#
#   $Id$
#
#   WPA Mini-HOWTO
#       Initial text by Gary Case <gcase@redhat.com>
#       2006.09.26 Brian Elliott Finley
#       - misc updates
#       
#

Here are my directions for installing wpa_supplicant, wifi-radar and all
necessary support packages on RHEL4 U2 to enable WPA/WPA2 encrypted
wireless ethernet access. 

1. Wireless-tools package: I didn't need to update this as the version
we ship (v27) was sufficient for use with the latest drivers.


2. Wireless-extensions: I didn't update this. The kernel is using v16
according to iwconfig --version, which is sufficiently new to support
everything we need here.


3. Updated wireless card driver, firmware and kernel module precompiled
RPMs retrieved from here:

http://atrpms.net/dist/el4/ipw2200-testing/

Newer driver: ipw2200-1.0.10-36.el4.at
Newer firmware: ipw2200-firmware-2.4-7.at
Newer kernel module: ipw2200-kmdl-2.6.9-22.0.2.EL-1.0.10-36.el4.at

Be sure to get the packages from the "testing" branch, as the regular
ones are the same as the one we ship with RHEL 4 (1.0.0). You need the
newer driver and associated files to make WPA work. The web page link I
posted will take you to the testing packages. 


4. WPA Supplicant, found here: http://hostap.epitest.fi/wpa_supplicant/

4a. I tried using the precompiled wpa_supplicant RPM packages from the
atrpms site, but they were built with all options enabled and needed
additional packages to solve dependencies. I decided to build the latest
stable version myself (version 0.4.8) instead of playing "find the RPM"
to solve the dependencies present in the precompiled package. My home
setup is very simple, so all I needed in my .config file were these
three lines:

CONFIG_IEEE8021X_EAPOL=Y
CONFIG_EAP_PSK=y
CONFIG_DRIVER_IPW=y

If your customer is using PEAP or LEAP or some other external
authentication protocol their .config file may vary. All the available
options are listed in the README file included in the wpa_supplicant
tarball.

4b. After building I copied the wpa_cli and wpa_supplicant binaries to
/usr/local/bin (the location suggested in the README. Feel free to
relocate if desired.). Then I copied the included wpa_supplicant.conf
file to /etc/wpa_supplicant/wpa_supplicant.conf. There's a great deal of
information and several example configurations in the supplied .conf
file. The customer can use the examples to select the proper options for
their config file if their network doesn't match my simple WPA2-PSK
setup:

#Gary's WPA2 home network
network={
        ssid="my-secret-ssid"
        scan_ssid=0
        proto=WPA2
        key_mgmt=WPA-PSK
        pairwise=CCMP
        group=CCMP
        psk="my-secret-pre-shared-key"
        priority=2


Be sure to change the SSID and PSK to the real values for your network.
All the other options in the file were left at their default state. 


5. WPA Supplicant testing

With the configuration set up as described, I could issue this command
to bring up the interface:

wpa_supplicant -Bw -ieth1 -c/etc/wpa_supplicant/wpa_supplicant.conf

(The -Bw option runs the daemon in the background and waits for the
interface to be added, if necessary. Have the customer change -ieth1 to
match their wireless interface.)

This command was then used to get a DHCP address on the card.

dhclient eth1

I wrote an extremely simple script to do the two commands for me:

#!/bin/bash
# Script to start WPA Supplicant for secure wireless communication
wpa_supplicant -Bw -ieth1 -c/etc/wpa_supplicant/wpa_supplicant.conf
sleep 8
dhclient eth1

If the network connection isn't coming up, check /var/log/messages for
errors and try dropping the -B option on wpa_supplicant to have the
program output information to stdout.


6. Wifi-radar

Although it's not needed for wireless or WPA to work, the wifi-radar
package can provide users with an alternative method for choosing and
connecting to a secure wireless access point. It has no options in the
GUI for WPA/WPA2, but it's capable of using a properly configured
wpa_supplicant installation to handle the more secure levels of
encryption. 

6a. After completing steps one through 5 above (step 5 is there to make
sure the supplicant is working properly), download and install
wifi-radar from the CVS site (directions are present on the CVS site):

http://svn.systemimager.org/

6b. Edit the configuration file to match your installation. An example
setup that works with my home network is shown below. The DEFAULT
section is already populated by the installer, but make sure that the
interface matches your wireless interface. As in all the other examples,
change "my-secret-ssid" to match the SSID in use at your site:

[DEFAULT]
ifup_required = False
auto_profile_order = my-secret-ssid
speak_up = False
scan_timeout = 5
interface = eth1
commit_required = False

[my-secret-ssid]
use_dhcp = yes
wpa_driver = ipw
use_wpa = yes
mode = Auto

6c. Edit the /usr/sbin/wifi-radar script to use dhclient instead of
dhcpcd:

The % DHCP_TIMEOUT section from the DHCP_COMMAND line needed commenting
out to make the wifi-radar script work. I suspect there's no timeout
value for dhclient or it's implemented differently from dhcpcd.

6d. Continue editing the /usr/sbin/wifi-radar script to use
wpa_supplicant. You'll need to change the command, conf, and driver
lines to match the locations of your command and configuration files as
well as the wpa driver you're using in wpa_supplicant.

# WPA_SUPPLICANT
WPA_SUPPLICANT_COMMAND  = "/usr/local/bin/wpa_supplicant"
WPA_SUPPLICANT_KILL_COMMAND=""
WPA_SUPPLICANT_CONF="/etc/wpa_supplicant/wpa_supplicant.conf"
WPA_DRIVER="ipw"
WPA_SUPPLICANT_PIDFILE  = "/var/run/wpa_supplicant.pid"
WPA_SUPPLICANT_ARGS     = "-B -i " + INTERFACE + " -c " + WPA_SUPPLICANT_CONF + " -D " + WPA_DRIVER + " -p " + WPA_SUPPLICANT_PIDFILE


7. Run wifi-radar

After making those script changes, I could run wifi-radar, select the
proper SSID and click the "Connect" button to get a DHCP address.