WPA

From LQWiki

Wi-Fi Protected Access (WPA) is the Wi-Fi Alliance's security standard for Wi-Fi networks. It was introduced in 2003 as an interim replacement for the broken WEP, based on a draft of IEEE 802.11i, and was designed to run on WEP-era hardware. It encrypts traffic with TKIP (RC4 with 128-bit keys, per-packet key mixing and the Michael message-integrity check), authenticates stations either with a pre-shared key (WPA-PSK, "Personal") or with IEEE 802.1X/EAP against an authentication server ("Enterprise"), and derives fresh session keys for every association in the 4-way handshake. TKIP itself has since been broken in practice (partial decryption and packet-injection attacks were published from 2008 on); it is deprecated, and WPA should only be enabled where a legacy device leaves no choice.

WPA2 (Wi-Fi Protected Access 2) is based on the ratified IEEE 802.11i-2004 standard and replaces TKIP with CCMP, an authenticated-encryption mode built on AES (AES-CCM with 128-bit keys). AES is the NIST FIPS 197 block cipher; the "FIPS 140-2" often quoted in product literature is a validation standard for cryptographic modules, not a property of the algorithm. WPA2 hardware is backward compatible with WPA: an access point can run a mixed WPA/WPA2 mode, but then TKIP stays enabled and the group (broadcast) key is protected only by TKIP, so the network is only as strong as its weakest permitted cipher. WPA-PSK and WPA2-PSK share one weakness: anyone who captures a 4-way handshake can run an offline dictionary attack against the passphrase, so choose a long random one.

How to use WPA

You will need wpa_supplicant, the user-space daemon that performs the WPA/WPA2 handshake with the access point and installs the resulting keys in the driver. It must run as root. Start it like this (-d turns on debug output, which is helpful while getting the association to work):

wpa_supplicant -ieth1 -c/etc/wpa_supplicant.conf -d

In this example the pre-shared key is stored in /etc/wpa_supplicant.conf, which should be owned by root with mode 0600. That file might look like this:

ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
network={
ssid="FOO"
scan_ssid=1
priority=5
proto=WPA
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
    psk=7b7267507f40f82bef91a6d2442e7313f9757aaccf788fab9eabe66dbc4e17fe
}

The pre-shared key is the psk= line:

    psk=7b7267507f40f82bef91a6d2442e7313f9757aaccf788fab9eabe66dbc4e17fe

Those 64 hex characters are the 256-bit PSK that IEEE 802.11i derives from the passphrase and the SSID with PBKDF2-HMAC-SHA1 (4096 iterations). They are as sensitive as the passphrase itself: anyone who can read them can join the network, so the file must not be world-readable. You can derive the value with the command wpa_passphrase (wpa_passphrase SSID passphrase). Its output repeats the passphrase in a #psk="..." comment; delete that line before saving the block. wpa_supplicant also accepts psk="passphrase" in quotes and derives the key at start-up, which is convenient but leaves the passphrase itself in the file.

Note the cipher lists in the example: proto=WPA allows only the original WPA, and group=CCMP TKIP WEP104 WEP40 lets the access point hand out a WEP group key. If the access point supports WPA2, use proto=RSN, pairwise=CCMP and group=CCMP instead, so that nothing weaker than AES-CCMP can be negotiated.
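As an added example (not code from this LQWiki page or from the wpa_supplicant project), the following Python script derives the PSK the same way wpa_passphrase does (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32-byte output, as specified in IEEE 802.11i), writes a network block without the plaintext #psk= comment, and audits an existing wpa_supplicant.conf for the weak settings discussed above. The function names are the example's own; the two embedded configuration samples are copied from this page and the audit findings are this script's wording, not wpa_supplicant messages.

```python
import hashlib
import re

# A psk= value as wpa_supplicant expects it: 64 hex characters (256-bit key).
PSK_HEX_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the WPA/WPA2 PSK as IEEE 802.11i and wpa_passphrase do:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), as hex.

    802.11i limits a passphrase to 8..63 printable ASCII characters; a
    64-character hex string is not a passphrase but an already derived PSK.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return raw.hex()


def network_block(ssid: str, passphrase: str, wpa2_only: bool = True) -> str:
    """Emit a wpa_supplicant network={...} block with a derived psk= line and
    no #psk= comment.  wpa2_only=True pins proto=RSN with CCMP so neither TKIP
    nor a WEP group cipher can be negotiated; False is the mixed WPA/WPA2 form
    for an access point that offers nothing better."""
    psk = wpa_psk(passphrase, ssid)
    if wpa2_only:
        suites = ["proto=RSN", "key_mgmt=WPA-PSK", "pairwise=CCMP", "group=CCMP"]
    else:
        suites = ["proto=WPA RSN", "key_mgmt=WPA-PSK", "pairwise=CCMP TKIP", "group=CCMP TKIP"]
    # wpa_supplicant also accepts the SSID as bare hex, which sidesteps quoting.
    if ssid.isprintable() and '"' not in ssid:
        ssid_line = f'ssid="{ssid}"'
    else:
        ssid_line = "ssid=" + ssid.encode("utf-8").hex()
    body = [ssid_line, *suites, f"psk={psk}"]
    return "network={\n" + "".join(f"\t{line}\n" for line in body) + "}\n"


def strip_plaintext_psk(conf_text: str) -> str:
    """Remove the #psk="..." comment lines that wpa_passphrase writes."""
    kept = [ln for ln in conf_text.splitlines() if not ln.strip().startswith("#psk=")]
    return "\n".join(kept) + "\n"


def audit_conf(conf_text: str) -> list:
    """Return one finding per weak or risky line in a wpa_supplicant.conf:
    plaintext passphrase, malformed psk, WPA2 not allowed, TKIP or WEP enabled."""
    findings = []
    for ln in conf_text.splitlines():
        s = ln.strip()
        if s.startswith("#psk="):
            findings.append("plaintext passphrase left in a #psk= comment")
        elif s.startswith('psk="'):
            findings.append("psk= holds the passphrase itself, not the derived key")
        elif s.startswith("psk=") and not PSK_HEX_RE.match(s[4:]):
            findings.append("psk= is neither 64 hex characters nor a quoted passphrase")
        if s.startswith("proto=") and "RSN" not in s and "WPA2" not in s:
            findings.append("WPA2 (RSN) not enabled: " + s)
        if s.startswith("group=") and re.search(r"\bWEP(40|104)\b", s):
            findings.append("WEP group cipher allowed: " + s)
        if s.startswith(("pairwise=", "group=")) and re.search(r"\bTKIP\b", s):
            findings.append("TKIP allowed: " + s)
    return findings


# Sample 1 (copied from this page): the permissive network block above.
PAGE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
network={
\tssid="FOO"
\tscan_ssid=1
\tpriority=5
\tproto=WPA
\tkey_mgmt=WPA-PSK
\tpairwise=CCMP TKIP
\tgroup=CCMP TKIP WEP104 WEP40
\tpsk=7b7267507f40f82bef91a6d2442e7313f9757aaccf788fab9eabe66dbc4e17fe
}
"""

# Sample 2 (copied from this page): raw wpa_passphrase output, comment included.
PASSPHRASE_OUTPUT = """\
network={
\tssid="FOOLAN"
\t#psk="mypassword"
\tpsk=1bb95e189e8196745abfa4e5dfeae03d3c634e1e1e75ea013e7125507fbef715
}
"""

if __name__ == "__main__":
    for finding in audit_conf(PAGE_CONF) + audit_conf(PASSPHRASE_OUTPUT):
        print("weak:", finding)
    print(network_block("FOOLAN", "mypassword"), end="")
```

The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") yields f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e, which is a quick way to check any PSK tool, including a wpa_passphrase build. Run the script with umask 077 and write the block into a root-owned /etc/wpa_supplicant.conf; the passphrase should never land in the file, only the derived key.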

Examples

SUSE

Using SUSE 10.2 and an ipw3945 WLAN card. The WLAN router has the address 192.168.0.1 on the 192.168.0.0/24 network.

Note: This example is for teaching purposes only. If you want to set this up, you can do it in a few clicks using YaST2. However, if you want to look behind the scenes, read on...

First let's see what the WLAN network device is:

santosh:~ # iwconfig
lo        no wireless extensions. 

eth2      no wireless extensions.

eth3      unassociated  ESSID:"FOOLAN"  Nickname:"santosh"
          Mode:Managed  Frequency=nan kHz  Access Point: Not-Associated
          Bit Rate:0 kb/s   Tx-Power:16 dBm
          Retry limit:15   RTS thr:off   Fragment thr:off
          Encryption key:2102-2630-0BF8-AFA7-0E48-6EBE-F5   Security mode:restricted
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:7   Missed beacon:0

sit0      no wireless extensions.

santosh:~ # 

eth3 is the WLAN card. Now derive the PSK from the passphrase (the #psk= comment in the output is the passphrase in clear; it does not belong in the configuration file):

santosh:~ # wpa_passphrase FOOLAN mypassword
network={
        ssid="FOOLAN"
        #psk="mypassword"
        psk=1bb95e189e8196745abfa4e5dfeae03d3c634e1e1e75ea013e7125507fbef715
}
santosh:~ # cat >/etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
network={
ssid="FOOLAN"
scan_ssid=1
priority=5
proto=WPA
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
    psk=sorryIoverwritethisbetterblahblahbahblahblahblahblahblahblafdfff
}
santosh:~ #     

Now get it connected (wpa_supplicant needs root; -D wext selects the Wireless Extensions driver interface that the ipw3945 driver used at the time):

santosh:~ # wpa_supplicant -i eth3 -c /etc/wpa_supplicant.conf -D wext
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
Trying to associate with 00:0f:c9:01:f5:f4 (SSID='FOOLAN' freq=0 MHz)
Associated with 00:0f:c9:01:f5:f4
WPA: Key negotiation completed with 00:0f:c9:01:f5:f4 [PTK=TKIP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:0f:c9:01:f5:f4 completed (auth)

The [PTK=TKIP GTK=TKIP] in the key-negotiation line shows which ciphers were actually negotiated: this access point delivered TKIP for both the pairwise and the group key. With a WPA2 access point and proto=RSN in the configuration you should see CCMP there; if TKIP shows up unexpectedly, the access point or the cipher lists in wpa_supplicant.conf allowed a weaker suite than you intended.

In a parallel console session:

ifconfig eth3 192.168.0.70

Attention: dhcpcd does not work here.

Now iwconfig eth3 shows me something like:

eth3      IEEE 802.11g  ESSID:"FOOLAN"  Nickname:"santosh"
          Mode:Managed  Frequency:2.457 GHz  Access Point: 00:0F:C9:01:F5:F4
          Bit Rate:24 Mb/s   Tx-Power:15 dBm
          Retry limit:15   RTS thr:off   Fragment thr:off
          Encryption key:F523-EBFF-0012-23D1-6F72-FE22-FDBE-C493-68BC-CFA4-F981-B984-48BB-E2AF-4878-0E59   Security mode:open
          Power Management:off
          Link Quality=72/100  Signal level=-62 dBm  Noise level=-70 dBm
          Rx invalid nwid:0  Rx invalid crypt:1  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:52   Missed beacon:0

Test your connection:

santosh:~ # ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=0.970 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=1.00 ms

--- 192.168.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.970/0.989/1.009/0.037 ms
santosh:~ # route add default gw 192.168.0.1
santosh:~ # ping wiki.linuxquestions.org
PING wiki.linuxquestions.org (207.44.182.114) 56(84) bytes of data.
64 bytes from mx.linuxquestions.org (207.44.182.114): icmp_seq=1 ttl=53 time=171 ms