Rev | Author | # | Line |
---|---|---|---|
3 | JohnMcPherson | 1 | Don't rely on [WEP] to secure your network. Even with 128-bit or 256-bit keys it is trivial to crack. |
13 | IanMcDonald | 2 | |
3 | If you want to ignore this because you are testing or don't care, you can pass the [WEP] key to the driver as follows: | ||
4 | <verbatim> | ||
5 | iwconfig eth2 enc yourhexkey | ||
6 | </verbatim> | ||
1 | MattPurvis | 7 | |
3 | JohnMcPherson | 8 | !!! VPN/tunnel |
9 | Use a secure tunnel/[VPN] from wireless clients over the wireless network onto your real network. | ||
1 | MattPurvis | 10 | |
3 | JohnMcPherson | 11 | Put your WLAN hosts behind a firewall to protect your wired LAN from wireless intruders. Install [pptpd(8)] on this firewall box and force wireless hosts to securely tunnel into your wired LAN. See the WirelessNetworkSecurityHowto. |
1 | MattPurvis | 12 | |
3 | JohnMcPherson | 13 | |
14 | !!! WPA | ||
6 | JohnMcPherson | 15 | To use the more secure [WPA] encryption rather than WEP, install the |
8 | IanMcDonald | 16 | [wpasupplicant|http://hostap.epitest.fi/wpa_supplicant/] package. This provides a program that encrypts data sent to your wireless card. Unfortunately it can be difficult to set up, partly because it uses a lot of acronyms that you need to understand, and partly because of incompatibilities between wireless equipment. There is a good mailing list accessible from the previous wpasupplicant link which is very helpful. |
3 | JohnMcPherson | 17 | |
18 | WPA-PSK means using a __P__re-__S__hared __K__ey, i.e. both the AccessPoint | ||
19 | and the client know a shared secret. | ||
20 | |||
21 | The main config file is /etc/wpa_supplicant.conf. | ||
22 | |||
23 | Here is an example config file. | ||
24 | <verbatim> | ||
25 | |||
26 | # my wireless card (Atheros-based) and AP (Asus 6030) don't get on very | ||
27 | # well if this is set to 2 | ||
28 | eapol_version=1 | ||
29 | |||
30 | # some default settings - see the example | ||
31 | # /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz (debian) file | ||
32 | ap_scan=1 | ||
33 | fast_reauth=1 | ||
34 | |||
35 | network={ | ||
36 | ssid="MY SSID" | ||
37 | |||
38 | # priority that wpasupplicant should try to connect to this | ||
39 | # network block (out of all blocks listed in this config file) | ||
40 | # 9 is highest, 0 is lowest | ||
41 | priority=9 | ||
42 | |||
43 | # my AP is set up to require WPA-PSK authentication | ||
44 | # defaults to WPA-PSK WPA-EAP | ||
45 | key_mgmt=WPA-PSK | ||
46 | |||
47 | # The password to use for WPA-PSK authentication. | ||
48 | # this has to match the password on the AP, obviously | ||
49 | psk="shared secret password" | ||
50 | |||
51 | # the order to try encryption algorithms in. | ||
52 | #pairwise=CCMP TKIP | ||
53 | |||
54 | # broadcast/multicast group ciphers for WPA | ||
55 | # default is CCMP(AES counter) TKIP WEP104 WEP | ||
56 | # but my card/AP combination doesn't seem to work if it tries CCMP | ||
57 | # so I'll override this setting | ||
58 | group=TKIP | ||
59 | } | ||
60 | </verbatim> | ||
61 | |||
62 | Now after your card is running (but not configured), you can set up your | ||
63 | connection/configuration to use WPA encryption by running | ||
7 | JohnMcPherson | 64 | <pre> |
3 | JohnMcPherson | 65 | wpa_supplicant -B -i''ath0'' -D''madwifi'' -c /etc/wpa_supplicant.conf |
7 | JohnMcPherson | 66 | </pre> |
3 | JohnMcPherson | 67 | replacing ''ath0'' with the correct interface (eth0, eth1, and so on) for |
68 | your machine, and ''madwifi'' with the correct driver for your wireless | ||
69 | card. -B means fork and go into the background. "__wpa_supplicant -h__" lists the following supported drivers: | ||
70 | * hostap | ||
71 | * prism54 | ||
72 | * madwifi | ||
73 | * atmel | ||
74 | * wext | ||
75 | * ndiswrapper | ||
14 | JohnMcPherson | 76 | * ipw |
3 | JohnMcPherson | 77 | |
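78 | If you want to debug why things aren't working, you can run the following from the command line (-K includes keys and passwords in the debug output, so redact it before sharing): | ||
79 | wpa_supplicant -dd -t -K -i''interface'' -D''driver'' -c /etc/wpa_supplicant.conf | ||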
80 | |||
81 | !! Configuring your distro for WPA | ||
82 | ! Debian Sarge/Sid (and Ubuntu?) | ||
83 | |||
84 | <tt>apt-get install wpasupplicant</tt> | ||
85 | |||
86 | Create /etc/wpa_supplicant.conf either from the example above, or based | ||
87 | on /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz. | ||
88 | |||
89 | Here is a snippet from my /etc/network/interfaces file. | ||
90 | (This __replaces__ the snippet for WEP you can find on the WirelessSetupNotes page.) | ||
91 | <verbatim> | ||
92 | iface ath0 inet dhcp | ||
93 | pre-up wpa_supplicant -B -iath0 -Dmadwifi -c /etc/wpa_supplicant.conf | ||
94 | down skill wpa_supplicant | ||
95 | </verbatim> | ||
96 | Note that it probably isn't necessary to get rid of the wpa process after removing the interface, but it means that there aren't multiple processes if | ||
97 | you remove/insert the card several times. | ||
9 | JohnMcPherson | 98 | |
12 | JohnMcPherson | 99 | |
14 | JohnMcPherson | 100 | !Ubuntu 6.06 (Dapper) |
12 | JohnMcPherson | 101 | Instead of doing "<tt>pre-up wpa_supplicant ...</tt>", Ubuntu starts wpa_supplicant on boot. Edit the <tt>/etc/default/wpasupplicant</tt> file: |
102 | <verbatim> | ||
103 | ENABLED=1 | ||
104 | OPTIONS="-w -Dipw -ieth1 -c /etc/wpa_supplicant.conf" | ||
105 | </verbatim> | ||
106 | changing the -D and -i options as appropriate. | ||
14 | JohnMcPherson | 107 | |
108 | In 6.06, my old config of using "-Dipw" for my Centrino-based laptop no longer worked - I had to use "-Dwext" instead for the generic wireless driver. | ||
109 | |||
110 | You could also try installing the __network-manager__ package, but this is a bit flaky for now. | ||
3 | JohnMcPherson | 111 | |
112 | !Other distros | ||
113 | People who use other distros should put stuff here. | ||
2 | DanielLawson | 114 | |
115 | ---- | ||
116 | |||
117 | Part of CategoryWireless |