(This is a supplement to my messy
web site on using Linux on laptops
mosly using various Dell Latitude laptops running various versions
of Fedora, most recently Fedora 18 on a Dell latitude E6410) __________________________________________________________________________________________
18 Jul 2013; 1 Aug 2013; 19 Aug 2013; 10 Sep 2013 (removed encrypted passwords)
17 Jul 2013: Upgraded from Fedora 17 to Fedora 18, mid June 2013.
When I first started using wireless on linux I simply used start-up scripts described
elsewhere on this web site. As the systems became more complex, especially with use
of WPA and WPA-enterprise, the configuration became more complex.
Eventually I had to switch to using one of the graphical network tools and having
found NetworkManager awful I used Wicd. That worked for some time, but from Fedora 17
Wicd seemed to be unable to cope with recent changes to security mechanisms. I was
unable to configure it so as to save settings. So I switched to NetworkManager
because that worked.
For a while NetworkManager worked, although I disliked its user interface: e.g. it
gave no option to choose between access points with the same Essid, as Wicd does --
sometimes useful at a location where loads on the access points differ.
In May-June 2013 I started having problems connecting to our campus web site using
NM, so I upgraded my operating system to Fedora 18. One immediate benefit was that
resume (thaw) from pm-hibernate worked immediately, without requiring modifications
to grub.cfg, which I had previously needed.
However, recent versions of NetworkManager (e.g. NetworkManager-0.9.8.2-1.fc18.x86_64)
interact badly with new (?) linux security mechanisms and this made it impossible for
me to provide a stored password for accessing our campus enterprise wifi system
(UOBwifi) or eduroam without typing in a password whenever I wanted to connect or
reconnect, even though NM happily stored passwords for other WPA services, e.g. at home.
Eventually I found a fix described below. I hope this will help others.
There are many web sites where users are now reporting problems with NetworkManager
passwords and asking for help. I suspect this is a result of some major reorganisation
of Linux, which may take some time to settle down. But at least for Fedora users who
know how to edit text files as super-user, the following solution seems to work, for
the latest version of NetworkManager. I have not tried it on earlier versions. See also
NB: The files and scripts needed for Redhat-like systems (e.g. Fedora) are
different from those needed for Debian-based systems (e.g. Ubuntu). So these details
will probably have to be varied for other versions of linux. If a user of another
system wishes to send me either a pointer to a solution, or text to be added here,
e.g. for Ubuntu users, I'll gladly help.
Note added 10 Sep 2013: After following the recommendations below hadProblem and solution:
worked for a couple of weeks, I found my laptop would, for no reason, connect
with either eduroam or our local UOBwifi network, both using Enterprise wifi.
Eventually I got it working again after re-creating the files below, using my
password in plain text, rather than using the output of wpa_passphrase. So if
you try using encrypted passwords in the keys_XXX files, without success, try
inserting the password unencrypted.
(Management of passwords for wifi connections seems to have become a problem in
several versions of linux recently (mid 2013). I found many suggested solutions that
did not work for me, before discovering the solution presented here, by chance,
which may provide useful clues for users of other versions of Linux.)
For a given ESSID (XXXX) NetworkManager on Fedora now uses two files
(whose names and directories may be different in other versions of linux).
/etc/sysconfig/network-scripts/ifcfg-XXXX Specifies type of connection, e.g. level of security, along with Essid, device Mac address, user identity and other features (see example below). /etc/sysconfig/network-scripts/keys-XXXX Includes stored (optionally encrypted) password for connection to XXXXIdeally nm-connection-editor should manage the contents of those files but I found
## Template for file /etc/sysconfig/network-scripts/ifcfg-XXXX ## For 'Enterprise' wifi ## Much of this is set up automatically when you use nm-connection-editor ## But I found the user name (identity) and password (in the keys file) had to be ## added by hand ## Here 'XXXX' is the ESSID. NAME=XXXX ESSID="XXXX" BOOTPROTO=dhcp DEFROUTE=yes ## Insert MAC address for device in next line HWADDR="XX.XX.XX.XX.XX.XX" ## uob_root_linux.pem certificate available from campus web site ## This will be different for users of other sites IEEE_8021X_CA_CERT=/etc/cert/uob_root_linux.pem IEEE_8021X_EAP_METHODS=PEAP ## Insert your 'identity' here (email@example.com for eduroam, or just username for UOBwifi) IEEE_8021X_IDENTITY="username" IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2 ##Next one is optional: can save time connecting on IPV4 network IPV4_FAILURE_FATAL=yes IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no IPV6_PEERDNS=yes IPV6_PEERROUTES=yes KEY_MGMT=WPA-EAP MODE=Managed ###Optional? ONBOOT=yes PEERDNS=yes PEERROUTES=yes TYPE=Wireless ## The UUID was inserted by NetworkManager UUID="UUID FOR DEVICE"I had to delete this line previously inserted by nm-connection-editor:
IEEE_8021X_PASSWORD_FLAGS=userAlso remove any line of the following form: it should go into the 'keys-XXXX' file.
