WPA, Linux, wpa_supplicant, DWL-7000AP, freeradius

It's amazing how long it can take to set up a small "reasonably-secure" WPA wireless network.

I thought it would be pretty straightforward. Just configure the AP for EAP, tell it the RADIUS secret, apt-get install freeradius, distribute some X.509 certificates and start wpa_supplicant on the client machines.

In principle, that's it. However, practical issues I ran into:

  • The AP crashes every so often
  • The AP needs to reboot after every single config change (no chance to do multiple changes and then reboot)
  • The AP needs some 5 minutes to reboot
  • The AP refuses to use certain totally valid IP addresses, be it via DHCP or statically configured in the web frontend
  • The Debian freeradius package on AMD64 is missing EAP support due to a libtool problem (missing -fPIC), known since January.
  • The Debian freeradius package doesn't ship with EAP-TLS, since the EAP-TLS code is GPL-licensed but links to OpenSSL.
  • wpa_supplicant doesn't work with the PowerBook built-in Airport (orinoco_cs) card

So I wasted the better part of a day overcoming the issues above, but I'm still not happy. My PowerBook now needs an Atheros Cardbus card, even though it has a built-in card. DHCP randomly fails for unknown reasons (I see the valid DHCP replies go into the AP, but it fails to pass them on).