Linux wifi from the command line with wpa_supplicant

In this article I will tell how you can configure WiFi using wpa_supplicant , without any Xorg / X11 utilities. This is necessary to ensure that basic OS services work properly with a minimum set of remote access hardware. The program will be executed as a service, the settings are made by editing the config file.

Quickly, you can establish a connection with an open access point in this way.

[root@home ~]$ wpa_cli > add_network > set_network 0 ssid "MYSSID" > set_network 0 key_mgmt NONE > enable_network 0

If it is necessary seriously and for a long time, then I ask inside.

Wpa_supplicant Overview

What is wpa_supplicant ?

Cross-platform open implementation of the IEEE 802.11 standard for Linux, * BSD, Windows, Mac OS X and other systems.
Full support for WPA2, WPA and older wireless LAN security protocols.
A user-space application that performs the functions of a supplicant and SME operator that executes MLME instructions.

Wpa_supplicant supports

WPA and fully IEEE 802.11i / RSN / WPA2.
WPA-PSK and WPA2-PSK (pre-shared key) ("WPA-Personal").
WPA with EAP (i.e., RADIUS authentication server) ("WPA-Enterprise") key management for CCMP, TKIP, WEP (104/128 and 40/64 bits).
Caching RSN, PMKSA: pre-authentication.

How does wpa_supplicant communicate with an access point?

The network interface must function properly with the driver installed before wpa_supplicant starts.
Wpa_supplicant requests the kernel driver to scan the available Basic Service Set (BSS).
Wpa_supplicant selects the BSS according to the settings.
Wpa_supplicant requests the kernel driver to establish a connection with the selected BSS.
For WPA-EAP: EAP authentication is performed by the built-in IEEE 802.1X Supplicant, or external Xsupplicant with an authentication server.
For WPA-EAP: Master key from IEEE 802.1X Supplicant received.
For WPA-PSK, wpa_supplicant uses the PSK password as the session master key.
Wpa_supplicant performs 4-step negotiation ^[1] and group key negotiation with the authenticator of the access point.
Wpa_supplicant encrypts the unidirectional and broadcast packets ^[2] , after which the usual data exchange begins.

The main and big plus of wpa_supplicant is its Unixway , that is, compliance with the Unix Way principle, when the program does one thing, but does it well. In a sense, the wpa_supplicant is also the Gentoo Way . It requires some attention and patience at the beginning, but then you can completely forget about it. After the program is set up and started up, it completely drops out of the event flow, turning into a couple of lines from ps -ef . It does not sparkle and does not flash in the system tray, does not notify you about the explored, connected and disconnected wireless networks. It simply is not there until you yourself look for it.

Of the minuses - the complexity of configuration and configuration . A lot of fuss compared to tyrk-tyrk-tyrk in the Network Manager window, not to mention the WiFi connection from any Android device. If you are going on a trip with a Linux laptop, you will surely prefer a more friendly front-end wireless setup to quickly connect to free WiFi access points at the airport, hotel or in the work environment. For the home wireless Internet - the most it.

Installation

If you do not select a graphical frontend, then the program almost does not pull any dependencies. For Gentoo Linux, the installation will be fine with the flags set as shown.

 (5:562)$ equery uses wpa_supplicant [ Legend : U - final flag setting for installation] [ : I - package is installed with flag ] [ Colors : set, unset ] * Found these USE flags for net-wireless/wpa_supplicant-2.6: UI - - ap : Add support for access point mode + + dbus : Enable dbus support for anything that needs it (gpsd, gnomemeeting, etc) - - eap-sim : Add support for EAP-SIM authentication algorithm - - fasteap : Add support for FAST-EAP authentication algorithm - - gnutls : Add support for net-libs/gnutls (TLS 1.0 and SSL 3.0 support) + + hs2-0 : Add support for 802.11u and Passpoint for HotSpot 2.0 - - p2p : Add support for Wi-Fi Direct mode - - qt4 : Add support for the Qt GUI/Application Toolkit version 4.x - - qt5 : Add support for the Qt 5 application and UI framework + + readline : Enable support for libreadline, a GNU line-editing library that almost everyone wants - - smartcard : Add support for smartcards + + ssl : Add support for Secure Socket Layer connections - - tdls : Add support for Tunneled Direct Link Setup (802.11z) - - uncommon-eap-types : Add support for GPSK, SAKE, GPSK_SHA256, IKEV2 and EKE - - wps : Add support for Wi-Fi Protected Setup