IEEE_8021X_PASSWORD=your-own-passwordThe 'keys' file (readable only by root -- and also non-writeable, as a precaution)
## Contents of file keys-XXXX ## You can use either your actual password or the long encrypted version produced ## by invoking wpa_passphrase: ## insert here either your password in plain text or the long password produced ## as psk=, using the command ## wpa_passphrase essid password IEEE_8021X_PASSWORD="long encrypted password for the user at the service" ## Warning: I've had to revert to using the unencrypted password, as noted above.So you end up with these two new files:
ifcfg-XXXX (World-readable and root-writeable). keys-XXXX (Readable only by 'root')You can store the password in plain text in the keys-XXXX file. You may or may not
** (nm-connection-editor:6176): CRITICAL **: unable to create file' /run/user/1003/dconf/user': Permission denied. dconf will not work properly.
If you know a better way to do this please email me with details: a.sloman[AT]cs.bham.ac.uk
As far as I can tell wpa_supplicant no longer looks in that wpa_supplicant.conf
file for security information. I don't know whether the file is required at all. I
have simply removed user names and passwords from it, leaving the rest for the time
Fedora Bugzilla Discussions
Some users may find these useful:
https://bugzilla.redhat.com/show_bug.cgi?id=982429 Bug 982429 - NetworkManager asks for wireless password every time when i try to connect https://bugzilla.redhat.com/show_bug.cgi?id=974811 Bug 974811 - NetworkManager dispatchers dbus services misconfiguration__________________________________________________________________________________________
Installed: Aug 2006
Previous updates: 26 Mar 2010; 30 May 2010; 12 Jun 2010; 26 Jun 2010; 6 Aug 2010; 15 Feb 2012; 12 Jun 2013
These notes assume that you already have a working wireless card, which you have__________________________________________________________________________________________
tested on some other wireless network.
If your wireless card is not working, try to configure it using 'system-config-network'
or some other tool that works on your system, or ask a friend for help. Come back
when the card works and has been tested on another more easily accessible wireless
network, so that you are sure that you have the right drivers for your wireless card
and it has been properly recognised by your operating system.
ERRONEOUS UPDATE 12 Jun 2013: new version of certificate.
Correction 17 Jul 2013:
This recommendation to convert .pem certificate to .der proved to be erroneous.
/etc/selinux/config by using SELINUX=disabled
In addition, please note that some of the helpdesk staff in Information Services are able to help users who wish to use a linux laptop to access the campus wireless service, but they will not physically change settings on user machines. That is the responsibility of users.
However, the Information Services web site now does give advice for linux users, and you should try their instructions before trying mine. See:
(Includes information about getting the global root certificate for linux users.)
If that does not work for you try my method below, after fetching and installing the certificate specified on the above web page in '/etc/cert'
Alternatively, use a modified version of my instructions for using wicd, namely when setting up the connection to uobwifi make sure you specify the new certificate in /etc/cert/
For unknown reasons I started having difficulty connecting to wireless networks after upgrading from F9 to F10.Later I discovered a way to make my old scripts, described below, work, with a minor change, so that I did not need to use wicd.
However, I have overcome the problems by installing 'wicd', described in http://www.cs.bham.ac.uk/~axs/laptop/wpa/wicd.html
The old scripts were designed to set up the files appropriate for the wireless service I was trying to connect to at these locations, after which they restarted the wpa_supplicant service and attempted to restart the wireless interface eth1.
Starting wpa_supplicant caused the interface to connect with the wireless access point, as could be seen by giving this command, which displays an encryption key (among other things), if the association with the access point is successful.
iwconfig eth1 ## produces: ... Encryption key:CB08-BE5E-DD56-7E0C-.... etc. etc. ...However, trying to make eth1 connect via dhcp, by giving the command
ifup eth1(or using 'dhclient'), caused the effect of wpa_supplicant to be turned off, i.e. losing the association with the access point, and that prevented the connection working.
The solution (Revised 26 Mar 2010): Use dhclient with wpa_supplicant
The solution was to make wpa_supplicant restart, wait a few seconds for the machine to associate with the access point, and then use dhclient in two steps (the -v is optional).
# release any current dhcp lease, and stop dhcp dhclient -r # try to connect eth1 using dhcp. (-v is optional, adds verbosity) dhclient -v eth1 ## (Also works with 'wlan0' if you use that instead of 'eth1') WARNING This does not provide any way of choosing between access points with the same ESSID, but with different signal strengths: so if you do connect successfully it may not select an optimal access point. This is not a problem when all access points available are equally good. However if some are much better than others, then you should probably use a tool like 'wicd' that allows you to select a preferred access point to connect to.
Make sure these files are correct, as described below.
/etc/wpa_supplicant/wpa_supplicant.conf /etc/hosts /etc/resolv.conf ## Unless running dhcp /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-eth1 ## this should include 'ONBOOT=no' so that it doesn't ## immediately try to connect when the machine is booted or ## the network service restarted. ## Specify this certificate if you are using the uobwifi or eduroam connection etc/cert/uob_root_linux.pemWith thse files in place you can run a script with these commands.
## restart network service service network restart ## restart firewall (optional) service iptables restart ## Start the wpa_supplicant service with a 6 second delay ## this uses /etc/sysconfig/wpa_supplicant service wpa_supplicant start ## pause to allow association (experiment with the time needed) ## I think 6 seconds is longer than needed on my machine. sleep 6 ## Now restart eth1 (or replace with 'wlan0' if using that) dhclient -r dhclient -v eth1
That now works reliably for me, so I can once again start
my wireless connection using a shell script, without using wicd,
or network manager.
Very much better -- as I can also use the script to do other things, e.g. alter security settings, host name, etc. depending on where I am.
NOTE: I have switched to using wicd to set up the connection, partly because it allows global settings, e.g. dns servers, and works very reliabily. So my script changes things I want to change, then starts wicd.
