View Poll Results: Has this thread been helpful?

Voters
811. You may not vote on this poll
  • Yes

    550 67.82%
  • No

    104 12.82%
  • Somewhat

    157 19.36%
Page 1 of 49 12311 ... LastLast
Results 1 to 10 of 1832

Thread: HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

Hybrid View

  1. #1
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

    This guide was tested with:

    Jaunty Jackalope (9.04)
    Oneiric Ocelot (11.10)

    --
    Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.

    Common stumbling blocks - Make sure that:
    1. Ethernet cable is unplugged.
    2. No firewall & configuration tool is running (e.g. Firestarter).
    3. MAC filtering is disabled.
    4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
    5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
    6. Set router to BG-Only if using ndiswrapper (and perhaps Broadcom 43xx as I don't know about others).

    My Requirements:
    1. WPA2 / RSN
    2. AES / CCMP
    3. Hidden ESSID (no broadcast)
    4. Static IP (because I use port forwarding & firewall, etc.)
    5. Pre-shared key (no EAP)

    If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.

    Now let's get started (wpa-suplicant is usually installed by default):
    0. Install "wpa-supplicant":
    sudo apt-get install wpasupplicant
    1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:
    iwconfig
    sudo iwlist scan
    Your network device & wireless network should appear here.

    2. Open "/etc/network/interfaces":
    sudo gedit /etc/network/interfaces
    The content should look similar to this:
    auto lo
    iface lo inet loopback

    auto wlan0
    iface wlan0 inet dhcp
    3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):
    auto wlan0
    iface wlan0 inet static
    address 192.168.168.40
    gateway 192.168.168.230
    dns-nameservers 192.168.168.230
    netmask 255.255.255.0

    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 2
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    • auto wlan0:
      Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).

    • iface wlan0 inet static:
      Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).

    • address, netmask, [..], dns-nameservers:
      Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines need to be according to your own (static) network settings. For DHCP see further below.

    • wpa-driver:
      Use "wext" only. All other drivers are outdated no longer used.
      [/QUOTE]

    • wpa-ssid:
      Your network's ESSID (no quotes ""). Please avoid blanks/spaces as they will created problems during key generation (see below).

    • wpa-ap-scan:
      "1" = Broadcast of ESSID.
      "2" = Hidden broadcast of ESSID.

    • wpa-proto:
      "RSN" = WPA(2)
      "WPA" = WPA(1)

    • wpa-pairwise & wpa-group:
      "CCMP" = AES cipher as part of WPA(2) standard.
      "TKIP" = TKIP cipher as part of WPA(1) standard.

    • wpa-key-mgmt:
      "WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
      "WPA-EAP" = Authentication via enterprise authentication server.

    VERY IMPORTANT ("WPA PSK Key Generation"):
    Now convert your WPA ASCII password using the following command:
    wpa_passphrase <your_essid> <your_ascii_key>
    Resulting in an output like...
    network={
    ssid="test"
    #psk="12345678"
    psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab1 5bbc6c52e7522f709a
    }
    Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" files with it. Then save the file and restart your network:
    sudo /etc/init.d/networking restart
    You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).


    *****************************Revoking read-permission from 'others'*********************************
    sudo chmod o=-r /etc/network/interfaces
    *****************************Revoking read-permission from 'others'*********************************

    *****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    *****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************

    *****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto WPA
    wpa-pairwise TKIP
    wpa-group TKIP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    *****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************

    ****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto WPA RSN
    wpa-pairwise TKIP CCMP
    wpa-group TKIP CCMP
    wpa-key-mgmt WPA-PSK
    wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
    ****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****

    ****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-eap LEAP
    wpa-key-mgmt IEEE8021X
    wpa-identity <your_user_name>
    wpa-password <your_password>
    ****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************

    ****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto RSN
    wpa-pairwise CCMP
    wpa-group CCMP
    wpa-eap PEAP
    wpa-key-mgmt WPA-EAP
    wpa-identity <your_identity>
    wpa-password <your_password>
    ****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************

