HOWTO for using wpa_supplicant with ipw drivers

Latest Version: http://www.bughost.org/ipw/wpa_howto.txt

v0.1 04/07/2005 Salwan - first draft
v0.2 04/12/2005 Salwan - corrected some typos
v0.3 05/26/2005 Wang, Wei - corrected some configuration

Copyright (c) 2004-2006
  - Salwan Searty - Intel Corporation salwan.searty@intel.com,
  - Wei Wang - Intel Corporation wei.z.wang@intel.com

This material may be distributed only subject to the terms and conditions
set forth in the Open Publication License, v1.0 or later (the latest version
is presently available at http://www.opencontent.org/openpub/).

0. Requirements:
----------------

0.1 FreeRadius (Only needed for WPA with EAP. Not needed for WPA-PSK)
    - hardware -
        PC with ethernet adapter
    - software -
        FC3, default 2.6.9-1 kernel
        FreeRadius v1.1.0
        OpenSSL openssl-0.9.7f
        The WPA Helper Package:
            http://www.bughost.org/ipw/wpa_helper_package.tar

0.2 Authenticator (AP):
    - hardware -
        Linksys WRT54GS

0.3 Wireless Client station:
    - hardware -
        Averatec 5110H
        Intel 2100 3B MiniPCI adapter or Intel 2195 ABG MiniPCI adapter
    - software -
        SuSE 9.2, SuSE 10 or FC4 (haven't been successful getting
        wpa_supplicant to work yet with FC3 for some reason.)
        OpenSSL openssl-0.9.7d-25.1
        wpa_supplicant-0.4.6
        ipw2100v1.1.0, ipw2200v1.0.2, ipw3945v0.0.70
        The WPA Helper Package:
            http://www.bughost.org/ipw/wpa_helper_package.tar

1. Wireless client installation and configuration:
--------------------------------------------------

1.1 Install OSD mentioned above on client laptop.
    (Haven't been successful yet for FC3 for some reason.)

1.2 Install driver on client laptop.

1.3 Recompile kernel with the following configurations set to =y
    - CONFIG_NET_RADIO=y
    - CONFIG_CRYPTO_ARC4=y
    - CONFIG_CRC32=y
    - CONFIG_CRYPTO_MICHAEL_MIC=y
    - CONFIG_AES_586=y
    - CONFIG_FW_LOADER=y

1.4 Install ipw wireless driver on client laptop.

1.5 wpa_supplicant configuration and installation.
    - Get http://hostap.epitest.fi/releases/wpa_supplicant-0.4.6.tar.gz
      and untar it.
      (version 0.4.4 is the last version that I have tried and know works.
      For the latest kernel, if wpa_supplicant does not work, please try
      the latest version of wpa_supplicant such as 0.4.6)
        % wget http://hostap.epitest.fi/releases/wpa_supplicant-0.4.6.tar.gz
        % tar zxvf wpa_supplicant-0.4.6.tar.gz

    - Get the WPA Helper Package tarball and untar it to the directory of
      your choice, let's assume it's $BASE. This will contain the openssl
      certificates as well as wpa_supplicant configuration files that you
      need.
        % cd $BASE
        % wget http://www.bughost.org/ipw/wpa_helper_package.tar
        % tar xvf wpa_helper_package.tar

    - Copy the wpa_supplicant build-time configuration file provided by the
      WPA Helper Package to the wpa_supplicant directory.
        % cd $BASE/wpa_supplicant-0.4.6/
        % cp $BASE/wpa_supplicant/buid-time_dotconfig_file ./.config

    - Compile and install:
        % make
        % make install

1.6 Modify the wpa_supplicant configuration file you plan to use.
    - Specifically, modify the ssid line to reflect the name of your
      Access Point.
    - Also, where applicable, change the values of the ca_cert, client_cert,
      and private_key variables to point to the paths of the certificates
      provided by the WPA Helper Package
      ($BASE/wpa_helper_package/certs/....)

2. FreeRadius Server installation and configuration:
----------------------------------------------------

NOTE: If you are using WPA-PSK, skip this section, as you won't be needing
a FreeRadius authentication server. Otherwise, on your Authentication server
machine, do the following:

2.0 Check whether another version of FreeRadius is already installed on the
    system; if so, remove it and its configuration.

2.1 Get the FreeRadius package and untar it inside a directory of your
    choice, let's refer to it as $BASE.
        % cd $BASE
        % wget ftp://ftp.freeradius.org/pub/radius/freeradius-1.1.0.tar.gz
        % tar zxvf freeradius-1.1.0.tar.gz

2.2 Configure, compile and install steps
        % cd $BASE/freeradius-1.1.0
        % ./configure --prefix=$FREERADIUS_PREFIX_DIR
        % make
        % make install

2.3 Get the WPA Helper Package tarball and untar it to the directory of
    your choice, let's assume it's $BASE again.
        % cd $BASE
        % wget http://www.bughost.org/ipw/wpa_helper_package.tar
        % tar xvf wpa_helper_package.tar

2.4 Replace FreeRadius's configuration directory
    - $FREERADIUS_PREFIX_DIR/etc/raddb - with the one that is provided in
    the WPA Helper Package.
        % cd $FREERADIUS_PREFIX_DIR/etc/
        % mv raddb raddb.save
        % ln -s $BASE/wpa_helper_package/freeradius/raddb raddb
    or just cp it.

2.5 Modify the file $FREERADIUS_PREFIX_DIR/etc/raddb/clients.conf: just
    replace the string "192.168.2.0" with whatever the subnet of your
    access point is.

2.6 Create a certs link from the raddb configuration directory to the certs
    directory provided in the WPA Helper Package
        % cd $FREERADIUS_PREFIX_DIR/etc/raddb
        % ln -s $BASE/wpa_helper_package/certs ./certs
    or just cp it.

2.7 Change "prefix = $FREERADIUS_PREFIX_DIR" in file
    $FREERADIUS_PREFIX_DIR/etc/raddb/radiusd.conf

3. Association and Authentication:
----------------------------------

3.1 Configuring the AP:

    If you're doing a WPA-PSK configuration, set the wireless security
    settings of the Access Point as follows:
        Security Mode: PSK (Pre-Shared Key)
        WPA Algorithm: TKIP or AES
        WPA Shared Key: make sure that this string exactly matches the psk
            line in
            $BASE/wpa_helper_package/wpa_supplicant/wpasupplicant-psk.conf
            (on your wireless client).

    If you're using a FreeRadius authentication server, connect the AP to
    the FreeRadius server via ethernet cable.
    - Obtain an IP address from the AP, and note that IP address as you
      need it in the following step.
    - Set the wireless security settings of the Access Point as follows:
        Security Mode: PSK RADIUS
        WPA Algorithm: TKIP or AES
        RADIUS Server Address: Enter the IP Address obtained in the
            preceding step.
        RADIUS Port: 1812
        Shared Secret: make sure it is identical to the secret field of one
            of the *client* sections (see the following) in file
            $FREERADIUS_PREFIX_DIR/etc/raddb/clients.conf.
        --------------------------------------------------
        client 192.168.1.0/24 {
            secret = sharedsecret
            shortname = private-network-2
            login = !root
            password = wireless
        }
        --------------------------------------------------
        Shared Key: make sure that this string and the psk line in
            $BASE/wpa_helper_package/wpa_supplicant/WPA_PSK_xxx.conf
            (on your wireless client) match exactly.
    - NOTE: By default, the FreeRadius clients.conf file assumes that the
      AP will be assigning IP addresses within the 192.168.2.0 network. If
      your AP is configured otherwise, you will need to either change the
      AP settings or modify the clients.conf file on the FreeRadius server.

3.2 If you're using a FreeRadius server, load the radiusd daemon as follows:
        % radiusd -X
    NOTE: Append the "-d " to the above line if necessary.

3.3 On the wireless client:
    - Make sure that the SSID in WPA_xxx.conf is consistent with the SSID
      name of the AP.
    - Make sure the fields "ca_cert", "client_cert", "private_key" etc. in
      WPA_xxx.conf are pointing to the right place in the local "certs"
      directory.
    - load the driver
        % modprobe ipw2x00
    - load the sw kill switch module - if any
        % modprobe (if applicable)
    - Kill your dhcp client app
        % killall dhcpcd (or dhclient or whatever it's called)
    - bring up the interface:
        % ifconfig eth0 up
    - run wpa_supplicant, using one of the wpa_supplicant configuration
      files that are provided in the WPA Helper Package:
      -- For ipw2100:
        % wpa_supplicant -iethX \
              -c $BASE/wpa_helper_package/wpa_supplicant/ \
              -d -Dipw
      -- For ipw2200, ipw3945:
        % wpa_supplicant -iethX \
              -c $BASE/wpa_helper_package/wpa_supplicant/ \
              -d -Dwext
      From the standard output of wpa_supplicant, verify that the
      authentication succeeds
    - request or configure an IP address:
        % dhcpcd ethX
      or
        % ifconfig ethX up
    - Verify that you get an IP address and can ping the AP and the
      FreeRadius server
        % ifconfig ethX
        % ping
        % ping
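
Steps 1.6 and 3.3 ask you to make sure that ca_cert, client_cert and private_key point at the right files. The script below is an added example, not part of the original HOWTO or of the WPA Helper Package. It checks those paths and also checks that the configuration file and the private key are not accessible to other users, since they hold the psk, private_key_passwd and key material. The function names check_wpa_conf and owner_only are made up for this example.

```shell
#!/bin/sh
# Added example; not part of the HOWTO or the WPA Helper Package.
# check_wpa_conf FILE
#   Pre-flight check for a wpa_supplicant configuration file:
#   - FILE holds the psk / private_key_passwd, so group and others
#     must have no access to it
#   - ca_cert, client_cert and private_key must point at readable files
#   - the private key file must not be accessible to group or others
#   Prints one finding per line and returns the number of findings.

# Succeeds when the group/other permission bits of $1 are all clear.
owner_only() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

check_wpa_conf() {
    conf=$1
    findings=0
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read configuration file"
        return 1
    fi
    if ! owner_only "$conf"; then
        echo "$conf: accessible to group/others (chmod 600)"
        findings=$((findings + 1))
    fi
    # read without IFS= strips leading and trailing blanks from each line
    while read -r line; do
        case $line in
            ca_cert=*|client_cert=*|private_key=*) ;;
            *) continue ;;          # comments, other keys, braces
        esac
        key=${line%%=*}
        path=${line#*=}
        path=${path#\"}
        path=${path%\"}
        if [ ! -r "$path" ]; then
            echo "$key: $path is missing or unreadable"
            findings=$((findings + 1))
        elif [ "$key" = private_key ] && ! owner_only "$path"; then
            echo "$key: $path is accessible to group/others (chmod 600)"
            findings=$((findings + 1))
        fi
    done < "$conf"
    return "$findings"
}

# Usage: sh check_wpa_conf.sh /path/to/wpa_supplicant.conf
if [ "$#" -gt 0 ]; then
    check_wpa_conf "$1"
fi
```

For PEM certificates, openssl verify -CAfile with the ca_cert path followed by the client_cert path additionally confirms that the client certificate chains to that CA.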