13 Nov 2007Zeth Green has also provided instructions, for Ubuntu users, here. Now out of date, and no longer needed.
5 Apr 2009: Improving connection scripts
I have found for some time that I occasionally cannot start up the wireless connection without rebooting. This turned out to be due to some files left over in /var/run, so I wrote a short script to be run to clean things up, available here.
8 Jul 2009: for some reason this is no longer needed.
Updated 17 Feb 2009: Using Nokia handset on Campus Wifi network
Information provided by Emilis Prascienius
4 Nov 2008: Peter Lewis' site on ArchlinuxPeter Lewis has a web page with instructions on how to access UOBWLAN and EDUROAM with ArchLinux.
He writes: "ArchLinux is a relatively new distribution which is very flexible and configurable, and easily allows source packages to be integrated in the same way as its own binary packages (and hence easily removable). I particularly like its network configuration system, which allows for scanning for a wireless network and subsequently connecting to what it finds - before being logged into X":
30 Oct 2008: Partial Support for Linux from Birmingham University Information ServicesThere is now a web site maintained by IS that gives one solution to the problem of connecting to the campus WIFI system. It may help many users.
For people who do not wish to use NetworkManager or cannot get it to work, the
mechanisms described below may work. However, since I started using Fedora 17 I have had to use NetworkManager.
NOTE: 17 Jul 201311 May 2008
Almost everything below this point is now probably out of date.Note on wlassistant now removed. I use 'wicd' instead. You can find information about wlassistant here.
25 Apr 2008
There is an excellent overview article on the Campus Wireless system on ZDNet here.
6 Jan 2008: Wireless problems on Ubuntu Gutsy (version 7.10) and other recent Linux systems
In December 2007 had some experience getting the latest Ubuntu to connect to a WPA network (in my home). The nature of the problem and some solutions are summarised here. This is probably out of date.
13 Jul 2007: Connection instructions for the Palm T|XNotes provided by Tim Williams.12 Jul 2007: Using the madwifi driver on Mandriva
Notes provided by Tim Williams.19 Dec 2006 (Updated 9 Jul 2009): Wireless Network Certificate
There are two 'Authenticated Wireless Network Certificates' for linux users to download from the campus web site http://www.helpdesk.bham.ac.uk/laptopsurgery/linux.shtml
Windows users should look at http://www.wireless.bham.ac.uk/Certs.htm
Linux experts can start here
13 Nov 20061. Started a section for comments from other users.21 Aug 2006
2. Added information about how to convert the campus wireless certificate for linux.
3. Reorganised this file a bit and extended the table of contents.
Some more small changes clarifying things, including more information about the directory /etc/sysconfig/networking/profiles/.
14 Aug 2006
Various minor improvements and some re-ordering of information.
It turns out that if you run wpa_cli without having the username and password in the config file it does not ask you for them. However, if you use wpa_gui instead of wpa_cli for the interaction, everything works, and if you have not put user name and password in the config file, the graphical tool asks for them. I have edited the scripts and the documentation below accordingly. (Note: you need your university username and password, not your school login name and password.)
13 Aug 2006
Added reminder about switching on wireless card, and information about changing location without restarting.
Added various notes on the files in the tar package and reminders about editing some of them.
1. This is deliberately provided as one long file rather than several short files, so that it is easy to use your browser text search facility to find information. Otherwise you would have to tediously go up and down a tree-structured file system looking for things, as is required on far too many web sites because of the mistaken view that each web page should have only a tiny amount of information (perhaps a good idea in the days when most people used only slow dial-up lines and low resolution displays: but those days are long gone, though obviously very large sites need multiple files).
If you want the effect of several short files showing different bits of information you can reopen this file in a new browser window or tab. (Easy with firefox.) You can do that for all the links below, even though most are links into this file.
2. This file is deliberately loosely formatted. I intensely dislike web sites that dictate how many pixels wide my text display should be. So this web site leaves it to you. If you want longer lines of text make the browser window wider. If you want shorter lines make it narrower. If you change font size the line breaks will adjust accordingly.
Compare fixed width BBC web site, which ignores the user's width preference and wastes screen space on a modern display. Contrast that with what google does and also two of the UK research councils EPSRC and PPARC (though some of the pages fail on this test). Another computer science department avoids these annoying restrictions web sites. Even the Directgov web site does it right, to my surprise, since I expect UK government sites to be very backward.
Unfortunately the School of Computer science also recently moved to the dreadful 'fixed-width' style, though fortunately not for all its web pages.
The University of Birmingham has a campus wireless computing service (WIFI) described here, providing a 802.11g (54Mb/s) service, at hotspots depicted here.Preliminary considerations and requirements
Hotspots on main campus.
Because Information Services decided to go for a maximum security system, it has been very difficult for normal users (especially those with older wireless cards) to connect to it --- e.g. compared with using a hotel, or airport connection, or most connections I have experienced in other universities, e.g. for conferences.
Moreover there is no central support for Linux users, only Windows XP (Service Pack 2) users, and MAC OSX users. However, there are indications on some of the web pages that Linux support will be provided later. In the meantime Linux-users are on their own. So mutual support will be very important.
Because the campus wireless system adopted very new technology for maximum security as soon as it was installed, widely available software and hardware on laptops (not only on Linux) were not yet capable of coping with the requirements, though things have got much better thanks to Linux developments in the last few years.
