| Rev | Author | # | Line |
|---|---|---|---|
| 3 | JohnMcPherson | 1 | Don't rely on [WEP] to secure your network. Even with 128-bit or 256-bit keys it is trivial to crack. |
| 13 | IanMcDonald | 2 | |
| 3 | If you want to ignore this because you are testing or don't care, you can pass the [WEP] key to the driver as follows: | ||
| 4 | <verbatim> | ||
| 5 | iwconfig eth2 enc yourhexkey | ||
| 6 | </verbatim> | ||
| 1 | MattPurvis | 7 | |
| 3 | JohnMcPherson | 8 | !!! VPN/tunnel |
| 9 | Use a secure tunnel/[VPN] from wireless clients over the wireless network onto your real network. | ||
| 1 | MattPurvis | 10 | |
| 3 | JohnMcPherson | 11 | Put your WLAN hosts behind a firewall to protect your wired LAN from wireless intruders. Install [pptpd(8)] on this firewall box and force wireless hosts to securely tunnel into your wired LAN. See the WirelessNetworkSecurityHowto. |
| 1 | MattPurvis | 12 | |
| 3 | JohnMcPherson | 13 | |
| 14 | !!! WPA | ||
| 15 | To use the more secure [WPA] encryption rather than WEP, install the | ||
| 16 | [wpasupplicant|http://hostap.epitest.fi/wpa_supplicant/] package. This provides a program that encrypts data sent to your wireless card. Unfortunately it can be difficult to set up, partly because it uses a lot of acronyms that you need to understand, and partly because of incompatibilities between wireless equipment. There is a good mailing list accessible from the previous wpasupplicant link which is very helpful. | ||
| 17 | |||
| 18 | WPA-PSK means use a __P__re-__S__hared __K__ey, i.e. both the AccessPoint | ||
| 19 | and the client know a shared secret. | ||
| 20 | |||
| 21 | The main config file is /etc/wpa_supplicant.conf. | ||
| 22 | |||
| 23 | Here is an example config file. | ||
| 24 | <verbatim> | ||
| 25 | |||
| 26 | # my wireless card (Atheros-based) and AP (Asus 6030) don't get on very | ||
| 27 | # well if this is set to 2 | ||
| 28 | eapol_version=1 | ||
| 29 | |||
| 30 | # some default settings - see the example | ||
| 31 | # /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz (debian) file | ||
| 32 | ap_scan=1 | ||
| 33 | fast_reauth=1 | ||
| 34 | |||
| 35 | network={ | ||
| 36 | ssid="MY SSID" | ||
| 37 | |||
| 38 | # priority that wpasupplicant should try to connect to this | ||
| 39 | # network block (out of all blocks listed in this config file) | ||
| 40 | # 9 is highest, 0 is lowest | ||
| 41 | priority=9 | ||
| 42 | |||
| 43 | # my AP is set up to require WPA-PSK authentication | ||
| 44 | # defaults to WPA-PSK WPA-EAP | ||
| 45 | key_mgmt=WPA-PSK | ||
| 46 | |||
| 47 | # The password to use for WPA-PSK authentication. | ||
| 48 | # this has to match the password on the AP, obviously | ||
| 49 | psk="shared secret password" | ||
| 50 | |||
| 51 | # the order to try encryption algorithms in. | ||
| 52 | #pairwise=AES TKIP | ||
| 53 | |||
| 54 | # broadcast/multicast group ciphers for WPA | ||
| 55 | # default is CCMP(AES counter) TKIP WEP104 WEP | ||
| 56 | # but my card/AP combination doesn't seem to work if it tries CCMP | ||
| 57 | # so I'll override this setting | ||
| 58 | group=TKIP | ||
| 59 | } | ||
| 60 | </verbatim> | ||
| 61 | |||
| 62 | Now after your card is running (but not configured), you can set up your | ||
| 63 | connection/configuration to use WPA encryption by running | ||
| 64 | <pre> | ||
| 65 | wpa_supplicant -B -i''ath0'' -D''madwifi'' | ||
| 66 | </pre> | ||
| 67 | replacing ''ath0'' with the correct interface (eth0, eth1, and so on) for | ||
| 68 | your machine, and ''madwifi'' with the correct driver for your wireless | ||
| 69 | card. -B means fork and go into the background. "__wpa_supplicant -h__" lists the following supported drivers: | ||
| 70 | * hostap | ||
| 71 | * prism54 | ||
| 72 | * madwifi | ||
| 73 | * atmel | ||
| 74 | * wext | ||
| 75 | * ndiswrapper | ||
| 14 | JohnMcPherson | 76 | * ipw |
| 3 | JohnMcPherson | 77 | |
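| 78 | If you want to try and debug why things aren't working, you can try the following from the command line (-dd increases debug verbosity, -t adds timestamps, and -K includes key material such as passwords in the debug output, so strip those lines before sharing a log): | ||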
| 79 | wpa_supplicant -dd -t -K -i''interface'' -D''device'' | ||
| 80 | |||
| 81 | !! Configuring your distro for WPA | ||
| 82 | ! Debian Sarge/Sid (and Ubuntu?) | ||
| 83 | |||
| 84 | <tt>apt-get install wpasupplicant</tt> | ||
| 85 | |||
| 86 | Create /etc/wpa_supplicant.conf either from the example above, or based | ||
| 87 | on /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.gz. | ||
| 88 | |||
| 89 | Here is a snippet from my /etc/network/interfaces file. | ||
| 90 | (This __replaces__ the snippet for WEP you can find on the WirelessSetupNotes page.) | ||
| 91 | <verbatim> | ||
| 92 | iface ath0 inet dhcp | ||
| 93 | pre-up wpa_supplicant -B -iath0 -Dmadwifi | ||
| 94 | down skill wpa_supplicant | ||
| 95 | </verbatim> | ||
| 96 | Note that it probably isn't necessary to get rid of the wpa process after removing the interface, but it means that there aren't multiple processes if | ||
| 97 | you remove/insert the card several times. | ||
| 9 | JohnMcPherson | 98 | |
| 12 | JohnMcPherson | 99 | |
| 14 | JohnMcPherson | 100 | !Ubuntu 6.06 (Dapper) |
| 12 | JohnMcPherson | 101 | Instead of doing "<tt>pre-up wpa_supplicant ...</tt>", Ubuntu starts wpa on boot. Edit the <tt>/etc/default/wpasupplicant</tt> file: |
| 102 | <verbatim> | ||
| 103 | ENABLED=1 | ||
| 104 | OPTIONS="-w -Dipw -ieth1 -c /etc/wpa_supplicant.conf" | ||
| 105 | </verbatim> | ||
| 106 | changing the option for -D and -i as appropriate. | ||
| 14 | JohnMcPherson | 107 | |
| 108 | In 6.06, my old config of using "-Dipw" for my Centrino-based laptop no longer worked - I had to use "-Dwext" instead for the generic wireless driver. | ||
| 109 | |||
| 110 | You could also try installing the __network-manager__ package, but this is a bit flaky for now. | ||
| 3 | JohnMcPherson | 111 | |
| 112 | !Other distros | ||
| 113 | People who use other distros should put stuff here. | ||
| 2 | DanielLawson | 114 | |
| 115 | ---- | ||
| 116 | |||
| 117 | Part of CategoryWireless |