Old June 24th, 2006   #1
wieman01
Himbeer Brombeer Macchiato
 
Join Date: May 2006
Location: 100acrewood
Beans: 7,262
Kubuntu 9.10 Karmic Koala
HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

This guide was tested with:

Gutsy Gibbon (7.10)
Hardy Heron (8.04)
Intrepid Ibex (8.10)
Jaunty Jackalope (9.04)

--
Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.

Common stumbling blocks - Make sure that:
1. Ethernet cable is unplugged.
2. No firewall & configuration tool is running (e.g. Firestarter).
3. MAC filtering is disabled.
4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
6. Set router to BG-Only if using ndiswrapper (and perhaps Broadcom 43xx as I don't know about others).

My Requirements:
1. WPA2 / RSN
2. AES / CCMP
3. Hidden ESSID (no broadcast)
4. Static IP (because I use port forwarding & firewall, etc.)
5. Pre-shared key (no EAP)

If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.

Now let's get started (wpa-supplicant is usually installed by default):
0. Install "wpa-supplicant":
Quote:
sudo apt-get install wpasupplicant
1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:
Quote:
iwconfig
Quote:
sudo iwlist scan
Your network device & wireless network should appear here.

2. Open "/etc/network/interfaces":
Quote:
sudo gedit /etc/network/interfaces
The content should look similar to this:
Quote:
auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet dhcp
3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):
Quote:
auto wlan0
iface wlan0 inet static
address 192.168.168.40
gateway 192.168.168.230
dns-nameservers 192.168.168.230
netmask 255.255.255.0

wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
  • auto wlan0:
    Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).
  • iface wlan0 inet static:
    Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).
  • address, netmask, [..], dns-nameservers:
    Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines need to match your own (static) network settings. For DHCP see further below.
  • wpa-driver:
    Use "wext" only. All other drivers are outdated and no longer used.
  • wpa-ssid:
    Your network's ESSID (no quotes ""). Please avoid blanks/spaces as they will create problems during key generation (see below).
  • wpa-ap-scan:
    "1" = Broadcast of ESSID.
    "2" = Hidden broadcast of ESSID.
  • wpa-proto:
    "RSN" = WPA(2)
    "WPA" = WPA(1)
  • wpa-pairwise & wpa-group:
    "CCMP" = AES cipher as part of WPA(2) standard.
    "TKIP" = TKIP cipher as part of WPA(1) standard.
  • wpa-key-mgmt:
    "WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
    "WPA-EAP" = Authentication via enterprise authentication server.
VERY IMPORTANT ("WPA PSK Key Generation"):
Now convert your WPA ASCII password using the following command:
Quote:
wpa_passphrase <your_essid> <your_ascii_key>
Resulting in an output like...
Quote:
network={
ssid="test"
#psk="12345678"
psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab15bbc6c52e7522f709a
}
Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" file with it. Then save the file and restart your network:
Quote:
sudo /etc/init.d/networking restart
You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).


*****************************Revoking read-permission from 'others'*********************************
Quote:
sudo chmod o=-r /etc/network/interfaces
*****************************Revoking read-permission from 'others'*********************************

*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************

*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************

****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA RSN
wpa-pairwise TKIP CCMP
wpa-group TKIP CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****

****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap LEAP
wpa-key-mgmt IEEE8021X
wpa-identity <your_user_name>
wpa-password <your_password>
****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************

****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-eap PEAP
wpa-key-mgmt WPA-EAP
wpa-identity <your_identity>
wpa-password <your_password>
****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************

*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap TTLS
wpa-key-mgmt IEEE8021X
wpa-anonymous-identity <anonymous_identity>
wpa-identity <your_identity>
wpa-password <your_password>
wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]
*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************

*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN WPA
wpa-pairwise CCMP TKIP
wpa-group CCMP TKIP
wpa-key-mgmt WPA-EAP
wpa-eap FAST
wpa-identity <your_user_name>
wpa-password <your_password>
wpa-phase1 fast_provisioning=1
wpa-pac-file /path/to/eap-pac-file
*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****

*****************************Tested adapters***************************************************
Quote:
1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext)
2. Intel IPW2200 (Linux driver; wpa-driver = wext)
3. Linksys WPC54G (ndiswrapper; wpa-driver = wext)
4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi)
5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext)
6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi)
7. Netgear WPN311 (Linux driver; wpa-driver = wext)
8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)
*****************************Tested adapters***************************************************

*****************************Post this if you are stumped******************************************
Quote:
# route
# iwconfig
# sudo iwlist scan
# sudo lshw -C network
# sudo cat /etc/network/interfaces
# sudo ifdown -v <your_interface>
# sudo ifup -v <your_interface>
*****************************Post this if you are stumped******************************************

*****************************Other useful commands*********************************************
Quote:
# Ubuntu version & kernel >> uname -a
# Root file access >> alt F2 then 'gksudo nautilus' in cli
# Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is]
# Get wireless info >> iwconfig
# Get AP info >> iwlist scan
# Get wireless info >> iwlist (lots of options will list)
# Routes if wlan0 working >> route
# DNS resolving via eth1 >> cat /etc/resolv.conf
# List devices/modules >> lspci, lsusb, lshw, lsmod
# Restart network >> sudo /etc/init.d/networking restart
# Boot messages >> dmesg
# Kill NWM >> sudo killall NetworkManager
# Events from your wl >> iwevent
# Restart all daemons >> sudo /etc/init.d/dbus restart
# Restart network >> sudo /etc/init.d/networking restart
*****************************Other useful commands*********************************************

CHANGE LOG:
08/11/2006: Added section "Post this if you are stumped" (SquibT).
08/11/2006: Added sample configuration for WPA2 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added sample configuration for WPA1 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added section "Tested adapters" (Wieman01).
08/11/2006: Added section "Useful commands" (SquibT).
08/11/2006: Added section "Common stumbling blocks" (Wieman01).
08/11/2006: Changed section "wpa-driver" and added new drivers (Wieman01).
08/11/2006: Added section "Revoking read-permission from group 'others'" (Wieman01).
09/11/2006: Minor changes in layout (Wieman01).
09/11/2006: Added sample configuration for mixed mode (WPA1, WPA2) with DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added experimental sample configuration for LEAP with WEP, DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added section "Install wpa-supplicant" (Wieman01).
10/11/2006: Added experimental sample configuration for TTLS with WEP, DHCP & ESSID broadcast (Wieman01).
15/11/2006: Added experimental sample configuration for EAP-FAST with WPA1/WPA2, DHCP & ESSID broadcast (Wieman01).
04/12/2006: Changed "wpa_passphrase" section & added quotes ("") for encryption keys containing special characters (Wieman01).
04/01/2007: Added various security options (Wieman01).
15/01/2007: Added valid script for EAP-LEAP (Wieman01).
31/01/2007: Added valid script for EAP-PEAP (Wieman01).
21/04/2007: Removed "wpa-conf" for Edgy Eft (Wieman01).
22/04/2007: Simplified section concerning static network settings (Wieman01).
02/05/2007: Added note concerning WPA2 support for Atheros cards & drivers (Wieman01).
13/05/2007: Added note on Ralink drivers (Wieman01).
15/04/2008: Tested with HardyHeron (Wieman01).
04/09/2008: Added note on wireless B/G/N (Wieman01).
06/12/2008: Note for Intrepid Ibex users (Wieman01).
07/03/2009: Closed thread (Wieman01).
05/04/2009: Re-opened and enhanced thread (Wieman01).

Last edited by wieman01; May 8th, 2009 at 01:29 PM..
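As an added example (not from the original post and not part of wpa_supplicant or ifupdown), the Python below reproduces the derivation that "wpa_passphrase" performs in the "WPA PSK Key Generation" step (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes) and lints a WPA stanza of /etc/network/interfaces for the points the post lists: iface line before the wpa-* options, static address settings, ESSID without blanks, wpa-ap-scan 1/2, RSN/CCMP and WPA/TKIP pairing, the 64-digit hex key, and the "chmod o-r" permission. The function names and the sample stanza are constructed for illustration.

```python
import hashlib
import re

def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 64-hex-digit PSK that wpa_passphrase prints for this SSID and
    passphrase: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32-byte output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

# Cipher that belongs to each wpa-proto value, as the guide lists them.
CIPHER_FOR_PROTO = {"RSN": "CCMP", "WPA": "TKIP"}

def check_stanza(text: str, file_mode: int = 0o640) -> list:
    """Lint one WPA stanza from /etc/network/interfaces (only the keys the guide
    uses). file_mode is the file's permission bits. An empty list means no findings."""
    findings, keys, order = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.replace("\t", " ").partition(" ")
            keys[key] = value.strip()
            order.append(key)
    # The iface line must precede every wpa-* option (the order matters to ifupdown).
    iface_at = order.index("iface") if "iface" in order else None
    wpa_at = next((i for i, k in enumerate(order) if k.startswith("wpa-")), None)
    if iface_at is None:
        findings.append("missing 'iface <dev> inet static|dhcp' line")
    elif wpa_at is not None and wpa_at < iface_at:
        findings.append("wpa-* options appear before the iface line")
    # Static addressing needs the address lines the guide shows.
    if keys.get("iface", "").endswith("inet static"):
        for need in ("address", "netmask", "gateway"):
            if need not in keys:
                findings.append(f"static configuration lacks '{need}'")
    # ESSID without blanks; wpa-ap-scan 1 = broadcast, 2 = hidden ESSID.
    ssid = keys.get("wpa-ssid", "")
    if not ssid or " " in ssid:
        findings.append("wpa-ssid missing or contains spaces")
    if keys.get("wpa-ap-scan") not in ("1", "2"):
        findings.append("wpa-ap-scan must be 1 (broadcast) or 2 (hidden ESSID)")
    # Protocol/cipher pairing: RSN goes with CCMP, WPA with TKIP; mixed lists allowed.
    mgmt = keys.get("wpa-key-mgmt")
    if mgmt in ("WPA-PSK", "WPA-EAP"):
        expected = {CIPHER_FOR_PROTO.get(p) for p in keys.get("wpa-proto", "").split()}
        for field in ("wpa-pairwise", "wpa-group"):
            ciphers = set(keys.get(field, "").split())
            if not expected or ciphers != expected:
                findings.append(f"{field} does not match wpa-proto")
    # A PSK stanza must carry the 64-hex-digit key produced by wpa_passphrase.
    if mgmt == "WPA-PSK" and not re.fullmatch(r"[0-9a-fA-F]{64}", keys.get("wpa-psk", "")):
        findings.append("wpa-psk is not a 64-digit hex key (run wpa_passphrase)")
    # The file holds the key, so 'others' must not be able to read it.
    if file_mode & 0o004:
        findings.append("file is world-readable; revoke with chmod o-r")
    return findings

if __name__ == "__main__":
    # Constructed sample stanza following the guide's static-IP example.
    sample = ("auto wlan0\niface wlan0 inet static\naddress 192.168.168.40\n"
              "netmask 255.255.255.0\ngateway 192.168.168.230\nwpa-driver wext\n"
              "wpa-ssid test\nwpa-ap-scan 2\nwpa-proto RSN\nwpa-pairwise CCMP\n"
              "wpa-group CCMP\nwpa-key-mgmt WPA-PSK\nwpa-psk " + derive_psk("test", "12345678"))
    print(check_stanza(sample, 0o640) or "no findings")
```

To lint the real file, read /etc/network/interfaces into `text` and pass `os.stat(path).st_mode & 0o777` as `file_mode`.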
Old August 7th, 2006   #2
wieman01
Himbeer Brombeer Macchiato
 
Join Date: May 2006
Location: 100acrewood
Beans: 7,262
Kubuntu 9.10 Karmic Koala
HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

Some users reported (including myself) that the network has to be restarted every time after startup... Apparently this is a bug.

Here is a workaround that helps restart the network during boot so that one does not have to do it manually after logging on to the system.

Create startup script:
Quote:
sudo gedit /etc/init.d/wireless-network
Add this line & save file:
Quote:
/etc/init.d/networking restart
Change permission (executable):
Quote:
sudo chmod +x /etc/init.d/wireless-network
Create symbolic link:
Quote:
sudo ln -s /etc/init.d/wireless-network /etc/rcS.d/S40wireless-network
[Note: You may have to choose a boot sequence other than S40.]

Restart...

Last edited by wieman01; April 7th, 2009 at 02:23 PM..
Old October 30th, 2006   #3
sionghua
5 Cups of Ubuntu
 
Join Date: Sep 2006
Beans: 40
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

How to adapt this to WPA(1)?

I got everything set up and running ok, except that it is not automated even though I included the wpa_supplicant command in /etc/network/interfaces, so every time I start my computer I need to run wpa_supplicant manually and then dhclient manually as well in order to access the internet. Any idea why automation is not working?

My interfaces file is as follows:

Quote:
auto wlan0
iface wlan0 inet dhcp
wireless-mode Managed
wireless-essid bplus1
pre-up wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -Bw
post-down killall -q wpa_supplicant
By the way, I notice that I need to completely shut down my computer before I log in to Ubuntu again to make sure the USB adapter refreshes; if I simply restart, it will not be detected.
Old October 30th, 2006   #4
wieman01
Himbeer Brombeer Macchiato
 
Join Date: May 2006
Location: 100acrewood
Beans: 7,262
Kubuntu 9.10 Karmic Koala
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

For WPA1 my example would look like this:
Quote:
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-conf managed
wpa-ssid your_essid
wpa-ap-scan 1
wpa-proto WPA
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk your_wpa_psk
I have never bothered to set up wpa_supplicant outside of "interfaces" because I don't think it is nice. So I cannot give you any advice there. However, I am having a similar issue as you whereby I need to initialize my wireless network at startup, then immediately bring it down & restart it. For some reason the network would remain disconnected if I did not restart it.

So my advice is to follow post #2 and restart the network during the boot process. Not sure if this is a bug but I have not found a solution ever since.
Old October 30th, 2006   #5
wieman01
Himbeer Brombeer Macchiato
 
Join Date: May 2006
Location: 100acrewood
Beans: 7,262
Kubuntu 9.10 Karmic Koala
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

By the way... This also works for Atheros chipsets ("ath0") as shown here: http://www.ubuntuforums.org/showthread.php?t=225290
Old October 30th, 2006   #6
sionghua
5 Cups of Ubuntu
 
Join Date: Sep 2006
Beans: 40
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

I followed all the instructions but it won't connect; when issuing iwconfig I get

essid: off/any
Old October 30th, 2006   #7
sionghua
5 Cups of Ubuntu
 
Join Date: Sep 2006
Beans: 40
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

here's my wpa_supplicant.conf

Quote:
ctrl_interface=/var/run/wpa_supplicant
network={
ssid="bplus1"
psk=xxxxxxx
key_mgmt=WPA-PSK
proto=WPA
pairwise=TKIP
}
Old October 30th, 2006   #8
sionghua
5 Cups of Ubuntu
 
Join Date: Sep 2006
Beans: 40
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

The commands that I use to invoke wpa_supplicant are
sudo wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -Bw
and for dhcp
sudo dhclient wlan0

I invoke these commands with
Quote:
auto wlan0
iface wlan0 inet dhcp
wireless-mode Managed
wireless-essid bplus1
in the interfaces file, then it works.
Old October 31st, 2006   #9
squibT
Just Give Me the Beans!
 
Join Date: Oct 2006
Location: Nanaimo BC
My beans are hidden!
Ubuntu 6.10 Edgy
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

@wieman01,

Hi again wieman01... I reinstalled Edgy just to get a fresh start and tried to use this guide to set up my Interfaces file and not use the wpa_supplicant.conf file. If you recall I did have the wpa_supplicant.conf file working and connecting but I wanted to go your route with the Interfaces file.

Good news and bad... My (Linksys wpc54gs) lsbcmnds drivers work fine and report as installed and present, card lights up and flashes connectivity, "iwlist wlan0 scan" reports my AP info correctly (encryption on, correct ESSID ****, etc...). I have a wireless signal meter on the taskbar at 100%.
This is with the Networking GUI though... and an /etc/init.d/network restart reports the key is wrong (obviously... no wpa- in front of any items in the Interfaces file yet).

After setting up your/my Interfaces file (see below):

No internet access, can't get a ping reply from my AP, "iwlist wlan0 scan" shows no results.
I have the Interfaces file shown below taken from this HowToo (my IPs are different):

auto wlan0
iface wlan0 inet static
wpa-driver wext (tried ndiswrapper also)
wpa-conf managed
wpa-ssid <my_essid>
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <my_64_hex_key>
address 192.168.168.40
netmask 255.255.255.0
network 192.168.168.0
broadcast 192.168.168.255
gateway 192.168.168.230
dns-nameservers 192.168.168.230

I tried enabling wireless via the GUI. Are you also using the Networking GUI and enabling your wireless there also? When I do and I enter the basic information it writes into the bottom of your/my Interfaces file this:

My_ip_information....
wireless-essid <my-essid>
wireless-key <my-hex-key>

auto wlan0

Basically adding these lines again...incorrectly.

If I modify the file it does not work...

And "/etc/init.d/network restart" can't read the Interfaces file.

And if I just use your/my config file exactly as you wrote it, "/etc/init.d/network restart" reads the Interfaces file OK but still no connection...like it is not communicating with WPA_Supplicant...or my router....router is setup correctly though.
Iwconfig shows not associated with AP ( of course)
Iwlist wlan0 scan shows no results.

Your file seems to be the closest I have got to getting this going...no errors when I "/etc/init.d/network restart"...just says Reconfiguring then OK which is great.

Using just a basic Interfaces file with no security "iwlist wlan0 scan" reports my AP info correctly (encryption on, correct ESSID ****, etc...) I have a wireless signal meter on the taskbar 100%...

I am missing something...

Any ideas? I don't want to take a lot of your time but if you can think of anything I am missing let me know.

Thanx,

squibt
Old October 31st, 2006   #10
squibT
Just Give Me the Beans!
 
Join Date: Oct 2006
Location: Nanaimo BC
My beans are hidden!
Ubuntu 6.10 Edgy
Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

Success!

I was using my 64 char hex key from my router (WPA-PSK AES) and not using the directions on page 4 of your instructions. I entered my hex key and it would not work in the Network-Applet Hex box or in the Interfaces file. It seems I have to use an Ascii pass-phrase like BillyBob on my router and then in the Network-Applet enter my info and then run wpa_passphrase <my-essid> <BillyBob (my ascii-key)> to generate a psk hex key....this new key is entered into your Interfaces file like you state on page 4.

Let me experiment with this a little and get back to you... gonna try to use my hex key as an ASCII key and regenerate it.

BTW...nice HowToo...if you follow it....

squibt

Last edited by squibT; October 31st, 2006 at 06:30 AM..
