The picture: My laptop has an ethernet and a wireless card, tlp0 and ath0. Ethernet can be plugged in at times, and should have precedence over wireless -- this is mostly to prevent a wifi network bouncing up and down interrupting operating via the cable. Wireless can be configured in several ways, including no security, WEP or WPA.

The machine should try to find network when waking up from APM, when ethernet is plugged in, or when a wireless network is found (using whatever SSID).

The idea is to use wpa_supplicant(8) to detect wifi networks and mark the ath0 interface as "connected". NetBSD's ifwatchd(8) is used to detect if either ethernet or wifi is "connected" or disconnected when the machine's either running, or returning from sleep. A shell script then runs dhcp and does assorted setup and cleanup.

The main engine in this setup is ifwatchd(8), which basically handles all the work that's either induced by kicking wpa_supplicant(8) via APM, wpa_supplicant(8) finding a working wifi network, or by plugging in/out an ethernet cable.

The configuration:

1. /etc/rc.conf:

   apmd=yes
   wpa_supplicant=yes
   wpa_supplicant_flags="-B -iath0 -c/root/wpa.conf"
   ifwatchd=yes
   ifwatchd_flags="-c /root/ifwatch-up -n /root/ifwatch-down tlp0 ath0" 

2. WPA supplicant config: /root/wpa.conf

   Here's a sample config file for wpa_supplicant(8) that I use for University, home and another place. Note that the WPA in there is a bit more complex than in a home-setup with just a pre-shared key (PSK):

   % cat /root/wpa.conf
   ctrl_interface=/var/run/wpa_supplicant
   ctrl_interface_group=wheel
   
   #
   # WPA-enabled network with identities 
   # (used at uni-regensburg.de and fh-regensburg.de)
   #
   network={
           ssid="802.11i"
           key_mgmt=WPA-EAP
           eap=TTLS
           identity="abc12345"
           password="foobar"
           phase2="auth=PAP"
   }
   
   #
   # An unencrypted (open) network:
   #
   network={
           ssid="eyeswideshut"
           scan_ssid=1
           key_mgmt=NONE
   }
   
   #
   # A WEP-encrypted network with pre-shared key:
   #
   network={
          ssid="wepssid"
          scan_ssid=1
          key_mgmt=NONE
          wep_key0="wepkey"
          #wep_tx_keyidx=0
          #priority=5
   } 

3. Watching interfaces: /root/ifwatch-updown

   ifwatchd(8) can't pass parameters, so I'm using two different scripts, and then look at $0 to see if we're going up or down:

   % ls -la /root/ifwatch-*
   lrwxr-xr-x  1 root  wheel   14 Mar 10 12:27 /root/ifwatch-down -> ifwatch-updown
   lrwxr-xr-x  1 root  wheel   14 Mar 10 12:27 /root/ifwatch-up -> ifwatch-updown
   -rwxr-xr-x  1 root  wheel  760 Aug 16 11:45 /root/ifwatch-updown
   

   Here is the script that handles ethernet and wifi networks going up and down:

   % cat /root/ifwatch-updown
   #!/bin/sh
   #
   # See if network is going up or down, to be called via ifwatchd(8)
   #
   # Copyright (c) 2007 Hubert Feyrer <hubert@feyrer.de>
   # All rights reserved.
   #
   
   case $0 in
   *-up)
           case $1 in
           tlp*)
                   # Disable wireless bouncing up and down if we're on wire
                   #
                   logger stopping wpa_supplicant
                   sh /etc/rc.d/wpa_supplicant stop
                   ;;
           esac
   
           pkill dhclient
           sh /etc/rc.d/network restart
           dhclient $1
           sh /etc/rc.d/ntpd restart
           ;;
   
   *-down)
           case $1 in
           tlp*)
                   # Re-enable wireless if we go off-wire
                   #
                   logger starting wpa_supplicant
                   sh /etc/rc.d/wpa_supplicant start
                   ;;
           esac
   
           pkill -x ssh
           sh /etc/rc.d/ntpd stop
   
           pkill dhclient
   
           sh /etc/rc.d/network stop
           route delete 194.95.108.0/24
           ;;
   
   *)
           logger "$0 $@": unknown 
           ;;
   esac
   
   logger "$0 $@" done.
   echo ^G >/dev/console
   

   A few comments:

   • As the comment says, if the ethernet interface (tlp) is found to be connected, wpa_supplicant(8) is stopped to prevent it from bouncing up and down and possibly disrupt things.
   • I stop the network at every time, to flush routes and everything. This mostly works, but not completely, thus I remove one route manually. Someone please fix "route flush"...
   • I use NTP, and to prevent ntpd(8) from spamming the logs when offline, I disable it when offline.
   • When network goes away, I kill my ssh sessions. I prefer this over dead sessions that I have to kill with ~.
   • The echo-command in the last line sends a beep with ^G to give a signal that network's up/down now.

4. APM setup:

   During my experiments, wpa_supplicant(8) died during suspend/resume, I thus stop it before suspending, and start after resuming. This may also have positive effects on power consumption (if not it should probably be hooked in here). My machine uses APM, and I mostly use /usr/share/examples/apm/script, see that file for install instructions.

   Here's the diff that I use to handle wpa_supplicant - dhclient is restarted via ifwatchd:

   % diff -u /usr/share/examples/apm/script /etc/apm/battery
   --- /usr/share/examples/apm/script      2003-03-11 15:56:54.000000000 +0100
   +++ /etc/apm/battery    2007-03-10 12:57:21.000000000 +0100
   @@ -25,7 +25,7 @@
    S=/usr/X11R6/share/kde/sounds
    
    # What my network card's recognized as:
   -if=ne0
   +if=ath0
    
    LOGGER='logger -t apm'
    
   @@ -43,8 +43,11 @@
           # In case some NFS mounts still exist - we don't want them to hang:
           umount -a    -t nfs
           umount -a -f -t nfs
   -       ifconfig $if down
   -       sh /etc/rc.d/dhclient stop
   +
   +       sh /etc/rc.d/wpa_supplicant stop
   +
   +       cd /usr/tmp ; make off
   +
           $LOGGER 'Suspending done.'
           ;;
    
   @@ -62,7 +65,9 @@
    *resume)
           $LOGGER 'Resuming...'
           noise $S/KDE_Startup.wav
   -       sh /etc/rc.d/dhclient start
   +
   +       sh /etc/rc.d/wpa_supplicant start
   +
           # mount /home
           # mount /data
           $LOGGER 'Resuming done.'
   

   The "make off" when shutting down the machine unmounts the cgf-encrypted data partition that I'm using for SSH and PGP keys. I manually mount it when I need it again.

The future -- more work on this would include adding ACPI/powerd(8) scripts, and putting all of this either into the default NetBSD install, or at least into NetBSD's /usr/share/examples.

[Tags: apm, cgd, cgf, ifwatchd, networking, wlan, wpa]

Those interested can find the config in the "May 2007" entry of the updates of my vpnc article.

(I also have some scripts that do auto-detection of wirefull and wireless networks and setup connections accordingly, together with APM-based suspend and resume; I'll write some more about that some other time, as it's what NetBSD lacks when installed out of the box)

[Tags: hubertf, vpnc, wpa]

(Why is this interesting for me and Jan? I've moved to teach at Jan's campus this fall, and they seem to be phasing out the MAC/DHCP-based wireless LAN with something that's using IEEE 802.1x and some *yuck* Windows-domain accounts - but at least no more seperate registration for machines then...)

[Tags: wlan, wpa]