Because of this, I struggled for over a year before I managed to get to the point where I can reliably connect to the campus wireless network. Using the latest linux tools, I find the connection process described here now works faster and more predictably than my previous attempts to use XP to connect to the wireless service following IS instructions. As explained below, it is also easier to make the connection work by giving a command to run a shell script, instead of laboriously going through the error-prone process of clicking on a sequence of graphical displays as Windows and Mac users have to. (However, if you are a linux user and prefer doing that, follow the 'wicd' link.)
My experience is based on using a Dell Latitude D610 laptop computer, with Intel IPW2200 integrated wireless card, now running Fedora Core 5, automatically updated to kernel 2.6.17-1.2157_FC5 after installation (later upgraded by me to 2.6.17-1.2174_1.rhfc5.cubbi_suspend2 in order to be able to use Software Suspend 2).
If anyone has to modify these instructions for another configuration, I am happy to be informed, provided that I get enough information to specify exactly what text I should insert or modify.
This overview may include mistakes or recommend methods that are inferior to some alternatives. So please suggest improvements. I'll be happy to add them to this file.
For the sake of completeness (and comparison) I provide pointers to information on the Bham IS web site for Windows XP and Mac OSX users, at the end of this file.
The rest of this file gives information for Linux users wishing to copy my method. I have tried to cover a lot of details that may be useful for people who are not familiar with the processes of accessing different wireless networks. Some of this will not be needed for experts (but I'd be grateful if some of them check for errors or infelicities). A starting point for Linux experts who already have wpa_supplicant installed is provided in the table of contents.
Before using the UOBWLAN service, Birmingham users must be registered with Information Services and have a user name and password (sometimes referred to as 'ADF' user name, where 'AD' stands for 'Active Directory': and the 'F' is a mystery to me).
If you have not registered, but have a student or staff card, you can get a user name at one of the IS help desks, e.g. in the building opposite Computer Science.
You may be able to get a user name and temporary password yourself here.
E.g. recent versions of Linux include a driver for
the Intel IPW2200 card I use, whereas earlier versions did not.
Some of the versions of linux that provide the driver also include the firmware files to go in /lib/firmware, while others require you to fetch the firmware files, as described below.
How to get a driver for your card depends on the card and on the version of linux. Use google, or friends who have been through the process.
These don't change the firmware but interact with it. E.g. for Intel wireless cards this web site gives lots of useful information and pointers to firmware and drivers
It is also not needed for most wireless public access hot spots, e.g. in hotels, airports, etc.
If you don't already have it on your linux system you can get wpa_supplicant from here, and follow instructions to compile and install it:
When I wrote these instructions I was using version 0.4.8, which came with FC5, but some older versions may also work. Newer versions are now included with many linux distributions.
If you install wpa_supplicant yourself make sure that you compile and install both wpa_supplicant and wpa_cli, since you'll need both, if you wish to do it 'my way', as explained below.wpa_supplicant
provides the extension to the linux wireless service that handles communication with the authentication service at the access point.
provides an interactive text-based utility ('Command Line Interface') that reports what's going on and allows you to check the current status and if necessary give the 'reassociate' command.
This is an optional extra. It provides a graphical interface tool that can be used as the last step in starting up instead of wpa_cli. If you have it you don't need to include your ADF username and password in the wpa_supplicant configuration file. wpa_gui is not included in FC5 for some reason, but if you get the sources for wpa_supplicant you can compile it with the 'make wpa_gui' command after doing everything else.
So, before copying what I have done, you should save all your files listed below (or their equivalents on your Linux installation) in such a way that you can easily restore them. Your linux installation may already have tools for managing network profiles, possibly in this subdirectory:
/etc/sysconfig/networking/profiles/containing a directory for each profile with the files to be used for that profile. I don't like that because there is no indication of where the files go when the profile is selected -- that information is hidden the activation scripts. (That could be altered by using a local directory tree for a profile, or encoding directory names in pathnames.)
Also, as far as I know that profile mechanism does not support associating different firewall configurations or different wpa_supplicant configurations with different profiles, as mine does. But most people will prefer to use what is provided in which case you will need to edit my 'netuob' script.
If requested I could try to produce a version of my script compatible with a standard profile mechanism. It would merely require collecting into a profile subdirectory, e.g./etc/sysconfig/networking/profiles/uob/all the files that I put in subdirectories called 'uob', apart from the firewall script and the /etc/sysconfig/wpa_supplicant file. Then the installation script would have to know where each file needs to be copied, whereas my script just copies each to its super-directory.
Even if old profiles have been saved in the profiles directory I still recommend saving all the files mentioned below, as a precaution. (You could simply make a tar file of your whole /etc directory, as I do after any significant change.)
The directory and file names given here correspond to what I have found on Redhat versions of linux and derived versions such as Fedora Core and Centos. Your network configuration files may be in different locations,e.g. if you use Debian, Ubuntu or some other versions of Linux. I believe SuSe and Debian store profile information in a directory tree in /etc/sysconfig/network/ rather than /etc/sysconfig/networking as in RedHat and Fedora. SuSE users may find this useful:
On RedHat-related systems, such as Fedora Core systems, the following
directories and files may need to have their contents modified when you
attach to a new network. So you will need to save their old values so
that you can easily restore them, as is done by a profiles mechanism. On
a different linux sustem you may have to modify these instructions.
How I run scripts to set up wireless network configurations using different subdirectories containing files for different network locations, is described later.
