Linux 如何配置无线网络 wpa_supplicant wpa_cli

http://www.gentoo.org/doc/zh_cn/handbook/handbook-x86.xml?part=4&chap=4

目前您可以使用我们提供的wireless-tools 或wpa_supplicant工具来配置无线网络。请记住重要的一点是，您对无线网络的配置是全局性的，而非针对具体的接口。

wpa_supplicant是一个最好的选择，但缺点是它不支持所有的驱动。请浏览wpa_supplicant网站获得它所支持的驱动列表。另外，wpa_supplicant目前只能连接到那些你已经配置好ESSID的无线网络。

wireless-tools支持几乎所有的无线网卡和驱动，但它不能连接到那些只支持WPA的AP。

WPASupplicant工具包可以让您连接到那些使用WPA的AP。因为还只是beta版，所以它的配置方法仍会常常变化——尽管如此，在大部分情况下它已经能很好的工作。

我们还需要配置wpa_supplicant本身，这将会比较麻烦一些，具体取决于你要连接的AP的安全程度。下面的例子是从/usr/share/doc/wpa_supplicant-<version>/wpa_supplicant.conf.gz中抽取并简化而来的，此文件出自wpa_supplicant软件包。

代码 2.3:一个/etc/wpa_supplicant/wpa_supplicant.conf的例子

# 请不要修改下面这一行内容，否则将不能正常工作 ctrl_interface=/var/run/wpa_supplicant # 确保只有root用户能读取WPA的配置 ctrl_interface_group=0 # 使用wpa_supplicant来扫描和选择AP ap_scan=1 # 简单的情形：WPA-PSk密码验证方式，PSK是ASCII密码短语，所有合法的加密方式都允许连接 network={ ssid="simple" psk="very secret passphrase" # 优先级越高，就能越早匹配到。 priority=5 } # 与前面的设置相同，但要求对特定的SSID进行扫描（针对那些拒绝广播SSID的AP） network={ ssid="second ssid" scan_ssid=1 psk="very secret passphrase" priority=2 } # 仅使用WPA-PSK方式。允许使用任何合法的加密方式的组合 network={ ssid="example" proto=WPA key_mgmt=WPA-PSK pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb priority=2 } # 明文连接方式（不使用WPA和IEEE802.1X） network={ ssid="plaintext-test" key_mgmt=NONE } # 共享WEP秘钥连接方式（不使用WPA和IEEE802.1X） network={ ssid="static-wep-test" key_mgmt=NONE wep_key0="abcde" wep_key1=0102030405 wep_key2="1234567890123" wep_tx_keyidx=0 priority=5 } # 共享WEP秘钥连接方式（无WPA和IEEE802.1X），使用共享秘钥IEEE802.11验证方式 network={ ssid="static-wep-test2" key_mgmt=NONE wep_key0="abcde" wep_key1=0102030405 wep_key2="1234567890123" wep_tx_keyidx=0 priority=5 auth_alg=SHARED } # 在IBSS/ad-hoc网络中使用WPA-None/TKIP network={ ssid="test adhoc" mode=1 proto=WPA key_mgmt=WPA-NONE pairwise=NONE group=TKIP psk="secret passphrase" } 命令执行例子: wpa_supplicant -B -ieth0 -c /etc/wpa_supplicant.conf 获得地址: dhcpcd eth0 察看网卡状态以及参数: bt ~ # iwconfig eth0 eth0      IEEE 802.11g  ESSID:"youssid"           Mode:Managed  Frequency:2.462 GHz  Access Point: 00:00:00:00:00:00           Bit Rate:54 Mb/s   Tx-Power:14 dBm           Retry limit:15   RTS thr:off   Fragment thr:off           Encryption key:xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx-xxxx   Security mode:open           Power Management:off           Link Quality=74/100  Signal level=-57 dBm  Noise level=-57 dBm           Rx invalid nwid:0  Rx invalid crypt:1  Rx invalid frag:0           Tx excessive retries:0  Invalid misc:21   Missed beacon:0 bt ~ # ifconfig eth0 eth0      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx           inet addr:192.168.2.100  Bcast:192.168.2.255  Mask:255.255.255.0           inet6 addr: fe80::218:deff:feb0:38e5/64 Scope:Link           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1           RX packets:33 errors:2 dropped:31 overruns:0 frame:0           TX packets:12 errors:0 dropped:0 overruns:0 carrier:0           collisions:0 txqueuelen:1000           RX bytes:11177 (10.9 KiB)  TX bytes:4324 (4.2 KiB)           Interrupt:11 Base address:0x2000 Memory:edf00000-edf00fff 这样linux就可以使用wpa 访问无线网络了. --------------------------------------------------- wpa_supplicant usage --------------------------------------------------- You will need to make a configuration file, e.g., /etc/wpa_supplicant.conf, with network configuration for the networks you are going to use. Configuration file section below includes explanation for the configuration file format and includes various examples. Once the configuration is ready, you can test whether the configuration work by first running wpa_supplicant with following command to start it on foreground with debugging enabled: wpa_supplicant -i wlan0 -c/etc/wpa_supplicant.conf -d Assuming everything goes fine, you can start using following command to start wpa_supplicant on background without debugging: wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B Please