Category Archives: Wifi

Configuring wireless networks in Linux

1. Overview

This post assumes that you are already familiar with connecting Windows or Mac OS to an existing accesspoint. It also assumes that you have a working wireless network card.  If you are looking for an inexpensive wifi card that you can attach to a USB 2.0 port, take a look at my previous post (CSL 300 Mbit/s wifi adapter with Debian 8 Jessie). You might have to install additional firmware packages.

Here is a list of supported wifi devices by the Linux kernel:

Check with iwconfig that there is a working WiFi device on your computer:

$ iwconfig

wlan0     IEEE 802.11bgn  ESSID:off/any   
          Mode:Managed  Access Point: Not-Associated   Tx-Power=15 dBm    
          Retry short limit:7   RTS thr:off   Fragment thr:off 
          Encryption key:off 
          Power Management:on

This tells us that there is a WiFi device called "wlan0" capable to connect to any 802.11b/g/n accesspoint.

There are 2 ways to configure wireless networks in Linux:

  • Using the graphical tool "NetworkManager"
    The preferred method if you are using a graphical desktop environment. Very similar to Windows or Mac OS and easy to use.
  • On the command line using "wpa_supplicant"
    Only recommended for experienced Linux users.

Both of them are included in every modern Linux distribution and have advantages and disadvantages which I will explain later in this post. You should not mix both methods, just decide for one of them and stick with it. So if you already use NetworkManager to manage ethernet connections, it is easy to add one or more WiFi connections.

Both NetworkManager and the native command line method rely on the package "wpa_supplicant" (or "wpasupplicant") to actually use a wifi network. Nevertheless I will use the term "wpa_supplicant" to refer to the command line method.

There is a plethora of additional graphical network tools in Linux, e.g. graphical front ends for wpa_supplicant. Once you know the basics of wpa_supplicant it is easy to use other tools too. Therefore in this post I will only describe how to configure wpa_supplicant on the command line.

2. Encryption Protocols

WPA2 (802.11i) is today's standard for wireless data encryption. It uses 2 different keys for encrypting traffic between accesspoint and client stations.

NameDescriptionConfiguration OptionRekeying Interval (Default Value)Notes
PTK ("Pairwise Transient Key":)- Consists of several other keys / fields used to encrypt data and distribute GTK to client stations

- Unique to every client station

- Only used for unicast traffic
"wpa_ptk_rekey" in wpa_supplicant.conf?
GTK ("Group Transient Key")- Generated by accesspoint and sent to client stations

- Shared by all client stations

- Only used for multicast, / broadcast traffic
"Group Key Interval" in accesspoint configuration

rekey interval is not configurable in NetworkManager or wpa_supplicant
30 seconds- Not configurable in NetworkManager or wpa_supplicant

- Rekeying is completely up to accesspoint, so there is no way to print the rekey interval on client station (wpa_cli or nmcli)

- wpa_supplicant generates log entries like the following:
wpa_supplicant[1652]: wlan0: WPA: Group rekeying completed with 00:2a:0e:ab:cd:ef [GTK=CCMP]

Both keys are then used to encrypt traffic between accesspoint and client stations. There are 2 protocols for symmetric data encryption:

  • TKIP (Temporal Key Integrity Protocol)
    based on RC4
    insecure and obsolete
    use only in combination with additional encryption layers like VPN or SSH tunnels
  • CCMP (CCM Mode Protocol)
    based on AES
    today's standard

3. Authentication Methods

There are 2 different authentication methods for wireless networks:

  • All users share the same single key
    Primarily used for a smaller number of client stations, e.g. in home networks or small guest networks
  • Every user has his own username / password (or unique client certificate)
    Useful for a larger number of client stations, e.g. in corporate environments or where you have a lot of guest users

WPA2 Personal / PSK (Preshared Key)

The same key (8 - 63 characters) must be configured on accesspoint and client stations. It is directly used as PMK (Pairwise Master Key) by accesspoint, and then used to calculate PTK (Pairwise Transient Key). PTK is then used to calculate GTK.

WPA2 Enterprise / 802.1x

Actual authentication is not performed by the accesspoint, but by a 3rd party server called "authentication server". This is usually a Radius server running "freeradius".

Even though authentication is performed by a separate authentication server, it only knows the MK (Master Key) and its derived PMK (Pairwise Master Key). The PMK is transferred (moved, not copied) from the authentication server to the accesspoint and used to calculate a PTK (Pairwise Transient Key). So the authentication server has no access to neither PTK nor GTK and therefore cannot decrypt traffic (unicast or multicast) between accesspoint and client stations.

  • WPA2 Enterprise usually requires a username / password combination for authentication
    (authentication methods LEAP, FAST, PEAP, and TTLS)
  • Using TLS as the authentication method the client authenticates with a client X.509 certificate.
  • The client itself may use a CA certificate to verify that it is connecting to the right accesspoint (similar to HTTPS connections in webbrowsers).

4. NetworkManager

NetworkManager is part of every modern LInux distribution. After a standard installation of Linux you will see a network icon in the system bar of desktop environment. If you click on it you will see a list of options to configure NetworkManager.

Connection settings that you make in the GUI are stored as plain text files under /etc/NetworkManager/system-connections . (Explanation of all settings: )

In addition to configure wireless networks, NetworkManager offers some other useful features:

  • You can integrate NetworkManager with desktop encryption tools like kwallet to prevent passwords from being saved in plain text to the configuration files.
  • You can integrate NetworkManager with firewalld to automatically assign WiFi networks to firewall zones.
  • You can configure NetworkManager to automatically use a VPN connection once you are connected to a specific WiFi network.