Files for configuring the wireless network
The following files are used on my machine. The versions I use are all included in the tar file described in the section on fetching a tar file, below.
In case you wish to install the files manually I specify their contents here.
If you have any reason to think that the central certificate has changed, you can fetch the latest .pem version fromhttps://intranet.birmingham.ac.uk/it/teams/infrastructure/networks/wireless/start/configuration/Linux.aspxIn order to derive the .der version required for linux from the .pem version, you can use something like the following conversion command (modified to suit your local naming convention).
which includes a link at the end, to:
https://universityofbirmingham.service-now.com/sys_attachment.do?sys_id=3981ee22fd776480e8ee68743023abddopenssl x509 -inform PEM -in /etc/cert/uob_root_linux.pem -outform DER -out /etc/cert/uob_root_linux.der
I shall endeavour to keep a copy of the latest certificate here. Please inform me (A.Sloman@cs.bham.ac.uk) if you think it needs to be updated.
If you need to connect to different networks using wpa_supplicant you can have multiple entries in the file using the 'ssid' field for each entry to specify where it is relevant. In the case of the Bham wireless network it will be
ssid="UOBWLAN" (or ssid="eduroam")You can copy the version from here and insert your user name and password (where indicated in the file) then leave it. Alternatively remove all references to password and username and use the graphical interface to wpa_supplicant, namely wpa_gui, instead of the command line interface, as indicated below.
If you already have a wpa_supplicant.conf file set up for another context, you may be able simply to add a new network entry copied from this file.
service wpa_supplicant restartIt can tell the service which interface to use and where more detailed configuration files are.
I use this file, containing
INTERFACES="-ieth1" # DRIVERS="-Dndiswrapper -Dprism" DRIVERS="-Dwext"The commented out second line indicates some other options for drivers. Be prepared to edit this.
The '-Dwext' flag
works with my Intel ipw2200 card, and with several other modern wireless
(In older versions of wpa_supplicant I used -Dipw for the Intel wireless card, but that is now subsumed by the more general 'wext' (wireless extension) software.)
You may need to use a different driver if you use ndiswrapper or something else, e.g. "-Dmadwifi". For more details see the information about wpa_supplicant on its web site, or in the documentation that came with the version you are using. You can use google to search for wpa_supplicant plus the name of your card.
For connection to the Bham campus network it should suffice to use the following, with 'MACHINENAME' replaced:
# Contents of /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 MACHINENAME localhost.localdomain localhost
The following contents will probably be generated automatically if you manage to connect to the Bham wireless network
; generated by /sbin/dhclient-script search bham.ac.uk nameserver 18.104.22.168 nameserver 22.214.171.124
# contents of /etc/sysconfig/network
The contents required for access to the bham wireless network are in this file:
# /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE=eth1 BOOTPROTO=dhcp ONBOOT=no ## you may find that 'yes' works for you TYPE=Wireless USERCTL=yes ESSID="UOBWLAN" (or ESSID "eduroam") MODE=managed HWADDR=You will use different contents for that file in different contexts. So make sure you save your current contents (as indicated below) before installing my files for use on Bham campus.
This will probably not have to be changed, but you may wish to save it
In particular, if it is configured to connect on booting, make sure before connecting to the campus wireless network that the file contains the following, to prevent it starting up when you are trying to connect to the wireless service:
ONBOOT=noNormally connecting to the same network both by wireless and by cable is not permitted.
mkdir /var/run/wpa_supplicantand make sure only super-user can access it:
chmod 700 /var/run/wpa_supplicantIf you put the directory anywhere else you will have to alter the wpa_supplicant.conf file, which by default includes this:
It is important to run a firewall when connected to any public network. You may already be happy with the firewall you are currently using. If you sometimes connect using cable and sometimes using wireless, make sure in each context that the firewall knows which interface can be trusted. (Until we have intelligent laptops that do all this automatically.)
On recent Linux systems the firewall depends on the iptables service, which normally starts up when the machine boots up, but can be restarted if the configuration changes.
For people who do not have a firewall installed on their laptop I provide two files based on files originally supplied by Simon Thompson. which I have made available slightly modified and with additional comments here. These files enable your machine to have two connections, one to an untrusted external network and one to a trusted local network. However you are unlikely to need both connections while using the Campus network. You might if, for example, you had a few machines in your office linked together by cable, with one of them providing a gateway to the internet via the campus wireless service. But if you know enough to set that up you probably don't need to read this document.
service iptables status service iptables stop service iptables restartBefore installing this save your old version of the iptables script, in case something goes wrong. The behaviour of Simon's script is controlled by a configuration file as follows.
NB: If connecting to the campus network or any other public network, you should make your firewall treat the wireless card (eth1) as a non-trusted network interface.
cd /etc tar cfz /root/backupfiles-yymmd.tar.gz \ cert \ ## may not exist hosts \ resolv.conf \ wpa_supplicant \ ## may not exist sysconfig/network \ sysconfig/wpa_supplicant \ ## may not exist sysconfig/network-scripts/ifcfg-eth1 \ sysconfig/network-scripts/ifcfg-eth0 \ sysconfig/firewall \ ## may not exist rc.d/init.d/iptables \Edit as required. E.g. you may prefer some other location, rather than /root to save the tarfile.