    *****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-eap TTLS
    wpa-key-mgmt IEEE8021X
    wpa-anonymous-identity <anonymous_identity>
    wpa-identity <your_identity>
    wpa-password <your_password>
    wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]
    *****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************

    *****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-ssid <your_essid>
    wpa-ap-scan 1
    wpa-proto RSN WPA
    wpa-pairwise CCMP TKIP
    wpa-group CCMP TKIP
    wpa-key-mgmt WPA-EAP
    wpa-eap FAST
    wpa-identity <your_user_name>
    wpa-password <your_password>
    wpa-phase1 fast_provisioning=1
    wpa-pac-file /path/to/eap-pac-file
    *****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****

    *****************************Tested adapters****************************************** *********
    1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext)
    2. Intel IPW2200 (Linux driver; wpa-driver = wext)
    3. Linksys WPC54G (ndiswrapper; wpa-driver = wext)
    4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi)
    5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext)
    6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi)
    7. Netgear WPN311 (Linux driver; wpa-driver = wext)
    8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)
    *****************************Tested adapters****************************************** *********

    *****************************Post this if you are stumped******************************************
    # route
    # iwconfig
    # sudo iwlist scan
    # sudo lshw -C network
    # sudo cat /etc/network/interfaces
    # sudo ifdown -v <your_interface>
    # sudo ifup -v <your_interface>
    *****************************Post this if you are stumped******************************************

    *****************************Other useful commands****************************************** ***
    # Ubuntu version & kernel >> uname -a
    # Root file access >> alt F2 then 'gksudo nautilus' in cli
    # Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is]
    # Get wireless info >> iwconfig
    # Get AP info >> iwlist scan
    # Get wireless info >> iwlist (lots of options will list)
    # Routes if wlan0 working >> route
    # DNS resolving via eth1 >> cat /etc/resolv.conf
    # List devices/modules >> lspci, lsusb, lshw, lsmod
    # Restart network >> sudo /etc/init.d/networking restart
    # Boot messages >> dmesg
    # Kill NWM >> sudo killall NetworkManager
    # Events from your wl >> iwevent
    # Restart all daemons >> sudo /etc/init.d/dbus restart
    # Restart network >> sudo /etc/init.d/networking restart
    *****************************Other useful commands****************************************** ***

    CHANGE LOG:
    08/11/2006: Added section "Post this if you are stumped" (SquibT).
    08/11/2006: Added sample configuration for WPA2 with DHCP & ESSID broadcast (Wieman01).
    08/11/2006: Added sample configuration for WPA1 with DHCP & ESSID broadcast (Wieman01).
    08/11/2006: Added section "Tested adapters" (Wieman01).
    08/11/2006: Added section "Useful commands" (SquibT).
    08/11/2006: Added section "Common stumbling blocks" (Wieman01).
    08/11/2006: Changed section "wpa-driver" and added new drivers (Wieman01).
    08/11/2006: Added section "Revoking read-permission from group 'others'" (Wieman01).
    09/11/2006: Minor changes in layout (Wieman01).
    09/11/2006: Added sample configuration for mixed mode (WPA1, WPA2) with DHCP & ESSID broadcast (Wieman01).
    09/11/2006: Added experimental sample configuration for LEAP with WEP, DHCP & ESSID broadcast (Wieman01).
    09/11/2006: Added section "Install wpa-supplicant" (Wieman01).
    10/11/2006: Added experimental sample configuration for TTLS with WEP, DHCP & ESSID broadcast (Wieman01).
    15/11/2006: Added experimental sample configuration for EAP-FAST with WPA1/WPA2, DHCP & ESSID broadcast (Wieman01).
    04/12/2006: Changed "wpa_passphrase" section & added quotes ("") for encryption keys containing special characters (Wieman01).
    04/01/2007: Added various security options (Wieman01).
    15/01/2007: Added valid script for EAP-LEAP (Wieman01).
    31/01/2007: Added valid script for EAP-PEAP (Wieman01).
    21/04/2007: Removed "wpa-conf" for Edgy Eft (Wieman01).
    22/04/2007: Simplified section concerning static network settings (Wieman01).
    02/05/2007: Added note concerning WPA2 support for Atheros cards & drivers (Wieman01).
    13/05/2007: Added note on Ralink drivers (Wieman01).
    15/04/2008: Tested with HardyHeron (Wieman01).
    04/09/2008: Added note on wireless B/G/N (Wieman01).
    06/12/2008: Note for Intrepid Ibex users (Wieman01).
    07/03/2009: Closed thread (Wieman01).
    05/04/2009: Re-opened and enhanced thread (Wieman01).
    Last edited by wieman01; March 1st, 2012 at 07:40 PM.

