个人工具

Quick HOWTO : Ch13 : Linux Wireless Networking/zh

来自Ubuntu中文

Ninesun讨论 | 贡献2008年4月30日 (三) 18:01的版本

跳转至: 导航, 搜索


目录

简介

我的第一台Linux网络服务器是一台从二手市场买来的古老的、报废的台式电脑。他很便宜还能工作,但是很丑并且有噪音,吵得我都不能容受。我在这个老东西上面花了多于我该花的钱,使它能够在我寝室外面有DSL连接的地方上网。回想一下,做这些确实对我是个挑战,也由于我在有时在犯傻。我以前以为 Linux无线上网会很容易,但是那时不是很容易。我对它很头痛以至于我想起我的初次的网页之一就是关于我的一些噩梦,警告人们怎么去正确的做。这就是 www.linuxhomenetworking.com诞生的过程。这是关于怎么开始的章节。

无线网络用802.11标准有很多的优势,不仅仅是我提到的审美方面的。硬件一般是能够得到,无线网络提供相对容易且价格低的部署,而且安全也不断的提高。在考虑使你的Linux服务器能无线上网之前,确定你购买的NIC是Linux兼容的。而且你要决定你准备用的无线Linux包:Linux- WLAN或Wireless Tools 。Wireless Tools更方便使用因为它需要比较少的设置步骤,并且在你每次更新你的内核时不需要重装PRM包。如果这看起来比较令人迷惑,不要担心,我会待会儿介绍这些。

Linux 无线兼容网卡

不是所有的NIC无线卡都能在Linux上运行。由于这个原因,你就得做些作业了。你能在流行的搜索引擎上找到最新的兼容Wireless Tools硬件表。至于Linux-WLAN,请到www.linux-wlan.org上找最新的硬件兼容表。

无线网络NIC制造商因零件的价格的改变而改变他们卡上的芯片组,这使得他们臭名昭着。然後他们为每个不同的新卡提供不同的驱动。到相同的制造商买到不同的电路结构却有相同的模型号码是不可能的。频繁的linux无线新卡驱动是没有的,请在购买无线硬件的时候总是核对兼容表。

Linksys WMP11无线网卡是个好的例子,这种卡的原始的版本使用的是可以在Linux上运行的Intersill Prisim 芯片组,但是新的2.7版(Broadcom 芯片组)和版本4(InProComm 芯片组)却不能运行。即便是这样,原始的WMP如果不更新固件也不能运行。

最近几年在Linux上用Windows的驱动成为了可能。具体的细节将会在题为"设置linux兼容无线NIC"上讨论。这些方法需要理解前面一提到的Wireless Tools,但首先,为了提供一点背景,我们的提一下无线网络基础。

注意:不要搞错了,你的LInux系统能检测到你的NIC不意味着他就兼容。所有核对linux的硬件兼容表,这样你能知道怎样进行下去。

Common Wireless Networking Terms

Learning the ins and outs of wireless Linux networks will be easier if we're all speaking the same language. Before proceeding, take time to become familiar with three key wireless terms: wireless access point, Service Set ID, and shared encryption key. Learn them now, because you'll see them throughout the chapter.


无线接入点

无线接入点(WAP)是一个为所以中心数据起着中心集线器作用的装置。在多数的普通的模式中(基础模式),所以的无线服务器通过WAP和其他的服务器通讯,WAP通常连接到一个普通的外部或内部的路由器于Internet通讯。因此WAP类似于有线网络的交换机。

如果服务器的NIC配置为Ad-hoc模式它们能够不通过WAP而相互通讯,但是,他们就不能通过其他的途径通讯。因此,你的网络需要一个WAP

Service Set ID

The 802.11a/b wireless networks typically found in a home environment share the same frequency range with one another so it is possible for your computer to hear the traffic meant for somebody else's nearby network. The Extended Service Set ID (SSID) helps prevent the garbling of messages. Each wireless network needs to be assigned an ESSID that doesn't match that of any neighboring networks within its range of operation. The desired ESSID is then set on both wireless NICs and WAPs, which in turn ignore all traffic using other identifiers.

Most wireless software packages enable you to view all the available ESSIDs within range and give you the option of selecting the corresponding wireless LAN (WLAN) to join. Unfortunately, this makes it easy to eavesdrop on a neighboring network, and therefore it is best to not only change your ESSID from the factory defaults, but also to encrypt your wireless data whenever possible.

The term ESSID is frequently interchangeably referred to as an SSID (Service Set ID) by many vendors. I'll stick with ESSID unless the term SSID is relevant to an application.

Encryption

Encryption is a method of encoding or scrambling data so that only people with the secret key to unlock the code can view the original data. As expected, you need to use the same encryption scheme on all devices on your network for communication to be successful.

Wired Equivalent Privacy

The first widely used data encryption scheme for wireless networks in the home / corporate offices was Wired Equivalent Privacy (WEP). A flaw in the encryption scheme was soon discovered and freely available tools like "WEP crack" and aircrack-ng became available to decipher WEP encryption keys within minutes.

Wi-Fi Protected Access

The newer Wi-Fi Protected Access (WPA) scheme overcomes the security shortcomings of WEP. There are a number of modes:

  • Pre Shared Key (PSK) or Personal Mode
Uses a manually configured encryption key on all devices on the wireless network.
  • Enterprise Mode
Typically uses both an authentication and encryption scheme from many available options.
One common authentication method is the Extensible Authentication Protocol (EAP). EAP will typically rely on a user's LDAP or Active Directory username and password used to access their computers to verify whether they can also access the wireless network. This is done transparently to the user. Once they log into their systems, EAP is automatically invoked behind the scenes.
EAP is often combined with encryption schemes such as TLS (Transport Layer Security, now viewed as the successor to SSL) and TKIP (Temporal Key Integrity Protocol, a scheme that rapidly regenerates new encryption keys) to provide additional security.

Note: It is usually best to test your network in an unencrypted state before activating the additional security. This allows you to limit your troubleshooting activities to basic wireless settings, without the additional complications of encryption.

加密

加密是一种数据编码方式,这样只有持有密钥的用户才能解密而看到原始的数据。当然,为了能够成功的通讯你们需要在所有的装置上使用相同的加密方式。

Wired Equivalent Privacy

第一个在家庭/公司环境用的加密模式是Wire Euivalent Privacy(WEP)。其中的数据流能够很快的解密,一些免费获得的工具例如"WEP crack"和aircraft-ng能够在数分钟内取得WEP密钥。

Wi-Fi Protected Access

较新的Wi-Fi Protected Access(WPA)克服了WEP的一些安全方面的缺点,他有一些模式。

Pre Shared Key(PSK) 或Personal模式

在所以的装置上使用手工设置的密钥。

 Enterprise模式

 在很多可供选择的方法中同时用认证和加密方法。

 一种普通的认证方式是可扩展的认证协议(EAP),EAP通常依靠用户的LDAP或进入他们电脑的Active Directory用户名和密码来认证他们十分能接入网络,只有你一登入计算机,EAP就能自动的在后台引用。

EAP常常结合如TLS和TKIP等加密方法一起使用增加安全性。

注意:最好在没有网络加密的情况下测试网络,这样,能够把故障排除的工作限制在一个基础的范围内,而没有加密程序的干扰。

Networking With Linux Wireless-Tools

The Linux Wireless Tools package is installed by default probably meets most of your 802.11a/b needs. Its main advantage is that, unlike Linux-WLAN, you don't have to reinstall it every time you upgrade your kernel.

用iwconfig配置wireless-tools

安装上linux兼容的NIC后,在用Wireless Tools前你需要配置你的NIC的IP和一下无线设定。

你能像配置一般的以太网一样配置你的NIC的ip,用ifup命令启动NIC之后,他还不能正确的发挥功效,因为无线设定还没有配置好。

在Wireless Tolols中最常用的命令是iwconfig,用它可以配置多数的无线参数,包括SSID和无线模式。至于无线模式,Managed意思是在网络上有一个无线接入点(WAP),而Ad-hoc意味着没有。

例如,你的无线网卡名为eth0,用managed模式,ESSID是homenet,那么你的命令就会是:

iwconfig eth0 mode Managed
iwconfig eth0 essid homenet

你的NIC将会充分的发挥功效,每次你用ifup命令时你都要运行这些命令,忘记这些命令就会出现些错误。下个阶段就会说明怎么一劳永逸的设置改变。

Permanent wireless-tools Configuration

After testing your ad-hoc configuration, you will need to make the changes permanent. The methods for doing this vary slightly by distribution.

Fedora / RedHat

With Fedora / RedHat, wireless configuration will require some additional statements in your NIC configuration files.

