School of Computer Science THE UNIVERSITY OF BIRMINGHAM

Using wpa_supplicant on Linux to Connect to
the University of Birmingham (Bham)
Campus (Enterprise) Wireless Network and
Eduroam -- the multi-site network.
Aaron Sloman

(This is a supplement to my messy web site on using Linux on laptops
mostly using various Dell Latitude laptops running various versions
of Fedora, most recently Fedora 18 on a Dell Latitude E6410)

__________________________________________________________________________________________

Last updated:
18 Jul 2013; 1 Aug 2013; 19 Aug 2013; 10 Sep 2013 (removed encrypted passwords)
17 Jul 2013: Upgraded from Fedora 17 to Fedora 18, mid June 2013.
__________________________________________________________________________________________


17 Jul 2013; Installed Fedora 18 in June 2013
Now using NetworkManager
For unknown reasons, Wicd would not work on my laptop after upgrading to Fedora 17.
However, for the first time NetworkManager worked OK.
Then new problems turned up in Fedora 18 -- password problems. These seem to be a
result of complex changes in security mechanisms on linux systems as well as changes
in NetworkManager.
On my machine, everything now works, with fixes described below.

__________________________________________________________________________________________

Background:
When I first started using wireless on linux I simply used start-up scripts described
elsewhere on this web site. As the systems became more complex, especially with use
of WPA and WPA-enterprise, the configuration became more complex.

Eventually I had to switch to using one of the graphical network tools and having
found NetworkManager awful I used Wicd. That worked for some time, but from Fedora 17
Wicd seemed to be unable to cope with recent changes to security mechanisms. I was
unable to configure it so as to save settings. So I switched to NetworkManager
because that worked.

For a while NetworkManager worked, although I disliked its user interface: e.g. it
gave no option to choose between access points with the same Essid, as Wicd does --
sometimes useful at a location where loads on the access points differ.

In May-June 2013 I started having problems connecting to our campus web site using
NM, so I upgraded my operating system to Fedora 18. One immediate benefit was that
resume (thaw) from pm-hibernate worked immediately, without requiring modifications
to grub.cfg, which I had previously needed.

However, recent versions of NetworkManager (e.g. NetworkManager-0.9.8.2-1.fc18.x86_64)
interact badly with new (?) linux security mechanisms and this made it impossible for
me to provide a stored password for accessing our campus enterprise wifi system
(UOBwifi) or eduroam without typing in a password whenever I wanted to connect or
reconnect, even though NM happily stored passwords for other WPA services, e.g. at home.

Eventually I found a fix described below. I hope this will help others.

There are many web sites where users are now reporting problems with NetworkManager
passwords and asking for help. I suspect this is a result of some major reorganisation
of Linux, which may take some time to settle down. But at least for Fedora users who
know how to edit text files as super-user, the following solution seems to work, for
the latest version of NetworkManager. I have not tried it on earlier versions. See also

    https://fedoraproject.org/wiki/Tools/NetworkManager#Known_problems
    https://wiki.archlinux.org/index.php/NetworkManager#Troubleshooting

NB: The files and scripts needed for Redhat-like systems (e.g. Fedora) are
different from those needed for Debian-based systems (e.g. Ubuntu). So these details
will probably have to be varied for other versions of linux. If a user of another
system wishes to send me either a pointer to a solution, or text to be added here,
e.g. for Ubuntu users, I'll gladly help.

__________________________________________________________________________________________

Fix for NetworkManager Problems in Fedora 18 (and possibly others)

Note added 10 Sep 2013: After following the recommendations below had
worked for a couple of weeks, I found my laptop would, for no reason, connect
with either eduroam or our local UOBwifi network, both using Enterprise wifi.
Eventually I got it working again after re-creating the files below, using my
password in plain text, rather than using the output of wpa_passphrase. So if
you try using encrypted passwords in the keys_XXX files, without success, try
inserting the password unencrypted.

Problem and solution:
After upgrading to F18, I was at first very annoyed that NetworkManager would not
save passwords for Enterprise (MSCHAPV2) wifi connections, requiring me to type in
the password whenever I wanted to connect or re-connect, even though passwords for
home and other wifi connections using WPA worked fine with a stored password.

(Management of passwords for wifi connections seems to have become a problem in
several versions of linux recently (mid 2013). I found many suggested solutions that
did not work for me, before discovering the solution presented here, by chance,
which may provide useful clues for users of other versions of Linux.)

SOLUTION:
For a given ESSID (XXXX) NetworkManager on Fedora now uses two files
(whose names and directories may be different in other versions of linux).

    /etc/sysconfig/network-scripts/ifcfg-XXXX
        Specifies type of connection, e.g. level of security, along with Essid,
        device Mac address, user identity and other features (see example below).

    /etc/sysconfig/network-scripts/keys-XXXX
        Includes stored (optionally encrypted) password for connection to XXXX

Ideally nm-connection-editor should manage the contents of those files but I found
that it could not deal properly with the files for enterprise wifi systems, e.g.
'eduroam' or our campus system 'UOBwifi', both of which use PEAP and MSCHAPV2.

Contents of /etc/sysconfig/network-scripts/ifcfg-XXXX for 'Enterprise' wifi (MSCHAPV2)
(Make sure you remove or comment out any line specifying 'USER' for the password source)
   ## Template for file /etc/sysconfig/network-scripts/ifcfg-XXXX
   ## For 'Enterprise' wifi
   ## Much of this is set up automatically when you use nm-connection-editor
   ## But I found the user name (identity) and password (in the keys file) had to be
   ## added by hand

   ## Here 'XXXX' is the ESSID.
   NAME=XXXX
   ESSID="XXXX"
   BOOTPROTO=dhcp
   DEFROUTE=yes
   ## Insert MAC address for device in next line
   HWADDR="XX:XX:XX:XX:XX:XX"
   ## uob_root_linux.pem certificate available from campus web site
   ## This will be different for users of other sites
   IEEE_8021X_CA_CERT=/etc/cert/uob_root_linux.pem
   IEEE_8021X_EAP_METHODS=PEAP
   ## Insert your 'identity' here (username@email.address for eduroam, or just username for UOBwifi)
   IEEE_8021X_IDENTITY="username"
   IEEE_8021X_INNER_AUTH_METHODS=MSCHAPV2
   ##Next one is optional: can save time connecting on IPV4 network
   IPV4_FAILURE_FATAL=yes
   IPV6INIT=yes
   IPV6_AUTOCONF=yes
   IPV6_DEFROUTE=yes
   IPV6_FAILURE_FATAL=no
   IPV6_PEERDNS=yes
   IPV6_PEERROUTES=yes
   KEY_MGMT=WPA-EAP
   MODE=Managed
   ###Optional?
   ONBOOT=yes
   PEERDNS=yes
   PEERROUTES=yes
   TYPE=Wireless
   ## The UUID was inserted by NetworkManager
   UUID="UUID FOR DEVICE"

I had to delete this line previously inserted by nm-connection-editor:
    IEEE_8021X_PASSWORD_FLAGS=user
Also remove any line of the following form: it should go into the 'keys-XXXX' file.
    IEEE_8021X_PASSWORD=your-own-password

The 'keys' file (readable only by root -- and also non-writeable, as a precaution)
The second file has the name keys-XXXX
(where XXXX, as before, is the Essid, e.g. eduroam or UOBwifi at Birmingham University)
    ## Contents of file keys-XXXX
    ## You can use either your actual password or the long encrypted version produced
    ## by invoking wpa_passphrase:
    ## insert here either your password in plain text or the long password produced
    ## as psk=, using the command
    ##      wpa_passphrase essid password
    IEEE_8021X_PASSWORD="long encrypted password for the user at the service"

    ## Warning: I've had to revert to using the unencrypted password, as noted above.

So you end up with these two new files:
    ifcfg-XXXX      (World-readable and root-writeable).
    keys-XXXX       (Readable only by 'root')
You can store the password in plain text in the keys-XXXX file. You may or may not
find that the encrypted form produced by wpa_passphrase also works.
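
A check of one ifcfg-XXXX / keys-XXXX pair against the points above, as an added example that is not part of the original page. The function names are made up here, the CA certificate check is an addition based on the template's IEEE_8021X_CA_CERT line, and file ownership is not checked so that the function can be tried on a scratch copy.

```shell
#!/bin/sh
# Added example: audit one ifcfg-XXXX / keys-XXXX pair as described on this page.
# Usage (as root on the real files), assuming it is saved as audit_wifi_profile.sh:
#   sh audit_wifi_profile.sh /etc/sysconfig/network-scripts eduroam

# Octal permission bits of a file: GNU stat (Fedora), then BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the last value assigned to KEY ($2) in file $1, without surrounding quotes.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Record one finding for the profile currently being audited.
report() {
    findings=$((findings + 1))
    echo "$essid: $1"
}

# audit_wifi_profile DIR ESSID
# Prints one line per finding; returns 0 when there are none, 1 otherwise.
audit_wifi_profile() {
    dir=$1
    essid=$2
    ifcfg="$dir/ifcfg-$essid"
    keys="$dir/keys-$essid"
    findings=0

    if [ ! -f "$ifcfg" ]; then
        report "missing $ifcfg"
        return 1
    fi

    # ifcfg-XXXX is world-readable, so the password must not live there.
    if grep -q '^[[:space:]]*IEEE_8021X_PASSWORD=' "$ifcfg"; then
        report "IEEE_8021X_PASSWORD is set in ifcfg; move it to keys-$essid"
    fi

    # The page's fix: this line, inserted by nm-connection-editor, had to go.
    if grep -q '^[[:space:]]*IEEE_8021X_PASSWORD_FLAGS=user' "$ifcfg"; then
        report "IEEE_8021X_PASSWORD_FLAGS=user is present; delete that line"
    fi

    # Without a CA certificate the client cannot verify the authentication
    # server before the PEAP/MSCHAPV2 exchange takes place.
    if [ -z "$(cfg_value "$ifcfg" IEEE_8021X_CA_CERT)" ]; then
        report "IEEE_8021X_CA_CERT is not set"
    fi

    if [ ! -f "$keys" ]; then
        report "missing $keys"
        return 1
    fi

    # The keys file holds the password: owner-only access (0400 or 0600).
    mode=$(file_mode "$keys")
    case "$mode" in
        400|600) ;;
        *) report "keys file mode is $mode; use chmod 400" ;;
    esac

    pw=$(cfg_value "$keys" IEEE_8021X_PASSWORD)
    if [ -z "$pw" ]; then
        report "IEEE_8021X_PASSWORD is not set in keys-$essid"
    elif printf '%s' "$pw" | grep -Eq '^[0-9a-fA-F]{64}$'; then
        # wpa_passphrase prints a 64-hex-digit WPA-PSK key derived from the
        # passphrase and the ESSID; the page reports going back to plain text.
        report "password looks like wpa_passphrase output (64 hex digits)"
    fi

    [ "$findings" -eq 0 ]
}

# Run the audit when called with DIR and ESSID; do nothing when only loaded.
if [ $# -eq 2 ]; then
    audit_wifi_profile "$1" "$2"
fi
```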

Running nm-connection-editor not as root
The changes so far allowed me to run nm-connection-editor as root, but if I tried
running it while logged in as myself, without 'sudo', I got an error message about a
file being protected, namely
    ** (nm-connection-editor:6176): CRITICAL **: unable to create file '/run/user/1003/dconf/user': Permission denied.  dconf will not work properly.

(I've given a fake user number here: 1003 should be your user id, as in the /etc/passwd file.)

All I had to do then was 'chown -R xxxx /run/user/1003/' where 'xxxx' represents my user name.
That made everything in /run/user/1003/ owned by me.

After that I could run nm-connection-editor as myself and not get an error message.

If you know a better way to do this please email me with details: a.sloman[AT]cs.bham.ac.uk

Note added 19 Aug 2013
The user interface provided by NetworkManager has improved recently, including a
change to nm-applet that seems to allow users to select between different access
points with the same Essid (as wicd did long ago).
But I would still use the wicd interface if it could be made to work with the new
security mechanisms, as it is much better designed than NetworkManager's.
If anyone knows how to make wicd work on Fedora 18 without gnome please let me know.

__________________________________________________________________________________________

NOTE: /etc/wpa_supplicant/wpa_supplicant.conf
As far as I can tell wpa_supplicant no longer looks in that wpa_supplicant.conf
file for security information. I don't know whether the file is required at all. I
have simply removed user names and passwords from it, leaving the rest for the time
being.

Fedora Bugzilla Discussions
Some users may find these useful:

    https://bugzilla.redhat.com/show_bug.cgi?id=982429
    Bug 982429 - NetworkManager asks for wireless password every time when i try to connect

    https://bugzilla.redhat.com/show_bug.cgi?id=974811
    Bug 974811 - NetworkManager dispatchers dbus services misconfiguration
__________________________________________________________________________________________

EVERYTHING BELOW THIS POINT IS OUT OF DATE.
But some fragments may still be useful, so
it will remain available for a while.
Later it will be moved to a separate (history) file.

Installed: Aug 2006
Previous updates: 26 Mar 2010; 30 May 2010; 12 Jun 2010; 26 Jun 2010; 6 Aug 2010; 15 Feb 2012; 12 Jun 2013

These notes assume that you already have a working wireless card, which you have
tested on some other wireless network.

If your wireless card is not working, try to configure it using 'system-config-network'
or some other tool that works on your system, or ask a friend for help. Come back
when the card works and has been tested on another more easily accessible wireless
network, so that you are sure that you have the right drivers for your wireless card
and it has been properly recognised by your operating system.
__________________________________________________________________________________________

ERRONEOUS UPDATE 12 Jun 2013: new version of certificate.
Correction 17 Jul 2013:
This recommendation to convert .pem certificate to .der proved to be erroneous.


UPDATE 26 Jun 2010: disable selinux
Like many other linux users, I have found that the Selinux security add-on causes too many problems,
even if it is required on corporate computing services.
So I now disable selinux completely in this file:
    /etc/selinux/config
by using
    SELINUX=disabled


NEWS 26 Mar 2010:
Introduction of new service UOBwifi with new certificate (March 2010)
NB The previous service UOBWLAN was phased out in the summer of 2010.


NOTE: THIS IS NOT AN OFFICIAL DOCUMENT OF THE UNIVERSITY OF BIRMINGHAM OR THE SCHOOL OF COMPUTER SCIENCE. NEITHER THE UNIVERSITY NOR THE SCHOOL NOR THE AUTHOR OF THIS DOCUMENT CAN ACCEPT ANY RESPONSIBILITY FOR ANY CONSEQUENCES OF FOLLOWING THE ADVICE OFFERED HERE.
(In other words: the normal conditions of mutual-help for Linux users apply!)

In addition, please note that some of the helpdesk staff in Information Services are able to help users who wish to use a linux laptop to access the campus wireless service, but they will not physically change settings on user machines. That is the responsibility of users.

However, the Information Services web site now does give advice for linux users, and you should try their instructions before trying mine. See:

If that does not work for you try my method below, after fetching and installing the certificate specified on the above web page in '/etc/cert'

Alternatively, use a modified version of my instructions for using wicd, namely when setting up the connection to uobwifi make sure you specify the new certificate in /etc/cert/



8 Jul 2009: Fedora 10, using WICD to connect to WPA service

I wrote on 2nd June 2009:
For unknown reasons I started having difficulty connecting to wireless networks after upgrading from F9 to F10.
However, I have overcome the problems by installing 'wicd', described in http://www.cs.bham.ac.uk/~axs/laptop/wpa/wicd.html
Later I discovered a way to make my old scripts, described below, work, with a minor change, so that I did not need to use wicd.

The old scripts were designed to set up the files appropriate for the wireless service I was trying to connect to at these locations, after which they restarted the wpa_supplicant service and attempted to restart the wireless interface eth1.

Starting wpa_supplicant caused the interface to connect with the wireless access point, as could be seen by giving this command, which displays an encryption key (among other things), if the association with the access point is successful.

    iwconfig eth1

## produces:
    ...
    Encryption key:CB08-BE5E-DD56-7E0C-.... etc. etc.
    ...
However, trying to make eth1 connect via dhcp, by giving the command
    ifup eth1
(or using 'dhclient'), caused the effect of wpa_supplicant to be turned off, i.e. losing the association with the access point, and that prevented the connection working.

The solution (Revised 26 Mar 2010): Use dhclient with wpa_supplicant
The solution was to make wpa_supplicant restart, wait a few seconds for the machine to associate with the access point, and then use dhclient in two steps (the -v is optional).

    # release any current dhcp lease, and stop dhcp
    dhclient -r

    # try to connect eth1 using dhcp. (-v is optional, adds verbosity)
    dhclient -v eth1

    ## (Also works with 'wlan0' if you use that instead of 'eth1')

   WARNING
    This does not provide any way of choosing between access points with
    the same ESSID, but with different signal strengths: so if you do connect
    successfully it may not select an optimal access point.
    This is not a problem when all access points available are equally
    good. However if some are much better than others, then you should
    probably use a tool like 'wicd' that allows you to select a preferred
    access point to connect to.

Make sure these files are correct, as described below.

    /etc/wpa_supplicant/wpa_supplicant.conf
    /etc/hosts
    /etc/resolv.conf
        ## Unless running dhcp
    /etc/sysconfig/network
    /etc/sysconfig/network-scripts/ifcfg-eth1
        ## this should include 'ONBOOT=no' so that it doesn't
        ## immediately try to connect when the machine is booted or
        ## the network service restarted.

    
    ## Specify this certificate if you are using the uobwifi or eduroam connection
    /etc/cert/uob_root_linux.pem

With these files in place you can run a script with these commands.
    ## restart network service
    service network restart

    ## restart firewall (optional)
    service iptables restart

    ## Start the wpa_supplicant service with a 6 second delay
    ## this uses /etc/sysconfig/wpa_supplicant
    service wpa_supplicant start

    ## pause to allow association (experiment with the time needed)
    ## I think 6 seconds is longer than needed on my machine.
    sleep 6

    ## Now restart eth1 (or replace with 'wlan0' if using that)
    dhclient -r
    dhclient -v eth1

That now works reliably for me, so I can once again start my wireless connection using a shell script, without using wicd, or network manager.
Very much better -- as I can also use the script to do other things, e.g. alter security settings, host name, etc. depending on where I am.
NOTE: I have switched to using wicd to set up the connection, partly because it allows global settings, e.g. dns servers, and works very reliably. So my script changes things I want to change, then starts wicd.


Using 'nm-applet' to connect to the campus wireless service.
Out of date. Information removed.

13 Nov 2007
Zeth Green has also provided instructions, for Ubuntu users, here. Now out of date, and no longer needed.

NEWS AND UPDATES

5 Apr 2009: Improving connection scripts
I have found for some time that I occasionally cannot start up the wireless connection without rebooting. This turned out to be due to some files left over in /var/run, so I wrote a short script to be run to clean things up, available here.
8 Jul 2009: for some reason this is no longer needed.


Updated 17 Feb 2009: Using Nokia handset on Campus Wifi network
Information provided by Emilis Prascienius


4 Nov 2008: Peter Lewis' site on Archlinux

Peter Lewis has a web page with instructions on how to access UOBWLAN and EDUROAM with ArchLinux.
http://www.petesodyssey.org/hacking/archlinuxandeduroam

He writes: "ArchLinux is a relatively new distribution which is very flexible and configurable, and easily allows source packages to be integrated in the same way as its own binary packages (and hence easily removable). I particularly like its network configuration system, which allows for scanning for a wireless network and subsequently connecting to what it finds - before being logged into X":
http://www.archlinux.org/


30 Oct 2008: Partial Support for Linux from Birmingham University Information Services
There is now a web site maintained by IS that gives one solution to the problem of connecting to the campus WIFI system. It may help many users.
https://intranet.birmingham.ac.uk/it/teams/infrastructure/networks/wireless/start/configuration/Linux.asp

For people who do not wish to use NetworkManager or cannot get it to work, the
mechanisms described below may work. However, since I started using Fedora 17 I have had to use NetworkManager.


NOTE: 17 Jul 2013
Almost everything below this point is now probably out of date.

11 May 2008
Note on wlassistant now removed. I use 'wicd' instead. You can find information about wlassistant here.


25 Apr 2008
There is an excellent overview article on the Campus Wireless system on ZDNet here.


6 Jan 2008: Wireless problems on Ubuntu Gutsy (version 7.10) and other recent Linux systems
In December 2007 I had some experience getting the latest Ubuntu to connect to a WPA network (in my home). The nature of the problem and some solutions are summarised here. This is probably out of date.


13 Jul 2007: Connection instructions for the Palm T|X
Notes provided by Tim Williams.

12 Jul 2007: Using the madwifi driver on Mandriva
Notes provided by Tim Williams.

19 Dec 2006 (Updated 9 Jul 2009): Wireless Network Certificate
There are two 'Authenticated Wireless Network Certificates' for linux users to download from the campus web site http://www.helpdesk.bham.ac.uk/laptopsurgery/linux.shtml

Windows users should look at http://www.wireless.bham.ac.uk/Certs.htm





Terminology

When I write that something should be done "as super-user" or "as root" these are equivalent. You are advised to edit your /etc/sudoers file to enable you to use the 'sudo' command to avoid having to become super-user when you follow the instructions below. However, that topic lies beyond the scope of this file. Here is an introductory overview to 'sudo' and another and another.


Revision notes

13 Nov 2006
1. Started a section for comments from other users.

2. Added information about how to convert the campus wireless certificate for linux.

3. Reorganised this file a bit and extended the table of contents.

21 Aug 2006
Some more small changes clarifying things, including more information about the directory /etc/sysconfig/networking/profiles/.


14 Aug 2006
Various minor improvements and some re-ordering of information.

It turns out that if you run wpa_cli without having the username and password in the config file it does not ask you for them. However, if you use wpa_gui instead of wpa_cli for the interaction, everything works, and if you have not put user name and password in the config file, the graphical tool asks for them. I have edited the scripts and the documentation below accordingly. (Note: you need your university username and password, not your school login name and password.)


13 Aug 2006
Added reminder about switching on wireless card, and information about changing location without restarting.
Added various notes on the files in the tar package and reminders about editing some of them.

Notes on format of this file
1. This is deliberately provided as one long file rather than several short files, so that it is easy to use your browser text search facility to find information. Otherwise you would have to tediously go up and down a tree-structured file system looking for things, as is required on far too many web sites because of the mistaken view that each web page should have only a tiny amount of information (perhaps a good idea in the days when most people used only slow dial-up lines and low resolution displays: but those days are long gone, though obviously very large sites need multiple files).

If you want the effect of several short files showing different bits of information you can reopen this file in a new browser window or tab. (Easy with firefox.) You can do that for all the links below, even though most are links into this file.

2. This file is deliberately loosely formatted. I intensely dislike web sites that dictate how many pixels wide my text display should be. So this web site leaves it to you. If you want longer lines of text make the browser window wider. If you want shorter lines make it narrower. If you change font size the line breaks will adjust accordingly.

Compare fixed width BBC web site, which ignores the user's width preference and wastes screen space on a modern display. Contrast that with what google does and also two of the UK research councils EPSRC and PPARC (though some of the pages fail on this test). Another computer science department avoids these annoying restrictions web sites. Even the Directgov web site does it right, to my surprise, since I expect UK government sites to be very backward.

Unfortunately the School of Computer Science also recently moved to the dreadful 'fixed-width' style, though fortunately not for all its web pages.


Introduction: The Problem

The University of Birmingham has a campus wireless computing service (WIFI) described here, providing a 802.11g (54Mb/s) service, at hotspots depicted here.

Because Information Services decided to go for a maximum security system, it has been very difficult for normal users (especially those with older wireless cards) to connect to it --- e.g. compared with using a hotel, or airport connection, or most connections I have experienced in other universities, e.g. for conferences.

Moreover there is no central support for Linux users, only Windows XP (Service Pack 2) users, and MAC OSX users. However, there are indications on some of the web pages that Linux support will be provided later. In the meantime Linux-users are on their own. So mutual support will be very important.

Because the campus wireless system adopted very new technology for maximum security as soon as it was installed, widely available software and hardware on laptops (not only on Linux) were not yet capable of coping with the requirements, though things have got much better thanks to Linux developments in the last few years.

Because of this, I struggled for over a year before I managed to get to the point where I can reliably connect to the campus wireless network. Using the latest linux tools, I find the connection process described here now works faster and more predictably than my previous attempts to use XP to connect to the wireless service following IS instructions. As explained below, it is also easier to make the connection work by giving a command to run a shell script, instead of laboriously going through the error-prone process of clicking on a sequence of graphical displays as Windows and Mac users have to. (However, if you are a linux user and prefer doing that, follow the 'wicd' link.)

NOTE:
My experience is based on using a Dell Latitude D610 laptop computer, with Intel IPW2200 integrated wireless card, now running Fedora Core 5, automatically updated to kernel 2.6.17-1.2157_FC5 after installation (later upgraded by me to 2.6.17-1.2174_1.rhfc5.cubbi_suspend2 in order to be able to use Software Suspend 2).

If anyone has to modify these instructions for another configuration, I am happy to be informed, provided that I get enough information to specify exactly what text I should insert or modify.

This overview may include mistakes or recommend methods that are inferior to some alternatives. So please suggest improvements. I'll be happy to add them to this file.

For the sake of completeness (and comparison) I provide pointers to information on the Bham IS web site for Windows XP and Mac OSX users, at the end of this file.

The rest of this file gives information for Linux users wishing to copy my method. I have tried to cover a lot of details that may be useful for people who are not familiar with the processes of accessing different wireless networks. Some of this will not be needed for experts (but I'd be grateful if some of them check for errors or infelicities). A starting point for Linux experts who already have wpa_supplicant installed is provided in the table of contents.


Preliminary considerations and requirements
You will need to have

Switching networking profiles

Switching network profiles is handled via graphical tools available in recent versions of linux based on wicd. If you prefer that method follow these instructions.

The following notes explain how I do it using shell scripts, which provide more fine-grained control, e.g. allowing different firewalls in different contexts.

Different 'network profiles' may be required for connecting to different wireless or wired networks. Each profile records the contents of certain files used by the network software, including the files listed above, especially:
    /etc/hosts
    /etc/resolv.conf
    /etc/sysconfig/network
    /etc/sysconfig/network-scripts/ifcfg-eth0
    /etc/sysconfig/network-scripts/ifcfg-eth1

and possibly if you are using a new linux system:

    /etc/sysconfig/network-scripts/keys-eth1
Note that unlike my system described below, this does not cater for a firewall configuration to be associated with a network profile.

If you already have more than one networking profile you can probably use the mechanisms you are familiar with, perhaps storing different profiles as sub-directories of

    /etc/sysconfig/networking/profiles/
Then switching between profiles involves running tools that copy those files to their appropriate locations (possibly after saving the 'current' profile). If you use such a system make sure you cover all the details given here.

My own 'home-grown' mechanism for handling different networking profiles for different contexts (developed before I knew about the above profiles directory) makes use of subdirectories.

E.g. in each of the directories containing files that need to change (/etc, /etc/sysconfig, /etc/sysconfig/network-scripts) I use one sub-directory for each profile, containing the files needed for that profile, e.g. directories called 'home/' 'school/' 'uob/' 'remote/'. The last one is for hotels, airports, etc. that simply allow a dhcp connection without any key etc.

Then activating a profile simply involves copying the files from each of the relevant subdirectories for that profile into its superdirectory, as is done in this script netuob.

For example I have the following directories containing files for use when my laptop is at home.

    /etc/home
    /etc/sysconfig/home
    /etc/sysconfig/network-scripts/home
and the following for use when my laptop is connected to the Bham wireless network:
    /etc/uob
    /etc/sysconfig/uob
    /etc/sysconfig/network-scripts/uob
So after travelling, I get home and reconnect by running a script that does this as root (it could be compacted to a loop), which re-sets all the static addresses, re-inserts names of other machines in the /etc/hosts file, and restarts the network.
    service network stop

    cd /etc
    cp -p home/* .

    cd /etc/sysconfig/
    cp -p home/* .

    cd /etc/sysconfig/network-scripts/
    cp -p home/* .

    ## restart firewall
    service iptables restart

    ## restart network
    service network start

    ## Start the wpa_supplicant service with a 5 second delay
    ## this uses /etc/sysconfig/wpa_supplicant
    (sleep 5; service wpa_supplicant start) &

    ## Now immediately restart eth1 and let it wait for wpa_supplicant

    dhclient eth1
Similar commands can be given with 'home' replaced by one of 'school' 'uob' 'remote' etc. Obviously this can be done by a script that takes the profile name as an argument.
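
The same script written as a loop that takes the profile name as its argument, as an added example that is not the netuob script or any other script from this site. The function names and the optional ROOT prefix (for trying it on a scratch tree) are inventions of this example; because it runs as root, the profile name is validated before anything is copied.

```shell
#!/bin/sh
# Added example: profile switching as a loop, with the profile name as argument.
# Usage (as root), assuming it is saved as netprofile.sh:  sh netprofile.sh uob

PROFILE_DIRS="/etc /etc/sysconfig /etc/sysconfig/network-scripts"

# activate_profile PROFILE [ROOT]
# Copies PROFILE's files up into each directory in PROFILE_DIRS.
# Returns 0 on success, 1 if a copy fails, 2 for a rejected name,
# 3 if the profile is missing from any of the directories.
activate_profile() {
    profile=$1
    root=${2:-}

    # Accept plain names only, so '/' and '..' can never reach cp.
    case "$profile" in
        ''|*[!A-Za-z0-9_-]*)
            echo "rejected profile name: '$profile'" >&2
            return 2 ;;
    esac

    # Pass 1: each directory must contain a real (non-symlink) sub-directory
    # for this profile, so a half-defined profile changes nothing.
    for pdir in $PROFILE_DIRS; do
        src="$root$pdir/$profile"
        if [ -L "$src" ] || [ ! -d "$src" ]; then
            echo "profile '$profile' has no directory $src" >&2
            return 3
        fi
    done

    # Pass 2: copy regular files up one level. cp -p keeps modes, so a
    # keys-XXXX file stored owner-only in the profile stays owner-only.
    for pdir in $PROFILE_DIRS; do
        for f in "$root$pdir/$profile"/*; do
            if [ -f "$f" ] && [ ! -L "$f" ]; then
                cp -p "$f" "$root$pdir/" || return 1
            fi
        done
    done
    return 0
}

# The full sequence from the script above, for one profile.
switch_profile() {
    service network stop
    if ! activate_profile "$1"; then
        service network start      # bring the network back up and give up
        return 1
    fi
    service iptables restart
    service network start
    # Start wpa_supplicant after a 5 second delay, then let dhclient wait for it
    (sleep 5; service wpa_supplicant start) &
    dhclient eth1
}

# Switch when called with a profile name; do nothing when only loaded.
if [ $# -eq 1 ]; then
    switch_profile "$1"
fi
```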


EXPERTS CAN START HERE
For Linux experts. If you don't already have wpa_supplicant you can probably get a package for your linux distribution. E.g. one of these commands should suffice
Fedora:
    yum install wpa_supplicant
Ubuntu:
    apt-get install wpasupplicant
etc
    ....
As a last resort, get it from http://hostap.epitest.fi/wpa_supplicant/

There are instructions for compiling and installing in the tar files. You should make sure you install wpa_supplicant, wpa_cli and, if you want a graphical interface, wpa_gui (this allows you to avoid putting username and password in the wpa_supplicant.conf file).

If you are a visitor to Birmingham using the "eduroam" service you'll need to replace "UOBWLAN" with "eduroam" in all the files provided. (Later I'll provide a set of files for visitors.) Alternatively use the wicd configuration tool if you have it. Users of the eduroam service should probably read the details above.


Fetch and install files for use with Bham Wireless network


Testing the system

Make sure you have backed up over-writeable files
Double check that you have done everything as above, including backing up all the files that will be overwritten, as explained here, and checking and if necessary editing the script 'netuob' described above.

Find a hot spot
Find a location on campus close to an access point, for testing. Possible locations are shown here. A good place is the basement of the building opposite Computer Science.

Start up and switch on wireless card
Start the computer. Make sure your wireless hardware is switched on. E.g. on the Dell D610 and others like it use FN+F2.
(People have reported problems because they forgot to turn this on.)

Start an xterm or your preferred console (command line) window into which you can type commands. Become super-user ('su root' or use sudo for the following). Check that your wireless card is on:

    iwconfig eth1

The 'iwconfig' command will include 'radio off' in its output if the hardware is turned off.

Run the 'netuob' script (i.e. /usr/local/bin/netuob)
Run the 'netuob' script (after you have checked and possibly edited it, as described above).

Alternatively, if you prefer, go through all its commands yourself.

This script (if you have not edited it) will

If you have run wpa_gui, it will create a panel showing what is going on. The panel will indicate when the connection has been made by showing an IP address along with the other information displayed. The IP address will come last.
You can then try to get your web browser to connect to http://www.bham.ac.uk/

If that works, all is well.

If you cannot connect, use the browser configuration facility to make sure that it is not set up to use a different connection, e.g. for your home network. It may be that in your browser you have set the 'connection' option to go through the School's proxy server. If so, change it to use 'direct connection to internet'.

E.g. if you use 'Firefox' go to 'edit' then 'preferences'. Select the 'General' tab. Then select 'Connection settings'. Then select 'Direct connection to the internet'. Then close the preferences panels.

If the connection is working you should also be able to use external links, e.g. news.bbc.co.uk, and you should be able to use 'ssh' to log in to a server in the School of Computer Science as you would from home.


Interacting with wpa_cli (Command Line Interface)
The printout that I get after starting up is shown in this file:
http://www.cs.bham.ac.uk/~axs/laptop/wpa/cli_out

You may find it useful to save a copy on your machine to compare with the output you get.

As the output file shows, after getting [OK] I typed 'status', and it printed out the following:

    bssid=00:0c:db:8b:84:40
    ssid=UOBWLAN
    pairwise_cipher=TKIP
    group_cipher=WEP-40
    key_mgmt=WPA/IEEE 802.1X/EAP
    wpa_state=COMPLETED
    ip_address=192.168.30.87
    Supplicant PAE state=AUTHENTICATED
    suppPortStatus=Authorized
    EAP state=SUCCESS
    selectedMethod=25 (EAP-PEAP)
    EAP TLS cipher=RC4-MD5
    EAP-PEAPv0 Phase2 method=MSCHAPV2

If you press the RETURN key you should get this prompt from wpa_cli

    >
You can type 'status' and it will indicate what the current state of the connection is, in the format shown above.

It should include an IP address of the form 192.168.xxx.yyy

If there is no IP address after a minute or two, type 'reassociate' and wait and see what happens.

The man file for wpa_cli gives more information, or you can type 'help' to the running process.
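The checks described above (state, port status, IP address) can be scripted. The following is an added example, not part of the original page: it parses the 'status' output and also flags the legacy ciphers visible in the printout above (TKIP, WEP-40, RC4-MD5). The function names are assumptions; the sample input is the status output quoted on this page.

```shell
#!/bin/sh
# Added example, not part of the original page.

# The status output quoted on this page, used as sample input.
sample_status() {
cat <<'EOF'
bssid=00:0c:db:8b:84:40
ssid=UOBWLAN
pairwise_cipher=TKIP
group_cipher=WEP-40
key_mgmt=WPA/IEEE 802.1X/EAP
wpa_state=COMPLETED
ip_address=192.168.30.87
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=25 (EAP-PEAP)
EAP TLS cipher=RC4-MD5
EAP-PEAPv0 Phase2 method=MSCHAPV2
EOF
}

# audit_status: read "wpa_cli status" output on stdin.
# Prints FAIL lines for an incomplete connection and WEAK lines for
# legacy ciphers; returns 1 if any FAIL line was printed, else 0.
audit_status() {
    awk '
    {   # split on the first "=" only: keys may contain spaces
        i = index($0, "=")
        if (i > 1) kv[substr($0, 1, i - 1)] = substr($0, i + 1)
    }
    END {
        fail = 0
        if (kv["wpa_state"] != "COMPLETED") {
            print "FAIL wpa_state=" kv["wpa_state"]; fail = 1 }
        if (kv["suppPortStatus"] != "Authorized") {
            print "FAIL suppPortStatus=" kv["suppPortStatus"]; fail = 1 }
        if (kv["ip_address"] == "") {
            print "FAIL no ip_address (no DHCP lease yet)"; fail = 1 }
        # WEP and TKIP are deprecated; RC4, MD5, DES, NULL and export
        # suites are weak choices for the EAP TLS tunnel
        if (kv["pairwise_cipher"] ~ /WEP|TKIP/)
            print "WEAK pairwise_cipher=" kv["pairwise_cipher"]
        if (kv["group_cipher"] ~ /WEP|TKIP/)
            print "WEAK group_cipher=" kv["group_cipher"]
        if (kv["EAP TLS cipher"] ~ /RC4|MD5|DES|NULL|EXP/)
            print "WEAK EAP TLS cipher=" kv["EAP TLS cipher"]
        exit fail
    }'
}
```

For a live check, run `wpa_cli -i eth1 status | audit_status` as root; lines without an '=' (such as the interface banner) are ignored.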


Interacting with wpa_gui (Graphical Interface)
There are some screenshots showing how the wpa_gui can appear (depending on your window manager) here. The display is shown prior to completion of the connection: the IP address has not been provided yet.

Another example, with completed connection is shown here

Of course, if you use it to connect to the Bham wireless service the contents will be different, and will correspond to the output of the 'status' command given to wpa_cli, shown above.

If you are a KDE user you may wish to consider this

If you are having trouble there are many online forums including this and its latest page (as of 14 Aug 2006) here.


Moving to a new location on campus without re-starting

I found that if I moved to another 'hot spot' (e.g. from one level of the Learning Centre to another, or to the School of Biosciences, or to Staff House), while leaving my laptop running, the connection was lost, but it could be regained without repeating the whole start-up rigmarole, simply by typing 'reassociate' to the wpa_cli prompt, as long as everything else has been left running.

Sometimes I find that after I move to a new location it reassociates automatically if I wait a short time, keeping the same IP address.

I have also found that if I put my computer to sleep using 'Software Suspend' (suspend to disc), then when it wakes up the wireless connection still works: it does not need to be re-started. I don't know how long a time gap this will tolerate.

On Fedora Core 5, the command to suspend to disc is 'pm-hibernate', requiring super-user privileges. If you have installed SWSUSP2 (as I recommend) then the command is 'hibernate'.

(In FC 5 there is also a command to suspend to RAM, 'pm-suspend' which worked before I got my Intel wireless card working, but stopped working thereafter. However 'hibernate' is not much slower, and far more robust.)


Comments from other users



The Bham Campus Wireless Service: Information for Windows and Mac Users

General Information and Conditions of use.

[NOTE Added 17 Apr 2007: Several of these links now produce random effects.
The University has yet again (like many others) reorganised its web pages in such a way as to clobber bookmarks. I'll try to fix the links soon.]

Finding out how to use the campus wireless network on Windows or Mac requires looking at these web pages:

http://www.wireless.bham.ac.uk/index.shtml
Overview of campus wireless network service.

http://www.wireless.bham.ac.uk/start/
The 'Getting Started' web site, which will eventually lead you through all the following:

Configuring Wireless Access on Windows XP (SP2), Mac OSX and Linux
The Linux link is to this page.


Other resources on campus

(To be extended)


Maintained by Aaron Sloman
School of Computer Science
The University of Birmingham