View Poll Results: Has this thread been helpful?

Voters
811. You may not vote on this poll
  • Yes

    550 67.82%
  • No

    104 12.82%
  • Somewhat

    157 19.36%
Results 1 to 10 of 1832

Thread: HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

Threaded View

  1. #1
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

    This guide was tested with:

    Jaunty Jackalope (9.04)
    Oneiric Ocelot (11.10)

    --
    Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.

    Common stumbling blocks - Make sure that:
    1. Ethernet cable is unplugged.
    2. No firewall & configuration tool is running (e.g. Firestarter).
    3. MAC filtering is disabled.
    4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
    5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
    6. Set router to BG-Only if using ndiswrapper (and perhaps Broadcom 43xx as I don't know about others).

    My Requirements:
    1. WPA2 / RSN
    2. AES / CCMP
    3. Hidden ESSID (no broadcast)
    4. Static IP (because I use port forwarding & firewall, etc.)
    5. Pre-shared key (no EAP)

    If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.

    Now let's get started (wpa-suplicant is usually installed by default):
    0. Install "wpa-supplicant":
    sudo apt-get install wpasupplicant
    1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:
    iwconfig
    sudo iwlist scan
    Your network device & wireless network should appear here.

    2. Open "/etc/network/interfaces":
    sudo gedit /etc/network/interfaces
    The content should look similar to this:
    auto lo
    iface lo inet loopback

    auto wlan0
    iface wlan0 inet dhcp
    3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):
    auto wlan0
    iface wlan0 inet static
    address 192.168.168.40
    gateway 192.168.168.230
    dns-nameservers 192.168.168.230
    netmask 255.255.255.0

    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 2
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    • auto wlan0:
      Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).

    • iface wlan0 inet static:
      Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).

    • address, netmask, [..], dns-nameservers:
      Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines need to be according to your own (static) network settings. For DHCP see further below.

    • wpa-driver:
      Use "wext" only. All other drivers are outdated no longer used.
      [/QUOTE]

    • wpa-ssid:
      Your network's ESSID (no quotes ""). Please avoid blanks/spaces as they will created problems during key generation (see below).

    • wpa-ap-scan:
      "1" = Broadcast of ESSID.
      "2" = Hidden broadcast of ESSID.

    • wpa-proto:
      "RSN" = WPA(2)
      "WPA" = WPA(1)

    • wpa-pairwise & wpa-group:
      "CCMP" = AES cipher as part of WPA(2) standard.
      "TKIP" = TKIP cipher as part of WPA(1) standard.

    • wpa-key-mgmt:
      "WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
      "WPA-EAP" = Authentication via enterprise authentication server.

    VERY IMPORTANT ("WPA PSK Key Generation"):
    Now convert your WPA ASCII password using the following command:
    wpa_passphrase <your_essid> <your_ascii_key>
    Resulting in an output like...
    network={
    ssid="test"
    #psk="12345678"
    psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab1 5bbc6c52e7522f709a
    }
    Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" files with it. Then save the file and restart your network:
    sudo /etc/init.d/networking restart
    You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).


    *****************************Revoking read-permission from 'others'*********************************
    sudo chmod o=-r /etc/network/interfaces
    *****************************Revoking read-permission from 'others'*********************************

    *****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    *****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************

    *****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto WPA
    wpa-pairwise TKIP
    wpa-group TKIP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    *****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************

    ****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto WPA RSN
    wpa-pairwise TKIP CCMP
    wpa-group TKIP CCMP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    ****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****

    ****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-eap LEAP
    wpa-key-mgmt IEEE8021X
    wpa-identity <your_user_name>
    wpa-password <your_password>
    ****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************

    ****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-eap PEAP
    wpa-key-mgmt WPA-EAP
    wpa-identity <your_identity>
    wpa-password <your_password>
    ****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************

    *****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-eap TTLS
    wpa-key-mgmt IEEE8021X
    wpa-anonymous-identity <anonymous_identity>
    wpa-identity <your_identity>
    wpa-password <your_password>
    wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]
    *****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************