1. Configure your /etc/sysconfig/network-scripts/ifcfg-eth0 file normally as if it were a regular Ethernet NIC.

DHCP Version           Fixed IP Version
============          =================
 
DEVICE=eth0           DEVICE=eth0
USERCTL=yes           IPADDR=192.168.1.100
ONBOOT=yes            NETMASK=255.255.255.0
BOOTPROTO=dhcp        ONBOOT=yes
                      BOOTPROTO=static

2. Add the following statements to the end to specify that the NIC is wireless; provide the ESSID to use (in this case homenet), and choose Managed (a WAP on present of the network) or Ad-hoc (no WAP) for the wireless mode. "Managed" is the most likely setting if you have a wireless router or WAP on your network.

If you are using a 802.11g wireless router and NIC, you can specify the higher speed 54Mbps maximum data rate this protocol provides, if not, the NIC will default to the 11 Mbps maximum rate of slower protocols. The NIC will automatically negotiate the protocol type with the WAP. You just need to set the maximum rate.

#
# Wireless configuration
#
TYPE=Wireless
MODE=Managed
ESSID=homenet
RATE=54Mb/s


These commands need only be on the main interface file. They are not needed for IP aliases. Your wireless NIC should function as if it were a regular Ethernet NIC using the ifup and ifdown commands.

Debian / Ubuntu

In Debian / Ubuntu systems configuration requires the addition of a valid wireless-essid parameter to the /etc/network/interfaces file.

#
# File: /etc/network/interfaces
#

# The primary network interface
auto eth1
iface eth1 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        wireless-essid homenet

auto eth0
iface eth0 inet dhcp
        wireless-essid jamrock

In this example interface eth1 uses an ESSID of homenet while interface eth0 uses an ESSID of jamrock.

WEP Encryption Configuration

Linux supports both the WEP and WPA encryption schemes. Here's how you can configure them on your system.

WEP Encryption Configuration

Linux supports both the WEP and WPA encryption schemes. Here's how you can configure them on your system.

WEP Key Generation

WEP encryption requires an encryption key that you can make up yourself or you can generate a random one using the dd command as shown here.

[root@bigboy tmp]# dd if=/dev/random bs=1 count=5 2>/dev/null | xxd -ps
c276246d65
[root@bigboy tmp]#

By default, Linux WEP uses a 40 bit key formatted in hexadecimal notation, ie. numeric values between 0 and 9 and alphabetic characters between A and F. This requires you to use a byte count of 5, which will generate a key containing twice as many (ten) hexadecimal characters. Table 13.1 shows the byte counts required for generating keys of varying lengths, and the corresponding number of hexadecimal characters to expect in the key.

Table 13-1 Byte Count to WEP Key Length Conversion
Key Length (Bits) Byte Count Hexadecimal Character Count
40 5 10
64 8 16
104 13 26
128 16 32
152 19 28
232 29 58
256 32 64

If you decide to make up your own key, then remember to use the correct number of hexadecimal numbers.

WEP Key Configuration for Fedora / RedHat

Your WEP key can be temporarily added to your NIC configuration from the command line, using the iwconfig command. Be sure that there are no colons or any other non-hexadecimal characters between the characters of the key. There should be ten characters in total:

iwconfig eth0 key 967136deac

The same rules (no colons or non-hexadecimals between the ten total characters) apply when using the /etc/sysconfig/network-scripts files to add encryption:

#
# File: ifcfg-eth0
#

DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=static
TYPE=Wireless
MODE=Managed
ESSID=homenet
KEY=967136deac

Note: Newer versions of Fedora only support the use of a keys file in the /etc/sysconfig/network-scripts directory. The file format is the same as in the older interface configuration file method. Remember, the KEY statement in interface configuration file won't be supported.

#
# File: /etc/sysconfig/network-scripts/keys-eth0
#
KEY=967136deac


WEP Key Configuration for Debian / Ubuntu

In Debian / Ubuntu systems configuration requires the addition of a valid wireless-key parameter, alongside the wireless-essid parameter, in the /etc/network/interfaces file.

#
# File: /etc/network/interfaces
#

# The primary network interface
auto eth1
iface eth1 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        wireless-key 967136deac
        wireless-essid homenet

In this example our WEP key of 967136deac and the ESSID of homenet have been used and will become utilized once the eth1 wireless interface is activated.

WPA Encryption

Linux WPA relies on a supplicant daemon program that both requests authentication admittance and executes data encryption on behalf of the operating system. It runs independently of the networking daemon and so, for WPA, network interfaces are not configured for encryption at all.

Installing WPA Supplicant

Installation is simple. Install the wpa_supplicant RPM or the wpasupplicant DEB package.If you need a refresher, Chapter 6, "Installing Linux Software", covers how to do this in detail.

The wpa_supplicant.conf File

The main WPA Supplicant configuration file is /etc/wpa_supplicant/wpa_supplicant.conf and its configuration is well documented, with examples, in the man pages.

[root@bigboy tmp]# man wpa_supplicant.conf

Note: With Debian / Ubuntu the file may not be created during installation, and you will have to create it manually like this:

root@u-server:/tmp# mkdir -p /etc/wpa_supplicant
root@u-server:/tmp# vi /etc/wpa_supplicant/wpa_supplicant.conf 

This chapter will only focus on the simple PSK WPA method, other methods are beyond the scope of this book.

In this example, we have set the SSID to homenet and are using WPA-PSK encryption with an encryption key of "ketchup_and_mustard".

#
# File: wpa_supplicant.conf
#
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=root
network={
        ssid="homenet"
        key_mgmt=WPA-PSK
        psk="ketchup_and_mustard"
}

If you are concerned about people being able to read your wpa_supplicant.conf file, then encrypt the PSK using the wpa_passphrase command to generate a sample configuration. It requires the SSID and unencrypted key as arguments. In this example we see that the unencrypted string psk="ketchup_and_mustard" can be replaced with and encrypted equivalent that does not use quotes.

[root@bigboy tmp]# wpa_passphrase homenet ketchup_and_mustard
network={
        ssid="homenet"
        #psk="ketchup_and_mustard"
        psk=aeaa365d1703f88afc11715cd997b71038ce5798907510bd1b1c6786d33c8c3a
}
[root@bigboy tmp]#

Note: The only place that an encryption key needs to be defined is in the WPA configuration file.

Further WPA Configuration Steps - Fedora / RedHat

WPA Supplicant also relies on the /etc/sysconfig/wpa_supplicant file to determine which interfaces it should monitor and the driver it should use to do so.

In this example, WPA needs to be applied on interface eth0 using the default "wext" driver.

#
# File: /etc/sysconfig/wpa_supplicant
#
INTERFACES="-ieth0"
DRIVERS="-Dwext"

Here we see WPA configured for the wlan0 created using the ndiswrapper driver.

#
# File: /etc/sysconfig/wpa_supplicant
#
INTERFACES="-iwlan0"
DRIVERS="-Dndiswrapper"

Further help on the wpa_supplicant file can be obtained from the man pages.

[root@bigboy tmp]# man wpa_supplicant

The WPA Supplicant daemon then needs to be started immediately after you have finished editing the configuration files for the settings to become active. Remember to also make the activation permanent using the chkconfig command.

[root@bigboy tmp]# service wpa_supplicant restart 
[root@bigboy tmp]# chkconfig wpa_supplicant on

Finally, configure your NIC as for wireless, but without an SSID or encryption key as this information will be provided through WPA supplicant.

File: /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
ONBOOT=yes
TYPE=Wireless
MODE=Managed

Please refer to the troubleshooting section of this chapter to resolve any problems you may encounter.

Further WPA Configuration Steps - Debian / Ubuntu

WPA supplicant can be invoked from the command line. In Debian / Ubuntu systems the /etc/network/interfaces file needs to be modified to include a pre-up parameter with a valid WPA supplicant command set following it. In this example the /etc/wpa_supplicant/wpa_supplicant.conf file is referenced using the "-c" option, and the desired interface is defined using the "-i" option. The post-down parameter is then used to define the command to terminate wpa_supplicant daemon when the eth1 interface is shut down.

#
# File: /etc/network/interfaces
#

# The primary network interface
auto eth1
iface eth1 inet static
        address 192.168.1.100
        netmask 255.255.255.0
        wireless-essid homenet
        pre-up wpa_supplicant -Bw -Dwext -ieth1 -c/etc/wpa_supplicant/wpa_supplicant.conf
        post-down killall -q wpa_supplicant

Please refer to the troubleshooting section of this chapter to resolve any problems you may encounter.

Configuring Linux with Incompatible Wireless NICs

Not all wireless cards work with Linux, especially the newer 54 Mbps 802.11g/n cards models. Fortunately there are a number of ways to overcome this apparent limitation. This will be covered next.

Using bcm43xx-fwcutter with Broadcom Wireless Chips

In recent years wireless chip manufacturers have shifted away from creating fixed customized designs for specific wireless applications and have started to create general purpose transmitter chips that can be reprogrammed in their firmware to communicate using different wireless protocols. Some manufacturers feel that knowledge of how the firmware works could reveal features of their chips that competitors could use against them. This has prevented some from sharing their work with the open source community.

