Please note: This project is no longer active. The website is kept online for historic purposes only.
If you're looking for a Linux driver for your Atheros WLAN device, you should continue here.

02/21/06 News: To make WPA2 (WPA2=RSN) or hostapd-0.5.1 using the instructions below, you must use the development branch of hostapd posted after 02/21/06 04:00:00 (earlier releases still need to be patched). Please see:

  • Ticket #241
  • Download madwifi from the svn release 1453 or greater - see r1453 for details on the RSN patches.
  • Use hostapd-0.5.1 (posted after 02/21/06 04:00:00) or later.

WPA on madwifi: AP & Station

This page shows how to set up Pre-Shared Key WPA security on both the Access Point (AP) and the Station for madwifi code. It does not cover setting up a Radius server, nor how to become a supplicant/client station to a Radius server. Pre-Shared keys are adequate for home and small networks, compared to the alternatives (WEP, Open), and much easier than a Radius server. NB: the example hostapd.conf setup has the standard bridge instruction commented out. As set, hostapd expects that bridging/routing/firewalling is managed by netfilters and iptables (ie: by hand or with Shorewall or the like). See the bottom of this doc for the standard bridging setup.

You will need to download, configure, and build programs for both the Station and the Access Point. You will need to construct runtime configuration files for the programs once you've built them. The examples below show wpa_supplicant and hostapd version 0.4.7; you must substitute your own version numbers (ie: 0.5.0, etc) for those shown in the example scripts.

Further, you must already have your kernel source and build, and the madwifi source and drivers built and available. See UserDocs/KernelConfig and the Wiki UserDocs for your distribution to find instructions. These examples all presume you've chosen /usr/src/ as the source code directory; if you have made other choices, substitute your chosen source directory for /usr/src/ in the scripts and config files below. The programs need to be run on the AP and on the Stations before you can authenticate the wireless connection and begin to associate and network. Once you've gotten everything running, you can automate your startups.

Additional Documentation


The Station (client) Side

Get wpa_supplicant


On all workstations that want to subscribe to the WPA enabled AP, do the following:

Go here: http://hostap.epitest.fi/wpa_supplicant/ and get: Latest stable release: (as of this writing: wpa_supplicant-0.4.7.tar.gz). Unpack it to /usr/src/wpa_supplicant-0.4.7


Copy this to /usr/src/wpa_supplicant-0.4.7/.config


CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I/usr/src/madwifi-ng
CONFIG_CTRL_IFACE=y

Now build wpa_supplicant on the station

cd /usr/src/wpa_supplicant-0.4.7
make clean
make
make install

Run /usr/src/wpa_supplicant-0.4.7/wpa_passphrase to make your PSK


From /usr/src/wpa_supplicant-0.4.7/ execute:

wpa_passphrase My_WPA_Protected_AP_ESSID "Some_Decent_PassPhrase_of_up_64_Characters" >> /etc/wpa_supplicant.conf

replacing My_WPA_Protected_AP_ESSID with the SSID of your AP and Some_Decent_PassPhrase_of_up_64_Characters with the passphrase of your choice. This writes

network={
        ssid="My_WPA_Protected_AP_ESSID"
        #psk="Some_Decent_PassPhrase_of_up_64_Characters"
        psk=701459761a3d17c5ddead0deafbeeffeedbadf00dc659db31e2e3d36f00a12b1
}

to /etc/wpa_supplicant.conf

Edit /etc/wpa_supplicant.conf and add the lines into the network section created above:

    key_mgmt=WPA-PSK
#    proto=WPA
    proto=RSN

Add the following line to /etc/wpa_supplicant.conf prior to the network section:

    ap_scan=0

Uncomment the proto=WPA line (and comment out the RSN line) to enable WPA. Leave as is for WPA2 (stronger encryption).

If you want to make a user control GUI interface to wpa_supplicant, see UserDocs/WPA_PSK_on_Both_Ends/wpa_gui for information about using wpa_gui with wpa_supplicant.

Change the permissions of /etc/wpa_supplicant.conf with: chmod 640 /etc/wpa_supplicant.conf


In Madwifi releases after r1407, modprobe ath_pci automatically creates ath0 (see UserDocs/autocreate). If you are using Madwifi releases prior to r1408, you must use wlanconfig to create the station device ath0. The examples below reflect the autocreate/post r1407 behavior.

Once you have completed the AP side as described below, you should see something like this when you run wpa_supplicant with debugging (-dd) on (from a terminal as root).

Note: If you encounter "Argument list too long" errors in your wpa_supplicant debug output, use -Dwext rather than -Dmadwifi in the example below (assuming you're running a kernel that's version 1.6.15 or later).

For example:

  • modprobe ath_pci (if running pre-r1408 Madwifi code, then also: wlanconfig ath0 create wlandev wifi0 wlanmode sta)
  • iwconfig ath0 essid "My_WPA_Protected_AP_ESSID"
  • ifconfig ath0 192.168.0.100 up
  • /usr/local/bin/wpa_supplicant -dd -Dmadwifi -iath0 -c/etc/wpa_supplicant.conf

yields:

State: GROUP_HANDSHAKE -> COMPLETED
CTRL-EVENT-CONNECTED - Connection to 00:0f:b4:a1:3f:47 completed (auth)
==================================================================

and iwconfig ath0 shows:

ath0      IEEE 802.11g  ESSID:"My_WPA_Protected_AP_ESSID"  Nickname:"YOUR_HOSTNAME"
          Mode:Managed  Frequency:2.422GHz  Access Point: 00:0D:B3:1A:E2:67
          Bit Rate:54Mb/s   Tx-Power:18 dBm   Sensitivity=0/3
          Retry:off   RTS thr:off   Fragment thr:off
          Encryption key:59B8-0286-FEED-DEAF-BEEF-F00D-192B   Security mode:restricted
          Power Management:off
          Link Quality:43/94  Signal level:-52 dBm  Noise level:-95 dBm
          Rx invalid nwid:3  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

You should be able to use the network now, and your wireless data is encrypted and authenticated with WPA. If you have the interface up, but things like ping fail with huge error rates, check that your firewall is not blocking ath0, and that you have a default route set to ath0.

You can terminate the running wpa_supplicant with CTRL-C from the terminal you've launched it from, or with pkill wpa_supplicant.

To automate your Station device, execute this script:

#!/bin/sh
modprobe ath_pci
# If running pre-r1408 Madwifi code, then also run:
# wlanconfig ath0 create wlandev wifi0 wlanmode sta
iwconfig ath0 essid "My_WPA_Protected_AP_ESSID"
ifconfig ath0 192.168.0.100 up
wpa_supplicant -Bw -Dmadwifi -iath0 -c/etc/wpa_supplicant.conf

The above is only an example. You may have a better way to invoke the modprobe ath_pci (ie: /etc/modprobe.conf, /etc/modules.conf, or the like). Your distribution may offer a means to launch this script when you insert a pccard, or start the network. See UserDocs/Distro for your distribution for more information.


An Advanced Example of wpa_supplicant

This is an example of setting up wpa_supplicant to run on a WRAP. Do all the setups as above, but before you make wpa_supplicant you'll also need to build your kernel with the AES option as shown below.

Platform

OpenWrt, BCM4710A0 CPU, Asus WL-500G AP: atheros 5212 wireless miniPCI card, madwifi-ng 2005-12-15 snapshot, wpa_supplicant-0.4.7

Compile the kernel with

CONFIG_CRYPTO_AES=m

After the regular modprobe ath_pci, also modprobe aes

Make wpa_supplicant as described above, but with this /usr/src/wpa_supplicant-0.4.7/.config

(What you NEED to change is the path in this line: CFLAGS += -I/root/drivers/madwifi-ng)

CONFIG_DRIVER_ATMEL=n
CONFIG_DRIVER_HOSTAP=n
CONFIG_DRIVER_IPW=n
CONFIG_DRIVER_MADWIFI=y
# Point this to your madwifi(-ng) sources
CFLAGS += -I/root/drivers/madwifi-ng
CONFIG_DRIVER_NDISWRAPPER=n
CONFIG_DRIVER_PRISM54=n
CONFIG_DRIVER_WEXT=y
CONFIG_DRIVER_WIRED=y
CONFIG_WIRELESS_EXTENSION=y

#CONFIG_DRIVER_NDIS=y
#CONFIG_DRIVER_HERMES=y
#CONFIG_DRIVER_BROADCOM=y

CONFIG_IEEE8021X_EAPOL=y

CONFIG_EAP_MD5=y
CONFIG_EAP_MSCHAPV2=y
CONFIG_EAP_FAST=y
CONFIG_EAP_TLS=y
CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y
CONFIG_EAP_GTC=y
CONFIG_EAP_OTP=y
CONFIG_EAP_SIM=y
CONFIG_EAP_PSK=y
CONFIG_EAP_PAX=y
CONFIG_EAP_LEAP=y
CONFIG_EAP_AKA=y

CONFIG_PKCS12=y
CONFIG_SMARTCARD=y
CONFIG_PCSC=y

CONFIG_CTRL_IFACE=y
CONFIG_READLINE=y

If wpa_supplicant -D madwifi -i ath0 -c /etc/wpa_supplicant.conf -dd -t fails to associate and you see something like:

Setting scan request: 0 sec 100000 usec
BSSID 00:0f:66:c8:8b:14 blacklist count incremented to 2
State: GROUP_HANDSHAKE -> DISCONNECTED
EAPOL: External notification - portEnabled=0
EAPOL: SUPP_PAE entering state DISCONNECTED
...together with "ioctl[IEEE80211_IOCTL_SETKEY]: No such device or address" (or "ioctl[unknown???]: No such device or address"), and what should read "RX EAPOL from 00:12:17:b8:1c:db" when wpa_supplicant is launched with the debug log -dd option instead reads "ioctl[unknown???]: No such device or address", then you've probably not gotten the kernel config right or the aes module loaded.



Now do the AP side



Get hostapd


Go here: http://hostap.epitest.fi/hostapd/ and get: Latest stable release (as of this writing: http://hostap.epitest.fi/releases/hostapd-0.4.7.tar.gz). Unpack it to /usr/src/hostapd-0.4.7


Copy the below to /usr/src/hostapd-0.4.7/.config


# Driver interface for madwifi driver
CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I/usr/src/madwifi-ng # change to reflect local setup; directory for madwifi src
# IEEE 802.11F/IAPP
CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y
# Integrated EAP server
CONFIG_EAP=y
# EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y
# EAP-TLS for the integrated EAP server
CONFIG_EAP_TLS=y
# EAP-MSCHAPv2 for the integrated EAP server
CONFIG_EAP_MSCHAPV2=y
# EAP-PEAP for the integrated EAP server
CONFIG_EAP_PEAP=y
# EAP-GTC for the integrated EAP server
CONFIG_EAP_GTC=y
# EAP-TTLS for the integrated EAP server
CONFIG_EAP_TTLS=y

# EAP-PSK for the integrated EAP server
#CONFIG_EAP_PSK=y

# PKCS#12 (PFX) support (reads private keys or certificates from  .p12 or .pfx files)
CONFIG_PKCS12=y
# RADIUS authentication server. Access the integrated EAP server from external hosts using RADIUS.
CONFIG_RADIUS_SERVER=y

Change to the /usr/src/hostapd-0.4.7 directory and:

  • make clean
  • make
  • make install

Caution: hostapd's make clean doesn't remove the installed /usr/local/bin copies, and make install won't overwrite them. You must erase them by hand if you have to run the build two or more times.

Add the ssid and psk generated above to your /etc/hostapd.conf on the AP as shown below


Copy the below to /etc/hostapd.conf (uncomment the bridge line for standard bridging)


# An additional configuration parameter, bridge,
# must be used to notify hostapd if the interface is included in a bridge. 

# Enable this for standard bridging, leave disabled for netfilter firewalls
#bridge=br0

interface=ath0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
ctrl_interface_group=0
macaddr_acl=0
deny_mac_file=/etc/hostapd.deny
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
dump_file=/tmp/hostapd.dump
ssid="My_WPA_Protected_AP_ESSID"
wpa=3  
wpa_psk=701459761a3d17c5ddead0deafbeeffeedbadf00dc659db31e2e3d36f00a12b1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
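
The psk value that wpa_passphrase writes is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so the station and AP files can be cross-checked offline before either daemon is started. The sketch below is an added example, not part of the original wiki page or of the madwifi/hostapd code; derive_psk, parse_conf and check_pair are hypothetical helper names, and the sample files are constructed from the IEEE 802.11i test-vector passphrase and SSID.

```python
import hashlib

def derive_psk(passphrase, ssid):
    # What wpa_passphrase computes: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def parse_conf(text):
    # Flat key=value parse; keeps the '#psk=' comment that wpa_passphrase writes
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") and not line.startswith("#psk="):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip().strip('"')
    return conf

def check_pair(supplicant_text, hostapd_text):
    # Returns a list of findings; an empty list means the two files agree
    sta, ap = parse_conf(supplicant_text), parse_conf(hostapd_text)
    findings = []
    if sta.get("psk", "").lower() != ap.get("wpa_psk", "").lower():
        findings.append("psk differs from wpa_psk in hostapd.conf")
    if "#psk" in sta:
        findings.append("cleartext passphrase comment left in wpa_supplicant.conf")
        if derive_psk(sta["#psk"], sta.get("ssid", "")) != sta.get("psk", "").lower():
            findings.append("psk does not match the passphrase/ssid pair")
    # hostapd 'wpa' is a bit field: bit 0 = WPA, bit 1 = WPA2 (RSN)
    needed = {"WPA": 1, "RSN": 2}.get(sta.get("proto", ""), 0)
    if needed and not int(ap.get("wpa", "0")) & needed:
        findings.append("station proto=%s not enabled by hostapd wpa=%s" % (sta["proto"], ap.get("wpa")))
    return findings

# Constructed sample files (IEEE 802.11i test-vector passphrase and SSID)
SUPPLICANT = """network={
        ssid="IEEE"
        #psk="password"
        psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
        key_mgmt=WPA-PSK
        proto=RSN
}"""
HOSTAPD = """ssid=IEEE
wpa=1
wpa_psk=f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"""

for finding in check_pair(SUPPLICANT, HOSTAPD):
    print("FINDING:", finding)
```

With the constructed files the check reports the leftover cleartext passphrase comment and the proto=RSN / wpa=1 mismatch; setting wpa=3 as in the hostapd.conf above clears the second finding.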

Successful hostapd Run Log With Debugging Output


[root@cablin]# hostapd -dd /etc/hostapd.conf

Configuration file: /etc/hostapd.conf
madwifi_set_iface_flags: dev_up=0
Using interface ath0 with hwaddr 00:0a:b5:89:ea:b7 and ssid 'alex'
madwifi_set_ieee8021x: enabled=1
madwifi_configure_wpa: group key cipher=1
madwifi_configure_wpa: pairwise key ciphers=0xa
madwifi_configure_wpa: key management algorithms=0x2
madwifi_configure_wpa: rsn capabilities=0x0
madwifi_configure_wpa: enable WPA= 0x1
madwifi_set_iface_flags: dev_up=1
madwifi_set_privacy: enabled=1
WPA: group state machine entering state GTK_INIT
WPA: group state machine entering state SETKEYSDONE
madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00 key_idx=1
Flushing old station entries
madwifi_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
l2_packet_receive - recvfrom: Network is down

When a station successfully connects you will see things (among many) like:

ath0: STA 00:0f:b5:62:b1:71 WPA: received EAPOL-Key frame (2/2 Group)
WPA: 00:0f:b5:62:b1:71 WPA_PTK_GROUP entering state REKEYESTABLISHED
ath0: STA 00:0f:b5:62:b1:71 WPA: group key handshake completed (WPA)
WPA: group state machine entering state SETKEYSDONE
madwifi_set_key: alg=TKIP addr=00:00:00:00:00:00 key_idx=1
WPA: 00:0f:b5:62:b1:71 WPA_PTK_GROUP entering state IDLE
Checking STA 00:0f:b5:62:b1:71 inactivity:
  Station has been active

If you see something successful like the above you can kill hostapd and turn down debugging by setting the debug values in /etc/hostapd to 0 or 1 (your choice), then relaunch hostapd without the -dd option.

If the AP has netfilters/iptables and/or a firewall manager like Shorewall (my favorite) running on the AP, expect to manage bridging/routing/firewalling without brctl or br0. See your firewall docs for instructions.

To launch hostapd in the background (mode G only, ip 192.168.0.2 in this example) at every startup, use a script like this:

#!/bin/sh
/sbin/modprobe ath_pci autocreate=ap
iwconfig ath0 essid "My_WPA_Protected_AP_ESSID"
iwpriv ath0 mode 3
ifconfig ath0 192.168.0.2 up
hostapd -B /etc/hostapd.conf

NB: The above is just an example. Be certain to include the 'autocreate=ap' parameter to modprobe ath_pci (as shown above), or you will have to 'wlanconfig ath0 destroy; wlanconfig ath0 create wlandev wifi0 wlanmode ap' to start the AP VAP. You will also need to do this if you are using the pre-r1408 Madwifi code.

Standard Bridging

Alternatively, to build an AP with standard bridging ath0 to eth0 (mode G only, ip 192.168.0.2 in this example), uncomment the #bridge=br0 line in hostapd.conf (see above) and:

    /sbin/modprobe ath_pci autocreate=ap
    iwconfig ath0 essid "My_WPA_Protected_AP_ESSID"
    iwpriv ath0 mode 3
    brctl addbr br0
    brctl addif br0 eth0
    brctl addif br0 ath0
    brctl setfd br0 1
    ifconfig ath0 up
    ifconfig eth0 up
    ifconfig br0 192.168.0.2 up
    hostapd -dd /etc/hostapd.conf 

See man brctl, and http://linux-net.osdl.org/index.php/Bridge for more about bridging.



Things That Did Not Work


  • The hostapd.conf from users-guide appendix
  • Don't begin with a copy /usr/src/hostapd/defconfig file as base, use MADWIFI.CONF instead.
  • Don't follow the README regarding editing the makefile to set the madwifi directory, do that in the .config