HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

[wieman01]

This guide was tested with:

Gutsy Gibbon (7.10)
Hardy Heron (8.04)
Intrepid Ibex (8.10)
Jaunty Jackalope (9.04)
--
Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.

Common stumbling blocks - Make sure that:
1. Ethernet cable is unplugged.
2. No firewall & configuration tool is running (e.g. Firestarter).
3. MAC filtering is disabled.
4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
6. Set router to BG-Only if using ndiswrapper (and perhaps Broadcom 43xx as I don't know about others).

My Requirements:
1. WPA2 / RSN
2. AES / CCMP
3. Hidden ESSID (no broadcast)
4. Static IP (because I use port forwarding & firewall, etc.)
5. Pre-shared key (no EAP)

If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.

Now let's get started (wpa-suplicant is usually installed by default):
0. Install "wpa-supplicant":

Quote:

sudo apt-get install wpasupplicant

1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:

Quote:

iwconfig

Quote:

sudo iwlist scan

Your network device & wireless network should appear here.

2. Open "/etc/network/interfaces":

Quote:

sudo gedit /etc/network/interfaces

The content should look similar to this:

Quote:

auto lo iface lo inet loopback auto wlan0 iface wlan0 inet dhcp

3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):

Quote:

auto wlan0 iface wlan0 inet static address 192.168.168.40 gateway 192.168.168.230 dns-nameservers 192.168.168.230 netmask 255.255.255.0 wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 2 wpa-proto RSN wpa-pairwise CCMP wpa-group CCMP wpa-key-mgmt WPA-PSK wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

• auto wlan0:
  Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).

• iface wlan0 inet static:
  Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).

• address, netmask, [..], dns-nameservers:
  Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines need to be according to your own (static) network settings. For DHCP see further below.

• wpa-driver:
  Use "wext" only. All other drivers are outdated no longer used.
  [/QUOTE]

• wpa-ssid:
  Your network's ESSID (no quotes ""). Please avoid blanks/spaces as they will created problems during key generation (see below).

• wpa-ap-scan:
  "1" = Broadcast of ESSID.
  "2" = Hidden broadcast of ESSID.

• wpa-proto:
  "RSN" = WPA(2)
  "WPA" = WPA(1)

• wpa-pairwise & wpa-group:
  "CCMP" = AES cipher as part of WPA(2) standard.
  "TKIP" = TKIP cipher as part of WPA(1) standard.

• wpa-key-mgmt:
  "WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
  "WPA-EAP" = Authentication via enterprise authentication server.

VERY IMPORTANT ("WPA PSK Key Generation"):
Now convert your WPA ASCII password using the following command:

Quote:

wpa_passphrase <your_essid> <your_ascii_key>

Resulting in an output like...

Quote:

network={ ssid="test" #psk="12345678" psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab1 5bbc6c52e7522f709a }

Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" files with it. Then save the file and restart your network:

Quote:

sudo /etc/init.d/networking restart

You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).


*****************************Revoking read-permission from 'others'*********************************

Quote:

sudo chmod o=-r /etc/network/interfaces

*****************************Revoking read-permission from 'others'*********************************

*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-proto RSN wpa-pairwise CCMP wpa-group CCMP wpa-key-mgmt WPA-PSK wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************

*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-proto WPA wpa-pairwise TKIP wpa-group TKIP wpa-key-mgmt WPA-PSK wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************

****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-proto WPA RSN wpa-pairwise TKIP CCMP wpa-group TKIP CCMP wpa-key-mgmt WPA-PSK wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]

****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****

****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-eap LEAP wpa-key-mgmt IEEE8021X wpa-identity <your_user_name> wpa-password <your_password>

****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************

****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-proto RSN wpa-pairwise CCMP wpa-group CCMP wpa-eap PEAP wpa-key-mgmt WPA-EAP wpa-identity <your_identity> wpa-password <your_password>

****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************

*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-eap TTLS wpa-key-mgmt IEEE8021X wpa-anonymous-identity <anonymous_identity> wpa-identity <your_identity> wpa-password <your_password> wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]

