

January 2014


Network configuration infrastructure


ifcfg-wireless - wireless LAN network interface configuration




Wireless networks need some additional configuration data compared to ethernet ones. Therefore additional variables for ifcfg files were introduced. Some wireless variables are not applicable to a single wireless network but are global to the interface. The description of the variable points this out.


Mandatory options:
Set the SSID/ESSID (or Network Name - in some products it may also be called Domain ID). The ESSID is used to identify cells which are part of the same virtual network. If empty or set to any, the node will connect to the Access Point with the best signal strength around (in managed operating mode). For WLANs that make use of WPA (see WIRELESS_AUTH_MODE below) you need to set your ESSID.
Global wireless options:
Defines which SSID scan mode should be used. Mode 0 means the driver performs the scan. Mode 1 means wpa_supplicant takes care of scanning. Mode 2 is basically the same as mode 0 but the access point gets chosen by security policy and SSID. This mode does not support multiple network settings. Default is "1" for most drivers. Try "0" or "2" if you have problems associating to your access point. This variable can have no suffix. This is only used in conjunction with wpa_supplicant.
This variable allows overriding the wpa driver name that should be used by wpa_supplicant. In most cases "nl80211" (default on openSUSE 11.3) or "wext" (old default) can be used, but there are a few exceptions.
The new "nl80211" wpa driver supports the wireless regulatory domain, which can be set with the global WIRELESS_REGULATORY_DOMAIN variable in /etc/sysconfig/network/config.
Wireless network configuration options:
Sets authentication mode. The mode depends on the protection technology being used, WEP or WPA. WEP (Wired Equivalent Privacy) is a system to encrypt wireless network traffic, with an optional authentication on the basis of the used encryption key. In most cases where WEP is used, open mode (no authentication at all) is fine. This does not mean that you cannot use WEP encryption. Some networks may require sharedkey authentication.
NOTE: Shared key authentication makes it easier for a potential attacker to break into your network. Unless you have specific needs for shared key authentication, use the open mode. As WEP has been proved insecure, WPA (Wi-Fi Protected Access) was defined to close its security holes, but not all hardware supports WPA. In case you want to use WPA-PSK (WPA preshared key authentication, aka WPA "Home"), set this to psk. In case you want to use WPA-EAP (WPA with Extensible Authentication Protocol, aka WPA "Enterprise"), set this to eap. WPA authentication modes are only possible when WIRELESS_MODE is set to managed.
Set the operating mode of the device, which depends on the network topology. Set to ad-hoc for a network composed of only one cell and without an Access Point, managed for a network composed of many cells, with roaming or with an Access Point, master if you want your system to act as an Access Point or synchronisation master. If unset, managed will be used.
In environments with multiple Access Points you may want to define the one to connect to by entering its MAC address. Format is 6x2 hex digits, separated by colons, e.g. 01:02:03:04:05:06. See also the iwconfig ap option description in the iwconfig(8) manual page.
Note that some drivers (mac80211 based) may require this variable to be set to a specific access point address, 'any' or 'off' to start scanning for an appropriate cell, so ifup-wireless sets it to 'any' in Managed and Ad-Hoc modes when the variable is empty.
This variable only makes sense when used in conjunction with multiple networks. If you want to prefer one configured network over another, set the respective WIRELESS_PRIORITY variable (that is, the one with the same suffix) to a higher value (integer only). NOTE: This does not work for networks that are configured with WIRELESS_HIDDEN_SSID="yes" (which is default). For networks with hidden SSID scanning support the suffix number is important. The network with the lowest suffix number gets probed first.
With this variable you can define the channel being used. This is only applicable to ad-hoc and master operating modes. Channels are usually numbered starting at 1, and you may use iwpriv(8) to get the total number of channels and list the available frequencies. Depending on regulations, some frequencies/channels may not be available.
You can define up to 4 WEP encryption keys. You can use WEP with open and sharedkey authentication. The key can be entered in different formats: Either directly in hex digits, with or without dashes, or in the key’s ASCII representation (prefix s: ), or as a passphrase which will be hashed (prefix h: ). The amount of hex digits resp. length of the ASCII key depends on the key size being used: 10 hex digits or 5 ASCII characters for 64 bit keys, 26 hex digits or 6 to 13 ASCII characters for 128 bit keys (see WIRELESS_KEY_LENGTH below). Examples:
        WIRELESS_KEY_0="0123-4567-89"
        WIRELESS_KEY_0="s:hello"
        WIRELESS_KEY_0="h:mysecretphrase"
You can also use 1, 2, or 3 as suffix for multiple key settings. This is usually not necessary. Leave empty if you do not want WEP.
Sets the default WEP key. The default key is used to encrypt outgoing packets, incoming ones are decrypted with the key number specified in the packet. This defaults to 0.
Defines the length in bits for all keys used. There are currently 40 and 104 bit keys supported. Sometimes they are also called 64 resp. 128 bits (depends on whether you count the 24 bit initialization vector or not). This variable is only meaningful if you enter the key as passphrase.
Using this variable you can specify the WPA protocol to be used. Valid values are WPA and RSN (aka WPA2, can be also used as synonym). Default is to allow both. When using WIRELESS_AP_SCANMODE 2, this variable needs to be set, otherwise WPA will be used as fallback.
When using WPA-PSK authentication, you need to specify your preshared key here. The key is used for authentication and encryption purposes. You can enter it in hex digits (needs to be exactly 64 digits long) or as passphrase getting hashed (8 to 63 ASCII characters long).
WPA modes support two different encryption systems, TKIP and CCMP. This variable defines which to use for unicast communication. Default is to allow both. In case you want to restrict it to one protocol, set this variable. When using WIRELESS_AP_SCANMODE 2, this variable needs to be set, otherwise TKIP will be used as fallback.
WPA modes support two different encryption systems, TKIP and CCMP. This variable defines which to use for broad-/multicast communication. Default is to allow both. In case you want to restrict it to one protocol, set this variable. When using WIRELESS_AP_SCANMODE 2, this variable needs to be set, otherwise TKIP will be used as fallback.
WPA-EAP can use different outer authentication (i.e. TLS tunnel) methods. Supported value is PEAP (TLS and TTLS are not fully implemented yet). Default is to allow the subset TTLS, PEAP, TLS.
WPA-EAP can use different inner authentication with TLS tunnel methods. Supported values are PAP, CHAP, MSCHAP, MSCHAPv2. Default is to allow any.
Needs to be set in conjunction with WPA-EAP. Set to your identity as configured on the RADIUS server.
Needs to be set in conjunction with WPA-EAP. Set to your password as configured on the RADIUS server.
Sets anonymous identity. Default is "anonymous". The anonymous identity is used with WPA-EAP protocols that support different tunnelled identities (e.g., TTLS).
When using WPA-EAP with PEAP authentication, you can use this variable to force which PEAP version (0 or 1) to be used. Default is to allow both.
When set to 1, the new label "client PEAP encryption" is enforced during key derivation with version PEAPv1 or newer. Most existing PEAPv1 implementations tend to use the old label, "client EAP encryption", which is the default value for wpa_supplicant. Default value is 0.
Defines whether hidden SSID scan support should be enabled. Setting this to "no" can speed up scanning and makes the usage of WIRELESS_PRIORITY possible. This is only used in conjunction with wpa_supplicant.
Fragmentation allows splitting an IP packet into a burst of smaller fragments transmitted on the medium. In most cases this adds overhead, but in a very noisy environment this reduces the error penalty. Possible values: any integer (representing the maximum fragment size), auto, fixed, or off.
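
An added example, not part of the original manual page: a small Python audit that applies the rules described above to an ifcfg file. It flags sharedkey authentication, any WEP key in use, WEP keys that match none of the documented formats, and WPA modes configured outside managed mode. It assumes unsuffixed (single network) variables; the function names and the sample input are constructed for illustration.

```python
import re
import shlex

def parse_ifcfg(text):
    """Parse shell-style KEY=value lines of an ifcfg file into a dict."""
    cfg = {}
    for line in text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if sep and re.fullmatch(r"[A-Z0-9_]+", key):  # skips comments and junk
            # shlex strips the quoting and any trailing "# comment"
            cfg[key] = (shlex.split(raw, comments=True) or [""])[0]
    return cfg

def wep_key_problem(value):
    """Check a WEP key against the formats the page lists; None means OK."""
    if value.startswith("h:"):
        return None  # hashed passphrase; size is taken from WIRELESS_KEY_LENGTH
    if value.startswith("s:"):
        n = len(value) - 2
        return None if 5 <= n <= 13 else f"{n} ASCII characters, expected 5 to 13"
    digits = value.replace("-", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        return "neither hex digits nor an s:/h: prefixed key"
    return None if len(digits) in (10, 26) else f"{len(digits)} hex digits, expected 10 or 26"

def audit(text):
    """Return a list of findings for one ifcfg file (unsuffixed variables only)."""
    cfg = parse_ifcfg(text)
    auth = cfg.get("WIRELESS_AUTH_MODE", "").lower()
    mode = cfg.get("WIRELESS_MODE", "").lower() or "managed"  # unset means managed
    findings = []
    if auth == "sharedkey":
        findings.append("WIRELESS_AUTH_MODE: sharedkey is weaker than open; see NOTE")
    if auth in ("psk", "eap") and mode != "managed":
        findings.append(f"WIRELESS_MODE: WPA needs managed, found {mode}")
    for name in (f"WIRELESS_KEY_{n}" for n in range(4)):
        if cfg.get(name):
            findings.append(f"{name}: WEP key set; WEP is insecure, prefer WPA")
            problem = wep_key_problem(cfg[name])
            if problem:
                findings.append(f"{name}: {problem}")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE = ('WIRELESS_MODE="ad-hoc"\nWIRELESS_AUTH_MODE="sharedkey"\n'
          'WIRELESS_KEY_0="0123-4567-89"\nWIRELESS_KEY_1="s:hi"\n')

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```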


Some examples of different configuration types supported at the moment:
Common parameters
        NAME='PRO/Wireless 4965 AG or AGN [Kedron] Network Connection'
Global wireless parameters
WPA-EAP network configuration
WPA-PSK network configuration
WEP network configuration
Open network configuration


Copyright (C) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.



Joachim Gleissner -- original wireless man page
Pawel Wieczorkiewicz -- wicked wireless

