Using WPA with OSX, XP and Linux

I recently setup a Netgear WGR614 wireless router for use with my broadband link and discovered that it had support for WiFi Protected Access (WPA). It can use WPA in pre-shared-key mode (WPA-PSK) otherwise known as "WPA Personal". If you don't know what WPA is or why you would want to use it, visit the WiFi Alliance.

WiFi Protected Access (WPA)

In summary, it's the successor to Wired Equivalent Privacy (WEP) and the predecesor to WPA2 which is expected to fully implement 802.11i. WPA addresses the common security issues associated with WEP but can be implemented on existing WiFi hardware (subject to the availability of updated firmware/drivers).

There are two types of WPA, Personal and Enterprise. Enterprise uses 802.11x with the Extensible Authentication Protocol (EAP) to authenticate/authorise via a Remote Authentication Dial-In User Service (RADIUS) server and setup a unique initial key. Personal doesn't use 802.11x or need a RADIUS server; it relies on an initial shared key that the AP and all clients need to know. WPA uses the Temporal Key Integrity Protocol (TKIP) which has a per-packet key mixing function, a message integrity check (MIC), allows for re-keying and has other secuirty enhancements over WEP.

NB. Although WPA Personal is a vast improvement over WEP, it doesn't provide sufficient security to stop authorised wireless users from eavesdropping on each other. If that's an issue, you'll need a WPA Enterprise capable AP and will have to setup and run a WPA Enterprise infrastructure.

Wireless Access Point (AP)

Netgear WGR614 v3 (firmware ?, Nov 2003)

Switching WPA-PSK on in the Netgear is simplicity. Enable the checkbox in the wireless settings page and enter a 8-63 char passphrase (no WEP-style HEX to fiddle with here). Apply the change and wait for the router/AP to reboot.

Make sure that SSID broadcasting is enabled. It's enabled by default but gives a slight security-by-obscurity feeling if you disable it. If you leave it enabled, WPA will be much easier (read as actually possible) to get working and with WPA working it won't make any difference whether unauthorised users can see your SSID or not.

Wireless Clients

Mac OSX 10.3.3 - built-in Airport Extreme 802.11g client

Getting it to work on a PowerBook G4 was trivial. You need Panther (Mac OSX 10.3), it's not supported on Jaguar (10.2) or Classic. Enable the WiFi radio, connect to the desired WiFi SSID (network) and Panther detects that the AP is using WPA-PSK. It pops up a dialogue for you to enter the WPA passphrase. The connection works. End of story.

Windows XP home - Avaya Gold 802.11b PC card

I have an I8500 laptop that still has an XP partition that it came bundled with. I also have an old Avaya Gold 802.11b card lying around and decided to see if I could get them to work. Bear in mind that I know very little about XP and only ever run it as a user and only then very occasionally. This is what I did to make it all work. You'll probably need to restart Windows a few times during this process:

• Run XP SP1
• Download the WPA update (via Windows Update)
• (reboot)
  
• Remove the Avaya WiFi utility (it's important for XP to manage the device itself)
• Download the latest Agere driver (not the Avaya driver - it doesn't support WPA)
• Unpack the driver to C:\WUTEMP
  
• Update the driver for the Avaya card, pointing the driver update utility at C:\WUTEMP
• (reboot)
  
• Double-click the wireless network icon in the taskbar and hit the Advanced button
• Select the appropriate WiFi SSID (network) and hit configure
  
• Choose WPA-PSK with TKIP and enter the passphrase

XP associated with the AP and maintained a connection for a few minutes but then the network dropped out and a dialogue popped up telling me that the connection had been lost. One more reboot and it started to work continuously.

Linux 2.4.24 (RedHat 9) - Avaya Gold 802.11b PC card

After some googling, I didn't think that the Avaya Gold would have any chance of working under Linux without at least paying for a Linuxant license. I then decided to look around for a new 802.11g PC card that would run with WPA on Linux. Here are a few resources I used:

• Host AP (Prism2/2.5/3 driver) and wpa_supplicant
  
• prism54.org (802.11g Prism GT/Duette/Indigo driver)
• How to do WPA encryption between Linksys WRT54G and WMP54G on Linux

It looked like it was possible to use either:

1. An 802.11b Prism-based card with hostap drivers and wpa_supplicant
2. An 802.11g card with Linuxant/Windows NDIS driver and wpa_supplicant.

   I opted to go with a Netgear WG511 as it had a Prism 54 chipset (ie. it could be driven natively under Linux albeit without support for WPA yet), was supported by Linuxant (for the WPA support) and was the same make as my AP. However, before this card arrived I downloaded the latest (31st March 2004, release 7.18) Agere Linux driver. This had a new Hermes and Hermes-II chipset driver with support for WPA and came with a copy of wpa_supplicant bundled. I had found a way to get my original Avaya Gold to work!

3. An 802.11b Hermes (Orinoco) based card with Agere driver and wpa_supplicant

Update 6-4-04: Jouni has updated his wpa_supplicant page to reflect the new Hermes support

Here's a procedure to get (3) to work:

• Download what you need:
• The latest Agere Linux driver. I used release 7.18
  
• The latest pcmcia-cs sources. I used version 3.2.7
• Check that your iwconfig supports Wireless Extensions (WE) v15 (iwconfig -v). If not, download the latest wireless tools package containing iwconfig. iwconfig needs to support at least WE v15. Linux kernel 2.4.24 and wireless tools version 26 both support WE v16.
  
• Have the source tree for your running kernel available. I used 2.4.24-dis9
• Build and/or install the latest wireless tools package (if necessary)
  
• Build the Agere driver:
• Unpack the pcmcia-cs sources and then unpack the Agere tarball on top
• See README.wlags49 for detailed instructions on all of the following
  
• Run ./Configure and answer questions such as the kernel src location
  
• Run make. This will build the Agere Hermes driver
• Run make install as root
• Check that the new driver loads ok:
  
• Plug in the PC card (if not already plugged in)
  
• Restart pcmcia subsystem (/etc/init.d/pcmcia restart)
• Check /var/log/messages (or dmesg) and verify that the Hermes driver is being used
  
• Build wpa_supplicant:
• Run make in the hostap/wpa_supplicant directory within pcmcia-cs sources
  
• Copy wpa_supplicant and wpa_passphrase to /usr/local/bin
• Create /etc/wpa_supplicant.conf containing:

  network={
    ssid="<Your WiFi SSID>"
    psk="<Your WPA passphrase>"
}

• Configure the wireless device:
• Use redhat-config-network (or the tool that came with your particular distro or hack the relevant ifcfg file) to create a new wireless interface
  
• Edit /etc/sysconfig/network-scripts/ifcfg-<ethernet device> where <ethernet device> is the device name used in the previous step, eg. eth0 or eth1.
• Add a line at the bottom of the file:

  WPA=y
  

• Edit the /etc/sysconfig/network-scripts/ifup-wireless file:
• At the end of the file add:
  
  if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
    /usr/local/bin/wpa_supplicant -D hermes -Bw -c/etc/wpa_supplicant.conf \
            -i$DEVICE
fi


• Restart the pcmcia subsystem again or ifdown/ifup the interface

It *should* now be working with WPA-PSK enabled. It did for me...

April 2004 - Graeme Wilford <G.Wilford _at_ surrey _dot_ ac _dot_ uk>