HOWTO: Wireless Roaming on Lenny with wpa_supplicant

[Arthur Archnix]

UPDATE: Well over a year ago hkoster1 posted a much more concise how-to which covers the same topic. See it here: http://forums.debian.net/viewtopic.php?t=17199 That thread has received much more attention and vetting, so you should head over there to check it out what kinds of problems people have had and what workarounds are available. Thanks to hkoster1 for bringing it to my attention.

Introduction
The purpose of this how-to is to setup simple wireless roaming (automatic network recognition and connection) on Debian Lenny. By simple I do not mean really easy. By simple I mean clean, without unnecessary programs, daemons or services. This is almost certainly not the easiest way. But I like it.

We're going to use wpa_supplicant as called by the ifupdown networking components of Lenny to automatically connect to networks that we define in advance. Why are we using wpa_supplicant? If you want to connect to any wireless network worth connecting to, you're going to need wpa_supplicant. You want easy? Just install some app to manage your wireless network, like wicd or network-manager. But why install another app to do what we can already do? It's just one more app that can crash, one more app that can potentially be exploited, one more app eating up your hardware's resources. Here's a description from the man pages, lightly edited:

The Debian wpasupplicant packages provides two modes of operation that are closely integrated with ifupdown (the core networking infrastructure); Managed Mode and Roaming Mode. A self contained, simplistic roaming mechanism is provided by wpasupplicant, in the form of a wpa_cli action script, /sbin/wpa_action, and it assumes control of ifupdown once activated. See the wpa_action man page for more info.

Pre-Req's / Assumptions

• 1. You need a working internet connection. You should be able to bring up your wireless network, and connect to all the places you want to connect to manually. This means knowing about /etc/network/interfaces, ifupdown, iwconfig, iwlist, and so on. If you can't manually connect you probably can't use this guide.
  
  2. You need wpa_supplicant installed, but it has to be from at least Debian Lenny. The man pages talk about significant changes from earlier kernel versions, if you're not running Lenny stop now and read the man pages and docs listed below. It's probably not going to work, but maybe you can figure it out. If you do, post how you did it below. Here's a website that may help you out: http://home.telomsa.net/richm/hp-nx6125.html
  
  3. You read /usr/share/doc/wpasupplicant/README.modes. You don't even need this if you read that. It's that good. I highly recommend you read everything else under /usr/share/doc/wpasupplicant/, the man pages for interfaces, iwconfig, iwlist, and wpa_supplicant.conf.
  
  4. You don't trust me, and are concerned that these steps may harm your computer. That's a good assumption to have considering that all of these instructions require root privileges and I "wrote" this how-to because I didn't want to forget everything I learned in the previous four hours.

What follows are excerpts from the man pages. Sometimes verbatim, sometimes summarized. None of the useful content is mine, though it's likely that most of the useless comments and all the mistakes are. Consult the man pages and recommended reading when in doubt. In all cases the information in those pages supersedes the information found here.

Ok, time to end the attribution and begin the execution; And it's the network interfaces that are first against the wall.

Instructions & Crib Notes
To start, open /etc/network/interfaces file and place this in there:

Code: Select all

allow-hotplug wlan0
iface wlan0 inet manual
        wpa-driver wext
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

Change wlan0 if necessary. If you have references to your wireless interface anywhere else, for example something like "auto lo wlan0" remove the reference to your wireless network device. The documentation says you can use either auto or allow-hotplug.

Some important info about drivers:

The Intel Pro Wireless adapters (ipw2100, ipw2200 and ipw3945) all use the 'wext' driver, the 'ipw' backend is deprecated and no longer provided. The Madwifi supports both the 'wext' and 'madwifi' driver backends and 'wext' is the preferred driver interface. Ndiswrapper no longer supports the 'ndiswrapper' driver backend as of version 1.16. Therefore, 'wext' must be used. See readme.modes for more info.

The file location may not be important, but change it at your own peril. Next we deal with the wpa_supplicant.conf file. It's very important. Here's what respectable people have to say about it:

It is required to provide a wpa_supplicant.conf containing a minimal amount of global options, and any known network blocks that should be connected to without interaction. A good starting point is provided by an example configuration file:

Let's do what he tells us:

Code: Select all

cp /usr/share/doc/wpasupplicant/examples/wpa-roam.conf /etc/wpa_supplicant/wpa_supplicant.conf
chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf

Ok, now we lightly edit the file to our own use. Pay attention to the big scary warning about the ctrl_interface, and don't touch it if you don't know exactly what it means. Here's what the wpa_supplicant.conf file looks like, minus all the very important comments:

Code: Select all

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
network={
	ssid="Example WEP Network"
	key_mgmt=NONE
	wep_key0=6162636465
	wep_tx_keyidx=0
	id_str="johns_house"
	priority=5
}

network={
	ssid="Example WPA Network"
	psk="mysecretpassphrase"
	id_str="home"
	priority=10
}

network={
	key_mgmt=NONE
}

Amazingly you don't need all the info you usually need when manually setting up your wpa connections. You would think that you have to move all the wpa-* info, but for whatever reason, it's not needed. Also, the reason we chmod'd the file so that non-root couldn't read it is because you put your ASCII password in there. Does wpa_supplicant md5 hash it before transmit? I don't know.

