Wi-Fi Protected Access version 2 (WPA2) is becoming the de
facto standard for securing wireless networks, and a mandatory
feature for all new Wi-Fi products certified by the Wi-Fi
Alliance. We all know the security weaknesses of its
predecessor, WEP; this time they got it right. Here's how to
implement the WPA2 protocol on a Linux host and create a
secure wireless access point (WAP) for your network.
Most consumer-grade commercial WAPs operate in the same simple
manner: they create a bridge between a wired (Ethernet)
network interface and a wireless one. That's exactly what
we'll do too. The WAP part will be handled by the hostapd
daemon, so you must pick a wireless interface it supports.
Among the supported NICs are those with Prism 2/2.5/3,
Atheros ar521x, and Prism GT/Duette/Indigo chipsets; a list is
available on the hostapd homepage, along with links for Linux
drivers for each chipset. I have an Atheros AR5212-based PCI
card installed on my WAP, which works great with the latest
stable version of MADWifi drivers and is supported by hostapd.
Although any Pentium (or newer) system will work, some PCI
wireless cards require PCI 2.2 to operate, so make sure to
check your system's motherboard specifications before buying.
You will also need an Ethernet interface that's supported by
Linux for connecting your WAP to the LAN; most on-board
interfaces will work just fine.
My setup is based on Ubuntu 6.06 LTS but any GNU/Linux
distribution with a recent 2.6 kernel will work. The kernel
must support 802.1d Ethernet Bridging (CONFIG_BRIDGE) and
Wireless LAN (CONFIG_NET_RADIO). Most default stock kernels
have these features enabled, but if you prefer to build your
own kernel, make sure to include these options. The only other
packages you need to install, besides hostapd, are bridge-utils
and wireless-tools. Major GNU/Linux distributions offer binary
packages for all these programs, but if you prefer to build
them from source, you can find more information on their
homepages.
Before bridging together the two interfaces we must put the
wireless interface (in my case ath0; adjust it to match your
setup) in hostap or Master mode. Usually this is as simple as
running iwconfig ath0 mode Master, but since wlan support in
Linux is not yet standardized, some drivers may need
additional configuration. If you have an Atheros-based
interface you also need to run the following: wlanconfig ath0
destroy; wlanconfig ath0 create wlandev wifi0 wlanmode ap
before the iwconfig command. After that, running iwconfig ath0
will report Mode:Master among its other fields.
Now let's create the bridge. We'll assume that the Ethernet
interface is eth0:
ifconfig eth0 0.0.0.0 up
ifconfig ath0 0.0.0.0 up
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 ath0
And for stopping the bridge, you should run:
ifconfig br0 down
ifconfig eth0 0.0.0.0 down
ifconfig ath0 0.0.0.0 down
brctl delif br0 eth0
brctl delif br0 ath0
brctl delbr br0
You can optionally give an IP address to the br0 interface if
you want to access the WAP host from the network, using for
instance SSH. Each distribution offers its own way to
configure the network; if you use Debian (or any Debian-based
distribution, such as Ubuntu) you can wrap up all the previous
commands by simply adding the following to your
/etc/network/interfaces file:
auto ath0 br0
iface ath0 inet manual
    pre-up wlanconfig ath0 destroy
    pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
    post-down wlanconfig ath0 destroy
    wireless-mode master
iface br0 inet manual
    bridge_ports eth0 ath0
Note that ifupdown handles eth0 automatically, so you don't
need a separate stanza for it in /etc/network/interfaces.
To verify that the bridge is configured correctly, run brctl
show. You should get something like this in return:
bridge name     bridge id               STP enabled     interfaces
br0             8000.00032f2481f0       no              ath0
                                                        eth0
Before starting to mess with hostapd we need a pass phrase for
WPA2. As with all passwords, it should be random and thus hard
to guess. A nice way to get a random pass phrase is to visit
Gibson Research Corp.'s Ultra High Security Password Generator
and use the third password it creates -- the one titled 63
random alpha-numeric characters (a-z, A-Z, 0-9). Having a
passphrase that includes non-alpha-numeric ASCII characters
(e.g. !, @, etc.) might be tempting, but some clients --
namely Windows XP -- don't seem to like them.
Now create a new text file named /etc/hostapd/wpa_psk and
paste your pass phrase as:
00:00:00:00:00:00 PASSPHRASE
The all-zero MAC address at the start of the line means 'match
all MAC addresses.' You can also give each client its own
passphrase by appending a line with that client's MAC address
and its passphrase. Make sure that only
root has access to that file by running chmod 600
/etc/hostapd/wpa_psk.
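The passphrase advice and the wpa_psk file format above, as an added example that is not part of the original article: it generates a 63-character alphanumeric passphrase locally with Python's secrets module (the same character set the article recommends, so Windows XP clients are not affected), parses a constructed wpa_psk file, derives the 256-bit PSK that hostapd and the client actually use in the 4-way handshake (PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, as specified in IEEE 802.11i), and checks that the file mode is owner-only as chmod 600 leaves it. The SSID "IEEE" with passphrase "password" in the sample file is the published IEEE 802.11i test vector, not a value from the article; the client MAC address and file contents are constructed.

```python
"""Added example (not from the original article): generate, parse and check
WPA2-PSK material for a hostapd wpa_psk file."""
import hashlib
import os
import re
import secrets
import stat
import string

ALNUM = string.ascii_letters + string.digits          # a-z, A-Z, 0-9 only
WILDCARD_MAC = "00:00:00:00:00:00"                    # hostapd's match-all entry
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
HEX_PSK_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)


def random_passphrase(length: int = 63) -> str:
    """Alphanumeric passphrase from a CSPRNG; 63 characters is the WPA
    maximum and gives roughly 375 bits of entropy (62**63)."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (the PMK for WPA-Personal) as defined in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def parse_wpa_psk(text: str, ssid: str) -> list:
    """Parse '<MAC> <passphrase-or-64-hex-PSK>' lines of a wpa_psk file.
    Returns [(mac, psk_bytes)] in file order; raises ValueError on bad lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank lines and comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<MAC> <passphrase>'")
        mac, secret = parts
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {mac!r}")
        if HEX_PSK_RE.match(secret):
            psk = bytes.fromhex(secret)       # raw 256-bit PSK given directly
        elif 8 <= len(secret) <= 63 and secret.isascii() and secret.isprintable():
            psk = derive_psk(secret, ssid)    # passphrase: derive the PSK
        else:
            raise ValueError(f"line {lineno}: passphrase must be 8-63 "
                             "printable ASCII characters or 64 hex digits")
        entries.append((mac.lower(), psk))
    return entries


def psks_for_client(entries: list, mac: str) -> list:
    """Every PSK that applies to one client: entries with its exact MAC
    plus the wildcard entry."""
    mac = mac.lower()
    return [psk for m, psk in entries if m in (mac, WILDCARD_MAC)]


def owner_only_mode(mode: int) -> bool:
    """True when group and others hold no permission bits (0600 or stricter)."""
    return mode & 0o077 == 0


def owner_only(path: str) -> bool:
    """Apply owner_only_mode to a real file, e.g. /etc/hostapd/wpa_psk."""
    return owner_only_mode(stat.S_IMODE(os.stat(path).st_mode))


# Constructed sample file (not the article's). The SSID/passphrase pair is
# the IEEE 802.11i test vector, so the derived PSK has a known value; the
# second line carries that same PSK in hex form for a specific client.
SAMPLE_SSID = "IEEE"
SAMPLE_WPA_PSK = """# match-all entry, then one client with a pre-derived hex PSK
00:00:00:00:00:00 password
00:11:22:33:44:55 f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
"""

if __name__ == "__main__":
    print("fresh passphrase:", random_passphrase())
    for client_mac, psk in parse_wpa_psk(SAMPLE_WPA_PSK, SAMPLE_SSID):
        print(client_mac, psk.hex())
    real_file = "/etc/hostapd/wpa_psk"
    if os.path.exists(real_file):
        print(real_file, "owner-only:", owner_only(real_file))
```

Run it as a script to print a fresh passphrase and the PSK for each sample entry; the derivation is what lets you see why a short or guessable passphrase matters: the PSK is a deterministic function of the passphrase and SSID, so anyone who captures a handshake can test candidate passphrases offline, and the only defence is the passphrase's entropy.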
Now create a backup of hostapd's main configuration file,
/etc/hostapd/hostapd.conf, and keep it as a reference by
running mv /etc/hostapd/hostapd.conf /etc/hostapd/hostapd.conf.orig.
Create a new hostapd.conf file and paste the following lines
into it:
interface=ath0
bridge=br0
driver=madwifi
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=My_Secure_WLAN
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/accept
auth_algs=3
eapol_key_index_workaround=0
eap_server=0
wpa=3
wpa_psk_file=/etc/hostapd/wpa_psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
stakey=0
Replace the site-specific values (at least interface, driver and
ssid) with information that matches your setup. If you want to
allow only specific clients to connect,
remove the # character from the two lines above and copy the
MAC addresses of those clients to /etc/hostapd/accept, and
make this file accessible only by root (chmod 600). For more
information about the options used, read the comments in the
backup file you created previously (hostapd.conf.orig).
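The hostapd.conf options above, as an added example that is not part of the original article: a small parser for hostapd's flat key=value format and a lint pass over the options the article uses. Run against the article's own configuration (embedded below) it raises two points a practitioner would want to weigh: wpa=3 also admits WPA (version 1) clients, so wpa=2 is the setting for a WPA2-only network, and auth_algs=3 enables Shared Key authentication, which only applies to WEP and is unnecessary with WPA/WPA2. It also confirms that the secret stays out of hostapd.conf (the article keeps it in wpa_psk_file) and that no TKIP pairwise cipher is offered. The harden() helper and the weaker constructed configuration used in the self-check are assumptions of this example.

```python
"""Added example (not from the original article): parse hostapd.conf and
flag settings that weaken a WPA2-PSK access point."""

# The article's hostapd.conf, embedded here as input for the lint pass.
ARTICLE_CONF = """interface=ath0
bridge=br0
driver=madwifi
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=My_Secure_WLAN
#macaddr_acl=1
#accept_mac_file=/etc/hostapd/accept
auth_algs=3
eap_server=0
wpa=3
wpa_psk_file=/etc/hostapd/wpa_psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
"""


def parse_hostapd_conf(text: str) -> dict:
    """hostapd.conf is flat key=value; '#' lines are comments, so a
    commented-out option (like #macaddr_acl=1) is simply absent."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd_conf(conf: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    wpa = int(conf.get("wpa", "0"))          # bit 1 = WPA, bit 2 = WPA2/RSN
    if not wpa & 2:
        findings.append("wpa=%d does not enable WPA2 (RSN); set wpa=2" % wpa)
    if wpa & 1:
        findings.append("wpa=%d also accepts WPA (v1) clients; use wpa=2 "
                        "unless a legacy client really needs WPA" % wpa)
    # rsn_pairwise falls back to wpa_pairwise when it is not set explicitly
    ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("pairwise cipher list allows TKIP; offer CCMP only")
    if "CCMP" not in ciphers:
        findings.append("CCMP (AES) is not offered as a pairwise cipher")
    if "WPA-PSK" not in conf.get("wpa_key_mgmt", "").split():
        findings.append("wpa_key_mgmt must include WPA-PSK for a PSK network")
    if "wpa_passphrase" in conf or "wpa_psk" in conf:
        findings.append("secret is inline in hostapd.conf; keep it in the "
                        "wpa_psk_file (chmod 600) instead")
    elif "wpa_psk_file" not in conf:
        findings.append("no wpa_psk_file, wpa_passphrase or wpa_psk: no key source")
    auth_algs = conf.get("auth_algs")        # bit 1 = Open System, bit 2 = Shared Key
    if auth_algs is not None and int(auth_algs) & 2:
        findings.append("auth_algs=%s enables Shared Key authentication, which "
                        "only applies to WEP; auth_algs=1 (Open System) is "
                        "sufficient for WPA/WPA2" % auth_algs)
    return findings


def harden(conf: dict) -> dict:
    """Copy of the configuration with WPA2-only, CCMP-only settings applied
    (assumed helper, not a hostapd feature)."""
    fixed = dict(conf)
    fixed.update({"wpa": "2", "wpa_pairwise": "CCMP",
                  "rsn_pairwise": "CCMP", "auth_algs": "1"})
    return fixed


if __name__ == "__main__":
    conf = parse_hostapd_conf(ARTICLE_CONF)
    for finding in lint_hostapd_conf(conf) or ["no findings"]:
        print("-", finding)
    print("after harden():", lint_hostapd_conf(harden(conf)) or "no findings")
```

The lint reads the file rather than asking hostapd, so it can run before the daemon starts; keep in mind that it only knows the options listed here, and the full option reference remains the comments in hostapd.conf.orig.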
Start the hostapd daemon (/etc/init.d/hostapd start) and check
/var/log/daemon.log to verify that it works. If the daemon
does not come up, increase the debug level (option debug= in
hostapd.conf) to 4 and try again.
Now if you scan for available wireless networks from a client,
you should see your ESSID. To connect to the WAP from a
Windows XP SP2 client, you need to install Microsoft's
KB893357 patch first, which adds WPA2 support. On a Linux
client, install wpa_supplicant and create a configuration file,
wpa_supplicant.conf (in Debian, installed in
/etc/wpa_supplicant/) like the following:
update_config=1
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
network={
ssid="My_Secure_WLAN"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
group=CCMP
psk="PASSPHRASE"
priority=5
}
Again replace the site-specific values (ssid and psk) to match your setup and run
wpa_supplicant -i eth1 -D wext -c /etc/wpa_supplicant/wpa_supplicant.conf
(replacing eth1 with your wlan interface name and wext with
the appropriate driver for your card; run wpa_supplicant
without any options for more information). This command starts
wpa_supplicant in the foreground and tries to connect to the WAP.
If the output looks like the following, you're all set:
Trying to associate with 00:11:22:33:44:55 (SSID='My_Secure_WLAN' freq=0 MHz)
Associated with 00:11:22:33:44:55
WPA: Key negotiation completed with 00:11:22:33:44:55 [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (auth) [id=0 id_str=]
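The wpa_supplicant output above, as an added example that is not part of the original article: a checker that reads the foreground log lines and reports whether the connection completed with CCMP for both the unicast (PTK) and group (GTK) keys, which is what a WPA2-only network should show. Besides the article's own output it is run over two constructed logs: one where the group key fell back to TKIP (as can happen on a mixed WPA/WPA2 network) and one where the 4-way handshake failed, the usual symptom of a passphrase mismatch. The BSSID 00:11:22:33:44:55 is the article's; the two extra logs and their exact wording are constructed for this example.

```python
"""Added example (not from the original article): judge a wpa_supplicant
log by the cipher suites negotiated and the final connection state."""
import re

KEYNEG_RE = re.compile(
    r"WPA: Key negotiation completed with (?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\[PTK=(?P<ptk>\w+) GTK=(?P<gtk>\w+)\]", re.IGNORECASE)
CONNECTED_RE = re.compile(r"CTRL-EVENT-CONNECTED - Connection to \S+ completed")
HANDSHAKE_FAILED = "4-Way Handshake failed"


def summarize_supplicant_log(lines) -> dict:
    """Walk the log in order and keep the state of the latest attempt."""
    state = {"bssid": None, "ptk": None, "gtk": None,
             "connected": False, "handshake_failed": False}
    for line in lines:
        m = KEYNEG_RE.search(line)
        if m:                                   # keys installed: record ciphers
            state.update(bssid=m["bssid"].lower(), ptk=m["ptk"].upper(),
                         gtk=m["gtk"].upper(), handshake_failed=False)
        elif CONNECTED_RE.search(line):
            state["connected"] = True
        elif HANDSHAKE_FAILED in line:          # MIC check failed: wrong PSK
            state["handshake_failed"] = True
            state["connected"] = False
        elif "CTRL-EVENT-DISCONNECTED" in line:
            state["connected"] = False
    return state


def verdict(state: dict) -> str:
    """'ok' only when connected and both PTK and GTK use CCMP (AES)."""
    if state["handshake_failed"]:
        return "handshake failed: the passphrase differs between AP and client"
    if not state["connected"]:
        return "not connected"
    if state["ptk"] != "CCMP" or state["gtk"] != "CCMP":
        return ("connected, but ciphers are PTK=%s GTK=%s (expected CCMP/CCMP)"
                % (state["ptk"], state["gtk"]))
    return "ok"


# The article's output, followed by two constructed logs.
ARTICLE_LOG = """Trying to associate with 00:11:22:33:44:55 (SSID='My_Secure_WLAN' freq=0 MHz)
Associated with 00:11:22:33:44:55
WPA: Key negotiation completed with 00:11:22:33:44:55 [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (auth) [id=0 id_str=]
""".splitlines()

MIXED_LOG = """Associated with 00:11:22:33:44:55
WPA: Key negotiation completed with 00:11:22:33:44:55 [PTK=CCMP GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:11:22:33:44:55 completed (auth) [id=0 id_str=]
""".splitlines()

FAILED_LOG = """Associated with 00:11:22:33:44:55
WPA: 4-Way Handshake failed - pre-shared key may be incorrect
CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys
""".splitlines()

if __name__ == "__main__":
    for name, log in (("article", ARTICLE_LOG), ("mixed", MIXED_LOG), ("failed", FAILED_LOG)):
        print(name + ":", verdict(summarize_supplicant_log(log)))
```

To use it on a real session, redirect wpa_supplicant's foreground output to a file and pass the file's lines to summarize_supplicant_log(); the GTK field is the one worth watching on a wpa=3 access point, since the group cipher is shared by every associated client.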
Give a static IP address to your wireless interface (or run a
DHCP client) and try to ping a host inside your LAN to verify
that the connection works.
Congratulations, you've just built yourself a highly
customizable wireless access point. Although this setup is
ideal for home or small office usage, you need something more
robust in the enterprise, with authentication against a RADIUS
server, or even better, a VPN.