Install.

emerge -av wpa_supplicant #Gentoo
aptitude install wpasupplicant #Debian
yum install wpa_supplicant #Redhat
pacman -S wpa_supplicant #Arch

Connection without config file

If you need to connect only once, then there is no need to create a configuration file and delve into all the details of the settings. Just type a few instructions from the command line.

An example for an open network was shown at the very beginning. For a closed WPA network, the quick connection looks like this:

In the beginning, you need to run the wpa_supplicant program itself and the associated wpa_cli .

 [root@home ~]$ wpa_supplicant -Dnl80211 -iwlan0 -C/var/run -u & [root@home ~]$ wpa_cli -p/var/run

Then setup from wpa_cli interactive interface.

 > add_network > set_network 0 ssid "name of AP" > set_network 0 key_mgmt WPA-PSK > set_network 0 pairwise TKIP > set_network 0 psk "key" > enable_network 0

For closed WPA2 network:

 > add_network > set_network 0 ssid "name of AP" > set_network 0 key_mgmt WPA-PSK > set_network 0 pairwise CCMP > set_network 0 psk "key" > enable_network 0

Finally, you need to manually start the DHCP daemon.

 [root@home ~]$ dhcpcd wlan0

Ad-Hoc network connection

I have never come across such a thing, but you need to be ready for everything. Connect to open ad-hoc.

 > add_network > set_network 0 ssid "adhoc-ssid" > set_network 0 mode 1 > set_network 0 frequency 2412 > set_network 0 key_mgmt NONE > enable_network 0

The same with iw .

 > iw dev wlan0 del > iw phy phy0 interface add wlan0 type ibss > ifconfig wlan0 up > iw dev wlan0 scan > iw dev wlan0 ibss join AdHocNetworkName 2412

Setup for home network

Now the most interesting is the setting. This process is documented for the Arch Wiki , the Debian Wiki, and the Gentoo Wiki , but of course there’s no details.

The program is usually placed in the /etc/wpa_supplicant/ directory, and our task is to correctly configure the wpa_supplicant.conf configuration file , and bind it to autorun the wireless network interface .

Let's start with wpa_supplicant.conf . If you are connecting from home to WPA / WPA2, then most likely you use the password for the WiFi connection, which corresponds to the WPA-PSK ("WPA-Personal") mode WPA-PSK ("WPA-Personal") . We will not consider options with WEP encryption, since it is not much better than an open network.

Let's take typical config from documentation. For example such.

 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel # # home network; allow all valid ciphers network={ ssid="home" scan_ssid=1 key_mgmt=WPA-PSK psk="very secret passphrase" }

The first line is necessary , without ctrl_interface program will not even start. GROUP = wheel is needed in order to run wpa_gui from under a normal user, but this is not our way. Therefore, we change to rutovy GROUP=0 .

 ctrl_interface_group=0 ctrl_interface=/var/run/wpa_supplicant ap_scan=1

Each network in the settings file must correspond to the network {} block. Having rummaged in the source code, I found the ap_scan variable ap_scan in the file config.h , and in the manual and user manual its description is very poor.

 ap_scan=0 #    ap_scan=1 #wpa_supplicant   ,  - ap_scan=2 # 0,       SSID,   ndiswrapper

Full description

ap_scan - AP scanning / selection

By default, it will be possible to scan the AP. If you are not in use, it can be used for the IEEE 802.11 association.