Those saved files can later be restored (over-writing all changes) by doing this:cd /etc tar xfz /root/backupfiles-yymmd.tar.gz
Switching networking profiles
Switching network profiles is handled via graphical tools available in recent versions of linux based on wicd. If you prefer that method follow these instructions.EXPERTS CAN START HERE
The following notes explain how I do it using shell scripts, which provide more fine-grained control, e.g. allowing different firewalls in different contexts.
Different 'network profiles' may be required for connecting to different wireless or wired networks. Each profile records the contents of certain files used by the network software, including the files listed above, especially:/etc/hosts /etc/resolv.conf /etc/sysconfig/network /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1 and possibly if you are using a new linux system: /etc/sysconfig/network-scripts/keys-eth1Note that unlike my system described below, this does not cater for a firewall configuration to be associated with a network profile.
If you already have more than one networking profile you can probably use the mechanisms you are familiar with, perhaps storing different profiles as sub-directories of/etc/sysconfig/networking/profiles/Then switching between profiles involves running tools that copy those files to their appropriate locations (possibly after saving the 'current' profile). If you use such a system make sure you cover all the details given here.
My own 'home-grown' mechanism for handling different networking profiles for different contexts (developed before I knew about the above profiles directory) makes use of subdirectories.
E.g. in each of the directories containing files that need to change (/etc, /etc/sysconfig, /etc/sysconfig/network-scripts) I use one sub-directory for each profile, containing the files needed for that profile, e.g. directories called 'home/' 'school/' 'uob/' 'remote/'. The last one is for hotels, airports, etc. that simply allow a dhcp connection without any key etc.
Then activating a profile simply involves copying the files from each of the relevant subdirectories for that profile into its superdirectory, as is done in this script netuob.
For example I have the following directories containing files for use when my laptop is at home./etc/home /etc/sysconfig/home /etc/sysconfig/network-scripts/homeand the following for use when my laptop is connected to the Bham wireless network:/etc/uob /etc/sysconfig/uob /etc/sysconfig/network-scripts/uobSo after travelling, I get home and reconnect by running a script that does this as root (it could be compacted to a loop), which re-sets all the static addresses, re-inserts names of other machines in the /etc/hosts file, and restarts the network.service network stop cd /etc cp -p home/* . cd /etc/sysconfig/ cp -p home/* . cd /etc/sysconfig/network-scripts/ cp -p home/* . ## restart firewall service iptables restart ## restart network service network start ## Start the wpa_supplicant service with a 5 second delay ## this uses /etc/sysconfig/wpa_supplicant (sleep 5; service wpa_supplicant start) & ## Now immediately restart eth1 and let it wait for wpa_supplicant dhclient eth1Similar commands can be given with 'home' replaced by one of 'school' 'uob' 'remote' etc. Obviously this can be done by a script that takes the profile name as an argument.
For Linux experts. If you don't already have wpa_supplicant you can probably get a package for your linux distribution. E.g. one of these commands should sufficeFedora: yum install wpa_supplicant Ubuntu apt-get wpa_supplicant etc ....As a last resort, get it from http://hostap.epitest.fi/wpa_supplicant/
There are instructions for compiling and installing in the tar files. You should make sure you install wpa_supplicant, wpa_cli and, if you want a graphical interface, wpa_gui (this allows you to avoid putting username and password in the wpa_supplicant.conf file).
If you are a visitor to Birmingham using the "eduroam" service you'll need to replace "UOBWLAN" with "eduroam" in all the files provided. (Later I'll provide a set of files for visitors.) Alternatively use the wicd configuration tool if you have it. Users of the eduroam service should probably read the details above.
If you wish to
copy my strategy you can do this as root, using 'home' as the label for
your normal configuration, though you could choose another label:
If you have a recent version of Linux network tools which includes the
following file, you may wish to save it too:
Having deleted the files from my tar file that you don't want (e.g.
iptables and firewall), as explained above, and edited the ones that
need to be changed (also as indicated above), copy all the other files
over into the /etc directory. You can do this as follows:
As root change to the directory where you ran the 'tar xfz'
command to unpack the tar file:
Don't forget to edit the file /etc/wpa_supplicant/wpa_supplicant.conf
so that it contains your BHAM ADF
user name and password (unless you decide
to use the graphical interface wpa_gui instead of the command
line interface wpa_cli).
Also if you have not yet created the control interface directory as
explained above do that now, as super
You are advised to read through it and check what it does before running
it. If necessary you can delete or edit inappropriate bits, for instance
if you do not wish to restart the firewall, delete the commands that
refer to iptables.
If you have wpa_gui installed, and you wish to use it instead of
wpa_cli, change the last call of wpa_cli to wpa_gui. You must
do that if you don't wish to include your username and password in the
wpa_supplicant.conf configuration file.
Do you have the wpa_supplicant service script?
If that is not available and you have installed wpa_supplicant
as described above,
you can instead change the 'netuob' script to
make it run wpa_supplicant directly by replacing the above service
command with this line, using the '-Bw' flag to run it as a 'daemon':
Backup your files as explained above and then
fetch this tar file and save it somewhere
then unpack it into a temporary /etc directory as follows
(where '...' names the directory where you put the tar file).
That tar file is probably out of date. Read relevant sections of this file and build your own scripts instead.
Or use a package like 'wicd'!
tar xfz .../etcfiles.tar.gz
Examine the contents and decide which bits you wish to use. The contents
are these files.
