60
63
The Intel Pro Wireless adapters (ipw2100, ipw2200 and ipw3945) all use the
61
64
'wext' backend, unless your kernel is older than 2.6.14.
63
Madwifi supports both the 'wext' and 'madwifi' driver backends, but 'wext' is
66
Madwifi supports both the 'wext' and 'madwifi' driver backends. 'wext' is
67
preferred, however 'madwifi' may work better in some circumstances.
66
69
Ndiswrapper NO LONGER SUPPORTS the 'ndiswrapper' driver backend as of version
67
1.16. Therefore, 'wext' must be used unless you use an outdated ndiswrapper
70
1.16. Therefore, 'wext' must be used unless you use an antiquated ndiswrapper
70
73
Set the driver type in the interfaces(5) stanza for your device with the
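Review bot: The rewritten Madwifi sentence ("'wext' is preferred, however 'madwifi' may work better in some circumstances") still gives the reader no way to choose between the two backends, and "however" after a comma is a comma splice. Suggest "preferred; however, ..." and naming the symptom that should prompt a switch to 'madwifi'. The outdated/antiquated swap in the ndiswrapper paragraph is wording only and could be dropped from this change.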
92
NOTE: the 'wpa-psk' value is only valid if:
93
1) It is a plaintext (ascii) string between 8 and 63 characters in
95
2) It is a hexadecimal string of 64 characters
97
# Connect to access point of ssid 'NETBEER' with an encryption type of
98
# WPA-PSK/WPA2-PSK. It assumes the driver will use the 'wext' driver backend
99
# of wpa_supplicant because no wpa-driver option has been specified.
100
# The passphrase is given as a ASCII (plaintext) string. DHCP is used to
101
# obtain a network address.
103
iface wlan0 inet dhcp
105
# plaintext passphrase
106
wpa-psk PlainTextSecret
89
108
# Connect to access point of ssid 'homezone' with an encryption type of
90
# WPA-PSK/WPA2-PSK, using the the 'wext' driver backend of wpa_supplicant
91
# The psk is given as a hexadecimal string, without quotes. DHCP is used to
92
# obtain a network address.
109
# WPA-PSK/WPA2-PSK, using the 'wext' driver backend of wpa_supplicant.
110
# The psk is given as an encoded hexadecimal string. DHCP is used to obtain
93
113
iface wlan0 inet dhcp
116
# hexadecimal psk is encoded from a plaintext passphrase
96
117
wpa-psk 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
98
119
# Connect to access point of ssid 'HotSpot1' and bssid of '00:1a:2b:3c:4d:5e'
99
120
# with an encryption type of WPA-PSK/WPA2-PSK, using the the 'madwifi' driver
100
# backend of wpa_supplicant. The passphrase is given as a plaintext string,
101
# without quotes. A static network address assignment is used.
121
# backend of wpa_supplicant. The passphrase is given as a plaintext string.
122
# A static network address assignment is used.
102
124
iface ath0 inet static
103
125
wpa-driver madwifi
104
126
wpa-ssid HotSpot1
105
127
wpa-bssid 00:1a:2b:3c:4d:5e
106
wpa-passphrase madhotspot
128
# plaintext passphrase
107
130
wpa-key-mgmt WPA-PSK
108
131
wpa-pairwise TKIP CCMP
109
132
wpa-group TKIP CCMP
110
133
wpa-proto WPA RSN
111
135
address 192.168.0.100
112
136
netmask 255.255.255.0
113
137
network 192.168.0.0
117
141
# User supplied wpa_supplicant.conf is used for eth1. All network information
118
142
# is contained within the user supplied wpa_supplicant.conf. No wpa-driver type
119
143
# is specified, so wext is used. DHCP is used to obtain a network address.
120
145
iface eth1 inet dhcp
121
146
wpa-conf /path/to/wpa_supplicant.conf
126
As mentioned earlier, each wpa_supplicant specific element is prefixed with
127
'wpa-'. Each element correlates to a property of wpa_supplicant described in
128
the wpa_supplicant.conf(5), wpa_supplicant(8) and wpa_cli(8) manpages. The
129
supplicant is launched without any pre-configuration whatsoever, and wpa_cli
130
forms a network configuration from the input provided by the 'wpa-*' lines.
131
Initially, wpa_supplicant/wpa_cli does not directly set the properties of the
132
device (like setting an essid with iwconfig, for example), rather it informs
133
the device of what access point is suitable to associate with. Once the device
134
has scanned the area, and found that the suitable access point is available for
135
use, these properties are set.
137
The script that does all the work is located at:
139
/etc/wpa_supplicant/ifupdown.sh
141
It is executed by run-parts, which in turn is invoked by ifupdown during the
142
'pre-up', 'pre-down' and 'post-down' phases.
144
In the 'pre-up' phase, a wpa_supplicant daemon is launched, if wpa-roam is used
145
a wpa_cli daemon is lauched and then there is a series of wpa_cli commands that
146
set up a network configuration according to what 'wpa-' options were used in
147
/etc/network/interfaces for the physical device.
149
In the 'pre-down' phase, the wpa_cli daemon is killed if it exists.
151
In the 'post-down' phase, the wpa_supplicant daemon is killed.
153
148
Table of Common Options
154
149
=======================
156
151
A brief summary of common 'wpa-' options that may be used in the
157
/etc/network/interfaces stanza for a wireless device:
152
/etc/network/interfaces stanza for a wireless device. See the
153
'Important Notes About Managed Mode' section for information about
154
valid and invalid 'wpa-' values.
159
156
NOTE: ALL values are CASE SeNsItVe
164
161
wpa-bssid 00:1a:2b:3c:4d:5e the bssid of your AP
165
162
wpa-psk 0123456789...... your preshared wpa key. Use
166
163
wpa_passphrase(8) to generate your psk
168
wpa-passphrase plaintextphrase plaintext string, which is then
169
converted to a hexadecimal psk via
164
from a passphrase and ssid pair
171
165
wpa-key-mgmt NONE, WPA-PSK, WPA-EAP, list of accepted authenticated key
172
166
IEEE8021X management protocols
173
167
wpa-group CCMP, TKIP, WEP104, list of accepted group ciphers for WPA
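Review bot: The reworked examples place the secret directly in the interfaces stanza ("wpa-psk PlainTextSecret" and the 64-character hexadecimal psk for 'homezone') with no pointer to the file-permission guidance that this same change adds in section 5, which says /etc/network/interfaces is world readable by default. Suggest a one-line comment in each example, or a sentence under the new wpa-psk NOTE, referring to "Configuration File Permissions", and making clear that the hexadecimal form is as sensitive as the passphrase. The comment "hexadecimal psk is encoded from a plaintext passphrase" should also say how, since only the table row names wpa_passphrase(8). With the wpa-passphrase row and the "wpa-passphrase madhotspot" line removed, it is worth stating once that the option is gone, so existing stanzas that use it are not left unexplained. Separately, the context line "CASE SeNsItVe" is missing an "i".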
203
197
that is valid for each option. For example, it assumes that some input is
204
198
plaintext and wraps quotation marks around the input before passing it on
205
199
to wpa_cli, which then adds the input to the network block being formed via
206
the wpa_supplicant ctrl_interface socket. This can be a point of confusion, and
207
something that has tricked more than a few people in the past. For example:
209
# Invalid, wpa-ssid expects unquoted plaintext ssid's only
210
# If you need to use a hexadecimal ssid, please supply a
211
# wpa_supplicant.conf, and use the 'wpa-conf' option.
212
wpa-ssid "hostpot12345678"
200
the wpa_supplicant ctrl_interface socket. Running ifup manually with the
201
'--verbose' option will reveal all of the commands used to form the network
202
block via wpa_cli. If the value you used for any wpa-* option in
203
/etc/network/interfaces is surrounded by double quotes, than it has been
204
assumed to be of "plaintext" or "ascii" type input.
206
Some input is assumed to be a hexadecimal string (eg. wpa-wep-key*). The value
207
'type' of the wpa-psk option however, is determined via a simple check for more
208
than one non hexadecimal character.
214
As mentioned earlier, each wpa_supplicant specific element is prefixed with
215
'wpa-'. Each element correlates to a property of wpa_supplicant described in
216
the wpa_supplicant.conf(5), wpa_supplicant(8) and wpa_cli(8) manpages. The
217
supplicant is launched without any pre-configuration whatsoever, and wpa_cli
218
forms a network configuration from the input provided by the 'wpa-*' lines.
219
Initially, wpa_supplicant/wpa_cli does not directly set the properties of the
220
device (like setting an essid with iwconfig, for example), rather it informs
221
the device of what access point is suitable to associate with. Once the device
222
has scanned the area, and found that the suitable access point is available for
223
use, these properties are set.
225
The script that does all the work is located at:
214
# Valid, unquoted plaintext string
215
wpa-ssid hostpot12345678
217
# Invalid, wpa-psk expects hexadecimal strings only
218
wpa-psk plaintextpassword
220
# NOTE: wpa-psk will accept a plaintext string enclosed in quotation
221
# marks this is equivalent to the 'wpa-passphrase' option
222
wpa-psk "plaintextpassword"
224
# Invalid, wpa-passphrase accepts only plaintext strings, as it
225
# automatically quotes the input
226
wpa-passphrase "invalidinput"
228
# Valid, unquoted plaintext string
229
wpa-passphrase validinput
227
/etc/wpa_supplicant/ifupdown.sh
229
It is executed by run-parts, which in turn is invoked by ifupdown during the
230
'pre-up', 'pre-down' and 'post-down' phases.
232
In the 'pre-up' phase, a wpa_supplicant daemon is launched followed by a series
233
of wpa_cli commands that set up a network configuration according to what
234
'wpa-' options were used in /etc/network/interfaces for the physical device.
236
If wpa-roam is used, a wpa_cli daemon is lauched in the 'post-up' phase.
238
In the 'pre-down' phase, the wpa_cli daemon is killed if it exists.
240
In the 'post-down' phase, the wpa_supplicant daemon is killed.
232
243
3. Mode #2: Roaming Mode
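Review bot: The new description of wpa-psk type detection ("a simple check for more than one non hexadecimal character") does not line up with the NOTE added earlier, which accepts any plaintext string of 8 to 63 characters. As worded, a passphrase made up only of hexadecimal digits, or containing a single non-hexadecimal character, would be classified as a hexadecimal psk and then fail the 64-character rule. Suggest stating that limitation explicitly and pointing such users to 'wpa-conf'. The removed Valid/Invalid examples were the only place that told readers not to quote values themselves; the replacement prose explains that quotes are added automatically but never says that user-supplied quotes are invalid, so keep one short example or add that sentence. Since 'ifup --verbose' is said to reveal all of the commands used to form the network block, note that this output will include the psk. Typos: "than it has been" should be "then it has been", and "lauched" is carried over from the old text.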
486
500
secured networks. In some cases, setting the parameter 'ap_scan=2' in the
487
501
config file, (or using a 'wpa-ap-scan 2' stanza, which is equivalent) can
488
502
greatly help to speed up association.
505
5. Security Considerations
506
==========================
508
Configuration File Permissions
509
==============================
510
It is important to keep PSK's and other sensitive information concerning your
511
network settings private, therefore ensure that important configuration files
512
containing such data are only readable by their owner. For example:
514
chmod 0600 /etc/network/interfaces
515
# substitute the path of your wpa_supplicant.conf file
516
chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf
518
By default, /etc/network/interfaces is world readable, and thus unsuitable for
519
containing secret keys and passwords.
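Review bot: The new section tells the reader to chmod 0600 /etc/network/interfaces and only afterwards states that the file is world readable by default and "thus unsuitable for containing secret keys and passwords", while every managed-mode example in this change puts wpa-psk in that file. Suggest leading with the default-permissions fact, then giving the two remedies in order: tighten the mode, or keep the secrets in a separate file referenced by 'wpa-conf'. "Only readable by their owner" also assumes the owner is root; say so, or add the ownership alongside the chmod lines. Style: "Configuration File Permissions" is underlined with '=' like the section heading "5. Security Considerations" directly above it, so the two read as the same level, and "PSK's" should be "PSKs".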