1: wpa_supplicant initiates scanning and AP selection (default).
0: Driver selection, AP selection, and IEEE 802.11 association parameters (WPA IE generation); non-WPA drivers when using this mode can also be used with IEEE 802.1X mode;
do not try to associate with APs (ie, external program needs to control association). This mode must also be used when using wired Ethernet drivers.

2: like 0, but associate with APs using security policy (but not BSSID); SSIDs for optimized roaming;
in this configuration each network block should have explicit security policy (ie, only one
option in the lists) for key_mgmt, pairwise, group, proto variables.

Note: ap_scan = 2 should not be used with the driver interface (the current Linux interface). ap_scan = 1 is optimized work working with nl80211. For finding networks using hidden SSID, scan_ssid = 1 in the network block can be used with nl80211.

The remaining options are taken from the config file manual .

bssid - The Basic Service Set Identifier (BSSID), the physical address of the access point.
key_mgmt - Authentication protocols.
pairwise - For WPA2, specify CCMP, and for WPA, specify TKIP.
proto - WPA / WPA2.
psk - PreShared Key password hash.

settings guide

group: list of accepted group (broadcast / multicast) ciphers for WPA
CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i / D7.0]
TKIP = Temporal Key Integrity Protocol [IEEE 802.11i / D7.0]
WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
If not set, this defaults to: CCMP TKIP WEP104 WEP40

pairwise: list of accepted pairwise (unicast) ciphers for WPA
CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i / D7.0]
TKIP = Temporal Key Integrity Protocol [IEEE 802.11i / D7.0]
NONE = Use only Keys Group (deprecated, should not be included if APs support pairwise keys)

proto: list of accepted protocols
WPA = WPA / IEEE 802.11i / D3.0
RSN = WPA2 / IEEE 802.11i (also WPA2 can be used)
If not set, this defaults to: WPA RSN

key_mgmt: list of accepted authenticated key management protocols
WPA-PSK = WPA pre-shared key (this requires 'psk' field)
WPA-EAP = WPA using EAP authentication (for example, Xsupplicant, for IEEE 802.1X EAP Authentication)
IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically generated WEP keys
NONE = WPA is not used; plaintext or static WEP could be used
If not set, this defaults to: WPA-PSK WPA-EAP

Create a password hash for psk :

 $ wpa_passphrase MYSSID passphrase

Everything is ready to create a network config. The resulting file should look something like this.

 ctrl_interface_group=0 ap_scan=1 ctrl_interface=/var/run/wpa_supplicant network={ proto=WPA2 pairwise=CCMP key_mgmt=WPA-PSK priority=5 ssid="MYSSID" bssid=44:b0:51:dc:ba:f8 psk=ce55977186ae1df2dffeb571acee8dacd92f49edddbdef53623132e3c24567ae }

bssid values for bssid , group , proto and pairwise can be determined by scanning the wireless network.

 [root@home ~]$ iwlist <wlan_interface> scan

The iwlist command from the Wireless Tools set is deprecated, instead it is now iw .

 [root@home ~]$ iw dev <wlan_interface> scan

802.1X Office Setup

The IEEE 802.1X standard defines a more rigorous model for connecting to a WiFi network. Instead of a psk password, you need to present a server certificate.

ca_cert - Absolute path to the CA-certificate in the PEM or DER format, necessary to be able to verify the server certificate.
ca_path - Absolute path to the directory where CA certificate files (in PEM format) are stored that you want to add to the trusted list.
client_cert - The absolute path to the client certificate in PEM or DER format.
eap - A space-separated list of supported EAP methods: MD5, MSCHAPV2, OTP, GTC, TLS, PEAP, or TTLS.
identity - EAP identifications, such as username.
password - EAP password.