  2. #2
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

    Some users reported (including myself) that the network has to be restarted every time after startup... Apparently this is a bug.

    Here is a workaround that helps restart the network during boot so that one does not have to do it manually after logging on to the system.

    Create startup script:
    sudo gedit /etc/init.d/wireless-network
    Add this line & save file:
    /etc/init.d/networking restart
    Change permission (executable):
    sudo chmod +x /etc/init.d/wireless-network
    Create symbolic link:
    sudo ln -s /etc/init.d/wireless-network /etc/rcS.d/S40wireless-network
    [Note: You may have to choose a boot sequence other than S40.]

    Restart...
    Last edited by wieman01; April 7th, 2009 at 07:23 PM.

  3. #3
    Join Date
    Sep 2006
    Beans
    40

    Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    How to adapt this to WPA(1)?

    I got everything setup and running ok, except that it is not automated even though I included the wpa_supplicant command in /etc/network/interfaces so everytime I start my computer I need to run wpa_supplicant manually and then dhclient manually as well in order to access to internet. Any idea why automation is not working?

    my interfaces file as follow:

    auto wlan0
    iface wlan0 inet dhcp
    wireless-mode Managed
    wireless-essid bplus1
    pre-up wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf -Bw
    post-down killall -q wpa_supplicant
    By the way I notice that I need to completely shut down my computer before I login to ubuntu again to make sure the usb adapter refresh, if I simply restart it will not be detected.

  4. #4
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    For WPA1 my example would look like this:
    auto wlan0
    iface wlan0 inet dhcp
    wpa-driver wext
    wpa-conf managed
    wpa-ssid your_essid
    wpa-ap-scan 1
    wpa-proto WPA
    wpa-pairwise TKIP
    wpa-group TKIP
    wpa-key-mgmt WPA-PSK
    wpa-psk your_wpa_psk
    I have never bothered to setup wpa_supplicant outside of "interfaces" because I don't think it is nice. So I cannot give you any advice there. However, I am having a similar issue as you whereby I need to initialize my wireless network at startup, then immediately bring it down & restart it. For some reason the network would remain disconnected if I did not restart it.

    So my advice is to follow post #2 and restart the network during the boot process. Not sure if this is a bug but I have not found a solution ever since.

  5. #5
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    By the way... This also works for Atheros chipsets ("ath0") as shown in here:http://www.ubuntuforums.org/showthread.php?t=225290

  6. #6
    Join Date
    Sep 2006
    Beans
    40

    Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    I followed all the instructions but it won't connect, when issuing iwconfig i get

    essid: off/any

  7. #7
    Join Date
    Nov 2007
    Location
    New York, NY
    Beans
    38
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    Quote Originally Posted by wieman01 View Post
    For WPA1 my example would look like this:

    I have never bothered to setup wpa_supplicant outside of "interfaces" because I don't think it is nice. So I cannot give you any advice there. However, I am having a similar issue as you whereby I need to initialize my wireless network at startup, then immediately bring it down & restart it. For some reason the network would remain disconnected if I did not restart it.

    So my advice is to follow post #2 and restart the network during the boot process. Not sure if this is a bug but I have not found a solution ever since.
    Thanks wieman! I used your post before to get my WPA working for linksys wusb54gv4 but had to manually restart the network EVERY time. I totally missed the second post which explains this bug.

    I did this to update the links for all the rc folders.
    Code:
    sudo update-rc.d wireless-networking defaults 40
    Thanks again. Very informative how-to...

    PS. I'm not sure if you or anyone else had this problem, but when I updated to Hardy and used WPA, my system would sometimes instantly shut down. This did not happen using WEP on hardy. I updated my bios and the kernel as it wouldn't even boot after the shutdown had occurred unless I switched voltage on my computer and cycle power a few times. Hasn't happened since. whew!
    Mobo: ECS-K8M890-M; 2GB DDR2; AMD Athlon64X2 AM2 2.2Ghz;
    OS: Leo, W7, Jaunty; AV: AC97; Sapphire X1650 256MB DDR2
    HD: WD40GB IDE (OSX) & Seagate160GB SATA (Win/Linux)
    WLAN: Linksys WUSB54Gv4 (rt2x00) & Asus USB-N11 (???)

  8. #8
    Join Date
    Jul 2008
    Beans
    7

    Re: HOWTO: Wireless Security - WPA1, WPA2, LEAP, etc.

    Thanks for your post is very detailed. I'm not sure if you or anyone else had this problem, but when I install Hardy and used WPA, my system would not connect. The wireless without WPA or WEP works fine. But as long as I enabled security on route, wireless doesn't work. (the same machine booted to vista can access the same route with WPA/WEP without any issue.)

    I started a post :Wireless with WPA/WEP doesn't work
    http://ubuntuforums.org/showthread.p...57#post5425857

    Any suggestion to my issue?

  9. #9
    Join Date
    Aug 2005
    Location
    Gold Coast, Queensland,AU
    Beans
    224
    Distro
    Ubuntu 11.04 Natty Narwhal

    Talking Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    This thread resulted in my getting a Broadcom 4318 wireless installed and running with WPA(1) under Edgy. I am basically using your example '*Sample configuration WPA1 & DHCP, ESSID broadcast enabled*' from your message #1. Thanks very much.

    A slight improvement on this is that actually, to get wireless up at bootup, all you need is to do this as root:
    echo 'ifdown wlan0' >/etc/init.d/WlanDown
    chmod +x /etc/init.d/WlanDown
    ln -s ../init.d/WlanDown /etc/rcS.d/S40WlanDown
    This runs S40WlanDown just before S40networking, so tidies up something in the wlan setup. Then S40networking runs ../init.d/networking which runs 'ifup -a' which successfully starts wlan0 and all other interfaces.

    The source problem is a bug whereby at shutdown 'ifdown -a' does not seem to run (successfully) :not effectively doing an 'ifdown wlan0'.

    Now I just gotta find again (for the record) where is the other forum message that told me where to get a tarball, that had the driver, and a script to do a lot of the work for me.
    Last edited by DavidTangye; November 23rd, 2006 at 10:52 PM. Reason: .
    The last great frontier is In Your Mind!

  10. #10
    Join Date
    May 2006
    Location
    100acrewood
    Beans
    7,480
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: WPA2 / RSN, NDiswrapper, Static IP, Hidden ESSID, WUSB54G V4

    Quote Originally Posted by DavidTangye View Post
    This thread resulted in my getting a Broadcom 4318 wireless installed and running with WPA(1) under Edgy. I am basically using your example '*Sample configuration WPA1 & DHCP, ESSID broadcast enabled*' from your message #1. Thanks very much.

    A slight improvement on this is that actually, to get wireless up at bootup, all you need is

    This runs S40WlanDown just before S40networking, so tidies up something in the wlan setup. Then S40networking runs ../init.d/networking which runs 'ifup -a' which successfully starts wlan0 and all other interfaces.
    Great. Thank you as well for the script. I will try it out sometime this week & update the guide.

    Would you mind sharing your configuration with us? So the I can take a glance at the "wpa-driver", etc. Just curious, and it it perhaps helpful for others with Broadcom chipsets as well.

Page 1 of 49 12311 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •