28.1 Wireless LAN
Wireless LANs have become an indispensable aspect of mobile
computing. Today, most laptops have built-in WLAN cards.
The 802.11 standard for the wireless communication
of WLAN cards was prepared by the IEEE organization. Originally,
this standard provided for a maximum transmission rate
of 2 MBit/s. Meanwhile, several supplements have been added
to increase the data rate. These supplements define details
such as the modulation, transmission output, and transmission
Table 28-1 Overview of Various WLAN Standards
Outdated; virtually no end devices available
Backward-compatible with 11b
Additionally, there are proprietary standards, like the
802.11b variation of Texas Instruments with a maximum
transmission rate of 22 MBit/s (sometimes referred to as
802.11b+). However, the popularity of cards using this
standard is limited.
802.11 cards are not supported by SUSE® Linux Enterprise. Most cards
using 802.11a, 802.11b, and 802.11g are supported.
New cards usually comply with the 802.11g standard, but
cards using 802.11b are still available. Normally, cards
with the following chips are supported:
A number of older cards that are rarely used and
no longer available are also supported.
An extensive list of WLAN cards and the chips they use is available
at the Web site of AbsoluteValue
Systems at https://www.linux-wlan.org/docs/wlan_adapters.html.gz.
https://wiki.uni-konstanz.de/wiki/bin/view/Wireless/ListeChipsatz provides an
overview of the various WLAN chips.
Some cards need a firmware image that must be loaded into the card when the
driver is initialized. This is the case with , , and
. The firmware can easily be
installed with the YaST Online Update. The firmware for Intel PRO/Wireless
cards ships with SUSE Linux Enterprise and is automatically installed by YaST as
soon as a card of this type is detected. More information about this subject
is available in the installed system in
In wireless networking, various techniques
and configurations are used to ensure fast, high-quality, and secure
connections. Different operating types suit different setups. It can be
difficult to choose the
right authentication method. The available encryption methods have different
advantages and pitfalls.
Basically, wireless networks can be classified as
managed networks and ad-hoc networks. Managed networks
have a managing element: the access point. In this
mode (also referred to as infrastructure mode), all
connections of the WLAN stations in the network run
over the access point, which may also serve as a connection
to an Ethernet. Ad-hoc networks do not have an access point.
The stations communicate directly with each other.
The transmission range and number of participating
stations are greatly limited in ad-hoc networks. Therefore,
an access point is usually more efficient. It is even
possible to use a WLAN card as an access point. Most
cards support this functionality.
Because a wireless network is much easier to intercept and
compromise than a wired network, the various standards
include authentication and encryption methods. In the
original version of the IEEE 802.11 standard, these are described
under the term WEP. However, because WEP has proven to be insecure
(see Security), the WLAN industry
(joined under the name
Wi-Fi Alliance) has defined a new extension
called WPA, which is supposed to eliminate the weaknesses of WEP.
The later IEEE 802.11i standard (also referred to as WPA2, because
WPA is based on a draft version of 802.11i) includes WPA and
some other authentication and encryption methods.
To make sure that only authorized stations can connect,
various authentication mechanisms are used in managed
An open system is a system that does not require
authentication. Any station can join the network.
Nevertheless, WEP encryption (see
can be used.
- Shared Key (according to IEEE 802.11)
In this procedure, the WEP key is used for the
authentication. However, this procedure is not
recommended, because it makes the WEP key more
susceptible to attacks. All an attacker needs
to do is to listen long enough to the communication
between the station and the access point. During
the authentication process, both sides exchange the
same information, once in encrypted form and
once in unencrypted form. This makes it possible for the key to
be reconstructed with suitable tools. Because this
method makes use of the WEP key for the authentication
and for the encryption, it does not enhance the security
of the network. A station that has the correct WEP key
can authenticate, encrypt, and decrypt. A station that
does not have the key cannot decrypt
received packets. Accordingly, it cannot communicate,
regardless of whether it had to authenticate itself.
- WPA-PSK (according to IEEE 802.1x)
WPA-PSK (PSK stands for preshared key) works similarly to the
Shared Key procedure. All participating
stations as well as the access point need the same key.
The key is 256 bits in length and is usually entered as
a passphrase. This system does not need a complex key
management like WPA-EAP and is more suitable for private
use. Therefore, WPA-PSK is sometimes referred to as
- WPA-EAP (according to IEEE 802.1x)
Actually, WPA-EAP is not an authentication system but a
protocol for transporting authentication information.
WPA-EAP is used to protect wireless networks in enterprises.
In private networks, it is scarcely used. For this
reason, WPA-EAP is sometimes referred to as
WPA-EAP needs a RADIUS server to authenticate users. EAP offers three
different methods for connecting and authenticating to the server: TLS
(Transport Layer Security), TTLS (Tunneled Transport Layer Security),
and PEAP (Protected Extensible Authentication Protocol). In a nutshell,
these options work as follows:
TLS authentication relies on the mutual exchange of certificates
both for server and client. First, the server presents its
certificate to the client where it is evaluated. If the certificate
is considered valid, the client in turn presents its certificate to
the server. While TLS is secure, it requires a working certification
management infrastructure in your network. This infrastructure is
rarely found in private networks.
- EAP-TTLS and PEAP
Both TTLS and PEAP are two-stage protocols. In the first stage,
a secure is established and in the second one the client
authentication data is exchanged. They require far less certification
management overhead than TLS, if any.
There are various encryption methods to ensure that no
unauthorized person can read the data packets that are
exchanged in a wireless network or gain access to the network:
- WEP (defined in IEEE 802.11)
This standard makes use of the RC4 encryption algorithm,
originally with a key length of 40 bits, later also with 104 bits.
Often, the length is declared as 64 bits or 128 bits,
depending on whether the 24 bits of the initialization vector
are included. However, this standard has some weaknesses.
Attacks against the keys generated by this system may be successful.
Nevertheless, it is better to use WEP than not encrypt the network
- TKIP (defined in WPA/IEEE 802.11i)
This key management protocol defined in the WPA standard
uses the same encryption algorithm as WEP, but eliminates
its weakness. Because a new key is generated for every data packet,
attacks against these keys are in vain. TKIP is used together
- CCMP (defined in IEEE 802.11i)
CCMP describes the key management. Usually, it is used
in connection with WPA-EAP, but it can also be used with
WPA-PSK. The encryption takes place according to AES and is
stronger than the RC4 encryption of the WEP standard.
28.1.3 Configuration with YaST
To configure your wireless network card, start the
YaST module. Here you can also choose
whether to use YaST or NetworkManager for managing your network card. If you select
select the device type in and click
In , shown in Figure 28-1, make the basic settings for
the WLAN operation:
Figure 28-1 YaST: Configuring the Wireless Network Card
- Operating Mode
A station can be integrated in a WLAN in three different modes. The
suitable mode depends on the network in which to communicate:
(peer-to-peer network without access point),
(network is managed by an access point), or
(your network card should be used as the access
point). To use any of the WPA-PSK or WPA-EAP modes, the operating mode
must be set to .
- Network Name (ESSID)
All stations in a wireless network need the same
ESSID for communicating with each other. If nothing
is specified, the card automatically selects an
access point, which may not be the one you intended
- Authentication Mode
Select a suitable authentication method for your network:
, or . If you select
WPA authentication, a network name must be set.
- Expert Settings
This button opens a dialog for the detailed
configuration of your WLAN connection. A detailed description
of this dialog is provided later.
After completing the basic settings, your station is ready
for deployment in the WLAN.
IMPORTANT: Security in Wireless Networks
Be sure to use one of the supported authentication and
encryption methods to protect your network traffic.
Unencrypted WLAN connections allow third parties to
intercept all network data. Even a weak encryption (WEP)
is better than none at all. Refer to
Security for information.
Depending on the selected authentication method, YaST prompts
you to fine-tune the settings in another dialog. For
, there is nothing to configure,
because this setting implements unencrypted operation without
- Shared Key
Set a key input type. Choose from ,
, or . You may
keep up to four different keys to encrypt the transmitted data. Click
to enter the key configuration
dialog. Set the length of the key: or
. The default setting is . In the list area at the bottom of the dialog, up to four
different keys can be specified for your station to use for the
encryption. Press to define one of
them as the default key. Unless you change this, YaST uses the first
entered key as the default key. If the standard key is deleted, one of
the other keys must be marked manually as the default key. Click
to modify existing list entries or create new
keys. In this case, a pop-up window prompts you to select an input type
( , , or
). If you select
, enter a word or a character string from
which a key is generated according to the length previously specified.
requests an input of 5 characters for a
64-bit key and 13 characters for a 128-bit key. For
, enter 10 characters for a 64-bit key
or 26 characters for a 128-bit key in hexadecimal notation.
To enter a key for WPA-PSK, select the input method
or . In
the mode, the input must be 8 to
63 characters. In the mode,
enter 64 characters.
Enter the credentials you have been given by your network
administrator. For TLS, provide , , and
. TTLS and PEAP require
. and are optional. YaST searches for any certificate
under /etc/cert, so save the certificates given to
you to this location and restrict access to these files to
0600 (owner read and write).
Click to enter the advanced
authentication dialog for your WPA-EAP setup. Select the authentication
method for the second stage of EAP-TTLS or EAP-PEAP communication. If you
selected TTLS in the previous dialog, choose any, MD5, GTC,
MSCHAPv1, or MSCHAPv2. If you selected
PEAP, choose any, MD5,
GTC, or MSCHAPv2. can be used to force the use of a certain PEAP
implementation if the automatically-determined setting does not work for
to leave the
dialog for the basic configuration of the WLAN connection
and enter the expert configuration. The following options are
available in this dialog:
The specification of a channel on which the WLAN
station should work is only needed in and
mode, the card automatically
searches the available channels for access points. In
mode, select one of the 12 offered
channels for the communication of your station with the other
stations. In mode, determine
on which channel your card should offer access point functionality.
The default setting for this option is .
- Bit Rate
Depending on the performance of your network,
you may want to set a certain bit rate for the
transmission from one point to another. In the
default setting , the
system tries to use the highest possible
data transmission rate. Some WLAN cards do not
support the setting of bit rates.
- Access Point
In an environment with several access points,
one of them can be preselected by specifying
the MAC address.
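The key input rules given above for Shared Key (WEP) and WPA-PSK can be checked before a key is typed into the dialog. The following is an added example, not code from YaST or from this documentation; the function names `wep_key` and `wpa_psk` are hypothetical. The passphrase-to-key mapping (PBKDF2-HMAC-SHA1 salted with the ESSID) comes from IEEE 802.11i rather than from this page, and it shows why a network name must be set for WPA authentication.

```python
import hashlib
import string

HEX = set(string.hexdigits)

def wep_key(text, hex_input):
    """Validate a WEP key and return (secret_bytes, advertised_bits).

    ASCII input: 5 or 13 characters; hexadecimal input: 10 or 26 digits.
    The advertised length (64/128) includes the 24-bit initialization
    vector, so the secret part is only 40 or 104 bits.
    """
    if hex_input:
        if len(text) not in (10, 26) or not set(text) <= HEX:
            raise ValueError("hex WEP key must be 10 or 26 hex digits")
        key = bytes.fromhex(text)
    else:
        if len(text) not in (5, 13) or not text.isascii():
            raise ValueError("ASCII WEP key must be 5 or 13 characters")
        key = text.encode("ascii")
    return key, len(key) * 8 + 24

def wpa_psk(secret, essid):
    """Return the 256-bit WPA-PSK for a passphrase or a 64-digit hex key."""
    if len(secret) == 64 and set(secret) <= HEX:
        return bytes.fromhex(secret)  # hex mode: the input is the key itself
    if not 8 <= len(secret) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in secret):
        raise ValueError("passphrase must be printable ASCII")
    if not 1 <= len(essid.encode()) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, ESSID as salt, 4096 rounds, 32 bytes
    return hashlib.pbkdf2_hmac("sha1", secret.encode("ascii"),
                               essid.encode(), 4096, 32)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    key, bits = wep_key("0123456789", hex_input=True)
    print(f"WEP: {len(key) * 8} secret bits, advertised as {bits}-bit")
    for essid in ("office", "guest"):
        # Same passphrase, different ESSID: the derived keys differ.
        print(essid, wpa_psk("correct horse battery", essid).hex())
```

Because the ESSID is the salt, a passphrase that is reused on a network with a common default name yields the same 256-bit key everywhere that name is used.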
28.1.5 Tips and Tricks for Setting Up a WLAN
These tips can help tweak speed and stability as well as security aspects of
Stability and Speed
The performance and reliability of a wireless network mainly depend on
whether the participating stations receive a clean signal from the other
stations. Obstructions like walls greatly weaken the signal. The more the
signal strength sinks, the more the transmission slows down. During
operation, check the signal strength with the iwconfig utility on the
command line (Link Quality field) or with KInternet
in KDE. If you have problems with the signal quality, try to set up the
devices somewhere else or adjust the position of the antennas of your
access points. Auxiliary antennas that substantially improve the reception
are available for a number of PCMCIA WLAN cards. The rate specified by the
manufacturer, such as 54 MBit/s, is a nominal value that represents the
theoretical maximum. In practice, the maximum data throughput is
no more than half this value.
If you want to set up a wireless network, remember that anybody within the
transmission range can easily access it if no security measures are
implemented. Therefore, be sure to activate an encryption method. All WLAN
cards and access points support WEP encryption. Although this is not
entirely safe, it does present an obstacle for a potential attacker. WEP is
usually adequate for private use. WPA-PSK would be even better, but it is
not implemented in older access points or routers with WLAN functionality.
On some devices, WPA can be implemented by means of a firmware update.
Furthermore, Linux does not support WPA on all hardware components. When
this documentation was prepared, WPA only worked with cards using
, , or
chips. On , WPA only works if the
hostap driver is used (see
Problems with Prism2 Cards). If WPA is not available, WEP
is better than no encryption. In enterprises with advanced security
requirements, wireless networks should only be operated with WPA.
If your WLAN card fails to respond, check if you have downloaded the needed
firmware. Refer to Section 28.1.1,
Hardware. The following paragraphs cover some known problems.
Multiple Network Devices
Modern laptops usually have a network card and a WLAN card. If you
configured both devices with DHCP (automatic address assignment), you may
encounter problems with the name resolution and the default gateway. This
is evident from the fact that you can ping the router but cannot surf the
Internet. The Support Database features an article on this
subject at https://en.opensuse.org/SDB:Name_Resolution_Does_Not_Work_with_Several_Concurrent_DHCP_Clients.
Problems with Prism2 Cards
Several drivers are available for devices with
chips. The various cards work more or
less smoothly with the various drivers. With these cards, WPA is only
possible with the hostap driver. If such a card does not work properly or
not at all or you want to use WPA, read
WPA support is quite new in SUSE Linux Enterprise and still under development. Thus,
YaST does not support the configuration of all WPA authentication
methods. Not all wireless LAN cards and drivers support WPA. Some cards
need a firmware update to enable WPA. If you want to use WPA, read