Nevertheless the open source community has persevered and managed to either reverse engineer the firmware of some wireless chips, or obtain the firmware from willing manufacturers, and package it as part of the some standard Linux releases. Current Linux support of the Broadcom 4301 chipset relies on the former method.

Note: The reliability of fwcutter and the Broadcom can be sporadic with the driver working for only a few hours after installation, or even not at all. If these instructions fail, try using ndiswrapper which will be covered later.

How to tell if you have a Broadcom 43XX Chipset

You can either use the lspci command to tell the type of chipset your NIC is using.

[root@bigboy tmp]# lspci
...
...
01:07.0 Network controller: Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller (rev 02)
[root@bigboy tmp]#

Installing your Broadcom 43XX firmware

Firmware installation is not complicated. Here's how it's done.

1. Install the bcm43xx-fwcutter package, using the yum or apt utilities. If you need a refresher, Chapter 6, "Installing RPM Software", covers how to do this in detail.

If you do not have access to the Internet, then you will need to download the bcm43xx-fwcutter package to another computer that does. Fortunately, the package is a part of the Fedora distribution, but it is considered an "extra" feature and it isn't installed by default. References to URLs for "extra" features can be found in the .repo files in the /etc/yum.repos.d directory. Here we see that we can download "extra" packages from a subdirectory of http://download.fedora.redhat.com/ pub/fedora/linux/extras

[root@zippy tmp]# ls /etc/yum.repos.d/
fedora-core.repo         fedora- updates.repo
fedora-development.repo  fedora-extras.repo 
[root@zippy tmp]# cat /etc/yum.repos.d/fedora-extras.repo 
[extras]
name=Fedora Extras $releasever - $basearch
baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
...
[root@zippy tmp]#

After you have downloaded the file, copy it to your wireless Linux box and install it with the rpm command.

2. Copy the Windows NIC driver files to your Linux box. They should be located in a "drivers" directory on your CD, or downloaded ZIP file. The driver file should be called "bcmwl5a.sys".

In this example we have copied the files to the /tmp/fwcutter/ directory.

[root@bigboy tmp]# ls /tmp/fwcutter/
bcmwl5a.sys  bcmwl5.sys  WMP54GSa.inf  WMP54GS.cat  WMP54GS.inf
[root@bigboy tmp]#

3. Issue the bcm43xx-fwcutter command using the -w switch to tell it to extract the firmware to the /lib/firmware directory. Remember to specify the driver filename at the end of the command.

[root@bigboy tmp]# bcm43xx-fwcutter -w /lib/firmware /tmp/fwcutter/bcmwl5a.sys
bcm43xx-fwcutter can cut the firmware out of bcmwl5.sys
 
  filename   :  bcmwl5a.sys
  version    :  3.90.16.0
  MD5        :  e6d927deea6c75bddf84080e6c3837b7
  microcodes :  2 4 5 
  pcms       :  4 5 

  microcode  :  2
  revision   :  0x0122
  patchlevel :  0x0098
  date       :  2004-11-16
  time       :  07:21:20

  microcode  :  4
  revision   :  0x0122
  patchlevel :  0x0098
  date       :  2004-11-16
  time       :  07:21:20

  microcode  :  5
  revision   :  0x0122
  patchlevel :  0x0098
  date       :  2004-11-16
  time       :  07:21:20

extracting bcm43xx_microcode2.fw ...
extracting bcm43xx_microcode4.fw ...
extracting bcm43xx_microcode5.fw ...
extracting bcm43xx_pcm4.fw ...
extracting bcm43xx_pcm5.fw ...
extracting bcm43xx_initval01.fw ...
extracting bcm43xx_initval02.fw ...
extracting bcm43xx_initval03.fw ...
extracting bcm43xx_initval04.fw ...
extracting bcm43xx_initval05.fw ...
extracting bcm43xx_initval06.fw ...
extracting bcm43xx_initval07.fw ...
extracting bcm43xx_initval08.fw ...
extracting bcm43xx_initval09.fw ...
extracting bcm43xx_initval10.fw ...
...
...
[root@bigboy tmp]#

Note: If you get an error stating that it is impossible to extract the microcode, then you have selected the wrong driver file. Here is an example.

 *****: Sorry, it's not possible to extract "bcm43xx_microcode11.fw".
 *****: Extracting firmware from an old driver is bad. Choose a more recent one.
 *****: Luckily bcm43xx driver doesn't include microcode11 uploads at the moment.
 *****: But this can be added in the future...
 *****: Sorry, it's not possible to extract "bcm43xx_microcode13.fw".
 *****: Extracting firmware from an old driver is bad. Choose a more recent one.
 *****: Luckily bcm43xx driver doesn't include microcode11 uploads at the moment.
 *****: But this can be added in the future...


4. Next we have to load the driver module into memory so that it will be recognized by the kernel.

[root@bigboy tmp]# modprobe bcm43xx

5. With Fedora / RedHat, you also need to make the module load automatically upon reboot. This is done by placing a bcm43xx driver configuration file in the /etc/modprobe.d directory. Fortunately, the RPM package comes with a sample that you can copy into place. This step is unnecessary with Debian / Ubuntu.

[root@bigboy tmp]# updatedb 
[root@bigboy tmp]# locate modprobe.bcm43xx
/usr/share/doc/bcm43xx-fwcutter-005/modprobe.bcm43xx
[root@ bigboy tmp]# cp /usr/share/doc/bcm43xx-fwcutter-005/modprobe.bcm43xx /etc/modprobe.d/

The final step is to configure your NIC, which will be covered next.

Configuring your Broadcom NIC

After installing your firmware, NIC configuration will be just like that for any Linux compatible wireless card.

If your NIC is incompatible and doesn't contain the Broadcom 43XX chipset, then you may have to consider using ndiswrapper, which will be covered next.

Note: Your system's network connectivity may be sporadic if you have both fwcutter and ndiswrapper installed on your system, even if they are configured on different NICs. Tests in my little lab have shown that the packages may interfere with each other's ability to associate with a WAP.

Using ndiswrapper

Windows uses the Network Driver Interface Specification (NDIS) as a standardized method for the operating system to communicate with the NIC driver software from various manufacturers. The Linux ndiswrapper software suite, available from ndiswrapper.sourceforge.net, allows you to run your Windows NIC card's drivers under Linux by creating a software wrapper around the Windows driver to trick it into thinking that it is communicating with Windows and not Linux. The compatibility range is therefore much wider and in cases where you need to recompile your kernel, the project's website has links to RPM packages of standard kernels with ndiswrapper support. Installation instructions on the project's web site are reasonably clear and a proficient Linux user should be able to get their NIC card working within an hour or two on their first try.

ndiswrapper has some limitations too. It only works on hardware architectures supported by Windows, the very useful iwspy command (discussed later) isn't supported and the wrappers add a layer of software complexity that would not exist normally. There is a commercial competitor to ndiswrapper called DriverLoader created by the Linuxant corporation which you may also want to consider.

Before Starting - Broadcom Chipsets

Some Linux distributions may correctly detect NIC cards using proprietary Broadcom 43XX chipsets, but the open source drivers will fail to work. Heres's what to do:

1. Use the lspci command to see what type of card you have installed and use the lsmod command to verify the driver has been loaded.

[root@bigboy tmp]# lspci
...
...
01:07.0 Network controller: Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller (rev 02)
[root@bigboy tmp]# lsmod
...
...
bcm43xx               419937  0 
...
...
[root@bigboy tmp]#

2. If you have the Broadcom chipset, and the fw-cutter method has failed, then use add the following entries to the /etc/modprobe.d/blacklist-compat and /etc/modprobe.d/blacklist files to prevent the driver from being reloaded on the next reboot.

#
# File: /etc/modprobe.d/blacklist AND 
#       /etc/modprobe.d/blacklist-compat
# 

blacklist bcm43xx

When this is all completed, reboot your system and continue with your ndiswapper installation.

Installing and Configuring ndiswrapper

Installation is quick and easy. Let's begin.

1. Install your NIC. Download the ndiswrapper tar file and extract the contents. Enter the ndiswrapper directory and read the installation instructions in the version specific INSTALL file. The version in this example, ndiswrapper-1.16, requires the make uninstall, make and make install commands to complete the installation process. As we have already updated the kernel, there should be no errors.

[root@bigboy tmp]# tar -xvzf ndiswrapper-1.16.tar.gz
[root@bigboy tmp]# cd ndiswrapper-1.16
[root@bigboy ndiswrapper-1.16]# make uninstall
[root@bigboy ndiswrapper-1.16]# make
[root@bigboy ndiswrapper-1.16]# make install

Note: With Debian based distributions, like Ubuntu, ndiswrapper can be installed using the apt-get command.

2. Next we have to determine the PCI ID of our newly installed NIC card. First use lspci command to find the IRQ number of the NIC card. The IRQ will be listed in the first column. In this case the IRQ is 01:08.0.

[root@bigboy ndiswrapper-1.16]# lspci
...
...
01:08.0 Network controller: Intersil Corporation Prism 2.5 Wavelan chipset (rev 01)
...
...
[root@bigboy ndiswrapper-1.16]#

3. The lspci -n command can then be used to obtain the PCI ID which has the format xxxx:xxxx. Our NIC has the ID 1260:3873.

[root@bigboy ndiswrapper-1.16]# lspci -n
...
...
01:08.0 Class 0280: 1260:3873 (rev 01)
...
...
[root@bigboy ndiswrapper-1.16]#

4. The ndiswrapper website has a table of PCI IDs and the matching Windows drivers to be used for each at the following URL.

http://ndiswrapper.sourceforge.net/mediawiki/index.php/List.

Note: Use this information to download the correct driver for your NIC. Do not use the Windows drivers that came on your NIC's CD as it may not have been tested in the quality assurance process done by the ndiswrapper developers. The website's list provides the names of drivers that are known to work.

5. Once downloaded, extract the driver files. Under the main driver directory there will usually be subdirectories with drivers matching various versions of Windows. Enter the subdirectory of the most recent version.

[root@bigboy tmp]# unzip mzq345v25_xp_certd.zip
Archive:  mzq345v25_xp_certd.zip
  inflating: mzq345v25_xp_certd_no_doc/autorun.exe  
  inflating: mzq345v25_xp_certd_no_doc/autorun.inf  
...
...
...
  inflating: mzq345v25_xp_certd_no_doc/winxp/NETmzq345.INF  
  inflating: mzq345v25_Release_Note.TXT  
[root@bigboy tmp]# cd mzq345v25_xp_certd_no_doc/winxp
[root@bigboy winxp]#

6. The main windows driver file will have a .INF extension. Install this driver using the ndiswrapper command with the -i option followed by the driver filename. Use the ndiswrapper command again with the -l option to verify that the installation was successful.

[root@bigboy winxp]# ls
mzq345n51.sys  NETmzq345.INF
[root@bigboy winxp]# ndiswrapper -i NETmzq345.INF 
Installing netmzq345
[root@bigboy winxp]# ndiswrapper -l
Installed drivers:
netmzq345                driver installed, hardware present 
[root@bigboy winxp]#

7. Next the Linux kernel modules tables will have to be updated to include ndiswrapper in the listing. This is done with the depmod command with the -a flag.

[root@bigboy winxp]# depmod -a
[root@bigboy winxp]#

8. When ndiswrapper loads, it will need to assign a device name to your NIC card. This is done using the ndiswrapper command with the -m flag. Here we see that the new device name will be wlan0.

[root@bigboy winxp]# ndiswrapper -m
Adding "alias wlan0 ndiswrapper" to /etc/modprobe.d/ndiswrapper
[root@bigboy winxp]#

9. Now its time to load the ndiswrapper kernel module with the modprobe command. You can also verify the success of this operation by searching the end of the /var/log/messages file for correct execution of the command.

[root@bigboy winxp]# modprobe ndiswrapper
[root@bigboy winxp]# tail /var/log/messages
...
...
Mar 17 23:25:21 bigboy kernel: ndiswrapper version 1.6 loaded (preempt=no,smp=no)
[root@bigboy winxp]# 

The dmesg command will give status messages for the loading of both your NIC driver and the ndiswrapper module. There should be no errors. If there are, you may have used a driver not recommended by the ndiswrapper website, your NIC card may be faulty, your NIC could be Linux compatible, or your ndiswrapper or kernel installation could have been faulty. Please refer to the "Troubleshooting Your Wireless LAN" section of this chapter for more details.

[root@bigboy tmp]# dmesg
...
...
...
ndiswrapper version 1.16 loaded (preempt=no,smp=no)
ndiswrapper: driver mzq345 (Broadcom,04/21/2005, 3.100.65.1) loaded
ACPI: PCI Interrupt 0000:01:08.0[A] -> Link [LNKB] -> GSI 10 (level, low) -> IRQ 10
ndiswrapper: using irq 10
wlan0: vendor: 
wlan0: ndiswrapper ethernet device 00:06:25:1b:b2:a9 using driver mzq345, 14E4:4301.5.conf
wlan0: encryption modes supported: WEP; TKIP with WPA, WPA2, WPA2PSK, WPA2, WPA2PSK
[root@bigboy tmp]#


10. You will always need to have a ndiswrapper compatible kernel for the application to function correctly. To maintain your current kernel during yum updates, edit your /etc/yum.conf file to exclude the kernel from being kept up to date with the exclude option.

#
# File: /etc/yum.conf
#

exclude= kernel

11. Use the regular Linux wireless tools to configure your wlan0 interface with an IP address, ESSID and if necessary, encryption. With Fedora, you can adjust the data rate up to the 802.11g 54 Mbps data rate by adding this statement to your /etc/sysconfig/network-scripts/ifcfg-wlan0 file. Leave this blank if you are using 802.11b.

RATE=54Mb/s

12. Now you can use the ifup command to activate the NIC, and the iwconfig command will show the interface as connecting correctly to an access point at 54 Mbps.

[root@bigboy winxp]# ifup wlan0
[root@bigboy winxp]# iwconfig
...
...
wlan0      IEEE 802.11g  ESSID:"johncr0w"  Nickname:"bigboy"
         Mode:Managed  Frequency:2.462GHz  Access Point: 00:09:5B:C9:19:22  
         Bit Rate=54Mb/s   Tx-Power:32 dBm   
         RTS thr=2347 B   Fragment thr=2346 B   
         Encryption key:98D1-26D5-AC   Security mode:restricted
         Power Management:off
         Link Quality:88/100  Signal level:-55 dBm  Noise level:-256 dBm
         Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
         Tx excessive retries:96  Invalid misc:1157   Missed beacon:0
...
...
[root@bigboy winxp]#

My experience with ndiswrapper in the home has been very good, but like Prism54 and even Linux-WLAN, you have to reinstall the product each time you upgrade your kernel. This may not be tolerable in a mission critical business environment where maintenance related downtime needs to be kept to a minimum and where all software used needs to be 100% Linux compatible to ensure stability. When 802.11g WiFi technology becomes more mature it will indubitably be supported natively by Linux Wireless Tools without the need for additional software, but there will always be NICs that don't support Linux and knowledge of ndiswrapper will be invaluable.

Networking With Linux-WLAN

Linux-WLAN is one of the original wireless LAN products developed for Linux. It is generally more difficult to install than wireless-tools and has fewer troubleshooting tools, but it has wide ranging hardware support making it a desirable alternative based on the NIC card you have available. You'll notice that Linux-WLAN uses the term SSID instead of ESSID in its configuration files.

Linux-WLAN Preparation

Here are some pointers you'll need to remember prior to using the Linux-WLAN product:

All devices on a wireless network must use the same Network Identifier or SSID to communicate with each other: The default SSID for Linux-WLAN is linux-wlan, the default SSID for your windows NIC cards may be different. It's a good idea to decide on a common SSID and stick with it.

Once configured, Linux-WLAN doesn't identify the wireless NIC as an Ethernet eth device, but as a wlan device: This is good to know in order to avoid confusion when troubleshooting.

Always be prepared to check your syslog /var/log/messages file for errors if things don't work: It is a good source of information. Chapter 5, "Troubleshooting Linux with syslog", shows you how to set up syslog error logging to be more sensitive to errors.

You may get "device unknown" or "no such device" errors related to the wlan device in the /var/log/messages file if you use older unpatched versions of the Linux-WLAN software: Always use the most recent versions to make the installation smoother.

Before installing the Linux-WLAN software for PCMCIA cards such as the Linksys WPC11 you will need to install the RPM packages that support PCMCIA: This step isn't necessary for such true PCI cards as the Linksys WMP11.

In Fedora Core, the package name is pcmcia-cs and in RedHat 9 and earlier it is kernel-pcmcia-cs. When searching for the RPMs, remember that the filename usually starts with the software package name and a version number, as in kernel-pcmcia-cs-3.1.31-13.i386.rpm.

Identifying The Correct RPMs

You can find RPM versions of the driver files at http://prism2.unixguru.raleigh.nc.us. Remember to download the files for the correct kernel type, OS version, and kernel version. Downloading and installing RPMs isn't hard. If you need a refresher, Chapter 6, "Installing RPM Software", covers how to do this in detail.

Determine The Kernel Type

Use the uname -p command. The Bigboy server discussed in Chapter 1, "Why Host Your Own Site?", is running an i686 version of Linux. The Linux version may not match the CPU you have installed, always use the uname version:

[root@bigboy tmp]# uname -p
i686
[root@bigboy tmp]#

Determine The OS Version

One of the easiest ways is to determine the OS version is to view the /etc/ redhat-release or the /etc/fedora-release file. In this case, server bigboy is running RedHat version 9.0, while zero is running Fedora Core 1. You can also look at the /etc/issue file for other versions of Linux.