*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************

*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****

Quote:

auto wlan0 iface wlan0 inet dhcp wpa-driver wext wpa-ssid <your_essid> wpa-ap-scan 1 wpa-proto RSN WPA wpa-pairwise CCMP TKIP wpa-group CCMP TKIP wpa-key-mgmt WPA-EAP wpa-eap FAST wpa-identity <your_user_name> wpa-password <your_password> wpa-phase1 fast_provisioning=1 wpa-pac-file /path/to/eap-pac-file

*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****

*****************************Tested adapters****************************************** *********

Quote:

1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext) 2. Intel IPW2200 (Linux driver; wpa-driver = wext) 3. Linksys WPC54G (ndiswrapper; wpa-driver = wext) 4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi) 5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext) 6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi) 7. Netgear WPN311 (Linux driver; wpa-driver = wext) 8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)

*****************************Tested adapters****************************************** *********

*****************************Post this if you are stumped******************************************

Quote:

# route # iwconfig # sudo iwlist scan # sudo lshw -C network # sudo cat /etc/network/interfaces # sudo ifdown -v <your_interface> # sudo ifup -v <your_interface>

*****************************Post this if you are stumped******************************************

*****************************Other useful commands****************************************** ***

Quote:

# Ubuntu version & kernel >> uname -a # Root file access >> alt F2 then 'gksudo nautilus' in cli # Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is] # Get wireless info >> iwconfig # Get AP info >> iwlist scan # Get wireless info >> iwlist (lots of options will list) # Routes if wlan0 working >> route # DNS resolving via eth1 >> cat /etc/resolv.conf # List devices/modules >> lspci, lsusb, lshw, lsmod # Restart network >> sudo /etc/init.d/networking restart # Boot messages >> dmesg # Kill NWM >> sudo killall NetworkManager # Events from your wl >> iwevent # Restart all daemons >> sudo /etc/init.d/dbus restart # Restart network >> sudo /etc/init.d/networking restart

*****************************Other useful commands****************************************** ***

CHANGE LOG:
08/11/2006: Added section "Post this if you are stumped" (SquibT).
08/11/2006: Added sample configuration for WPA2 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added sample configuration for WPA1 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added section "Tested adapters" (Wieman01).
08/11/2006: Added section "Useful commands" (SquibT).
08/11/2006: Added section "Common stumbling blocks" (Wieman01).
08/11/2006: Changed section "wpa-driver" and added new drivers (Wieman01).
08/11/2006: Added section "Revoking read-permission from group 'others'" (Wieman01).
09/11/2006: Minor changes in layout (Wieman01).
09/11/2006: Added sample configuration for mixed mode (WPA1, WPA2) with DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added experimental sample configuration for LEAP with WEP, DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added section "Install wpa-supplicant" (Wieman01).
10/11/2006: Added experimental sample configuration for TTLS with WEP, DHCP & ESSID broadcast (Wieman01).
15/11/2006: Added experimental sample configuration for EAP-FAST with WPA1/WPA2, DHCP & ESSID broadcast (Wieman01).
04/12/2006: Changed "wpa_passphrase" section & added quotes ("") for encryption keys containing special characters (Wieman01).
04/01/2007: Added various security options (Wieman01).
15/01/2007: Added valid script for EAP-LEAP (Wieman01).
31/01/2007: Added valid script for EAP-PEAP (Wieman01).
21/04/2007: Removed "wpa-conf" for Edgy Eft (Wieman01).
22/04/2007: Simplified section concerning static network settings (Wieman01).
02/05/2007: Added note concerning WPA2 support for Atheros cards & drivers (Wieman01).
13/05/2007: Added note on Ralink drivers (Wieman01).
15/04/2008: Tested with HardyHeron (Wieman01).
04/09/2008: Added note on wireless B/G/N (Wieman01).
06/12/2008: Note for Intrepid Ibex users (Wieman01).
07/03/2009: Closed thread (Wieman01).
05/04/2009: Re-opened and enhanced thread (Wieman01).