30.1 Wireless LAN
Wireless LANs have become an indispensable part of mobile computing.
Today, most laptops have a built-in WLAN card. The 802.11 standard
governing the wireless communication of WLAN cards is published by the
IEEE. Originally, this standard provided for a maximum transmission rate
of 2 Mbit/s. Since then, several amendments have been added to increase
the data rate. They define details such as the modulation, transmission
power, and transmission rates (see Table 30-1). In addition, many
vendors ship hardware with proprietary or draft features.
Table 30-1 Overview of Various WLAN Standards

Name            Band (GHz)     Maximum Transmission Rate (Mbit/s)   Note
802.11 Legacy   2.4            2                                    Outdated; virtually no end devices available
802.11a         5              54                                   Less interference-prone
802.11b         2.4            11                                   Less common
802.11g         2.4            54                                   Widespread, backwards-compatible with 11b
802.11n draft   2.4 and/or 5   300                                  Common

802.11 Legacy cards are not supported by openSUSE®. Most cards
using 802.11a, 802.11b, 802.11g and 802.11n draft are supported. New cards
usually comply with the 802.11n draft standard, but cards using 802.11g
are still available.
30.1.1 Function
In wireless networking, various techniques and configurations are used to
ensure fast, high-quality, and secure connections. Different operating
types suit different setups. It can be difficult to choose the right
authentication method. The available encryption methods have different
advantages and pitfalls.
Basically, wireless networks can be classified as managed networks and
ad-hoc networks. Managed networks have a managing element: the access
point. In this mode (also referred to as infrastructure mode), all
connections of the WLAN stations in the network run over the access
point, which may also serve as a bridge to an Ethernet. Ad-hoc networks
do not have an access point. The stations communicate directly with each
other, so frames are not relayed through a third device and an ad-hoc
network can be faster than a managed one. However, the transmission range
and the number of participating stations are greatly limited in ad-hoc
networks, and they do not support WPA authentication. Therefore, an
access point is usually used. Some WLAN cards can themselves be operated
as an access point.
Authentication
Because radio traffic is much easier to intercept than traffic on a wired
network, the various standards include authentication and encryption
methods. In the original version of the IEEE 802.11 standard, these are
described under the term WEP. However, because WEP has proven to be
insecure (see Security), the WLAN industry (joined under the name Wi-Fi
Alliance) defined a new extension called WPA, intended to eliminate the
weaknesses of WEP. WPA was based on a draft of IEEE 802.11i. The final
IEEE 802.11i standard (certified by the Wi-Fi Alliance as WPA2) includes
WPA and adds further authentication and encryption methods, most
importantly the AES-based CCMP.
To make sure that only authorized stations can connect, various
authentication mechanisms are used in managed networks:
- Open
-
An open system is a system that does not require authentication. Any
station can join the network. Nevertheless, WEP encryption (see
Encryption) can be used.
- Shared Key (according to IEEE 802.11)
-
In this procedure, the WEP key is used for the authentication. The
access point sends a plaintext challenge and the station returns it
encrypted with the WEP key. This procedure is not recommended, because
it exposes the WEP key to attack. All an attacker needs to do is to
listen to one such exchange between a station and the access point:
both sides send the same data, once in unencrypted and once in
encrypted form, and XORing the two yields the RC4 keystream for the
initialization vector the station used. With that keystream, the
attacker can answer any later challenge under the same initialization
vector without ever knowing the key, and the known plaintext also
speeds up the statistical attacks on the key itself. Because this
method uses the WEP key both for authentication and for encryption,
it does not enhance the security of the network. A station that has
the correct WEP key can authenticate, encrypt, and decrypt. A station
that does not have the key cannot decrypt received packets.
Accordingly, it cannot communicate, regardless of whether it had to
authenticate itself.
- WPA-PSK (according to IEEE 802.11i)
-
WPA-PSK (PSK stands for preshared key) resembles the Shared Key
procedure in that all participating stations and the access point
share the same secret. The secret is a 256-bit key that is usually
derived from a passphrase of 8 to 63 characters together with the
network name (ESSID). It is never sent over the air; instead, a
four-way handshake derives fresh per-session keys from it. This system
does not need complex key management like WPA-EAP and is more suitable
for private use. Therefore, WPA-PSK is sometimes referred to as WPA
Home. Note that anyone who knows the passphrase and has captured a
station's handshake can decrypt that station's traffic, so change the
passphrase whenever a device or user leaves the network.
- WPA-EAP (according to IEEE 802.1x)
-
Strictly speaking, WPA-EAP is not an authentication system but a
framework for transporting authentication information. WPA-EAP is used
to protect wireless networks in enterprises. In private networks, it is
scarcely used. For this reason, WPA-EAP is sometimes referred to as WPA
Enterprise.
WPA-EAP needs a RADIUS server to authenticate users. Every user or
station has individual credentials, so revoking one of them does not
affect the others. YaST supports three EAP methods for connecting and
authenticating to the server: TLS (Transport Layer Security), TTLS
(Tunneled Transport Layer Security), and PEAP (Protected Extensible
Authentication Protocol).
In a nutshell, these options work as follows:
- EAP-TLS
-
TLS authentication relies on the mutual exchange of certificates
both for server and client. First, the server presents its
certificate to the client where it is evaluated. If the
certificate is considered valid, the client in turn presents its
certificate to the server. While TLS is secure, it requires a
working certification management infrastructure in your network.
This infrastructure is rarely found in private networks.
- EAP-TTLS and PEAP
-
Both TTLS and PEAP are two-stage protocols. In the first stage, a TLS
tunnel to the authentication server is established using only the
server's certificate; in the second stage, the client authentication
data (typically a user name and password) is exchanged inside that
tunnel. They require far less certificate management overhead than
TLS, because the clients need no certificates of their own. The
protection of the password rests entirely on the station verifying
the server certificate in the first stage: a station configured to
skip that check will hand its credentials to any rogue access point
that presents an arbitrary certificate.
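The keystream leak described under Shared Key above can be reproduced at the protocol level. The following Python is an added example, not code from the openSUSE documentation or from any wireless driver: it models only the WEP frame body (payload, CRC-32 integrity check value, RC4 keystream over IV || key) with a constructed 104-bit key and a constructed 24-bit initialization vector, and leaves out 802.11 frame headers. An eavesdropper who has seen one challenge and the station's encrypted reply recovers the keystream and then authenticates to the same access point without knowing the key.

```python
import os
import struct
import zlib

CHALLENGE_LEN = 128  # 802.11 shared-key authentication uses a 128-byte challenge


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP runs it with key = IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as the station sends it: (plaintext || ICV) XOR RC4(IV || secret)."""
    data = plaintext + icv(plaintext)
    return xor(data, rc4_keystream(iv + secret, len(data)))


def wep_decrypt(secret: bytes, iv: bytes, body: bytes):
    """Return the plaintext, or None if the ICV does not match."""
    data = xor(body, rc4_keystream(iv + secret, len(body)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


def ap_accepts(secret: bytes, challenge: bytes, iv: bytes, body: bytes) -> bool:
    """Access point side: the reply is valid if it decrypts to the challenge sent."""
    return wep_decrypt(secret, iv, body) == challenge


def recover_keystream(challenge: bytes, body: bytes) -> bytes:
    """Eavesdropper: known plaintext (challenge || ICV) XOR ciphertext = keystream."""
    return xor(challenge + icv(challenge), body)


def forge_reply(keystream: bytes, challenge: bytes) -> bytes:
    """Attacker answers a fresh challenge by reusing the captured keystream."""
    data = challenge + icv(challenge)
    return xor(data, keystream)


def shared_key_auth_demo(secret: bytes) -> bool:
    """One legitimate exchange, then a forged one. True if the forgery is accepted."""
    iv = b"\x11\x22\x33"                        # constructed IV; sent in clear by the station
    challenge = os.urandom(CHALLENGE_LEN)
    reply = wep_encrypt(secret, iv, challenge)  # what the legitimate station sends
    assert ap_accepts(secret, challenge, iv, reply)
    keystream = recover_keystream(challenge, reply)            # eavesdropper saw both halves
    assert keystream == rc4_keystream(iv + secret, CHALLENGE_LEN + 4)
    new_challenge = os.urandom(CHALLENGE_LEN)                  # AP challenges the attacker
    forged = forge_reply(keystream, new_challenge)             # same IV, no key needed
    return ap_accepts(secret, new_challenge, iv, forged)


if __name__ == "__main__":
    # Constructed 104-bit key: 26 hex digits, YaST's "128-bit" WEP setting.
    KEY = bytes.fromhex("0123456789abcdef0123456789")
    print("forged authentication accepted:", shared_key_auth_demo(KEY))
```

The forgery succeeds because WEP has no protection against reusing an initialization vector: the access point accepts any IV, so a keystream captured once stays valid for as long as the key is in use. The same 132 bytes of keystream also let the attacker inject arbitrary short frames encrypted under that IV, which is why Open authentication, despite its name, weakens a WEP network less than Shared Key does.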
Encryption
There are various encryption methods to ensure that no unauthorized
person can read the data packets that are exchanged in a wireless
network or gain access to the network:
- WEP (defined in IEEE 802.11)
-
This standard makes use of the RC4 stream cipher, originally with a
key length of 40 bits, later also with 104 bits. Often, the length is
declared as 64 bits or 128 bits, depending on whether the 24 bits of
the initialization vector are included. The standard has serious
weaknesses: the initialization vector is short and sent in the clear,
so keystreams repeat; the CRC-32 integrity check is linear and can be
corrected after modifying ciphertext; and statistical attacks on the
RC4 key schedule recover the secret key from a few tens of thousands
of captured packets. With freely available tools this takes minutes
on a busy network, so WEP deters only casual eavesdroppers.
Nevertheless, it is better to use WEP than not to encrypt the network
at all.
Some vendors have implemented the non-standard Dynamic WEP. It works
exactly as WEP and shares the same weaknesses, except that the key is
periodically changed by a key management service, which limits how
much traffic an attacker can collect under any one key.
- TKIP (defined in WPA/IEEE 802.11i)
-
This key management protocol defined in the WPA standard keeps the
RC4 cipher of WEP, so that it runs on WEP-era hardware, but wraps it
in per-packet key mixing, a 48-bit sequence counter against replay,
and a keyed message integrity check (Michael). Because a different
RC4 key is used for every data packet, the WEP key-recovery attacks
no longer apply. TKIP can be used with both WPA-PSK and WPA-EAP. It
was designed as a stopgap and has weaker attacks of its own; where all
devices support CCMP, TKIP should be disabled.
- CCMP (defined in IEEE 802.11i)
-
CCMP is the encryption and integrity protocol of WPA2: AES in CCM mode
with a 128-bit key, providing both confidentiality and a message
authentication code. It is independent of the authentication method
and can be used with WPA-PSK as well as WPA-EAP. It is considerably
stronger than the RC4-based encryption of WEP and TKIP and is the
recommended choice.
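On openSUSE, both YaST and NetworkManager ultimately drive wpa_supplicant, whose configuration spells out which of the protocols above a network is allowed to negotiate. The following Python is an added check, not part of the openSUSE documentation or of wpa_supplicant: it parses network={ ... } blocks written in wpa_supplicant.conf syntax and reports settings that still permit open authentication, WEP, TKIP or the draft-WPA protocol. The sample configuration is constructed for this example; the values it assumes for options that are not set (proto=WPA RSN, key_mgmt=WPA-PSK WPA-EAP, pairwise=CCMP TKIP, group=CCMP TKIP WEP104 WEP40) are wpa_supplicant's documented defaults.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax; not taken from any real system.
SAMPLE_CONF = """
ctrl_interface=/var/run/wpa_supplicant

# WEP with shared-key authentication: key recoverable from captured traffic
network={
    ssid="office-legacy"
    key_mgmt=NONE
    auth_alg=SHARED
    wep_key0=0123456789abcdef0123456789
    wep_tx_keyidx=0
}

# WPA-PSK, but still negotiating draft WPA with RC4/TKIP
network={
    ssid="home"
    key_mgmt=WPA-PSK
    proto=WPA
    pairwise=TKIP
    group=TKIP
    psk="correct horse battery staple"
}

# Hardened: WPA2 (RSN) with AES-CCMP only
network={
    ssid="home-hardened"
    key_mgmt=WPA-PSK
    proto=RSN
    pairwise=CCMP
    group=CCMP
    psk="correct horse battery staple"
}
"""

# wpa_supplicant's documented defaults when an option is absent from the block.
DEFAULTS = {
    "key_mgmt": "WPA-PSK WPA-EAP",
    "proto": "WPA RSN",
    "pairwise": "CCMP TKIP",
    "group": "CCMP TKIP WEP104 WEP40",
}


def parse_networks(conf: str) -> list:
    """Return one dict of option -> raw value per network={...} block."""
    networks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # full-line comments only
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks


def assess(net: dict) -> list:
    """Findings for one network block; an empty list means nothing to object to."""
    def opt(name):
        return (net.get(name) or DEFAULTS[name]).split()

    findings = []
    if "NONE" in opt("key_mgmt"):
        if any(k.startswith("wep_key") for k in net):
            findings.append("WEP: RC4 key recoverable from captured traffic; migrate to WPA2/CCMP")
            if net.get("auth_alg") == "SHARED":
                findings.append("shared-key authentication leaks keystream; use auth_alg=OPEN at least")
        else:
            findings.append("open network: all traffic readable by anyone in range")
        return findings
    if "WPA" in opt("proto"):
        findings.append("proto allows draft WPA; set proto=RSN")
    if "TKIP" in opt("pairwise"):
        findings.append("pairwise allows TKIP (RC4 based); set pairwise=CCMP")
    if set(opt("group")) & {"TKIP", "WEP104", "WEP40"}:
        findings.append("group cipher allows TKIP or WEP; set group=CCMP")
    psk = net.get("psk")
    if psk is not None:
        if psk.startswith('"'):
            n = len(psk.strip('"'))
            if not 8 <= n <= 63:
                findings.append(f"passphrase length {n} outside the valid 8..63 characters")
        elif not re.fullmatch(r"[0-9a-fA-F]{64}", psk):
            findings.append("raw PSK must be exactly 64 hexadecimal digits")
    return findings


def lint(conf: str) -> dict:
    """Map ESSID -> findings for every network block in the configuration."""
    return {net.get("ssid", "?").strip('"'): assess(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in lint(SAMPLE_CONF).items():
        print(f"{ssid}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a real /etc/wpa_supplicant/wpa_supplicant.conf (or the per-interface files YaST writes), the check is deliberately strict: a block that merely leaves pairwise or group unset is reported, because the defaults still allow TKIP and, for the group key, even WEP ciphers when the access point offers them.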
30.1.2 Configuration with YaST
To configure the wireless network card, select in the YaST control center. The Network Settings dialog
where you can configure general network settings opens. Please refer to
Section 20.4, Configuring a Network Connection with YaST for more information about the
general network configuration. All network cards that have been detected
by the system are listed under the tab.
Choose your wireless card from the list and click
to open the Network Card Setup dialog. Configure whether to use a dynamic
or a static IP address under the tab . You can
also adjust and
settings such as or
and driver settings. In most cases there
is no need to change the preconfigured values.
Click to proceed to the wireless network card
specific configuration dialog. If you are using NetworkManager (refer to
Section 20.5, NetworkManager for more information), there is no need
to adjust the wireless device settings, since these will be set by NetworkManager
on demand—proceed with and
to finish the configuration. If you are using your
computer only in a specific wireless network, make the basic settings for
WLAN operation here.
- Operating Mode
-
A station can be integrated in a WLAN in three different modes. The
suitable mode depends on the network in which to communicate:
(peer-to-peer network without access point),
(network is managed by an access point), or
(your network card should be used as the
access point). To use any of the WPA-PSK or WPA-EAP modes, the
operating mode must be set to .
- Network Name (ESSID)
-
All stations in a wireless network need the same ESSID for
communicating with each other. If nothing is specified, the card may
automatically select an access point, which may not be the one you
intended to use. Use for a list of
available wireless networks.
- Authentication Mode
-
Select a suitable authentication method for your network: , , , , or
. If you select WPA authentication, a
network name (ESSID) must be set.
- Key Input Type
-
WEP and WPA-PSK authentication methods require a key. The key
has to be entered as either a , as an
string, or
string.
- WEP Keys
-
Either enter the default key here or click to enter the advanced key configuration dialog. Set
the length of the key to or . The default setting is .
In the list area at the bottom of the dialog, up to four different
keys can be specified for your station to use for the encryption.
Press to define one of them as
the default key. Unless you change this, YaST uses the first
entered key as the default key. If the standard key is deleted, one
of the other keys must be marked manually as the default key. Click
to modify existing list entries or create
new keys. In this case, a pop-up window prompts you to select an
input type (,
, or ). If
you select , enter a word or a
character string from which a key is generated according to the
length previously specified. requests an
input of 5 characters for a 64-bit key and 13 characters for a
128-bit key. For , enter 10
characters for a 64-bit key or 26 characters for a 128-bit key in
hexadecimal notation.
- WPA-PSK
-
To enter a key for WPA-PSK, select the input method
or . In
the mode, the input must be 8 to 63
characters. In the mode, enter 64
characters.
- Expert Settings
-
This button opens a dialog for the detailed configuration of your WLAN
connection. Usually there should be no need to change the
preconfigured settings.
- Channel
-
The specification of a channel on which the WLAN station should
work is only needed in and
modes. In
mode, the card automatically searches the available channels for
access points. In mode, select one of the
offered channels (11 to 14, depending on your country) for the
communication of your station with the other stations. In
mode, determine on which channel your
card should offer access point functionality. The default setting
for this option is .
- Bit Rate
-
Depending on the performance of your network, you may want to set a
certain bit rate for the transmission from one point to another. In
the default setting , the system tries to
use the highest possible data transmission rate. Some WLAN cards do
not support the setting of bit rates.
- Access Point
-
In an environment with several access points, one of them can be
preselected by specifying the MAC address.
- Use Power Management
-
When you are on the road, use power saving technologies to maximize
the operating time of your battery.
Using
power management may affect the connection quality and increase the
network latency.
Click next to finish the setup. If you have chosen WPA-EAP
authentication, another configuration step is needed before your station
is ready for deployment in the WLAN. Enter the credentials you have been
given by your network administrator. For TLS, provide
, ,
, and .
TTLS and PEAP require and
. and
are optional. YaST searches for
any certificate under /etc/cert. Therefore, save the
certificates given to you to this location and restrict access to these
files to 0600 (owner read and write). Click
to enter the advanced authentication dialog
for your WPA-EAP setup. Select the authentication method for the second
stage of EAP-TTLS or EAP-PEAP communication. If you selected TTLS in the
previous dialog, choose any, MD5,
GTC, CHAP, PAP,
MSCHAPv1, or MSCHAPv2. If you
selected PEAP, choose any, MD5,
GTC, or MSCHAPv2. can be used to force the use of a certain PEAP
implementation if the automatically-determined setting does not work for
you.
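The 256-bit key mentioned under WPA-PSK in the Function section and the two input forms accepted by the WPA-PSK key field above (8 to 63 characters, or 64 hexadecimal digits) are related by the derivation fixed in IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes). The following Python is an added example, not code from the openSUSE documentation or from wpa_supplicant: it implements that derivation, accepts either input form as the dialog does, emits the kind of network block the wpa_passphrase tool produces, and shows that the same passphrase yields a different key on every network name. The test vector (passphrase "password", ESSID "IEEE") is the one published in IEEE 802.11i.

```python
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PSK_LEN = 32               # 256-bit preshared key


def passphrase_problem(passphrase: str):
    """None if the passphrase is acceptable, otherwise the reason it is not."""
    if not 8 <= len(passphrase) <= 63:
        return "WPA passphrase must be 8 to 63 characters"
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        return "WPA passphrase must consist of printable ASCII characters"
    return None


def wpa_psk_from_passphrase(passphrase: str, essid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32) per IEEE 802.11i."""
    problem = passphrase_problem(passphrase)
    if problem:
        raise ValueError(problem)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               essid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def wpa_psk_from_input(value: str, essid: str) -> bytes:
    """Accept what the YaST key field accepts: exactly 64 hexadecimal digits are
    taken as the raw 256-bit key; anything else is treated as a passphrase."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    return wpa_psk_from_passphrase(value, essid)


def psk_network_block(essid: str, passphrase: str) -> str:
    """wpa_supplicant-style network block carrying the derived key instead of the
    passphrase, the same transformation the wpa_passphrase tool performs."""
    psk = wpa_psk_from_passphrase(passphrase, essid).hex()
    return "network={\n" f'\tssid="{essid}"\n' f"\tpsk={psk}\n" "}\n"


def distinct_keys_per_network(passphrase: str, essids) -> bool:
    """True if the passphrase yields a different PSK for every ESSID given. Because
    the ESSID is the salt, precomputed PSK tables only pay off against common names."""
    keys = {wpa_psk_from_passphrase(passphrase, e) for e in essids}
    return len(keys) == len(set(essids))


if __name__ == "__main__":
    print(wpa_psk_from_passphrase("password", "IEEE").hex())
    # prints f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e
    print(psk_network_block("IEEE", "password"))
    print(distinct_keys_per_network("password", ["IEEE", "linksys", "home"]))
```

Two practical consequences follow from the derivation. First, storing the 64-digit hex form in the configuration avoids keeping the human-readable passphrase on disk while still letting the station join. Second, an attacker with a captured four-way handshake must run the same 4096-iteration PBKDF2 for every guess, so passphrase length matters far more than the hex key length suggests; with a default or widely used ESSID, however, that work can be precomputed once and reused against every network of that name.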
IMPORTANT: Security in Wireless Networks
Be sure to use one of the supported authentication and encryption
methods to protect your network traffic. Unencrypted WLAN connections
allow third parties to intercept all network data. Even a weak
encryption (WEP) is better than none at all. Refer to
Encryption and
Security for information.
30.1.4 Tips and Tricks for Setting Up a WLAN
These tips can help tweak speed and stability as well as security aspects
of your WLAN.
Stability and Speed
The performance and reliability of a wireless network mainly depend on
whether the participating stations receive a clean signal from the other
stations. Obstructions like walls greatly weaken the signal. The more
the signal strength sinks, the more the transmission slows down. During
operation, check the signal strength with the iwconfig utility on the
command line (Link Quality field) or with NetworkManager or
KNetworkManager. If you have problems with the signal quality, try to set up the
devices somewhere else or adjust the position of the antennas of your
access points. Auxiliary antennas that substantially improve the
reception are available for a number of PCMCIA WLAN cards. The rate
specified by the manufacturer, such as 54 Mbit/s, is a nominal
value that represents the theoretical maximum. In practice, the maximum
data throughput is no more than half this value.
Security
If you want to set up a wireless network, remember that anybody within
the transmission range can easily access it if no security measures are
implemented. Therefore, be sure to activate an encryption method. All
WLAN cards and access points support WEP encryption. WEP is not safe:
its key can be recovered from captured traffic within minutes using
freely available tools, so it only presents an obstacle to a casual
attacker and should be regarded as a last resort rather than as adequate
protection, even for private use. WPA-PSK is far better, but it is not
implemented in older access points or routers with WLAN functionality.
On some devices, WPA can be added by means of a firmware update.
Furthermore, although Linux supports WPA on most hardware components,
some drivers do not offer WPA support. If WPA is not available, WEP is
still better than no encryption. In enterprises with advanced security
requirements, wireless networks should only be operated with WPA,
preferably WPA2 with CCMP.
30.1.5 Troubleshooting
If your WLAN card is not automatically detected, check whether it is
supported by openSUSE. A list of supported WLAN network cards is
available under
https://en.opensuse.org/HCL/Network_Adapters_(Wireless).
If your card is not supported, it may be possible to make it work using
the Microsoft Windows drivers with Ndiswrapper. Please refer to
https://en.opensuse.org/Ndiswrapper for detailed
information.
If your WLAN card fails to respond, check if you have downloaded the
needed firmware. Refer to
/usr/share/doc/packages/wireless-tools/README.firmware
for more information.
Multiple Network Devices
Modern laptops usually have a network card and a WLAN card. If you
configured both devices with DHCP (automatic address assignment), you
may encounter problems with the name resolution and the default gateway.
This is evident from the fact that you can ping the router but cannot
surf the Internet. The Support Database features an article on this
subject at
https://en.opensuse.org/SDB:Name_Resolution_Does_Not_Work_with_Several_Concurrent_DHCP_Clients.
Problems with Prism2 Cards
Several drivers are available for devices with
Prism2 chips. The various cards work more or
less smoothly with the various drivers. With these cards, WPA is only
possible with the hostap driver. If such a card does not work properly
or not at all or you want to use WPA, read
/usr/share/doc/packages/wireless-tools/README.prism2.