[root@bigboy tmp]# cat /etc/redhat-release
Red Hat Linux release 9 (Shrike)
[root@bigboy tmp]#
 
[root@zero root]# cat /etc/fedora-release
Fedora Core release 1 (Yarrow)
[root@zero root]#
 

Determine The Kernel Version

You can use the uname -r command to figure out the kernel version. In this case, Bigboy is running version 2.4.20-8:

[root@bigboy tmp]# uname -r
2.4.20-8
[root@bigboy tmp]#

Installing the RPMs

After you have all this Linux information, you need to download and install the base, module, and interface packages. When searching for the RPMs, remember that the filename usually starts with the software package name by a version number:

kernel-wlan-ng-0.2.1-pre14.i686.rpm
kernel-wlan-ng-modules-fc1.1.2115-0.2.1-pre14.i686.rpm
kernel-wlan-ng-pci-0.2.1-pre14.i686.rpm
kernel-wlan-ng-pcmcia-0.2.1-pre14.i686.rpm

Note: There are different RPMs for PCMCIA- and PCI-based NIC cards. The base and modules RPMs need to be installed in all cases.

Notice the sequence of installation in this sample output. Double-check your preparation steps and the RPM versions if the very last line of the installation gives a result code that is not success.

[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-0.2.1-pre14.i686.rpm
Preparing...                 ##################################### [100%]
   1:kernel-wlan-ng         ##################################### [100%]
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-modules-fc1.1.2115-0.2.1-pre14.i686.rpm
Preparing...                 ##################################### [100%]
   1:kernel-wlan-ng-modules-##################################### [100%]
[root@bigboy tmp]#
 
[root@bigboy tmp]# rpm -Uvh kernel-wlan-ng-pcmcia-0.2.1-pre14.i686.rpm
Preparing...                 ##################################### [100%]
   1:kernel-wlan-ng-pci     ##################################### [100%]
Adding prism2_pci alias to /etc/modprobe.conf file...
***NOTE***  YOU MUST CHANGE THIS IF YOU HAVE A PLX CARD!!!
The default wlan0 network configuration is DHCP.  Adjust accordingly.
 
ACHTUNG!  ATTENTION!  WARNING!
   YOU MUST configure /etc/wlan/wlan.conf to define your SSID!
   YOU ALSO must configure /etc/wlan/wlancfg-SSID to match WAP settings!
       (---> replace SSID in filename with the value of your SSID)
 
If you get an error after this point, there is either a problem with
your drivers or you don't have the hardware installed!  If the former,
get help!
 
Starting WLAN Devices:message=dot11req_mibset
   mibattribute=dot11PrivacyInvoked=false
  resultcode=success
message=dot11req_mibset
   mibattribute=dot11ExcludeUnencrypted=false
  resultcode=success
[root@bigboy tmp]#

Note: If you upgrade your Linux kernel you'll have to reinstall Linux-WLAN all over again. This will also create new versions of your /etc/sysconfig/network-scripts/ifcfg-wlan0, /etc/wlan/wlan.conf and /etc/pcmcia/wlan-ng.opts files which you may have to restore from the automatically saved versions.

Linux-WLAN Post Installation Steps

After the RPMs are installed, you need to configure the new wlan0 wireless NIC to be compatible with your network.

Configure The New wlan0 Interface

Edit /etc/sysconfig/network-scripts/ifcfg-wlan0 to include these new lines:

DHCP Version           Fixed IP Version
============          =================
 
DEVICE=wlan0          DEVICE=wlan0
USERCTL=yes           IPADDR=192.168.1.100
ONBOOT=yes            NETMASK=255.255.255.0
BOOTPROTO=dhcp        ONBOOT=yes
                      BOOTPROTO=static

In the fixed IP version you also need to substitute your selected IP, netmask, network, and broadcast address with those above. Plus, make sure you have the correct gateway statement in your /etc/sysconfig/network file, for example. GATEWAY=192.168.1.1.

Disable Your Existing Ethernet NIC

You may want to disable your existing eth0 Ethernet interface after installing the drivers. Add an ONBOOT=no entry to the /etc/sysconfig/network-scripts/ifcfg-eth0 file. This disables the interface on reboot or when /etc/init.d/network is restarted.

Select the Wireless mode and SSID

All the configuration files are located in the /etc/wlan directory. The package allows your server to be connected to up to three wireless LANs. You specify the SSIDs (LAN IDs) for each wireless LAN in the /etc/wlan/wlan.conf file. In the example, I make the wlan0 interface join the homenet WLAN, as well as instruct the WLAN driver to scan all wireless channels for SSIDs.


#
# Specify all the wlan interfaces on the server
#
WLAN_DEVICES="wlan0"
 
#
# Specify whether the server should scan the network channels
# for valid SSIDs
#
WLAN_SCAN=y

#
# Specify expected SSIDs and the wlan0 interface to which it should
# be tied
#
SSID_wlan0="homenet"
ENABLE_wlan0=y

Each WLAN specified in the /etc/wlan/wlan.conf file has its own configuration file. Copy the /etc/wlan/wlancfg-DEFAULT file to a file named /etc/wlan/wlancfg-SSID (replace SSID with the actual SSID for your WAP). This line configures for the homenet SSID:

[root@bigboy wlan]# cp wlancfg-DEFAULT wlancfg-homenet

Start Linux-WLAN

Start the wlan process and test for errors in the file /var/log/messages. All the result codes in the status messages should be "success". You may receive the following error, however, which the WLAN RPM website claims is "harmless".

Error for wireless request "Set Encode" (8B2A) :
    SET failed on device wlan0 ; Function not implemented.
Error for wireless request "Set ESSID" (8B1A) :
    SET failed on device wlan0 ; Function not implemented.
 

PCI Cards - Installed Using RPMs

With PCI cards, Linux-wlan can be started by restarting the WLAN daemon.

[root@bigboy tmp]# service wlan restart
[root@bigboy tmp]# ifup wlan0

PCMCIA Cards

With PCMCIA cards, Linux-wlan can be started by restarting the Linux PCMCIA daemon.

[root@bigboy tmp]# service pcmcia restart
[root@bigboy tmp]# service network restart

Testing Linux-WLAN

Now check to see if IP address of the wlan0 interface is okay. Refer to the troubleshooting section below if you cannot ping the network's gateway.

[root@bigboy tmp]# ifconfig -a
[root@bigboy tmp]# ping <gateway-address>

Linux-WLAN WEP Encryption For Security

One of the flaws of wireless networking is that all the wireless clients can detect the presence of all available network SSIDs and have the option of joining any of them. With encryption, the client must have a membership encryption password that can also be represented as a series of Wireless Encryption Protocol (WEP) keys. The wlan.conf file (RedHat 8.0 RPMs), wlan-SSID file (RedHat 9/Fedora Core 1 RPMs), or /etc/pcmcia/wlan-ng.opts file (PCMCIA-type NICs) is also used to activate this feature.

Note: I strongly recommend that you first set up your network without encryption. Only migrate to an encrypted design after you are satisfied that the unencrypted design works correctly.

To invoke encryption, you have to set the dot11PrivacyInvoked parameter to true. You also must state which of the keys will be used as the default starting key via the dot11WEPDefaultKeyID parameter. You then have the option of either providing a key-generating string (simple password) or all four of the keys. In the example below, ketchup is the password used to automatically generate the keys.

#=======WEP===========================================
# [Dis/En]able WEP. Settings only matter if PrivacyInvoked is true
lnxreq_hostWEPEncrypt=false # true|false
lnxreq_hostWEPDecrypt=false # true|false
dot11PrivacyInvoked=true
dot11WEPDefaultKeyID=1
dot11ExcludeUnencrypted=true # true|false, in AP this means WEP
# is required for all STAs
# If PRIV_GENSTR is not empty, use PRIV_GENTSTR to generate
# keys (just a convenience)
PRIV_GENERATOR=/sbin/nwepgen # nwepgen, Neesus compatible
PRIV_KEY128=false # keylength to generate
PRIV_GENSTR="ketchup"
# or set them explicitly. Set genstr or keys, not both.
dot11WEPDefaultKey0= # format: xx:xx:xx:xx:xx or
dot11WEPDefaultKey1= # xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
dot11WEPDefaultKey2= # e.g. 01:20:03:40:05 or
dot11WEPDefaultKey3= # 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d   

Not all devices on your network will use the same algorithm method to generate the encryption keys. You may find the same generator string will not create the same keys, rendering intra-network communication impossible. If this is the case, you can use the /sbin/nwepgen program to generate the keys after you provide an easy to remember key generator string. Once you have the four sets of keys, you'll have to add them individually and in sequence to the wlan.conf, wlan-SSID or /etc/pcmcia/wlan-ng.opts file and set the PRIV_GENSTR parameter to a null string of a null string of "" (the quotes are important). Here is how you can use nwepgen to create the keys with a generator string of ketchup.

[root@bigboy tmp]# /sbin/nwepgen ketchup
64:c1:a1:cc:db
2b:32:ed:37:16
b6:cc:9e:1b:37
d7:0e:51:3f:03
[root@bigboy tmp]#

In this case your wlan.conf or wlan-SSID file would look like this:

PRIV_GENSTR=""
# or set them explicitly. Set genstr or keys, not both.
dot11WEPDefaultKey0= 64:c1:a1:cc:db
dot11WEPDefaultKey1= 2b:32:ed:37:16
dot11WEPDefaultKey2= b6:cc:9e:1b:37
dot11WEPDefaultKey3= d7:0e:51:3f:03

Remember that all devices on your network, including all wireless NICs and WAPs, need to have the same keys and default key for this to work.

De-activating Encryption

In some cases, NIC cards without full Linux-WLAN compatibility freeze up after a number of hours of working with encryption. The steps to reverse encryption are:

1. Set the configuration file parameter dot11PrivacyInvoked to false.

2. Stop Linux-WLAN, and disable the wireless wlan0 interface

[root@bigboy tmp]# service wlan stop
Shutting Down WLAN Devices:message=lnxreq_ifstate
  ifstate=disable
  resultcode=success
[root@bigboy tmp]# ifdown wlan0

3. The driver is still loaded in memory with the old encryption parameters, even though it is not active. Linux frequently loads device driver software, such as those that govern the operation of NIC cards, as modules that the kernel, or Linux master program, uses in its regular operation. Use the lsmod command to display a list of loaded modules. You'll be most interested in the modules associated with 802.11 wireless protocols, which appear here as p80211 and prism2_pci:.

[root@bigboy tmp]# lsmod
Module                  Size  Used by    Not tainted
...
...
prism2_pci             66672   1  (autoclean)
p80211                 20328   1  [prism2_pci]
...
...
[root@bigboy tmp]#

Sometimes your NIC card may use the orinoco chip set drivers instead of the prism drivers:

[root@bigboy tmp]# lsmod
Module                  Size   Used by
...
...
orinoco                45517  1 orinoco_pci
hermes                  6721  2 orinoco_pci,orinoco
...
...
[root@bigboy tmp]#

4. Now that you have identified the driver modules in memory, unload them with the rmmod command:

[root@bigboy tmp]# rmmod prism2_pci
[root@bigboy tmp]# rmmod p80211

5. Restart Linux-WLAN, reactivate the wlan0 interface, and you should be functional again:

[root@bigboy tmp]# service wlan start
Starting WLAN Devices:message=lnxreq_hostwep
  resultcode=no_value
  decrypt=false
  encrypt=false
[root@bigboy tmp]# ifup wlan0

If you fail to reload the driver modules, you'll get errors in your /var/log/messages file and your NIC card will operate in an encrypted mode only.

Jan 2 18:11:12 bigboy kernel: prism2sta_ifstate: hfa384x_drvr_start() failed,result=-110
Jan 2 18:11:18 bigboy kernel: hfa384x_docmd_wait: hfa384x_cmd timeout(1), reg=0x8021.
Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Initialize command failed.
Jan 2 18:11:18 bigboy kernel: hfa384x_drvr_start: Failed, result=-110

Troubleshooting Your Wireless LAN

Linux wireless troubleshooting tools are quite extensive and provide a variety of useful information to help you get your network working. This section covers many important strategies that will compliment the use of more conventional procedures such as scanning your /var/log/messages file.

Check The NIC Status

When using WLAN methodology, the iwconfig, iwlist, and iwspy commands can provide useful information about the status of your wireless network. Take a closer look.

The iwconfig Command

In addition to using the regular ifconfig command to check the status of your NIC, you can use the iwconfig command to view the state of your wireless network, just don't specify any parameters. Specifically, you can see such important information as the link quality, WAP MAC address, data rate, and encryption keys, which can be helpful in ensuring the parameters across your network are the same. For example:

[root@bigboy tmp]# iwconfig
eth0      IEEE 802.11-DS  ESSID:"homenet"   Nickname:"bigboy"
          Mode:Managed   Frequency:2.462GHz  Access Point: 00:09:5B:C9:19:22
          Bit Rate:11Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:98D1-26D5-AC   Security mode:restricted
          Power Management:off
          Link Quality:36/92   Signal level:-92 dBm  Noise level:-148 dBm
          Rx invalid nwid:0  Rx invalid crypt:2  Rx invalid frag:0
          Tx excessive retries:10  Invalid misc:0   Missed beacon:0
[root@bigboy tmp]#

The iwlist Command

The iwlist command can provide get further information related to not just the NIC, but the entire network, including the number of available frequency channels, the range of possible data rates, and the signal strength. This example uses the command to verify the encryption key being used by the NIC, which can be very helpful in troubleshooting security related difficulties on your network.

[root@bigboy tmp]# iwlist key
...
...
eth0      2 key sizes : 40, 104bits
          4 keys available :
                [1]: 9671-36DE-AC (40 bits)
                [2]: off
                [3]: off
                [4]: off
          Current Transmit Key: [1]
          Security mode:open
...
...
[root@bigboy tmp]#

The iwlist command can verify the speed of the NIC card being used, 11Mb/s in this case. This can be helpful in determining possible reasons for network slowness, especially as poor signal quality can result in the NIC negotiating a low bit rate with its WAP.

[root@bigboy tmp]# iwlist rate
...
...
eth0      4 available bit-rates :
          1Mb/s
          2Mb/s
          5.5Mb/s
          11Mb/s
          Current Bit Rate:11Mb/s
...
...
[root@bigboy tmp]#

For further information on the iwlist command, consult the man pages.

The iwspy Command

The iwspy command provides statistics on the quality of the link between your NIC and another wireless device on the network. It doesn't run all the time; you have to activate iwspy on your interface first. When not activated, iwspy gives a "no statistics to collect" message.

[root@bigboy root]# iwspy eth0
eth0      No statistics to collect
[root@bigboy root]#

Activation requires you to specify the target IP address and the wireless NIC interface through which it can be found.

[root@bigboy tmp]# iwspy eth0 192.168.1.1

If you use the iwspy command without the IP address it provides WLAN statistics with a typical/reference value against which it can be compared. In the example that follows the signal is considered fairly strong, with a 64/92 quality value versus a typical 36/92 value, but it could be weak by the historical values on your network. It's good to check this from time to time for fluctuations.

[root@bigboy tmp]# iwspy eth0
eth0      Statistics collected:
    00:09:5B:C9:19:22 : Quality:0  Signal level:0  Noise level:0
    Link/Cell/AP      : Quality:64/92  Signal level:-51 dBm   Noise level:-149 dBm (updated)
    Typical/Reference : Quality:36/92  Signal level:-62 dBm   Noise level:-98 dBm
[root@bigboy tmp]#

To switch off iwspy monitoring, add the off argument.

[root@bigboy root]# iwspy eth0 off

Check For Interrupt Conflicts

Devices slotted into your PCI bus are generally assigned an interrupt value by the system, which the system uses to signal its need to communicate with the device. Multiple devices on the bus can have the same interrupt, but the system will access each one using a different memory address to avoid confusion. Sometimes this automatic allocation of interrupt (IRQ) values and memory locations is flawed and overlaps do occur, causing devices to fail.

Before configuring your WLAN software, you should ensure that the wireless NIC card doesn't have an interrupt that clashes with another device in your computer. Insert the card in an empty slot in your Linux box according to the instructions in its manual, reboot, and inspect your /var/log/messages file again:

[root@bigboy tmp]# tail -300 /var/log/messages

Look carefully for any signs that the card is interfering with existing card IRQs. If there is a conflict, there will usually be a warning or "IRQ also used by ..." message. If that is the case, move the card to a different slot or otherwise eliminate the conflict by disabling the conflicting device if you don't really need it.