General configuration

NetworkManager screenshot: General configuration

Automatically connect to this network when it is available
In most cases leave this unchecked. Otherwise there might be occasions where you involuntary connect to the WiFi network.

All users may connect to this network
Only check this option if you want to share your wifi configuration with other Linux user accounts.

Automatically connect to VPN when using this connection
Useful when using an insecure public WiFi hotspot that you only want to use in combination with a VPN tunnel.

Firewall zone
If you are using firewalld and firewall-config, you may associate this WiFi network with a specific firewall zone. If empty the default firewall zone will be used automatically.

The dialog box layout is a little bit misleading because this field has nothing to do with the previous "Firewall zone" field. If there is more than one of the "Automatically connect to this network ..." wifi networks available, "Priority" defines the order in which those networks will be activated. The first successful connection will be used.


NetworkManager screenshot: Wi-Fi

Name of wifi network. Use dropdown list to see all available networks. If you don't see any networks here, make sure that wifi is switched on and enabled and that NetworkManager is running.

For normal network access, choose "Infrastructure".
"Ad-hoc" lets you connect directly to another wifi client without using an access point in between.
"Access Point" lets you act as an access point yourself.

Physical id of the access point. The network you have chosen under "SSID" might have several access points. Here you can chose the one with the best signal strength.

Restrict to device
If you have more than one wifi network cards, you can restrict the wifi network to only one of them. Usually you leave this blank.

Cloned MAC address
A MAC address is like a unique serial number for every network card. There should not be two network cards with the same MAC address on the same network. Sometimes in very rare cases, two network cards have the same MAC address. If this is the case, you will have problems connecting to the network or experience other weird problems. Choose another MAC address, but make sure to use the "Random..." button.

Another situation where you might use this field is when the network is protected and configured to accept only certain MAC addresses. This is not a fool proof security feature, but it helps to keep random surfers out of public accessible wifi networks. In this case you need to get a valid MAC address from the network administrator and type it in here. Make sure it is not in use by someone else on the same wifi network.

In most cases leave this field blank.

Leave this to "Automatic".

If the network name does not show in the network dropdown list (SSID), but you are still sure that it is a valid network name, you might want to check "Hidden network".

Command line

NetworkManager can also be controlled from the command line with "nmcli".

Display current state of NetworkManager service
$ nmcli g
connected  full          enabled  enabled  enabled  enabled

Show a list of all network connections
$ nmcli c  
mynetwork           abababab-cdcd-12cc-bbef-1212121212ab  802-11-wireless  wlan0 

Stop wifi network
$ nmcli c down id mynetwork

Start wifi network
$ nmcli c up id mynetwork


5. wpa_supplicant

wpa_supplicant runs as a service process in the background. Connections are stored by default in /etc/wpa_supplicant/wpa_supplicant.conf .

Sample configuration file with detailed explanations:

The wpa_supplicant background service can be controlled from the command line with "wpa_cli".

Display list of all command line parameters
$ wpa_cli help

Display a list of configured networks
$ wpa_cli list_networks
0       mynetwork 0a:ab:ee:ef:2a:ef       [CURRENT]

Start wifi network
$ wpa_cli enable_network 0

Stop wifi network
$ wpa_cli disable_network 0

Show current wifi connection status
$ wpa_cli status



CSL 300 Mbit/s wifi adapter with Debian 8 Jessie

The CSL 300 Mbit/s wifi adapter is available at Amazon and is an inexpensive wifi USB adapter for Linux. It supports 802.11 b/g/n, WPA2, and has an external antenna adapter.

It identifies as follows with "sudo lsusb":

Bus 003 Device 002: ID 0bda:8172 Realtek Semiconductor Corp. RTL8191SU 802.11n WLAN Adapter

The loaded kernel module is "r8712u" (check with "sudo lsmod | grep r8712u").

To make it work with Debian Jessie, all you need to do is to install the standard Debian package "firmware-realtek". The output in "kern.log" after installing the package and plugging in the USB adapter should look something like this:

Sep 27 13:50:37 computername kernel: [    9.617950] r8712u: module is from the staging directory, the quality is unknown, you have been warned.
Sep 27 13:50:37 computername kernel: [    9.618985] r8712u: Staging version
Sep 27 13:50:37 computername kernel: [    9.619009] r8712u: register rtl8712_netdev_ops to netdev_ops
Sep 27 13:50:37 computername kernel: [    9.619014] usb 4-2: r8712u: USB_SPEED_HIGH with 4 endpoints
Sep 27 13:50:37 computername kernel: [    9.619553] usb 4-2: r8712u: Boot from EFUSE: Autoload OK
Sep 27 13:50:37 computername kernel: [   10.284174] usb 4-2: r8712u: CustomerID = 0x000a
Sep 27 13:50:37 computername kernel: [   10.284178] usb 4-2: r8712u: MAC Address from efuse = 20:ac:3f:b9:b9:b9
Sep 27 13:50:37 computername kernel: [   10.284181] usb 4-2: r8712u: Loading firmware from "rtlwifi/rtl8712u.bin"
Sep 27 13:50:37 computername kernel: [   10.284258] usbcore: registered new interface driver r8712u
Sep 27 13:50:37 computername kernel: [   10.348992] usb 4-2: firmware: direct-loading firmware rtlwifi/rtl8712u.bin