Linux Wireless Networking

7/30/2019 Linux Wireless Networking

http://slidepdf.com/reader/full/linux-wireless-networking 1/34

Introduction

My very first Linux web server was an ancient desktop computer that I

bought from a secondhand store that advertised it as being "very obsolete."

It was cheap and it worked, but it was ugly and noisy, so noisy that it quickly

became too loud to tolerate. Spending more money than I should have on the

antique, I made it wireless so I could take it out of my bedroom where the

DSL connection entered my apartment. Looking back, I really did it for the

challenge, and also because we all get stupid some of the time. I thought

wireless Linux would be easy, but at the time it wasn't. I had so many

headaches with it that I thought one of my very first Web pages should be

about my little nightmare warning people about how to do it right. This was

how www.linuxhomenetworking.com was born. This is the chapter about what

started it all.

Wireless networks using the 802.11 standard have many advantages, not just

the aesthetic one I mentioned. The hardware is commonly available, and

wireless networks offer relatively easy and low cost deployment with security

that's becoming increasingly better. Before you consider making a Linux

server wireless capable, however, make sure you purchase a NIC that is Linux

compatible. If this seems confusing, don't worry; I will explain all this later.

Wireless Linux Compatible NICsNot all wireless NIC cards work with Linux. For this reason, do your

homework. You can find hardware compatibility lists for Wireless Tools quite

easily on popular search engines.

Wireless NIC manufacturers are notorious for changing the chip sets on their

cards depending on the price of the components. They then supply different

drivers with each new card to make them work. It is possible to buy cards

with the same model number from the same vendor with very different

circuitry. Frequently Linux drivers for the new cards are unavailable. Always

check the compatibility lists before buying your wireless hardware.

The Linksys WMP11 wireless card is a good example of this confusion. The

original version of the card used the Intersil Prisim chip set, which worked

with Linux, but the newer version 2.7 (Broadcom chip set) and version 4



(InProComm chip set) do not. Even so, the original WMP won't work without

upgrading the firmware.

In recent years it has become possible to use regular Windows drivers with

Linux NICs. This is discussed in more detail in the section titled "Configuring

Linux with Incompatible Wireless NICs". The method requires an

understanding of Linux Wireless Tools which is covered beforehand, but first,

let's cover some wireless networking essentials to provide some background.

Note: Don't be fooled. The fact that your Linux system can detect your NIC

doesn't mean that it is compatible. Always check the Internet for Linux

compatibility listings so that you'll know how to proceed.

Common Wireless Networking Terms

Learning the ins and outs of wireless Linux networks will be easier if we're all

speaking the same language. Before proceeding, take time to become

familiar with three key wireless terms: wireless access point, Service Set ID,

and shared encryption key. Learn them now, because you'll see them

throughout the chapter.

Wireless Access Points

A wireless access point (WAP) is a device that acts as the central hub of all

wireless data communications. In the most common operating mode(Infrastructure mode), all wireless servers communicate with one another via

the WAP, which is usually connected to a regular external or integrated router

for communication to the Internet. WAPs are, therefore, analogous to

switches in regular wired networks.

Servers can communicate with one another without a WAP if their NICs are

configured in Ad Hoc mode, but this prevents them from communicating with

any other communications path. For that, you need a WAP on your network.

Service Set ID The 802.11a/b wireless networks typically found in a home environment

share the same frequency range with one another so it is possible for your

computer to hear the traffic meant for somebody else's nearby network. The

Extended Service Set ID (SSID) helps prevent the garbling of messages. Each

wireless network needs to be assigned an ESSID that doesn't match that of



any neighboring networks within its range of operation. The desired ESSID is

then set on both wireless NICs and WAPs, which in turn ignore all traffic using

other identifiers.

Most wireless software packages enable you to view all the available ESSIDs

within range and give you the option of selecting the corresponding wireless

LAN (WLAN) to join. Unfortunately, this makes it easy to eavesdrop on a

neighboring network, and therefore it is best to not only change your ESSID

from the factory defaults, but also to encrypt your wireless data whenever

possible.

The term ESSID is frequently interchangeably referred to as an SSID (Service

Set ID) by many vendors. I'll stick with ESSID unless the term SSID is relevant

to an application.

Encryption

Encryption is a method of encoding or scrambling data so that only people

with the secret key to unlock the code can view the original data. As

expected, you need to use the same encryption scheme on all devices on

your network for communication to be successful.

Wired Equivalent Privacy

The first widely used data encryption scheme for wireless networks in the

home / corporate offices was Wired Equivalent Privacy (WEP). A flaw in the

encryption scheme was soon discovered and freely available tools like "WEP

crack" and aircrack-ng became available to decipher WEP encryption keys

within minutes.

Wi-Fi Protected Access

The newer Wi-Fi Protected Access (WPA) scheme overcomes the security

shortcomings of WEP. There are a number of modes:

Pre Shared Key (PSK) or Personal Mode

Uses a manually configured encryption key on all devices on the wireless

network.

Enterprise Mode



Typically uses both an authentication and encryption scheme from many

available options.

One common authentication method is the Extensible Authentication Protocol

(EAP). EAP will typically rely on a user's LDAP or Active Directory username

and password used to access their computers to verify whether they can also

access the wireless network. This is done transparently to the user. Once

they log into their systems, EAP is automatically invoked behind the scenes.

EAP is often combined with encryption schemes such as TLS (Transport Layer

Security, now viewed as the successor to SSL) and TKIP (Temporal Key

Integrity Protocol, a scheme that rapidly regenerates new encryption keys) to

provide additional security.

Note: It is usually best to test your network in an unencrypted state before

activating the additional security. This allows you to limit your

troubleshooting activities to basic wireless settings, without the additional

complications of encryption.

Networking With Linux Wireless-Tools

The Linux Wireless Tools package is installed by default probably meets most

of your 802.11a/b needs.

