Howto: Wireless and Fedora Core 6 at UVa

As of 1/24/2006..

More details are available below in my old FC2 instructions about hard-coding wireless configs with xsupplicant (most of which also applies to wpa_supplicant), but I'll first mention The Easy But Flaky Way (slightly flaky in FC6 for me, should be more stable in FC7, maybe in other distros). In FC6, you can use Gnome's NetworkManager to hook up to wireless, which makes things almost as painless as Windows Wireless Zero does. It also makes things, in some cases, a little squirrelly, as WZ used to be before MS ironed out some of the bugs in it. FC6 comes with wpa_supplicant, and NetworkManager works with this, so I used it instead of xsupplicant.

First, run yum update to be sure you have all the latest stuff (preferably, for UVa folks, from linuxload.itc.virginia.edu). Don't forget to register your wireless MAC, or wahoo won't work for you.

NetworkManager was not enabled by default on FC6, so set it to start like so

On the Gnome desktop, it should appear on the taskbar (on the upper right, by default).

To get your certs for cavalier or jefferson, go by instructions below. I broke up certs into key, client cert, and CA certs, but I'm not sure this is necessary--you may be able to convert them all to one big pem file and use that for all three.

The builtin wireless driver for my Dell D620 did not seem to be working at first, so I installed driver packages dkms-ipw3945, ipw3945d, ipw3945-firmware, kernel-devel from FreshRPMS as recommended on this page. Your mileage may vary depending on your wireless card and how well your distro is supporting it. You may also want to install the gconf-editor package if you don't have it--it makes it much easier to see/edit NetworkManager gconf settings (where it stores all of its network profiles).

You'll need to have the current kernel-source for the auto-compiling ipw3945 drivers to work. Try your existing driver first (after yum update and a reboot).

I put my certs in /etc/cert/ after having some mysterious rights issues reading them from /root.

For me now, NetworkManager works fine with wahoo (open) and jefferson (WPA using eap-tls for auth and TKIP for key management). So far, I can't get it to work with cavalier (eap-tls for auth, dynamic WEP (I think) for key management). I assume hardcoding the wpa_supplicant.conf file would beat this into submission, but I haven't bothered yet. If something gets futzed up, I have to restart the OS to get everything reinitialized to work right again--I'm not quite sure what all the daemon, driver, and config interdependencies are, but I think there are quite a few. Restarting the network service/ifup/ifdown does not cut the mustard in terms of getting things back to square one. On kernel updates, it appears it may take TWO reboots to get things working, I assume because of some timing/load order issues with the autocompiling Intel drivers.

If you have comments/corrections to this doc, please let me know: gpayne at virginia.edu.

Howto:  Wireless and Fedora Core 2 at UVa.

As of 1/9/05...

1.  General notes on cisco card and FC 2
2.  wahoo (unencrypted)
3.  cavalier (eap-tls with xsupplicant)


1. General notes on the cisco card and FC2

FC2, at least in its early iterations, broke the basic functionality of the cisco 350 and possibly other wireless cards.  There seem to be problems with the way neat and/or kudzu set up the etc/sysconfig files.

The good news is that the newer versions of the kernel (for me currently, 2.6.8-1.521) apparently support the latest versions of the cisco firmware, so there is no need to backflash cards any more.  Bad news is there are still bugs in the released Cisco airo.c driver that cause problems in eap-tls (see eap-tls section for info about patched versions of airo.c driver and xsupplicant).  Other kernel-supported cards may work as is.

Fixing your sysconfig files:  For me, kudzu had first placed a bogus HWADDR in my sysconfig files and then did not create ifcfg-eth1, which was apparently required by several networking pieces, notably dhclient.  I can't claim this is the best or even the correct solution, but I created ifcfg-eth1 by hand and put it in /etc/sysconfig/network-scripts, /etc/sysconfig/networking/devices, and /etc/sysconfig/networking/profiles/default.  I'd be happy to hear from others who have other or more correct solutions or who let me know that this has been fixed and is no longer a problem in FC2.  For completeness, here is my ifcfg-wifi0.

If you're in doubt about what eth your wireless card should be (eth0, eth1, etc), run iwconfig with your card in--it'll tell you.

2. Wahoo

Basically, if you read section 1 and have your cisco card working properly, you just need to specify ESSID=wahoo in your sysconfig ifcfg files to have things work.  ESSID= or ESSID=any used to work, but in most areas now wahoo is non-broadcast, and cards won't find it unless it is specified.

3. Cavalier

This is a little trickier, and didn't work for my cisco 350 card until I got a patch for the airo driver and a backported patch for xsupplicant 1.0.1  (thanks very much to Fabrice Bellet and Dan Streetman).  See below for more on this.  It may work more easily for other kernel-supported cards.

Get xsupplicant 1.0.1 or better from www.open1x.org.  When I checked, the rpms available griped about my (newer) copy of openssl, so I compiled the source version.  Just ./configure; make; make install (three commands, separate lines, of course).

To get UVa personal certificates, go to http://www.itc.virginia.edu/desktop/vpn/shared/getCert.html to get a certificate originally.  You can do this in Mozilla on Linux, but I already had a certificate in Windows which I wanted to reuse, so I exported it from Internet Explorer in Windows using Tools/Internet Options/Content/Certificates, selecting the personal certificate I wanted, and exporting (WITH private key).  I exported using the PKCS 12 format which allows you to get all the certificates in the cert chain (which you need to do when asked).  On my Linux machine, I then changed the PKCS 12 file to a ".pem" file with the openssl command:

openssl pkcs12 -in uvastandardAssurance.pfx -out uvastandardassurance.pem

If you want to break up your certs into root, intermediate certs, and personal keys, you can do it like this.
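One way to do that split with openssl pkcs12, as an added example (not the author's original commands, which are not on this page). The output file names, the P12_PASS and KEY_PASS environment variable names, and the throwaway demo CA and user certificate are assumptions constructed for the example.

```bash
#!/bin/bash
# Added example (not the author's original commands): split a PKCS#12 export
# into private key, client cert and CA chain, each readable by the owner only.
# P12_PASS / KEY_PASS are assumed env var names; using env: keeps the
# passwords out of the argument list that ps shows to other users.

split_p12() {                      # usage: split_p12 <file.pfx> <outdir>
    local p12=$1 out=$2
    (   umask 077                  # new dir is 0700, new files 0600
        mkdir -p "$out" &&
        # private key only, re-encrypted under KEY_PASS
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts \
            -passout env:KEY_PASS -out "$out/client-key.pem" &&
        # personal (client) certificate only
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
            -out "$out/client-cert.pem" &&
        # root and intermediate certificates only
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
            -out "$out/ca-chain.pem"
    )
}

check_split() {                    # key must match cert; certs hold no key
    local out=$1 from_cert from_key
    from_cert=$(openssl x509 -in "$out/client-cert.pem" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$out/client-key.pem" -passin env:KEY_PASS -pubout) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ] &&
        ! grep -q "PRIVATE KEY" "$out/client-cert.pem" "$out/ca-chain.pem"
}

make_demo_p12() {                  # constructed throwaway CA + user cert
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$d/u.key" -out "$d/u.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/u.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/u.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/u.key" -in "$d/u.crt" \
        -certfile "$d/ca.crt" -passout env:P12_PASS -out "$d/demo.pfx"
}

export P12_PASS=constructed-export-pw KEY_PASS=constructed-key-pw
work=$(mktemp -d)
make_demo_p12 "$work" && split_p12 "$work/demo.pfx" "$work/cert" &&
    check_split "$work/cert" && echo "split OK: $work/cert"
```

The same owner-only permissions suit /etc/xsupplicant.conf, because user_key_pass stores the private key password there in clear text.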

Now you want to set up your /etc/xsupplicant.conf file.  My file minus password is here, but contents are

#***GLOBAL SECTION***
#  To see all sections with full options, see example xsupplicant.conf that comes with xsupplicant
network_list = cavalier
default_netname = cavalier


# xsupplicant 1.0.1 will crash if we don't put SOMETHING here.  We do all our setup
# in calling script cavsetup.sh, since these commands will be deprecated in future versions of xsupplicant
 
startup_command = <BEGIN_COMMAND>/bin/echo xsupplicant started<END_COMMAND>
first_auth_command = <BEGIN_COMMAND>/bin/echo authenticated..<END_COMMAND>
reauth_command = <BEGIN_COMMAND>/bin/echo "authenticated user %i"<END_COMMAND>
 
logfile = /var/log/xsupplicant.log


#auth_period = 30
#held_period = 30
#max_starts = 3

allow_interfaces = eth1,wifi0

# eth0 is my wired connection
deny_interfaces = eth0

###  NETWORK SECTION (use real email with @ as id)

cavalier
{
  type = wireless
  allow_types = eap_tls
  identity = <BEGIN_ID>ghp5h at virginia.edu<END_ID>

  eap_tls {
     user_cert = /home/gpayne/standardassurance.pem
     user_key  = /home/gpayne/standardassurance.pem
     user_key_pass = <BEGIN_PASS>yourprivatekeypasswordhere<END_PASS>
     root_cert = /home/gpayne/standardassurance.pem
     chunk_size = 1398
     random_file = /dev/urandom

     # To enable TLS session resumption, you need to set the following
     # value to "yes".  By default, session resumption is disabled.
     #session_resume = yes
  }
}

 


To start up xsupplicant/eap-tls, I use a simple script, cavsetup.sh (make sure to chmod +x).  I do it this way because I like to let my laptop boot onto the (unencrypted) wahoo network for ease of use with Kismet and whatnot, and then start eap-tls when appropriate.  Please note that my wireless interface (eth1) is hard-coded here and in the xsupplicant.conf.  Paths to executables are also hard-coded.  Change as appropriate to you.  If you write a better and more flexible script, let me know, I'll post it here.  You may want to put some version of cavsetup.sh in /etc/rc/init.d or somewhere if you want to go straight into cavalier on bootup.  Anyway, here's my cavsetup.sh:

#!/bin/bash
 
/bin/echo setting up eth1 for cavalier...
killall dhclient xsupplicant
/sbin/dhclient -r eth1
sleep 1
/sbin/ifconfig eth1 down
/sbin/iwconfig eth1 essid cavalier key 00000000
# We're now associated & encrypted, bring network up and start dhclient in background.
# Will block otherwise
/sbin/ifconfig eth1 allmulti up &
/usr/local/sbin/xsupplicant -i eth1 &
/sbin/dhclient eth1 &


Now, finally to test things, run
./cavsetup.sh

Run ifconfig and verify you have a 172.16 address.


And miraculously, if you have a cisco 350 card, it doesn't work!  To fix it, you need to see the cisco patches.  Without the patches, the cisco card endlessly reauthenticates because the card resets when the keys are changed, which it shouldn't.  Many other cards should work as-is, including possibly other cisco cards.  If you have comments/corrections to this doc, please let me know.

gpayne at virginia.edu

Notes on airo.c driver and this bug:
http://sourceforge.net/mailarchive/forum.php?thread_id=5485701&forum_id=21720

More on airo.c
Fabrice Bellet's docs on recent patches (which have been incorporated in airo.c)
http://bellet.info/laptop/t40.html#wireless