Wireless and Fedora Core 2 at UVA

From UVA Linux Users Group

General notes on the cisco card and FC2

(Note: As of 2009, the current Fedora is Fedora 10.)

FC2, at least in its early iterations, broke the basic functionality of the cisco 350 and possibly other wireless cards. There seem to be problems with the way neat and/or kudzu set up the /etc/sysconfig files.

The good news is that the newer versions of the kernel (for me currently, 2.6.8-1.521) apparently support the latest versions of the cisco firmware, so there is no need to backflash cards any more. Bad news is there are still bugs in the released Cisco airo.c driver that cause problems in eap-tls (see eap-tls section for info about patched versions of airo.c driver and xsupplicant). Other kernel-supported cards may work as is.

Fixing your sysconfig files: For me, kudzu had first placed a bogus HWADDR in my sysconfig files and then did not create ifcfg-eth1, which was apparently required by several networking pieces, notably dhclient. I can't claim this is the best or even the correct solution, but I created ifcfg-eth1 by hand and put it in /etc/sysconfig/network-scripts, /etc/sysconfig/networking/devices, and /etc/sysconfig/networking/profiles/default. I'd be happy to hear from others who have other or more correct solutions or who let me know that this has been fixed and is no longer a problem in FC2. For completeness, here is my ifcfg-wifi0.

If you're in doubt about what eth your wireless card should be (eth0, eth1, etc), run iwconfig with your card in; it'll tell you.

Wahoo

Basically, if you read section 1 and have your cisco card working properly, you just need to specify ESSID=wahoo in your sysconfig ifcfg files to have things work. ESSID= or ESSID=any used to work, but in most areas now wahoo is non-broadcast, and cards won't find it unless it is specified.

Cavalier

This is a little trickier, and didn't work for my cisco 350 card until I got a patch for the airo driver and a backported patch for xsupplicant 1.0.1 (thanks very much to Fabrice Bellet and Dan Streetman). See below for more on this. It may work more easily for other kernel-supported cards.

Get xsupplicant 1.0.1 or better from http://www.open1x.org. When I checked, the rpms available griped about my (newer) copy of openssl, so I compiled the source version. Just ./configure; make; make install (three commands, separate lines, of course).

To get a UVA personal certificate in the first place, go to http://www.itc.virginia.edu/desktop/vpn/shared/getCert.html. I already had a certificate in Windows which I wanted to reuse, so I exported it from Internet Explorer in Windows using Tools/Internet Options/Content/Certificates, selecting the personal certificate I wanted, and exporting (WITH private key). I exported using the PKCS 12 format which allows you to get all the certificates in the cert chain (which you need to do when asked). When I moved it to Linux, I changed the PKCS 12 file to a ".pem" file with the openssl command:

openssl pkcs12 -in uvastandardAssurance.pfx -out uvastandardassurance.pem

If you want to break up your certs into root, intermediate certs, and personal keys, you can do it like this.

Now you want to set up your /etc/xsupplicant.conf file. My file minus password is here, but the contents are:

#***GLOBAL SECTION***
#  To see all sections with full options, see example xsupplicant.conf that comes with xsupplicant
network_list = cavalier
default_netname = cavalier

# xsupplicant 1.0.1 will crash if we don't put SOMETHING here.  We do all our setup
# in calling script cavsetup.sh, since these commands will be deprecated in future versions of xsupplicant

startup_command = <BEGIN_COMMAND>/bin/echo xsupplicant started<END_COMMAND>
first_auth_command = <BEGIN_COMMAND>/bin/echo authenticated..<END_COMMAND>
reauth_command = <BEGIN_COMMAND>/bin/echo "authenticated user %i"<END_COMMAND>

logfile = /var/log/xsupplicant.log


#auth_period = 30
#held_period = 30
#max_starts = 3

allow_interfaces = eth1,wifi0

# eth0 is my wired connection
deny_interfaces = eth0

###      NETWORK SECTION

cavalier
{
  type = wireless
  allow_types = eap_tls
  identity = <BEGIN_ID>ghp5h<END_ID>

  eap_tls {
     user_cert = /home/gpayne/standardassurance.pem
     user_key  = /home/gpayne/standardassurance.pem
     user_key_pass = <BEGIN_PASS>yourprivatekeypasswordhere<END_PASS>
     root_cert = /home/gpayne/standardassurance.pem
     chunk_size = 1398
     random_file = /dev/urandom

     # To enable TLS session resumption, you need to set the following
     #     value to "yes".  By default, session resumption is disabled.
     #session_resume = yes
  }
}
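
Added example (not from the original page): one way to split the exported PKCS 12 bundle into separate user certificate, CA chain and private key files, as mentioned above, and to check that the key file and /etc/xsupplicant.conf (which holds the key passphrase in clear text) are not accessible to other users. The output file names and the P12_PASS / KEY_PASS environment variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the page author's script. Output names are hypothetical.
# Passphrases come from the environment variables P12_PASS and KEY_PASS
# (openssl "env:" form) so they never appear on the command line.

# split_p12 <bundle.pfx> <outdir>
# Writes user cert, CA chain and private key as separate owner-only PEM files.
split_p12() {
    p12=$1; out=$2
    (
        umask 077                      # new files 0600, new directories 0700
        mkdir -p "$out" || exit 1
        # Personal (client) certificate only, no key material
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys \
            -out "$out/user_cert.pem" || exit 1
        # Root and intermediate certificates only
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
            -out "$out/ca_chain.pem" || exit 1
        # Private key only, re-encrypted under KEY_PASS
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts \
            -passout env:KEY_PASS -out "$out/user_key.pem" || exit 1
    )
}

# loose_perms <file>...
# Prints every file that group or other can read, write or execute
# (a missing file is reported too) and returns non-zero if any was found.
loose_perms() {
    rc=0
    for f in "$@"; do
        # Characters 5-10 of the ls mode string are the group and other bits
        bits=$(ls -ld -- "$f" 2>/dev/null | cut -c5-10)
        [ "$bits" = "------" ] || { echo "$f"; rc=1; }
    done
    return $rc
}
```

After setup, running loose_perms on /etc/xsupplicant.conf and the PEM files should print nothing; any path it prints needs chmod 600.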

To start up xsupplicant/eap-tls, I use a simple script, cavsetup.sh (make sure to chmod +x). I do it this way because I like to let my laptop boot onto the (unencrypted) wahoo network for ease of use with Kismet and whatnot, and then start eap-tls when appropriate. Please note that my wireless interface (eth1) is hard-coded here and in the xsupplicant.conf. Paths to executables are also hard-coded. Change as appropriate to you. If you write a better and more flexible script, let me know, I'll post it here. You may want to put some version of cavsetup.sh in /etc/rc.d/init.d or somewhere if you want to go straight into cavalier on bootup. Anyway, here's my cavsetup.sh:

#!/bin/bash

/bin/echo setting up eth1 for cavalier...
# Stop any running DHCP client and supplicant, then release the old lease
killall dhclient xsupplicant
/sbin/dhclient -r eth1
sleep 1
/sbin/ifconfig eth1 down
/sbin/iwconfig eth1 essid cavalier key 00000000
# We're now associated & encrypted, bring network up and start dhclient in background.
# Will block otherwise
/sbin/ifconfig eth1 allmulti up &
/usr/local/sbin/xsupplicant -i eth1 &
/sbin/dhclient eth1 &


Now, finally to test things, run

./cavsetup.sh

Run ifconfig and verify you have a 172.16 address.

And miraculously, if you have a cisco 350 card, it doesn't work! To fix it, you need to see the cisco patches. Without the patches, the cisco card endlessly reauthenticates because the card resets when the keys are changed, which it shouldn't. Many other cards should work as-is, including possibly other cisco cards. If you have comments/corrections to this doc, please let me know.

gpayne @virginia. edu

Notes on airo.c driver and this bug:

http://sourceforge.net/mailarchive/forum.php?thread_id=5485701&forum_id=21720

More on airo.c

Fabrice Bellet's docs on recent patches (which have been incorporated in airo.c)

http://bellet.info/laptop/t40.html#wireless