#you could make a copy of your ifcfg-eth0 file here too
[*1] Edit 'hosts' file to include your machine name
[*2] If 'firewall' file is used, check that eth1 is DIRTYIF
[*3] Edit 'network' file to include your machine name
[*4] Make sure that the driver for your wireless card is invoked
in -Dxxx parameter
[*5] Make sure your ADF user name and password are included
unless you decide to use wpa_gui (graphical interface) instead of wpa_cli
[*6] Optional script to start wpa_supplicant
if you use it edit to invoke driver for your wireless card
The files that might overwrite files that you already have are
in subdirectories called 'uob/' except for the iptables file and the
wpa_supplicant.conf file. (If you already had the latter then you would
probably not need my instructions.) So if you want to use Simon's
firewall, save your existing iptables, and then copy his over to
If you want to use your existing firewall then don't use this copy of
'iptables' and remove this file from the tar file, as this is used
only by simon's iptables file:
As explained above, you should have already backed up the files in /etc that will be over-written, in a tar file of the form:
However it is a good idea to make sure you have copies of them in
your /etc directory in a conveniently accessible place.
# create directories for the 'home' profile
mkdir -p home sysconfig/home sysconfig/network-scripts/home
# Copy files in /etc to home/ directory
cp -p hosts resolv.conf home/
# Copy files in /etc/sysconfig to home/ directory
# then either
cp -p network firewall wpa_supplicant home
# or, if the other two files don't exist yet
cp -p network home/
# Copy files in /etc/sysconfig/network-scripts to home/ directory
cp -p ifcfg-eth1 ifcfg-eth1 home/
# If using a new version of iptables save the old one
cp -p iptables home
You may not need to do all this if you already have a profile mechanism
that has saved your normal profile.
First make sure you have saved all your normal files.
# copy all the unpacked files to their appropriate places in the
# /etc directory tree
cp -a etc /etc
The 'cp -a' copies in 'archive' mode, preserving all information,
including symbolic links.
# create the file
mkdir -p /var/run/wpa_supplicant
# protect it
chmod 700 /var/run/wpa_supplicant
That directory is used by wpa_cli or wpa_gui to communicate with
Fetch, install and, if appropriate, edit this script in some place where it can be invoked to start up the Bham wireless connection.
E.g. put the file in /usr/local/bin/netuob and make sure it is executable
chmod 755 netuob
Alternatively you may wish to give it a different name, e.g. 'startuob'
The 'netuob' script assumes that you have the wpa_supplicant service script installed in /etc/rc.d/init.d so that this command will work when you run the script:
service wpa_supplicant restart
This service script came with my Fedora Core 5 installation, but older
versions of Linux will probably not have it.
wpa_supplicant -Bw -c/etc/wpa_supplicant/wpa_supplicant.conf -ieth1 -Dwext
You may have to change 'wext' to suit your wireless card, as explained
A precompiled wpa_gui (Removed 9 Jul 2009: out of date)
If you wish to copy my strategy you can do this as root, using 'home' as the label for your normal configuration, though you could choose another label:
If you have a recent version of Linux network tools which includes the following file, you may wish to save it too:
Having deleted the files from my tar file that you don't want (e.g. iptables and firewall), as explained above, and edited the ones that need to be changed (also as indicated above), copy all the other files over into the /etc directory. You can do this as follows:
As root change to the directory where you ran the 'tar xfz' command to unpack the tar file:
NB Don't forget to edit the file /etc/wpa_supplicant/wpa_supplicant.conf so that it contains your BHAM ADF user name and password (unless you decide to use the graphical interface wpa_gui instead of the command line interface wpa_cli).
Also if you have not yet created the control interface directory as explained above do that now, as super user:
You are advised to read through it and check what it does before running it. If necessary you can delete or edit inappropriate bits, for instance if you do not wish to restart the firewall, delete the commands that refer to iptables.
If you have wpa_gui installed, and you wish to use it instead of wpa_cli, change the last call of wpa_cli to wpa_gui. You must do that if you don't wish to include your username and password in the wpa_supplicant.conf configuration file.
Do you have the wpa_supplicant service script?
If that is not available and you have installed wpa_supplicant as described above, you can instead change the 'netuob' script to make it run wpa_supplicant directly by replacing the above service command with this line, using the '-Bw' flag to run it as a 'daemon':
Make sure you have backed up over-writeable filesInteracting with wpa_cli (Command Line Interface)
Double check that you have done everything as above, including backing up all the files that will be overwritten, as explained here, and checking and if necessary editing the script 'netuob' described above.
Find a hot spot
Find a location on campus close to an access point, for testing. Possible locations are shown here. A good place is the basement of the building opposite Computer Science.
Start up and switch on wireless card
Start the computer. Make sure your wireless hardware is switched on. E.g. on the Dell D610 and others like it use FN+F2.
(People have reported problems because they forgot to turn this on.)
Start an xterm or your preferred console (command line) window into which you can type commands. Become super-user ('su root' or use sudo for the following). Check that your wireless card is on:iwconfig eth1
The 'iwconfig' command will include 'radio off' in its output if the hardware is turned off.
Run the 'netuob' script (i.e. /usr/local/bin/netuob)
Run the 'netuob' script (after you have checked and possibly edited it, as described above).
Alternatively, if you prefer, go through all its commands yourself.
This script (if you have not edited it) will
If you have run wpa_gui, it will create a panel showing what is going on. The panel will indicate when the connection has been made by showing an IP address along with the other information displayed. The IP address will come last.
- Turn off your existing network services,
- copy files from /etc/uob to /etc/hosts and /etc/resolv.conf (though the latter will be overwritten again when the connection is made).
