Voyage Linux - WRAP
Voyage Linux is a Linux distribution built for embedded wireless controllers, like the WRAP board from PC Engines. hostapd provides WPA and 802.1X; no other free firmware for the WRAP provides this capability. The downside is that it has no fancy GUI, so it is very difficult for a newbie to configure (you must use ssh). pfSense is a better choice for field deployment.
Here are a few notes from my experiments. Make sure you check out the WRAP page for other related info and notes. Big note: hostapd runs well with the Atheros radio. The Prism radio (2511) needs updated firmware.
First Connect
In general, the install instructions are pretty good. Once the OS is loaded on the card, you need to configure the device via the command line. SSH is enabled by default. You can use a serial console, too; however, 'vi' wouldn't work right under gtkterm. I'm sure the terminal emulation is wrong.
Useful commands:
remountrw - remount the CF read/write so you can make changes to the configuration files
remountro - remount the CF read-only again
Setting up the Interfaces
I'm going for the following:
eth0
wlan0 - 802.11b/g Prism
ath0  - 802.11a Atheros
After much work, I built the following /etc/network/interfaces file:
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 169.203.41.40
    netmask 255.255.255.192
    # (for a /26 that contains .40 the broadcast address is actually .63)
    broadcast 169.203.41.0

# Set up the Prism card
auto wlan0
iface wlan0 inet static
    address 10.1.10.1
    netmask 255.255.255.0
    broadcast 10.1.10.255
    # wireless-x -> iwconfig iface command
    wireless-essid vortex
    wireless-mode Master
    wireless-channel 1
    wireless-txpower 17dbm
    # up nat.sh wlan0 eth0 "10.1.10.0/24"

# Atheros interface config
auto ath0
iface ath0 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    broadcast 192.168.10.255
    # Build the wlanconfig command (see if-pre-up.d/madwifi)
    # Set to wifi0
    madwifi-base wifi0
    # Set mode (master=ap, sta=sta)
    madwifi-mode Master
    # Set parameters
    wireless-channel 40
    wireless-essid w7iy-1
    wireless-txpower 16dbm
    wireless-rate 54M
    # Send private ioctl to ath0 (1=11a, 0=autoselect)
    up iwpriv ath0 mode 1
    # up nat.sh ath0 eth0 "10.1.20.0/24"
The Prism card uses the 'hostap' driver (not to be confused with hostapd). The Atheros card uses the madwifi-ng driver. There is a file in if-pre-up.d (madwifi) which builds the wlanconfig command from the madwifi-* statements above:
$WLANCONFIG $IFACE create wlandev $IF_MADWIFI_BASE wlanmode $MODE
Getting WPA-PSK to Work
After hours of screwing with wlan0, I discovered the Prism 2511 card isn't compatible with hostapd. Every time I enabled WPA (in hostapd.conf) I would end up with a bogus interface: iwconfig showed wlan0ap_rename. I had to reboot, destroy ath0 and recreate it by hand to get my radios back. So I found a page on flashing the firmware for the Prism radios and then tried all the WPA stuff using just the CM9 (Atheros) card. After I disabled wlan0 (by removing it from the system), it worked! I was able to make a secure (WPA-PSK) connection from my Windows XP workstation. Most of the following config has nothing to do with the WPA stuff, so I marked the statements that mattered with a comment on the line above them. I found a config file on the Voyage site which had the right config statements.
voyage:/etc/hostapd# grep -v ^# hostapd.conf | grep -v ^$
# Changed to ath0 from wlan0
interface=ath0
# Changed to use madwifi instead of hostap
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# Must match the SSID of the interface!
ssid=vortex
max_num_sta=255
macaddr_acl=0
# Checked
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
# Turned on WPA
wpa=1
# Set the passphrase, which matches the passphrase in Windows (make this long and complex)
wpa_passphrase=secretpassphrase
# Made sure this was set to WPA-PSK
wpa_key_mgmt=WPA-PSK
# Uses AES with CCMP
wpa_pairwise=CCMP
In the Windows client, I set the properties to wpa-psk, AES and entered the passphrase.
Getting WPA2 w/802.1x to Work
Hostapd web page with all the gory details. WPA2 is WPA with AES and 802.1x EAP.
This mode is significantly more complicated because it requires a RADIUS server (or hostapd's integrated EAP server, used below) to resolve usernames and passwords.
Supported drivers include madwifi and hostap.
Create the Certificates
Create the CA key and self signed certificate:
cd /etc/pki/tls/certs
openssl genrsa -des3 -out cacert.key 1024
openssl req -new -key cacert.key -out cacert.csr
openssl x509 -req -days 365 -in cacert.csr -signkey cacert.key -out cacert.crt

or, using the Makefile in that directory:

cd /etc/pki/tls/certs
make cacert.key   --- private key
make cacert.csr   --- certificate signing request
make cacert.crt   --- self signed certificate
We need server side certificates for the node:
# private key w/passphrase
make server.key
# certificate request
make server.csr
# Sign the server request with the CA key and certificate
# (-signkey cacert.key would instead produce a self-signed certificate carrying the CA's public key,
#  which does not match server.key and will not chain to cacert.crt)
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cacert.key -CAcreateserial -out server.crt
Copy server.key, server.crt and cacert.crt over to the access point. Modify hostapd.conf to point to those files (the hostapd.conf below refers to the CA certificate as /etc/hostapd/ca.crt, so rename it or adjust the path).
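The certificate steps above, carried through as an added example (not from the Voyage page): build the CA and a CA-signed server certificate, then prove before copying anything to the access point that server.crt chains to the CA and actually belongs to server.key. The working directory, subject names, passphrases and the 2048-bit key size are assumptions for the demo (the page works in /etc/pki/tls/certs with 1024-bit keys); the CA certificate is written as ca.crt, the name the hostapd.conf below expects.

```shell
#!/bin/sh
# Added example, not the Voyage page's own commands. Needs the openssl CLI.
# Produces cacert.key, ca.crt, server.key, server.csr, server.crt in $dir (assumed layout).
set -eu

build_eap_certs() {
    dir="$1" ca_pass="$2" srv_pass="$3"
    mkdir -p "$dir"
    # CA: passphrase-protected key plus a self-signed CA certificate.
    openssl genrsa -des3 -passout "pass:$ca_pass" -out "$dir/cacert.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/cacert.key" -passin "pass:$ca_pass" \
        -subj "/CN=Example hostapd CA" -out "$dir/ca.crt" 2>/dev/null
    # Server: passphrase-protected key (the passphrase becomes private_key_passwd) and a CSR.
    openssl genrsa -des3 -passout "pass:$srv_pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$srv_pass" \
        -subj "/CN=ap.example.invalid" -out "$dir/server.csr" 2>/dev/null
    # Sign the CSR with the CA certificate and key. -signkey (the page's original step)
    # would instead emit a self-signed certificate carrying the CA's public key.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/cacert.key" -passin "pass:$ca_pass" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
}

# The page's original signing step, kept only for comparison: writes server-signkey.crt.
sign_with_signkey() {
    dir="$1" ca_pass="$2"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/cacert.key" \
        -passin "pass:$ca_pass" -out "$dir/server-signkey.crt" 2>/dev/null
}

# Succeeds only if $cert chains to ca.crt AND its public key matches server.key.
verify_eap_certs() {
    dir="$1" srv_pass="$2" cert="$3"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$cert" >/dev/null 2>&1 || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/$cert")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" -passin "pass:$srv_pass" 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# Stand-alone run: ./certs.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    build_eap_certs "$work" capass srvpass
    sign_with_signkey "$work" capass
    verify_eap_certs "$work" srvpass server.crt && echo "server.crt: chains to ca.crt and matches server.key"
    verify_eap_certs "$work" srvpass server-signkey.crt || echo "server-signkey.crt: rejected (self-signed, wrong key)"
fi
```

The modulus comparison is the check that catches the -signkey mistake: openssl verify alone only tells you whether the chain is trusted, not whether the certificate was issued for the key hostapd will load as private_key.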
Hostapd.conf WPA2 Integrated EAP
A few more hours and voila! Here is the configuration file for hostapd.conf, which allows wpa2 and the integrated EAP server.
voyage:/etc/hostapd# grep -v ^# hostapd.conf | grep -v ^$
interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=2
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=vortex
max_num_sta=255
macaddr_acl=0
auth_algs=3
ieee8021x=1
eapol_key_index_workaround=1
eap_server=1
eap_user_file=/etc/hostapd/eap_user
ca_cert=/etc/hostapd/ca.crt
server_cert=/etc/hostapd/server.crt
private_key=/etc/hostapd/server.key
private_key_passwd=secretpassword
own_ip_addr=127.0.0.1
wpa=1
wpa_passphrase=secretpassphrase
wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_pairwise=CCMP
Here is the eap_user file. Note that the XP supplicant uses a phase 2 method (i.e. MSCHAPv2 tunnelled within EAP-PEAP), so it requires two lines: one for the phase 1 anonymous (outer) user and one for the actual user.
voyage:/etc/hostapd# cat eap_user
*               PEAP,TTLS,TLS,SIM,AKA
"DOMAIN\user"   MSCHAPV2   "userpassword"   [2]
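A sanity check for both hostapd configurations on this page (the WPA-PSK one above and this WPA2/802.1X one with the integrated EAP server) plus the eap_user file, as an added example that is not from the Voyage page. It reads key=value lines the way hostapd does, confirms the settings the page calls out (wpa, wpa_key_mgmt, wpa_pairwise=CCMP, passphrase length, ieee8021x=1, eap_server=1 with readable certificate files, a phase 1 wildcard and a phase 2 [2] entry in eap_user) and flags a trailing "# comment" after a value, which hostapd would read as part of the value. The sample configs it writes are constructed for the demo; file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Voyage page or of hostapd. Checks hostapd.conf + eap_user.
set -eu
ERRORS=0
err()  { echo "ERROR: $*" >&2; ERRORS=$((ERRORS + 1)); }
warn() { echo "WARN:  $*" >&2; }

# Last value of key=... in a hostapd.conf; full-line # comments are skipped, as hostapd does.
conf_get() { sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1; }

check_eap_user() {
    # Phase 1 needs a wildcard identity line; phase 2 (inner MSCHAPv2) needs [2] lines.
    grep -Eq '^[[:space:]]*\*[[:space:]]' "$1" || err "eap_user: no '*' phase-1 (outer identity) line"
    grep -Eq '\[2\][[:space:]]*$' "$1"        || err "eap_user: no [2] phase-2 (inner user) line"
}

check_hostapd_conf() {
    conf="$1"; ERRORS=0
    # hostapd takes everything after '=' as the value, so "wpa=1 # note" is not the value 1.
    grep -Eq '^[^#].*=.*[[:space:]]#' "$conf" && err "trailing comment after a value (hostapd does not strip it)"
    wpa=$(conf_get "$conf" wpa); kmgmt=$(conf_get "$conf" wpa_key_mgmt); pw=$(conf_get "$conf" wpa_pairwise)
    [ "${wpa:-0}" != 0 ] || err "wpa= unset or 0: no WPA at all"
    [ "$wpa" = 2 ] || [ "$wpa" = 3 ] || warn "wpa=$wpa enables WPA only; WPA2/RSN needs wpa=2 (or 3 for both)"
    case " $pw " in *" CCMP "*) ;; *) err "wpa_pairwise should include CCMP (AES), got '$pw'" ;; esac
    [ -n "$(conf_get "$conf" ssid)" ] || err "ssid is empty"
    case " $kmgmt " in
    *" WPA-PSK "*)
        pass=$(conf_get "$conf" wpa_passphrase); psk=$(conf_get "$conf" wpa_psk)
        if [ -n "$pass" ]; then
            [ "${#pass}" -ge 8 ] && [ "${#pass}" -le 63 ] || err "wpa_passphrase must be 8-63 characters"
        elif [ -z "$psk" ]; then err "WPA-PSK without wpa_passphrase or wpa_psk"; fi ;;
    esac
    case " $kmgmt " in
    *" WPA-EAP "*)
        [ "$(conf_get "$conf" ieee8021x)" = 1 ] || err "WPA-EAP requires ieee8021x=1"
        if [ "$(conf_get "$conf" eap_server)" = 1 ]; then
            for k in ca_cert server_cert private_key eap_user_file; do
                f=$(conf_get "$conf" "$k")
                [ -n "$f" ] && [ -r "$f" ] || err "$k missing or unreadable: '$f'"
            done
            uf=$(conf_get "$conf" eap_user_file)
            if [ -r "$uf" ]; then check_eap_user "$uf"; fi
        elif [ -z "$(conf_get "$conf" auth_server_addr)" ]; then
            err "WPA-EAP needs eap_server=1 or an external RADIUS server (auth_server_addr)"
        fi ;;
    esac
    [ "$ERRORS" -eq 0 ]
}

# Constructed sample inputs modelled on the page's two configs (all values are examples).
write_samples() {
    d="$1"; mkdir -p "$d"
    printf '%s\n' 'interface=ath0' 'driver=madwifi' 'ssid=vortex' 'wpa=2' \
        'wpa_passphrase=a-long-and-complex-passphrase' 'wpa_key_mgmt=WPA-PSK' \
        'wpa_pairwise=CCMP' > "$d/psk.conf"
    printf '%s\n' 'interface=ath0' 'driver=madwifi' 'ssid=vortex' 'ieee8021x=1' 'eap_server=1' \
        "eap_user_file=$d/eap_user" "ca_cert=$d/ca.crt" "server_cert=$d/server.crt" \
        "private_key=$d/server.key" 'wpa=2' 'wpa_key_mgmt=WPA-EAP' 'wpa_pairwise=CCMP' > "$d/eap.conf"
    printf '%s\n' '*               PEAP,TTLS,TLS' \
        '"DOMAIN\user"   MSCHAPV2   "userpassword"   [2]' > "$d/eap_user"
}

# Stand-alone run: ./check.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d); write_samples "$d"; touch "$d/ca.crt" "$d/server.crt" "$d/server.key"
    check_hostapd_conf "$d/psk.conf" && echo "psk.conf: OK"
    check_hostapd_conf "$d/eap.conf" && echo "eap.conf: OK"
fi
```

Run it against the real file before restarting hostapd; the wpa= warning is deliberately not an error, because the page's configs use wpa=1 and the author reports that they worked, but a client set to WPA2 will only get RSN if bit 2 is set.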
On the XP client, configure the wireless AP to use WPA2, AES. Then on the Authentication tab, choose EAP = Protected EAP. Configure EAP: deselect "validate certificate" and choose MSCHAPv2. Configure MSCHAPv2 and deselect using the Windows logon.
The user will need to 1) view the wireless networks, 2) connect and then 3) enter the credentials in the window.
If all this works, you can change the password in eap_user to match the Windows logon information. Then re-configure the MSCHAPv2 setting in XP to use the Windows logon information. On my workstation, the domain was available on the logon screen and the first letter of my user ID had to be capitalized in eap_user. Obviously, hooking into the enterprise RADIUS server, fed by Active Directory, would be the best.
Debugging
You will need to set EnableFileTracing to 1 in the WinXP registry under
My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\EAPOL
The log file will be written to %windir%\tracing\eapol.log
STA Mode
Use the atheros card to function as a client and connect to an access point.
http://madwifi.org/wiki/UserDocs/WPA_PSK_on_Both_Ends
Store a passphrase in /etc/wpa_supplicant.conf using this command:
wpa_passphrase My_WPA_Protected_AP_ESSID "Some_Decent_PassPhrase_of_up_64_Characters" >> /etc/wpa_supplicant.conf
Then edit the file and add the key_mgmt and proto statements.
voyage:~# cat /etc/wpa_supplicant.conf
network={
    ssid="woody"
    #psk="Some Decent Passphrase used above"
    psk=d74da2b6d2ba792aaa1a8748277dc44e9db657bc561ca85f9060a38d7024db33
    key_mgmt=WPA-PSK
    #proto=WPA
    proto=RSN
}
Bring up the interface. This will scan for a matching SSID and negotiate the connection. (The command below has debugging enabled.)
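What the psk= line actually is, as an added example (not from the Voyage page or madwifi wiki): wpa_passphrase stores PBKDF2-HMAC-SHA1 of the passphrase, salted with the SSID, 4096 iterations, 32 bytes. The block below recomputes that hex value with the openssl CLI (it assumes OpenSSL 3.x, which has the kdf subcommand), checks that a psk= value has the right shape, and deletes the #psk="..." comment that wpa_passphrase leaves in the file, since the hex key is all the supplicant needs and the comment puts the clear-text passphrase on disk. Passphrase, SSID and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the page's own commands. Requires 'openssl kdf' (OpenSSL 3.x).
set -eu

# Print the 64-hex-digit PSK for a passphrase/SSID pair, lowercase, no separators.
# The SSID is the salt, so the same passphrase gives a different PSK on every network.
wpa_psk_hex() {
    openssl kdf -keylen 32 -kdfopt digest:SHA1 -kdfopt "pass:$1" -kdfopt "salt:$2" \
        -kdfopt iter:4096 PBKDF2 | tr -d ':' | tr 'A-F' 'a-f'
}

# True if a psk= value is a well-formed 256-bit hex key (what wpa_supplicant expects).
is_hex_psk() { printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'; }

# Delete the '#psk="..."' comment lines so the passphrase itself never sits in the file.
strip_plain_psk() { sed -i.bak '/^[[:space:]]*#psk=/d' "$1" && rm -f "$1.bak"; }

# Stand-alone run: ./psk.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    # Constructed file in the shape wpa_passphrase appends (passphrase and SSID are examples).
    printf 'network={\n\tssid="woody"\n\t#psk="Some Decent Passphrase"\n\tpsk=%s\n}\n' \
        "$(wpa_psk_hex 'Some Decent Passphrase' woody)" > "$f"
    strip_plain_psk "$f"
    cat "$f"
fi
```

A reference point for checking the derivation on your own box: the IEEE 802.11i test vector with passphrase "password" and SSID "IEEE" yields f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e.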
voyage:~# wpa_supplicant -dd -Dmadwifi -iath0 -c/etc/wpa_supplicant.conf
Check with iwconfig.
voyage:~# iwconfig
lo        no wireless extensions.

eth0      no wireless extensions.

wifi0     no wireless extensions.

ath0      IEEE 802.11g  ESSID:"woody"  Nickname:""
          Mode:Managed  Frequency:2.437 GHz  Access Point: 00:13:10:11:20:25
          Bit Rate:48 Mb/s   Tx-Power:19 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:ED7F-C1EF-61E3-90CB-721F-ABFB-3811-5CCC   Security mode:restricted
          Power Management:off
          Link Quality=46/94  Signal level=-50 dBm  Noise level=-96 dBm
          Rx invalid nwid:5944  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0