problems with zydas
John H.
mistamaila
Wed Dec 21 07:50:31 PST 2005
it seems i simply cannot keep wpa supplicant from locking things up
unless i use ap_scan=0. 1 and 2 both lock things up after use.
On 12/20/05, John H. <mistamaila at gmail.com> wrote:
> Sheesh, why is it so hard to get this working with WPA? It works fine
> without. I followed the instructions as per this page.
> http://ubuntuforums.org/archive/index.php/t-92327.html
> on my fedora core 4 machine
>
> here is my /etc/wpa_supplicant.conf. Now I set the essid manually,
> then issue the command
> wpa_supplicant -Bw -i wlan0 -c /etc/wpa_supplicant.conf -D zydas
> And then I ran dhclient wlan0, but it never gets the IP. Then the
> keyboard, but not the mouse, stopped working. help?
>
> ##### Example wpa_supplicant configuration file ###############################
> # Empty lines and lines starting with # are ignored
>
> # NOTE! This file may contain password information and should probably be made
> # readable only by root user on multiuser systems.
>
> # global configuration (shared by all network blocks)
> #
> # Interface for separate control program. If this is specified, wpa_supplicant
> # will create this directory and a UNIX domain socket for listening to requests
> # from external programs (CLI/GUI, etc.) for status information and
> # configuration. The socket file will be named based on the interface name, so
> # multiple wpa_supplicant processes can be run at the same time if more than
> # one interface is used.
> # /var/run/wpa_supplicant is the recommended directory for sockets and by
> # default, wpa_cli will use it when trying to connect with wpa_supplicant.
> ctrl_interface=/var/run/wpa_supplicant
>
> # Access control for the control interface can be configured by setting the
> # directory to allow only members of a group to use sockets. This way, it is
> # possible to run wpa_supplicant as root (since it needs to change network
> # configuration and open raw sockets) and still allow GUI/CLI components to be
> # run as non-root users. However, since the control interface can be used to
> # change the network configuration, this access needs to be protected in many
> # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
> # want to allow non-root users to use the contron interface, add a new group
> # and change this value to match with that group. Add users that should have
> # control interface access to this group.
> #
> # This variable can be a group name or gid.
> #ctrl_interface_group=wheel
> ctrl_interface_group=0
>
> # IEEE 802.1X/EAPOL version
> # wpa_supplicant was implemented based on IEEE 802-1X-REV-d8 which defines
> # EAPOL version 2. However, there are many APs that do not handle the new
> # version number correctly (they seem to drop the frames completely). In order
> # to make wpa_supplicant interoperate with these APs, the version number is set
> # to 1 by default. This configuration value can be used to set it to the new
> # version (2).
> eapol_version=1
>
> # AP scanning/selection
> # By default, wpa_supplicant requests driver to perform AP scanning and then
> # uses the scan results to select a suitable AP. Another alternative is to
> # allow the driver to take care of AP scanning and selection and use
> # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
> # information from the driver.
> # 1: wpa_supplicant initiates scanning and AP selection
> # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
> # parameters (e.g., WPA IE generation); this mode can also be used with
> # non-WPA drivers when using IEEE 802.1X mode
> ap_scan=2
>
> # network block
> #
> # Each network (usually AP's sharing the same SSID) is configured as a separate
> # block in this configuration file. The network blocks are in preference order
> # (the first match is used).
> #
> # network block fields:
> #
> # ssid: SSID (mandatory); either as an ASCII string with double quotation or
> # as hex string; network name
> #
> # scan_ssid:
> # 0 = do not scan this SSID with specific Probe Request frames (default)
> # 1 = scan with SSID-specific Probe Request frames (this can be used to
> # find APs that do not accept broadcast SSID or use multiple SSIDs;
> # this will add latency to scanning, so enable this only when needed)
> #
> # bssid: BSSID (optional); if set, this network block is used only when
> # associating with the AP using the configured BSSID
> #
> # priority: priority group (integer)
> # By default, all networks will get same priority group (0). If some of the
> # networks are more desirable, this field can be used to change the order in
> # which wpa_supplicant goes through the networks when selecting a BSS. The
> # priority groups will be iterated in decreasing priority (i.e., the larger the
> # priority value, the sooner the network is matched against the scan results).
> # Within each priority group, networks will be selected based on security
> # policy, signal strength, etc.
> # Please note that AP scanning with scan_ssid=1 is not using this priority to
> # select the order for scanning. Instead, it uses the order the networks are in
> # the configuration file.
> #
> # proto: list of accepted protocols
> # WPA = WPA/IEEE 802.11i/D3.0
> # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
> # If not set, this defaults to: WPA RSN
> #
> # key_mgmt: list of accepted authenticated key management protocols
> # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
> # WPA-EAP = WPA using EAP authentication (this can use an external
> # program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication
> # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
> # generated WEP keys
> # NONE = WPA is not used; plaintext or static WEP could be used
> # If not set, this defaults to: WPA-PSK WPA-EAP
> #
> # pairwise: list of accepted pairwise (unicast) ciphers for WPA
> # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
> # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
> # NONE = Use only Group Keys (deprecated, should not be included if APs support
> # pairwise keys)
> # If not set, this defaults to: CCMP TKIP
> #
> # group: list of accepted group (broadcast/multicast) ciphers for WPA
> # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
> # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
> # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
> # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
> # If not set, this defaults to: CCMP TKIP WEP104 WEP40
> #
> # psk: WPA preshared key; 256-bit pre-shared key
> # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
> # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
> # generated using the passphrase and SSID). ASCII passphrase must be between
> # 8 and 63 characters (inclusive).
> # This field is not needed, if WPA-EAP is used.
> # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
> # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
> # startup and reconfiguration time can be optimized by generating the PSK only
> # only when the passphrase or SSID has actually changed.
> #
> # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
> # Dynamic WEP key require for non-WPA mode
> # bit0 (1): require dynamically generated unicast WEP key
> # bit1 (2): require dynamically generated broadcast WEP key
> # (3 = require both keys; default)
> #
> # Following fields are only used with internal EAP implementation.
> # eap: space-separated list of accepted EAP methods
> # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
> # cannot be used with WPA; to be used as a Phase 2 method
> # with EAP-PEAP or EAP-TTLS)
> # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
> # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
> # OTP = EAP-OTP (cannot be used separately with WPA; to be used
> # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
> # GTC = EAP-GTC (cannot be used separately with WPA; to be used
> # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
> # TLS = EAP-TLS (client and server certificate)
> # PEAP = EAP-PEAP (with tunnelled EAP authentication)
> # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
> # authentication)
> # If not set, all compiled in methods are allowed.
> #
> # identity: Identity string for EAP
> # anonymous_identity: Anonymous identity string for EAP (to be used as the
> # unencrypted identity with EAP types that support different tunnelled
> # identity, e.g., EAP-TTLS)
> # password: Password string for EAP
> # ca_cert: File path to CA certificate file. This file can have one or more
> # trusted CA certificates. If ca_cert is not included, server certificate
> # will not be verified. This is insecure and the CA file should always be
> # configured.
> # client_cert: File path to client certificate file
> # private_key: File path to client private key file
> # private_key_passwd: Password for private key file
> # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
> # (string with field-value pairs, e.g., "peapver=0" or
> # "peapver=1 peaplabel=1")
> # 'peapver' can be used to force which PEAP version (0 or 1) is used.
> # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
> # to be used during key derivation when PEAPv1 or newer. Most existing
> # PEAPv1 implementation seem to be using the old label, "client EAP
> # encryption", and wpa_supplicant is now using that as the default value.
> # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
> # interoperate with PEAPv1; see eap_testing.txt for more details.
> # 'peap_outer_success=0' can be used to terminate PEAP authentication on
> # tunneled EAP-Success. This is required with some RADIUS servers that
> # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
> # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
> # phase2: Phase2 (inner authentication with TLS tunnel) parameters
> # (string with field-value pairs, e.g., "auth=MSCHAPV2")
> # Following certificate/private key fields are used in inner Phase2
> # authentication when using EAP-TTLS or EAP-PEAP.
> # ca_cert2: File path to CA certificate file. This file can have one or more
> # trusted CA certificates. If ca_cert2 is not included, server
> # certificate will not be verified. This is insecure and the CA file
> # should always be configured.
> # client_cert2: File path to client certificate file
> # private_key2: File path to client private key file
> # private_key2_passwd: Password for private key file
>
> # Example blocks:
>
> # Only WPA-PSK is used. Any valid cipher combination is accepted.
>
> network={
> ssid="NetworkForMe"
> scan_ssid=1
> pairwise=TKIP
> psk="mykeywords"
> key_mgmt=WPA-PSK
> proto=WPA
> }
>
>
>
>
>
>
> On 10/1/05, Pedro Ramalhais <ramalhais at serrado.net> wrote:
> > John H. wrote:
> > > well, it only happens in relation to the wpa_supplicant. at any rate,
> > > i think it stopped after switching to 0, so i will switch to 2.
> > >
> > > will let you know,thanks
> > >
> > > On 10/1/05, Jouni Malinen <jkmaline at cc.hut.fi> wrote:
> > >
> > >>On Sat, Oct 01, 2005 at 02:06:26PM -0500, John H. wrote:
> > >>
> > >>
> > >>>ok, i set it to 0, and it seems the lockup is gone. I'd also made the
> > >>>ssid broadcast instead of hidden. so here is where i am now. iwconfig
> > >>>wlan0 essid myssid still won't change it, though, and here's the
> > >>>output of running wpa_supplicant in dbug mode
> > >>
> > >>ap_scan=0 mode is not really a very good option for WPA networks since
> > >>it has never been tested and is likely to not work. You would also need
> > >>to use an external program to trigger association. In other words,
> > >>ap_scan=2 would be a better choice. Anyway, I have never tested the
> > >>ZyDAS driver, so I have no idea what it supports and how it should be
> > >>configured.
> > >>
> > >>As far as the kernel crash/lockup is concerned, that should be reported
> > >>to the author(s) of the driver, not this mailing list.
> > >>
> > >>--
> > >>Jouni Malinen PGP id EFC895FA
> >
> > Does scanning work when you do iwlist scan?
> >
> > --
> > Pedro Ramalhais
> >
>
More information about the Hostap
mailing list