- copy files from /etc/sysconfig/uob to /etc/sysconfig (e.g. 'network', and possibly also 'firewall' and 'wpa_supplicant', if you have not removed them)
- copy ifcfg-eth1 from /etc/sysconfig/network-scripts/uob to /etc/sysconfig/network-scripts
- restart iptables (the firewall)
- restart the network service
- give a command to restart the wpa_supplicant service after a delay
- run 'dhclient eth1' which should start the connection going, though it will wait until the command to restart wpa_supplicant has run.
If you removed your ADF user name and password from the wpa_supplicant.conf file then you can run wpa_gui (graphical interface) to enable you to type them in. Or use 'wicd' or NetworkManager instead of my scripts.
You can then try to get your web browser to connect to http://www.bham.ac.uk/
If that works, all is well.
If you cannot connect, use the browser configuration facility to make sure that it is not set up to use a different connection, e.g. for your home network. It may be that in your browser you have set the 'connection' option to go through the School's proxy server. If so, change it to use 'direct connection to internet'.
E.g. if you use 'Firefox' go to 'edit' then 'preferences'. Select the 'General' tab. Then select 'Connection settings'. Then select 'Direct connection to the internet'. Then close the preferences panels.
If the connection is working you should also be able to use external links, e.g. news.bbc.co.uk, and you should be able to use 'ssh' to log in to a server in the School of computer science as you would from home.
The printout that I get after starting up is shown in this file:Interacting with wpa_gui (Graphical Interface)
You may find it useful to save a copy on your machine to compare with the output you get.
As the output file shows, after getting [OK] I typed 'status', and it printed out the following:bssid=00:0c:db:8b:84:40 ssid=UOBWLAN pairwise_cipher=TKIP group_cipher=WEP-40 key_mgmt=WPA/IEEE 802.1X/EAP wpa_state=COMPLETED ip_address=192.168.30.87 Supplicant PAE state=AUTHENTICATED suppPortStatus=Authorized EAP state=SUCCESS selectedMethod=25 (EAP-PEAP) EAP TLS cipher=RC4-MD5 EAP-PEAPv0 Phase2 method=MSCHAPV2
If you press the RETURN key you should get this prompt from wpa_cli>You can type 'status' and it will indicate what the current state of the connection is, in the format shown above.
It should include an IP address of the form 192.168.xxx.yyy'
If there is no IP address after a minute or two, type 'reassociate' and wait and see what happens.
The man file for wpa_cli gives more information, or you can type 'help' to the running process.
There are some screenshots showing how the wpa_gui can appear (depending on your window manager) here. The display is shown prior to completion of the connection: the IP address has not been provided yet.
Another example, with completed connection is shown here
Of course, if you use it to connect to the Bham wireless service the contents will be different, and will correspond to the output of the 'status' command given to wpa_cli, shown above.
If you are a KDE user you may wish to consider this
If you are having trouble there are many online forums including this and its latest page (as of 14 Aug 2006) here.
Moving to a new location on campus without re-starting
I found that if I moved to another 'hot spot' (e.g. from one level of the Learning Centre to another, or to the School of Biosciences, or to Staff House), while leaving my laptop running, the connection was lost, but it could be regained without repeating the whole start-up rigmarole, simply by typing 'reassociate' to the wpa_cli prompt, as long as everything else has been left running.
Sometimes I find that after I move to a new location it reassociates automatically if I wait a short time, keeping the same IP address.
I have also found that if I put my computer to sleep using 'Software Suspend' (suspend to disc), then when it wakes up the wireless connection still works: it does not need to be re-started. I don't know how long a time gap this will tolerate.
On fedora core 5, the command to suspend to disc is 'pm-hibernate', requiring super-user privileges. If you have installed SWSUSP2 (as I recommend) then the command is 'hibernate'.
(In FC 5 there is also a command to suspend to RAM, 'pm-suspend' which worked before I got my Intel wireless card working, but stopped working thereafter. However 'hibernate' is not much slower, and far more robust.)
like you I had been struggling with this on and off for a while now. Anyway with the documentation on your webpage I have now got it working and it seems really stable (my main problem was finding a linux version of the uob_root_linux.pem file so many thanks for the link to a linux version on your page), also your wpa_supplicant.conf configuration file was a great help.
for the sake of sharing info my computer is a sony vaio fe11h with an integrated network card, running kubuntu dapper-drake6.06, kde3.5.5. the easiest way for me to get it working was to run the following commands (as root), a bit of crude hack but it works...1) wpa_supplicant -i eth1 -D wext -c /etc/wpa_supplicant/wpa_supplicant.conf 2) wpa_guithese 2 commands enabled a connection but not an assignment of an ip address so to get this I ran3) dhclient eth1
[NOTE Added 17 Apr 2007: Several of these links now produce random
The University has yet again (like many others) reorganised its web pages in such a way as to clobber bookmarks. I'll try to fix the links soon.]
Finding out how to use the campus wireless network on Windows or Mac, requires looking at these web pages:
Overview of campus wireless network service.
The 'Getting Started' web site, which will eventually lead you through all the following:
Configuring Wireless Access on Windows XP (SP2), Mac OSX and Linux
The Linux link is to this page.
If you use XP without 'service pack 2' installed, it will not work, and if you use an older version of windows you may or may not find useful information on how to connect. Further information on connection and checking below.
School of Computer Science
The University of Birmingham