Contents
Abstract
Wireless LANs, or Wireless Local Area Network (WLANs), have become an indispensable aspect of mobile computing. Today, most laptops have built-in WLAN cards. This chapter describes how to set up a WLAN card with YaST, encrypt transmissions, and use tips and tricks.
WLAN cards communicate using the 802.11 standard, prepared by the IEEE organization. Originally, this standard provided for a maximum transmission rate of 2 Mbit/s. Meanwhile, several supplements have been added to increase the data rate. These supplements define details such as the modulation, transmission output, and transmission rates (see Table 32.1, “Overview of Various WLAN Standards”). Additionally, many companies implement hardware with proprietary or draft features.
Table 32.1. Overview of Various WLAN Standards

| Name | Band (GHz) | Maximum Transmission Rate (Mbit/s) | Note |
|---|---|---|---|
| 802.11 Legacy | 2.4 | 2 | Outdated; virtually no end devices available |
| 802.11a | 5 | 54 | Less interference-prone |
| 802.11b | 2.4 | 11 | Less common |
| 802.11g | 2.4 | 54 | Widespread, backwards-compatible with 11b |
| 802.11n (formerly 802.11n draft) | 2.4 and/or 5 | 300 | Common |
802.11 Legacy cards are not supported by openSUSE®. Most cards using 802.11a, 802.11b, 802.11g and 802.11n draft are supported. New cards usually comply with the 802.11n draft standard, but cards using 802.11g are still available.
In wireless networking, various techniques and configurations are used to ensure fast, high-quality, and secure connections. Different operating types suit different setups. It can be difficult to choose the right authentication method. The available encryption methods have different advantages and pitfalls.
Basically, wireless networks can be classified into three network modes:
Managed networks have a managing element: the access point. In this mode (also referred to as infrastructure mode), all connections of the WLAN stations in the network run through the access point, which may also serve as a connection to an ethernet.
Ad-hoc networks do not have an access point. The stations communicate directly with each other, therefore an ad-hoc network is usually faster than a managed network. However, the transmission range and number of participating stations are greatly limited in ad-hoc networks. They also do not support WPA authentication. Therefore, an access point is usually used. It is even possible to use a WLAN card as an access point. Some cards support this functionality.
In master mode your network card is used as the access point. It works only if your WLAN card supports this mode. Find out the details of your WLAN card on http://linux-wless.passys.nl.
Because a wireless network is much easier to intercept and compromise than a wired network, the various standards include authentication and encryption methods. In the original version of the IEEE 802.11 standard, these are described under the term WEP (Wired Equivalent Privacy). However, because WEP has proven to be insecure (see Section 32.7.2, “Security”), the WLAN industry (joined under the name Wi-Fi Alliance) has defined an extension called WPA, which is supposed to eliminate the weaknesses of WEP. The later IEEE 802.11i standard (also referred to as WPA2, because WPA is based on a draft version of 802.11i) includes WPA and some other authentication and encryption methods.
To make sure that only authorized stations can connect, various authentication mechanisms are used in managed networks:
An open system is a system that does not require authentication. Any station can join the network. Nevertheless, WEP encryption (see Section 32.4, “Encryption”) can be used.
In this procedure, the WEP key is used for the authentication. However, this procedure is not recommended, because it makes the WEP key more susceptible to attacks. All an attacker needs to do is to listen long enough to the communication between the station and the access point. During the authentication process, both sides exchange the same information, once in encrypted form and once in unencrypted form. This makes it possible for the key to be reconstructed with suitable tools. Because this method makes use of the WEP key for the authentication and for the encryption, it does not enhance the security of the network. A station that has the correct WEP key can authenticate, encrypt, and decrypt. A station that does not have the key cannot decrypt received packets. Accordingly, it cannot communicate, regardless of whether it had to authenticate itself.
WPA-PSK (PSK stands for preshared key) works similarly to the Shared Key procedure. All participating stations as well as the access point need the same key. The key is 256 bits in length and is usually entered as a passphrase. This system does not need a complex key management like WPA-EAP and is more suitable for private use. Therefore, WPA-PSK is sometimes referred to as WPA “Home”.
Actually, WPA-EAP (Extensible Authentication Protocol) is not an authentication system but a protocol for transporting authentication information. WPA-EAP is used to protect wireless networks in enterprises. In private networks, it is scarcely used. For this reason, WPA-EAP is sometimes referred to as WPA “Enterprise”.
WPA-EAP needs a RADIUS server to authenticate users. EAP offers three different methods for connecting and authenticating to the server: TLS (Transport Layer Security), TTLS (Tunneled Transport Layer Security), and PEAP (Protected Extensible Authentication Protocol). In a nutshell, these options work as follows:
TLS authentication relies on the mutual exchange of certificates for both server and client. First, the server presents its certificate to the client where it is evaluated. If the certificate is considered valid, the client in turn presents its certificate to the server. While TLS is secure, it requires a working certification management infrastructure in your network. This infrastructure is rarely found in private networks.
Both TTLS and PEAP are two-stage protocols. In the first stage, a secure connection is established and in the second the client authentication data is exchanged. They require far less certification management overhead than TLS, if any.
There are various encryption methods to ensure that no unauthorized person can read the data packets that are exchanged in a wireless network or gain access to the network:
This standard makes use of the RC4 encryption algorithm, originally with a key length of 40 bits, later also with 104 bits. Often, the length is declared as 64 bits or 128 bits, depending on whether the 24 bits of the initialization vector are included. However, this standard has some weaknesses. Attacks against the keys generated by this system may be successful. Nevertheless, it is better to use WEP than to not encrypt the network at all.
Some vendors have implemented the non-standard “Dynamic WEP”. It works exactly as WEP and shares the same weaknesses, except that the key is periodically changed by a key management service.
This key management protocol defined in the WPA standard uses the same encryption algorithm as WEP, but eliminates its weakness. Because a new key is generated for every data packet, attacks against these keys are fruitless. TKIP is used together with WPA-PSK.
CCMP describes the key management. Usually, it is used in connection with WPA-EAP, but it can also be used with WPA-PSK. The encryption takes place according to AES and is stronger than the RC4 encryption of the WEP standard.
Note: Security in Wireless Networks

Be sure to use one of the supported authentication and encryption methods to protect your network traffic. Unencrypted WLAN connections allow third parties to intercept all network data. Even a weak encryption (WEP) is better than none at all. Refer to Section 32.4, “Encryption” and Section 32.7.2, “Security” for information.
A WLAN card is usually detected during the installation. In case you need to configure it later, do the following:

1. Start YaST as user root.
2. Select + in the YaST control center. The Network Settings dialog opens. If your network is currently controlled by NetworkManager, it cannot be edited by YaST and you see a warning message. Click and the tab appears. Select to enable editing with YaST.
3. Switch to the tab where all network cards are listed that have been detected by the system. If you need more information about general network configuration, refer to Section 21.4, “Configuring a Network Connection with YaST”.
4. Choose your wireless card from the list and click to open the dialog.
5. Configure whether to use a dynamic or a static IP address under the tab. Usually is fine.
6. Click to proceed to the dialog.
7. Configure operating mode, network name (ESSID), and authentication mode:
   - Choose the . A station can be integrated in a WLAN in three different modes. The suitable mode depends on the network in which to communicate: (peer-to-peer network without access point), (network is managed by an access point), or (your network card should be used as the access point). To use any of the WPA-PSK or WPA-EAP modes, the operating mode must be set to .
   - Select a . All stations in a wireless network need the same ESSID for communicating with each other. If nothing is specified, the card may automatically select an access point, which may not be the one you intended to use. Use for a list of available wireless networks.
   - Select an . Select a suitable authentication method for your network: (not preferable), , , , or . If you select WPA authentication, a network name (ESSID) must be set. The WEP and WPA-PSK authentication methods require you to enter a key. The key has to be entered as either a , as an string, or string. You have the following options for your key input type:
     - For WEP, either enter the default key here or click to enter the advanced key configuration dialog. Set the length of the key to or . The default setting is . In the list area at the bottom of the dialog, up to four different keys can be specified for your station to use for the encryption. Press to define one of them as the default key. Unless you change this, YaST uses the first entered key as the default key. If the standard key is deleted, one of the other keys must be marked manually as the default key. Click to modify existing list entries or create new keys. In this case, a pop-up window prompts you to select an input type ( , , or ). If you select , enter a word or a character string from which a key is generated according to the length previously specified. requests an input of 5 characters for a 64-bit key and 13 characters for a 128-bit key. For , enter 10 characters for a 64-bit key or 26 characters for a 128-bit key in hexadecimal notation.
     - To enter a key for WPA-PSK, select the input method or . In the mode, the input must be 8 to 63 characters. In the mode, enter 64 characters.
8. If you need detailed configuration of your WLAN connection, use the button. Usually there should be no need to change the preconfigured settings. You have the following options:
   - The specification of a channel on which the WLAN station should work is only needed in and modes. In mode, the card automatically searches the available channels for access points. In mode, select one of the offered channels (11 to 14, depending on your country) for the communication of your station with the other stations. In mode, determine on which channel your card should offer access point functionality. The default setting for this option is .
   - Depending on the performance of your network, you may want to set a certain bit rate for the transmission from one point to another. In the default setting , the system tries to use the highest possible data transmission rate. Some WLAN cards do not support the setting of bit rates.
   - In an environment with several access points, one of them can be preselected by specifying the MAC address.
   - When you are on the road, use power saving technologies to maximize the operating time of your battery. Using power management may affect the connection quality and increase the network latency.
9. Click and finish with .
10. If you have chosen WPA-EAP authentication, another configuration step is needed before your station is ready for deployment in the WLAN.
   Enter the credentials you have been given by your network administrator. For TLS, provide /etc/cert. Therefore, save the certificates given to you to this location and restrict access to these files to 0600 (owner read and write).

   Click to enter the advanced authentication dialog for your WPA-EAP setup. Select the authentication method for the second stage of EAP-TTLS or EAP-PEAP communication. If you selected TTLS in the previous dialog, choose any, MD5, GTC, CHAP, PAP, MSCHAPv1, or MSCHAPv2. If you selected PEAP, choose any, MD5, GTC, or MSCHAPv2. can be used to force the use of a certain PEAP implementation if the automatically-determined setting does not work for you.
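The key lengths in the WEP and WPA-PSK steps above (5/13 ASCII or 10/26 hex characters for WEP, 8 to 63 characters or 64 hex digits for WPA-PSK) can be checked before they are typed into YaST. The following Python is an added example, not code from the openSUSE manual or from YaST; it validates a key against those rules and shows the PBKDF2-HMAC-SHA1 derivation (IEEE 802.11i: 4096 rounds, ESSID as salt) that turns a WPA-PSK passphrase into the 256-bit key, which is why the ESSID must be set for WPA. The sample key values are constructed.

```python
import hashlib
import re

# WEP key sizes as the chapter states them: the nominal 64-bit / 128-bit
# length includes the 24-bit IV, so the secret part is 40 / 104 bits.
WEP_LENGTHS = {64: {"ascii": 5, "hex": 10}, 128: {"ascii": 13, "hex": 26}}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def check_wep_key(key: str, key_length: int, input_type: str) -> bool:
    """True if `key` is a well-formed WEP key for the nominal length (64 or 128)."""
    expected = WEP_LENGTHS[key_length][input_type]
    if len(key) != expected:
        return False
    return input_type == "ascii" or bool(HEX_RE.match(key))


def check_wpa_psk_input(key: str, input_type: str) -> bool:
    """WPA-PSK: passphrase of 8 to 63 printable characters, or 64 hex digits."""
    if input_type == "passphrase":
        return 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)
    return len(key) == 64 and bool(HEX_RE.match(key))


def wpa_psk_from_passphrase(passphrase: str, essid: str) -> str:
    """Derive the 256-bit PSK a passphrase stands for (hex, 64 digits).

    PBKDF2-HMAC-SHA1 with the ESSID as salt and 4096 iterations, as defined
    in IEEE 802.11i. Entering the 64 hex digits directly in YaST skips this
    step; entering a passphrase makes the access point and station both run it.
    """
    if not check_wpa_psk_input(passphrase, "passphrase"):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              essid.encode("ascii"), 4096, dklen=32)
    return psk.hex()


if __name__ == "__main__":
    # Constructed sample values; "guest" is the ESSID shown in the chapter's iwconfig output.
    print(check_wep_key("s3cr3t1234567", 128, "ascii"))            # 13 ASCII chars
    print(check_wep_key("0123456789abcdef01234567ab", 128, "hex"))  # 26 hex digits
    print(check_wpa_psk_input("short", "passphrase"))               # too short
    print(wpa_psk_from_passphrase("correct horse battery", "guest"))
```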
In some cases it is useful to connect two computers equipped with a WLAN card. To establish an ad-hoc network with YaST, do the following:

1. Perform Step 1 to Step 4 as described in Section 32.5, “Configuration with YaST”.
2. Choose and enter the following data:
   - 192.168.1.1. Change this address on the second computer to 192.168.1.2, for example.
   - /24
   - : Choose any name you like.
3. Proceed with .
4. Configure your operating mode, network name (ESSID), and authentication mode:
   - Choose from the popup menu the entry .
   - Choose a . This can be any name, but it has to be used on every computer.
   - Choose from the entry .
5. Click and finish with .
6. If you do not have smpppd installed, YaST asks you to do so.
The package wireless-tools contains utilities that allow you to set wireless LAN specific parameters and get statistics. See http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html for more information.

kismet (package kismet) is a network diagnosis tool with which to listen to the WLAN packet traffic. In this way, you can also detect any intrusion attempts in your network. More information is available at http://www.kismetwireless.net/ and in the manual page.
These tips can help tweak speed and stability as well as security aspects of your WLAN.
The performance and reliability of a wireless network mainly depend on whether the participating stations receive a clear signal from the other stations. Obstructions like walls greatly weaken the signal. The more the signal strength sinks, the more the transmission slows down. During operation, check the signal strength with the iwconfig utility on the command line (Link Quality field) or with NetworkManager or KNetworkManager. If you have problems with the signal quality, try to set up the devices somewhere else or adjust the position of the antennas of your access points. Auxiliary antennas that substantially improve the reception are available for a number of PCMCIA WLAN cards. The rate specified by the manufacturer, such as 54 Mbit/s, is a nominal value that represents the theoretical maximum. In practice, the maximum data throughput is no more than half this value.
The useful iwspy command can display WLAN statistics:

```
iwspy wlan0
wlan0     Statistics collected:
    00:AA:BB:CC:DD:EE : Quality:0  Signal level:0  Noise level:0
    Link/Cell/AP      : Quality:60/94  Signal level:-50 dBm  Noise level:-140 dBm (updated)
    Typical/Reference : Quality:26/94  Signal level:-60 dBm  Noise level:-90 dBm
```
If you want to set up a wireless network, remember that anybody within the transmission range can easily access it if no security measures are implemented. Therefore, be sure to activate an encryption method. All WLAN cards and access points support WEP encryption. Although this is not entirely safe, it does present an obstacle for a potential attacker.
WEP is usually adequate for private use. WPA-PSK would be even better, but it is not implemented in older access points or routers with WLAN functionality. On some devices, WPA can be implemented by means of a firmware update. Furthermore, although Linux supports WPA on most hardware components, some drivers do not offer WPA support. If WPA is not available, WEP is better than no encryption. In enterprises with advanced security requirements, wireless networks should only be operated with WPA.
Use strong passwords for your authentication method. For example, the webpage https://www.grc.com/passwords.htm generates random 64-character passwords.
If your WLAN card is not automatically detected, check whether it is supported by openSUSE. A list of supported WLAN network cards is available under http://en.opensuse.org/HCL/Network_Adapters_(Wireless). If your card is not supported, it may be possible to make it work using the Microsoft Windows drivers with Ndiswrapper. Please refer to http://en.opensuse.org/Ndiswrapper for detailed information.

If your WLAN card fails to respond, check the following prerequisites:

- Do you know your device name? Usually it is wlan0. Check with the tool ifconfig.
- Have you checked your needed firmware? Refer to /usr/share/doc/packages/wireless-tools/README.firmware for more information.
- Is the ESSID of your router broadcast and visible (not hidden)?
The command iwconfig can give you important information about your wireless connection. For example, the following output displays the ESSID, the wireless mode, the frequency, whether your signal is encrypted, the link quality, and much more:

```
iwconfig wlan0
wlan0     IEEE 802.11abg  ESSID:"guest"
          Mode:Managed  Frequency:5.22GHz  Access Point: 00:11:22:33:44:55
          Bit Rate:54 Mb/s   Tx-Power=13 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:62/92  Signal level:-48 dBm  Noise level:-127 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:10  Invalid misc:0   Missed beacon:0
```
You can also get the previous information with the iwlist command. For example, the following command displays the current bit rate:

```
iwlist wlan0 rate
wlan0     unknown bit-rate information.
          Current Bit Rate=54 Mb/s
```
If you want an overview of how many access points are available, this can also be done with the iwlist command. It gives you a list of “cells” which looks like this:

```
iwlist wlan0 scanning
wlan0     Scan completed:
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:40
                    Frequency:5.2 GHz (Channel 40)
                    Quality=67/70  Signal level=-43 dBm
                    Encryption key:off
                    ESSID:"Guest"
                    Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s;
                              24 Mb/s; 36 Mb/s; 48 Mb/s
                    Mode:Master
                    Extra:tsf=0000111122223333
                    Extra: Last beacon: 179ms ago
                    IE: Unknown: ...
```
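The scan output above is also a quick way to audit your own access points for the condition the security section warns about: a cell that reports `Encryption key:off` accepts any station and sends everything in the clear. The following Python is an added example, not part of the manual or of wireless-tools; it parses iwlist scan text into cells and classifies each as open, WEP, WPA or WPA2 from the Encryption key line and the WPA/802.11i information elements that iwlist prints. The sample scan text is constructed, modelled on the output above.

```python
import re

# Constructed sample, modelled on "iwlist wlan0 scanning" output from the chapter.
SAMPLE_SCAN = """\
wlan0     Scan completed:
          Cell 01 - Address: 00:11:22:33:44:55
                    Channel:40
                    Frequency:5.2 GHz (Channel 40)
                    Quality=67/70  Signal level=-43 dBm
                    Encryption key:off
                    ESSID:"Guest"
                    Mode:Master
          Cell 02 - Address: 00:11:22:33:44:66
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"office"
                    Mode:Master
                    IE: WPA Version 1
                    IE: IEEE 802.11i/WPA2 Version 1
"""


def parse_iwlist_scan(text: str) -> list:
    """Split iwlist scan output into one dict per 'Cell NN - Address:' block."""
    cells = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Cell "):
            cells.append({"address": line.split("Address:")[1].strip(),
                          "essid": None, "encrypted": None, "quality": None, "ie": []})
            continue
        if not cells:
            continue  # header line before the first cell
        cell = cells[-1]
        if line.startswith("ESSID:"):
            cell["essid"] = line[len("ESSID:"):].strip('"')
        elif line.startswith("Encryption key:"):
            cell["encrypted"] = line.endswith("on")
        elif line.startswith("Quality="):
            m = re.match(r"Quality=(\d+)/(\d+)", line)
            cell["quality"] = int(m.group(1)) / int(m.group(2))
        elif line.startswith("IE:"):
            cell["ie"].append(line[3:].strip())
    return cells


def classify(cell: dict) -> str:
    """open / wep / wpa / wpa2, following the chapter's encryption methods."""
    if not cell["encrypted"]:
        return "open"
    ies = " ".join(cell["ie"])
    if "WPA2" in ies or "802.11i" in ies:
        return "wpa2"
    if "WPA" in ies:
        return "wpa"
    return "wep"  # key on, but no WPA information element advertised


def audit(text: str) -> list:
    """Return (ESSID, protection, link quality as a fraction) per cell."""
    return [(c["essid"], classify(c), round(c["quality"], 2))
            for c in parse_iwlist_scan(text)]
```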
Modern laptops usually have a network card and a WLAN card. If you configured both devices with DHCP (automatic address assignment), you may encounter problems with the name resolution and the default gateway. This is evident from the fact that you can ping the router but cannot surf the Internet. The Support Database features an article on this subject at http://en.opensuse.org/SDB:Name_Resolution_Does_Not_Work_with_Several_Concurrent_DHCP_Clients.
Several drivers are available for devices with Prism2 chips. The various cards work more or less smoothly with the various drivers. With these cards, WPA is only possible with the hostap driver. If such a card does not work properly or not at all or you want to use WPA, read /usr/share/doc/packages/wireless-tools/README.prism2.
More information can be found on the following pages:
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html—The Internet pages of Jean Tourrilhes, who developed the Wireless Tools for Linux, present a wealth of useful information about wireless networks.
tuxmobil.org—Useful hands-on information about mobile computers under Linux.
http://www.linux-on-laptops.com—More information about Linux on laptops.