I recently set up a Netgear WGR614 wireless router for use with my
broadband link and discovered that it had support for WiFi Protected
Access (WPA). It can use WPA in pre-shared-key mode (WPA-PSK) otherwise
known as "WPA Personal". If you don't know what WPA is or why you
would want to use it, visit the .
WiFi Protected Access (WPA)
In summary, it's the successor to Wired Equivalent Privacy (WEP) and
the predecessor to WPA2, which is expected to fully implement 802.11i.
WPA addresses the common security issues associated with WEP but can be
implemented on existing WiFi hardware (subject to the availability of
updated firmware/drivers).
There are two types of WPA, Personal and Enterprise. Enterprise uses
802.1X with the Extensible Authentication Protocol (EAP) to
authenticate/authorise via a Remote Authentication Dial-In User Service
(RADIUS) server and set up a unique initial key. Personal doesn't use
802.1X or need a RADIUS server; it relies on an initial shared key that
the AP and all clients need to know. WPA uses the Temporal Key
Integrity Protocol (TKIP), which has a per-packet key mixing function
and a message integrity check (MIC), allows for re-keying and has other
security enhancements over WEP.
NB. Although WPA Personal is a vast improvement over WEP, it doesn't
provide sufficient security to stop authorised wireless users from
eavesdropping on each other. If that's an issue, you'll need a WPA
Enterprise capable AP and will have to set up and run a WPA Enterprise
infrastructure.
Wireless Access Point (AP)
Netgear WGR614 v3 (firmware ?, Nov 2003)
Switching WPA-PSK on in the Netgear is simplicity itself. Enable the
checkbox in the wireless settings page and enter an 8-63 char passphrase
(no WEP-style HEX to fiddle with here). Apply the change and wait for
the router/AP to reboot.
Make sure that SSID broadcasting is enabled. It's enabled by default;
disabling it gives a slight security-by-obscurity feeling. If you leave
it enabled, WPA will be much easier (read as: actually possible) to get
working, and with WPA working it won't make any difference whether
unauthorised users can see your SSID or not.
Wireless Clients
Mac OSX 10.3.3 - built-in Airport Extreme 802.11g client
Getting it to work on a PowerBook G4 was trivial. You need Panther (Mac
OSX 10.3); it's not supported on Jaguar (10.2) or Classic. Enable the
WiFi radio, connect to the desired WiFi SSID (network) and Panther
detects that the
AP is using WPA-PSK. It pops up a dialogue for you to enter the WPA
passphrase. The connection works. End of story.
Windows XP home - Avaya Gold 802.11b PC card
I have a laptop that still has an XP partition that it came bundled
with. I also have an old Avaya Gold 802.11b card lying around and
decided to see if I could get them to work. Bear in mind that I know
very little about XP and only ever run it as a user and only then very
occasionally. This is what I did to make it all work. You'll probably
need to restart Windows a few times during this process:
- Run XP SP1
- Download the WPA update (via Windows Update)
- (reboot)
- Remove the Avaya WiFi utility (it's important for XP to manage
the device itself)
- Download the latest (not the
Avaya driver - it doesn't support WPA)
- Unpack the driver to C:\WUTEMP
- Update the driver for the Avaya card, pointing the driver
update utility at C:\WUTEMP
- (reboot)
- Double-click the wireless network icon in the taskbar and hit
the Advanced button
- Select the appropriate WiFi SSID (network) and hit configure
- Choose WPA-PSK with TKIP and enter the passphrase
XP associated with the AP and maintained a connection for a few minutes
but then the network dropped out and a dialogue popped up telling me
that the connection had been lost. One more reboot and it started to
work continuously.
Linux 2.4.24 (RedHat 9) - Avaya Gold 802.11b PC card
After some googling, I didn't think that the Avaya Gold would have any
chance of working under Linux without at least paying for a license. I then
decided to look around for a new 802.11g PC card that would run with
WPA on Linux. Here are a few resources I used:
- (Prism2/2.5/3
driver) and wpa_supplicant
- (802.11g Prism
GT/Duette/Indigo driver)
It looked like it was possible to use either:
1. An 802.11b Prism-based card with hostap drivers and wpa_supplicant
2. An 802.11g card with Linuxant/Windows NDIS driver and wpa_supplicant.
I opted to go with a Netgear WG511 as it had a Prism 54 chipset (i.e.
it could be driven natively under Linux, albeit without support for WPA
yet), was supported by Linuxant (for the WPA support) and was the same
make as my AP. However, before this card arrived I downloaded the
latest (31st
March 2004, release 7.18) Agere This
had a new Hermes and Hermes-II chipset driver with support for WPA and
came with a copy of wpa_supplicant bundled. I had found a way to get my
original Avaya Gold to work!
3. An 802.11b Hermes (Orinoco) based card with Agere driver and wpa_supplicant
Update 6-4-04: Jouni has updated his page to reflect the new Hermes
support.
Here's a procedure to get (3) to work:
- Download what you need:
- The latest . I used release 7.18
- The latest
sources. I used version 3.2.7
- Check that your iwconfig supports Wireless Extensions (WE) v15
(iwconfig -v). If not, download the latest package containing iwconfig.
iwconfig needs to support at least WE v15. Linux kernel 2.4.24 and
wireless tools version 26 both support WE v16.
- Have the source tree for your running available. I used
- Build and/or install the latest wireless tools package (if
necessary)
- Build the Agere driver:
- Unpack the pcmcia-cs sources and then unpack the Agere tarball on top
- See README.wlags49 for detailed instructions on all of the following
- Run ./Configure and answer questions such as the kernel src location
- Run make. This will build the Agere Hermes driver
- Run make install as root
- Check that the new driver loads ok:
- Plug in the PC card (if not already plugged in)
- Restart pcmcia subsystem (/etc/init.d/pcmcia restart)
- Check /var/log/messages (or dmesg) and verify that the Hermes
driver is being used
- Build wpa_supplicant:
- Configure the wireless device:
- Use redhat-config-network (or the tool that came with your particular
distro, or hack the relevant ifcfg file) to create a new wireless
interface
- Edit /etc/sysconfig/network-scripts/ifcfg-<device>, where <device> is
the device name used in the previous step, e.g. eth0 or eth1.
- Add a line at the bottom of the file:
    WPA=y
- Edit the /etc/sysconfig/network-scripts/ifup-wireless file:
- At the end of the file add:
    # Start wpa_supplicant in the background when WPA=y is set in the
    # interface's ifcfg file and the binary is installed
    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
        /usr/local/bin/wpa_supplicant -D hermes -Bw -c/etc/wpa_supplicant.conf \
            -i$DEVICE
    fi
- Restart the pcmcia subsystem again or ifdown/ifup the interface
It *should* now be working with WPA-PSK enabled. It did for me...
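The procedure above points wpa_supplicant at /etc/wpa_supplicant.conf without showing its contents. The following is an added example, not part of the original write-up or of the wpa_supplicant project: it derives the 256-bit WPA pre-shared key from a passphrase and SSID (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and prints a network block for WPA-PSK with TKIP. The function names and the sample SSID and passphrase are constructed for illustration.

```python
import hashlib


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA pre-shared key as 64 hex characters.

    WPA-PSK maps the passphrase to a key with PBKDF2-HMAC-SHA1, using the
    SSID as the salt, 4096 iterations and a 32-byte output.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def format_ssid(ssid: str) -> str:
    """Quote a plain SSID; otherwise use wpa_supplicant's unquoted hex form."""
    if all(32 <= ord(c) <= 126 and c != '"' for c in ssid):
        return f'"{ssid}"'
    return ssid.encode("utf-8").hex()


def network_block(ssid: str, passphrase: str) -> str:
    """Build a wpa_supplicant.conf network block for WPA-PSK with TKIP."""
    lines = [
        "network={",
        f"\tssid={format_ssid(ssid)}",
        "\tproto=WPA",
        "\tkey_mgmt=WPA-PSK",
        "\tpairwise=TKIP",
        "\tgroup=TKIP",
        f"\tpsk={derive_psk(passphrase, ssid)}",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not the SSID or passphrase of a real network.
    print(network_block("example-ssid", "correct horse battery staple"), end="")
```

The hex psk value is as sensitive as the passphrase for that SSID, so keep /etc/wpa_supplicant.conf readable by root only (chmod 600). Because every client on a WPA Personal network derives the same key from the same two inputs, this is also why authorised users can eavesdrop on each other, as noted earlier.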