card and a kernel 2.6.16 or newer, you maybe have to use "wext" driver instead of "ipw"

Integration with DHCP

Note that the instructions below are deprecated. The changes that I made in Dapper's wpasupplicant package already take care of this case. [DanielTChen]

• If you want your wireless card to aquire a new IP address using DHCP when wpa_supplicant associates with an access point, use the wpa_cli utility as documented in the wpa_supplicant [http://hostap.epitest.fi/cgi-bin/viewcvs.cgi/*checkout*/hostap/wpa_supplicant/README?rev=HEAD&content-type=text/plain README]:

    wpa_cli can used to run external programs whenever wpa_supplicant
    connects or disconnects from a network. This can be used, e.g., to
    update network configuration and/or trigget DHCP client to update IP
    addresses, etc.

  The wpa_cli utility can automatically execute a script whenever wpa_supplicant connects or disconnects from an access point. For this, use the -a switch like so:

    wpa_cli -a<my-script>

  The script will be invoked like this:

    my-script $IF $CONN

  Where $IF is the interface (eth0, ath0, etc), and $CONN is the event - either "CONNECTED" or "DISCONNECTED".

attachment:IconsPage/IconExample48.png

• The simplest thing to do is write a script that invokes ifup or ifdown. I've put it in /sbin/wpa_action:

    #! /bin/bash 
  
    IFNAME=$1
    CMD=$2
  
    if [ "$CMD" == "CONNECTED" ]; then
      SSID=`wpa_cli -i$IFNAME status | grep ^ssid= | cut -f2- -d=`
      logger "WiFi: Connecting `$IFNAME' to network `$SSID'"
      ifup $IFNAME
    elif [ "$CMD" == "DISCONNECTED" ]; then
      logger "WiFi: Disconnecting `$IFNAME'"
      ifdown $IFNAME
    fi

  Then, edit /etc/init.d/wpasupplicant to run wpa_cli appropriately. Look for these lines:

    case "$1" in
          start)
                  echo -n "Starting wpa_supplicant: "
                  start-stop-daemon --start --name $PNAME 
                          --oknodo --startas $DAEMON -- -B $OPTIONS
                  echo "done."
                  ;;
          stop)

  Insert a sleep and wpa_cli call below the start-stop-daemon call:

     case "$1" in
          start)
                  echo -n "Starting wpa_supplicant: "
                  start-stop-daemon --start --name $PNAME 
                          --oknodo --startas $DAEMON -- -B $OPTIONS
                  sleep 1
                  wpa_cli -a/sbin/wpa_action -B
                  echo "done."
                  ;;
          stop)

  If you are using DHCP exclusively to configure your wireless interface, then make sure you have this line for your wireless interface in /etc/network/interfaces:

    iface eth0 inet dhcp

  Where "eth0" is your wireless interface. And you'll want to make sure that your computer doesn't try to automatically start the interface up without an associated AP, so remove your wireless interface from the 'auto' line in /etc/network/interfaces:

    auto lo eth0 eth1

  So it becomes

    auto lo eth1

  Listing only those interfaces that you want to configure on startup. (Obviously, your 'auto' line will look different, depending on what network interfaces you have on your system.) Now, whenever you associate with a new wireless access point, your wireless interface will have an IP automatically configured and you'll be fully connected to the network. (YAY!)

Troubleshooting

Connects, Disconnects, ...

• This can be caused by Network Manager. Apparently when Network Manager scans for APs, wpa_supplicant will disconnect. Disabling Network Manager allows WPA to work, but you loose the NM function of automatic connections.

Links and Resources

[http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access WPA] [http://hostap.epitest.fi/wpa_supplicant/ wpa_supplicant website]

CategoryCleanup CategoryDocumentation