Using Uni-Münster Wireless LAN with WPA and wpa_supplicant
The first revision of this manual has been written by
David Vernazobres (dv@uni-muenster.de)
January Weiner (january@uni-muenster.de)
Institute for Evolution and Biodiversity.
Evolution of Biopolymers and Biochemical Pathways
Access to the Uni wireless network is set up with the wpa_supplicant package. We have only figured out the manual configuration via configuration files, which requires root privileges. This has the advantage that you can configure the computers you are administering for all users without the need to involve the users directly. However, you will have to provide a mechanism for the users to actually use the configuration (the sudo mechanism, or making sure that the automatic roaming works and is started at launch time).
Possibly, a simpler solution exists using wpa_gui or the GNOME network management. We will update this document if such information becomes available. However, this solution means that every user of the laptop probably needs to set up her or his own configuration.
Further: you need to be very patient. The authentication process can sometimes take as much as a couple of minutes! You can use the command
wpa_cli status
to monitor what is happening.
Furthermore: sometimes you simply do not get an IP address via DHCP, or some other problem occurs. In that case:
1) Make sure that no dhclient process is running (pkill dhclient).
2) Start dhclient manually: dhclient eth1
1. Prerequisites
1.1 Linux kernel version 2.6.14 or higher
You can find out your kernel version with
uname -a
1.2 wpasupplicant version 0.6.0, preferably CVS|GIT.
This branch is still in development (see "Appendix")
The wpasupplicant package from Debian / stable (etch), Ubuntu / dapper (Ubuntu version 6.06) or Ubuntu / edgy (Ubuntu version 6.10) does not work.
The working Debian package is now in unstable (19th April 2007).
It will be available in Debian / testing (lenny) in the beginning of May 2007.
Make sure that you have the right wpasupplicant package (check the version!):
- on Debian / Ubuntu systems:
apt-cache policy wpasupplicant
apt-cache show wpasupplicant
- on RPM systems (RedHat, SuSE):
rpm -qi wpa_supplicant
2. WPA configuration for Uni-Muenster usage only
This configuration is simpler, but it makes the wireless work only for the Uni-Münster network. That is, in any other environment (e.g. an airport) you will not be able to use your wireless.
2.1. wpa_supplicant configuration
You need to edit the file
/etc/wpa_supplicant/wpa_supplicant.conf
and enter the following:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
fast_reauth=1
network={
ssid="uni-ms"
key_mgmt=WPA-EAP
proto=WPA2
pairwise=CCMP
group=CCMP
eap=PEAP
identity="username"
password="password"
}
Replace "username" with your username and "password" with your net password ("Netzwerkzugangspasswort").
Note: only one wireless device will be able to access the wireless at a given time with the given username or password. That is, if you use it on two laptops, they will not be able to access the network at the same time.
2.2 Configure the interfaces
The below works for Debian/Ubuntu. No idea what you have to do on SuSE / RedHat:
Edit
/etc/network/interfaces
Enter the following:
iface eth1 inet dhcp
wpa-driver wext
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
Note: comment out (precede with a '#' character) any other iface entries relating to eth1, assuming that eth1 is your wireless interface.
Note: "wpa-driver wext": you will need to pick the right wpa-driver value. Available values are listed in link[1]. The wext driver is the default, and you should be able to use it with modern laptops with no problems. Users with the madwifi drivers (Atheros chip) need to read the madwifi section in link[1] carefully.
2.3. Starting / closing the wireless:
To start the wireless, enter as root
ifup eth1
To close the wireless, enter as root
ifdown eth1
3. WPA configuration for "roaming"
In this configuration, any network other than uni-ms will also be accessible. However, there are two issues:
- the configuration is more troublesome
- the usage is more complicated
3.1. The wpa_supplicant configuration
You need to edit the file
/etc/wpa_supplicant/wpa_supplicant.conf
and enter the following:
# uni-ms WPA-CCMP/WPA2-TKIP using PEAP
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
fast_reauth=1
# association with open network
# wpa roaming daemon will call "ifup default"
network={
ssid=""
key_mgmt=NONE
}
# association with AES on uni-ms
# wpa roaming daemon will call "ifup aes_uni_ms"
network={
id_str="aes_uni_ms"
ssid="uni-ms"
key_mgmt=WPA-EAP
proto=WPA2
pairwise=CCMP
group=CCMP
eap=PEAP
identity="username"
password="password"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
# association with tkip on uni-ms
# wpa roaming daemon will call "ifup tkip_uni_ms"
network={
id_str="tkip_uni_ms"
ssid="uni-ms"
key_mgmt=WPA-EAP
proto=WPA
pairwise=TKIP
group=TKIP
eap=PEAP
identity="username"
password="password"
}
Replace "username" with your username and "password" with your net password ("Netzwerkzugangspasswort").
3.2 Configure the interfaces
Edit
/etc/network/interfaces
Enter the following:
iface eth1 inet manual
wireless-mode Managed
wpa-driver wext
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp
iface tkip_uni_ms inet dhcp
iface aes_uni_ms inet dhcp
Note: comment out (precede with a '#' character) any other iface entries relating to eth1, assuming again that eth1 is your wireless interface.
Note: "wpa-driver wext": you will need to pick the right wpa-driver value. Available values are listed in link[1]. The wext driver is the default, and you should be able to use it with modern laptops with no problems. Users with the madwifi drivers (Atheros chip) need to read the madwifi section in link[1] carefully.
3.3. Starting / closing the wireless:
To start the wireless, enter as root
ifup eth1
Once started, the wireless daemon from wpasupplicant takes over the ifup/ifdown interface. It will automatically call ifup/ifdown when a network is discovered. From now on, you should not use ifup/ifdown. Instead, you need to use wpa_action. For example, to stop eth1, you need to issue (as root)
wpa_action eth1 stop
Note: on Debian lenny, ifdown eth1 also works. But this functionality is provided by a Debian script.
You can follow the wpa-authentication with the following command:
wpa_cli status
Note: To simplify the day to day work with the wireless, you can use the sudo command on ifup|ifdown, wpa_action, wpa_cli, wpa_gui. See the sudo manual.
3.5 Adding additional networks
The above configuration allows you to browse through three networks:
i. any network with no authentication (anything goes)
ii. the uni-ms network with AES authentication, which is preferred over the TKIP authentication
iii. the uni-ms network with TKIP authentication (in case there are problems with the AES authentication; the Uni provides both methods)
If you wish to add another configuration, for example a network at home with ssid "myhome" and a static network address, you need to first edit the file /etc/wpa_supplicant/wpa_supplicant.conf and add the following:
network={
ssid="myhome"
# this id_str will notify /sbin/wpa_action to 'ifup home_static'
id_str="home_static"
# psk is your pre-shared key
psk=123456789...
}
Then you need to modify /etc/network/interfaces. Add the logical interface "home_static" with the parameters of your network at home, for example:
# id_str="home_static"
iface home_static inet static
address 192.168.0.20
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Now, when the roaming client detects the network with ssid "myhome", it automatically calls ifup on home_static.
4. Links
[1]: http://hostap.epitest.fi/wpa_supplicant/
[2]: http://manual.sidux.com/en/internet-connecting-wpa-en.htm
5. Notes
22.5.2007, b
We seem to have problems with the CCMP authentication. Apparently, although the connection seems to be established, no DHCP offers are being received at a later stage.
22.5.2007
We seem to have troubles getting the wireless to always work. Currently, what works for me (January Weiner) is a completely manual configuration:
- start the interface manually
ifconfig eth1 up
- launch the wpa_supplicant
wpa_supplicant -D wext -c /etc/wpa_supplicant/wpa_supplicant.conf -i eth1
- from another terminal, start DHCP
dhclient eth1
6. The certificate must be verified
You should also specify the root certificate (ca_cert=".......") in order to verify the origin of the WLAN.
To be able to enter the CA certificate file (= root certificate of the Deutsche Telekom Root CA2), it must be present on your computer. Notes on downloading it and on certificates in general can be found here:
Notes on the use of certificates at the WWU.
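The configuration blocks in sections 2.1 and 3.1 carry no ca_cert line, so the check described in this section is worth automating. The following is an added example, not part of the original manual: a small Python audit that parses network={...} blocks and reports EAP networks without ca_cert, or with ca_cert but no server name option (with a public root CA, ca_cert alone accepts any server certificate issued under that CA). The certificate path and the server name in the sample are placeholders.

```python
import re

# Constructed sample, trimmed to the options that matter here. Block 0 follows
# section 2.1; the certificate path and server name in block 1 are placeholders.
SAMPLE_CONF = '''
network={
    ssid="uni-ms"
    key_mgmt=WPA-EAP
    eap=PEAP
}
network={
    ssid="uni-ms"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/path/to/root-ca.pem"
    altsubject_match="DNS:radius.example.org"
}
network={
    ssid=""
    key_mgmt=NONE
}
'''

# wpa_supplicant options that pin the name in the server certificate
NAME_CHECKS = ("subject_match", "altsubject_match", "domain_suffix_match", "domain_match")

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    nets = []
    for body in re.findall(r"^\s*network=\{(.*?)^\s*\}", text, re.S | re.M):
        lines = (ln.strip() for ln in body.splitlines())
        pairs = (ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(text):
    """Return (block index, ssid, finding) for EAP blocks lacking server checks."""
    findings = []
    for i, net in enumerate(parse_networks(text)):
        if "eap" not in net and "EAP" not in net.get("key_mgmt", ""):
            continue  # open and PSK networks present no server certificate
        if not net.get("ca_cert"):
            findings.append((i, net.get("ssid"), "no ca_cert: server certificate is not verified"))
        elif not any(net.get(k) for k in NAME_CHECKS):
            findings.append((i, net.get("ssid"), "ca_cert set, but no server name match"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```

To check a real file, pass its contents to audit(), for example audit(open("/etc/wpa_supplicant/wpa_supplicant.conf").read()) as root.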
7. Appendix
Instructions for all distributions based on Debian (Ubuntu, Knoppix, Kanotix, ...)
If your WPA package is too old, you can just compile it from source, using the Debian package (available from http://packages.debian.org/; search for wpasupplicant in all releases).
Unpack the source and build the package:
apt-get install build-essential
Untar the archive, and cd to the directory.
dpkg-buildpackage -rfakeroot -us -uc
Packages for Ubuntu/dapper and Ubuntu/edgy were built successfully.
If no source is available for your distribution, you will need to download the source available from link[1].
You can either take a snapshot release archive or download it using the CVS or the GIT versioning system.
Most common problems
- Most problems with WPA authentication not working appear when several wpa_supplicant daemons are running on the computer. You should use wpa_action to stop all the wpa_supplicant daemons. When all wpa_supplicant daemons are stopped, start again with an ifup eth1 cycle.
- In theory, you do not need to do this (except with some buggy drivers), but if you want to relaunch the WPA association, use the command wpa_cli reassociate
- For more information, see the manual pages for wpa_cli and wpa_action.