Here, I’m trying to set up a configuration for secure wireless based on Linux at both ends (initially).
The current configuration is unsecured 802.11 with private IP addresses, IPSec in transport mode authenticated with X.509 certificates over that, and L2TP over that, which tunnels PPP so we can use RADIUS and usernames for authentication and maybe usage billing. ^_^
Yeah, it’s pretty hopeful. I’m confident that it can be done, and made into something that isn’t an administrative nightmare.
Anyway, I’m gonna put up both details and configuration files, so everyone can see what I’ve done to make it work. Or at least get as far as I have.
I’m doing WPA with my PowerBook’s built-in wireless device:
You’ll need the driver packages for both the bcm43xx driver and the devicescape (dscape) 802.11 network stack.
You’ll also need a wpa_supplicant package patched with the dscape patch… I’ll upload one sooner or later, but for now you can get the patch and apply it to the Debian package, and also modify debian/patches/01_config.dpatch to add “+CONFIG_DRIVER_DSCAPE=y”. Then rebuild the wpasupplicant package, and you’re right to go.
Firstly, I hope you’re using udev. Add the following to /etc/udev/local.rules:
# For bcm43xx with devicescape driver, run add_sta to create the sta%n interface
SUBSYSTEM=="net", KERNEL=="wlan0", SYSFS{address}=="00:0d:93:*", RUN+="/sbin/add_sta %k sta%n"
SUBSYSTEM=="net", KERNEL=="wlan0.11", SYSFS{address}=="00:0d:93:*", RUN+="/sbin/iwconfig wlan0.11 mode managed"
SUBSYSTEM=="net", KERNEL=="wlan0.11", SYSFS{address}=="00:0d:93:*", RUN+="/sbin/ip link set up %k"
and symlink it into /etc/udev/rules.d
Now add this to /etc/modprobe.d/local
install 80211 modprobe --ignore-install 80211 && modprobe rate_control
(I will eventually update the dscape package to do that last one for you)
Then you apply this patch to /etc/init.d/wpasupplicant: (Once I post wpasupplicant packages, this will be included too)
--- /home/tbble/code/wpa/wpasupplicant-0.4.6/debian/init.d/wpasupplicant 2006–01–06 20:09:12.000000000 +1300
+++ wpasupplicant 2006–01–29 10:36:06.000000000 +1300
@@ -15,6 +15,10 @@
CONFIG=“/etc/wpa_supplicant.conf”
PNAME=“wpa_supplicant”
+DAEMON_C=/usr/sbin/wpa_cli
+PIDFILE_C=“/var/run/wpa_cli.pid”
+PNAME_C=“wpa_cli”
+
# insane defaults
OPTIONS=“-Bw” # daemonize and wait for interface
ENABLED=0
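Review bot: CLI_SCRIPT is tested with `[ -x $CLI_SCRIPT ]` in the later hunks but gets no default here next to DAEMON_C, PIDFILE_C and PNAME_C; add `CLI_SCRIPT=""` to this block so an /etc/default/wpasupplicant that does not set it leaves the variable empty rather than unset, and quote `DAEMON_C=/usr/sbin/wpa_cli` to match the neighbouring assignments. Note also that the quotes around the values appear as curly “ ” in this listing; pasted as shown, the shell would keep them as part of the path.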
@@ -38,12 +42,18 @@
echo -n “Starting wpa_supplicant: “
start-stop-daemon —start —name $PNAME \
—oknodo —startas $DAEMON — -B $OPTIONS
+ [ -x $CLI_SCRIPT ] && \
+ sleep 1 && \
+ start-stop-daemon —start —name $PNAME_C \
+ —oknodo —startas $DAEMON_C — -B -a $CLI_SCRIPT -P $PIDFILE_C
echo “done.”
;;
stop)
echo -n “Stopping wpa_supplicant: “
start-stop-daemon —stop —name $PNAME \
—oknodo
+ start-stop-daemon —stop —name $PNAME_C \
+ —oknodo —pidfile $PIDFILE_C -q
echo “done.”
if [ -f $PIDFILE ]; then
rm -f $PIDFILE;
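Review bot: `[ -x $CLI_SCRIPT ]` in the start branch is unquoted, so when CLI_SCRIPT is empty or unset it collapses to `[ -x ]`, a one-argument test on the string "-x" that succeeds, and wpa_cli is then started with `-a` and no script; write `[ -x "$CLI_SCRIPT" ]`. In the stop branch wpa_supplicant is stopped before wpa_cli, so wpa_cli will see the disconnect and run the action script (and its ifdown) while the service is going down; stop wpa_cli first if that is not wanted. The option names also appear as `—start` and `—stop` (em-dash) in this listing rather than `--start` and `--stop`.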
@@ -59,11 +69,16 @@
echo -n “Restarting wpa_supplicant: “
start-stop-daemon —stop —name $PNAME \
—retry 5 —oknodo
+ start-stop-daemon —stop —name $PNAME_C \
+ —oknodo —pidfile $PIDFILE_C -q
if [ -f $PIDFILE ]; then
rm -f $PIDFILE;
fi
start-stop-daemon —start —name $PNAME \
—oknodo —startas $DAEMON — -B $OPTIONS
+ [ -x $CLI_SCRIPT ] && \
+ start-stop-daemon —start —name $PNAME_C \
+ —oknodo —startas $DAEMON_C — -B -a $CLI_SCRIPT -P $PIDFILE_C
echo “done.”
;;
*)
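Review bot: the restart branch starts wpa_cli immediately after wpa_supplicant, without the `sleep 1` that the start branch uses to let the control socket appear, so restart and start behave differently; move the two start commands and the two stop commands into a pair of shell functions called from start, stop and restart so they cannot drift, and quote `"$CLI_SCRIPT"` here for the same reason as in the start branch.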
Then add this to the bottom of /etc/default/wpasupplicant:
# Script for wpa_cli to run when a network is either connected or disconnected
CLI_SCRIPT="/usr/local/sbin/wpa-action.sh"
Now create a /usr/local/sbin/wpa-action.sh:
#!/bin/sh
# Run by wpa_cli -a on every association change: $1 is the interface,
# $2 is CONNECTED or DISCONNECTED.
IFNAME="$1"
CMD="$2"
if [ "$CMD" = "CONNECTED" ]; then
    # Ask wpa_supplicant which SSID we joined and bring up the matching
    # SSID_<ssid> stanza from /etc/network/interfaces.
    SSID=$(wpa_cli -i "$IFNAME" status | grep '^ssid=' | cut -f2- -d=)
    # configure network, signal DHCP client, etc.
    ifup "$IFNAME=SSID_$SSID"
fi
if [ "$CMD" = "DISCONNECTED" ]; then
    # remove network configuration, if needed
    ifdown "$IFNAME"
fi
Finally, add interfaces to your /etc/network/interfaces file normally, but call them SSID_<ssid> like so:
iface SSID_HOMELAN inet dhcp
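The SSID that the action script feeds to ifup is chosen by whatever access point the card associated to, so it is untrusted input: an SSID containing a space, a quote or an "=" will at best make ifup fail to find the stanza. Below is an added example of a stricter wpa-action.sh (my code, not the original post's script): it keeps the same CONNECTED/DISCONNECTED dispatch but reduces the SSID to a safe ifupdown logical-interface name, checks that a stanza for it actually exists, and falls back to a catch-all stanza when none does. The SSID_DEFAULT fallback name, the logger tag and the INTERFACES_FILE override are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original post's wpa-action.sh: same dispatch, but the
# SSID is treated as untrusted. It is reduced to a safe logical-interface name,
# checked against /etc/network/interfaces, and a fallback stanza is used when
# no SSID_<ssid> stanza exists. SSID_DEFAULT and the logger tag are assumptions.

INTERFACES_FILE="${INTERFACES_FILE:-/etc/network/interfaces}"
FALLBACK_IFACE="${FALLBACK_IFACE:-SSID_DEFAULT}"   # assumed catch-all stanza

# ssid_to_iface SSID: print SSID_<ssid> with every byte outside [A-Za-z0-9_-]
# replaced by "_", so spaces, quotes, "=" and shell metacharacters never reach
# ifup. "Home LAN" becomes SSID_Home_LAN.
ssid_to_iface() {
    printf 'SSID_%s\n' "$(printf '%s' "$1" | tr -c 'A-Za-z0-9_-' '_')"
}

# iface_defined NAME: succeed only if an "iface NAME ..." stanza exists, so
# ifup is never handed a name it has no configuration for.
iface_defined() {
    grep -Eq "^[[:space:]]*iface[[:space:]]+$1[[:space:]]" "$INTERFACES_FILE" 2>/dev/null
}

# choose_iface SSID: print the stanza to use, preferring SSID_<ssid> and
# falling back to FALLBACK_IFACE; fail if neither is defined.
choose_iface() {
    want=$(ssid_to_iface "$1")
    if iface_defined "$want"; then
        printf '%s\n' "$want"
    elif iface_defined "$FALLBACK_IFACE"; then
        printf '%s\n' "$FALLBACK_IFACE"
    else
        return 1
    fi
}

# handle_event IFACE EVENT: the two arguments wpa_cli -a passes to the script.
handle_event() {
    ifname="$1"
    event="$2"
    case "$event" in
        CONNECTED)
            # "wpa_cli status" prints key=value lines; keep only the ssid value.
            ssid=$(wpa_cli -i "$ifname" status | sed -n 's/^ssid=//p' | head -n 1)
            if target=$(choose_iface "$ssid"); then
                ifup "$ifname=$target"
            else
                logger -t wpa-action "no stanza for SSID '$ssid' and no $FALLBACK_IFACE; leaving $ifname unconfigured"
                return 1
            fi
            ;;
        DISCONNECTED)
            ifdown "$ifname"
            ;;
        *)
            # wpa_cli only sends the two events above; anything else is a misuse.
            return 2
            ;;
    esac
}

# Only dispatch when invoked the way wpa_cli does: wpa-action.sh <iface> <event>
if [ $# -eq 2 ]; then
    handle_event "$1" "$2"
fi
```

Because the sanitised name only ever contains [A-Za-z0-9_-], it is also safe to interpolate into the grep pattern in iface_defined; an SSID such as "evil; rm -rf /" turns into SSID_evil__rm_-rf__, finds no stanza, and ends up on the fallback instead of anywhere near a shell.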
And you’re laughing. modprobe bcm43xx, run /etc/init.d/wpasupplicant start, and you should see things happening in /var/log/syslog.
Also, you can do this for non-WPA networks. It’s the same, except the /etc/wpa_supplicant.conf entry for that SSID won’t have a key or encryption set. All the other scripts are identical; that is the reason for using wpa_supplicant like this, since one mechanism then handles both WPA and open networks.
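The post never shows the wpa_supplicant side, so here is an added example /etc/wpa_supplicant.conf for the setup above (mine, not the original post's file) with one WPA-PSK network and one open network; the SSIDs, the passphrase and the control-interface group are made up, and the action script would map them to SSID_HOMELAN and SSID_CAFE stanzas in /etc/network/interfaces.

```conf
# Added example /etc/wpa_supplicant.conf; not from the original post.
# wpa_cli -a needs the control socket to talk to wpa_supplicant.
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
# wpa_supplicant scans and picks the AP itself (the default).
ap_scan=1

# WPA-PSK home network: the action script runs "ifup <iface>=SSID_HOMELAN".
network={
    ssid="HOMELAN"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP CCMP
    # Made-up passphrase; wpa_passphrase can pre-hash it to a 64-hex-digit psk.
    psk="correct horse battery staple"
    priority=10
}

# Open network: no key and no encryption, exactly the case the text describes.
# Same scripts, stanza SSID_CAFE in /etc/network/interfaces.
network={
    ssid="CAFE"
    key_mgmt=NONE
    priority=1
}
```

The higher priority on the WPA network means that when both are in range wpa_supplicant prefers the protected one, so the laptop does not silently join the open network just because it answered first.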
This stuff could use cleaning up. Specifically, the whole process is a little fragile: ifplugd has a setting that lets it ignore a second or two of lost link without downing and upping the interface, and this setup has nothing equivalent yet.
But that’s more coding than I can be assed doing just now.