
WPA Supplicant LEAP

By Nic Tjirkalli

To get Linux wireless to connect using LEAP authentication (yes, yes, yes, I know the choir will tell us that LEAP is not so secure and we should not be using it, but if that's the way the AP is configured, we do not have much option), I did the following. It worked for me and I hope it works for you.

[ The Lightweight Extensible Authentication Protocol (LEAP) was developed for use with wireless access points and features dynamic WEP keys and mutual authentication. -- René ]

These settings worked for connecting to a CISCO Access Point that is configured to:

System

My system is a:

On my Slackware machine, the wireless interface is called wlan0; if yours is not, replace wlan0 with the interface name used by your machine in all the scripts and commands below.

See What Wireless LANs Are Out There

To see what wireless networks are within range and to see what security they have enabled, use the command:
iwlist wlan0 scan

If iwlist returns an error saying it cannot scan because the interface is down, bring the interface up with ifconfig:

ifconfig wlan0 up
and then run the scan command again.

Scripts

I connect manually with a script, as opposed to using any of the automated scripts.

WPA Supplicant Configuration

My /etc/wpa_supplicant.conf looks like this:

# This line enables the use of wpa_cli which is used by rc.wireless
# if possible (to check for successful association)
ctrl_interface=/var/run/wpa_supplicant
# By default, only root (group 0) may use wpa_cli
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1

network={
  scan_ssid=1
  mode=0
  ssid="SSID_To_Connect_To"
  proto=WPA
  key_mgmt=WPA-EAP
  pairwise=TKIP
  group=TKIP
  eap=LEAP
  priority=2
  auth_alg=LEAP
  eapol_flags=0
  identity="Your_User_Name"
  password="Your_Password"
}

In the above configuration file, replace SSID_To_Connect_To with the Service Set IDentifier, or SSID, of the particular 802.11 wireless LAN you want to connect to; replace Your_User_Name with the user name used for authentication; and last, replace Your_Password with the password used for authentication.
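Because this file now holds the authentication password, and LEAP is the method the article itself calls not so secure, here is an added example (not part of the original article) of a small shell function that audits a wpa_supplicant.conf like the one above. The function name audit_wpa_conf and the finding labels PERMS, WEAK-EAP and CTRL are invented for this example.

```shell
#!/bin/sh
# Added example (not from the article): audit a wpa_supplicant.conf.
# audit_wpa_conf and the finding labels are names invented for this sketch.
# Prints one finding per line; returns 0 if clean, 1 if anything was found,
# 2 if the file cannot be read.

audit_wpa_conf() {
    conf=$1
    found=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf" >&2; return 2; }

    # A password= line means the EAP credential is stored in the file,
    # so nobody but the owner should be able to read or modify it.
    # Characters 5-10 of the ls mode string are the group and other bits.
    if grep -Eq '^[[:space:]]*password=' "$conf"; then
        mode=$(ls -ldL "$conf" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PERMS: $conf holds a password but group/other bits are '$mode' (chmod 600)"
            found=1
        fi
    fi

    # LEAP selected as the EAP method or as the 802.11 auth algorithm.
    if grep -Eq '^[[:space:]]*(eap|auth_alg)=.*LEAP' "$conf"; then
        echo "WEAK-EAP: LEAP is enabled in a network block"
        found=1
    fi

    # Members of ctrl_interface_group can drive wpa_supplicant via wpa_cli.
    grp=$(sed -n 's/^[[:space:]]*ctrl_interface_group=//p' "$conf" | head -n 1)
    case $grp in
        ''|0|root) ;;
        *) echo "CTRL: control socket usable by group '$grp'"; found=1 ;;
    esac

    return "$found"
}

# Stand-alone use: sh audit.sh /etc/wpa_supplicant.conf
if [ "$#" -gt 0 ]; then
    audit_wpa_conf "$1"
fi
```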

Connection Script

On my Slackware machine, the connection script looks like this:

#!/bin/bash

ifconfig wlan0 down
iwconfig wlan0 essid "XXXXXXXXXX"
ifconfig wlan0 up
wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf -Dwext -dd

The -dd causes wpa_supplicant to be very verbose in its output - this is useful if there are any issues, but it also tells you what is happening.

Save this connection script (as root) and make it executable, readable, and writable by user root (chmod 700 con_script). The script must be run as root (or via sudo) to be able to play with interfaces.

When run, the connection script will not terminate. To see what is happening and whether all is well, execute the command wpa_cli in another shell, or if you prefer a GUI on X, run wpa_gui. To know whether you have successfully connected to the wireless LAN, look for the line:
CTRL-EVENT-CONNECTED - Connection to 00:11:11:11:11:11 completed

Once connected, you can obtain a DHCP address (assuming a DHCP server exists and is functioning on the Wireless LAN) with the command:
dhcpcd wlan0

Hope this was of use to you and helped.



Nic Tjirkalli works for one of South Africa's premier internet service providers. He has been using Linux for over 15 years - started with Slackware and has stayed with that.


Copyright © 2008, Nic Tjirkalli. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 154 of Linux Gazette, September 2008