You should also inspect your /proc/interrupts file for multiple devices having the same interrupt

[root@bigboy tmp]# cat /proc/interrupts
11:     4639     XT-PIC     wlan0, eth0      (potentially bad)
 
[root@bigboy tmp]# cat /proc/interrupts
11:     4639     XT-PIC     wlan0            (good)
 

Interrupt conflicts are usually more problematic with old style PC-AT buses; newer PCI-based systems generally handle conflicts better. The prior (potentially bad) /proc/interrupts example came from a functioning PCI-based Linux box. It worked because, although the interrupt was the same, the base memory addresses that Linux used to communicate with the cards were different. You can check both the interrupts and base memory of your NIC cards by using the ifconfig -a command:

[root@bigboy tmp]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:08:C7:10:74:A8
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0x1820 

wlan0 Link encap:Ethernet HWaddr 00:06:25:09:6A:B5
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:215233 errors:0 dropped:0 overruns:0 frame:0
TX packets:447594 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:39394014 (37.5 Mb) TX bytes:126738425 (120.8 Mb)
Interrupt:11 Memory:c887a000-c887b000

[root@bigboy tmp]#

Kernel Errors

When you find p80211 Kernel errors in /var/log/messages, they usually point to an incorrectly configured SSID or may also be caused by a NIC card with an outdated firmware version. For example

Nov 13 22:24:54 bigboy kernel: p80211knetdev_hard_start_xmit: Tx attempt prior to association, frame dropped.

Another good source of information is the dmesg command which shows errors encountered by the kernel. In this case the firmware (microcode) for a Broadcom 43XX NIC could not be found. This was fixed by using the bcm43xx-fwcutter technique explained in this chapter.

[root@bigboy tmp]# dmesg
...
...
bcm43xx: PHY connected
bcm43xx: Error: Microcode "bcm43xx_microcode5.fw" not available or load failed.
bcm43xx: core_up for active 802.11 core failed (-2)
[root@bigboy tmp]#

Can't Ping Default Gateway

If you can't ping the default gateway, first check for kernel log errors.

If there are no errors in /var/log/messages and you can't ping your gateways or obtain an IP address, then check your /etc/sysconfig/network-scripts/ configuration files for a correct IP configuration and your routing table to make sure your routes are OK. You can also check to see if your Linux box is out or range of the WAP using the iwconfig command.

"Unknown Device" Errors

Look for "unknown device" or "no such device" errors in your log files or on your screen during installation or configuration. These may be caused by:

  • A NIC card that hasn't been correctly inserted in the PCI slot
  • Incompatible hardware.

For example, you might see incompatible hardware errors in /var/log/messages:

00:0c.0 Network controller: BROADCOM Corporation: Unknown device 4301 (rev01)
Subsystem: Unknown device 1737:4301
Flags: bus master, fast devsel, latency 64, IRQ 5
Memory at f4000000 (32-bit, non-prefetchable) [size=3D8K]
Capabilities: [40] Power Management version 2

Or, you might see errors on the screen:

Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-14/net/prism2_pci.o: init_module: No such device
Dec 1 01:28:14 bigboy insmod: Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters. You may find more information in syslog or the output from dmesg
Dec 1 01:28:14 bigboy insmod: /lib/modules/2.4.18-14/net/prism2_pci.o: insmod wlan0 failed

Hermes Chipset Errors

I have seen cases where Linux compatible NIC cards with the Hermes chipset fail to respond after the system has been running for a few days with errors in the /var/log/messages file similar to these.

May  7 22:26:26 bigboy kernel: hermes @ e0854000: BAP0 offset timeout: reg=0x8044 id=0xfc80 offset=0x0
May  7 22:26:26 bigboy kernel: eth1: Error -110 setting multicast list.
May  7 22:26:26 bigboy avahi-daemon[1701]: Withdrawing address record for 216.10.119.243 on eth1.
May  7 22:26:26 bigboy avahi-daemon[1701]: Leaving mDNS multicast group on interface eth1.IPv4 with address 216.10.119.243.
May  7 22:26:26 bigboy avahi-daemon[1701]: IP_DROP_MEMBERSHIP failed: No such device
May  7 22:26:26 bigboy avahi-daemon[1701]: iface.c: interface_mdns_mcast_join() called but no local address available.
May  7 22:26:26 bigboy avahi-daemon[1701]: Interface eth1.IPv4 no longer relevant for mDNS.
May  7 22:26:27 bigboy kernel: hermes @ e0854000: Timeout waiting for command 0x0002 completion.
May  7 22:26:27 bigboy kernel: eth1: Error -110 disabling MAC port
May  7 22:26:31 bigboy kernel: hermes @ e0854000: ng Error -16 issuing command 0x0021.
May  7 22:26:31 bigboy kernel: hermes @ e0854000: Error -16 issuing command 0x0021.
May  7 22:26:31 bigboy kernel: eth1: Error -110 setting MAC address
May  7 22:26:31 bigboy kernel: eth1: Error -110 configuring card

Connectivity is usually only restored after a reboot. The best solution to the problem has been to either use ndiswrapper or replace the NIC with a truly compatible device.

Broadcom SoftMac Errors

If your configuration is correct, and your NIC fails to work while adding repeated failed SoftMAC authentication requests messgaes to your /var/logs/messages file, as seen here, you may have a Linux incompatibility issue with your NIC.

May 15 20:02:04 bigboy kernel: bcm43xx: set security called, .level = 0, .enabled = 0, .encrypt = 0
May 15 20:02:04 bigboy kernel: bcm43xx: set security called, .level = 0, .enabled = 0, .encrypt = 0
May 15 20:02:04 bigboy kernel: bcm43xx: set security called, .level = 0, .enabled = 0, .encrypt = 0
May 15 20:02:04 bigboy kernel: bcm43xx: set security called, .level = 0, .enabled = 0, .encrypt = 0
May 15 20:02:04 bigboy kernel: bcm43xx: set security called, .level = 0, .enabled = 0, .encrypt = 0
May 15 20:02:04 bigboy kernel: SoftMAC: Scanning finished: scanned 14 channels starting with channel 1
May 15 20:02:04 bigboy kernel: SoftMAC: Queueing Authentication Request to 00:18:39:ea:5c:ac
May 15 20:02:04 bigboy kernel: SoftMAC: Cannot associate without being authenticated, requested authentication
May 15 20:02:04 bigboy kernel: SoftMAC: Sent Authentication Request to 00:18:39:ea:5c:ac.
May 15 20:02:04 bigboy kernel: SoftMAC: generic IE set to dd160050f20101000050f20201000050f20201000050f202
May 15 20:02:04 bigboy kernel: SoftMAC: Already associating or associated to 00:18:39:ea:5c:ac
May 15 20:02:04 bigboy kernel: SoftMAC: Open Authentication completed with 00:18:39:ea:5c:ac
May 15 20:02:04 bigboy kernel: SoftMAC: sent association request!
May 15 20:02:04 bigboy kernel: SoftMAC: associated!
May 15 20:02:04 bigboy kernel: SoftMAC: Associate: Scanning for networks first.

Try using ndiswrapper as a quick solution to this problem.

ndiswrapper Errors

There are a number of common errors that can occur with the use of ndiswrappers. Here are some common examples.

CONFIG_4KSTACKS errors During Installation

Sometimes your ndiswrapper installation will give CONFIG_4KSTACKS errors, like the one that follows, due to a kernel incompatibility:

*** WARNING: Kernel seems to have 4K size stack option (CONFIG_4KSTACKS) removed; many Windows
drivers will need at least 8K size stacks. You should read wiki about 4K size stack issue. Don't
complain about crashes until you resolve this.
...
...
[root@bigboy ndiswrapper-1.16]#

This is common with default Fedora installations, and ndiswrapper may work perfectly with this limitation. If you had no CONFIG_4KSTACKS type errors or are willing to test ndiswrapper even though they exist, then you can proceed with your installation in the normal fashion. The following steps will show you how to recover from this error cleanly.

1. The ndiswrapper website lists websites at the following URL from which you can download kernels with larger 16K stacks. This will be faster than creating your own.

http://ndiswrapper.sourceforge.net/mediawiki/index.php/Fedora

Remember to download a kernel that matches your system architecture and kernel version. This can be ascertained using the uname -a command. Here our system is running Fedora Core 5 kernel version 2.6.16-1.2122 on an i686 platform.

[root@bigboy linux]# uname -rp
2.6.16-1.2122_FC5 i686
[root@bigboy linux]#

If you choose to download the purpose built kernel then do so. Install the RPM, reboot and then continue to the section, "Installing and Configuring ndiswrapper".

If you decide to create your own kernel, then follow the next steps.

2. You have reached this step because you have decided to recompile your kernel. It is not a difficult process, there are only a few steps, but the compilation time can be lengthy. The first step is to install the kernel source files. This is covered in Chapter 33, "Modifying the Kernel to Improve Performance".

3. After installing the sources, you'll have to prepare for compiling a new kernel customized for use with ndiswrapper. The first step is to clean up any temporary files that may have existed from any previous compilations you may have done by using the make mrproper command. You'll then need to use the make oldconfig command to create a default version of the .config file Linux will use in compiling your new customized kernel.

