7.4. Linux Supplicant

In this example, the wireless client is assumed to run the Fedora Core 5 distribution.

7.4.1. Wireless Tools

The Wireless Tools are a collection of tools to manipulate wireless drivers at runtime. The sources were already downloaded in Section 2.3.4, “Wireless Configuration (wireless_tools)”. This time unpack, compile and install them on the client machine. (2BD in Fedora Core 6, use yum install wireless_tools)

tar -C $HOME -xvzf $DL_DIR/wireless_tools.28.tar.gz
cd $HOME/wireless_tools.28
make clean
make install

7.4.2. Install WiFi driver

My client laptop (Dell Inspiron 5100) uses a Broadcom bcm4306 (Dell Truemobile 1400) WiFi miniPCI card. At the time of this writing bcm43xx-fwcutter was not ready for prime time. Instead we use ndiswrapper together with Broadcom's proprietary Windows/XP driver (bcmwl5a.inf 3.40.73). (2BD in Fedora Core 6, use yum install ndiswrapper)

yum install kernel-devel
# download ndiswrapper from
tar -C $HOME -xvzf ndiswrapper-1.43.tar.gz 
cd $HOME/ndiswrapper-1.43  # was 1.27
make install

rmmod ndiswrapper # just to make sure
ndiswrapper -i /etc/ndiswrapper_drivers/bcmwl5a.inf
ndiswrapper -m # ensure that /etc/modprobe.conf contains "alias wlan0 ndiswrapper"
modprobe ndiswrapper
dmesg | tail

Some warnings that you may encounter:

  • Kernel's 4k stack size, during compilation. While the warning is valid, the bcm4306 driver does well despite the small stack size.

  • Forcing parameter IBSSGMODE, during driver installation. Again, it runs fine despite this.

  • ADDRCONF(NETDEV_UP): wlan0: link is not ready, merely means what it says: the link is not up yet. The link will be up once wpa_supplicant has negotiated the key.

7.4.3. Configure WiFi driver

Verify functionality of the driver using:

  • iwconfig wlan0 should show the properties of the wireless network interface.

  • iwlist wlan0 scan should show you a list of access points nearby.

Create a configuration file for the wireless network interface. For an example refer to Example F.9, “wpa-supplicant:/etc/sysconfig/network-scripts/ifcfg-wlan0”. Note that the key is only needed for WEP.

Even if you plan to use WPA for the final configuration, you may first want to test connecting to a WEP access point using:

ifup wlan0

# to verify:
iwconfig wlan0  # ESSID is only shown once the card is associated
ip link show dev wlan0
ip address show dev wlan0

7.4.4. Import Certificates

Generate an X.509 CA and a certificate for the client as described in Section 7.2, “Certificates”. Then copy the certificate and unencrypted key to the client, and create the 8-byte hash for the CA certificate, so that OpenSSL will recognize it.

ssh root@crox.lan.vonk mkdir $CLIENT_DIR
scp "$SSL_DIR/certs/crox.vonk-cert.pem" \
    "$SSL_DIR/certs/crox.vonk-key.pem" \
    "$SSL_DIR/ca/CAcert.pem" \
    "$SSL_DIR/ca/CRL.pem" root@crox.lan.vonk:$CLIENT_DIR/
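
The copy step above leaves an unencrypted private key on the client and does not show how the CA hash link is created. The following sketch is an added example, not part of the original page: it restricts the key, creates the hash link and checks that key, certificate and CA belong together. The function names and the script name are assumptions; the file names are the ones copied above.

```shell
#!/bin/sh
# Added example, not from the original page. Run on the client after the scp step.
# File names are the ones copied above; the function names are assumptions.

# Create the <subject-hash>.0 symlink OpenSSL uses to look up a CA in a directory.
link_ca_hash() {            # $1 = directory, $2 = CA certificate file name
    hash=$(openssl x509 -noout -hash -in "$1/$2") || return 1
    ln -sf "$2" "$1/$hash.0" && echo "$hash.0"
}

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {        # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the client certificate chains to the CA.
cert_signed_by_ca() {       # $1 = CA certificate, $2 = client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The key is stored unencrypted, so restrict the directory and key to the owner
# before linking and checking. Prints the name of the hash link on success.
prepare_client_dir() {      # $1 = $CLIENT_DIR
    chmod 700 "$1" && chmod 600 "$1/crox.vonk-key.pem" &&
    link_ca_hash "$1" CAcert.pem &&
    key_matches_cert "$1/crox.vonk-cert.pem" "$1/crox.vonk-key.pem" &&
    cert_signed_by_ca "$1/CAcert.pem" "$1/crox.vonk-cert.pem"
}

# Constructed sample input: a throwaway CA and client certificate for a dry run.
make_sample_dir() {         # $1 = empty directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample CA" \
        -keyout "$1/ca-key.pem" -out "$1/CAcert.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=crox.vonk" \
        -keyout "$1/crox.vonk-key.pem" -out "$1/req.pem" 2>/dev/null &&
    openssl x509 -req -in "$1/req.pem" -days 1 -CA "$1/CAcert.pem" \
        -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/crox.vonk-cert.pem" 2>/dev/null
}

# Usage: sh prepare-client.sh "$CLIENT_DIR"
if [ "$#" -ge 1 ]; then prepare_client_dir "$1"; fi
```

A non-zero exit status means one of the checks failed; in that case do not point wpa_supplicant at these files until the mismatch is resolved.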

7.4.5. Install supplicant daemon

The supplicant implementation used in this example is hostap's wpa_supplicant. Version 0.4.4 did not recognize SISO as a WPA-enabled access point. In debug mode it reported "skip - no WPA/RSN IE" errors.

Download and extract the sources; copy the .config; and start the compilation and installation. An example .config can be found in Example F.5, “wpa_supplicant .config”. (2BD in Fedora Core 6: first rpm -e wpa_supplicant NetworkManager NetworkManager-gnome)

wget -P $DL_DIR  # was 0.5.5
tar -C $HOME -xvzf $DL_DIR/wpa_supplicant-0.6.1.tar.gz
cd $HOME/wpa_supplicant-0.6.1
make clean
# configure .config
make install  # installs in /usr/local/sbin/

(2BD) cp: cannot stat `dynamic_eap_methods': No such file or directory

7.4.6. Authenticate using certificates (EAP-TLS)


Pre-authentication is disabled. Enabling it causes the WPA Information Elements in the beacon/probe-response to list that capability, while the WPA IEs in the key handshake do not. This mismatch caused wpa_supplicant to abort the handshake.

The first time, start wpa_supplicant in the foreground with additional debug output enabled (-dd). Once this is working you can enable and start the wpa_supplicant service as shown below. In my specific case, I also had to increase the maximum loop count from 10 to 75 in /etc/sysconfig/network-scripts/network-functions:check_link_down().

Example files are:

Install wpa_supplicant as a service.

chkconfig --level 345 wpa_supplicant on
service wpa_supplicant start
ifup wlan0

# to verify:
iwconfig wlan0  # ESSID is only shown once the card is associated
ip link show dev wlan0
ip address show dev wlan0