Using iwconfig For wireless-toolsConfiguration

After physically installing your Linux-compatible NIC, you need to configure

your NIC's IP and wireless settings before Wireless Tools works.

You can configure your NIC's IP settings as if the NIC were a regular Ethernet

device. After you use the ifup command the NIC becomes active, but it will

not function correctly as its wireless settings haven't been configured yet.

The most commonly used command in Wireless Tools is iwconfig, which you

can use to configure most of the wireless parameters, including the SSID and

the wireless mode. For the wireless mode, Managed means that there is a

wireless access point (WAP) on the network and Ad-hoc signifies that there is

none.



For example, if your wireless NIC is named eth0 and your managed network's

ESSID is homenet, then the commands would be.

iwconfig eth0 mode Managed

iwconfig eth0 essid homenet

Your NIC should now become fully functional. You will need to run these

iwconfig commands each time you use the ifup command, however;

forgetting to do so can be problematic. The next section shows how to make

these iwconfig changes permanent.

Permanent wireless-tools Configuration

After testing your ad-hoc configuration, you will need to make the changes

permanent. The methods for doing this vary slightly by distribution.

Fedora / RedHat

With Fedora / RedHat, wireless configuration will require some additional

statements in your NIC configuration files.

1. Configure your /etc/sysconfig/network-scripts/ifcfg-eth0 file normally as if it

were a regular Ethernet NIC.

DHCP Version Fixed IP Version

============ =================

DEVICE=eth0 DEVICE=eth0

USERCTL=yes IPADDR=192.168.1.100

ONBOOT=yes NETMASK=255.255.255.0

BOOTPROTO=dhcp ONBOOT=yes

BOOTPROTO=static

2. Add the following statements to the end to specify that the NIC is wireless;

provide the ESSID to use (in this case homenet), and choose Managed (a WAP

on present of the network) or Ad-hoc (no WAP) for the wireless mode."Managed" is the most likely setting if you have a wireless router or WAP on

your network.

If you are using a 802.11g wireless router and NIC, you can specify the higher

speed 54Mbps maximum data rate this protocol provides, if not, the NIC will

default to the 11 Mbps maximum rate of slower protocols. The NIC will



automatically negotiate the protocol type with the WAP. You just need to set

the maximum rate.

#

# Wireless configuration

#

TYPE=Wireless

MODE=Managed

ESSID=homenet

RATE=54Mb/s

These commands need only be on the main interface file. They are not

needed for IP aliases. Your wireless NIC should function as if it were a regular

Ethernet NIC using the ifup and ifdown commands.Debian / Ubuntu

In Debian / Ubuntu systems configuration requires the addition of a valid

wireless-essid parameter to the /etc/network/interfaces file.

#

# File: /etc/network/interfaces

#

# The primary network interface

auto eth1

iface eth1 inet static

address 192.168.1.100

netmask 255.255.255.0

wireless-essid homenet

auto eth0

iface eth0 inet dhcp

wireless-essid jamrock

In this example interface eth1 uses an ESSID of homenet while interface eth0

uses an ESSID of jamrock.

WEP Encryption Configuration

Linux supports both the WEP and WPA encryption schemes. Here's how you

can configure them on your system.



WEP Encryption Configuration

Linux supports both the WEP and WPA encryption schemes. Here's how you

can configure them on your system.

WEP Key Generation

WEP encryption requires an encryption key that you can make up yourself or

you can generate a random one using the dd command as shown here.

[root@bigboy tmp]# dd if=/dev/random bs=1 count=5 2>/dev/null | xxd

-ps

c276246d65

[root@bigboy tmp]#

By default, Linux WEP uses a 40 bit key formatted in hexadecimal notation,

ie. numeric values between 0 and 9 and alphabetic characters between A and

F. This requires you to use a byte count of 5, which will generate a key

containing twice as many (ten) hexadecimal characters. Table 13.1 shows the

byte counts required for generating keys of varying lengths, and the

corresponding number of hexadecimal characters to expect in the key.

Table 13-1 Byte Count to WEP Key Length Conversion

Key Length

(Bits)

Byte

Count

Hexadecimal Character

Count

40 5 10

64 8 16

104 13 26

128 16 32

152 19 28

232 29 58

256 32 64

If you decide to make up your own key, then remember to use the correct

number of hexadecimal numbers.

WEP Key Configuration for Fedora / RedHat



Your WEP key can be temporarily added to your NIC configuration from the

command line, using the iwconfig command. Be sure that there are no colons

or any other non-hexadecimal characters between the characters of the key.

There should be ten characters in total:

iwconfig eth0 key 967136deac

The same rules (no colons or non-hexadecimals between the ten total

characters) apply when using the /etc/sysconfig/network-scripts files to add

encryption:

#

# File: ifcfg-eth0

#

DEVICE=eth0

IPADDR=192.168.1.100

NETMASK=255.255.255.0

ONBOOT=yes

BOOTPROTO=static

TYPE=Wireless

MODE=Managed

ESSID=homenet

KEY=967136deac

Note: Newer versions of Fedora only support the use of a keys file in the

/etc/sysconfig/network-scripts directory. The file format is the same as in the

older interface configuration file method. Remember, the KEY statement in

interface configuration file won't be supported.

#

# File: /etc/sysconfig/network-scripts/keys-eth0

#

KEY=967136deac

WEP Key Configuration for Debian / Ubuntu



In Debian / Ubuntu systems configuration requires the addition of a valid

wireless-key parameter, alongside the wireless-essid parameter, in the

/etc/network/interfaces file.

## File: /etc/network/interfaces

#


auto eth1


address 192.168.1.100

netmask 255.255.255.0

wireless-key 967136deac


In this example our WEP key of 967136deac and the ESSID of homenet have

been used and will become utilized once the eth1 wireless interface is

activated.

