WiFi Security for a hostapd Access Point
Hi,
I configured a TP-LINK TL-WN721N to serve as an access point using hostapd. I'm using WPA2, and I've set up MAC filtering and a 16-character alphanumeric password from GRC. What else can I do to make my network more secure? This is my first experience with WiFi.
Thanks in advance,
SgrA
I think that is pretty secure. If you want more, you could try something like forcing the use of a VPN: once they get an IP, they can only get access to the VPN port on your server, and everything else is blocked.
If they want something else, like web browsing, they have to do it over the VPN. That way, even if they get access to your LAN, they can't do anything without the VPN certs. Try to do it using OpenVPN.
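As an added example (not code from this thread, and not part of hostapd or OpenVPN), here is one way to put both suggestions into practice: a WPA2-only hostapd configuration, and an iptables ruleset that lets wireless clients reach nothing on the AP host except DHCP and the OpenVPN listener, and never forwards raw wireless traffic upstream. The interface names (wlan0, eth0, tun0), the UDP port 1194, the tunnel subnet 10.8.0.0/24 and the file paths are assumptions for illustration. One caveat the thread does not spell out: the MAC allow-list is a nuisance filter only, because a permitted client's MAC can be read off the air and spoofed; the passphrase, the CCMP-only cipher setting and the VPN requirement are the controls that actually keep strangers off the network.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: render a WPA2-only hostapd.conf and an
# iptables-restore ruleset that lets wireless clients reach only DHCP and the
# OpenVPN port on the AP host. Interface names, port, subnet and paths are
# assumptions for illustration.
set -eu

# hostapd accepts WPA-PSK passphrases of 8..63 printable ASCII characters.
# Returns 0 if the candidate is acceptable, 1 otherwise.
psk_ok() {
    local n=${#1}
    if [ "$n" -lt 8 ] || [ "$n" -gt 63 ]; then
        return 1
    fi
    # delete every printable ASCII byte; anything left over is not allowed
    [ -z "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')" ] || return 1
    return 0
}

# hostapd_conf IFACE SSID PASSPHRASE MAC_ACCEPT_FILE
# Prints a hostapd.conf: WPA2 only (no WPA1 fallback), CCMP only (no TKIP),
# protected management frames required, client isolation, MAC allow-list.
hostapd_conf() {
    psk_ok "$3" || { echo "bad passphrase: need 8-63 printable ASCII chars" >&2; return 1; }
    cat <<EOF
interface=$1
driver=nl80211
ssid=$2
hw_mode=g
channel=6
# WPA2-PSK only; CCMP (AES) only, no TKIP
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=$3
# 802.11w: require protected management frames (use 1 if a client lacks PMF support)
ieee80211w=2
# keep wireless clients from reaching each other through the AP
ap_isolate=1
# MAC allow-list; spoofable, so treat it as a nuisance filter, not a control
macaddr_acl=1
accept_mac_file=$4
EOF
}

# vpn_only_rules WLAN_IFACE WAN_IFACE VPN_UDP_PORT TUN_IFACE TUN_SUBNET
# Prints an iptables-restore ruleset: raw wireless traffic may reach only
# DHCP and the OpenVPN listener on this host and is never forwarded; only
# traffic that arrives decrypted on the tunnel interface is routed upstream.
vpn_only_rules() {
    local wlan=$1 wan=$2 port=$3 tun=$4 tunnet=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $wlan -p udp --dport 67 -j ACCEPT
-A INPUT -i $wlan -p udp --dport $port -j ACCEPT
-A INPUT -i $wlan -j DROP
-A INPUT -i $tun -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $tun -o $wan -j ACCEPT
-A FORWARD -i $wlan -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $tunnet -o $wan -j MASQUERADE
COMMIT
EOF
}

# Usage (as root): "PSK=... ./ap-vpn-only.sh render" writes both files and
# loads the rules. Nothing runs unless "render" is passed, so the functions
# can also be sourced.
if [ "${1:-}" = "render" ]; then
    umask 077   # the config carries the passphrase; keep it root-readable only
    hostapd_conf wlan0 HomeAP "${PSK:?set PSK in the environment}" /etc/hostapd/hostapd.accept > /etc/hostapd/hostapd.conf
    vpn_only_rules wlan0 eth0 1194 tun0 10.8.0.0/24 > /etc/iptables/vpn-only.rules
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables-restore < /etc/iptables/vpn-only.rules
    echo "now run: hostapd /etc/hostapd/hostapd.conf, and start openvpn on tun0"
fi
```

Two things to keep in mind when applying this: the INPUT policy is DROP, so add an explicit rule for whatever management access you need on the wired side (for example SSH on eth0) before loading it, and point the OpenVPN client configs at the AP's wireless-side IP address rather than a hostname, since DNS is only reachable once the tunnel is up.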
Similar Messages
N95 Wifi, home network and hidden access points
Hello-
Just picked up an N95 and having some problems. First, my home network doesn't broadcast an SSID. I stumbled across the home network option and was able to configure it. However, it's never an option when I need an internet connection; e.g., it never shows up in the WLAN list.
So, how do I configure a hidden access point so I can use it? The user guide says you should be able to do it manually, but doesn't go into any details.
Secondly, exactly what is the home network setting for and why is it separate from the other wlan settings?
Thanks,
JayJay,
I too have a hidden network (SSID not broadcast); the N95 seems to have a problem with this. It may or may not show up on the active standby screen (on my Voda N95, it shows up when I take my SIM out!).
To configure your access point:
Tools / Settings / Connection / Access Points
then Options / New access point
Connection name
(enter a name, whatever you want to call it)
Data bearer
=wireless LAN
WLAN network name
(enter your SSID here)
Network Status
(public or hidden)
WLAN network mode
(Infrastructure or ad-hoc. If you're using a router, infrastructure should be the one you want)
WLAN security mode
(Open, WEP, 802.1x or WPA2. Check your router)
WLAN security settings
WPA/WPA2
EAP or Pre-shared key (consult your router)
EAP plug-in settings or Pre-shared key
(which one you get depends on what you set above)
WPA2 only mode
(leave alone)
Having done all this it still won't show on the active-standby screen (at least it doesn't on mine) in the WLAN section, BUT if you try to surf the web it should ask which access point you want to use - assuming you've got it set to 'always ask'. What this seems to do is only list the connections that it can find (i.e. if you've got a 'Starbucks' and a 'home' connection defined, it'll only show 'home' at home and 'Starbucks' when you're getting your latte). The standby screen may show, how to describe it, a four-leaf clover near to the battery level indicator; this is the indication that it's either found or connected to your wireless LAN.
I think the 'Home netw.' option is for use with the Home Media Server application supplied on the CD. I haven't tried it so can't confirm for sure.
Hope this helps,
Simon
E&OE
Sony CMD-Z1, Nokia 8110, Nokia 6210, Nokia 6610 (returned within a week), Nokia 6600 (twice), N95, 3109c & N97.
Domain user authentication for 3650 Wireless Access point
Dear All,
I have got a new proposal to configure the wireless access points by managing them with the 3650 wireless controller.
We wanted to block the Wifi Access to mobile users.
Only domain users need to be authenticate to the corporate wireless access.
We have a 3650 switch as a wireless controller and ISE in place. Kindly guide me on how to achieve the same. Attached is the setup diagram.
If possible share the sample configuration and it would be helpful.
Please refer to
http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115734-ise-policies-ssid-00.html
Unable to get ip address from DHCP server for Aironet 1130AG Access Point
I have a network in which a DHCP server is enabled. I have read the installation guide, and it mentions that the 1130G access point will not have any static IP assigned to it, so it will automatically get an IP from the DHCP server on the network. I have connected it to the network but it is unable to get an IP address. The same thing I have configured on the Netgear and it is working fine. I have looked at the SonicWall and used the IPSU tool to check the IP address from the MAC address, but I am not able to get it. Please give me some tips to check where I am wrong in the configuration, because the first web page is also not coming up because of the IP address.
narendra,
I would suggest that the AP be connected to a laptop or desktop PC that would run a local DHCP server with a small scope set up... plenty of free ones on the web (this PC would obviously not be connected to your current network). This way you can watch the DHCP server hand the AP its address (this can take a few minutes). Once you have the address, use it to access the GUI and give the AP a static address (I find it good practice to give all my autonomous APs static addresses for ease of troubleshooting)... Hope that helps.
Best practice for having an access point giving out only a specific range
Hey All,
I have an access point which is currently set to relay all DHCP requests to the server DC-01. However, the range that has been set up is running low on available IP addresses, so I have been asked if it is possible to set up another range for the AP only.
Is there a way to set the DHCP up with a new range so that anything from that access point gets a 192.168.2 subnet address as opposed to the standard 192.168.1 subnet?
Or would it be easier/better to create a superscope and slowly migrate the users to a new subnet with a larger range?
Any help suggestions would be appreciated
thanks
Anthony
Hi,
Maybe we could configure a DHCP superscope to achieve your target.
For details, please refer to the following articles.
Configuring a DHCP Superscope
http://technet.microsoft.com/en-us/library/dd759168.aspx
Create a superscope to solve the problem of dwindling IP addresses
http://www.techrepublic.com/article/create-a-superscope-to-solve-the-problem-of-dwindling-ip-addresses/
Best Regards,
Andy Qi
TechNet Community Support
Third Party Signal Repeaters/Wireless Extenders for Boosting Cisco Access Points Indoors
We have some buildings with access points (Cisco 2602e with 6dBi Terrawave omni antennas) in the hallways, in which the clients residing in rooms aren't receiving a strong enough signal to connect at suitable rates. The main reason for this is the large thick doors used for the client rooms reducing the strength of the signal, and we weren't authorized to place APs inside the rooms. Nor are we able to modify the structure of the building, such as changing the doors. We can't ask or expect the clients to keep their doors open to receive a stronger signal. I've tweaked the Tx power for the APs, and lowered the mandatory rates on the WLC for this location under the RF profile created for it, but this isn't resolving the issue with the weak signal.
One band aid solution idea was to place signal repeaters (low profile) inside each room, behind the wall/door area facing the hallway. I've seen a few third party products online, but they seem to only come in support of the 2.4GHz band. If this is a feasible solution, then it looks like we wouldn't be able to support clients on the 5GHz band on our AP, as clients would most likely connect to the 2.4 GHz band due to a stronger signal, limiting our load balancing on the AP. Anyone have experience with using signal repeaters that work properly with Cisco APs.
Not the ideal situation, but we have our hands tied on what we can do.
If you've got a WLC, then disable TPC and crank up the power to full.
Tool for viewing all access points simultaneously
We have 12 Cisco Aironet access points that we're working with. Is there a utility that can be used to view/manage those access points at the same time without having to login to each one from a separate browser?
Hi Anthony,
When you hit this number of APs you probably want to look into the WLC (Wireless LAN Controller). This appliance is perfect for managing APs, pushing new configs, etc.
Guidelines and Tools for Migrating to the Cisco Unified Wireless Network
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd804f1a23.shtml
Understanding the Lightweight Access Point Protocol (LWAPP)
http://www.cisco.com/en/US/netsol/ns340/ns394/ns348/ns337/networking_solutions_white_paper0900aecd802c18ee.shtml
Deploying Cisco 440X Series Wireless LAN Controllers
http://www.cisco.com/en/US/products/ps6366/prod_technical_reference09186a00806cfa96.html
Cisco Wireless LAN Controller Configuration Guide, Release 4.0
http://www.cisco.com/en/US/products/ps6366/products_configuration_guide_book09186a00806b0077.html
WLC Video
http://www.cisco.com/en/US/products/ps6366/index.html
Hope this helps!
Rob
QoS for voice over access point AIR-AP1242AG-A-K9
I need to know whether QoS for voice traffic can be configured on the AIR-AP1242AG-A-K9 access point. The customer has 5 laptops with softphones (IP telephone software) installed. Data and voice traffic is generated from one laptop. Thanks.
Julio,
Yes, you can do QoS on an IOS AP. The below link describes how you configure it.
http://www.cisco.com/en/US/customer/docs/wireless/access_point/12.4_21a_JA1/configuration/guide/scg12421aJA1-chap15-qos.html
Keep in mind that with a softphone, or even dual-band cell phones, the application has to be able to mark its traffic appropriately for the QoS to work as it should.
HTH,
Steve
Setting up WRVS4400N for switch & wireless access point
Howdy, first post here. What is the proper way to configure this device to act as a switch and wireless access point so I can connect it to a switch with a router upstream? I have a D-Link router that was easy: disable UPnP, disable DHCP, set an IP/subnet, and it worked.
My main router has a subnet mask of 255.255.240.0 but in the WRVS4400N setup screen I only get a list box with a limited number of masks, all of which are 255.255.255.x. Is there any way to specify the 240?
No. You cannot use a subnet mask larger than 255.255.255.0 on Linksys routers. They are only built to handle 255.255.255.0 and smaller. I guess they consider that a LAN which requires a larger subnet, i.e. expects to run more than 253 networked devices, requires a larger router.
The only thing you can do is to choose 255.255.255.0 and to pick an IP address which matches the IP address from which you expect to do the usual configuration work. If you use 10.0.0.0/255.255.240.0 but the computers which have to configure the router are all in 10.0.1.0/255.255.255.0 you can use that subnet. This works with computers even if they have a different subnet mask.
Of course, you can set any IP address you want, even one completely outside your normal LAN in order to "hide" the web interface from the normal LAN operation. The IP address of the router in your setup is irrelevant for the switching and wireless access. Both operate on ethernet/MAC addresses and the IP address of the router does not play any role there. If you use the 10 subnet mentioned before you could as well leave the router at 192.168.1.1/255.255.255.0. Whenever you have to access the web interface of the router you must temporarily set a static IP address inside 192.168.1.* on the computer...
Cisco's Options For A Ruggedized Access Point
I'm looking for a wireless solution for an open plant environment. I know Cisco sold ruggedized 350 access points. I also see they are discontinuing the 350. What is Cisco's ruggedized solution currently for 802.11b/g?
I believe the 1200 were for outdoor, but you may want to use a NEMA enclosure for the 1200. Check out fabcorp and ydi for info and prices.
Can a WS-PWR-PANEL be used for POE to Access Points?
We have an AP1010, AP1030, and an AIR-LAP-1232AG. Will they be able to use a WS-PWR-PANEL for POE?
Hi Richard,
The WS-PWR-PANEL only supports APs with a single B radio, so I think this will be problematic. Have a look:
Cisco Platforms and Daughter Cards
Access Point Compatibility Matrix
WS-PWR-PANEL
Cisco IPM Support - No
1130AG Series with 2 Radios - No
1200 Series with 2 Radios - No
All Access Points with 1 Radio - Yes (Only with 802.11b radio.)
From this doc;
Cisco Aironet Power Over Ethernet Application Note
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a008039e541.html#wp35628
The WS-PWR-PANEL is EOS/EOL as of May 25, 2006. Have a look at the migration options;
http://www.cisco.com/en/US/products/hw/modules/ps2797/prod_eol_notice0900aecd80380fa0.html
Hope this helps!
Rob
Please remember to rate helpful posts.......
I am struggling to resolve a wi-fi connectivity issue between a G4 imac with airport card and a netgear wireless-n access point.
The setup is as follows: the broadband comes into a Netgear router (DG834Gv5) which my Intel iMac connects to wirelessly. The two daughters' den is away downstairs, so I run an ethernet cable from the main Netgear router to a Netgear ProSafe wireless access point (WNAP210) as an extender (we live on a houseboat so there are metal bulkheads and the like in between).
In the den, the older daughter's G5 connects wirelessly to the Netgear access point easily through a WPA-PSK connection.
The younger daughter's G4, running 10.4.11, with the original AirPort card running firmware 9.52 (AirPort Admin Utility 4.2), refuses with the 'wrong password' error (it isn't; I have checked 50x) or sometimes just 'there was an error joining'.
It can see the network strongly (the AirPort menubar icon goes full, then cuts, then flashes on, then drops) but refuses any traffic.
This G4 can however connect, weakly, with my upstairs router which is also WPA-PSK protected (same password)!
I have read all the forums on this and, despite some non-expert posts muddling the issue, I believe that this SHOULD be possible. Not WPA2 I know, but basic WPA.
In addition, the options in the Netgear extender are b&g (like upstairs, which works), g, or n. So I have selected b&g; no difference.
Currently I have had to set a separate channel for her and leave it unsecured, which isn't a long-term option (I am just hoping that even the cleverest war-driver can't sneak in through the extender, back up to the traffic between my Intel and the main router!!?)
Can anyone suggest what I might be missing in the conjuration (sic, ahem) configuration settings either on the G4 or the Netgear box?
Is it enough to turn off the broadcasting of the open channel name and so render it invisible?
Thanks in advance for any expert person's attention.
hi kathryn
did it have to be the Telekom, by all means??
anyway, first of all a link to a video where a German comedian writes a letter to Steve Jobs demanding he choose any carrier but the DTAG for the iPhone distribution in Germany - really funny!
http://bit.ly/4B4OdQ
OK, I'm currently downloading the Speedport manual from their website and will look through it, in order to see if there's something in there..
as a first guess I'd try looking at the wireless prefs of that Speedport box. I guess it supports by default 802.11a/b/g, whereas the G4 only does 802.11b (the "normal" AirPort). Try selecting only the 802.11b portion from the Speedport (that makes networking somewhat slower for AirPort Express computers, but shouldn't be a problem since it's still at least as fast as basic DSL service (11MBit vs 2 or 6 MBit)).
cheers
Matt
(German in Spain)
Similar SSID for two 1252 access points
Hi, we currently have one 1252 AP. It has two VLANs, one for data and one for voice. Just bought another 1252 AP and am going to have a similar setup.
I read I can have the same SSID so that users don't need to re-authenticate to the other AP. If this is true, can I just copy the config.txt file to the other AP, except of course I'll change the static IP address of the AP? Please advise, thanks.
Hi sohocisco,
Keeping the same SSID/VLAN will ensure that L2 roaming is possible, which is what you want. Depending on your authentication method, though, you may need to configure WDS in order to ensure seamless roaming as you describe.
Note that this is only if you're using an EAP or WPA (non-PSK) authentication method. Please see this document for configuration assistance:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37roamg.html
I hope that helps!
Jeff
[script] create_ap: Create a NATed or Bridged WiFi Access Point
This script uses hostapd + dnsmasq + iptables to create a NATed access point, OR hostapd + brctl + dhclient to create a bridged access point.
The default behavior is a NATed Access Point.
updated script will be here: https://github.com/oblique/create_ap and http://git.2f30.org/create_ap/
Examples
No passphrase (open network):
./create_ap wlan0 eth0 MyAccessPoint
OR
echo -e "MyAccessPoint" | ./create_ap wlan0 eth0
WPA + WPA2 passphrase:
./create_ap wlan0 eth0 MyAccessPoint MyPassPhrase
OR
echo -e "MyAccessPoint\nMyPassPhrase" | ./create_ap wlan0 eth0
AP without Internet sharing:
./create_ap -n wlan0 MyAccessPoint MyPassPhrase
Bridged Internet sharing:
./create_ap -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase
Internet sharing from the same WiFi interface:
./create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase
Usage
Usage: create_ap [options] <wifi-interface> [<interface-with-internet>] [<access-point-name> [<passphrase>]]
Options:
-h, --help Show this help
-c <channel> Channel number (default: 1)
-w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)
-n Disable Internet sharing (if you use this, don't pass
the <interface-with-internet> argument)
-m <method> Method for Internet sharing.
Use: 'nat' for NAT (default)
'bridge' for bridging
'none' for no Internet sharing (equivalent to -n)
--hidden Make the Access Point hidden (do not broadcast the SSID)
--ieee80211n Enable IEEE 802.11n (HT)
--ht_capab <HT> HT capabilities (default: [HT40+])
--driver Choose your WiFi adapter driver (default: nl80211)
--no-virt Do not create virtual interface
Non-Bridging Options:
-g <gateway> IPv4 Gateway for the Access Point (default: 192.168.12.1)
-d DNS server will take into account /etc/hosts
Useful information:
* If you're not using the --no-virt option, then you can create an AP with the same
interface you are getting your Internet connection from.
* You can pass your SSID and password through pipe or through arguments (see examples).
Examples:
create_ap wlan0 eth0 MyAccessPoint MyPassPhrase
echo -e 'MyAccessPoint\nMyPassPhrase' | create_ap wlan0 eth0
create_ap wlan0 eth0 MyAccessPoint
echo 'MyAccessPoint' | create_ap wlan0 eth0
create_ap wlan0 wlan0 MyAccessPoint MyPassPhrase
create_ap -n wlan0 MyAccessPoint MyPassPhrase
create_ap -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase
create_ap --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase
Code
#!/bin/bash
# general dependencies:
# bash (to run this script)
# util-linux (for getopt)
# hostapd
# iproute2
# iw
# iwconfig (you only need this if 'iw' can not recognize your adapter)
# haveged (optional)
# dependencies for 'nat' or 'none' Internet sharing method
# dnsmasq
# iptables
# dependencies for 'bridge' Internet sharing method
# bridge-utils
usage() {
echo "Usage: $(basename $0) [options] <wifi-interface> [<interface-with-internet>] [<access-point-name> [<passphrase>]]"
echo
echo "Options:"
echo " -h, --help Show this help"
echo " -c <channel> Channel number (default: 1)"
echo " -w <WPA version> Use 1 for WPA, use 2 for WPA2, use 1+2 for both (default: 1+2)"
echo " -n Disable Internet sharing (if you use this, don't pass"
echo " the <interface-with-internet> argument)"
echo " -m <method> Method for Internet sharing."
echo " Use: 'nat' for NAT (default)"
echo " 'bridge' for bridging"
echo " 'none' for no Internet sharing (equivalent to -n)"
echo " --hidden Make the Access Point hidden (do not broadcast the SSID)"
echo " --ieee80211n Enable IEEE 802.11n (HT)"
echo " --ht_capab <HT> HT capabilities (default: [HT40+])"
echo " --driver Choose your WiFi adapter driver (default: nl80211)"
echo " --no-virt Do not create virtual interface"
echo
echo "Non-Bridging Options:"
echo " -g <gateway> IPv4 Gateway for the Access Point (default: 192.168.12.1)"
echo " -d DNS server will take into account /etc/hosts"
echo
echo "Useful informations:"
echo " * If you're not using the --no-virt option, then you can create an AP with the same"
echo " interface you are getting your Internet connection."
echo " * You can pass your SSID and password through pipe or through arguments (see examples)."
echo
echo "Examples:"
echo " $(basename $0) wlan0 eth0 MyAccessPoint MyPassPhrase"
echo " echo -e 'MyAccessPoint\nMyPassPhrase' | $(basename $0) wlan0 eth0"
echo " $(basename $0) wlan0 eth0 MyAccessPoint"
echo " echo 'MyAccessPoint' | $(basename $0) wlan0 eth0"
echo " $(basename $0) wlan0 wlan0 MyAccessPoint MyPassPhrase"
echo " $(basename $0) -n wlan0 MyAccessPoint MyPassPhrase"
echo " $(basename $0) -m bridge wlan0 eth0 MyAccessPoint MyPassPhrase"
echo " $(basename $0) --driver rtl871xdrv wlan0 eth0 MyAccessPoint MyPassPhrase"
}
# it takes 2 arguments
# returns:
# 0 if v1 (1st argument) and v2 (2nd argument) are the same
# 1 if v1 is less than v2
# 2 if v1 is greater than v2
version_cmp() {
[[ ! $1 =~ ^[0-9]+(\.[0-9]+)*$ ]] && die "Wrong version format!"
[[ ! $2 =~ ^[0-9]+(\.[0-9]+)*$ ]] && die "Wrong version format!"
V1=( $(echo $1 | tr '.' ' ') )
V2=( $(echo $2 | tr '.' ' ') )
VN=${#V1[@]}
[[ $VN -lt ${#V2[@]} ]] && VN=${#V2[@]}
for ((x = 0; x < $VN; x++)); do
[[ ${V1[x]} -lt ${V2[x]} ]] && return 1
[[ ${V1[x]} -gt ${V2[x]} ]] && return 2
done
return 0
}
USE_IWCONFIG=0
is_wifi_interface() {
which iw > /dev/null 2>&1 && iw dev $1 info > /dev/null 2>&1 && return 0
if which iwconfig > /dev/null 2>&1 && iwconfig $1 > /dev/null 2>&1; then
USE_IWCONFIG=1
return 0
fi
return 1
}
get_phy_device() {
for x in /sys/class/ieee80211/*; do
[[ ! -d "$x" ]] && continue
if [[ "${x##*/}" = "$1" ]]; then
echo $1
return 0
elif [[ -e "$x/device/net/$1" ]]; then
echo ${x##*/}
return 0
elif [[ -e "$x/device/net:$1" ]]; then
echo ${x##*/}
return 0
fi
done
echo "Failed to get phy interface" >&2
return 1
}
get_adapter_info() {
PHY=$(get_phy_device "$1")
[[ $? -ne 0 ]] && return 1
iw phy $PHY info
}
can_have_sta_and_ap() {
# iwconfig does not provide this information, assume false
[[ $USE_IWCONFIG -eq 1 ]] && return 1
get_adapter_info "$1" | grep -E '{.* managed.* AP.*}' > /dev/null 2>&1 && return 0
get_adapter_info "$1" | grep -E '{.* AP.* managed.*}' > /dev/null 2>&1 && return 0
return 1
}
can_have_ap() {
# iwconfig does not provide this information, assume true
[[ $USE_IWCONFIG -eq 1 ]] && return 0
get_adapter_info "$1" | grep -E '\* AP$' > /dev/null 2>&1 && return 0
return 1
}
can_transmit_to_channel() {
IFACE=$1
CHANNEL=$2
if [[ $USE_IWCONFIG -eq 0 ]]; then
CHANNEL_INFO=$(get_adapter_info ${IFACE} | grep "MHz \[${CHANNEL}\]")
[[ -z "${CHANNEL_INFO}" ]] && return 1
[[ "${CHANNEL_INFO}" == *no\ IR* ]] && return 1
[[ "${CHANNEL_INFO}" == *disabled* ]] && return 1
return 0
else
CHANNEL=$(printf '%02d' ${CHANNEL})
CHANNEL_INFO=$(iwlist ${IFACE} channel | grep "Channel ${CHANNEL} :")
[[ -z "${CHANNEL_INFO}" ]] && return 1
return 0
fi
}
is_wifi_connected() {
if [[ $USE_IWCONFIG -eq 0 ]]; then
iw dev "$1" link 2>&1 | grep -E '^Connected to' > /dev/null 2>&1 && return 0
else
iwconfig "$1" 2>&1 | grep -E 'Access Point: [0-9a-fA-F]{2}:' > /dev/null 2>&1 && return 0
fi
return 1
}
get_macaddr() {
ip link show "$1" | grep ether | grep -Eo '([0-9a-f]{2}:){5}[0-9a-f]{2}[[:space:]]' | tr -d '[[:space:]]'
}
get_avail_bridge() {
for i in {0..100}; do
curr_bridge=$(brctl show | grep "br$i" | cut -s -f1)
if [[ -z $curr_bridge ]]; then
echo "br$i"
return
fi
done
}
get_new_macaddr() {
OLDMAC=$(get_macaddr "$1")
for i in {20..255}; do
NEWMAC="${OLDMAC%:*}:$(printf %02x $i)"
(ip link | grep "ether ${NEWMAC}" > /dev/null 2>&1) || break
done
echo $NEWMAC
}
ADDED_UNMANAGED=0
NETWORKMANAGER_CONF=/etc/NetworkManager/NetworkManager.conf
NM_OLDER_VERSION=1
networkmanager_exists() {
which nmcli > /dev/null 2>&1 || return 1
NM_VER=$(nmcli -v | grep -m1 -oE '[0-9]+(\.[0-9]+)*\.[0-9]+')
version_cmp $NM_VER 0.9.10
if [[ $? -eq 1 ]]; then
NM_OLDER_VERSION=1
else
NM_OLDER_VERSION=0
fi
return 0
}
networkmanager_is_running() {
networkmanager_exists || return 1
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
NMCLI_OUT=$(nmcli -t -f RUNNING nm)
else
NMCLI_OUT=$(nmcli -t -f RUNNING g)
fi
[[ "$NMCLI_OUT" == "running" ]]
}
networkmanager_iface_is_unmanaged() {
nmcli -t -f DEVICE,STATE d | grep -E "^$1:unmanaged$" > /dev/null 2>&1
}
ADDED_UNMANAGED=
networkmanager_add_unmanaged() {
networkmanager_exists || return 1
[[ -d ${NETWORKMANAGER_CONF%/*} ]] || mkdir -p ${NETWORKMANAGER_CONF%/*}
[[ -f ${NETWORKMANAGER_CONF} ]] || touch ${NETWORKMANAGER_CONF}
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
if [[ -z "$2" ]]; then
MAC=$(get_macaddr "$1")
else
MAC="$2"
fi
[[ -z "$MAC" ]] && return 1
fi
UNMANAGED=$(grep -m1 -Eo '^unmanaged-devices=[[:alnum:]:;,-]*' /etc/NetworkManager/NetworkManager.conf | sed 's/unmanaged-devices=//' | tr ';,' ' ')
WAS_EMPTY=0
[[ -z "$UNMANAGED" ]] && WAS_EMPTY=1
for x in $UNMANAGED; do
[[ $x == "mac:${MAC}" ]] && return 2
[[ $NM_OLDER_VERSION -eq 0 && $x == "interface-name:${1}" ]] && return 2
done
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
UNMANAGED="${UNMANAGED} mac:${MAC}"
else
UNMANAGED="${UNMANAGED} interface-name:${1}"
fi
UNMANAGED=$(echo $UNMANAGED | sed -e 's/^ //')
UNMANAGED="${UNMANAGED// /;}"
UNMANAGED="unmanaged-devices=${UNMANAGED}"
if ! grep -E '^\[keyfile\]' ${NETWORKMANAGER_CONF} > /dev/null 2>&1; then
echo -e "\n\n[keyfile]\n${UNMANAGED}" >> ${NETWORKMANAGER_CONF}
elif [[ $WAS_EMPTY -eq 1 ]]; then
sed -e "s/^\(\[keyfile\].*\)$/\1\n${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
else
sed -e "s/^unmanaged-devices=.*/${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
fi
ADDED_UNMANAGED="${ADDED_UNMANAGED} ${1} "
return 0
}
networkmanager_rm_unmanaged() {
networkmanager_exists || return 1
[[ ! -f ${NETWORKMANAGER_CONF} ]] && return 1
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
if [[ -z "$2" ]]; then
MAC=$(get_macaddr "$1")
else
MAC="$2"
fi
[[ -z "$MAC" ]] && return 1
fi
UNMANAGED=$(grep -m1 -Eo '^unmanaged-devices=[[:alnum:]:;,-]*' /etc/NetworkManager/NetworkManager.conf | sed 's/unmanaged-devices=//' | tr ';,' ' ')
[[ -z "$UNMANAGED" ]] && return 1
[[ -n "$MAC" ]] && UNMANAGED=$(echo $UNMANAGED | sed -e "s/mac:${MAC}\( \|$\)//g")
UNMANAGED=$(echo $UNMANAGED | sed -e "s/interface-name:${1}\( \|$\)//g")
UNMANAGED=$(echo $UNMANAGED | sed -e 's/ $//')
if [[ -z "$UNMANAGED" ]]; then
sed -e "/^unmanaged-devices=.*/d" -i ${NETWORKMANAGER_CONF}
else
UNMANAGED="${UNMANAGED// /;}"
UNMANAGED="unmanaged-devices=${UNMANAGED}"
sed -e "s/^unmanaged-devices=.*/${UNMANAGED}/" -i ${NETWORKMANAGER_CONF}
fi
ADDED_UNMANAGED="${ADDED_UNMANAGED/ ${1} /}"
return 0
}
networkmanager_rm_unmanaged_if_needed() {
[[ $ADDED_UNMANAGED =~ .*\ ${1}\ .* ]] && networkmanager_rm_unmanaged ${1}
}
networkmanager_wait_until_unmanaged() {
networkmanager_is_running || return 1
while ! networkmanager_iface_is_unmanaged "$1"; do
sleep 1
done
sleep 2
return 0
}
CHANNEL=1
GATEWAY=192.168.12.1
WPA_VERSION=1+2
ETC_HOSTS=0
HIDDEN=0
SHARE_METHOD=nat
IEEE80211N=0
HT_CAPAB='[HT40+]'
DRIVER=nl80211
NO_VIRT=0
CONFDIR=
WIFI_IFACE=
VWIFI_IFACE=
INTERNET_IFACE=
BRIDGE_IFACE=
OLD_IP_FORWARD=
OLD_BRIDGE_IPTABLES=
OLD_MACADDR=
cleanup() {
trap "" SIGINT
echo
echo "Doing cleanup..."
# exiting
for x in $CONFDIR/*.pid; do
# even if the $CONFDIR is empty, the for loop will assign
# a value in $x. so we need to check if the value is a file
[[ -f $x ]] && kill -9 $(cat $x)
done
rm -rf $CONFDIR
if [[ "$SHARE_METHOD" != "none" ]]; then
if [[ "$SHARE_METHOD" == "nat" ]]; then
iptables -t nat -D POSTROUTING -o ${INTERNET_IFACE} -j MASQUERADE > /dev/null 2>&1
iptables -D FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT > /dev/null 2>&1
iptables -D FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT > /dev/null 2>&1
[[ -n $OLD_IP_FORWARD ]] && echo $OLD_IP_FORWARD > /proc/sys/net/ipv4/ip_forward
elif [[ "$SHARE_METHOD" == "bridge" ]]; then
ip link set down $BRIDGE_IFACE
brctl delbr $BRIDGE_IFACE
[[ -n $OLD_BRIDGE_IPTABLES ]] && echo $OLD_BRIDGE_IPTABLES > /proc/sys/net/bridge/bridge-nf-call-iptables
fi
fi
if [[ "$SHARE_METHOD" != "bridge" ]]; then
iptables -D INPUT -p tcp -m tcp --dport 53 -j ACCEPT > /dev/null 2>&1
iptables -D INPUT -p udp -m udp --dport 53 -j ACCEPT > /dev/null 2>&1
iptables -D INPUT -p udp -m udp --dport 67 -j ACCEPT > /dev/null 2>&1
fi
if [[ $NO_VIRT -eq 0 ]]; then
if [[ -n $VWIFI_IFACE ]]; then
ip link set down dev ${VWIFI_IFACE}
ip addr flush ${VWIFI_IFACE}
networkmanager_rm_unmanaged_if_needed ${VWIFI_IFACE} ${OLD_MACADDR}
iw dev ${VWIFI_IFACE} del
fi
else
ip link set down dev ${WIFI_IFACE}
ip addr flush ${WIFI_IFACE}
networkmanager_rm_unmanaged_if_needed ${WIFI_IFACE}
fi
}
die() {
[[ -n "$1" ]] && echo -e "\nERROR: $1\n" >&2
cleanup
exit 1
}
clean_exit() {
cleanup
exit 0
}
# if the user press ctrl+c then execute die()
trap "die" SIGINT
ARGS=$(getopt -o hc:w:g:dnm: -l "help","hidden","ieee80211n","ht_capab:","driver:","no-virt" -n $(basename $0) -- "$@")
[[ $? -ne 0 ]] && exit 1
eval set -- "$ARGS"
while :; do
case "$1" in
-h|--help)
usage >&2
exit 1
;;
--hidden)
shift
HIDDEN=1
;;
-c)
shift
CHANNEL="$1"
shift
;;
-w)
shift
WPA_VERSION="$1"
shift
;;
-g)
shift
GATEWAY="$1"
shift
;;
-d)
shift
ETC_HOSTS=1
;;
-n)
shift
SHARE_METHOD=none
;;
-m)
shift
SHARE_METHOD="$1"
shift
;;
--ieee80211n)
shift
IEEE80211N=1
;;
--ht_capab)
shift
HT_CAPAB="$1"
shift
;;
--driver)
shift
DRIVER="$1"
shift
;;
--no-virt)
shift
NO_VIRT=1
;;
--)
shift
break
;;
esac
done
if [[ $# -lt 1 ]]; then
usage >&2
exit 1
fi
if [[ $(id -u) -ne 0 ]]; then
echo "You must run it as root." >&2
exit 1
fi
WIFI_IFACE=$1
if ! is_wifi_interface ${WIFI_IFACE}; then
echo "ERROR: '${WIFI_IFACE}' is not a WiFi interface" >&2
exit 1
fi
if ! can_have_ap ${WIFI_IFACE}; then
echo "ERROR: Your adapter does not support AP (master) mode" >&2
exit 1
fi
if ! can_have_sta_and_ap ${WIFI_IFACE}; then
if is_wifi_connected ${WIFI_IFACE}; then
echo "ERROR: Your adapter can not be connected to an AP and at the same time transmit as an AP" >&2
exit 1
elif [[ $NO_VIRT -eq 0 ]]; then
echo "WARN: Your adapter does not fully support AP virtual interface, enabling --no-virt" >&2
NO_VIRT=1
fi
fi
if [[ "$SHARE_METHOD" != "nat" && "$SHARE_METHOD" != "bridge" && "$SHARE_METHOD" != "none" ]]; then
echo "ERROR: Wrong Internet sharing method" >&2
echo
usage >&2
exit 1
fi
if [[ "$SHARE_METHOD" == "bridge" ]]; then
OLD_BRIDGE_IPTABLES=$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)
BRIDGE_IFACE=$(get_avail_bridge)
if [[ -z $BRIDGE_IFACE ]]; then
echo "ERROR: No available bridges < br100" >&2
exit 1
fi
elif [[ "$SHARE_METHOD" == "nat" ]]; then
OLD_IP_FORWARD=$(cat /proc/sys/net/ipv4/ip_forward)
fi
if [[ "$SHARE_METHOD" != "none" ]]; then
MIN_REQUIRED_ARGS=2
else
MIN_REQUIRED_ARGS=1
fi
if [[ $# -gt $MIN_REQUIRED_ARGS ]]; then
if [[ "$SHARE_METHOD" != "none" ]]; then
if [[ $# -ne 3 && $# -ne 4 ]]; then
usage >&2
exit 1
fi
INTERNET_IFACE=$2
SSID=$3
PASSPHRASE=$4
else
if [[ $# -ne 2 && $# -ne 3 ]]; then
usage >&2
exit 1
fi
SSID=$2
PASSPHRASE=$3
fi
else
if [[ "$SHARE_METHOD" != "none" ]]; then
if [[ $# -ne 2 ]]; then
usage >&2
exit 1
fi
INTERNET_IFACE=$2
fi
if tty -s; then
read -p "SSID: " SSID
while :; do
read -p "Passphrase: " -s PASSPHRASE
echo
read -p "Retype passphrase: " -s PASSPHRASE2
echo
if [[ "$PASSPHRASE" != "$PASSPHRASE2" ]]; then
echo "Passphrases do not match."
else
break
fi
done
else
read SSID
read PASSPHRASE
fi
fi
if [[ $NO_VIRT -eq 1 && "$WIFI_IFACE" == "$INTERNET_IFACE" ]]; then
echo -n "ERROR: You can not share your connection from the same" >&2
echo " interface if you are using --no-virt option." >&2
exit 1
fi
CONFDIR=$(mktemp -d /tmp/create_ap.${WIFI_IFACE}.conf.XXXXXXXX)
echo "Config dir: $CONFDIR"
if [[ $NO_VIRT -eq 0 ]]; then
VWIFI_IFACE=${WIFI_IFACE}ap
# in NetworkManager 0.9.10 and above we can set the interface as unmanaged without
# the need of MAC address, so we set it before we create the virtual interface.
if networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]]; then
echo -n "Network Manager found, set $1 as unmanaged device... "
networkmanager_add_unmanaged ${VWIFI_IFACE}
# do not call networkmanager_wait_until_unmanaged because interface does not
# exist yet
echo "DONE"
fi
WIFI_IFACE_CHANNEL=$(iw dev ${WIFI_IFACE} info | grep channel | awk '{print $2}')
if [[ -n $WIFI_IFACE_CHANNEL && $WIFI_IFACE_CHANNEL -ne $CHANNEL ]]; then
echo "hostapd will fail to use channel $CHANNEL because $WIFI_IFACE is already set to channel $WIFI_IFACE_CHANNEL, fallback to channel $WIFI_IFACE_CHANNEL."
CHANNEL=$WIFI_IFACE_CHANNEL
fi
VIRTDIEMSG="Maybe your WiFi adapter does not fully support virtual interfaces.
Try again with --no-virt."
echo -n "Creating a virtual WiFi interface... "
iw dev ${VWIFI_IFACE} del > /dev/null 2>&1
if iw dev ${WIFI_IFACE} interface add ${VWIFI_IFACE} type __ap; then
# now we can call networkmanager_wait_until_unmanaged
networkmanager_is_running && [[ $NM_OLDER_VERSION -eq 0 ]] && networkmanager_wait_until_unmanaged ${VWIFI_IFACE}
echo "${VWIFI_IFACE} created."
else
VWIFI_IFACE=
die "$VIRTDIEMSG"
fi
OLD_MACADDR=$(get_macaddr ${VWIFI_IFACE})
[[ ${OLD_MACADDR} == $(get_macaddr ${WIFI_IFACE}) ]] && NEW_MACADDR=$(get_new_macaddr ${VWIFI_IFACE})
WIFI_IFACE=${VWIFI_IFACE}
fi
can_transmit_to_channel ${WIFI_IFACE} ${CHANNEL} || die "Your adapter can not transmit to channel ${CHANNEL}."
if networkmanager_is_running && ! networkmanager_iface_is_unmanaged ${WIFI_IFACE}; then
echo -n "Network Manager found, set $1 as unmanaged device... "
networkmanager_add_unmanaged ${WIFI_IFACE}
networkmanager_wait_until_unmanaged ${WIFI_IFACE}
echo "DONE"
fi
[[ $HIDDEN -eq 1 ]] && echo "Access Point's SSID is hidden!"
# hostapd config
cat << EOF > $CONFDIR/hostapd.conf
ssid=${SSID}
interface=${WIFI_IFACE}
driver=${DRIVER}
hw_mode=g
channel=${CHANNEL}
ctrl_interface=$CONFDIR/hostapd_ctrl
ctrl_interface_group=0
ignore_broadcast_ssid=$HIDDEN
EOF
if [[ $IEEE80211N -eq 1 ]]; then
cat << EOF >> $CONFDIR/hostapd.conf
ieee80211n=1
wmm_enabled=1
ht_capab=${HT_CAPAB}
EOF
fi
if [[ -n "$PASSPHRASE" ]]; then
[[ "$WPA_VERSION" == "1+2" || "$WPA_VERSION" == "2+1" ]] && WPA_VERSION=3
cat << EOF >> $CONFDIR/hostapd.conf
wpa=${WPA_VERSION}
wpa_passphrase=$PASSPHRASE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
EOF
fi
if [[ "$SHARE_METHOD" == "bridge" ]]; then
echo "bridge=${BRIDGE_IFACE}" >> $CONFDIR/hostapd.conf
else
# dnsmasq config (dhcp + dns)
DNSMASQ_VER=$(dnsmasq -v | grep -m1 -oE '[0-9]+(\.[0-9]+)*\.[0-9]+')
version_cmp $DNSMASQ_VER 2.63
if [[ $? -eq 1 ]]; then
DNSMASQ_BIND=bind-interfaces
else
DNSMASQ_BIND=bind-dynamic
fi
cat << EOF > $CONFDIR/dnsmasq.conf
interface=${WIFI_IFACE}
${DNSMASQ_BIND}
dhcp-range=${GATEWAY%.*}.1,${GATEWAY%.*}.254,255.255.255.0,24h
dhcp-option=option:router,${GATEWAY}
EOF
[[ $ETC_HOSTS -eq 0 ]] && echo no-hosts >> $CONFDIR/dnsmasq.conf
fi
# initialize WiFi interface
if [[ $NO_VIRT -eq 0 && -n "$NEW_MACADDR" ]]; then
ip link set dev ${WIFI_IFACE} address ${NEW_MACADDR} || die "$VIRTDIEMSG"
fi
ip link set down dev ${WIFI_IFACE} || die "$VIRTDIEMSG"
ip addr flush ${WIFI_IFACE} || die "$VIRTDIEMSG"
if [[ "$SHARE_METHOD" != "bridge" ]]; then
ip link set up dev ${WIFI_IFACE} || die "$VIRTDIEMSG"
ip addr add ${GATEWAY}/24 broadcast ${GATEWAY%.*}.255 dev ${WIFI_IFACE} || die "$VIRTDIEMSG"
fi
# enable Internet sharing
if [[ "$SHARE_METHOD" != "none" ]]; then
echo "Sharing Internet using method: $SHARE_METHOD"
if [[ "$SHARE_METHOD" == "nat" ]]; then
iptables -t nat -I POSTROUTING -o ${INTERNET_IFACE} -j MASQUERADE || die
iptables -I FORWARD -i ${WIFI_IFACE} -s ${GATEWAY%.*}.0/24 -j ACCEPT || die
iptables -I FORWARD -i ${INTERNET_IFACE} -d ${GATEWAY%.*}.0/24 -j ACCEPT || die
echo 1 > /proc/sys/net/ipv4/ip_forward || die
elif [[ "$SHARE_METHOD" == "bridge" ]]; then
# disable iptables rules for bridged interfaces
echo 0 > /proc/sys/net/bridge/bridge-nf-call-iptables || die
# create and initialize bridged interface
brctl addbr ${BRIDGE_IFACE} || die
brctl addif ${BRIDGE_IFACE} ${INTERNET_IFACE} || die
ip link set dev ${BRIDGE_IFACE} up || die
fi
else
echo "No Internet sharing"
fi
# boost low-entropy
if [[ $(cat /proc/sys/kernel/random/entropy_avail) -lt 1000 ]]; then
which haveged > /dev/null 2>&1 && {
haveged -w 1024 -p $CONFDIR/haveged.pid
fi
# start dns + dhcp server
if [[ "$SHARE_METHOD" != "bridge" ]]; then
iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT || die
iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT || die
iptables -I INPUT -p udp -m udp --dport 67 -j ACCEPT || die
dnsmasq -C $CONFDIR/dnsmasq.conf -x $CONFDIR/dnsmasq.pid || die
fi
# start access point
echo "hostapd command-line interface: hostapd_cli -p $CONFDIR/hostapd_ctrl"
# from now on we exit with 0 on SIGINT
trap "clean_exit" SIGINT
if ! hostapd $CONFDIR/hostapd.conf; then
echo -e "\nError: Failed to run hostapd, maybe a program is interfering." >&2
if networkmanager_is_running; then
echo "If an error like 'n80211: Could not configure driver mode' was thrown" >&2
echo "try running the following before starting create_ap:" >&2
if [[ $NM_OLDER_VERSION -eq 1 ]]; then
echo " nmcli nm wifi off" >&2
else
echo " nmcli r wifi off" >&2
fi
echo " rfkill unblock wlan" >&2
fi
die
fi
clean_exit
Last edited by OBLiQUE (2014-09-02 20:26:22)

adam777 wrote:
Thanks, just what I was looking for.
Unfortunately, it seems that currently my Intel 5300 card (using the iwlwifi driver) does not support AP mode.
From what I understand, hostapd can be used in bridge mode as well, which should have no compatibility problems.
Can someone point me in the right direction?
* EDIT *
After more attempts, I think I got it wrong and AP mode is indeed required.
Sorry for the late reply, I didn't notice your message. Did you get any errors? I have an Intel 6205 and it works.
Also, if you use NetworkManager, then you have to tell NetworkManager to stop using your interface.
You can do it by editing the /etc/NetworkManager/NetworkManager.conf file and putting in the following (without the <>):
[keyfile]
unmanaged-devices=mac:<interface's mac address here>
and restarting your NetworkManager. Of course, after you finish you have to remove it in order to get your wifi back to working with NetworkManager.
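The hostapd.conf that the script above writes accepts WPA1 alongside WPA2 when WPA_VERSION is "1+2" (it becomes wpa=3) and lists TKIP under wpa_pairwise, and it takes whatever passphrase length hostapd allows. The following is an added example, not the script's own code and not from anyone in the thread: a POSIX shell audit that flags those settings in a generated hostapd.conf and emits a WPA2/CCMP-only copy. The function names, the constructed sample config and the 16-character passphrase threshold are this example's own choices, not hostapd rules; wpa, wpa_pairwise, rsn_pairwise, wps_state and ieee80211w are real hostapd options.

```shell
#!/bin/sh
# Added example (not from the create_ap script or the thread): audit a
# hostapd.conf for settings that weaken WPA, and emit a hardened copy.
# Assumptions: plain "key=value" lines as hostapd writes them; the
# 16-character passphrase threshold is this example's own choice.

# Print the value of the last "KEY=value" line in CONF (hostapd honours the
# last occurrence); prints nothing when KEY is absent.
hostapd_opt() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Print one WARN line per weak setting in CONF, plus a NOTE for settings that
# are harmless but give no protection. Returns 0 when nothing is flagged.
hostapd_audit() {
    conf="$1"
    n=0
    wpa=$(hostapd_opt "$conf" wpa)
    case "${wpa:-0}" in
        0)   echo "WARN: wpa=${wpa:-0}: open network, all traffic is unencrypted"; n=$((n+1)) ;;
        1|3) echo "WARN: wpa=$wpa: WPA1 is accepted; set wpa=2"; n=$((n+1)) ;;
    esac
    # wpa_pairwise governs WPA1 sessions, rsn_pairwise governs WPA2 sessions;
    # TKIP in either list is a weak cipher.
    for key in wpa_pairwise rsn_pairwise; do
        ciphers=$(hostapd_opt "$conf" "$key")
        case " $ciphers " in
            *" TKIP "*) echo "WARN: $key=$ciphers: TKIP is weak; use CCMP only"; n=$((n+1)) ;;
        esac
    done
    pass=$(hostapd_opt "$conf" wpa_passphrase)
    if [ -n "$pass" ] && [ "${#pass}" -lt 16 ]; then
        echo "WARN: wpa_passphrase is ${#pass} characters; use at least 16 (example threshold)"
        n=$((n+1))
    fi
    wps=$(hostapd_opt "$conf" wps_state)
    if [ -n "$wps" ] && [ "$wps" != 0 ]; then
        echo "WARN: wps_state=$wps: WPS is enabled; set wps_state=0"; n=$((n+1))
    fi
    if [ "$(hostapd_opt "$conf" ignore_broadcast_ssid)" = 1 ]; then
        echo "NOTE: ignore_broadcast_ssid=1 only removes the SSID from beacons; clients still send it in probes"
    fi
    [ "$n" -eq 0 ]
}

# Emit CONF with the WPA-related options replaced by a WPA2/CCMP-only set.
# ieee80211w=1 enables 802.11w management-frame protection as optional, so
# clients without PMF support can still associate (needs driver support).
hostapd_harden() {
    grep -vE '^[[:space:]]*(wpa|wpa_pairwise|rsn_pairwise|wpa_key_mgmt|wps_state|ieee80211w)=' "$1"
    cat <<'EOF'
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
ieee80211w=1
EOF
}

# Constructed sample: what the script above emits for WPA_VERSION "1+2" on a
# hidden SSID, with a short passphrase. Prints the temp file path.
hostapd_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ssid=MyAP
interface=wlan0ap
driver=nl80211
hw_mode=g
channel=1
ignore_broadcast_ssid=1
wpa=3
wpa_passphrase=secret123
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP
EOF
    echo "$f"
}

# Demo on the constructed sample: audit, harden, audit again.
sample=$(hostapd_sample_conf)
hostapd_audit "$sample" || true
hostapd_harden "$sample" > "$sample.hardened"
echo "--- after hardening ---"
hostapd_audit "$sample.hardened" || true
rm -f "$sample" "$sample.hardened"
```

Run against the real file with `hostapd_audit /tmp/create_ap.*/hostapd.conf` while the AP is up; the hardened copy still carries the original passphrase, so a short one stays flagged until it is changed.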
Problem with Home Sharing/AirPlay with different iDevices (iTunes on a PC, iPhone, iPad, iPod touch etc.) using my home WiFi connection, which has several access points throughout the house, all connected via UTP cable to the same modem/router (my LAN).
When I try to use AirPlay or Home Sharing, both devices have to be on the same ACCESS POINT (it does not matter if it's WIRED or WIRELESS, I have the same problem with both).
Any ideas?? This did not happen before I upgraded iTunes in order to use iOS 5.
Thanks

Thanks for the advice. But I don't have any devices syncing over WiFi. It also happens with older versions of iOS on iPhone (4.2.1 and 3.1.3) and also iOS 5 (no WiFi sync enabled).
Basically, when I try to AirPlay music using iTunes (PC) to my Apple TV 2G (4.3.3), they both have to be on the same access point; if the Apple TV is connected via UTP cable, I have to be connected to that access point's WiFi. Basically it doesn't work with different access points. Also, if I manage to be on the same access point (iTunes on a PC and the Apple TV), if I have to use the Remote app to change songs I have to be on that access point too, or I cannot see the devices...
Any ideas?