wpa_supplicant is a cross-platform WPA Supplicant with support for WPA and WPA2 (IEEE 802.11i/RSN (Robust Secure Network)). It is suitable for desktops, laptops and embedded systems.
wpa_supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.
Install wpa_supplicant from the official repositories.
Optionally, wpa_supplicant_gui can be installed which provides wpa_gui; a graphical frontend for wpa_supplicant using the qt4 toolkit.
wpa_cli is a command line tool which can be used to interactively configure wpa_supplicant in order to associate with a wireless access point (WAP). In order to use wpa_cli, a control interface must be specified for wpa_supplicant. Do this by creating a config file containing ctrl_interface=/run/wpa_supplicant. Refer to wpa_supplicant.conf(5) and the example file /etc/wpa_supplicant/wpa_supplicant.conf for details.
Start wpa_supplicant with wpa_supplicant -B -i _interface_ -c _/path/to/config_.
|
Tip
|
To discover your wireless network interface name, issue the ip link command. |
Invoke wpa_cli with no arguments to get an interactive prompt (>). The prompt has tab completion and descriptions of completed commands. The command scan initiates a scan; a notification is issued when the scan is complete. Then:
> scan_results bssid / frequency / signal level / flags / ssid 00:00:00:00:00:00 2462 -49 [WPA2-PSK-CCMP][ESS] MYSSID 11:11:11:11:11:11 2437 -64 [WPA2-PSK-CCMP][ESS] ANOTHERSSID
To associate with MYSSID, tell wpa_supplicant about it. Each network is indexed numerically, so the first network will have index zero. The PSK can be provided without quotes as an alternative to providing the passphrase in this example, and computed with wpa_passphrase.
> add_network 0 > set_network 0 ssid "MYSSID" > set_network 0 psk "passphrase" > enable_network 0 <2>CTRL-EVENT-CONNECTED - Connection to 00:00:00:00:00:00 completed (reauth) [id=0 id_str=]
To enable saving changes made using wpa_cli, the setting update_config must be enabled. To save this network in the configuration file,
> set update_config 1 OK > save_config OK
Now that association with the WAP is complete, obtain an IP address by setting it manually with the iproute2 suite or some networking program, like systemd-networkd or dhcpcd.
wpa_supplicant provides a reference configuration file located at /etc/wpa_supplicant/wpa_supplicant.conf containing detailed documentation for the all available options and their utilisation.
In its simplest form, a configuration file requires only a network block. This can easily be generated using the wpa_passphrase tool. For example:
$ wpa_passphrase essid passphrase
network={
ssid="essid"
#psk="passphrase"
psk=f5d1c49e15e679bebe385c37648d4141bc5c9297796a8a185d7bc5ac62f954e3
}
Now both wpa_supplicant and wpa_passphrase can be combined to associate with almost all WPA2 (Personal) networks:
# wpa_supplicant -B -i wlp2s0 -c <(wpa_passphrase essid passphrase)
# dhcpcd wlp2s0
|
Warning
|
If dhcpcd is invoked without specifying an interface, it will bind to all interfaces it can find. During booting, this introduces a race with udev, where dhcpcd may prevent udev from renaming interfaces. |
As discussed above, wpa_passphrase is useful for generating a basic configuration to which additional networks and options can be added. This may be necessary for more advanced wireless networks employing extensive use of EAP. For networks of varying complexity, please study the examples provided in the default /etc/wpa_supplicant/wpa_supplicant.conf file.
Two pieces of configuration are key. First, use wpa_passphrase to create a basic configuration file.
# wpa_passphrase essid passphrase > /etc/wpa_supplicant/foobar.conf
|
Tip
|
Some unusually complex passphrases may require input from a file: wpa_passphrase essid < passphrase.txt > /etc/wpa_supplicant/foobar.conf |
Next, add a ctrl_interface so that wpa_cli can be used to control the wpa_supplicant daemon. Either by using wpa_cli interactively or manually adding update_config=1 to the config file, changes to foobar.conf can be saved. Ultimately, the configuration should resemble:
# /etc/wpa_supplicant/foobar.conf
ctrl_interface=DIR=/run/wpa_supplicant GROUP=wheel
update_config=1
network={
ssid="foobarssid"
psk=f5d1c49e15e679bebe385c37648d4141bc5c9297796a8a185d7bc5ac62f954e3
}
Multiple network blocks may be appended to this configuration. To connect to the configured wireless network, simply run the following:
# wpa_supplicant -B -D nl80211 -i wlp2s0 -c /etc/wpa_supplicant/foobar.conf # dhcpcd -A wlp2s0
|
Note
|
nl80211 is preferred over the deprecated wext driver. For a list of supported drivers see the output of wpa_supplicant -h. |
It is likely that wpa_supplicant@.service will have to be modified so that it will read the desired configuration file. To override the ExecStart= line, create the following file:
# /etc/systemd/system/wpa_supplicant@.service.d/foo.conf [Service] ExecStart= ExecStart=/usr/bin/wpa_supplicant -c/etc/wpa_supplicant/bar.conf -i%i
Then enable wireless at boot, enable wpa_supplicant@ on a particular wireless interface:
# systemctl enable wpa_supplicant@wlp2s0
The supplicant handles assocation to and roaming between all the networks in its configuration file.
holomorph: Thanks for all your help last Saturday with
systemd-networkd and wpa_supplicant. I came across some useful
information about connecting to an SSID that doesn't have password
authentication. It seems important, so I updated the Archwiki, but I
think your gist can use the update as well. You can find it here,
starting at the line "If the SSID does not have password
authentication":
https://wiki.archlinux.org/index.php/WPA_supplicant#Connecting_with_wpa_cli