WPA Encryption

Linux WPA relies on a supplicant daemon program that both requests

authentication admittance and executes data encryption on behalf of the

operating system. It runs independently of the networking daemon and so,

for WPA, network interfaces are not configured for encryption at all.

Installing WPA Supplicant

Installation is simple. Install the wpa_supplicant RPM or the wpasupplicant

DEB package.If you need a refresher, Chapter 6, "Installing Linux Software",

covers how to do this in detail.

The wpa_supplicant.conf File

The main WPA Supplicant configuration file is

/etc/wpa_supplicant/wpa_supplicant.conf and its configuration is welldocumented, with examples, in the man pages.

[root@bigboy tmp]# man wpa_supplicant.conf

Note: With Debian / Ubuntu the file may not be created during installation,

and you will have to create it manually like this:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch06_:_Installing_Linux_Software

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch06_:_Installing_Linux_Software



root@u-server:/tmp# mkdir -p /etc/wpa_supplicant

root@u-server:/tmp# vi /etc/wpa_supplicant/wpa_supplicant.conf

This chapter will only focus on the simple PSK WPA method, other methods

are beyond the scope of this book.

In this example, we have set the SSID to homenet and are using WPA-PSK

encryption with an encryption key of "ketchup_and_mustard".

#

# File: wpa_supplicant.conf

#

ctrl_interface=/var/run/wpa_supplicant

ctrl_interface_group=root

network={

ssid="homenet"

key_mgmt=WPA-PSK

psk="ketchup_and_mustard"

}

If you are concerned about people being able to read your

wpa_supplicant.conf file, then encrypt the PSK using the wpa_passphrase

command to generate a sample configuration. It requires the SSID and

unencrypted key as arguments. In this example we see that the unencrypted

string psk="ketchup_and_mustard" can be replaced with and encryptedequivalent that does not use quotes.

[root@bigboy tmp]# wpa_passphrase homenet ketchup_and_mustard

network={

ssid="homenet"

#psk="ketchup_and_mustard"

psk=aeaa365d1703f88afc11715cd997b71038ce5798907510bd1b1c678

6d33c8c3a

}

[root@bigboy tmp]#

Note: The only place that an encryption key needs to be defined is in the

WPA configuration file.

Further WPA Configuration Steps - Fedora / RedHat



WPA Supplicant also relies on the /etc/sysconfig/wpa_supplicant file to

determine which interfaces it should monitor and the driver it should use to

do so.

In this example, WPA needs to be applied on interface eth0 using the default

"wext" driver.

#

# File: /etc/sysconfig/wpa_supplicant

#

INTERFACES="-ieth0"

DRIVERS="-Dwext"

Here we see WPA configured for the wlan0 created using the ndiswrapper

driver.

#

# File: /etc/sysconfig/wpa_supplicant

#

INTERFACES="-iwlan0"

DRIVERS="-Dndiswrapper"

Further help on the wpa_supplicant file can be obtained from the man pages.

[root@bigboy tmp]# man wpa_supplicant

The WPA Supplicant daemon then needs to be started immediately after you

have finished editing the configuration files for the settings to become active.

Remember to also make the activation permanent using the chkconfig

command.

[root@bigboy tmp]# service wpa_supplicant restart

[root@bigboy tmp]# chkconfig wpa_supplicant on

Finally, configure your NIC as for wireless, but without an SSID or encryption

key as this information will be provided through WPA supplicant.

File: /etc/sysconfig/network-scripts/ifcfg-eth0



DEVICE=eth0

IPADDR=192.168.1.100

NETMASK=255.255.255.0

ONBOOT=yes

TYPE=Wireless

MODE=Managed

Please refer to the troubleshooting section of this chapter to resolve any

problems you may encounter.

Further WPA Configuration Steps - Debian / Ubuntu

WPA supplicant can be invoked from the command line. In Debian / Ubuntu

systems the /etc/network/interfaces file needs to be modified to include a

pre-up parameter with a valid WPA supplicant command set following it. In

this example the /etc/wpa_supplicant/wpa_supplicant.conf file is referenced

using the "-c" option, and the desired interface is defined using the "-i"

option. The post-down parameter is then used to define the command to

terminate wpa_supplicant daemon when the eth1 interface is shut down.

#

# File: /etc/network/interfaces

#


auto eth1


address 192.168.1.100

netmask 255.255.255.0


pre-up wpa_supplicant -Bw -Dwext -ieth1

-c/etc/wpa_supplicant/wpa_supplicant.conf

post-down killall -q wpa_supplicant

Please refer to the troubleshooting section of this chapter to resolve any

problems you may encounter.

Configuring Linux with IncompatibleWireless NICs



Not all wireless cards work with Linux, especially the newer 54 Mbps

802.11g/n cards models. Fortunately there are a number of ways to

overcome this apparent limitation. This will be covered next.

Using ndiswrapper

Windows uses the Network Driver Interface Specification (NDIS) as a

standardized method for the operating system to communicate with the NIC

driver software from various manufacturers. The Linux ndiswrapper software

suite, available from ndiswrapper.sourceforge.net, allows you to run your

Windows NIC card's drivers under Linux by creating a software wrapper

around the Windows driver to trick it into thinking that it is communicating

with Windows and not Linux. The compatibility range is therefore much widerand in cases where you need to recompile your kernel, the project's website

has links to RPM packages of standard kernels with ndiswrapper support.

Installation instructions on the project's web site are reasonably clear and a

proficient Linux user should be able to get their NIC card working within an

hour or two on their first try.

ndiswrapper has some limitations too. It only works on hardware

architectures supported by Windows, the very useful iwspy command

(discussed later) isn't supported and the wrappers add a layer of softwarecomplexity that would not exist normally. There is a commercial competitor

to ndiswrapper called DriverLoader created by the Linuxant corporation

which you may also want to consider.

Installing and Configuring ndiswrapper

1. The ndiswrapper application utilizes many features of the kernel. With

newer versions of Fedora you will first need to install the kernel development

(kernel-devel) RPM. The RPM file should be on your installation CDs. If you are

new to Linux software installation, don’t worry. Downloading and installing

RPMs isn't hard. If you need a refresher, Chapter 6, "Installing Linux

Software", covers how to do this in detail.



2. Shutdown your system, install your NIC and reboot. Download the

ndiswrapper tar file and extract the contents. Enter the ndiswrapper directory

and read the installation instructions in the version specific INSTALL file. The

version in this example, ndiswrapper-1.16, requires the make distclean, make

and make install commands to complete the installation process.

[root@bigboy tmp]# tar -xvzf ndiswrapper-1.16.tar.gz

[root@bigboy tmp]# cd ndiswrapper-1.16

[root@bigboy ndiswrapper-1.16]# make distclean

[root@bigboy ndiswrapper-1.16]# make

[root@bigboy ndiswrapper-1.16]# make install

Note: With Debian based distributions, like Ubuntu, ndiswrapper can be

installed using the apt-get command.

3. Next we have to determine the PCI ID of our newly installed NIC card. First

use lspci command to find the IRQ number of the NIC card. The IRQ will be

listed in the first column. In this case the IRQ is 01:08.0.

[root@bigboy ndiswrapper-1.16]# lspci

...

...

01:08.0 Network controller: Intersil Corporation Prism 2.5 Wavelan

chipset (rev 01)

...

...

[root@bigboy ndiswrapper-1.16]#

4. The lspci -n command can then be used to obtain the PCI ID which has the

format xxxx:xxxx. Our NIC has the ID 1260:3873.

[root@bigboy ndiswrapper-1.16]# lspci -n

...

...

01:08.0 Class 0280: 1260:3873 (rev 01)

...

...


5. The ndiswrapper website has a table of PCI IDs and the matching Windows

drivers to be used for each at the following URL.



http://ndiswrapper.sourceforge.net/mediawiki/index.php/List.

Note: Use this information to download the correct driver for your NIC. Do

not use the Windows drivers that came on your NIC's CD as it may not have

been tested in the quality assurance process done by the ndiswrapper

developers. The website's list provides the names of drivers that are known

to work.

6. Once downloaded, extract the driver files. Under the main driver directory

there will usually be subdirectories with drivers matching various versions of

Windows. Enter the subdirectory of the most recent version.

[root@bigboy tmp]# unzip mzq345v25_xp_certd.zip

Archive: mzq345v25_xp_certd.zip

inflating: mzq345v25_xp_certd_no_doc/autorun.exe

inflating: mzq345v25_xp_certd_no_doc/autorun.inf

...

...

...

inflating: mzq345v25_xp_certd_no_doc/winxp/NETMZQ345.INF

inflating: MZQ345v25_Release_Note.TXT

[root@bigboy tmp]# cd mzq345v25_xp_certd_no_doc/winxp

[root@bigboy winxp]#

7. The main windows driver file will have a .INF extension. Install this driver

using the ndiswrapper command with the -i option followed by the driverfilename.

[root@bigboy winxp]# ls

mzq345n51.sys NETMZQ345.INF

[root@bigboy winxp]# ndiswrapper -i NETMZQ345.INF

Installing netmzq345


8. Use the ndiswrapper command again with the -l option to verify that the

installation was successful.

[root@bigboy winxp]# ndiswrapper -l

Installed drivers:

netmzq345 driver installed, hardware present


http://ndiswrapper.sourceforge.net/mediawiki/index.php/List

http://ndiswrapper.sourceforge.net/mediawiki/index.php/List



Note: If you get an alternate driver message like we see below, then you

need to take additional steps because it indicates the Linux has already

loaded its own a driver for your device and this will cause ndiswrapper to fail.

[root@bigboy winxp]# ndiswrapper -lbcmwl5 : driver installed

device (14E4:4320) present (alternate driver: bcm43xx)


You first need to remove the Linux driver from memory. In this case

the driver ndiswrapper detects is bcm43xx and can be removed with

the rmmod command. In some cases you may get an error saying the

driver depends on another, remove both with rmmod.

[root@bigboy winxp]# rmmod bcm43xx

Next you need to prevent the Linux version of the driver from being

loaded when your system reboots. Add blacklist entries for the driver in

your /etc/modprobe.d/blacklist-compat and /etc/modprobe.d/blacklist

files.

#

# File: /etc/modprobe.d/blacklist AND

# /etc/modprobe.d/blacklist-compat

#

blacklist bcm43xx

If you had to use the rmmod command more than once remember to add all

the drivers you had to remove to your blacklists.

Now you have to reinstall the Windows driver using rmmod with the -r

and –I flags as we see here.

[root@bigboy winxp]# ndiswrapper -r Bcmwl5.inf

[root@bigboy winxp]# ndiswrapper -i Bcmwl5.inf



9. Next the Linux kernel modules tables will have to be updated to include

ndiswrapper in the listing. This is done with the depmod command with the -a

flag.

[root@bigboy winxp]# depmod -a[root@bigboy winxp]#

10. When ndiswrapper loads, it will need to assign a device name to your NIC

card. This is done using the ndiswrapper command with the -m flag. Here we

see that the new device name will be wlan0.

[root@bigboy winxp]# ndiswrapper -m

Adding "alias wlan0 ndiswrapper" to /etc/modprobe.d/ndiswrapper


11. Now it’s time to load the ndiswrapper kernel module with the modprobe

command. You can also verify the success of this operation by searching the

end of the /var/log/messages file for correct execution of the command.

[root@bigboy winxp]# modprobe ndiswrapper

[root@bigboy winxp]# tail /var/log/messages

...

...

Mar 17 23:25:21 bigboy kernel: ndiswrapper version 1.6

loaded (preempt=no,smp=no)


The dmesg command will give status messages for the loading of both your

NIC driver and the ndiswrapper module. There should be no errors. If there

are, you may have used a driver not recommended by the ndiswrapper

website, your NIC card may be faulty, your NIC could be Linux compatible, or

your ndiswrapper or kernel installation could have been faulty. Please refer to

the "Troubleshooting Your Wireless LAN" section of this chapter for more

details.

[root@bigboy tmp]# dmesg

...

...

...



ndiswrapper version 1.16 loaded (preempt=no,smp=no)

ndiswrapper: driver mzq345 (Broadcom,04/21/2005, 3.100.65.1) loaded

ACPI: PCI Interrupt 0000:01:08.0[A] -> Link [LNKB] -> GSI 10

(level, low) -> IRQ 10

ndiswrapper: using irq 10

wlan0: vendor:

wlan0: ndiswrapper ethernet device 00:06:25:1b:b2:a9 using

driver mzq345, 14E4:4301.5.conf

wlan0: encryption modes supported: WEP; TKIP with WPA, WPA2,

WPA2PSK, WPA2, WPA2PSK

[root@bigboy tmp]#

12. You will always need to have a ndiswrapper compatible kernel for the

application to function correctly. To maintain your current kernel during yum

updates, edit your /etc/yum.conf file to exclude the kernel from being kept up

to date with the exclude option.

#

# File: /etc/yum.conf

#

exclude=kernel

13. Use the regular Linux wireless tools to configure your wlan0 interface with

an IP address, ESSID and if necessary, encryption. With Fedora, You can

adjust the data rate up to the 802.11g 54 Mbps data rate by adding this

statement to your /etc/sysconfig/network-scripts/ifcfg-wlan0 file. Leave this

blank if you are using 802.11b.

RATE=54Mb/s

14. Now you can use the ifup command to activate the NIC, and the iwconfig

command will show the interface as connecting correctly to an access point

at 54 Mbps.

[root@bigboy winxp]# ifup wlan0

[root@bigboy winxp]# iwconfig

...

...

wlan0 IEEE 802.11g ESSID:"johncr0w" Nickname:"bigboy"



In addition to using the regular ifconfig command to check the status of your

NIC, you can use the iwconfig command to view the state of your wireless

network, just don't specify any parameters. Specifically, you can see such

important information as the link quality, WAP MAC address, data rate, and

encryption keys, which can be helpful in ensuring the parameters across your

network are the same. For example:

[root@bigboy tmp]# iwconfig

eth0 IEEE 802.11-DS ESSID:"homenet" Nickname:"bigboy"

Mode:Managed Frequency:2.462GHz Access Point:

00:09:5B:C9:19:22

Bit Rate:11Mb/s Tx-Power=15 dBm Sensitivity:1/3

Retry min limit:8 RTS thr:off Fragment thr:off

Encryption key:98D1-26D5-AC Security mode:restricted

Power Management:off

Link Quality:36/92 Signal level:-92 dBm Noise level:-

148 dBm

Rx invalid nwid:0 Rx invalid crypt:2 Rx invalid frag:0

Tx excessive retries:10 Invalid misc:0 Missed beacon:0

[root@bigboy tmp]#

The iwlist Command

The iwlist command can provide get further information related to not just

the NIC, but the entire network, including the number of available frequency

channels, the range of possible data rates, and the signal strength. This

example uses the command to verify the encryption key being used by the

NIC, which can be very helpful in troubleshooting security related difficulties

on your network.

[root@bigboy tmp]# iwlist key

...

...

eth0 2 key sizes : 40, 104bits

4 keys available :

[1]: 9671-36DE-AC (40 bits)

[2]: off

[3]: off

[4]: off

Current Transmit Key: [1]

Security mode:open

...

...



[root@bigboy tmp]#

The iwlist command can verify the speed of the NIC card being used, 11Mb/s

in this case. This can be helpful in determining possible reasons for network

slowness, especially as poor signal quality can result in the NIC negotiating a

low bit rate with its WAP.

[root@bigboy tmp]# iwlist rate

...

...

eth0 4 available bit-rates :

1Mb/s

2Mb/s

5.5Mb/s

11Mb/sCurrent Bit Rate:11Mb/s

...

...

[root@bigboy tmp]#

For further information on the iwlist command, consult the man pages.

The iwspy Command

The iwspy command provides statistics on the quality of the link between

your NIC and another wireless device on the network. It doesn't run all thetime; you have to activate iwspy on your interface first. When not activated,

iwspy gives a "no statistics to collect" message.

[root@bigboy root]# iwspy eth0

eth0 No statistics to collect

[root@bigboy root]#

Activation requires you to specify the target IP address and the wireless NIC

interface through which it can be found.

[root@bigboy tmp]# iwspy eth0 192.168.1.1

If you use the iwspy command without the IP address it provides WLAN

statistics with a typical/reference value against which it can be compared. In

the example that follows the signal is considered fairly strong, with a 64/92



quality value versus a typical 36/92 value, but it could be weak by the

historical values on your network. It's good to check this from time to time for

fluctuations.

[root@bigboy tmp]# iwspy eth0eth0 Statistics collected:

00:09:5B:C9:19:22 : Quality:0 Signal level:0 Noise level:0

Link/Cell/AP : Quality:64/92 Signal level:-51 dBm Noise

level:-149 dBm (updated)

Typical/Reference : Quality:36/92 Signal level:-62 dBm Noise

level:-98 dBm

[root@bigboy tmp]#

To switch off iwspy monitoring, add the off argument.

[root@bigboy root]# iwspy eth0 off

Check For Interrupt Conflicts

Devices slotted into your PCI bus are generally assigned an interrupt value by

the system, which the system uses to signal its need to communicate with

the device. Multiple devices on the bus can have the same interrupt, but the

system will access each one using a different memory address to avoid

confusion. Sometimes this automatic allocation of interrupt (IRQ) values and

memory locations is flawed and overlaps do occur, causing devices to fail.

