Fedora 8/9 NetworkManager IWL3945 Update

Bill Moss
June 8, 2008

Content

Current Packages
NetworkManager Overview
NetworkManager Issues
Recommendations, What Works
WPA Enterprise Configuration
scan_ssid and ap_scan
NetworkManager-vpnc
Fedora 9 T42

Introduction. The purpose of this update is to report on the operation of NetworkManager and iwl3945 under Fedora 8/9 x86_64 on a Clemson Laptop Program Lenovo T61 which has the following features:

We will report on the current Clemson security setup using WEP and on the new WPA Enterprise setup. Because of a change in the X API, stable nvidia drivers are not yet available for F9, so we continue to report on F8 for the T61. We also report that F9 works well on a Clemson T42 using the ipw2200 driver.

Current Packages. We report on an up-to-date F8 installation plus the latest NetworkManager rpms from http://koji.fedoraproject.org/koji/ and the latest nvidia drivers from livna:

  kernel-2.6.25.4-10.fc8.x86_64
  NetworkManager-0.7.0-0.6.9.svn3675.fc8.x86_64
  NetworkManager-gnome-0.7.0-0.6.9.svn3675.fc8.x86_64
  NetworkManager-glib-0.7.0-0.6.9.svn3675.fc8.x86_64
  NetworkManager-vpnc-0.7.0-0.7.7.svn3627.fc8.x86_64
  vpnc-0.5.1-2.fc8.x86_64
  kmod-nvidia-2.6.25.4-10.fc8-173.14.05-2.lvn8.x86_64
  xorg-x11-drv-nvidia-173.14.05-1.lvn8.x86_64
  xorg-x11-drv-nvidia-libs-173.14.05-1.lvn8.x86_64
  kmod-nvidia-173.14.05-2.lvn8.x86_64
  
  Starting with 2.6.24.5-85.fc8 the kernel includes these three patches    
  [patch 1] linux-wireless, iwlwifi: fix bug to show hidden APs during scan 
  [patch 2] linux-wireless, mac80211: fix hardware scan completion
  [patch 3] linux-wireless, mac80211: fix no scan results after deconfigure

Patch 1 makes hidden access points visible to an indirect scan (not by SSID). Patch 2 ensures that the Fedora ifup script will successfully connect at boot or after an iwl3945 module reload. Patch 3 ensures that an indirect scan produces results after the wireless interface has been deconfigured.

By using compat-wireless, the most up-to-date wireless drivers can be hacked and built without building a kernel if you want to experiment with wireless drivers.

  http://linuxwireless.org/en/users/Download#DownloadlatestLinuxwirelessdrivers

NetworkManager Overview

(a) NetworkManager stores access point connection data (NM stored AP list) for each access point that it has successfully connected to. When NetworkManager starts, it directs the wireless driver to scan about every 20 seconds, and produces a list of scanned access points (NM scanned AP list). NetworkManager then creates a dynamic access point list (NM available AP list) consisting of access points that are in both the NM stored AP list and the NM scanned AP list. Comparisons are made by SSID and BSSID so that the NM available AP list can contain hidden access points.

(b) NetworkManager uses wpa_supplicant to connect to the access point in the NM available AP list that was most recently connected to. Depending on driver capabilities, wpa_supplicant may direct the wireless driver to do a scan by SSID. In particular, this is usually required to make a connection to a hidden access point.

(c) Once a connection has been made, NetworkManager directs the wireless driver (B/G only) to scan every two minutes and NetworkManager uses these scan results to keep the NM available AP list up-to-date.

(d) A NetworkManager resume from suspend is essentially a NetworkManager restart. NetworkManager scans, creates an NM available AP list, and associates with the available access point that was most recently connected to.

To be compatible with NetworkManager, a wireless driver must support the wireless extensions, must be able to scan both broadcast and hidden access points, and must be able to connect to broadcast and hidden access points using wpa_supplicant.

The iwlwifi drivers support both hardware and software scanning. Currently, hardware scanning is faster and more reliable and so is recommended for use with NetworkManager. Hardware scanning is currently the default for iwlwifi. This report discusses hardware scanning only.

  /etc/modprobe.conf
  
  alias wlan0 iwl3945
  options iwl3945 disable_hw_scan=0  <-- default, enables hardware scanning
  OR
  options iwl3945 disable_hw_scan=1  <-- enables software scanning

The command 'iwlist wlan0 scan' produces what iwlwifi calls an indirect scan. The command 'iwlist wlan0 scan essid my_ssid' produces what iwlwifi calls a direct scan, which is also called a scan by ssid. There are two additional terms, active and passive, that are commonly used to describe scans.

During a passive scan, the driver listens for an access point beacon on each supported channel. The driver then extracts data from each received beacon frame. A passive scan can detect the presence of access points that have a hidden ssid.

During an active scan, the driver sends a probe request frame on each supported channel to solicit a probe response frame from an access point with a specified ssid. Hidden access points are not generally visible to an active scan.

It is reported that there are newer access points which will respond to an active scan with no ssid specified, but to be successful across all access points currently in use, an indirect scan must be a passive scan on all supported channels. This is the issue that was addressed by Patch 1 above.

NetworkManager Issues. Updated kernels with the nvidia drivers from livna can suspend/resume without using any HAL quirks (see F8 Binary NVIDIA Suspend). When started with ifup, the iwl3945 module does not generally resume cleanly. It will often resume in a state where iwconfig shows SSID, BSSID, and security set, and Link Quality, Signal level, and Noise level all equal to 0. Also, dhclient is running and ifconfig shows that the wlan0 interface is up and has an IP address. The wlan0 interface will not transmit or receive packets, and your laptop may become sluggish or freeze. If you kill dhclient, the sluggishness goes away and a connection can again be set up using ifup. Suspend/resume for mac80211 drivers is a work in progress (see linux-wireless mailing list). At this point in time, it is probably best to put iwl3945 in the suspend modules list. Then ifup can be used to make a connection after a resume. Reloading the iwl3945 module during a resume is consistent with NetworkManager's design and will cause no problems.

  /etc/pm/config.d/unload_modules
  
  SUSPEND_MODULES="ehci_hcd ohci_hcd uhci_hcd iwl3945"

The NetworkManager context menu checkbox 'Enable Networking' is designed to shut down all network interfaces when not needed, for example during travel. Unchecking the box executes NetworkManager's sleep code, which clears the NM available AP list. Checking the box executes NetworkManager's resume code. Currently, it takes NetworkManager about 45 seconds to establish a connection. This connection time can be reduced to about 15 seconds by patching mac80211 so that reauthentication is not attempted when no ssid is specified. This eliminates iwl3945/mac80211-initiated scans that are unnecessary and confuse NetworkManager.

Recommendations, What Works. First, use the default hardware scanning. Software scanning is still plagued by random disassociations; dmesg shows 'No probe response' error messages and the driver incorrectly thinks that the access point has moved out of range.

Second, avoid hidden access points if you can. Microsoft and Cisco have been saying this for years. It has taken 5 years of discussion but Clemson is finally moving in this direction.

Third, put the iwl3945 module in the suspend modules list.

The following table indicates what is working. Connections are attempted with static WEP starting from boot.

iwl3945 with hardware scanning enabled

  broadcast/hidden | indirect scan shows  | ifup wlan0 after boot | indirect scan after | wpa_supplicant         | NetworkManager
                   | hidden access points | or module reload      | wlan0 deconfigured  | ap_scan=1, scan_ssid=1 | connection at boot
  -----------------+----------------------+-----------------------+---------------------+------------------------+-------------------
  broadcast        | yes                  | yes, Patch 2          | yes, Patch 3        | yes                    | yes
  hidden           | yes, Patch 1         | yes, Patch 2          | yes, Patch 3        | yes                    | yes

WPA Enterprise Configuration. Clemson will introduce a new WPA Enterprise setup in the summer of 2008. The SSID is tigernet and the SSID will be broadcast.

The Entrust Secure Server CA root certificate which validates the tigernet certificate can be downloaded and installed as follows.

  http://www.entrust.net/developer/index.cfm  --> Download Root Certificates --> Personal Use
      --> Download Certificates --> download entrust_ssl_ca.der
      
  Convert to pem format
  # openssl x509 -inform der -in entrust_ssl_ca.der -out entrust_ssl_ca.pem
  
  Copy entrust_ssl_ca.pem to /etc/pki/tls/certs

Next, we set up the wpa_supplicant configuration.

  wpa_supplicant.conf
  ctrl_interface=/var/run/wpa_supplicant
  ap_scan=1

  network={
        ssid="tigernet"
        scan_ssid=1
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="bmoss"
        password="xxxxxxxx"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
        ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
  }

Finally, we configure NetworkManager.

  Network Name: tigernet
  Wireless Security: WPA & WPA2 Enterprise
  Authentication: Protected EAP (PEAP)
  CA Certificate: /etc/pki/tls/certs/entrust_ssl_ca.pem
  PEAP Version: 0
  Inner Authentication: MSCHAPv2
  User Name: bmoss
  Password: xxxxxxxx
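
Added example (not part of the original article or of wpa_supplicant): a small Python audit for network blocks like the tigernet one in the wpa_supplicant.conf above. It flags WPA-EAP blocks that verify no server certificate, blocks that trust a CA without restricting the server certificate name, and passwords not stored in the hash:<NtPasswordHash> form; the finding names are made up here, and domain_match and domain_suffix_match exist only in newer wpa_supplicant releases.

```python
# Options that restrict which server certificate names are accepted.
NAME_CHECKS = ("subject_match", "altsubject_match",
               "domain_match", "domain_suffix_match")
TLS_METHODS = {"PEAP", "TTLS", "TLS"}   # EAP methods that use a server cert

def parse_networks(conf_text):
    """Return one {option: value} dict per network={ ... } block."""
    networks, current = [], None
    for line in map(str.strip, conf_text.splitlines()):
        if current is None:
            if line == "network={":
                current = {}
        elif line == "}":
            networks.append(current)
            current = None
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit_network(net):
    """Return finding names for one block; an empty list means no finding."""
    # Only blocks that explicitly name WPA-EAP and a TLS-based method are audited.
    methods = set(net.get("eap", "").upper().split())
    if "WPA-EAP" not in net.get("key_mgmt", "").split() or not methods & TLS_METHODS:
        return []
    findings = []
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("server-cert-not-verified")
    elif not any(opt in net for opt in NAME_CHECKS):
        findings.append("any-cert-from-ca-accepted")
    if "password" in net and not net["password"].startswith("hash:"):
        findings.append("cleartext-password")
    return findings

def audit(conf_text):
    return {n.get("ssid", "?"): audit_network(n) for n in parse_networks(conf_text)}

# The article's tigernet block, abridged to the options the audit reads.
PAGE_CONF = """network={
    ssid="tigernet"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="xxxxxxxx"
    ca_cert="/etc/pki/tls/certs/entrust_ssl_ca.pem"
}"""

if __name__ == "__main__":
    print(audit(PAGE_CONF))
```

For the tigernet block it reports any-cert-from-ca-accepted and cleartext-password; a name restriction for the campus authentication server clears the first finding.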

scan_ssid and ap_scan. The iwlwifi drivers and other mac80211 drivers require the wpa_supplicant settings ap_scan=1 and scan_ssid=1 when attempting to connect to a hidden access point with wpa_supplicant or with NetworkManager. These settings can also be used for the broadcast case. Dan Williams has submitted a patch upstream which is scheduled for 2.6.25. Distros can backport to obtain better hidden ssid handling. The kernel will then be able to detect the scan capabilities of wireless drivers. NetworkManager will determine the scan capabilities from the kernel and then set ap_scan and scan_ssid accordingly.

NetworkManager-vpnc. The options for the current version of vpnc have changed. To match this change, NetworkManager-vpnc needs updating. vpnc has a new dead peer detection idle timeout option. This option has a default value of 600 seconds. With this setting, connections to the Clemson VPN server will drop randomly. Until NetworkManager-vpnc allows the user to specify this timeout, the best bet is to change its default value to 0, which will turn off dead peer detection.

  Install vpnc source.
  In the SOURCE directory, edit vpnc-0.5.1-dpd.patch. Change "600" to "0".
  Build and install.

The following table lists the options currently supported by NetworkManager-vpnc, as well as recommendations for updates.

  NM-vpnc options                                      | vpnc.conf options
  -----------------------------------------------------+----------------------------------------------------
  Gateway <ip/hostname>                                | IPSec gateway <ip/hostname>
  Group name <ascii string>                            | IPSec ID <ascii string>
  Group password <ascii string>                        | IPSec secret <ascii string>
  No support, recommended                              | IPSec obfuscated secret <hex string>
  Default username or Override username <ascii string> | Xauth username <ascii string>
  Password <ascii string>                              | Xauth password <ascii string>
  No support, not recommended                          | Xauth obfuscated password <hex string>
  Use domain for authentication <ascii string>         | Domain <ascii string>
  Use Nat keepalive packets and specify interval       | Deprecated
  No support, recommended                              | DPD idle timeout (our side) <0, 10-86400>
  Disable NAT traversal                                | Deprecated
  No support, recommended                              | NAT Traversal Mode <natt/none/force-natt/cisco-udp>
  Enable weak single DES encryption                    | Enable Single DES

Fedora 9 T42. The DVD iso file can be downloaded from the Ga Tech, internet II mirror. This takes about 8 minutes on campus. I installed on my Clemson IBM T42. After installation, the kernel and packages were updated.

gnome-keyring-pam is working again so you do not have to enter your password twice at login. The T42 uses the ipw2200 driver which continues to be updated. NetworkManager passed all tests with this configuration.