This guide was tested with Dapper Drake, Feisty Fawn, Gutsy Gibbon, and Hardy Heron.
--
Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.
Common stumbling blocks - Make sure that:
1. Ethernet cable is unplugged.
2. No firewall & configuration tool is running (e.g. Firestarter).
3. MAC filtering is disabled.
4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
6. RTxxx (Ralink) drivers do not support this approach. Either install "ndiswrapper" replacing Serialmonkey's driver or visit this site.
7. Turn off "roaming" if you repeatedly fail to establish a connection.
My Requirements:
1. WPA2 / RSN
2. AES / CCMP
3. Hidden ESSID (no broadcast)
4. Static IP (because I use port forwarding & firewall, etc.)
5. Pre-shared key (no EAP)
If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.
Now let's get started:
0. Install "wpa-supplicant":
1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:sudo apt-get install wpasupplicant
iwconfigYour network device & wireless network should appear here.iwlist scan
2. Open "/etc/network/interfaces":
The content should look similar to this:sudo gedit /etc/network/interfaces
3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):auto lo
iface lo inet loopback
auto wlan0
iface wlan0 inet dhcp
auto wlan0
iface wlan0 inet static
address 192.168.168.40
gateway 192.168.168.230
dns-nameservers 192.168.168.230
netmask 255.255.255.0
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
- auto wlan0:
Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).
- iface wlan0 inet static:
Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).
- address, netmask, [..], dns-nameservers:
Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines need to be according to your own (static) network settings. For DHCP see further below.
- wpa-driver:
That's the wpa-driver for your card ('wext' is a generic driver that is applicable when using "ndiswrapper"). Leave it as it is. Other drivers are:
hostap = Host AP driver (Intersil Prism2/2.5/3)
atmel = ATMEL AT76C5XXx (USB, PCMCIA)
wext = Linux wireless extensions (generic)
madwifi = Atheros
wired = wpa_supplicant wired Ethernet driver
- wpa-ssid:
Your network's ESSID (no quotes "").
- wpa-ap-scan:
"1" = Broadcast of ESSID.
"2" = Hidden broadcast of ESSID.
- wpa-proto:
"RSN" = WPA(2)
"WPA" = WPA(1)
- wpa-pairwise & wpa-group:
"CCMP" = AES cipher as part of WPA(2) standard.
"TKIP" = TKIP cipher as part of WPA(1) standard.
- wpa-key-mgmt:
"WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
"WPA-EAP" = Authentication via enterprise authentication server.
VERY IMPORTANT ("WPA PSK Key Generation"):
Now convert your WPA ASCII password using the following command:
Resulting in an output like...wpa_passphrase <your_essid> <your_ascii_key>
Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" files with it. Then save the file and restart your network:network={
ssid="test"
#psk="12345678"
psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab1 5bbc6c52e7522f709a
}
You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).sudo /etc/init.d/networking restart
*****************************Revoking read-permission from 'others'*********************************
*****************************Revoking read-permission from 'others'*********************************sudo chmod o=-r /etc/network/interfaces
*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************
*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************
*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****
****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA RSN
wpa-pairwise TKIP CCMP
wpa-group TKIP CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************
****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap LEAP
wpa-key-mgmt IEEE8021X
wpa-identity <your_user_name>
wpa-password <your_password>
****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************
****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-eap PEAP
wpa-key-mgmt WPA-EAP
wpa-identity <your_identity>
wpa-password <your_password>
*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************
*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap TTLS
wpa-key-mgmt IEEE8021X
wpa-anonymous-identity <anonymous_identity>
wpa-identity <your_identity>
wpa-password <your_password>
wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]
*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****
*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN WPA
wpa-pairwise CCMP TKIP
wpa-group CCMP TKIP
wpa-key-mgmt WPA-EAP
wpa-eap FAST
wpa-identity <your_user_name>
wpa-password <your_password>
wpa-phase1 fast_provisioning=1
wpa-pac-file /path/to/eap-pac-file
*****************************Tested adapters****************************************** *********
*****************************Tested adapters****************************************** *********1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext)
2. Intel IPW2200 (Linux driver; wpa-driver = wext)
3. Linksys WPC54G (ndiswrapper; wpa-driver = wext)
4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi)
5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext)
6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi)
7. Netgear WPN311 (Linux driver; wpa-driver = wext)
8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)
*****************************Post this if you are stumped******************************************
*****************************Post this if you are stumped******************************************# route
# iwconfig
# sudo iwlist scan
# sudo lshw -C network
# sudo cat /etc/network/interfaces
# sudo ifdown -v <your_interface>
# sudo ifup -v <your_interface>
*****************************Other useful commands****************************************** ***
*****************************Other useful commands****************************************** ***# Ubuntu version & kernel >> uname -a
# Root file access >> alt F2 then 'gksudo nautilus' in cli
# Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is]
# Get wireless info >> iwconfig
# Get AP info >> iwlist scan
# Get wireless info >> iwlist (lots of options will list)
# Routes if wlan0 working >> route
# DNS resolving via eth1 >> cat /etc/resolv.conf
# List devices/modules >> lspci, lsusb, lshw, lsmod
# Restart network >> sudo /etc/init.d/networking restart
# Boot messages >> dmesg
# Kill NWM >> sudo killall NetworkManager
# Events from your wl >> iwevent
# Restart all daemons >> sudo /etc/init.d/dbus restart
# Restart network >> sudo /etc/init.d/networking restart
CHANGE LOG:
08/11/2006: Added section "Post this if you are stumped" (SquibT).
08/11/2006: Added sample configuration for WPA2 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added sample configuration for WPA1 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added section "Tested adapters" (Wieman01).
08/11/2006: Added section "Useful commands" (SquibT).
08/11/2006: Added section "Common stumbling blocks" (Wieman01).
08/11/2006: Changed section "wpa-driver" and added new drivers (Wieman01).
08/11/2006: Added section "Revoking read-permission from group 'others'" (Wieman01).
09/11/2006: Minor changes in layout (Wieman01).
09/11/2006: Added sample configuration for mixed mode (WPA1, WPA2) with DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added experimental sample configuration for LEAP with WEP, DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added section "Install wpa-supplicant" (Wieman01).
10/11/2006: Added experimental sample configuration for TTLS with WEP, DHCP & ESSID broadcast (Wieman01).
15/11/2006: Added experimental sample configuration for EAP-FAST with WPA1/WPA2, DHCP & ESSID broadcast (Wieman01).
04/12/2006: Changed "wpa_passphrase" section & added quotes ("") for encryption keys containing special characters (Wieman01).
04/01/2007: Added various security options (Wieman01).
15/01/2007: Added valid script for EAP-LEAP (Wieman01).
31/01/2007: Added valid script for EAP-PEAP (Wieman01).
21/04/2007: Removed "wpa-conf" for Edgy Eft (Wieman01).
22/04/2007: Simplified section concerning static network settings (Wieman01).
02/05/2007: Added note concerning WPA2 support for Atheros cards & drivers (Wieman01).
13/05/2007: Added note on Ralink drivers (Wieman01).
15/04/2008: Tested with Hardy Heron (Wieman01).
Bookmarks