This might look like a block configured to connect to the network in WPA-Enterprise mode with 802.1X PEAP authentication, which requires user account information to be entered:

 network = { ssid="Company WPA2 EAP" key_mgmt=WPA-EAP pairwise=TKIP group=TKIP eap=PEAP identity="username@domain" password="your_passphrase" ca_cert="/etc/cert/ca.pem" phase1="peapver=0" phase2="MSCHAPV2" }

And this is an example of a block configured to connect to the network in WPA-Enterprise mode with 802.1X EAP-TLS authentication, which requires server and client certificates:

 network = { ssid="Company WPA2 TLS" key_mgmt=WPA-EAP pairwise=CCMP group=CCMP eap=TLS ca_cert="/etc/cert/ca.pem" private_key="/etc/cert/privkey.p12" private_key_passwd="your_passphrase PKCS#12" }

Linking wpa_supplicant to a network map

For Gentoo Linux, add 2 lines to /etc/conf.d/net .

 modules=( "wpa_supplicant" ) wpa_supplicant_wlan0="-Dnl80211"

List of drivers supported by -D<driver> . For modern chips and kernel versions fit nl80211 . On the old gland wext can take off.

nl80211 - New driver.
wext - Linux wireless extensions (generic).
wired - wpa_supplicant wired Ethernet driver.
roboswitch - wpa_supplicant Broadcom switch driver.
bsd - BSD 802.11 support (Atheros, etc.).
ndis - Windows NDIS driver.

The wlan0 network card must be linked to lo0 .

 lrwxrwxrwx 1 root root 6  29 2014 /etc/init.d/net.wlan0 -> net.lo

You should also add wpa_supplicant to autorun.

  [root@home ~]$ rc-update add wpa_supplicant default

Debian users add an entry to the /etc/network/interfaces file.

 auto wlan0 iface wlan0 inet dhcp wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

RedHat users add to /etc/sysconfig/wpa_supplicant

 INTERFACES="-iwlan0"

and in /etc/sysconfig/network-scripts/ifcfg-wlan0

 ESSID="home" NAME=wlan0 MODE=Managed KEY_MGMT=WPA-PSK TYPE=Wireless BOOTPROTO=dhcp DEFROUTE=yes ONBOOT=yes HWADDR=aa:bb:cc:dd:ee IPV6INIT=yes IPV6_AUTOCONF=yes

Debugging

After wpa_supplicant has successfully connected to the access point, you can see the connection setup protocol in dmesg .

 [243960.587] cfg80211: World regulatory domain updated: [243960.587] cfg80211: DFS Master region: unset [243960.587] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time) [243960.587] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A) [243960.587] cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz, 92000 KHz AUTO), (2000 mBm), (N/A) [243960.587] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A) [243960.587] cfg80211: (5170000 KHz - 5250000 KHz @ 80000 KHz, 160000 KHz AUTO), (2000 mBm), (N/A) [243960.587] cfg80211: (5250000 KHz - 5330000 KHz @ 80000 KHz, 160000 KHz AUTO), (2000 mBm), (0 s) [243960.587] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s) [243960.587] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), [243960.587] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), [243963.070] wlan0: authenticate with aa:bb:cc:dd:ee [243963.075] wlan0: send auth to aa:bb:cc:dd:ee (try 1/3) [243963.077] wlan0: authenticated [243963.084] wlan0: associate with aa:bb:cc:dd:ee (try 1/3) [243963.088] wlan0: RX AssocResp from aa:bb:cc:dd:ee (capab=0x411 status=0 aid=3) [243963.090] wlan0: associated

If instead you see an error:

 Successfully initialized wpa_supplicant nl80211: Driver does not support authentication/association or connect commands wlan0: Failed to initialize driver interface

you probably need to use the wext driver instead of nl80211 . And with an error:

 WEXT: Driver did not support SIOCSIWAUTH for AUTH_ALG, trying SIOCSIWENCODE

on the contrary, instead of wext it is necessary to substitute nl80211 .
In a situation where you cannot determine the error, run wpa_supllicant directly with the -dd .

 [root@home ~]$ wpa_supplicant -Dnl80211 -iwlan0 -C/var/run/wpa_supplicant/ -c/etc/wpa_supplicant/wpa_supplicant.conf -dd

Used materials

↑ 4-way handshake
↑ Unicast and broadcast

Source: https://habr.com/ru/post/315960/

All Articles