Note the priority settings, those aren't in the example file. But if, like me, you've got a neighbour with an unsecured wireless and your own secured wireless, you naturally want to connect to yours. To ensure that happens (or perhaps, only to make it more likely) you need to set it at a higher priority. If my home and John's house were side by side and I could access both, my home would take priority (10 > 5). The default network (aka, fall back network, very important you have this) has no priority, which is as good as zero as makes no difference.

Anyway, once you've edited that example file to your tastes, you just need to go back into /etc/network/interfaces and make a few minor additions. This is what it would look like, based on the above example.

Code: Select all

debian:/# cat /etc/network/interfaces
# Loopback
auto lo
iface lo inet loopback

# Ethernet
iface eth0 inet dhcp

# Wireless
allow-hotplug wlan0
iface wlan0 inet manual
	wpa-driver wext
	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface home inet dhcp

iface johns_house inet dhcp

iface default inet dhcp

If you have a static setup instead of dhcp, just have a look at the example files, documents and man pages referenced above. Examples are included. Note that for every network block in the wpa_supplicant.conf file there is a corresponding iface. Also, the last network block was blank, but in interfaces, it is called default. Just go with it. It's all good.

At this point I'm just gonna to cut and paste this entire section, because it's all relevant and directly to the point:

Once the roaming daemon is started, it assumes control of ifupdown. That is; wpa_cli calls ifup when wpa_supplicant has successfully associated with an access point, and calls ifdown when the connection is lost or terminated. While the roaming daemon is active, ifupdown should not be controlled directly by manually issued commands... For example, to stop the roaming daemon on the device 'wlan0':

Code: Select all

wpa_action wlan0 stop

When it is required to update the roaming daemon with a new networks details, it can be done without stopping it. Edit the wpa_supplicant.conf file that is being used by the daemon with the new networks details, add optional network settings to /etc/network/interfaces that are specific to the new network (linked by the 'id_str') and then 'reload' the daemon like so:

Code: Select all

wpa_action wlan0 reload

For the complete technical details of what wpa_action can do, read the wpa_action manpage.

Anyway, at this point everything should hopefully be working. So run

Code: Select all

/etc/init.d/networking force-reload
wpa_action wlan0 reload

And everything should come up. Confirm this by opening a terminal and typing

Code: Select all

wpa_cli

A handy-dandy "interface" pops up. Type status to see your connection status. If you're not connected to anything you can type "list" to see what networks are actually available. If you see networks in your list but aren't connected try typing "reassociate"

Type help to check out all the useful commands. You'll see that you can actually use wpa_cli to add new networks, which could be handy if you want to add new networks as non-root. I haven't experimented with this, but you'll need to make sure to uncomment #update_config=1 in /etc/wpa_supplicant/wpa_supplicant if you want to try this method out.

The last thing to do is make this available to your normal user. Assuming your normal user is a part of the netdev group, you don't need to make any changes. Just run

Code: Select all

/sbin/wpa_cli 

If you decide to create a new group, just change the group in /etc/wpa_supplicant/wpa_supplicant.conf on the control interface line. As always, there is more than one way to skin a cat.

Credits & Feedback:
I've tried to condense what was -- to me -- the most essential information from the manpages, which are really quite excellent with respect to documenting these features. Thanks to the developers for making them so good that even a new Debian user could bungle his way through it all.

That said, please give me feedback so I can improve this how-to. Have I misrepresented something in the manpages? Given bad advice? Typo? Don't like my avatar? Let me know so that I can improve this post / cry.

[infinitycircuit]

Excellent guide!

I had to run "ifup wlan0" after reloading the network, because it was set on manual mode.

[Arthur Archnix]

Excellent guide!

I had to run "ifup wlan0" after reloading the network, because it was set on manual mode.

Thanks, glad it worked for you. There was a note in there that while using this method you should avoid manually calling ifup wlan0, or whatever else it is. I'm not sure if you're experiencing any problems, but if so a reboot should put everything back in order.

I've updated the guide to reflect the fact that your network didn't come backup after reloading the network.

[hkoster1]

Great minds think alike, http://forums.debian.net/viewtopic.php?t=17199

[Arthur Archnix]

Well that's slightly embarrassing.

[Arthur Archnix]

Just an update, I've installed wpa_gui and use it to manage networks from the panel. It works really great.

[toonoob]

great!
at the beginning wpa_cli said couldn't connect to wpa_supplicant
and ifup wlan0 said something i can't remember.
but then with wpa_gui i just rescanned and connected to the wireless i wanted (wich had no mac addres authentication).
i guess i did some mistakes in the wpa_supplicant.conf (i should have connected simply with wpa_cli)
maybe i should specify hidden ssid and mac addres authentication for network i know they use it?
because as i remember last time i tried it failed authentication.

[oOarthurOo]

I have not tried to use the gui to add new networks, but certainly if you're trying to do that make sure you've enabled it first in wpa_supplicant.conf, as it is disabled by default. Ideally, you would setup your networks manually in the wpa_supplicant.conf file, remembering to define them also in /etc/network/interfaces, and then only use the gui to get status and switch between them as required.