note that if you included more than one driver interface in the build time configuration (.config), you may need to specify which interface to use by including -D<driver name> option on the command line. See following section for more details on command line options for wpa_supplicant. Command line options -------------------- usage: wpa_supplicant [-BddehLqqvw] -i<ifname> -c<config file> [-D<driver>] \ [-N -i<ifname> -c<conf> [-D<driver>] ...] options: -B = run daemon in the background -d = increase debugging verbosity (-dd even more) -K = include keys (passwords, etc.) in debug output -t = include timestamp in debug messages -h = show this help text -L = show license (GPL and BSD) -q = decrease debugging verbosity (-qq even less) -v = show version -w = wait for interface to be added, if needed -N = start describing new interface drivers: hostap = Host AP driver (Intersil Prism2/2.5/3) [default] (this can also be used with Linuxant DriverLoader) hermes = Agere Systems Inc. driver (Hermes-I/Hermes-II) madwifi = MADWIFI 802.11 support (Atheros, etc.) atmel = ATMEL AT76C5XXx (USB, PCMCIA) wext = Linux wireless extensions (generic) ndiswrapper = Linux ndiswrapper broadcom = Broadcom wl.o driver ipw = Intel ipw2100/2200 driver wired = wpa_supplicant wired Ethernet driver bsd = BSD 802.11 support (Atheros, etc.) ndis = Windows NDIS driver In most common cases, wpa_supplicant is started with wpa_supplicant -Bw -c/etc/wpa_supplicant.conf -iwlan0 This makes the process fork into background and wait for the wlan0 interface if it is not available at startup time. The easiest way to debug problems, and to get debug log for bug reports, is to start wpa_supplicant on foreground with debugging enabled: wpa_supplicant -c/etc/wpa_supplicant.conf -iwlan0 -d wpa_supplicant can control multiple interfaces (radios) either by running one process for each interface separately or by running just one process and list of options at command line. Each interface is separated with -N argument. As an example, following command would start wpa_supplicant for two interfaces: wpa_supplicant \ -c wpa1.conf -i wlan0 -D hostap -N \ -c wpa2.conf -i ath0 -D madwifi Configuration file ------------------ wpa_supplicant is configured using a text file that lists all accepted networks and security policies, including pre-shared keys. See example configuration file, wpa_supplicant.conf, for detailed information about the configuration format and supported fields. Changes to configuration file can be reloaded be sending SIGHUP signal to wpa_supplicant ('killall -HUP wpa_supplicant'). Similarly, reloading can be triggered with 'wpa_cli reconfigure' command. Configuration file can include one or more network blocks, e.g., one for each used SSID. wpa_supplicant will automatically select the best betwork based on the order of network blocks in the configuration file, network security level (WPA/WPA2 is prefered), and signal strength. Example configuration files for some common configurations: 1) WPA-Personal (PSK) as home network and WPA-Enterprise with EAP-TLS as work network # allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel # # home network; allow all valid ciphers network={ ssid="home" scan_ssid=1 key_mgmt=WPA-PSK psk="very secret passphrase" } # # work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers network={ ssid="work" scan_ssid=1 key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP eap=TLS identity="user@example.com" ca_cert="/etc/cert/ca.pem" client_cert="/etc/cert/user.pem" private_key="/etc/cert/user.prv" private_key_passwd="password" } 2) WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series) ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP eap=PEAP identity="user@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase1="peaplabel=0" phase2="auth=MSCHAPV2" } 3) EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the unencrypted use. Real identity is sent only within an encrypted TLS tunnel. ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS identity="user@example.com" anonymous_identity="anonymous@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase2="auth=MD5" } 4) IEEE 802.1X (i.e., no WPA) with dynamic WEP keys (require both unicast and broadcast); use EAP-TLS for authentication ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="1x-test" scan_ssid=1 key_mgmt=IEEE8021X eap=TLS identity="user@example.com" ca_cert="/etc/cert/ca.pem" client_cert="/etc/cert/user.pem" private_key="/etc/cert/user.prv" private_key_passwd="password" eapol_flags=3 } 5) Catch all example that allows more or less all configuration modes. The configuration options are used based on what security policy is used in the selected SSID. This is mostly for testing and is not recommended for normal use. ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE pairwise=CCMP TKIP group=CCMP TKIP WEP104 WEP40 psk="very secret passphrase" eap=TTLS PEAP TLS identity="user@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" client_cert="/etc/cert/user.pem" private_key="/etc/cert/user.prv" private_key_passwd="password" phase1="peaplabel=0" ca_cert2="/etc/cert/ca2.pem" client_cert2="/etc/cer/user.pem" private_key2="/etc/cer/user.prv" private_key2_passwd="password" } 6) Authentication for wired Ethernet. This can be used with 'wired' interface (-Dwired on command line). ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel ap_scan=0 network={ key_mgmt=IEEE8021X eap=MD5 identity="user" password="password" eapol_flags=0 } --------------------------------------------------- wpa_cli usage --------------------------------------------------- wpa_cli commands status = get current WPA/EAPOL/EAP status mib = get MIB variables (dot1x, dot11) help = show this usage help interface [ifname] = show interfaces/select interface level <debug level> = change debug level license = show full wpa_cli license logoff = IEEE 802.1X EAPOL state machine logoff logon = IEEE 802.1X EAPOL state machine logon set = set variables (shows list of variables when run without arguments) pmksa = show PMKSA cache reassociate = force reassociation reconfigure = force wpa_supplicant to re-read its configuration file preauthenticate <BSSID> = force preauthentication identity <network id> <identity> = configure identity for an SSID password <network id> <password> = configure password for an SSID pin <network id> <pin> = configure pin for an SSID otp <network id> <password> = configure one-time-password for an SSID passphrase <network id> <passphrase> = configure private key passphrase for an SSID bssid <network id> <BSSID> = set preferred BSSID for an SSID list_networks = list configured networks select_network <network id> = select a network (disable others) enable_network <network id> = enable a network disable_network <network id> = disable a network add_network = add a network remove_network <network id> = remove a network set_network <network id> <variable> <value> = set network variables (shows list of variables when run without arguments) get_network <network id> <variable> = get network variables save_config = save the current configuration disconnect = disconnect and wait for reassociate command before connecting scan = request new BSS scan scan_results = get latest scan results get_capability <eap/pairwise/group/key_mgmt/proto/auth_alg> = get capabilies terminate = terminate wpa_supplicant quit = exit wpa_cli wpa_cli command line options wpa_cli [-p<path to ctrl sockets>] [-i<ifname>] [-hvB] [-a<action file>] \ [-P<pid file>] [-g<global ctrl>] [command..] -h = help (show this usage text) -v = shown version information -a = run in daemon mode executing the action file based on events from wpa_supplicant -B = run a daemon in the background default path: /var/run/wpa_supplicant default interface: first interface found in socket path