Using Uni-Münster Wireless LAN with WPA and wpa_supplicant
The first revision of this manual has been written by David Vernazobres (dv@uni-muenster.de)January Weiner (january@uni-muenster.de)
Institute for Evolution and Biodiversity.
Evolution of Biopolymers and Biochemical Pathways The access to the Uni wireless is done using the wpa_supplicant package. We have only figured out the manual configuration via configuration files, requiring root privileges. This has the advantage that you can configure that on the computers you are administering for all users without the need to involve the users directly. However, you will have to provide a mechanism for the users to actually use the configuration (sudo mechanism, or making sure that the automatic roaming works and is started at launch time). Possibly, a simpler solution exists using wpa_gui or the GNOME network management. We will update this document if such information becomes available. However, this solution means that every user of the laptop probably needs to set up her or his own configuration. Further: you need to be very patient. The authentication process can take sometimes as much as a couple of minutes! You can use the command
wpa_cli statusto monitor what is happening. Furthermore: sometimes, you do not get an IP via DHCP. You just do not get it, or there is some other problem, or otherwise. 1) Make sure that no dhclient process is running (pkill dhclient). 2) start dhclient manually: dhclient eth1
Contents
1. Prerequisites
1.1 Linux kernel version 2.6.14 or higher
You can find out your kernel version withuname -a
1.2 wpasupplicant version 0.6.0, preferably CVS|GIT.
This branch is still in development (see "Appendix") The wpasupplicant package from Debian / stable (etch), Ubuntu / dapper (Ubuntu version 6.06) or Ubuntu / edgy (Ubuntu version 6.10) does not work. The working Debian packages is now in unstable (19th April 2007). It will be available in Debian / testing (lenny) in the beginning of May 2007. Make sure that you have the right wpasupplicant package (check the version!):- on Debian systems:
apt-cache policy wpasupplicant apt-cache show wpasupplicant
- on RPM systems (RedHat, SuSE):
rpm -qi wpa_supplicant
2. WPA configuration for Uni-Muenster usage only
This configuration is simpler, but it makes wireless to work only for the Uni-Münster network. That is, in an alien environment (e.g. airport) you will not be able to use your wireless.2.1. wpa_supplicant configuration
You need to edit the file/etc/wpa_supplicant/wpa_supplicant.conf and enter the following:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
fast_reauth=1
network={
ssid="uni-ms"
key_mgmt=WPA-EAP
proto=WPA2
pairwise=CCMP
group=CCMP
eap=PEAP
identity="username"
password="password"
}
Replace "username" with your username and "password" with your net password ("Netzwerkzugangspasswort").
Note: only one wireless device will be able to access the wireless at a given time with the given username or password. That is, if you use it on two laptops, they will not be able to access network at the same time.
2.2 Configure the interfaces
The below works for Debian/Ubuntu. No idea what you have to do on SuSE / RedHat: Edit/etc/network/interfaces
Enter the following:
iface eth1 inet dhcp wpa-driver wext wpa-conf /etc/wpa_supplicant/wpa_supplicant.confNote: out-comment (precede with a '#' character) any other iface entries relating to eth1, assuming that eth1 is your wireless interface. Note: "wpa-driver wext" You will need to pick the right wpa-driver values. Available values are list in link link[1]. The wext driver is the default, and you should be able to use it with modern laptops with no problems. Users with the madwifi drivers (atheros chip) need to read carefully the madwifi section in link[1].
2.3. Starting / closing the wireless:
To start the wireless, enter as rootifup eth1To close the wireless, enter as root
ifdown eth1
3. WPA configuration for "roaming"
In this configuration, any network other than uni-ms will also be accessible. However, there are two issues:- the configuration is more troublesome
- the usage is more complicated
3.1. The wpa_supplicant configuration
You need to edit the file/etc/wpa_supplicant/wpa_supplicant.conf and enter the following:
# uni-ms WPA-CCMP/WPA2-TKIP using PEAP
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
fast_reauth=1
# association with open network
# wpa roaming daemon will call "ifup default"
network={
ssid=""
key_mgmt=NONE
}
# association with AES on uni-ms
# wpa roaming daemon will call "ifup aes_uni_ms"
network={
id_str="aes_uni_ms"
ssid="uni-ms"
key_mgmt=WPA-EAP
proto=WPA2
pairwise=CCMP
group=CCMP
eap=PEAP
identity="username"
password="password"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
# association with tkip on uni-ms
# wpa roaming daemon will call "ifup tkip_uni_ms"
network={
id_str="tkip_uni_ms"
ssid="uni-ms"
key_mgmt=WPA-EAP
proto=WPA
pairwise=TKIP
group=TKIP
eap=PEAP
identity="username"
password="password"
}
Replace "username" with your username and "password" with your net password ("Netzwerkzugangspasswort").