    *****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto RSN WPA
    wpa-pairwise CCMP TKIP
    wpa-group CCMP TKIP
    wpa-key-mgmt WPA-EAP
    wpa-eap FAST
    wpa-identity <your_user_name>
    wpa-password <your_password>
    wpa-phase1 fast_provisioning=1
    wpa-pac-file /path/to/eap-pac-file
    *****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****

    *****************************Tested adapters****************************************** *********
    1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext)
    2. Intel IPW2200 (Linux driver; wpa-driver = wext)
    3. Linksys WPC54G (ndiswrapper; wpa-driver = wext)
    4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi)
    5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext)
    6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi)
    7. Netgear WPN311 (Linux driver; wpa-driver = wext)
    8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)
    *****************************Tested adapters****************************************** *********

    *****************************Post this if you are stumped******************************************
    # route
    # iwconfig
    # sudo iwlist scan
    # sudo lshw -C network
    # sudo cat /etc/network/interfaces
    # sudo ifdown -v <your_interface>
    # sudo ifup -v <your_interface>
    *****************************Post this if you are stumped******************************************

    *****************************Other useful commands****************************************** ***
    # Ubuntu version & kernel >> uname -a
    # Root file access >> alt F2 then 'gksudo nautilus' in cli
    # Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is]
    # Get wireless info >> iwconfig
    # Get AP info >> iwlist scan
    # Get wireless info >> iwlist (lots of options will list)
    # Routes if wlan0 working >> route
    # DNS resolving via eth1 >> cat /etc/resolv.conf
    # List devices/modules >> lspci, lsusb, lshw, lsmod
    # Restart network >> sudo /etc/init.d/networking restart
    # Boot messages >> dmesg
    # Kill NWM >> sudo killall NetworkManager
    # Events from your wl >> iwevent
    # Restart all daemons >> sudo /etc/init.d/dbus restart
    # Restart network >> sudo /etc/init.d/networking restart
    *****************************Other useful commands****************************************** ***

    CHANGE LOG:
    08/11/2006: Added section "Post this if you are stumped" (SquibT).
    08/11/2006: Added sample configuration for WPA2 with DHCP & ESSID broadcast (Wieman01).
    08/11/2006: Added sample configuration for WPA1 with DHCP & ESSID broadcast (Wieman01).
    08/11/2006: Added section "Tested adapters" (Wieman01).
    08/11/2006: Added section "Useful commands" (SquibT).
    08/11/2006: Added section "Common stumbling blocks" (Wieman01).
    08/11/2006: Changed section "wpa-driver" and added new drivers (Wieman01).
    08/11/2006: Added section "Revoking read-permission from group 'others'" (Wieman01).
    09/11/2006: Minor changes in layout (Wieman01).
    09/11/2006: Added sample configuration for mixed mode (WPA1, WPA2) with DHCP & ESSID broadcast (Wieman01).
    09/11/2006: Added experimental sample configuration for LEAP with WEP, DHCP & ESSID broadcast (Wieman01).
    09/11/2006: Added section "Install wpa-supplicant" (Wieman01).
    10/11/2006: Added experimental sample configuration for TTLS with WEP, DHCP & ESSID broadcast (Wieman01).
    15/11/2006: Added experimental sample configuration for EAP-FAST with WPA1/WPA2, DHCP & ESSID broadcast (Wieman01).
    04/12/2006: Changed "wpa_passphrase" section & added quotes ("") for encryption keys containing special characters (Wieman01).
    04/01/2007: Added various security options (Wieman01).
    15/01/2007: Added valid script for EAP-LEAP (Wieman01).
    31/01/2007: Added valid script for EAP-PEAP (Wieman01).
    21/04/2007: Removed "wpa-conf" for Edgy Eft (Wieman01).
    22/04/2007: Simplified section concerning static network settings (Wieman01).
    02/05/2007: Added note concerning WPA2 support for Atheros cards & drivers (Wieman01).
    13/05/2007: Added note on Ralink drivers (Wieman01).
    15/04/2008: Tested with HardyHeron (Wieman01).
    04/09/2008: Added note on wireless B/G/N (Wieman01).
    06/12/2008: Note for Intrepid Ibex users (Wieman01).
    07/03/2009: Closed thread (Wieman01).
    05/04/2009: Re-opened and enhanced thread (Wieman01).
    Last edited by wieman01; March 1st, 2012 at 07:40 PM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •