WPA Supplicant

The WPA supplicant can be configured to control the roaming and IEEE 802.11 authentication/association of the owl device.

The configuration is usually performed in a configuration file, e.g. /etc/wpa_supplicant.conf. It is also possible to directly issue commands to the WPA Supplicant, using a dedicated shell command, wpa_cli. The usage of wpa_cli is out of the scope of this document, but is described in detail in the WPA supplicant documentation http://hostap.epitest.fi/wpa_supplicant/.

This section will show examples of how to perform the following operations using WPA Supplicant.

All the steps and expected output is provided in detail below. See the end of this section for a complete list of supported configurations. For complete documentation on WPA Supplicant, see the WPA Supplicant documentation http://hostap.epitest.fi/wpa_supplicant/.

Connect to an unencrypted network

To simply instruct the WPA Supplicant to connect to any unencrypted network with ssid hdwireless, the following configuration file should be enough:

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="hdwireless"
    key_mgmt=NONE
}

The path to the configuration file and the interface name (owl0) should then be passed as parameters when starting the WPA Supplicant:

$ wpa_supplicant -Dwext -iowl0 -c /etc/wpa_supplicant.conf -B

The paramater -Dwext informs the WPA Supplicant that the standard Wireless Extensions interface should be used to control the network interface. For detailed information on how to configure and run the WPA supplicant, see the WPA supplicant documentation http://hostap.epitest.fi/wpa_supplicant/.

The WPA Supplicant will now periodically scan for networks until one that matches the configuration is found. Once found, a connection will be established. The WPA Supplicant will also handle reconnect if the connection is lost. Therefore, opposed to Wirieless Tools, when using the WPA Supplicant, it is not necessary to perform manual scanning and network selection.

Note that the WPA Supplicant configuration can hold several networks and the WPA Supplicant will choose and roam amongst them. However, most importantly, the WPA supplicant implements the key negotiation with a WPA Authenticators.

Connect to a WPA protected network that uses TKIP encryption

To connect to a network using WPA key management and TKIP encryption, the following network configuration can be specified in the configuration file:

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="hdwireless"
    key_mgmt=WPA-PSK
    group=TKIP
    pairwise=TKIP
    proto=WPA
    psk="hdwirelesskey"
}

The key configured on the access point should be "hdwirelesskey".

To force the WPA Supplicant to re-read its configuration file wpa_cli can be used

$ wpa_cli reconfigure

One should remember that all wireless operations performed by both the WPA supplicant and Wireless Tools are done through the same Wireless Extensions API. This means that it will still be possible to e.g. check the connection status with iwconfig:

$ iwconfig
owl0    IEEE 802.11bg ESSID:"angr"
        Mode:Managed Frequency:2.422 GHz Access Point:68:7F:74:10:5B:4C
        Bit Rate=54 Mb/s
        Encryption key:472A-7E38-C465-D4EB-6DA7-BAE6-4700-0960-EDB1-40DE-
        18CC-5A02-4AE1-EA96-F3EE-142A Security mode:open
        Power Management timeout:10
        Link Quality=24/30 Signal level=-20 dBm Noise level=-44 dBm
        Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
        Tx excessive retries:0 Invalid misc:0 Missed beacon:0

Once connected, it is possible to obtain an ip address and perform the ping test:

$ udhcpc -i owl0
Sending discover...
Sending select for 192.168.2.102...
Lease of 192.168.2.102 obtained, lease time 172800
adding dns 192.168.2.1
$ ping -c 3 192.168.2.1
...

Connect to a WPA2 enabled network that uses CCMP encryption

To connect to a network using the WPA2 protocol and CCMP encryption, the following network configuration can be specified in the configuration file:

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="hdwireless"
    key_mgmt=WPA-PSK
    group=CCMP
    pairwise=CCMP
    proto=WPA2
    psk="hdwirelesskey"
}

Connect to a network that uses any WPA/WPA2 protocol and TKIP/CCMP encryption.

Note that several encryption parameters can be specified on a single line, allowing connections to a specific ssid using a range of encryption methods. The configuration file below should allow connections to the hdwireless access point regardless of whether the WPA or WPA2 protocol is used or whether CCMP or TKIP is used for pairwise and group key encryption. The actual encryption method used will be the most secure one that is supported by the access point.

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="hdwireless"
    key_mgmt=WPA-PSK
    group=TKIP CCMP
    pairwise=TKIP CCMP
    proto=WPA WPA2
    psk="hdwirelesskey"
}

Connect to a network with hidden SSID

To allow the wpa_supplicant to connect to hidden networks, the scan_ssid parameter must be added to the network configuration.

ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="hdwireless"
    scan_ssid=1
    key_mgmt=WPA-PSK
    group=TKIP CCMP
    pairwise=TKIP CCMP
    proto=WPA WPA2
    psk="hdwirelesskey"
}

List of supported WPA Supplicant network options

Key management (key_mgmt): WPA-PSK, NONE
Group key encryption (group): CCMP, TKIP
Pairwise key encryption (pairwise): CCMP, TKIP
Protocol (proto): WPA, WPA2