[root@bigboy tmp]# cd /usr/src/linux
[root@bigboy linux]# make mrproper
[root@bigboy linux]# make oldconfig

4. Edit the .config file and set the CONFIG_4KSTACKS variable to "n".

[root@bigboy linux]# vi .config

#
# File: /usr/src/linux/.config
#

#CONFIG_4KSTACKS=y
CONFIG_4KSTACKS=n

[root@bigboy linux]#

5. The kernel compilation process also reads the file Makefile to determine the new name of the kernel to be used. The EXTRAVERSION variable in this file adds a suffix to the kernel name to help you track version numbers. Edit Makefile and set the EXTRAVERSION to -ndis-stk16 so that the new kernel will be easily identifiable as a version that supports ndiswrapper.

[root@bigboy linux]# vi Makefile

#
# File: /usr/src/linux/Makefile
#

EXTRAVERSION = -ndis-stk16

[root@bigboy linux]#

6. Compile the kernel and its modules with the following series of make commands. Make sure they finish without error and remember that this can be a lengthy process.

[root@bigboy linux]# make; make modules_install; make install

7. If you installed a new version of the kernel, you'll now have to ensure that your system selects the correct kernel version when it reboots. This will require you to edit the /etc/grub.conf file as outlined in Chapter 33, "Modifying the Kernel to Improve Performance".

8. Shutdown your system, install the NIC card and boot up. The system will now load your new kernel which you can verify with the uname command.

[root@bigboy linux]# uname -r
2.6.16-ndis-stk16
[root@bigboy linux]#

9. If you installed a new version of the kernel and your system fails to reboot correctly, refer to the "Kernel Crash Recovery" section of Chapter 33, "Modifying the Kernel to Improve Performance" for help. When you get your system to reboot correctly, revise your installation steps and make sure you had originally installed the correct version.

With your new kernel running, its time to reinstall and configure ndiswrapper.

Incorrect Driver

Using an incorrect driver will cause errors to be displayed when you run the dmesg command. Here is a simple error message in which part of th edriver initialization process failed:

[root@bigboy tmp]# 
...
...
...
wlan0: ndiswrapper ethernet device 00:06:25:1b:b2:a9 using driver wmp11v27, 14E4:4301:1737:4301.5.conf
ndiswrapper (set_auth_mode:702): setting auth mode to 3 failed (C0010015)
[root@bigboy tmp]#

The best way to fix this is to obtain the correct driver, unload the ndiswrapper module from memory, uninstall the old driver, install the new driver and then reload ndiswrapper. Here are the steps with the necessary commands:

1. Download the driver package from the correct source and extract the contents to your Linux system. 2. Verify that the ndiswrapper module has been loaded using the lsmod command, and then remove it from memory using the rmod command.

[root@bigboy tmp]# lsmod
 Module                  Size  Used by
 ...
 ...
 ndiswrapper           145584  0 
 ipv6                  225504  16 
 autofs4                19204  1 
 [root@bigboy tmp]# rmmod ndiswrapper

3. Get a listing of the installed drivers using the ndiswrapper command with the -l flag, and then remove the desired driver using the ndiswrapper -e flag.

[root@bigboy tmp]# ndiswrapper -l
Installed drivers:
wmp11v27                driver installed, hardware present 
[root@bigboy tmp]# ndiswrapper -e wmp11v27 
[root@bigboy tmp]# 

4. Install the new driver with the ndiswrapper -i flag and verify that the driver was loaded with the ndiswrapper -l flag.

[root@bigboy tmp]# ndiswrapper -i bcmwl5.inf
Installing bcmwl5
[root@bigboy tmp]# ndiswrapper -l
Installed drivers:
bcmwl5          driver installed, hardware present 
[root@bigboy tmp]#

5. Use modprobe to reload the ndiswrapper module into memory.

[root@bigboy tmp]# modprobe ndiswrapper

6. Finally, verify that there were no loading problems with the dmesg command. If there weren't any, configure your wlan0 interface like any other Linux NIC interface on your system.

It is always a good idea to use the correct drivers to reduce the risk of installation failure. Fortunately this recovery procedure should get your system to function correctly.

NICs that are Incompatible with ndiswrapper

The ndiswrapper module works by assuming that the Linux operating system does not recognize the NIC card. If Linux does recognize the card, then ndiswrapper won't load correctly. The ndiswrapper -l command will list installed drivers, there will be ndiswrapper entries in the /var/log/messages file but the dmesg command won't mention the status of the ndiswrapper module loading process at all and activating the wlan0 interface will fail.

[root@bigboy tmp]# ifup wlan0
ndiswrapper device wlan0 does not seem to be present, delaying initialization.
[root@bigboy tmp]# ndiswrapper -l
Installed drivers:
netma311                driver installed, hardware present 
[root@bigboy tmp]# dmesg | grep ndiswrapper
[root@bigboy tmp]#

The previous example shows these symptoms when using ndiswrapper with a Linux compatible Netgear ma311 NIC.

A Common Problem With Linux-WLAN And Fedora Core 1

In older versions of Fedora Core 1, the operating system will auto-detect Linux-WLAN-compatible NIC cards and enter a line similar to.

alias      eth2       orinoco_pci

in the /etc/modprobe.conf file. In other words, it detects them as an Ethernet eth device instead of a WLAN wlan device.

This seems to conflict with the WLAN RPMs, and you'll get errors like this when starting Linux-WLAN:

Starting WLAN Devices: /etc/init.d/wlan: line 119: Error: Device wlan0 does not seem to be present.: command not found
/etc/init.d/wlan: line 120: Make sure you've inserted the appropriate: command not found
/etc/init.d/wlan: line 121: modules or that your modules.conf file contains: command not found
/etc/init.d/wlan: line 122: the appropriate aliase(s).: command not found

You can fix the problem with the proper steps. This example refers to a compatible Orinoco chipset card:

Use the following steps to fix the problem. The example below refers to a compatible Orinoco chipset card. The intention of this procedure is to remove all reference to the Orinoco driver in the Linux configuration files and then force the Linux new hardware detection program, named "kudzu", not to configure the NIC card according to the Linux defaults. The "eth" device will be recreated, but the "ignore" option provided to kudzu will prevent the Orinoco entry in the /etc/modprobe.conf from being reinserted, preventing conflict with the Linux-WLAN package's "wlan" device.

  1. Remove the orinoco_pci line from the /etc/modprobe.conf file. Do not remove the entry for device wlan0.
  2. Edit your /etc/sysconfig/hwconf file, search for orinoco_pci, and remove the orinoco_pci section that refers to your wireless card. (Each section starts and ends with a single - on a new line.)
  3. Reboot.
  4. The Linux boot process always runs kudzu, the program that detects new hardware. Kudzu detects the wireless card and asks whether you want to configure it. Choose ignore. This will reinsert the wireless card in the /etc/sysconfig/hwconf file, but not in the /etc/modprobe.conf file.
  5. Your NIC card should start to function as expected as device wlan0 when you use the ifconfig -a command. Configure the IP address, and activate the NIC as shown earlier in this chapter. Remove the orinoco_pci line from the /etc/modprobe.conf file. DO NOT remove the entry for device wlan0.

The procedure removes all reference to the Orinoco driver in the Linux configuration files and then forces kudzu not to configure the NIC card according to the Linux defaults. The eth device will be recreated, but the ignore option provided to kudzu will prevent the Orinoco entry in the /etc/modprobe.conf from being reinserted, preventing conflict with the Linux-WLAN package's wlan device.

Wireless Networks In Businesses

Sometimes implementing a wireless network inside a business place becomes necessary. Visiting managers may need a quick connection in a conference room; sales people sharing cubicles my need it as the number of work spaces get exhausted. Perhaps someone is going to set one up on your network anyway, you might as well control this from the beginning.

Apart from people who download infected software and e-mail attachments, mobile employees' notebook computers are usually viewed as a high risk source of unintentional malicious activity as there is even less control over what these employees do than those with fixed workstations. With this in mind, it is usually best to isolate this type of wireless network completely from your internal, trusted, and wired one. Some types of network architectures make the wireless router only have access to the Internet, and no where else, via its own dedicated DSL line. The wireless users then have to use some form of a VPN client to gain access to the office servers just as if they were doing so from home. To reduce the risk of the network being hijacked, be sure to encrypt the traffic and use a proxy server running such software as Squid (see Chapter 32, "Controlling Web Access with Squid") to limit Internet access to authorized users via some form of pop-up username and password authentication. With this sort of architecture, if the wireless network gets hijacked, your office systems should remain relatively safe.

Many WAPs have the option of not advertising their ESSIDs which prevents users from browsing around to select the nearest available WLAN. Activation of this feature can be inconvenient to users as wireless clients will need to know the predefined ESSID to gain LAN access, but it more importantly reduces the risk of an outsider connecting to your wireless LAN by roaming the airwaves for an available WAP.

There are many other types of wireless methodologies. Please investigate a variety of options before coming to a final conclusion.

Conclusion

With the knowledge gained in the chapters in Part 1 of the book you will be able to configure a Linux file and DHCP server on small network with relative ease. Part 2 will explore the possibility of making your server also become the core of your self-managed dedicated Web site.