Before configuring your WLAN software, you should ensure that the wireless

NIC card doesn't have an interrupt that clashes with another device in your

computer. Insert the card in an empty slot in your Linux box according to the

instructions in its manual, reboot, and inspect your /var/log/messages file

again:

[root@bigboy tmp]# tail -300 /var/log/messages

Look carefully for any signs that the card is interfering with existing card

IRQs. If there is a conflict, there will usually be a warning or "IRQ also used by

..." message. If that is the case, move the card to a different slot or otherwise

eliminate the conflict by disabling the conflicting device if you don't really

need it.



You should also inspect your /proc/interrupts file for multiple devices having

the same interrupt

[root@bigboy tmp]# cat /proc/interrupts

11: 4639 XT-PIC wlan0, eth0 (potentially bad)

[root@bigboy tmp]# cat /proc/interrupts

11: 4639 XT-PIC wlan0 (good)

Interrupt conflicts are usually more problematic with old style PC-AT buses;

newer PCI-based systems generally handle conflicts better. The prior

(potentially bad) /proc/interrupts example came from a functioning PCI-based

Linux box. It worked because, although the interrupt was the same, the base

memory addresses that Linux used to communicate with the cards were

different. You can check both the interrupts and base memory of your NIC

cards by using the ifconfig -a command:

[root@bigboy tmp]# ifconfig -a

eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8

BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)Interrupt:11 Base address:0x1820

wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5

inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0

UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

RX packets:215233 errors:0 dropped:0 overruns:0 frame:0

TX packets:447594 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:100

RX bytes:39394014 (37.5 Mb) TX bytes:126738425 (120.8 Mb)

Interrupt:11 Memory:c887a000-c887b000

[root@bigboy tmp]#

Kernel Errors

Messages related to how compatible your wireless card is with your version of

the Linux master program, or kernel, can usually be found in one of two



places. The /var/log/messages file, and through the use of the dmesg

command.

Using the /var/log/messages File

When you find p80211 Kernel errors in the /var/log/messages file, theyusually point to an incorrectly configured SSID or may also be caused by a

NIC card with an outdated firmware version. For example:

Nov 13 22:24:54 bigboy kernel: p80211knetdev_hard_start_xmit: Tx

attempt prior to association, frame dropped.

Using the dmesg Command

Another good source of information is the dmesg command which shows

errors encountered by the kernel. In this case the firmware (microcode) for a

Broadcom 43XX NIC could not be found. This was fixed by using the

ndiswrapper technique explained in this chapter.


...

...

bcm43xx: PHY connected

b43-phy0 debug: Adding Interface type 2

b43-phy0 ERROR: Microcode "bcm43xx_microcode5.fw" not available or

load failed.

b43-phy0 ERROR: You must go tohttp://linuxwireless.org/en/users/Drivers/b43#devicefirmware and

download the correct firmware (version 4)

bcm43xx: core_up for active 802.11 core failed (-2)


Can't Ping Default Gateway

If you can't ping the default gateway, first check for kernel log errors.

If there are no errors in /var/log/messages and you can't ping your gateways

or obtain an IP address, then check your /etc/sysconfig/network-scripts/

configuration files for a correct IP configuration and your routing table to

make sure your routes are OK. You can also check to see if your Linux box is

out or range of the WAP using the iwconfig command.

"Unknown Device" Errors

http://linuxwireless.org/en/users/Drivers/b43#devicefirmware

http://linuxwireless.org/en/users/Drivers/b43#devicefirmware



Look for "unknown device" or "no such device" errors in your log files or on

your screen during installation or configuration. These may be caused by:

A NIC card that hasn't been correctly inserted in the PCI slot

Incompatible hardware.

For example, you might see incompatible hardware errors in

/var/log/messages:

00:0c.0 Network controller: BROADCOM Corporation: Unknown device

4301 (rev01)

Subsystem: Unknown device 1737:4301

Flags: bus master, fast devsel, latency 64, IRQ 5

Memory at f4000000 (32-bit, non-prefetchable) [size=3D8K]

Capabilities: [40] Power Management version 2

Or, you might see errors on the screen:

Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-

14/net/prism2_pci.o: init_module: No such device

Dec 1 01:28:14 bigboy insmod: Hint: insmod errors can be caused by

incorrect module parameters, including invalid IO or IRQ

parameters. You may find more information in syslog or the output

from dmesg

Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-

14/net/prism2_pci.o: insmod wlan0 failed

Hermes Chipset Errors

I have seen cases where Linux compatible NIC cards with the Hermes chipset

fail to respond after the system has been running for a few days with errors

in the /var/log/messages file similar to these.

May 7 22:26:26 bigboy kernel: hermes @ e0854000: BAP0 offset

timeout: reg=0x8044 id=0xfc80 offset=0x0

May 7 22:26:26 bigboy kernel: eth1: Error -110 setting multicastlist.

May 7 22:26:26 bigboy avahi-daemon[1701]: Withdrawing address

record for 216.10.119.243 on eth1.

May 7 22:26:26 bigboy avahi-daemon[1701]: Leaving mDNS multicast

group on interface eth1.IPv4 with address 216.10.119.243.



May 7 22:26:26 bigboy avahi-daemon[1701]: IP_DROP_MEMBERSHIP

failed: No such device

May 7 22:26:26 bigboy avahi-daemon[1701]: iface.c:

interface_mdns_mcast_join() called but no local address available.

May 7 22:26:26 bigboy avahi-daemon[1701]: Interface eth1.IPv4 no

longer relevant for mDNS.

May 7 22:26:27 bigboy kernel: hermes @ e0854000: Timeout waiting

for command 0x0002 completion.

May 7 22:26:27 bigboy kernel: eth1: Error -110 disabling MAC port

May 7 22:26:31 bigboy kernel: hermes @ e0854000: ng Error -16

issuing command 0x0021.

