This guide was tested with:
Jaunty Jackalope (9.04)
Oneiric Ocelot (11.10)
--
Since it appears that very few people take wireless security seriously, I'd like to come up with my first HOWTO and explain how I was able to configure a secure home network using WPA2, the latest encryption & authentication standard. There are also other types of configuration (WPA1, mixed mode, LEAP, PEAP, DHCP, etc.) shown in the appendix. Feedback is much appreciated.
Common stumbling blocks - Make sure that:
1. Ethernet cable is unplugged.
2. No firewall & configuration tool is running (e.g. Firestarter).
3. MAC filtering is disabled.
4. NetworkManager, Wifi-Radar & similar wireless configuration tools are disabled/turned off and not in use.
5. Some cards/drivers (e.g. Madwifi) do not support WPA2 (AES). Try WPA1 (TKIP) if WPA2 secured connections fail.
6. Set router to BG-Only if using ndiswrapper (and perhaps Broadcom 43xx as I don't know about others).
My Requirements:
1. WPA2 / RSN
2. AES / CCMP
3. Hidden ESSID (no broadcast)
4. Static IP (because I use port forwarding & firewall, etc.)
5. Pre-shared key (no EAP)
If you want to know more about WPA / RSN & 802.11i security specification, I recommend this site.
Now let's get started (wpa-supplicant is usually installed by default):
0. Install "wpa-supplicant":
sudo apt-get install wpasupplicant
1. Verify that your network device ("wlan0"?) is working & your wireless network is detected:
iwconfig
sudo iwlist scan
Your network device & wireless network should appear here.
2. Open "/etc/network/interfaces":
sudo gedit /etc/network/interfaces
The content should look similar to this:
auto lo
iface lo inet loopback
auto wlan0
iface wlan0 inet dhcp
3. Now replace the last 2 lines with the following using your own network settings (the sequence in which the lines appear is crucial):
auto wlan0
iface wlan0 inet static
address 192.168.168.40
gateway 192.168.168.230
dns-nameservers 192.168.168.230
netmask 255.255.255.0
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
- auto wlan0:
Your network interface (e.g. wlan0, eth1, rausb0, ra0, etc.).
- iface wlan0 inet static:
Self-explanatory... I am using a Static IP instead of DHCP. "iface wlan0" must correspond to your network interface (see above).
- address, netmask, [..], dns-nameservers:
Also self-explanatory... Be aware that "broadcast" needs to end with ".255" for negotiation with the router. These lines must match your own (static) network settings. For DHCP see further below.
- wpa-driver:
Use "wext" only. All other drivers are outdated and no longer used.
- wpa-ssid:
Your network's ESSID (no quotes ""). Please avoid blanks/spaces as they will create problems during key generation (see below).
- wpa-ap-scan:
"1" = Broadcast of ESSID.
"2" = Hidden broadcast of ESSID.
- wpa-proto:
"RSN" = WPA(2)
"WPA" = WPA(1)
- wpa-pairwise & wpa-group:
"CCMP" = AES cipher as part of WPA(2) standard.
"TKIP" = TKIP cipher as part of WPA(1) standard.
- wpa-key-mgmt:
"WPA-PSK" = Authentication via pre-shared key (see 'key generation' further below).
"WPA-EAP" = Authentication via enterprise authentication server.
VERY IMPORTANT ("WPA PSK Key Generation"):
Now convert your WPA ASCII password using the following command:
wpa_passphrase <your_essid> <your_ascii_key>
Resulting in an output like...
network={
ssid="test"
#psk="12345678"
psk=fe727aa8b64ac9b3f54c72432da14faed933ea511ecab15bbc6c52e7522f709a
}
Copy the "hex_key" (next to "psk=...") and replace <your_hex_key> in the "interfaces" file with it. Then save the file and restart your network:
sudo /etc/init.d/networking restart
You should be connecting to your router now... However, I figured that a restart is sometimes necessary so that's what I usually do (I know this sounds a bit clumsy - see post #2 for startup script).
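What wpa_passphrase computes when it turns the ASCII password into the hex key, as an added example in Python that is not part of the original post: the PSK is PBKDF2-HMAC-SHA1 with the ESSID as salt, which is why the key only works for that exact ESSID and why an ESSID with blanks is awkward on the command line. The function names wpa_psk() and network_block() are my own.

```python
import hashlib

# Added example, not from the original post: what wpa_passphrase computes.
# WPA-PSK derives the 256-bit key as PBKDF2-HMAC-SHA1(passphrase, ESSID,
# 4096 iterations, 32 bytes) per IEEE 802.11i. Because the ESSID is the salt,
# the key only works for that exact ESSID, and an ESSID with blanks must be
# quoted on the command line or the wrong salt gets used.

def wpa_psk(essid: str, passphrase: str) -> str:
    """Return the 64-hex-char key that goes into the wpa-psk line."""
    ssid, pw = essid.encode("utf-8"), passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63 or any(c < 32 or c > 126 for c in pw):
        raise ValueError("passphrase must be 8..63 printable ASCII chars")
    if not 1 <= len(ssid) <= 32:
        raise ValueError("ESSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid, 4096, dklen=32).hex()

def network_block(essid: str, passphrase: str) -> str:
    """Render the same network={...} block that wpa_passphrase prints."""
    return "\n".join(["network={", f'\tssid="{essid}"',
                      f'\t#psk="{passphrase}"',
                      f"\tpsk={wpa_psk(essid, passphrase)}", "}"])

if __name__ == "__main__":
    # IEEE 802.11i-2004 Annex H.4 test vector: ESSID "IEEE", passphrase "password"
    print(network_block("IEEE", "password"))
```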
*****************************Revoking read-permission from 'others'*********************************
sudo chmod o=-r /etc/network/interfaces
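A small checker for the stanza built in step 3 and for the permission change just above, added here as an example in Python and not part of the original post; the option names are the ones used in this HOWTO, while the sample stanza and the function names (lint, perms_ok) are my own.

```python
import re
import stat

# Added example, not from the original post: a linter for the "iface ... inet"
# stanza built in step 3. It flags an ESSID with blanks, a wpa-proto whose
# cipher is missing from wpa-pairwise/wpa-group (the post's pairing: RSN=CCMP,
# WPA=TKIP), and a wpa-psk that is neither a 64-hex key nor a quoted 8..63-char
# passphrase (e.g. the <your_hex_key> placeholder left in). perms_ok() mirrors
# the "chmod o=-r" step. SAMPLE_STANZA is constructed for this example.

CIPHER_FOR = {"RSN": "CCMP", "WPA": "TKIP"}

SAMPLE_STANZA = """iface wlan0 inet static
wpa-driver wext
wpa-ssid homenet
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key>
"""

def parse_wpa_options(text: str) -> dict:
    opts = {}
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        if key.startswith("wpa-"):
            opts[key] = val.strip()
    return opts

def lint(text: str) -> list:
    """Return the problems found; an empty list means the stanza is sane."""
    o, problems = parse_wpa_options(text), []
    if not o.get("wpa-ssid") or " " in o["wpa-ssid"]:
        problems.append("wpa-ssid missing or contains blanks")
    for proto in o.get("wpa-proto", "").split():
        cipher = CIPHER_FOR.get(proto)
        for opt in ("wpa-pairwise", "wpa-group"):
            if cipher and cipher not in o.get(opt, "").split():
                problems.append(f"{opt} lacks {cipher} for {proto}")
    if o.get("wpa-key-mgmt") == "WPA-PSK":
        psk = o.get("wpa-psk", "")
        if not (re.fullmatch(r"[0-9a-fA-F]{64}", psk)
                or re.fullmatch(r'"[ -~]{8,63}"', psk)):
            problems.append("wpa-psk is not a 64-hex key or a quoted passphrase")
    return problems

def perms_ok(mode: int) -> bool:
    """True when 'others' have no read bit, as after chmod o=-r."""
    return not (mode & stat.S_IROTH)
```

Run lint() over the text of your own stanza; perms_ok(os.stat("/etc/network/interfaces").st_mode) tells you whether the chmod step has been done.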
*****************************Sample configuration WPA2 & DHCP, ESSID broadcast enabled***************
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
*****************************Sample configuration WPA1 & DHCP, ESSID broadcast enabled***************
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
****************************Sample configuration mixed mode (WPA1, WPA2) & DHCP, ESSID broadcast*****
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto WPA RSN
wpa-pairwise TKIP CCMP
wpa-group TKIP CCMP
wpa-key-mgmt WPA-PSK
wpa-psk <your_hex_key> [IMPORTANT: See "WPA-PSK key generation"]
****************************Sample conf. LEAP, WEP, DHCP, ESSID broadcast***************************
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap LEAP
wpa-key-mgmt IEEE8021X
wpa-identity <your_user_name>
wpa-password <your_password>
****************************Sample conf. PEAP, AES, DHCP, ESSID broadcast***************************
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-eap PEAP
wpa-key-mgmt WPA-EAP
wpa-identity <your_identity>
wpa-password <your_password>
*****************************Sample conf. TTLS, WEP, DHCP, ESSID broadcast**************************
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-eap TTLS
wpa-key-mgmt IEEE8021X
wpa-anonymous-identity <anonymous_identity>
wpa-identity <your_identity>
wpa-password <your_password>
wpa-phase2 auth=PAP [Also: CHAP, MSCHAP, MSCHAPV2]
*****************************NOT TESTED: Sample conf. EAP-FAST, WPA1/WPA2, DHCP, ESSID broadcast****
auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid <your_essid>
wpa-ap-scan 1
wpa-proto RSN WPA
wpa-pairwise CCMP TKIP
wpa-group CCMP TKIP
wpa-key-mgmt WPA-EAP
wpa-eap FAST
wpa-identity <your_user_name>
wpa-password <your_password>
wpa-phase1 fast_provisioning=1
wpa-pac-file /path/to/eap-pac-file
*****************************Tested adapters***************************************************
1. Linksys WUSB54G V4 (ndiswrapper; wpa-driver = wext)
2. Intel IPW2200 (Linux driver; wpa-driver = wext)
3. Linksys WPC54G (ndiswrapper; wpa-driver = wext)
4. D-Link WNA-2330 (Linux driver; wpa-driver = madwifi)
5. Linksys WMP54G V2 (ndiswrapper; wpa-driver = wext)
6. D-Link WDA-2320 (Linux driver; wpa-driver = madwifi)
7. Netgear WPN311 (Linux driver; wpa-driver = wext)
8. Netgear WG511v2 (ndiswrapper; wpa-driver = wext)
*****************************Post this if you are stumped******************************************
# route
# iwconfig
# sudo iwlist scan
# sudo lshw -C network
# sudo cat /etc/network/interfaces
# sudo ifdown -v <your_interface>
# sudo ifup -v <your_interface>
*****************************Other useful commands*********************************************
# Ubuntu version & kernel >> uname -a
# Root file access >> alt F2 then 'gksudo nautilus' in cli
# Get IP Address or Renew >> sudo dhclient wlan0 [or whatever your wl adapter is]
# Get wireless info >> iwconfig
# Get AP info >> iwlist scan
# Get wireless info >> iwlist (lots of options will list)
# Routes if wlan0 working >> route
# DNS resolving via eth1 >> cat /etc/resolv.conf
# List devices/modules >> lspci, lsusb, lshw, lsmod
# Restart network >> sudo /etc/init.d/networking restart
# Boot messages >> dmesg
# Kill NWM >> sudo killall NetworkManager
# Events from your wl >> iwevent
# Restart all daemons >> sudo /etc/init.d/dbus restart
# Restart network >> sudo /etc/init.d/networking restart
CHANGE LOG:
08/11/2006: Added section "Post this if you are stumped" (SquibT).
08/11/2006: Added sample configuration for WPA2 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added sample configuration for WPA1 with DHCP & ESSID broadcast (Wieman01).
08/11/2006: Added section "Tested adapters" (Wieman01).
08/11/2006: Added section "Useful commands" (SquibT).
08/11/2006: Added section "Common stumbling blocks" (Wieman01).
08/11/2006: Changed section "wpa-driver" and added new drivers (Wieman01).
08/11/2006: Added section "Revoking read-permission from group 'others'" (Wieman01).
09/11/2006: Minor changes in layout (Wieman01).
09/11/2006: Added sample configuration for mixed mode (WPA1, WPA2) with DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added experimental sample configuration for LEAP with WEP, DHCP & ESSID broadcast (Wieman01).
09/11/2006: Added section "Install wpa-supplicant" (Wieman01).
10/11/2006: Added experimental sample configuration for TTLS with WEP, DHCP & ESSID broadcast (Wieman01).
15/11/2006: Added experimental sample configuration for EAP-FAST with WPA1/WPA2, DHCP & ESSID broadcast (Wieman01).
04/12/2006: Changed "wpa_passphrase" section & added quotes ("") for encryption keys containing special characters (Wieman01).
04/01/2007: Added various security options (Wieman01).
15/01/2007: Added valid script for EAP-LEAP (Wieman01).
31/01/2007: Added valid script for EAP-PEAP (Wieman01).
21/04/2007: Removed "wpa-conf" for Edgy Eft (Wieman01).
22/04/2007: Simplified section concerning static network settings (Wieman01).
02/05/2007: Added note concerning WPA2 support for Atheros cards & drivers (Wieman01).
13/05/2007: Added note on Ralink drivers (Wieman01).
15/04/2008: Tested with HardyHeron (Wieman01).
04/09/2008: Added note on wireless B/G/N (Wieman01).
06/12/2008: Note for Intrepid Ibex users (Wieman01).
07/03/2009: Closed thread (Wieman01).
05/04/2009: Re-opened and enhanced thread (Wieman01).