Purdue AirLink
This is a HOWTO guide for getting PAL 2.0 (aka Purdue AirLink) to work with GNU/Linux. Important note: some of this information, especially the information about distro releases and driver versions, may be outdated. As soon as our wiki is up, this page will be moved there for easier editing.
See also Mike Shuey’s Quick Start Guide to Debian and WPA Wireless Security.
If your card doesn’t support WPA, try the PAL1.0 guide at the bottom of the page.
There are four different configurations described here:
- Using NetworkManager (or KNetworkManager), a GUI program for configuring networks (easiest method).
- Running wpa_supplicant from /etc/network/interfaces (newer method).
- Running wpa_supplicant as a daemon (older method).
- Connecting to PAL 1.0
Please feel free to add to this page if you have hints or insights.
1. Driver-specific notes
Note: There are two kinds of drivers. The first is the low-level driver for your particular wireless card. The second is the driver for wpa_supplicant. These days, the wext driver is most often used as the wpa_supplicant driver, though this was not always the case.
1.1. Broadcom
This driver is a bit tricky to get working. However, the Ubuntu community has a page at https://help.ubuntu.com/community/WifiDocs/Driver/bcm43xx which may prove helpful.
1.2. ipw2200
If you have an Intel(R) PRO/Wireless 2100 Network card or an Intel PRO/Wireless 2200BG Network card and thus use the ipw2100 or ipw2200 driver, you need to check which version of the wireless extensions your kernel supports. If your kernel has WE-18 support or greater (i.e., 2.6.13 or greater), then you need to specify wext as the driver for wpa_supplicant, instead of ipw.
1.3. ipw3945
For me this driver “just worked”, using Ubuntu Gutsy Gibbon (7.10) on an IBM Thinkpad X60s.
To check which version of the wireless extensions your kernel supports, do the following.
- Make sure you have loaded the wireless driver module
- Use the following command: cat /proc/net/wireless
- You should get the following results.
Inter-| sta-|   Quality        |   Discarded packets               | Missed | WE
 face | tus | link level noise |  nwid  crypt   frag  retry   misc | beacon | 19
What we are looking for in the output is the WE column on the far right and the number below it. In this example, we have version 19 of the wireless extensions, so we need to specify wext for the driver. It seems that this applies to the 2.6.13 kernel and newer kernels.
An example wpa_supplicant daemon invocation for the wext driver follows.
wpa_supplicant -Dwext -c/etc/wpa_supplicant.conf
Previously most drivers implemented their own extensions for WPA, but with the push to standardize drivers around Wireless Extensions, more and more drivers are moving to wext with wpa_supplicant.
1.4. madwifi
- Confusingly, there are two different branches of the madwifi driver: the old, now unsupported version, and the new version which is sometimes called “madwifi-ng”.
- The madwifi-ng driver (version 0.9.2) is known to work with wpa_supplicant. It is uncertain whether this is the version bundled with Ubuntu Dapper’s linux-restricted-modules package. This version is, however, bundled with Ubuntu Edgy and Ubuntu Feisty.
- The madwifi developers have made the unorthodox choice to call their network interfaces "ath0", "ath1", etc. instead of "wlan0", "wlan1", etc. If this annoys you, do the following.
- Create a file called /etc/modprobe.d/madwifi with the following content.
# Don't create the nonstandard ath0 device
options ath_pci autocreate=none
- In your /etc/network/interfaces file, use something like the following. Note that we use the "wext" driver for wpa_supplicant instead of "madwifi", because the latter has been known not to work on madwifi-ng and Ubuntu Dapper.
auto wlan0
iface wlan0 inet manual
    wpa-driver wext
    wpa-conf /home/<user>/.wpa/wpa_supplicant.conf
    wpa-action /etc/wpa_supplicant/dhclient
    wireless_essid PAL2.0
    pre-up wlanconfig wlan0 create wlandev wifi0 wlanmode sta
    post-down wlanconfig wlan0 destroy
1.4.1. Mac Mini notes
The wireless device that comes with Intel-based Mac Minis seems to have a few quirks.
- The method that was described earlier for making the interface be "wlan0" instead of "ath0" does not work. You’re stuck with "ath0" :^( .
- Instead of using "wext" as the wpa_supplicant driver, you must use "madwifi".
1.5. ndiswrapper
- This is a configuration for wireless drivers using ndiswrapper.
- Ndiswrapper will not be able to find the PAL2.0 access points with the above configuration since the SSID is not broadcast.
- Note: This only holds true for some drivers/cards. I had a PCMCIA card that was able to do this. –MichaelOlson
- Not all wireless drivers that can be used with ndiswrapper will work with PAL2.0. For example, my card is a Broadcom BCM4306 (rev 02), which uses the bcmwl5 driver. Older versions of the bcmwl5 driver don’t support WPA. Be sure your card’s driver supports the necessary features/encryption. Be sure to check for updated drivers. Ndiswrapper uses Windows drivers so they should be easy to find. For information on your card’s compatibility see the ndiswrapper list.
- Configuration
- Adding "ndiswrapper" to the /etc/modules file is not recommended, since this can cause hotplug to try to bring up the interface before everything else is ready.
- Instead, add the following line to /etc/network/interfaces in your wlan0 stanza.
pre-up modprobe ndiswrapper
- Details for using the "ap_scan=2" setting
- This setting is needed for ndiswrapper to find the PAL2.0 access points because it does not support per-SSID scans.
- Using this setting requires an explicit security policy for each network (i.e. explicit settings for proto, key_mgmt, pairwise, and group that only have one option).
- The "priority" and "disabled" settings are ignored by wpa_supplicant.
- wpa_supplicant will just go through the networks in the order they are listed in the conf file.
- This means that you should not put an entry for “any open access point” above PAL2.0 in the conf file.
- In general, be mindful of the order of the wireless networks listed in the conf file.
2. Using NetworkManager
(Recommended for Ubuntu 7.04 and above, and for Fedora)
It is often possible to use NetworkManager and its graphical frontend to connect to PAL2.0, instead of setting up the wpa_supplicant daemon manually or editing /etc/network/interfaces. These instructions should also work for KNetworkManager.
- Click on the wireless icon in your tray area.
- Select “Connect to Other Wireless Network”
- Network Name: PAL2.0
- Wireless Security: WPA Enterprise
- EAP Method / Authentication: PEAP
- Key Type (if present): TKIP
- Phase2 Type / Inner Authentication: MSCHAPV2
- Identity / Username: Your Purdue Login
- Password: Your Purdue Password
- Anonymous Identity: (leave blank)
- Client Certificate File (if present): (None)
- CA Certificate File: Click it, then enter:
- Location: /etc/ssl/certs/Thawte_Premium_Server_CA.pem
- Alternatively: /usr/share/ca-certificates/mozilla/Thawte_Premium_Server_CA.crt
- Private Key File: (None)
- Private Key Password: (leave blank)
- PEAP Version (if present): Automatic
Now you should be connected to PAL2.0. To connect again, simply choose connect to hidden wireless network and click PAL2.0. If you are unable to find the CA Certificate file in either location, you might need to install the ‘ca-certificates’ package located in System>Administration>Synaptic Package Manager. If on Fedora, download the certificate from Thawte’s Download Root Certificates.
After you download the thawte-roots.zip file, extract the Thawte SSLWeb Server Roots/thawte Premium Server CA/Thawte Premium Server CA.pem file to your home directory.
3. Using /etc/network/interfaces
As of Ubuntu’s Dapper release (wpa_supplicant v0.4.8), it is possible to use /etc/network/interfaces to set up the WPA connection.
An example wpa_supplicant.conf file may be found in the Appendix on this page.
3.1. Ubuntu Edgy and Ubuntu Feisty
- Add something like the following to your /etc/network/interfaces file, replacing <user> with your username. Change the wpa-driver line if you use a different wpa_supplicant driver. Change "ath0" to whichever interface the wireless driver is attached to. Note that we changed the "wpa-conf" line to "wpa-roam", and that we added a new interface called "pal20".
auto ath0
iface ath0 inet manual
    wpa-driver madwifi
    wpa-roam /home/<user>/.wpa/wpa_supplicant.conf
iface pal20 inet dhcp
- Edit your wpa_supplicant.conf file and add the line id_str="pal20" to your network stanza. This is the only change you need to make to wpa_supplicant.conf. This will cause the wpa_supplicant scripts to execute "ifup pal20" once it has successfully associated with PAL2.0. An example follows; modify it to suit your setup.
network={
    ssid="PAL2.0"
    # this id_str line will cause "ifup pal20" to happen, which will call dhclient
    id_str="pal20"
    scan_ssid=1
    proto=WPA RSN
    key_mgmt=WPA-EAP
    pairwise=TKIP
    group=TKIP
    eap=PEAP
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    # identity and password are not required if you use the script below
    identity="<your identity>"
    password="<your password>"
}
- Run ifup ath0 and everything should happen automatically.
3.2. Ubuntu Dapper
- Add something like the following to your /etc/network/interfaces file, replacing <user> with your username. Change the wpa-driver line if you use a different driver like madwifi or ipw2200.
auto wlan0
iface wlan0 inet manual
    wpa-driver ndiswrapper
    wpa-conf /home/<user>/.wpa/wpa_supplicant.conf
    wpa-action /etc/wpa_supplicant/dhclient
    wireless_essid PAL2.0
    # I need this in order for the ndiswrapper module to be loaded at the
    # right time. If you don't use ndiswrapper, remove it.
    pre-up modprobe ndiswrapper
- Copy the dhclient script to /etc/wpa_supplicant.
cp /usr/share/doc/wpasupplicant/examples/wpacli-action-dhclient /etc/wpa_supplicant/dhclient
chmod +x /etc/wpa_supplicant/dhclient
- Use the wpa_supplicant.conf file from above and copy it to /home/<user>/.wpa/wpa_supplicant.conf, replacing <user> with your username.
- Run ifup wlan0 and everything should happen automatically.
3.3. Notes
- When I used the ndiswrapper driver, I had the most success when I inserted my wireless PCMCIA card after the system has booted, rather than before, because some other over-eager program tries to do ifup wlan0 before things are set up. This isn’t a problem for the madwifi driver that I currently use.
4. wpa_supplicant daemon configuration
- Make sure you have functional wireless drivers in Linux. I have an Intel Centrino laptop so the driver I use is ipw2200 (ipw).
- Ensure you have the right packages installed; you’ll need wpa_supplicant for this to work.
- Configure your wpa_supplicant networks file. Mine was installed in /etc/wpa_supplicant.conf. Information on configuring this can be found here. Note that you don’t need to specify identity and password in this file, but you’d need to specify it later using wpa_cli. For reference, a sample file is included below.
- Configure your wpa_supplicant daemon settings. Mine was installed in /etc/default/wpasupplicant. Again, information on configuring this file can be found here. Make sure you specify the driver pertaining to your wireless card after the -D option. Since I have Intel Centrino, I used ipw. For reference, this file is included below.
- Also, make sure you have the certificate installed. I installed it in /etc/ssl/certs/ca-certificates.crt. If you are unable to find this certificate, save the hash below in a text file in that location.
4.1. Connecting with wpa_cli
Note that all these commands require root privileges.
- Set your essid to PAL2.0. To do this, type:
iwconfig eth1 essid PAL2.0
- Ensure the wpa_supplicant daemon is running. To double check, type:
ps -A | grep wpa_supplicant
- Make sure you can see the access point in wpa_cli. To do this, type:
wpa_cli list_networks
- If you’ve omitted your identity and password in the networks file, you need to authenticate yourself using wpa_cli. To do this (using the number list_networks printed above), type:
wpa_cli identity 1 username
wpa_cli password 1 password
- Authenticate with the access point. To do this, type:
wpa_cli logon
- Use a dhcp client to obtain an address. To do this, type:
dhcpcd eth1 or dhclient eth1
A tip: You can make sure you’re connected to PAL2.0’s access point by typing iwconfig and noting the Access Point’s MAC address. If the number isn’t all 0s you should be able to use a DHCP client and connect to the internet.
5. PAL 1.0
PAL 1.0 will work with more hardware, but may not be present in all University buildings.
- Connect to the unencrypted hidden network “PAL”
- Set up a VPN connection into Purdue. I suggest using NetworkManager’s VPN tools, which can be installed in Ubuntu from Synaptic. You will need the package network-manager-vpnc, but it’s good to have all of NetworkManager’s addons installed.
- Create a new VPN, Cisco-compatible (vpnc)
- Name it something like Purdue VPN.
- Enter the following information:
- Gateway: vpn.purdue.edu
- Group name: PurdueUser
- User password: your career account password
- Group password: jtgkld1990
- User name: your career account username
- You cannot access the Internet from PAL until you connect the VPN. Do so now.
6. Acknowledgments
Thanks to Mike Shuey’s guide for configuring wpa_supplicant.
This was submitted using PAL2.0 in Linux, and the first working draft was written by Chandos Etchison.
The NetworkManager section was submitted by Erik Nelson.
Michael Olson submitted the section on configuring wpa_supplicant to use /etc/network/interfaces.
William Snyder provided the section on the ipw2200 wireless card driver.
7. Appendix
7.1. wpa_supplicant.conf
# PLUG's recommended settings for /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1
# Some people might need this set to 2 instead of 1
ap_scan=1
fast_reauth=1
### Note that priority is bottom up for connecting to networks.
network={
ssid="PAL2.0"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
# identity and password are not required if you use the script below
identity="<your identity>"
password="<your password>"
ca_cert="/etc/ssl/certs/Thawte_Premium_Server_CA.pem"
phase1="peaplabel=0" # This may need to be set to "peaplabel=1" depending on the access point (you'll have to experiment)
phase2="auth=MSCHAPV2"
}
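A small lint for a wpa_supplicant.conf like the one above, as an added example that is not part of the original guide. It checks the ap_scan=2 rules from section 1.5 (exactly one option each for proto, key_mgmt, pairwise and group; no open network listed ahead of a secured one) and that every EAP network sets ca_cert or ca_path, because wpa_supplicant does not verify the server certificate without one. The function names and the sample configuration are constructed for illustration.

```python
import re

# Per the ap_scan=2 notes in section 1.5, each of these must carry exactly one option.
SINGLE = ("proto", "key_mgmt", "pairwise", "group")
NET = re.compile(r'^[ \t]*network=\{(.*?)^[ \t]*\}', re.M | re.S)
KV = re.compile(r'^[ \t]*(\w+)=(?:"([^"]*)"|([^#\n]*))', re.M)

def kv(text):
    """key=value pairs of one section; comment lines and trailing comments are ignored."""
    return {k: q or bare.strip() for k, q, bare in KV.findall(text)}

def lint(conf):
    """Return a list of findings for the text of a wpa_supplicant.conf."""
    glob, nets = kv(NET.sub("", conf)), [kv(b) for b in NET.findall(conf)]
    strict = glob.get("ap_scan") == "2"  # networks are tried in file order
    findings, open_seen = [], None
    for net in nets:
        ssid, km = net.get("ssid", "<any>"), net.get("key_mgmt", "")
        if strict and km != "NONE":
            for key in SINGLE:
                if len(net.get(key, "").split()) != 1:
                    findings.append(f"{ssid}: ap_scan=2 needs exactly one value for {key}")
            if open_seen is not None:
                findings.append(f"{ssid}: open network {open_seen} is listed first")
        if km == "NONE" and open_seen is None:
            open_seen = ssid
        # Without ca_cert/ca_path the EAP server certificate is not verified.
        if "EAP" in km and not (net.get("ca_cert") or net.get("ca_path")):
            findings.append(f"{ssid}: no ca_cert, server certificate is not verified")
    return findings

# Constructed sample, not a file from this page.
SAMPLE = """
ap_scan=2
network={
    key_mgmt=NONE
}
network={
    ssid="PAL2.0"
    proto=WPA RSN
    key_mgmt=WPA-EAP
    eap=PEAP
}
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```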
7.2. /etc/default/wpasupplicant
# /etc/default/wpasupplicant
# WARNING! Make sure you have a configuration file!
ENABLED=1
# Useful flags:
#  -D <driver>       Wireless driver, typically optional.
#  -i <ifname>       Interface
#  -c <config file>  Configuration file
#  -d                Debugging (-dd for more)
#  -w                Wait for interface to come up
#  -B                Run as a daemon
# See the manual page wpa_supplicant(1) for more options and information.
#OPTIONS="-w"
# EXAMPLES:
# OPTIONS="-i wlan0 -D hostap -c /etc/wpa_supplicant.conf"
# OPTIONS="-i ath0 -D madwifi -c /etc/wpa_supplicant.conf"
OPTIONS="-i eth1 -D wext -c /etc/wpa_supplicant.conf"
7.3. Connection script
Here’s a script that can be used to connect to PAL 2.0. Note that you’ll need to change some lines to reflect your setup.
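#!/bin/bash
# Prompt for the credentials instead of storing them in wpa_supplicant.conf.
read -r -p "username: " user
read -r -s -p "password: " pass
echo    # newline after the silent password prompt
iwconfig eth1 essid PAL2.0
# "1" is the network number printed by "wpa_cli list_networks".
# Quote the values so spaces and shell metacharacters are passed through intact.
# Note: the password is a command-line argument here, so it can show up in the
# process list while wpa_cli runs.
wpa_cli identity 1 "$user"
wpa_cli password 1 "$pass"
wpa_cli logon
dhclient eth1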
7.4. Thawte Server Base-64 X.509 Authentication Hash
If you don’t have the right Thawte certificate, here it is. If you’re using Debian, this may be found in the ca-certificates package. (apt-get install ca-certificates)
Make sure you modify the ca_cert line in wpa_supplicant.conf to point to whatever file you save this in.