May 7 22:26:31 bigboy kernel: hermes @ e0854000: Error -16 issuing

command 0x0021.

May 7 22:26:31 bigboy kernel: eth1: Error -110 setting MAC address

May 7 22:26:31 bigboy kernel: eth1: Error -110 configuring card

Connectivity is usually only restored after a reboot. The best solution to the

problem has been to either use ndiswrapper or replace the NIC with a truly

compatible device.

Broadcom SoftMac Errors

If your configuration is correct, and your NIC fails to work while adding

repeated failed SoftMAC authentication requests messgaes to your

/var/logs/messages file, as seen here, you may have a Linux incompatibility

issue with your NIC.

May 15 20:02:04 bigboy kernel: bcm43xx: set security called, .level

= 0, .enabled = 0, .encrypt = 0









May 15 20:02:04 bigboy kernel: SoftMAC: Scanning finished: scanned

14 channels starting with channel 1

May 15 20:02:04 bigboy kernel: SoftMAC: Queueing Authentication

Request to 00:18:39:ea:5c:ac

May 15 20:02:04 bigboy kernel: SoftMAC: Cannot associate without

being authenticated, requested authentication



May 15 20:02:04 bigboy kernel: SoftMAC: Sent Authentication Request

to 00:18:39:ea:5c:ac.

May 15 20:02:04 bigboy kernel: SoftMAC: generic IE set to

dd160050f20101000050f20201000050f20201000050f202

May 15 20:02:04 bigboy kernel: SoftMAC: Already associating or

associated to 00:18:39:ea:5c:ac

May 15 20:02:04 bigboy kernel: SoftMAC: Open Authentication

completed with 00:18:39:ea:5c:ac

May 15 20:02:04 bigboy kernel: SoftMAC: sent association request!

May 15 20:02:04 bigboy kernel: SoftMAC: associated!

May 15 20:02:04 bigboy kernel: SoftMAC: Associate: Scanning for

networks first.

Try using ndiswrapper as a quick solution to this problem.

ndiswrapper Errors

There are a number of common errors that can occur with the use of

ndiswrappers. Here are some common examples.

CONFIG_4KSTACKS errors During Installation

Sometimes your ndiswrapper installation will give CONFIG_4KSTACKS errors,

like the one that follows, due to a kernel incompatibility:

*** WARNING: Kernel seems to have 4K size stack option

(CONFIG_4KSTACKS) removed; many Windows

drivers will need at least 8K size stacks. You should read wiki

about 4K size stack issue. Don't

complain about crashes until you resolve this.

...

...


This is common with default Fedora installations, and ndiswrapper may work

perfectly with this limitation. If you had no CONFIG_4KSTACKS type errors or

are willing to test ndiswrapper even though they exist, then you can proceed

with your installation in the normal fashion. The following steps will show you

how to recover from this error cleanly.



1. The ndiswrapper website lists websites at the following URL from which

you can download kernels with larger 16K stacks. This will be faster than

creating your own.

http://ndiswrapper.sourceforge.net/mediawiki/index.php/Fedora

Remember to download a kernel that matches your system architecture and

kernel version. This can be ascertained using the uname -a command. Here

our system is running Fedora Core 5 kernel version 2.6.16-1.2122 on an i686

platform.

[root@bigboy linux]# uname -rp

2.6.16-1.2122_FC5 i686

[root@bigboy linux]#

If you choose to download the purpose built kernel then do so. Install the

RPM, reboot and then continue to the section, "Installing and Configuring

ndiswrapper".

If you decide to create your own kernel, then follow the next steps.

2. You have reached this step because you have decided to recompile your

kernel. It is not a difficult process, there are only a few steps, but the

compilation time can be lengthy. The first step is to install the kernel sourcefiles. This is covered in Chapter 33, "Modifying the Kernel to Improve

Performance".

3. After installing the sources, you'll have to prepare for compiling a new

kernel customized for use with ndiswrapper. The first step is to clean up any

temporary files that may have existed from any previous compilations you

may have done by using the make mrproper command. You'll then need to

use the make oldconfig command to create a default version of the .config

file Linux will use in compiling your new customized kernel.

[root@bigboy tmp]# cd /usr/src/linux

[root@bigboy linux]# make mrproper

[root@bigboy linux]# make oldconfig

4. Edit the .config file and set the CONFIG_4KSTACKS variable to "n".


http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch33_:_Modifying_the_Kernel_to_Improve_Performance







[root@bigboy linux]# vi .config

#

# File: /usr/src/linux/.config

#

#CONFIG_4KSTACKS=y

CONFIG_4KSTACKS=n


5. The kernel compilation process also reads the file Makefile to determine

the new name of the kernel to be used. The EXTRAVERSION variable in this

file adds a suffix to the kernel name to help you track version numbers. Edit

Makefile and set the EXTRAVERSION to -ndis-stk16 so that the new kernel will

be easily identifiable as a version that supports ndiswrapper.

[root@bigboy linux]# vi Makefile

#

# File: /usr/src/linux/Makefile

#

EXTRAVERSION = -ndis-stk16


6. Compile the kernel and its modules with the following series of make

commands. Make sure they finish without error and remember that this can

be a lengthy process.

[root@bigboy linux]# make; make modules_install; make install

7. If you installed a new version of the kernel, you'll now have to ensure that

your system selects the correct kernel version when it reboots. This will

require you to edit the /etc/grub.conf file as outlined in Chapter 33,

"Modifying the Kernel to Improve Performance".





8. Shutdown your system, install the NIC card and boot up. The system will

now load your new kernel which you can verify with the uname command.

[root@bigboy linux]# uname -r

2.6.16-ndis-stk16


9. If you installed a new version of the kernel and your system fails to reboot

correctly, refer to the "Kernel Crash Recovery" section of Chapter 33,

"Modifying the Kernel to Improve Performance" for help. When you get your

system to reboot correctly, revise your installation steps and make sure you

had originally installed the correct version.