3.2 Configure the interfaces
Edit/etc/network/interfaces
Enter the following:
iface eth1 inet manual wireless-mode Managed wpa-driver wext wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf iface default inet dhcp iface tkip_uni_ms inet dhcp iface aes_uni_ms inet dhcpNote: out-comment (precede with a '#' character) any other iface entries relating to eth1, assuming again that eth1 is your wireless interface. Note: "wpa-driver wext" You will need to pick the right wpa-driver values. Available values are list in link[1]. The wext driver is the default, and you should be able to use it with modern laptops with no problems. Users with the madwifi drivers (atheros chip) need to read carefully the madwifi section in link[1].
3.3. Starting / closing the wireless:
To start the wireless, enter as rootifup eth1once started, the wireless daemon from wpasupplicant has taken over the ifup/ifdown interface. It will automatically call ifup/ifdown when a network is discovered. From now on, you should not use ifup/ifdown. Instead, you need to use wpa_action. For example, to stop the eth1, you need to issue (as root)
wpa_action eth1 stopNote: on Debian lenny, an ifdown eth1 is also working. But this functionality is provided by some Debian script. You can follow the wpa-authentication with the following command:
wpa_cli statusNote: To simplify the day to day work with the wireless, you can use the sudo command on ifup|ifdown, wpa_action, wpa_cli, wpa_gui. See the sudo manual.
3.5 Adding additional networks
The above configuration allows you to browse through three networks:- any network with no authentication (anything goes) ii. the uni-ms network with AES authentication, which is preferred over the TKIP authentication iii. the uni-ms network with TKIP authentication (in case there are problems with the AES authentication; the Uni provides both methods)
network={
ssid="myhome"
# this id_str will notify /sbin/wpa_action to 'ifup home_static'
id_str="home_static"
# psk is your private secure key
psk=123456789...
}
Then you need to modify /etc/network/interfaces. Add the logical interface "home_static" with the parameters of your network at home, for example:
# id_str="home_static"
iface home_static inet static
address 192.168.0.20
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
Now, when the roaming client detects the network with ssid "myhome", it automatically calls ifup on home_static.
4. Links
[1]: http://hostap.epitest.fi/wpa_supplicant/
[2]: http://manual.sidux.com/en/internet-connecting-wpa-en.htm
5. Notes
22.5.2007, b
we seem to have problems with the CCMP authentication. Apparently, although the connection seems to be established, no DHCP offers are being received at a later stage.22.5.2007
We seem to have troubles getting the wireless to always work. Currently, what works for me (January Weiner) is a completly manual configuration:- start the interface manually
ifconfig eth1 up
- launch the wpa_supplicant
wpa_supplicant -d wext -c /etc/wpa_supplicant/wpa_supplicant.conf -i eth1
- from another terminal, start DHCP
dhclient eth1
6. Das Zertifikat muss verifiziert werden
Sie sollten zudem das Root-Zertifikat angeben (ca_cert="......."), um den Ursprung des WLANs zu verifizieren. Um die CA-Zertifikats-Datei (= Root-Zertifikat der deutschen Telekom Root CA2) eintragen zu können, muss sie auf Ihrem Rechner vorliegen. Hinweise zum Download und zu Zertifikaten allgemein finden Sie hier Hinweise zur Verwendung von Zertifikaten an der WWU.7. Appendix
Instruction for all distribution based on Debian (Ubuntu, Knoppix, Kanotix,...)
If your WPA package is too old, you can just compile it from source, using the Debian package (available from http://packages.debian.org/ and search for wpasupplicant in all release.)
unpack the source and build the package.
apt-get install build-essential untar the archive, and cd to the directory. dpkg-buildpackage -rfakeroot -us -ucPackage for Ubuntu/dapper and Ubuntu/Edgy were build successfully.
If not source are available for your distribution, ...
... you will need to download the source available from the link[1]. You can either take a Snapshot releases archive or download it using, the CVS or the GIT versioning system.Most common problems
- Most of the problems with a not working wpa authentication appear when several wpa_supplicant daemons are running on the computer. You should have used the wpa_action to stop all the wpa_supplicant daemons. When all wpa_supplicant daemons are stopped, start again with an ifup eth1 cycle.
- In theory, you do not need to do it (apart with some buggy drivers). If you want to relaunch the wpa association, use the command wpa_cli reassociation
- For more information, see the manual pages for wpa_cli and wpa_action.
This topic: Anleitungen > Main > FunkLANHome > WirelessLANSetupDebian
Topic revision: r12 - 2013-05-24 - ArneScheffer
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding ZIVwiki? Send feedback
Datenschutzerklärung Impressum