Using RedRover-Secure (WPA) from Linux
- From: Kevin Locke
- To:

- Subject: Using RedRover-Secure (WPA) from Linux
- Date: Mon, 11 Sep 2006 17:31:50 -0400

Greetings All,

Many of you may have noticed that over the summer semester
RedRover[1], CIT's wireless network, added several access points using
WPA[2] to provide wireless security under the name RedRover-Secure[3].
As others of you may have noticed, the instructions provided for
accessing RedRover-Secure are provided only for Windows XP and Mac OS
X. So, after having been asked by a friend, I decided to spend the
time to figure out how to access this network from *nix and to post my
results for anyone who would like access and doesn't know how to go
about it. Well, here it is.

My testing has been done using Debian and an Intel PRO/Wireless
3945ABG wireless card; however, I hope these instructions are generic
enough to work regardless. When I mention package names, they are
with reference to Debian-based distros; however, it is likely that
other distributions have packages with similar names...

Note:
For those of you averse to reading (or to using the terminal),
just take a look at the configuration snippet and see if you can use
the wpa-* configuration options with whatever tools you prefer to use
for wireless.

What you need:
* wpa_supplicant[4] 0.2.2 or greater, preferably 0.4.8+ on Debian
  Distributed in the wpasupplicant package
* Thawte SSL Cert. May be downloaded[5] and converted to PEM
  Also available as part of Mozilla CA Certs
  Distributed in ca-certificates package

First, make sure that you can connect to Cornell's unsecured RedRover
wireless network. There are several tutorials and HowTos on the net
dealing with the quirks of wireless cards and the various drivers for
*nix systems.

Next, configure wpa_supplicant to connect to RedRover-Secure. The
recent Debian packages of wpasupplicant have moved the configuration
from the "daemon-style" wpa_supplicant.conf to "slave-style"
statements in /etc/network/interfaces. I assume that other distros
are moving in the same direction. However, if you are still using
wpa_supplicant as a daemon (wpa_supplicant.conf exists and
wpa_supplicant is running when no interface is up) then to convert the
following configuration to match your needs simply do the following.
For each wpa-<option> <value> line, create a line <option> = <value>
in your wpa_supplicant.conf file inside your description of the
RedRover-Secure network.

-8<--------- /etc/network/interfaces -8<-------------------------
iface wcornell inet dhcp
    wireless-essid RedRover
    wireless-mode Managed

iface wcornell-wpa inet dhcp
    wireless-essid RedRover-Secure
    wireless-mode Managed
#   wpa-verbosity 2
    wpa-ssid RedRover-Secure
    wpa-proto RSN WPA
    wpa-scan-ssid 1
#   wpa-mode 0
    wpa-pairwise CCMP
    wpa-group TKIP
    wpa-key-mgmt WPA-EAP
    wpa-eap TTLS
    wpa-phase2 auth=PAP
    wpa-identity <NetID>
    wpa-password <NetIDPassword>
    wpa-ca-cert /etc/ssl/certs/Thawte_Premium_Server_CA.pem
-8<--------- /etc/network/interfaces -8<-------------------------

A few warnings: The lines in the above snippet "wireless-<option>"
are used with Wireless Tools[6] (in the wireless-tools package) which
I use to configure my wireless card. You may or may not need them.
The commented-out lines are not necessary, but may help with debugging
or may be needed with your configuration (if things go wrong, try
uncommenting them). Also, some of the options are redundant, since
the defaults will search through available protocols and ciphers; they
are included for completeness and to avoid the long auto-detection
process. Finally, you should of course replace <NetID> and
<NetIDPassword> with your NetID (e.g. kwl7) and your NetIDPassword, or
provide another method of providing these details to wpa_supplicant.
Note that if you do include your password in the file, you will
probably want to remove read permission for non-root users...

Once this is done (and you are using the non-daemon wpa_supplicant
mode) you should be able to run the command "ifup wlan0=wcornell-wpa"
(or eth1=... or ath0=... or whatever is appropriate for your card) and
then you should be connected and ready to go. If you are using the
daemon-mode, then (re-)start wpa_supplicant and it should bring up
the interface once it detects the wireless network.

Troubleshooting:
If the above did not work, then after you have run the ifup command,
if you do not see any useful debugging information, try running the
command wpa_cli as root. You should then be able to query
wpa_supplicant to see what it is doing and what is going on. If not,
then wpa_supplicant is probably not being run and you may want to try
running it as a daemon. Also run iwconfig (or whatever program you
use to query your wireless card) and check that it is set to the
correct SSID and that the WEP key is disabled.

1. http://www.cit.cornell.edu/redrover/
2. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
3. http://www.cit.cornell.edu/redrover/aboutsecure.html
4. http://hostap.epitest.fi/wpa_supplicant/
5. http://secutil1.cit.cornell.edu/SecureW2/certs.zip
6. http://www.hpl.hp.co.uk/personal/Jean_Tourrilhes/Linux/Tools.html

P.S. Is this something that might be useful/appropriate to put on the
NetAdminWiki or /cringe/ to have CIT add to their HowTo as an
unsupported option (similar to the e-mail configuration HowTos)? If
anyone would like to post this somewhere appropriate, you have my
permission (and encouragement) to change it as you like and put it
somewhere useful.

--
Good Luck, |
|
Kevin | http://kevinlocke.name | kevinoid on freenode
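
Added example (not part of the original post): a sketch of the daemon-style conversion described above, turning the wpa-* lines of one interfaces stanza into a wpa_supplicant.conf network block and writing it with owner-only permissions, as the password warning suggests. In wpa_supplicant.conf the option names use underscores and string values are quoted; the function names, the placeholder credentials and the refusal to emit an EAP block without ca_cert are choices made for this example.

```python
import os

# wpa_supplicant.conf takes these values as quoted strings; proto, pairwise,
# group, key_mgmt, eap, scan_ssid and mode stay bare keywords or numbers.
QUOTED = {"ssid", "identity", "password", "ca_cert", "phase2"}
NOT_NETWORK = {"verbosity"}  # debug level, not a network-block option

# Constructed sample: the stanzas from the post with placeholder credentials.
SAMPLE = """\
iface wcornell inet dhcp
iface wcornell-wpa inet dhcp
    wireless-essid RedRover-Secure
    # wpa-verbosity 2
    wpa-ssid RedRover-Secure
    wpa-proto RSN WPA
    wpa-scan-ssid 1
    wpa-pairwise CCMP
    wpa-group TKIP
    wpa-key-mgmt WPA-EAP
    wpa-eap TTLS
    wpa-phase2 auth=PAP
    wpa-identity netid-placeholder
    wpa-password password-placeholder
    wpa-ca-cert /etc/ssl/certs/Thawte_Premium_Server_CA.pem
"""

def to_network_block(interfaces_text, stanza):
    """Turn the wpa-* lines of `iface <stanza>` into a network={} block."""
    opts, current = {}, None
    for line in map(str.strip, interfaces_text.splitlines()):
        if line.startswith("iface"):
            current = line.split()[1]
        elif current == stanza and line.startswith("wpa-"):
            key, _, value = line[4:].partition(" ")
            if key not in NOT_NETWORK:
                opts[key.replace("-", "_")] = value.strip()
    if "EAP" in opts.get("key_mgmt", "") and "ca_cert" not in opts:
        # Without ca_cert the server certificate is not checked, so the
        # PAP password would go to whatever server terminates the tunnel.
        raise ValueError("EAP network without ca_cert")
    body = "".join(f'    {k}="{v}"\n' if k in QUOTED else f"    {k}={v}\n"
                   for k, v in opts.items())
    return "network={\n" + body + "}\n"

def write_private(path, content):
    """Write content to a file only its owner can read (it holds a password)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a file that already existed
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
```

Calling write_private("/etc/wpa_supplicant.conf", to_network_block(text, "wcornell-wpa")) as root replaces that file; point it at a scratch path first and review the output.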