Wpa supplicant

From Gentoo Wiki
Jump to:navigation Jump to:search
This page is a translated version of the page Wpa supplicant and the translation is 66% complete.
Outdated translations are marked like this.
Other languages:
English • ‎русский • ‎中文(中国大陆)‎ • ‎日本語

Warning: Display title "wpa_supplicant" overrides earlier display title "Wpa supplicant".

wpa_supplicant 是 一个处理网络认证的 wifi 请求者程序(supplicant)。

安装

作为前提条件,无线支持可能需要在内核中激活在IEEE_802.11中介绍的内容,以及必要的 无线设备驱动[1]

USE 标记

USE flags for net-wireless/wpa_supplicant IEEE 802.1X/WPA supplicant for secure wireless transfers

ap Add support for access point mode
bindist Flag to enable or disable options for prebuilt (GRP) packages (eg. due to licensing issues)
broadcom-sta Flag to help users disable features not supported by broadcom-sta driver
dbus Enable dbus support for anything that needs it (gpsd, gnomemeeting, etc)
eap-sim Add support for EAP-SIM authentication algorithm
eapol-test Build and install eapol_test binary
fasteap Add support for FAST-EAP authentication algorithm
fils Add support for Fast Initial Link Setup (802.11ai)
hs2-0 Add support for 802.11u and Passpoint for HotSpot 2.0
libressl Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
macsec Add support for wired macsec
mbo Add support Multiband Operation
mesh Add support for mesh mode
p2p Add support for Wi-Fi Direct mode
privsep Enable wpa_priv privledge separation binary
ps3 Add support for ps3 hypervisor driven gelic wifi
qt5 Add support for the Qt 5 application and UI framework
readline Enable support for libreadline, a GNU line-editing library that almost everyone wants
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
smartcard Add support for smartcards
tdls Add support for Tunneled Direct Link Setup (802.11z)
uncommon-eap-types Add support for GPSK, SAKE, GPSK_SHA256, IKEV2 and EKE
wimax Add support for Wimax EAP-PEER authentication algorithm
wps Add support for Wi-Fi Protected Setup
Data provided by the Gentoo Package Database · Last update: 2020-02-18 14:49 More information about USE flags

Emerge

检查了 USE 标记之后,使用 Portage 的 emerge 命令安装 net-wireless/wpa_supplicant

root #emerge --ask net-wireless/wpa_supplicant

配置

文件

全局

对于单一无线接口的使用,只需要一个配置文件。 默认情况下该文件不存在,可以从 /usr/share/doc/${P}/wpa_supplicant.conf.bz2 复制一个配置文件模板,其中 P 变量的值是当前 emerge 的 Wpa supplicant 的名称和版本:

FILE /etc/wpa_supplicant/wpa_supplicant.conf
# 允许 “wheel” 组中的用户控制 wpa_supplicant
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
 
# 使 wpa_gui / wpa_cli 对此文件可写
update_config=1

为了允许非特权用户使用 wpa_gui / wpa_cli 控制连接,确保用户在 wheel 用户组中。

This file does not exist by default; a well documented template configuration file can be copied from /usr/share/doc/${P}/wpa_supplicant.conf.bz2 where the value of the P variable is the name and version of the currently emerged wpa_supplicant:

root #bzless /usr/share/doc/${P}/wpa_supplicant.conf.bz2 > /etc/wpa_supplicant/wpa_supplicant.conf

Setup wired 802.1X

It's possible to have wired connections handled via wpa_supplicant, which is useful for networks using 802.1X. Create a separate configuration file containing the wired configuration. Below example use certificates for authentication, check the wpa_supplicant.conf man page for examples of other methods.

FILE /etc/wpa_supplicant/wpa_supplicant_wired.conf
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=0
fast_reauth=1
 
network={
	key_mgmt=IEEE8021X
	eap=TLS
	identity="COMPUTERAACT$@DOMAIN"
	ca_cert="/etc/wpa_supplicant/ca.pem"
	client_cert="/etc/wpa_supplicant/COMPUTERACCT.pem"
	private_key="/etc/wpa_supplicant/COMPUTERAACT.key"
	private_key_passwd="secret_password"
	eapol_flags=0
}

Since the configuration file contains sensitive information, chmod accordingly.

root #chmod 600 /etc/wpa_supplicant/wpa_supplicant_wired.conf

wpa_supplicant needs some extra parameters to apply above configuration to the wired interface (eth0) Note that below wpa_supplicant arguments assumes wpa_supplicant is version >=2.6-r2 (-M, CONFIG_MATCH_IFACE=y)

FILE /etc/conf.d/wpa_supplicant
wpa_supplicant_args="-ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant_wired.conf -M -c/etc/wpa_supplicant/wpa_supplicant.conf"

Let wpa_supplicant handle start/stop of the interfaces by removing them from /etc/init.d and enabling the wpa_supplicant daemon

root #/etc/init.d/net.eth0 stop
root #/etc/init.d/net.wlan0 stop
root #rm /etc/init.d/net.wlan0 /etc/init.d/net.eth0
root #rc-update add wpa_supplicant
root #/etc/init.d/wpa_supplicant start

Check the status of the wired interface via wpa_cli

root #wpa_cli 
wpa_cli v2.8
Copyright (c) 2004-2019, Jouni Malinen <j@w1.fi> and contributors
 
This software may be distributed under the terms of the BSD license.
See README for more details.
 
 
Selected interface 'p2p-dev-wlan0'
 
Interactive mode
 
> interface eth0
Connected to interface 'eth0.
> status
bssid=00:00:00:00:00:00
freq=0
ssid=
id=0
mode=station
pairwise_cipher=NONE
group_cipher=NONE
key_mgmt=IEEE 802.1X (no WPA)
wpa_state=COMPLETED
ip_address=10.10.10.100
p2p_device_address=bb:bb:bb:bb:bb:bb
address=aa:aa:aa:aa:aa:aa
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1
EAP TLS cipher=ECDHE-RSA-AES256-SHA
...

Setup the network manager

Important
网络管理器中列出的解决方案通常不能一起使用。确保一次仅运行其中一项服务。启动多个网络管理服务将导致不可预期的结果

请务必选择相应的设置。

设置为 dhcpcd 的网络管理器

Emerge wpa_supplicant (Version >=2.6-r2 is needed in order to get the CONFIG_MATCH_IFACE option added in April 2017.)

root #emerge --ask net-wireless/wpa_supplicant

Complete its conf.d file with the -M option for the wireless network interface:

FILE /etc/conf.d/wpa_supplicant
wpa_supplicant_args="-B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"

In case authentication for the wired interface is needed this configuration file should look like

FILE /etc/conf.d/wpa_supplicant
wpa_supplicant_args="-ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant_wired.conf -B -M -c/etc/wpa_supplicant/wpa_supplicant.conf"

With the configuration done, run it as a service:

root #rc-update add wpa_supplicant default
root #rc-service wpa_supplicant start


In case the deprecated WEXT driver is needed, changing the wireless driver can help resolve cases where it associates then immediately disconnects with reason 3. Run wpa_supplicant -h to see a list of the available drivers that were built at compile-time.

FILE /etc/conf.d/wpa_supplicant将驱动程序设置为 wext
wpa_supplicant_args="-D wext"

在Gentoo 中设置 net.* 脚本

告诉网络脚本使用 wpa_supplicant:

FILE /etc/conf.d/net
modules_wlan0="wpa_supplicant"
config_wlan0="dhcp"

完成下面的配置后,最好更改权限,确保使用计算机的任何人都不能以明文形式查看WiFi密码:[2]

root #chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf

使用

使用 wpa_gui

The simplest way to use wpa_supplicant is by using its interface called wpa_gui. To enable it, build wpa_supplicant with the qt5 USE flag enabled.

使用 wpa_cli

Wpa_supplicant also has a command-line user interface. Typing wpa_cli starts its interactive mode with tab-completion. Typing help at this prompt will list the commands available (click "Expand" to view the output for the wpa_cli command below):

root #echo "update_config=1" >>/etc/wpa_supplicant/wpa_supplicant.conf
root #wpa_cli 
wpa_cli v2.5
 Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors
 
 This software may be distributed under the terms of the BSD license.
 See README for more details.
 
 
 Selected interface 'wlan0'
 
 Interactive mode
 
 > scan
 OK
 > scan_results
 bssid / frequency / signal level / flags / ssid
 01:23:45:67:89:ab       2437    0       [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][ESS]    hotel-free-wifi
 > add_network
 0
 > set_network 0 ssid "hotel-free-wifi"
 OK
 > set_network 0 psk "password"
 OK
 > enable_network 0
 OK
 <3>CTRL-EVENT-SCAN-RESULTS 
 <3>WPS-AP-AVAILABLE 
 <3>Trying to associate with 01:23:45:67:89:ab (SSID='hotel-free-wifi' freq=2437 MHz)
 <3>Associated with 01:23:45:67:89:ab
 <3>WPA: Key negotiation completed with 01:23:45:67:89:ab [PTK=CCMP GTK=TKIP]
 <3>CTRL-EVENT-CONNECTED - Connection to 01:23:45:67:89:ab completed [id=0 id_str=]
 > save_config 
 OK
 > quit

更多有关与如何连接的详细信息,可以在 Arch Linux Wiki 中找到。[3]

使用 wpa_passphrase

wpa_supplicant 包括一个工具,这个工具可以从命令行快速写入带有预共享密钥(PSK 又称密码)网络的网络块,wpa_passphrase

root #wpa_passphrase <ssid> [passphrase]

其中 SSID 必须输入。但如果省略了 passphrase ,可以在出现提示时输入密码。

输出的结果可以复制或使用管道命令输出到 /etc/wpa_supplicant/wpa_supplicant.conf.

手动编辑

当然,/etc/wpa_supplicant/wpa_supplicant.conf 配置文件也能手动编辑。但是,如果计算机需要连接到许多不同的接入点,这会很耗时费力。

示例可以在 man 5 wpa_supplicant.conf/usr/share/doc/wpa_supplicant-2.4-r3/wpa_supplicant.conf.bz2 中找到。

WPA2 with wpa_supplicant

Connecting to any wireless access point serving YourSSID

FILE /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#ap_scan=0
#update_config=1
 
network={
        ssid="YourSSID"
        psk="your-secret-key"
        scan_ssid=1
        proto=RSN
        key_mgmt=WPA-PSK
        group=CCMP TKIP
        pairwise=CCMP TKIP
        priority=5
}

Using bssid to specify which access point it should connect to using its MAC address, in case there are repeaters in place. Remember to use wpa_passphrase <ssid> [passphrase] to generate the psk

FILE /etc/wpa_supplicant/wpa_supplicant.conf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=1
 
network={
        bssid=00:50:17:31:1a:11
        ssid="YourSSID"
        psk="your-secret-key"
        scan_ssid=1
        proto=RSN
        key_mgmt=WPA-PSK
        group=CCMP TKIP
        pairwise=CCMP TKIP
        priority=5
}

自动连接到任何不安全的网络

FILE /etc/wpa_supplicant/wpa_supplicant.conf
network={
        key_mgmt=NONE
        priority=-999
}

故障排除

如果它不能像你预期的那样运行,请尝试下面的一些操作并分析输出。

检索已知 bug

以调试模式运行 wpa_supplicant

区别已停止所有运行的请求者 (supplicant) 实例:

root #killall wpa_supplicant

Something like the following options can be used for debugging (click "Expand" to view the output below):

root #wpa_supplicant -Dnl80211 -iwlan0 -C/var/run/wpa_supplicant/ -c/etc/wpa_supplicant/wpa_supplicant.conf -dd 
wpa_supplicant v2.2
random: Trying to read entropy from /dev/random
Successfully initialized wpa_supplicant
Initializing interface 'wlp8s0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'nl80211' ctrl_interface '/var/run/wpa_supplicant' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='DIR=/var/run/wpa_supplicant GROUP=wheel'
update_config=1
Line: 6 - start of a new network block

启用日志

在 Gentoo 中启用 net.* 脚本日志

FILE /etc/conf.d/net在Gentoo 中设置 net.* 脚本
modules_wlan0="wpa_supplicant"
wpa_supplicant_wlan0="-Dnl80211 -d -f /var/log/wpa_supplicant.log"
config_wlan0="dhcp"

Now, within one terminal issue a tail command to monitor output and restart the net.wlan0 device in another:

root #tail -f /var/log/wpa_supplicant.log
root #/etc/init.d/net.wlan0 restart

参考

  1. bug #623014
  2. bug #264000
  3. https://wiki.archlinux.org/index.php/WPA_supplicant#Connecting_with_wpa_cli

另请参阅

  • iwd — an up-and-coming wireless daemon for Linux. iwd 是计划替代wpa_supplicant 的产品。

外部资源

Retrieved from "https://wiki.gentoo.org/index.php?title=Wpa_supplicant/zh-cn&oldid=883362"