How to do WPA encryption between Linksys WRT54G and WMP54G on Linux

It worked for me (TM) on 2003-12-16.
  1. Configure your Linksys WRT54G Access Point so that it does not use encryption at all.
  2. Download WLAN DriverLoader version 1.52 (more recent versions are assumed to work) from Linuxant.
  3. Install and configure DriverLoader: You can use this .inf file and this .sys file for the Windows driver (released on 07/17/2003, version 3.30.15.0) that I found on the CD that came with the Linksys WMP54G NIC. Get an evaluation license for now. Verify your NIC works properly. If it does not, get some help on the Linuxant mailing list.
  4. Configure your Access Point so that it uses state of the art encryption: WPA with Pre-Shared Key authentication (also called WPA-Personal) and AES encryption (also called WPA-CCMP or WPA2). Make a mental note of your SSID in the Basic Wireless Settings. For the Wireless Security, I made up the 111...111 secret, but you should use 32 bytes of secret that are really random. My preferred method to generate the secret on Linux is: dd if=/dev/random bs=32 count=1 2>/dev/null | od -An -tx1 then remove all spaces and newlines... Make sure "Wireless SSID Broadcast" is set to "Enable", because that will be required later. Disabling the SSID broadcast or filtering on MAC addresses only provide weak bandwidth/privacy protection anyway, and you are setting up the way stronger WPA encryption which guarantees that only somebody who knows the secret can interact with your Access Point. Note from the screenshots that my Access Point uses version 1.42.3 of the firmware.
  5. Get the binary of the WPA Supplicant daemon. If you trust me, you can download a binary I built (I downloaded wpa_supplicant-lnxt2003121400.tar.gz from Linuxant, compiled with gcc 3.3.3, linked statically against libdnet 1.7, you will need to have libpcap.so.0.7 in order to run it). If you don't trust me, you can build your own from source:

    tar -xvzopf wpa_supplicant-lnxt2003121400.tar.gz
    cd wpa_supplicant-lnxt2003121400
    make
    

    On Debian unstable, it is confusing to do so, because there is already a package called libdnet (for DECnet) but that is not the same libdnet the daemon needs, so you need to download and build the libdnet the daemon wants from source first:

    tar -xvzopf libdnet-1.7.tar.gz
    cd libdnet-1.7
    ./configure --prefix=/opt/libdnet-1.7 --exec-prefix=/opt/libdnet-1.7
    make
    su
    make install
    ln -s /opt/libdnet-1.7/include/dnet.h /usr/include/dnet.h
    ln -s /opt/libdnet-1.7/include/dnet /usr/include/dnet
    ln -s /opt/libdnet-1.7/lib/libdnet.a /usr/lib/libdnet.a
    exit
    

  6. Download the configuration file for the daemon. Modify it to use the same SSID and secret as in your Access Point configuration.
  7. Run the daemon as root. Initially, to see what is going on, you should use this command line:
    ./wpa_supplicant -i<Your wireless NIC> -cwpa_supplicant.conf
    
    where <Your wireless NIC> is eth0 for example. Note that the daemon needs 3 things to work:

    1. You must run a kernel that supports wireless extensions version 15 (more recent versions are assumed to work), you can check the version by looking at include/linux/wireless.h in your kernel source tree. I use kernel version 2.4.22
    2. Your wireless NIC must be UP (but does not need to have an IP configuration). You can ensure that with ifconfig <Your wireless NIC> up
    3. Your Access Point must broadcast its SSID.
    The output you should expect is:
    Trying to associate with <MAC address of your Access Point> (SSID='<Your SSID>' freq=2437 MHz)
    WPA key negotiation completed with <MAC address of your Access Point>
    
    If that is the case, then you should now be able to run the daemon truly in daemon mode, i.e. with the -B option (if that didn't work, you might want to look at a more verbose output by using the -dd option). Note that the daemon must continue to run even after the negociation completed.
  8. Give its IP configuration to your wireless NIC, and fire a web browser to ...
  9. ... send 20 US dollars to Linuxant to buy a permanent license. They did an excellent job, they deserve it. But tell them to polish their documentation :)

Regis "HPReg" Duchesne