Wireless Network
Configuring Wireless Networking on Linux
Note: Please ensure that you are using the wireless drivers and firmware available for your hardware. If you are unsure whether you are using the latest drivers, please visit your distribution's or manufacturer's website.
Introduction
There are two separate sets of instructions below. Those users who understand how to configure wireless network interfaces and WPA security under Linux can consult the manual configuration instructions section below. Those who would prefer to have as much of the work as possible done for them should consult the semi-automatic installer section.
Semi-automatic installation
What this software is for
This software automates most of the work which is needed to configure a Linux PC to connect to Lboro - the Loughborough University Wireless Network. In order to do this it needs to carry out a number of steps which are detailed below.
The installer first searches for the wpa_supplicant, wpa_cli and dhclient binaries on your system and prompts you to enter their location if it cannot find them. It then prompts you for a few configuration details, builds a customised configuration file and creates an initialisation script to bring the wireless interface up and configure it appropriately.
Requirements
These instructions have been written with Redhat Fedora Core in mind and tested mainly on PCs running Fedora Core. As long as your chosen distribution has the necessary programs available then this installation script should still work though. The requirements of this installation script are:
- A wireless card (PCMCIA, PCI, mini-PCI, USB etc.) that is capable of performing WPA Enterprise encryption and which is installed and working under your installation of Linux.
- wpa_supplicant and wpa_cli must be installed, working with your chosen wireless hardware and in root's path.
- dhclient must be in root's path.
- You will need to know what the interface name of your wireless card is (e.g. eth1, ath0, wifi0 etc) and which driver wpa_supplicant must use to control it (e.g. ipw, wext etc) - consult the documentation supplied with wpa_supplicant for further details regarding this.
- Access to the root account on the PC.
Installation instructions
Note: The installation script must be run as the root user, and it checks this before doing anything else. If you are using su to get root privileges, please ensure you get a login shell by using the -l option (and so reset your PATH environment variable accordingly).
Download the Lboro custom Linux installation script from www.lboro.ac.uk/it/wireless/files/linux-install.sh, and make it executable (e.g. by typing chmod a+x linux-install.sh).
The installation script must be run from a terminal (e.g. a virtual terminal or xterm from within X) rather than being double clicked upon.
The installation script takes one optional argument, which is the install prefix for the files it creates. By default the installation script will use / as the install prefix and install the configuration files in /etc/wpa_supplicant/lboro/ and the initialisation script in /sbin/. If you wished to install everything under /usr/local (a common install prefix for custom software) you would type:
# ./linux-install.sh /usr/local
Many users may wish to run the installation script with /tmp/ as the install prefix so they can check what will be done before going on to install the software under a more sensible location afterwards.
The installation script runs through a number of different tasks, most of which should be invisible to most users.
- First of all it checks whether it is running as the root user and will not continue if it detects that it is not. If you used su to get root privileges, please ensure that you used the -l option to get a login shell (and so reset your PATH environment variable accordingly).
- Next it will look for the wpa_supplicant, wpa_cli and dhclient binaries on your system (note that it only checks in the current PATH locations, so please ensure that they are in one of the appropriate folders). If it cannot find them then it will prompt you to enter their location. It will verify the locations you give it and exit if they are incorrect.
- Now it will prompt you for your wireless network's interface name. This is usually something like eth1, ath0 or wifi0. If you are unsure then the output of /sbin/ifconfig -a may assist you in finding the interface name. If this setting is incorrect then the wireless network connection will not work correctly.
- Now you will be asked to supply the name of the driver which wpa_supplicant should use to configure your wireless network interface. Examples of common drivers are wext, ipw and madwifi. If this setting is incorrect then the wireless network connection will not work correctly.
- At this stage the installer is ready to build your custom configuration. It will show you all the details it has detected or you have supplied and ask you to confirm that they are correct, e.g.
  Prefix for installation: /usr/local
  WPA Supplicant path : /usr/sbin/wpa_supplicant
  WPA CLI path : /usr/sbin/wpa_cli
  dhclient path : /sbin/dhclient
  Wireless interface : eth1
  WPA Supplicant driver : wext
  Are these details correct? (Y/N):
  If the details are correct then press Y<enter> to continue.
- The installation script will now build a custom configuration file for wpa_supplicant, extract the Loughborough Certificate Authority (used to confirm the identity of the server when connecting to the wireless network) and then build a custom initialisation script before telling you how to go about executing this script, e.g.
  To initiate the wireless link type
  /usr/local/sbin/wifi-lboro.sh
  at a terminal command prompt and enter your Lboro AD username and password when requested
At this stage the settings should have been installed and you can now execute the initialisation script (/usr/local/sbin/wifi-lboro.sh in the example above). This script will need to be executed as a user with the necessary permissions to configure the network card; this is normally the root user.
How to log into the Lboro wireless network
To log into the Lboro wireless network you need to execute the initialisation script which the installer created (by default this is called /usr/local/sbin/wifi-lboro.sh as shown in the example above). When you execute this script you will be prompted for your Active Directory Username and Password (please note that your password is hidden when you type it in for security reasons). Once you have entered these two pieces of information the initialisation script will then start to connect to the wireless network, authenticate you and then use DHCP to get an IP address. An example connection session is given below:
[root@example ~]# /usr/local/sbin/wifi-lboro.sh
Enter your Lboro AD username: ccwl
Enter your Lboro AD password:
Please wait while the connection is established...
Using interface eth1 with IP address 131.231.180.234
Lboro wireless network should now be enabled
[root@example ~]#
What to do if you have problems with the semi-automatic method
Note that when you execute the initialisation script, it can take up to a minute or so for the connection to establish fully.
If after that period you do not get output similar to that above, or find that your wireless network connection is not working after the initialisation script exits, then you can add either -d or -v as a parameter to the initialisation script and it will be a lot more verbose while it is executing its tasks. If you are still unable to find the problem, or believe that there is a problem with the initialisation script, please send the output of the initialisation script to IT.Services@lboro.ac.uk with the words "Lboro Linux Wireless Installer" in the subject line to ensure that it gets passed on to the correct people. An example of the sort of output you should get when running in verbose mode is given below:
[root@example ~]# /usr/local/sbin/wifi-lboro.sh -v
Debugging output enabled
Enter your Lboro AD username: ccwl
Enter your Lboro AD password:
Killing any occurrences of wpa_supplicant or dhclient
Sleeping for two seconds
Starting wpa_supplicant
Initializing interface 'eth1' conf '/usr/local/etc/wpa_supplicant/lboro/wpa_supplicant.lboro.conf' driver 'wext' ctrl_interface 'N/A'
Configuration file '/usr/local/etc/wpa_supplicant/lboro/wpa_supplicant.lboro.conf' -> '/usr/local/etc/wpa_supplicant/lboro/wpa_supplicant.lboro.conf'
Reading configuration file '/usr/local/etc/wpa_supplicant/lboro/wpa_supplicant.lboro.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
Priority group 0
id=0 ssid='lboro'
Initializing interface (2) 'eth1'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
SIOCGIWRANGE: WE(compiled)=20 WE(source)=18 enc_capa=0xf
capabilities: key_mgmt 0xf enc 0xf
Own MAC address: 00:15:00:33:73:33
wpa_driver_wext_set_wpa
wpa_driver_wext_set_key: alg=0 key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_key: alg=0 key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_wext_set_countermeasures
wpa_driver_wext_set_drop_unencrypted
Setting scan request: 0 sec 100000 usec
Added interface eth1
Daemonize..
Sending your username to wpa_supplicant
Selected interface 'eth1'
OK
Sending your password to wpa_supplicant
Selected interface 'eth1'
OK
Enabling the connection in wpa_supplicant
Selected interface 'eth1'
OK
Getting an IP address
Internet Systems Consortium DHCP Client V3.0.3-RedHat
Copyright 2004-2005 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/products/DHCP
Listening on LPF/eth1/00:15:00:33:73:33
Sending on LPF/eth1/00:15:00:33:73:33
Sending on Socket/fallback
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPREQUEST on eth1 to 255.255.255.255 port 67
DHCPACK from 1.1.1.1
bound to 131.231.180.234 -- renewal in 33374 seconds.
Lboro wireless network should now be enabled
Using interface eth1 with IP address 131.231.180.234
[root@example ~]#
Manual configuration
Requirements
Although these instructions should be applicable to almost any Linux based system, there are still a few universal requirements:
- A wireless card (PCMCIA, PCI, mini-PCI, USB etc.) that is capable of performing WPA Enterprise encryption and which is installed and working under your installation of Linux.
- A WPA supplicant (e.g. wpa_supplicant) capable of working with your chosen wireless hardware.
- A user account with the necessary permissions to configure the wireless network interface.
Configuration details
Two files are required to manually configure your PC to connect to the Lboro wireless network: a wpa_supplicant configuration file and the Loughborough Certificate Authority file.
Download the Loughborough University Certificate Authority from www.lboro.ac.uk/it/wireless/files/lboro-ca.crt.
Example wpa_supplicant.conf file - Download the example wpa_supplicant.conf file from www.lboro.ac.uk/it/wireless/files/example-wpa_supplicant.conf.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
network={
    ssid="lboro"
    key_mgmt=WPA-EAP
    # Uncomment the following line to FORCE WPA2 only otherwise it will
    # autonegotiate the protocol (and use WPA2 if possible otherwise WPA)
    # proto=WPA2
    eap=PEAP
    anonymous_identity="anonymous@lboro.ac.uk"
    # Disable the network for now...
    disabled=1
    ca_cert="/etc/wpa_supplicant/lboro-ca.crt"
    priority=0
    phase2="auth=MSCHAPV2"
}
The configuration above has been proven to work with the Lboro wireless network, although some experienced users may wish to alter the configuration above. The line starting ca_cert= will need adjusting to point to wherever you choose to download and store the Loughborough University Certificate Authority file.
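Because the ca_cert= line is what lets wpa_supplicant confirm the server's identity before your AD password is sent, it is worth checking the file before use. The following is an added example, not part of the Lboro installer; the function names (write_sample_conf, conf_value, audit_wpa_conf) are hypothetical and the sample CA file is an empty stand-in.

```sh
#!/bin/sh
# Added example: audit a wpa_supplicant configuration like the one above.

# write_sample_conf DIR: write the page's network block plus an empty
# stand-in CA file into DIR (constructed test input, not the real CA).
write_sample_conf() {
    : > "$1/lboro-ca.crt"
    cat > "$1/wpa_supplicant-lboro.conf" <<EOF
network={
    ssid="lboro"
    key_mgmt=WPA-EAP
    # proto=WPA2
    eap=PEAP
    anonymous_identity="anonymous@lboro.ac.uk"
    disabled=1
    ca_cert="$1/lboro-ca.crt"
    phase2="auth=MSCHAPV2"
}
EOF
}

# conf_value FILE KEY: print the first uncommented KEY=value setting, unquoted.
conf_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# audit_wpa_conf FILE: print findings; return 1 if the server certificate
# could not be checked against a CA file, 0 otherwise.
audit_wpa_conf() {
    conf=$1; rc=0
    ca=$(conf_value "$conf" ca_cert)
    if [ -z "$ca" ]; then
        echo "FAIL: no ca_cert set; the server certificate would not be verified"; rc=1
    elif [ ! -r "$ca" ]; then
        echo "FAIL: ca_cert file $ca is missing or unreadable"; rc=1
    else
        echo "OK: ca_cert=$ca"
    fi
    if [ -n "$(conf_value "$conf" password)" ]; then
        echo "WARN: password stored in $conf; restrict the file to root"
    fi
    if [ "$(conf_value "$conf" proto)" != "WPA2" ]; then
        echo "NOTE: proto not forced to WPA2; WPA may be negotiated"
    fi
    return "$rc"
}

if [ -n "${1:-}" ]; then audit_wpa_conf "$1"; fi
```

Run it with the path to your own configuration file as the only argument; a FAIL line means wpa_supplicant should not be started with that file yet.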
Assuming that you save the wpa_supplicant.conf file shown above to /etc/wpa_supplicant/wpa_supplicant-lboro.conf and download the Loughborough University Certificate Authority to /etc/wpa_supplicant/lboro-ca.crt then you can start wpa_supplicant with a command such as:
[root@example ~]# wpa_supplicant -B -c /etc/wpa_supplicant/wpa_supplicant-lboro.conf -i<interface name> -D<driver name>
Substitute the appropriate interface name (e.g. eth1) and wireless driver (e.g. wext - see the README file supplied with wpa_supplicant) where shown.
At this stage wpa_supplicant is running but now needs to know the authentication details to pass on to the RADIUS server. A tool called wpa_cli comes bundled with wpa_supplicant which allows the user to interact with a daemonised instance of wpa_supplicant using a control socket (see the line starting ctrl_interface= in the example configuration file above), although other utilities have been written to do the same task. One drawback of using wpa_cli though is that it means you will be leaving your AD username and password in a location where other users of your PC may be able to find them (although depending on the exact configuration of your PC, this may require root privileges). To use wpa_cli to pass your AD username and password to wpa_supplicant you can use commands along the lines of:
[root@example ~]# wpa_cli identity 0 <AD username>
[root@example ~]# wpa_cli password 0 <AD password>
After doing this you will then need to get wpa_supplicant to enable the network configuration (it was disabled at startup by the disabled=1 line in the configuration because no username or password had been supplied). Enabling the network is done with a command such as:
[root@example ~]# wpa_cli enable_network 0
At this stage wpa_supplicant will begin the authentication process and after a few seconds should have completed this and the interface will be ready to have an IP address added to it. As with most networks on campus, we use DHCP to allocate IP addresses, so all you should need to do is fire off your favourite DHCP client and it will get an IP address. If you need to check wpa_supplicant's progress at any stage you can use wpa_cli status, which produces output such as:
[root@example ~]# wpa_cli status
Selected interface 'eth1'
bssid=00:17:df:2d:69:90
ssid=lboro
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address=131.231.180.234
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=DHE-RSA-AES256-SHA
EAP-PEAPv0 Phase2 method=MSCHAPV2
[root@example ~]#
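The status fields above can be used to hold back the DHCP client until authentication has really finished. The following is an added example, not part of the Lboro installer; the function names are hypothetical, the sample is an excerpt of the output shown above, and the 60 second default follows the "up to a minute or so" quoted earlier on this page.

```sh
#!/bin/sh
# Added example: decide from `wpa_cli status` output whether to start DHCP.

# sample_status: excerpt of the status output shown on this page.
sample_status() {
    cat <<'EOF'
Selected interface 'eth1'
ssid=lboro
pairwise_cipher=CCMP
group_cipher=TKIP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
EOF
}

# status_field KEY: print KEY's value from status text on stdin. Keys can
# contain spaces ("EAP state"), so split on the first '=' only.
status_field() {
    awk -F= -v key="$1" '$1 == key { sub(/^[^=]*=/, ""); print; exit }'
}

# link_authenticated: status text on stdin; succeeds only when association,
# EAP and the 802.1X controlled port all report success.
link_authenticated() {
    status=$(cat)
    [ "$(printf '%s\n' "$status" | status_field wpa_state)" = "COMPLETED" ] &&
    [ "$(printf '%s\n' "$status" | status_field suppPortStatus)" = "Authorized" ] &&
    [ "$(printf '%s\n' "$status" | status_field 'EAP state')" = "SUCCESS" ]
}

# cipher_warnings: list any negotiated cipher that is not CCMP (e.g. TKIP).
cipher_warnings() {
    awk -F= '($1 == "pairwise_cipher" || $1 == "group_cipher") && $2 != "CCMP" \
        { print "WARN: " $0 " (not CCMP)" }'
}

# wait_for_auth IFACE [SECONDS]: poll wpa_cli once a second until the link
# is authenticated; fail after SECONDS attempts (default 60).
wait_for_auth() {
    iface=$1; tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        wpa_cli -i "$iface" status 2>/dev/null | link_authenticated && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}
```

A typical use is wait_for_auth eth1 && dhclient eth1, so that the DHCP client only runs once the port is authorized.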
Other than the special wpa_supplicant handling above, your wireless network interface should behave as any other network interface under Linux and so can be looked at and interacted with using normal Linux tools (e.g. to bring the interface down you can use ifdown <interface name>).
Problems, comments or feedback
If you have any comments, problems or feedback regarding this software package please send an e-mail to IT.Services@lboro.ac.uk with the words "Lboro Linux Wireless Installer" in the subject line to ensure that it gets passed on to the correct people.
