Wednesday, March 11, 2009

WPA support in Debian Sarge/Etch/Lenny

What is WPA?

Wi-Fi Protected Access is a wireless encryption standard and alternative to "Wired Equivalent Privacy" (WEP). In order to secure your wireless network you need a WPA enabled access point and a supplicant, like wpa_supplicant, installed on your computer.

wpa_supplicant in Debian 3.1 (Sarge)

In Sarge, the wpasupplicant package was configured as a system service. This means that you had to edit wpa_supplicant parameters like the interface to be managed, the driver backend to use in /etc/default/wpasupplicant and provide a suitable /etc/wpa_supplicant.conf yourself.

Debian Sarge includes wpa_supplicant 0.3.8. This branch is currently still supported by upstream, but the recommended branch is the 0.5.x one. You can get an updated package from Debian Backports. Please note that the package from is based on the 'Etch' package, so please read the notes below.

wpa_supplicant in Debian 4.0 (Etch)

Debian Etch includes wpa_supplicant 0.5.5.

In Etch, the system service /etc/init.d/wpasupplicant was dropped. The Debian package provides integration to /etc/network/interfaces just like the wireless-tools package. This means the wpasupplicant package no longer provides the wpasupplicant system service itself!

For information how to configure wpa_supplicant, please refer to README.modes, which gives /etc/network/interfaces configuration examples. Usage examples can also be seen in WiFi/HowToUse.

Upgrade Issues

MadWifi users beware!

The wpasupplicant package in Debian 4.0 only supports the so-called "madwifi-ng" version of MadWifi. Please read NEWS for information on how to enable support for madwifi-old.

Please also visit WiFi/ath_pci for information on how to obtain the new MadWifi drivers. For driver installation support, you can ask for assistance in #debian (see IRC) or on the debian-user mailing list.

Upgrading wpasupplicant from a package version <0.4.8-1>

This will happen unless:

  1. You are not using the init script and

  2. You are not using /etc/wpa_supplicant.conf.

You are required to configure /etc/network/interfaces to restore wpa_supplicant functionality. Please see wpa_supplicant in Debian 4.0 (Etch) above.

wpa_supplicant in Debian 5.0 (Lenny)

Debian Lenny includes wpa_supplicant version 0.6.4.

The hostap, madwifi and test wpa_supplicant driver backends are no longer provided in the wpasupplicant package (see the package changelog). As the hostap and madwifi drivers support Linux wireless extensions, any wpa-driver foo references in /etc/network/interfaces should be changed to wpa-driver wext or omitted entirely (the wext driver backend is used by default if not specified).

Information on wpa_supplicant's modes of operation was also moved to README.Debian, which provides /etc/network/interfaces configuration examples. Usage examples can also be seen in WiFi/HowToUse.


We want to improve WPA secured networking and location roaming support in Debian. The system service makes it hard to integrate support for packages like NetworkManager, which start instances of wpa_supplicant themselves. We no longer bother with the system service approach in the basic package itself, but delegate this task to more specialised packages. Therefore the wpasupplicant package provides only basic integration for easy (read: non roaming) cases.

Moreover this approach makes it easier to support more than one interface: just configure them in /etc/network/interfaces.

But I want to use the roaming feature of wpa_supplicant!

wpa_supplicant can be used as a roaming daemon and you have two options to exploit this possibility:

1) Having /etc/network/interfaces handle wpa_supplicant's networks (Etch, Lenny)

Within wpa_supplicant.conf, you can assign a value to the 'str_id' variable for each network={...} block in order to uniquely identify each network. Once this is done the value of this variable can then be used within /etc/network/interfaces to have each wpa_supplicant network activated/configured automatically. If the 'str_id' variable is not explicitly defined for a given network in wpa_supplicant.conf then the variable defaults to 'default'.

The following line specified in /etc/network/interfaces will activate and configure each 'default' network in wpa_supplicant.conf with DHCP upon a successful connection to an access point:

iface default inet dhcp

See README.modes (Etch), README.Debian (Lenny) or for more information.

2) Use it as system service and make ifplugd to "activate the interface"

ifplugd has support for wireless networking: Whenever an association to an AP is detected the network will be configured using ifupdown. This approach assumes that wpa_supplicant runs as a system service and ifupdown can safely activate a network alias. For detecting the 'correct' alias you can use the guessnet package.


Refer to the Debian Package Tracking System.

You can join development discussions in our mailing list, where we discuss bugs and future developments.

See Also

External Links - wpa_supplicant homepage

No comments: