Chapter 13
In This Chapter
Wireless Linux Compatible NICs
Common Wireless Networking Terms
Networking With Linux Wireless-Tools
Configuring 802.11g with Linux Incompatible NICs
Troubleshooting Your Wireless LAN
Wireless Networks In Businesses
(c) Peter Harrison, www.linuxhomenetworking.com
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
My very first Linux web server was an ancient desktop computer that I bought from a secondhand store that advertised it as being "very obsolete." It was cheap and it worked, but it was ugly and noisy, so noisy that it quickly became too loud to tolerate. Spending more money than I should have on the antique, I made it wireless so I could take it out of my bedroom where the DSL connection entered my apartment. Looking back, I really did it for the challenge, and also because we all get stupid some of the time. I thought wireless Linux would be easy, but at the time it wasn't. I had so many headaches with it that I thought one of my very first Web pages should be about my little nightmare warning people about how to do it right. This was how www.linuxhomenetworking.com was born. This is the chapter about what started it all.
Wireless networks using the 802.11 standard have many advantages, not just the aesthetic one I mentioned. The hardware is commonly available, and wireless networks offer relatively easy and low cost deployment with security that's becoming increasingly better. Before you consider making a Linux server wireless capable, however, make sure you purchase a NIC that is Linux compatible. You also need to decide on the wireless Linux package you intend to use: Linux-WLAN or Wireless Tools. Wireless Tools is more convenient to use as it requires fewer configuration steps and the RPM package doesn't have to be reinstalled every time you upgrade your kernel as with Linux-WLAN. If this seems confusing, don't worry; I will explain all this later.
Wireless Linux Compatible NICs
Not all wireless NIC cards work with Linux. For this reason, do your homework. You can find hardware compatibility lists for Wireless Tools quite easily on popular search engines. For Linux-WLAN, check www.linux-wlan.org for the latest list of compatible hardware.
Wireless NIC manufacturers are notorious for changing the chip sets on their cards depending on the price of the components. They then supply different drivers with each new card to make them work. It is possible to buy cards with the same model number from the same vendor with very different circuitry. Frequently Linux drivers for the new cards are unavailable. Always check the compatibility lists before buying your wireless hardware.
The Linksys WMP11 wireless card is a good example of this confusion. The original version of the card used the Intersil Prism chip set, which worked with Linux, but the newer version 2.7 (Broadcom chip set) and version 4 (InProComm chip set) do not. Even so, the original WMP11 won't work without upgrading the firmware.
In recent years it has become possible to use regular Windows drivers with Linux NICs. This is discussed in more detail in the section titled "Configuring 802.11g with Linux Incompatible NICs". The method requires an understanding of Linux Wireless Tools which is covered beforehand, but first, let's cover some wireless networking essentials to provide some background.
Common Wireless Networking Terms
Learning the ins and outs of wireless Linux networks will be easier if we're all speaking the same language. Before proceeding, take time to become familiar with three key wireless terms: wireless access point, Service Set ID, and shared encryption key. Learn them now, because you'll see them throughout the chapter.
Wireless Access Points
A wireless access point (WAP) is a device that acts as the central hub of all wireless data communications. In the most common operating mode (Infrastructure mode), all wireless servers communicate with one another via the WAP, which is usually connected to a regular external or integrated router for communication to the Internet. WAPs are, therefore, analogous to switches in regular wired networks.
Servers can communicate with one another without a WAP if their NICs are configured in Ad Hoc mode, but this prevents them from communicating over any other communications path. For that, you need a WAP on your network.
Service Set ID
The 802.11a/b wireless networks typically found in a home environment share the same frequency range with one another, so it is possible for your computer to hear the traffic meant for somebody else's nearby network. The Extended Service Set ID (ESSID) helps prevent the garbling of messages. Each wireless network needs to be assigned an ESSID that doesn't match that of any neighboring networks within its range of operation. The desired ESSID is then set on both wireless NICs and WAPs, which in turn ignore all traffic using other identifiers.
Most wireless software packages enable you to view all the available ESSIDs within range and give you the option of selecting the corresponding wireless LAN (WLAN) to join. Unfortunately, this makes it easy to eavesdrop on a neighboring network, and therefore it is best to not only change your ESSID from the factory defaults, but also to encrypt your wireless data whenever possible.
Many vendors use the terms ESSID and SSID (Service Set ID) interchangeably. I'll stick with ESSID unless the term SSID is relevant to an application.
Encryption Keys
Encryption is a method of encoding data so that only people with the secret key to unlock the code can view the original data. As expected, if you encrypt your wireless network's data then you also need to use a shared encryption key on all the NICs and WAPs. Some software packages allow you to use a plain text key, but the more secure ones treat the key like a password and prompt you to enter your chosen key twice without your actually being able to ever see the unencrypted key again.
It is always best to encrypt your network data last to simplify troubleshooting. Make sure everything works normally first and then encrypt later.
Networking With Linux Wireless-Tools
The Linux Wireless Tools package is installed by default and probably meets most of your 802.11a/b needs. Its main advantage is that, unlike Linux-WLAN, you don't have to reinstall it every time you upgrade your kernel.
Using iwconfig For wireless-tools Configuration
After physically installing your Linux-compatible NIC, you need to configure your NIC's IP and wireless settings before Wireless Tools works.
You can configure your NIC's IP settings as if the NIC were a regular Ethernet device. After you use the ifup command the NIC becomes active, but it will not function correctly as its wireless settings haven't been configured yet.
The most commonly used command in Wireless Tools is iwconfig, which you can use to configure most of the wireless parameters, including the SSID and the wireless mode. For the wireless mode, Managed means that there is a wireless access point (WAP) on the network and Ad-hoc signifies that there is none.
For example, if your wireless NIC is named eth0 and your managed network's ESSID is homenet, then the commands would be:
iwconfig eth0 mode Managed
iwconfig eth0 essid homenet
Your NIC should now become fully functional. You will need to run these iwconfig commands each time you use the ifup command, however; forgetting to do so can be problematic. The next section shows how to make these iwconfig changes permanent.
Permanent wireless-tools Configuration
Once your temporary command-line configuration has been completed, you will need to make the changes permanent.
1. Configure your /etc/sysconfig/network-scripts/ifcfg-eth0 file normally as if it were a regular Ethernet NIC.
DHCP Version        Fixed IP Version
============        =================
DEVICE=eth0         DEVICE=eth0
USERCTL=yes         IPADDR=192.168.1.100
ONBOOT=yes          NETMASK=255.255.255.0
BOOTPROTO=dhcp      ONBOOT=yes
                    BOOTPROTO=static
2. Add the following statements to the end to specify that the NIC is wireless, provide the ESSID to use (in this case homenet), and finally choose Managed (a WAP is present on the network) or Ad-hoc (no WAP) for the wireless mode.
#
# Wireless configuration
#
TYPE=Wireless
MODE=Managed
ESSID=homenet
These commands need only be on the main interface file. They are not needed for IP aliases. Your wireless NIC should function as if it were a regular Ethernet NIC using the ifup and ifdown commands.
It is usually best to test your network in an unencrypted state before activating the additional security. This allows you to limit your troubleshooting activities to basic wireless settings, without the additional complications of encryption.
Encryption requires an encryption key that you can make up yourself or generate with the /sbin/nwepgen command that comes with the kernel-wlan-ng RPM (more on this coming up). The advantage of the nwepgen command is that you can provide an easily remembered string that it will consistently encode into an encryption key. You can use any one of the rows of characters to create a 40-bit key.
If you don't have nwepgen, then remember to use hexadecimal numbers, which are composed of numeric values between 0 and 9 and alphabetic characters between A and F:
[root@bigboy tmp]# /sbin/nwepgen ketchup
64:c1:a1:cc:db
2b:32:ed:37:16
b6:cc:9e:1b:37
d7:0e:51:3f:03
[root@bigboy tmp]#
iwconfig eth0 key 967136deac
The same rules (no colons or non-hexadecimal characters among the ten total characters) apply when using the /etc/sysconfig/network-scripts files to add encryption:
KEY=967136deac
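The key-format rule above, as an added example that is not part of the original chapter: a shell check that converts one nwepgen row into the colon-free form iwconfig and ifcfg-eth0 expect, and audits an ifcfg-style file for the wireless settings described in this section. The function names, the finding labels and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original chapter. Function names and finding
# labels are this example's own; the file keys are the ones the chapter uses.

# is_wep40_hex KEY: succeed only for exactly ten hexadecimal digits, no colons.
is_wep40_hex() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 10 ]
}

# wep40_from_nwepgen ROW: turn one nwepgen row (xx:xx:xx:xx:xx) into the
# colon-free form; fail if the result is not a 40-bit key.
wep40_from_nwepgen() {
    k=$(printf '%s' "$1" | tr -d ':')
    is_wep40_hex "$k" || return 1
    printf '%s\n' "$k"
}

# ifcfg_get FILE NAME: value of the last NAME= line (comment lines never match).
ifcfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# ifcfg_wireless_audit FILE: print the first problem found, or "ok".
ifcfg_wireless_audit() {
    [ "$(ifcfg_get "$1" TYPE)" = "Wireless" ] || { echo "not-wireless"; return 0; }
    case "$(ifcfg_get "$1" MODE)" in
        Managed|Ad-hoc) ;;
        *) echo "bad-mode"; return 0 ;;
    esac
    [ -n "$(ifcfg_get "$1" ESSID)" ] || { echo "no-essid"; return 0; }
    key=$(ifcfg_get "$1" KEY)
    # No KEY line means the interface comes up without encryption.
    [ -n "$key" ] || { echo "unencrypted"; return 0; }
    # A row pasted straight from nwepgen still has its colons and is rejected.
    is_wep40_hex "$key" || { echo "bad-key"; return 0; }
    echo "ok"
}

# write_ifcfg_samples DIR: constructed sample files for the demo below.
write_ifcfg_samples() {
    printf '%s\n' DEVICE=eth0 ONBOOT=yes BOOTPROTO=dhcp \
        TYPE=Wireless MODE=Managed ESSID=homenet KEY=967136deac > "$1/good"
    printf '%s\n' DEVICE=eth0 TYPE=Wireless MODE=Managed ESSID=homenet > "$1/nokey"
    printf '%s\n' DEVICE=eth0 TYPE=Wireless MODE=Managed ESSID=homenet \
        KEY=64:c1:a1:cc:db > "$1/colons"
}

demo_dir=$(mktemp -d)
write_ifcfg_samples "$demo_dir"
for f in good nokey colons; do
    echo "$f: $(ifcfg_wireless_audit "$demo_dir/$f")"
done
echo "nwepgen row 64:c1:a1:cc:db -> KEY=$(wep40_from_nwepgen 64:c1:a1:cc:db)"
rm -rf "$demo_dir"
```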
Configuring 802.11g with Linux Incompatible NICs
There are a number of ways to get 54 Mbps 802.11g/n cards to work with Fedora, but most open source references focus on the Prism54 and NdisWrapper projects.
Though it works, the Prism54.org software suite has a number of limitations. It requires you to apply kernel patches and then recompile the kernel. It is also only compatible with a limited number of wireless cards. This can be a daunting process for even experienced Linux users.
Windows uses the Network Driver Interface Specification (NDIS) as a standardized method for the operating system to communicate with the NIC driver software from various manufacturers. The Linux NdisWrapper software suite, available from ndiswrapper.sourceforge.net, allows you to run your Windows NIC card's drivers under Linux by creating a software wrapper around the Windows driver to trick it into thinking that it is communicating with Windows and not Linux. The compatibility range is therefore much wider and in cases where you need to recompile your kernel, the project's website has links to RPM packages of standard kernels with NdisWrapper support. Installation instructions on the project's web site are reasonably clear and a proficient Linux user should be able to get their NIC card working within an hour or two on their first try.
NdisWrapper has some limitations too. It only works on hardware architectures supported by Windows, the very useful iwspy command (discussed later) isn't supported, and the wrappers add a layer of software complexity that would not exist normally. There is a commercial competitor to NdisWrapper called DriverLoader, created by the Linuxant corporation, which you may also want to consider.
There are some caveats with installation under Fedora which I will show in the steps that follow. Let's begin.
1. First start by downloading the NdisWrapper tar file and extracting the contents. Don't install the NIC yet.
[root@bigboy tmp]# tar -xvzf ndiswrapper-1.1.tar.gz
2. Enter the NdisWrapper subdirectory and run the make distclean and make commands to start the installation process. Each of the make commands will give a lot of output to the screen; look carefully and make sure there are no errors.
[root@bigboy tmp]# cd ndiswrapper-1.1
[root@bigboy ndiswrapper-1.1]# make distclean
[root@bigboy ndiswrapper-1.1]# make
...
...
*** WARNING: Kernel seems to have 4K size stack option (CONFIG_4KSTACKS) removed; many Windows drivers will need at least 8K size stacks. You should read wiki about 4K size stack issue. Don't complain about crashes until you resolve this.
...
...
[root@bigboy ndiswrapper-1.1]#
3. Some versions of the Fedora core kernel need special stack compilation parameters for NdisWrapper to work. In this case, the kernel needs to be upgraded, but fortunately the NdisWrapper website shows you where to go to get the latest precompiled standard kernel RPM with stack modification. Use the uname -r command to determine the current version of the kernel. In this case Fedora Core 2 is running version 2.6.8-1.521.
[root@bigboy tmp]# uname -r
2.6.8-1.521
[root@bigboy tmp]#
If you have no errors with the make command, then shut down your system and skip the next step.
4. Go to the NdisWrapper website and search for the word "fedora". You'll discover that a Fedora Core 2 version of the required kernel can be downloaded from linuxant.com. Download and install the kernel RPM that matches your kernel version. In this case it would be 2.6.8-1.521.stk16 for a kernel with a 16K stack.
If you are not familiar with Linux RPM files, please refer to Chapter 6 "Installing Linux Software" for a full explanation.
In this example we install the kernel and shut down the system to allow us to install the NIC.
[root@bigboy ndiswrapper-1.1]# cd /tmp
[root@bigboy tmp]# wget http://www.linuxant.com/driverloader/wlan/full/archive/fc2/kernel-2.6.8-1.521.stk16.i686.rpm.zip
[root@bigboy tmp]# unzip kernel-2.6.8-1.521.stk16.i686.rpm.zip
[root@bigboy tmp]# rpm -ivh kernel-2.6.8-1.521.stk16.i686.rpm
[root@bigboy tmp]# init 0
5. Install your NIC card and reboot your system. On the Fedora splash screen, select your NdisWrapper compatible kernel to boot from. Linux will auto detect the NIC card, and will prompt you to "Press any key to continue". Do so and select the "ignore" device option as we don't want the regular Linux system drivers to manage it.
If you installed a new version of the kernel and your system fails to reboot correctly, refer to the "Kernel Crash Recovery" section of Chapter 33 "Modifying The Linux Kernel To Improve Performance" for help. When you get your system to reboot correctly, review your installation steps and make sure you had originally installed the correct version.
6. After the reboot, log in and complete the NdisWrapper installation.
[root@bigboy root]# cd /tmp/ndiswrapper-1.1
[root@bigboy ndiswrapper-1.1]# make distclean
[root@bigboy ndiswrapper-1.1]# make
[root@bigboy ndiswrapper-1.1]# make install
7. The correct selection of the Windows driver required for NdisWrapper depends on information you receive from the lspci command which provides information about devices on your PCI bus. We first use the lspci command without any arguments to determine the PCI bus IRQ / interrupt number your system assigned to the card, in this case 01:08.0. Next you need to use the command again with the -n argument to get the unique PCI ID your manufacturer assigned to that model of NIC, in this case 1260:3890.
[root@bigboy tmp]# lspci
...
...
01:08.0 Network controller: Intersil Corporation Intersil ISL3890 [Prism GT/Prism Duette] (rev 01)
...
...
[root@bigboy tmp]# lspci -n
...
...
01:08.0 Class 0280: 1260:3890 (rev 01)
...
...
[root@bigboy tmp]#
8. The NdisWrapper website's wiki gives a list of instructions on how to install drivers for each PCI ID (http://ndiswrapper.sourceforge.net/phpwiki/index.php/List). In this case we have already downloaded the Windows driver ZIP file from the manufacturer and now need to extract the files and search for the driver file, which usually has a .inf file extension.
[root@bigboy tmp]# unzip SMC2802Wv2_DRUT.zip
Archive: SMC2802Wv2_DRUT.zip
...
...
inflating: SMC2802Wv2_DRUT/Driver/2802W.inf
...
...
[root@bigboy tmp]# cd SMC2802Wv2_DRUT/Driver/
[root@bigboy Driver]# ls
2802W51.sys 2802W.cat 2802W.inf 2802W.sys Driver.2K Driver.98 Driver.ME
[root@bigboy Driver]#
9. In this case the driver file is named 2802W.inf and is located in the Driver sub directory. Use the ndiswrapper -i command to install the driver in the expected NDIS directory.
[root@bigboy Driver]# ls
2802W51.sys 2802W.cat 2802W.inf 2802W.sys
Driver.2K Driver.98 Driver.ME
[root@bigboy Driver]# ndiswrapper -i 2802W.inf
Installing 2802w
[root@bigboy Driver]#
10. Use the ndiswrapper -l command to list the names of all the NDIS compatible drivers and hardware that are installed. You should see a statement saying that both your driver and compatible hardware are present.
[root@bigboy Driver]# ndiswrapper -l
Installed ndis drivers:
2802w driver present, hardware present
[root@bigboy Driver]#
11. Now you need to load the driver into memory so you can start configuring the NIC with an IP address and Wi-Fi parameters. The modprobe command will do this and you can verify the success of this operation by searching the end of the /var/log/messages file for correct execution of the command.
[root@bigboy Driver]# modprobe ndiswrapper
[root@bigboy Driver]# tail /var/log/messages
...
...
Mar 17 23:25:21 bigboy kernel: ndiswrapper version 1.1 loaded (preempt=no,smp=no)
[root@bigboy Driver]#
12. The iwconfig command can now be used to determine the interface name Linux has assigned to your NIC, in this case eth0. The NIC will show a NOT READY state because you haven't yet configured the wireless parameters. You'll do this next.
[root@bigboy Driver]# iwconfig
...
...
eth0      NOT READY!  ESSID:off/any
          Mode:Managed  Channel:6  Access Point: 00:00:00:00:00:00
          Tx-Power=31 dBm   Sensitivity=0/200
          Retry min limit:0   RTS thr=0 B   Fragment thr=0 B
          Encryption key:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
...
...
[root@bigboy Driver]#
13. Use the regular Linux wireless tools to configure your eth0 interface with an IP address, ESSID and if necessary, encryption. You can adjust the data rate up to the 802.11g 54 Mbps data rate by adding this statement to your /etc/sysconfig/network-scripts/ifcfg-eth0 file. Leave this blank if you are using 802.11b.
RATE=54Mb/s
14. Now you can use the ifup command to activate the NIC, and the iwconfig command will show the interface as connecting correctly to an access point at 54 Mbps.
[root@bigboy Driver]# ifup eth0
[root@bigboy Driver]# iwconfig
...
...
eth0      IEEE 802.11g  ESSID:"johncr0w"  Nickname:"bigboy"
          Mode:Managed  Frequency:2.462GHz  Access Point: 00:09:5B:C9:19:22
          Bit Rate=54Mb/s   Tx-Power:32 dBm
          RTS thr=2347 B   Fragment thr=2346 B
          Encryption key:98D1-26D5-AC   Security mode:restricted
          Power Management:off
          Link Quality:88/100  Signal level:-55 dBm  Noise level:-256 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:96  Invalid misc:1157   Missed beacon:0
...
...
[root@bigboy Driver]#
15. You are not quite finished: the modprobe command only temporarily loaded the driver into memory. To make this permanent, you will have to update your /etc/modprobe.conf file to assign the name eth0 to your NdisWrapper NIC the next time the system reboots.
#
# /etc/modprobe.conf
#
options ndiswrapper if_name=eth0
alias eth0 ndiswrapper
16. If you installed a new version of the kernel, you'll now have to ensure that your system selects the correct kernel version when it reboots. This will require you to edit the /etc/grub.conf file as outlined in Chapter 33 "Modifying The Linux Kernel To Improve Performance".
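A check for the procedure above, as an added example that is not part of NdisWrapper or of the original chapter: it pairs the lspci and lspci -n lines from steps 7 and 8, then verifies the ndiswrapper -l result from step 10 and the /etc/modprobe.conf entries from step 15. It reads saved command output; the function names, finding labels and the lines marked as constructed are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of NdisWrapper. It works on saved command output in
# the formats shown in the steps above; function names are this example's own.

# net_pci_ids LSPCI_FILE LSPCI_N_FILE: for each "Network controller" line of
# `lspci`, print its first-column identifier and the VENDOR:DEVICE pair found
# on the matching line of `lspci -n` (steps 7 and 8).
net_pci_ids() {
    awk '
        NR == FNR { if ($0 ~ /Network controller/) want[$1] = 1; next }
        ($1 in want) {
            for (i = 2; i <= NF; i++)
                if (length($i) == 9 && index($i, ":") == 5 &&
                    $i ~ /^[0-9a-fA-F]+:[0-9a-fA-F]+$/) { print $1, $i; break }
        }
    ' "$1" "$2"
}

# ndis_install_check LIST_FILE MODPROBE_CONF IFACE: LIST_FILE is saved
# `ndiswrapper -l` output in the 1.1 layout of step 10. Assumption: a driver
# line lacking "driver present" or "hardware present" means that part failed.
# Prints one finding per line, or "ok".
ndis_install_check() {
    out=$(awk 'NR > 1 && NF {
            seen = 1
            if ($0 !~ /driver present/)   print "driver-missing:" $1
            if ($0 !~ /hardware present/) print "hardware-missing:" $1
        } END { if (!seen) print "no-driver-installed" }' "$1")
    # Step 15: without these two lines the driver is not loaded after a reboot.
    grep -Eq "^[[:space:]]*alias[[:space:]]+$3[[:space:]]+ndiswrapper[[:space:]]*\$" "$2" ||
        out="$out alias-missing"
    grep -Eq "^[[:space:]]*options[[:space:]]+ndiswrapper[[:space:]].*if_name=$3([[:space:]]|\$)" "$2" ||
        out="$out options-missing"
    printf '%s\n' ${out:-ok}
}

# write_ndis_samples DIR: sample inputs. Lines marked "constructed" are made
# up for the demo; the others repeat the output shown in the steps above.
write_ndis_samples() {
    cat > "$1/lspci" <<'EOF'
00:00.0 Host bridge: Example Corp. Host Bridge (constructed line)
01:08.0 Network controller: Intersil Corporation Intersil ISL3890 [Prism GT/Prism Duette] (rev 01)
EOF
    cat > "$1/lspci-n" <<'EOF'
00:00.0 Class 0600: ffff:0001 (constructed line)
01:08.0 Class 0280: 1260:3890 (rev 01)
EOF
    cat > "$1/ndis-list" <<'EOF'
Installed ndis drivers:
2802w driver present, hardware present
EOF
    cat > "$1/modprobe.conf" <<'EOF'
options ndiswrapper if_name=eth0
alias eth0 ndiswrapper
EOF
    : > "$1/modprobe.empty"
}

demo_dir=$(mktemp -d)
write_ndis_samples "$demo_dir"
echo "PCI ID to look up: $(net_pci_ids "$demo_dir/lspci" "$demo_dir/lspci-n")"
echo "with step 15 done:    $(ndis_install_check "$demo_dir/ndis-list" "$demo_dir/modprobe.conf" eth0)"
echo "without step 15:      $(ndis_install_check "$demo_dir/ndis-list" "$demo_dir/modprobe.empty" eth0 | tr '\n' ' ')"
rm -rf "$demo_dir"
```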
My experience with NdisWrapper in the home has been very good, but like Prism54 and even Linux-WLAN, you have to reinstall the product each time you upgrade your kernel. This may not be tolerable in a mission critical business environment where maintenance related downtime needs to be kept to a minimum and where all software used needs to be 100% Linux compatible for the sake of stability.
When 802.11g WiFi technology becomes more mature it will undoubtedly be supported natively by Linux Wireless Tools without the need for additional software, but there will always be NICs that don't support Linux and knowledge of NdisWrapper will be invaluable.
Linux-WLAN is one of the original wireless LAN products developed for Linux. It is generally more difficult to install than wireless-tools and has fewer troubleshooting tools, but it has wide-ranging hardware support, making it a desirable alternative depending on the NIC card you have available. You'll notice that Linux-WLAN uses the term SSID instead of ESSID in its configuration files.
Here are some pointers you'll need to remember prior to using the Linux-WLAN product:
o All devices on a wireless network must use the same Network Identifier or SSID to communicate with each other: The default SSID for Linux-WLAN is linux-wlan; the default SSID for your Windows NIC cards may be different. It's a good idea to decide on a common SSID and stick with it.
o Once configured, Linux-WLAN doesn't identify the wireless NIC as an Ethernet eth device, but as a wlan device: This is good to know in order to avoid confusion when troubleshooting.
o Always be prepared to check your syslog /var/log/messages file for errors if things don't work: It is a good source of information. Chapter 5, "Troubleshooting Linux with Syslog," shows you how to set up syslog error logging to be more sensitive to errors.
o You may get "device unknown" or "no such device" errors related to the wlan device in the /var/log/messages file if you use older unpatched versions of the Linux-WLAN software: Always use the most recent versions to make the installation smoother.
o Before installing the Linux-WLAN software for PCMCIA cards such as the Linksys WPC11 you will need to install the RPM packages that support PCMCIA: This step isn't necessary for such true PCI cards as the Linksys WMP11.
In Fedora Core, the package name is pcmcia-cs and in RedHat 9 and earlier it is kernel-pcmcia-cs. When searching for the RPMs, remember that the filename usually starts with the software package name and a version number, as in kernel-pcmcia-cs-3.1.31-13.i386.rpm.
You can find RPM versions of the driver files at http://prism2.unixguru.raleigh.nc.us. Remember to download the files for the correct kernel type, OS version, and kernel version. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing RPM Software," covers how to do this in detail.
To determine the kernel type, use the uname -p command. The Bigboy server discussed in Chapter 1, "Why Host Your Own Site," is running an i686 version of Linux. The Linux version may not match the CPU you have installed; always use the uname version:
[root@bigboy tmp]# uname -p
i686
[root@bigboy tmp]#
One of the easiest ways to determine the OS version is to view the /etc/redhat-release or the /etc/fedora-release file. In this case, server bigboy is running RedHat version 9.0, while zero is running Fedora Core 1. You can also look at the /etc/issue file for other versions of Linux.
[root@bigboy tmp]# cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
[root@bigboy tmp]#
[root@zero root]# cat /etc/fedora-release
Fedora Core release 1 (Yarrow)
[root@zero root]#
You can use the uname -r command to figure out the kernel version. In this case, Bigboy is running version 2.4.20-8:
[root@bigboy tmp]# uname -r
2.4.20-8
[root@bigboy tmp]#
After you have all this Linux information, you need to download and install the base, module, and interface packages. When searching for the RPMs, remember that the filename usually starts with the software package name followed by a version number:
kernel-wlan-ng-0.2.1-pre14.i686.rpm
kernel-wlan-ng-modules-fc1.1.2115-0.2.1-pre14.i686.rpm
kernel-wlan-ng-pci-0.2.1-pre14.i686.rpm
kernel-wlan-ng-pcmcia-0.2.1-pre14.i686.rpm
Note: There are different RPMs for PCMCIA- and PCI-based NIC cards. The base and modules RPMs need to be installed in all cases.
Notice the sequence of installation in this sample output. Double-check your preparation steps and the RPM versions if the very last line of the installation gives a result code that is not success.
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-0.2.1-pre14.i686.rpm
Preparing... ##################################### [100%]
1:kernel-wlan-ng ##################################### [100%]
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-modules-fc1.1.2115-0.2.1-pre14.i686.rpm
Preparing... ##################################### [100%]
1:kernel-wlan-ng-modules-##################################### [100%]
[root@bigboy tmp]#
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-pcmcia-0.2.1-pre14.i686.rpm
Preparing... ##################################### [100%]
1:kernel-wlan-ng-pci ##################################### [100%]
Adding prism2_pci alias to /etc/modprobe.conf file...
***NOTE*** YOU MUST CHANGE THIS IF YOU HAVE A PLX CARD!!!
The default wlan0 network configuration is DHCP. Adjust accordingly.
ACHTUNG! ATTENTION! WARNING!
YOU MUST configure /etc/wlan/wlan.conf to define your SSID!
YOU ALSO must configure /etc/wlan/wlancfg-SSID to match WAP settings!
(---> replace SSID in filename with the value of your SSID)
If you get an error after this point, there is either a problem with
your drivers or you don't have the hardware installed! If the former,
get help!
Starting WLAN Devices:message=dot11req_mibset
mibattribute=dot11PrivacyInvoked=false
resultcode=success
message=dot11req_mibset
mibattribute=dot11ExcludeUnencrypted=false
resultcode=success
[root@bigboy tmp]#
Note: If you upgrade your Linux kernel you'll have to reinstall Linux-WLAN all over again. This will also create new versions of your /etc/sysconfig/network-scripts/ifcfg-wlan0, /etc/wlan/wlan.conf and /etc/pcmcia/wlan-ng.opts files which you may have to restore from the automatically saved versions.
Linux-WLAN Post Installation Steps
After the RPMs are installed, you need to configure the new wlan0 wireless NIC to be compatible with your network.
Configure The New wlan0 Interface
Edit /etc/sysconfig/network-scripts/ifcfg-wlan0 to include these new lines:
DHCP Version        Fixed IP Version
============        =================
DEVICE=wlan0        DEVICE=wlan0
USERCTL=yes         IPADDR=192.168.1.100
ONBOOT=yes          NETMASK=255.255.255.0
BOOTPROTO=dhcp      ONBOOT=yes
                    BOOTPROTO=static
In the fixed IP version you also need to substitute your selected IP, netmask, network, and broadcast address for those above. Also make sure you have the correct gateway statement in your /etc/sysconfig/network file, for example GATEWAY=192.168.1.1.
Disable Your Existing Ethernet NIC
You may want to disable your existing eth0 Ethernet interface after installing the drivers. Add an ONBOOT=no entry to the /etc/sysconfig/network-scripts/ifcfg-eth0 file. This disables the interface on reboot or when /etc/init.d/network is restarted.
Select the Wireless mode and SSID
All the configuration files are located in the /etc/wlan directory. The package allows your server to be connected to up to three wireless LANs. You specify the SSIDs (LAN IDs) for each wireless LAN in the /etc/wlan/wlan.conf file. In the example, I make the wlan0 interface join the homenet WLAN, as well as instruct the WLAN driver to scan all wireless channels for SSIDs.
#
# Specify all the wlan interfaces on the server
#
WLAN_DEVICES="wlan0"
#
# Specify whether the server should scan the network channels
# for valid SSIDs
#
WLAN_SCAN=y
#
# Specify expected SSIDs and the wlan0 interface to which it should
# be tied
#
SSID_wlan0="homenet"
ENABLE_wlan0=y
Each WLAN specified in the /etc/wlan/wlan.conf file has its own configuration file. Copy the /etc/wlan/wlancfg-DEFAULT file to a file named /etc/wlan/wlancfg-SSID (replace SSID with the actual SSID for your WAP). This command creates the file for the homenet SSID:
[root@bigboy wlan]# cp wlancfg-DEFAULT wlancfg-homenet
Start the wlan process and test for errors in the file /var/log/messages. All the result codes in the status messages should be "success". You may receive the following error, however, which the WLAN RPM website claims is "harmless".
Error for wireless request "Set Encode" (8B2A) :
SET failed on device wlan0 ; Function not implemented.
Error for wireless request "Set ESSID" (8B1A) :
SET failed on device wlan0 ; Function not implemented.
PCI Cards - Installed Using RPMs
With PCI cards, Linux-wlan can be started by restarting the WLAN daemon.
[root@bigboy tmp]# service wlan restart
[root@bigboy tmp]# ifup wlan0
With PCMCIA cards, Linux-wlan can be started by restarting the Linux PCMCIA daemon.
[root@bigboy tmp]# service pcmcia restart
[root@bigboy tmp]# service network restart
Now check to see if the IP address of the wlan0 interface is okay. Refer to the troubleshooting section below if you cannot ping the network's gateway.
[root@bigboy tmp]# ifconfig -a
[root@bigboy tmp]# ping <gateway-address>
Linux-WLAN Encryption For Security
One of the flaws of wireless networking is that all the wireless clients can detect the presence of all available network SSIDs and have the option of joining any of them. With encryption, the client must have a membership encryption password that can also be represented as a series of Wireless Encryption Protocol (WEP) keys. The wlan.conf file (RedHat 8.0 RPMs), wlan-SSID file (RedHat 9/Fedora Core 1 RPMs), or /etc/pcmcia/wlan-ng.opts file (PCMCIA-type NICs) is also used to activate this feature.
Note: I strongly recommend that you first set up your network without encryption. Only migrate to an encrypted design after you are satisfied that the unencrypted design works correctly.
To invoke encryption, you have to set the dot11PrivacyInvoked parameter to true. You also must state which of the keys will be used as the default starting key via the dot11WEPDefaultKeyID parameter. You then have the option of either providing a key-generating string (simple password) or all four of the keys. In the example below, ketchup is the password used to automatically generate the keys.
#=======WEP===========================================
# [Dis/En]able WEP. Settings only matter if PrivacyInvoked is true
lnxreq_hostWEPEncrypt=false # true|false
lnxreq_hostWEPDecrypt=false # true|false
dot11PrivacyInvoked=true
dot11WEPDefaultKeyID=1
dot11ExcludeUnencrypted=true # true|false, in AP this means WEP
# is required for all STAs
# If PRIV_GENSTR is not empty, use PRIV_GENTSTR to generate
# keys (just a convenience)
PRIV_GENERATOR=/sbin/nwepgen # nwepgen, Neesus compatible
PRIV_KEY128=false # keylength to generate
PRIV_GENSTR="ketchup"
# or set them explicitly. Set genstr or keys, not both.
dot11WEPDefaultKey0= # format: xx:xx:xx:xx:xx or
dot11WEPDefaultKey1= # xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
dot11WEPDefaultKey2= # e.g. 01:20:03:40:05 or
dot11WEPDefaultKey3= # 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d
Not all devices on your network will use the same algorithm to generate the encryption keys. You may find the same generator string will not create the same keys, rendering intra-network communication impossible. If this is the case, you can use the /sbin/nwepgen program to generate the keys after you provide an easy to remember key generator string. Once you have the four sets of keys, you'll have to add them individually and in sequence to the wlan.conf, wlan-SSID or /etc/pcmcia/wlan-ng.opts file and set the PRIV_GENSTR parameter to a null string of "" (the quotes are important). Here is how you can use nwepgen to create the keys with a generator string of ketchup.
[root@bigboy tmp]# /sbin/nwepgen ketchup
64:c1:a1:cc:db
2b:32:ed:37:16
b6:cc:9e:1b:37
d7:0e:51:3f:03
[root@bigboy tmp]#
In this case your wlan.conf or wlan-SSID file would look like this:
PRIV_GENSTR=""
# or set them explicitly. Set genstr or keys, not both.
dot11WEPDefaultKey0=64:c1:a1:cc:db
dot11WEPDefaultKey1=2b:32:ed:37:16
dot11WEPDefaultKey2=b6:cc:9e:1b:37
dot11WEPDefaultKey3=d7:0e:51:3f:03
Remember that all devices on your network, including all wireless NICs and WAPs, need to have the same keys and default key for this to work.
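The rules in this section (privacy invoked, a default key ID, and either a generator string or four explicit keys but not both), as an added example that is not part of Linux-WLAN or of the original chapter: a shell audit of the WEP block of a wlancfg-SSID style file. The function names, finding labels and the "broken" sample are constructed, and the accepted default key IDs 0 to 3 are an assumption based on the Key0..Key3 parameter names.

```shell
#!/bin/sh
# Added example, not part of Linux-WLAN. Finding labels are this example's own;
# the parameter names are the ones in the chapter's configuration listing.

# cfg_get FILE NAME: value of the last NAME= line, minus trailing comment,
# surrounding blanks and double quotes.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' \
            -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# wep_octets KEY: print the octet count of an xx:xx:... key; fail if malformed.
wep_octets() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$' || return 1
    printf '%s\n' "$1" | awk -F: '{ print NF }'
}

# wlancfg_wep_audit FILE: print one finding per line, or "ok".
wlancfg_wep_audit() {
    f=$1; findings=""; missing=""; lens=""; explicit=0
    [ "$(cfg_get "$f" dot11PrivacyInvoked)" = "true" ] || findings="$findings privacy-off"
    [ "$(cfg_get "$f" dot11ExcludeUnencrypted)" = "true" ] ||
        findings="$findings unencrypted-accepted"
    case "$(cfg_get "$f" dot11WEPDefaultKeyID)" in
        0|1|2|3) ;;   # assumption: IDs follow the Key0..Key3 names
        *) findings="$findings bad-default-key-id" ;;
    esac
    for n in 0 1 2 3; do
        k=$(cfg_get "$f" "dot11WEPDefaultKey$n")
        if [ -z "$k" ]; then missing="$missing missing-key$n"; continue; fi
        explicit=1
        len=$(wep_octets "$k") || len=0
        case "$len" in
            5|13) lens="$lens $len" ;;   # the two formats in the listing's comments
            *) findings="$findings bad-key$n" ;;
        esac
    done
    genstr=$(cfg_get "$f" PRIV_GENSTR)
    if [ "$explicit" -eq 1 ]; then
        # Explicit keys: all four are needed and the generator string must be "".
        findings="$findings$missing"
        [ -z "$genstr" ] || findings="$findings genstr-and-keys"
        [ "$(printf '%s\n' $lens | sort -u | wc -l)" -le 1 ] ||
            findings="$findings mixed-key-lengths"
    elif [ -z "$genstr" ]; then
        findings="$findings no-key-material"
    fi
    printf '%s\n' ${findings:-ok}
}

# write_wlancfg_samples DIR: constructed inputs. "genstr" and "explicit" follow
# the chapter's two listings; "broken" is deliberately inconsistent.
write_wlancfg_samples() {
    cat > "$1/genstr" <<'EOF'
dot11PrivacyInvoked=true
dot11WEPDefaultKeyID=1
dot11ExcludeUnencrypted=true # true|false
PRIV_GENSTR="ketchup"
dot11WEPDefaultKey0= # format: xx:xx:xx:xx:xx
dot11WEPDefaultKey1=
dot11WEPDefaultKey2=
dot11WEPDefaultKey3=
EOF
    cat > "$1/explicit" <<'EOF'
dot11PrivacyInvoked=true
dot11WEPDefaultKeyID=1
dot11ExcludeUnencrypted=true
PRIV_GENSTR=""
dot11WEPDefaultKey0=64:c1:a1:cc:db
dot11WEPDefaultKey1=2b:32:ed:37:16
dot11WEPDefaultKey2=b6:cc:9e:1b:37
dot11WEPDefaultKey3=d7:0e:51:3f:03
EOF
    cat > "$1/broken" <<'EOF'
dot11PrivacyInvoked=false
dot11WEPDefaultKeyID=4
dot11ExcludeUnencrypted=true
PRIV_GENSTR="ketchup"
dot11WEPDefaultKey0=64:c1:a1:cc:db
dot11WEPDefaultKey1=2b32ed3716
dot11WEPDefaultKey2=b6:cc:9e:1b
EOF
}

demo_dir=$(mktemp -d)
write_wlancfg_samples "$demo_dir"
for s in genstr explicit broken; do
    echo "== $s"; wlancfg_wep_audit "$demo_dir/$s"
done
rm -rf "$demo_dir"
```

Running the same audit on every NIC's file before restarting the wlan service catches a mismatch between generator string and explicit keys before the interface drops off the network.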
In some cases, NIC cards without full Linux-WLAN compatibility freeze up after a number of hours of working with encryption. The steps to reverse encryption are:
1. Set the configuration file parameter dot11PrivacyInvoked to false.
2. Stop Linux-WLAN, and disable the wireless wlan0 interface:
[root@bigboy tmp]# service wlan stop
Shutting Down WLAN Devices:message=lnxreq_ifstate
ifstate=disable
resultcode=success
[root@bigboy tmp]# ifdown wlan0
3. The driver is still loaded in memory with the old encryption parameters, even though it is not active. Linux frequently loads device driver software, such as the drivers that govern the operation of NIC cards, as modules that the kernel, or Linux master program, uses in its regular operation. Use the lsmod command to display a list of loaded modules. You'll be most interested in the modules associated with 802.11 wireless protocols, which appear here as p80211 and prism2_pci:
[root@bigboy tmp]# lsmod
Module Size Used by Not tainted
...
...
prism2_pci 66672 1 (autoclean)
p80211 20328 1 [prism2_pci]
...
...
[root@bigboy tmp]#
Sometimes your NIC card may use the orinoco chip set drivers instead of the prism drivers:
[root@bigboy tmp]# lsmod
Module Size Used by
...
...
orinoco 45517 1 orinoco_pci
hermes 6721 2 orinoco_pci,orinoco
...
...
[root@bigboy tmp]#
4. Now that you have identified the driver modules in memory, unload them with the rmmod command:
[root@bigboy tmp]# rmmod prism2_pci
[root@bigboy tmp]# rmmod p80211
5. Restart Linux-WLAN, reactivate the wlan0 interface, and you should be functional again:
[root@bigboy tmp]# service wlan start
Starting WLAN Devices:message=lnxreq_hostwep
resultcode=no_value
decrypt=false
encrypt=false
[root@bigboy tmp]# ifup wlan0
If you fail to reload the driver modules, you'll get errors in your /var/log/messages file and your NIC card will operate in an encrypted mode only.
Jan 2 18:11:12 bigboy kernel: prism2sta_ifstate: hfa384x_drvr_start() failed,result=-110
Jan 2 18:11:18 bigboy kernel: hfa384x_docmd_wait: hfa384x_cmd timeout(1), reg=0x8021.
Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Initialize command failed.
Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Failed, result=-110
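Steps 3 and 4 depend on unloading the modules in the right order, because a module cannot be removed while another module still uses it. The following added example (not from the original chapter; unload_order is a hypothetical name and the lsmod samples are constructed, including the orinoco_pci row) derives that order from the "Used by" column in both lsmod layouts shown above.

```bash
#!/bin/bash
# Read lsmod output on stdin and print the order in which to rmmod MODULE and
# everything that uses it: dependents first, MODULE itself last.
unload_order() {
    awk -v start="$1" '
    function visit(m,   list, u, p) {
        if (seen[m]++) return
        list = users[m]
        while (list != "") {              # walk the space-separated user list
            p = index(list, " ")
            u = (p ? substr(list, 1, p - 1) : list)
            list = (p ? substr(list, p + 1) : "")
            if (u in size) visit(u)       # skips flags such as (autoclean)
        }
        print m
    }
    NR > 1 && NF >= 3 {
        size[$1] = $2
        u = ""
        for (i = 4; i <= NF; i++) u = u " " $i
        gsub(/\[|\]|,/, " ", u)           # 2.4 "[a b]" and 2.6 "a,b" styles
        users[$1] = u
    }
    END { if (start in size) visit(start) }'
}

# Constructed lsmod samples in the two layouts shown in this chapter.
unload_order p80211 <<'EOF' | sed 's/^/rmmod /'
Module                  Size  Used by    Not tainted
prism2_pci             66672   1  (autoclean)
p80211                 20328   1  [prism2_pci]
EOF
unload_order hermes <<'EOF' | sed 's/^/rmmod /'
Module                  Size  Used by
orinoco_pci             7245   0
orinoco                45517   1 orinoco_pci
hermes                  6721   2 orinoco_pci,orinoco
EOF
```

The demo only prints the rmmod commands; run them as root after stopping Linux-WLAN and bringing the interface down, as in step 2.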
Troubleshooting Your Wireless LAN
Linux wireless troubleshooting tools are quite extensive and provide a variety of useful information to help you get your network working. This section covers many important strategies that will complement the use of more conventional procedures such as scanning your /var/log/messages file.
When using WLAN methodology, the iwconfig, iwlist, and iwspy commands can provide useful information about the status of your wireless network. Take a closer look.
In addition to using the regular ifconfig command to check the status of your NIC, you can use the iwconfig command without any parameters to view the state of your wireless network. Specifically, you can see such important information as the link quality, WAP MAC address, data rate, and encryption keys, which can be helpful in ensuring the parameters across your network are the same. For example:
[root@bigboy tmp]# iwconfig
eth0 IEEE 802.11-DS ESSID:"homenet" Nickname:"bigboy"
Mode:Managed Frequency:2.462GHz Access Point: 00:09:5B:C9:19:22
Bit Rate:11Mb/s Tx-Power=15 dBm Sensitivity:1/3
Retry min limit:8 RTS thr:off Fragment thr:off
Encryption key:98D1-26D5-AC Security mode:restricted
Power Management:off
Link Quality:36/92 Signal level:-92 dBm Noise level:-148 dBm
Rx invalid nwid:0 Rx invalid crypt:2 Rx invalid frag:0
Tx excessive retries:10 Invalid misc:0 Missed beacon:0
[root@bigboy tmp]#
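One way to turn this iwconfig output into a quick check, as an added example that is not part of the original chapter: the hypothetical wifi_posture function flags an interface whose key is off, whose security mode is open, or whose "Rx invalid crypt" counter (packets the hardware could not decrypt) is above zero, which usually points to mismatched keys. The sample input is constructed in iwconfig's indented layout from the values shown above plus an invented eth1.

```bash
#!/bin/bash
# Read iwconfig output on stdin and print one finding per line for each
# wireless interface; a healthy interface produces no output. The key itself
# is never echoed.
wifi_posture() {
    awk '
    function field(label,   s) {          # text after label up to the next blank
        if (!match($0, label "[^ \t]+")) return ""
        s = substr($0, RSTART, RLENGTH)
        return substr(s, length(label) + 1)
    }
    function report() {
        if (iface == "") return
        if (key == "off") print iface ": encryption is off"
        if (mode == "open") print iface ": security mode open, unencrypted frames may be accepted"
        if (bad > 0) print iface ": " bad " frames failed decryption, compare keys with the WAP"
    }
    /^[^ \t]/ {                           # an unindented line starts a new interface
        report()
        iface = ($0 ~ /no wireless extensions/) ? "" : $1
        key = ""; mode = ""; bad = 0
    }
    /Encryption key:/   { key = (field("Encryption key:") == "off" ? "off" : "set") }
    /Security mode:/    { mode = field("Security mode:") }
    /Rx invalid crypt:/ { bad = field("Rx invalid crypt:") + 0 }
    END { report() }'
}

# Constructed sample in the indented layout of iwconfig: eth0 uses the values
# shown in this chapter, eth1 is invented to show the "off" case.
wifi_posture <<'EOF'
eth0      IEEE 802.11-DS  ESSID:"homenet"  Nickname:"bigboy"
          Mode:Managed  Frequency:2.462GHz  Access Point: 00:09:5B:C9:19:22
          Encryption key:98D1-26D5-AC   Security mode:restricted
          Rx invalid nwid:0  Rx invalid crypt:2  Rx invalid frag:0

eth1      IEEE 802.11-DS  ESSID:"homenet"
          Encryption key:off
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
EOF
```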
The iwlist command can provide further information related to not just the NIC, but the entire network, including the number of available frequency channels, the range of possible data rates, and the signal strength. This example uses the command to verify the encryption key being used by the NIC, which can be very helpful in troubleshooting security related difficulties on your network.
[root@bigboy tmp]# iwlist key
...
...
eth0 2 key sizes : 40, 104bits
4 keys available :
[1]: 9671-36DE-AC (40 bits)
[2]: off
[3]: off
[4]: off
Current Transmit Key: [1]
Security mode:open
...
...
[root@bigboy tmp]#
The iwlist command can verify the speed of the NIC card being used, 11Mb/s in this case. This can be helpful in determining possible reasons for network slowness, especially as poor signal quality can result in the NIC negotiating a low bit rate with its WAP.
[root@bigboy tmp]# iwlist rate
...
...
eth0 4 available bit-rates :
1Mb/s
2Mb/s
5.5Mb/s
11Mb/s
Current Bit Rate:11Mb/s
...
...
[root@bigboy tmp]#
For further information on the iwlist command, consult the man pages.
The iwspy Command
The iwspy command provides statistics on the quality of the link between your NIC and another wireless device on the network. It doesn't run all the time; you have to activate iwspy on your interface first. When not activated, iwspy gives a "no statistics to collect" message.
[root@bigboy root]# iwspy eth0
eth0 No statistics to collect
[root@bigboy root]#
Activation requires you to specify the target IP address and the wireless NIC interface through which it can be found.
[root@bigboy tmp]# iwspy eth0 192.168.1.1
If you use the iwspy command without the IP address it provides WLAN statistics with a typical/reference value against which it can be compared. In the example that follows the signal is considered fairly strong, with a 64/92 quality value versus a typical 36/92 value, but it could be weak by the historical values on your network. It's good to check this from time to time for fluctuations.
[root@bigboy tmp]# iwspy eth0
eth0 Statistics collected:
00:09:5B:C9:19:22 : Quality:0 Signal level:0 Noise level:0
Link/Cell/AP : Quality:64/92 Signal level:-51 dBm Noise level:-149 dBm (updated)
Typical/Reference : Quality:36/92 Signal level:-62 dBm Noise level:-98 dBm
[root@bigboy tmp]#
To switch off iwspy monitoring, add the off argument.
[root@bigboy root]# iwspy eth0 off
Devices slotted into your PCI bus are generally assigned an interrupt value by the system, which the system uses to signal its need to communicate with the device. Multiple devices on the bus can have the same interrupt, but the system will access each one using a different memory address to avoid confusion. Sometimes this automatic allocation of interrupt (IRQ) values and memory locations is flawed and overlaps do occur, causing devices to fail.
Before configuring your WLAN software, you should ensure that the wireless NIC card doesn't have an interrupt that clashes with another device in your computer. Insert the card in an empty slot in your Linux box according to the instructions in its manual, reboot, and inspect your /var/log/messages file again:
[root@bigboy tmp]# tail -300 /var/log/messages
Look carefully for any signs that the card is interfering with existing card IRQs. If there is a conflict, there will usually be a warning or "IRQ also used by ..." message. If that is the case, move the card to a different slot or otherwise eliminate the conflict by disabling the conflicting device if you don't really need it.
You should also inspect your /proc/interrupts file for multiple devices having the same interrupt:
[root@bigboy tmp]# cat /proc/interrupts
11: 4639 XT-PIC wlan0, eth0 (potentially bad)
[root@bigboy tmp]# cat /proc/interrupts
11: 4639 XT-PIC wlan0 (good)
Interrupt conflicts are usually more problematic with old style PC-AT buses; newer PCI-based systems generally handle conflicts better. The prior (potentially bad) /proc/interrupts example came from a functioning PCI-based Linux box. It worked because, although the interrupt was the same, the base memory addresses that Linux used to communicate with the cards were different. You can check both the interrupts and base memory of your NIC cards by using the ifconfig -a command:
[root@bigboy tmp]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0x1820
wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:215233 errors:0 dropped:0 overruns:0 frame:0
TX packets:447594 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:39394014 (37.5 Mb) TX bytes:126738425 (120.8 Mb)
Interrupt:11
Memory:c887a000-c887b000
[root@bigboy tmp]#
When you find p80211 kernel errors in /var/log/messages, they usually point to an incorrectly configured SSID or may also be caused by a NIC card with an outdated firmware version. For example:
Nov 13 22:24:54 bigboy kernel: p80211knetdev_hard_start_xmit: Tx attempt prior to association, frame dropped.
If you can't ping the default gateway, first check for kernel log errors.
If there are no errors in /var/log/messages and you can't ping your gateways or obtain an IP address, then check your /etc/sysconfig/network-scripts/ configuration files for a correct IP configuration and your routing table to make sure your routes are OK. You can also check to see if your Linux box is out of range of the WAP using the iwconfig command.
Look for "unknown device" or "no such device" errors in your log files or on your screen during installation or configuration. These may be caused by:
o A NIC card that hasn't been correctly inserted in the PCI slot.
o Incompatible hardware.
For example, you might see incompatible hardware errors in /var/log/messages:
00:0c.0 Network controller: BROADCOM Corporation: Unknown device 4301 (rev01)
Subsystem: Unknown device 1737:4301
Flags: bus master, fast devsel, latency 64, IRQ 5
Memory at f4000000 (32-bit, non-prefetchable) [size=8K]
Capabilities: [40] Power Management version 2
Or, you might see errors on the screen:
Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-14/net/prism2_pci.o: init_module: No such device
Dec 1 01:28:14 bigboy insmod: Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters. You may find more information in syslog or the output from dmesg
Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-14/net/prism2_pci.o: insmod wlan0 failed
A Common Problem With Linux-WLAN And Fedora Core 1
In older versions of Fedora Core 1, the operating system will auto-detect Linux-WLAN-compatible NIC cards and enter a line similar to
alias eth2 orinoco_pci
in the /etc/modprobe.conf file. In other words, it detects them as an Ethernet eth device instead of a WLAN wlan device.
This seems to conflict with the WLAN RPMs, and you'll get errors like this when starting Linux-WLAN:
Starting WLAN Devices: /etc/init.d/wlan: line 119: Error: Device wlan0 does not seem to be present.: command not found
/etc/init.d/wlan: line 120: Make sure you've inserted the appropriate: command not found
/etc/init.d/wlan: line 121: modules or that your modules.conf file contains: command not found
/etc/init.d/wlan: line 122: the appropriate aliase(s).: command not found
You can fix the problem with the proper steps. This example refers to a compatible Orinoco chipset card:
1. Remove the orinoco_pci line from the /etc/modprobe.conf file. Do not remove the entry for device wlan0.
2. Edit your /etc/sysconfig/hwconf file, search for orinoco_pci, and remove the orinoco_pci section that refers to your wireless card. (Each section starts and ends with a single - on a new line.)
3. Reboot.
4. The Linux boot process always runs kudzu, the program that detects new hardware. Kudzu detects the wireless card and asks whether you want to configure it. Choose ignore. This will reinsert the wireless card in the /etc/sysconfig/hwconf file, but not in the /etc/modprobe.conf file.
5. Your NIC card should start to function as expected as device wlan0 when you use the ifconfig -a command. Configure the IP address, and activate the NIC as shown earlier in this chapter.
The procedure removes all reference to the Orinoco driver in the Linux configuration files and then forces kudzu not to configure the NIC card according to the Linux defaults. The eth device will be recreated, but the ignore option provided to kudzu will prevent the Orinoco entry in the /etc/modprobe.conf from being reinserted, preventing conflict with the Linux-WLAN package's wlan device.
Wireless Networks In Businesses
Sometimes implementing a wireless network inside a business place becomes necessary. Visiting managers may need a quick connection in a conference room; salespeople sharing cubicles may need it as the number of work spaces gets exhausted. Perhaps someone is going to set one up on your network anyway, so you might as well control this from the beginning.
Apart from people who download infected software and e-mail attachments, mobile employees' notebook computers are usually viewed as a high-risk source of unintentional malicious activity, as there is even less control over what these employees do than over those with fixed workstations. With this in mind, it is usually best to isolate this type of wireless network completely from your internal, trusted, and wired one. Some types of network architectures give the wireless router access only to the Internet, and nowhere else, via its own dedicated DSL line. The wireless users then have to use some form of a VPN client to gain access to the office servers just as if they were doing so from home. To reduce the risk of the network being hijacked, be sure to encrypt the traffic and use a proxy server running such software as Squid (see Chapter 32, "Controlling Web Access with Squid") to limit Internet access to authorized users via some form of pop-up username and password authentication. With this sort of architecture, if the wireless network gets hijacked, your office systems should remain relatively safe.
Many WAPs have the option of not advertising their ESSIDs, which prevents users from browsing around to select the nearest available WLAN. Activation of this feature can be inconvenient to users, as wireless clients will need to know the predefined ESSID to gain LAN access, but, more importantly, it reduces the risk of an outsider connecting to your wireless LAN by roaming the airwaves for an available WAP.
There are many other types of wireless methodologies. Please investigate a variety of options before coming to a final conclusion.
With the knowledge gained in the chapters in Part 1 of the book you will be able to configure a Linux file and DHCP server on a small network with relative ease. Part 2 will explore the possibility of making your server also become the core of your self-managed dedicated Web site.