With your new kernel running, its time to reinstall and configure ndiswrapper.

Incorrect Drivers

Using an incorrect driver will cause errors to be displayed when you run the

dmesg command. Here is a simple error message in which part of the driver

initialization process failed:

[root@bigboy tmp]#

...

...

...wlan0: ndiswrapper ethernet device 00:06:25:1b:b2:a9 using driver

wmp11v27, 14E4:4301:1737:4301.5.conf

ndiswrapper (set_auth_mode:702): setting auth mode to 3 failed

(C0010015)

[root@bigboy tmp]#

The best way to fix this is to obtain the correct driver, unload the ndiswrapper

module from memory, uninstall the old driver, install the new driver and then

reload ndiswrapper. Here are the steps with the necessary commands:

1. Download the driver package from the correct source and extract the

contents to your Linux system. 2. Verify that the ndiswrapper module has

been loaded using the lsmod command, and then remove it from memory

using the rmod command.





[root@bigboy tmp]# lsmod

Module Size Used by

...

...

ndiswrapper 145584 0

ipv6 225504 16

autofs4 19204 1

[root@bigboy tmp]# rmmod ndiswrapper

3. Get a listing of the installed drivers using the ndiswrapper command with

the -l flag, and then remove the desired driver using the ndiswrapper -r flag.

[root@bigboy tmp]# ndiswrapper -l

Installed drivers:

wmp11v27 driver installed, hardware present

[root@bigboy tmp]# ndiswrapper -r wmp11v27

[root@bigboy tmp]#

4. Install the new driver with the ndiswrapper -i flag and verify that the driver

was loaded with the ndiswrapper -l flag.

[root@bigboy tmp]# ndiswrapper -i bcmwl5.inf

Installing bcmwl5


Installed drivers:bcmwl5 driver installed, hardware present

[root@bigboy tmp]#

5. Use depmod to reload the module tables for the operating system.

[root@bigboy tmp]# depmod -a

6. Use modprobe to reload the ndiswrapper module into memory.

[root@bigboy tmp]# modprobe ndiswrapper

7. Finally, verify that there were no loading problems with the dmesg

command. If there weren't any, configure your wlan0 interface like any other

Linux NIC interface on your system.



8. At this stage, even with no errors, a reboot may be necessary in order to

get your wireless card to work.

It is always a good idea to use the correct drivers to reduce the risk of

installation failure. Fortunately this recovery procedure should get your

system to function correctly.

NICs that are Incompatible with ndiswrapper

The ndiswrapper module works by assuming that the Linux operating system

does not recognize the NIC card. If Linux does recognize the card, then

ndiswrapper won't load correctly. The ndiswrapper -l command will list

installed drivers, there will be ndiswrapper entries in the /var/log/messages

file but the dmesg command won't mention the status of the ndiswrapper

module loading process at all and activating the wlan0 interface will fail.

[root@bigboy tmp]# ifup wlan0

ndiswrapper device wlan0 does not seem to be present, delaying

initialization.


Installed drivers:

netma311 driver installed, hardware present

[root@bigboy tmp]# dmesg | grep ndiswrapper

[root@bigboy tmp]#

The previous example shows these symptoms when using ndiswrapper with aLinux compatible Netgear ma311 NIC.

Invalid module format Errors

The ndiswrapper package installs itself as a module that works closely with

the Linux kernel. If you upgrade your kernel, ndiswrapper can stop working.

In such cases reinstalling ndiswrapper can cause "Invalid module format"

errors like this:

[root@bigboy tmp]# modprobe ndiswrapperFATAL: Error inserting ndiswrapper

(/lib/modules/2.6.23.9-85.fc8/misc/ndiswrapper.ko): Invalid module

format

[root@bigboy tmp]#



The solution to this is to remember to always run the make distclean

command before any of the other installation related make commands. This

guarantees that the module will be compatible with your new kernel.

Wireless Networks In Businesses

Sometimes implementing a wireless network inside a business place

becomes necessary. Visiting managers may need a quick connection in a

conference room; sales people sharing cubicles my need it as the number of

work spaces get exhausted. Perhaps someone is going to set one up on your

network anyway, you might as well control this from the beginning.

Apart from people who download infected software and e-mail attachments,

mobile employees' notebook computers are usually viewed as a high risk

source of unintentional malicious activity as there is even less control over

what these employees do than those with fixed workstations. With this in

mind, it is usually best to isolate this type of wireless network completely

from your internal, trusted, and wired one. Some types of network

architectures make the wireless router only have access to the Internet, and

no where else, via its own dedicated DSL line. The wireless users then have

to use some form of a VPN client to gain access to the office servers just as if

they were doing so from home. To reduce the risk of the network beinghijacked, be sure to encrypt the traffic and use a proxy server running such

software as Squid (see Chapter 32, "Controlling Web Access with Squid") to

limit Internet access to authorized users via some form of pop-up username

and password authentication. With this sort of architecture, if the wireless

network gets hijacked, your office systems should remain relatively safe.

Many WAPs have the option of not advertising their ESSIDs which prevents

users from browsing around to select the nearest available WLAN. Activation

of this feature can be inconvenient to users as wireless clients will need to

know the predefined ESSID to gain LAN access, but it more importantly

reduces the risk of an outsider connecting to your wireless LAN by roaming

the airwaves for an available WAP.

There are many other types of wireless methodologies. Please investigate a

variety of options before coming to a final conclusion.

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch32_:_Controlling_Web_Access_with_Squid



Conclusion

With the knowledge gained in the chapters in Part 1 of the book you will be

able to configure a Linux file and DHCP server on small network with relative

ease. Part 2 will explore the possibility of making your server also become

the core of your self-managed dedicated Web site

Linux Wireless Networking

Documents

Transcript of Linux Wireless Networking