In wireless communications, infrastructure mode (also known as "station") refers to a network configuration where devices connect to each other through a centralized access point (AP). This is the most common mode for Wi-Fi networks.
This topic shows some methods and examples for connecting the Wi-Fi interface to an access point.
NetworkManager
Digi Embedded Yocto uses the NetworkManager software package to manage any kind of Wi-Fi configuration on a Wi-Fi network.
The NetworkManager configuration is kept in /etc/NetworkManager/NetworkManager.conf, and the network configurations are kept in /etc/NetworkManager/system-connections/.
Digi Embedded Yocto provides a default nm-wlan0 file which is part of the NetworkManager package.
When the Wi-Fi interface is brought up, NetworkManager reads the /etc/NetworkManager/system-connections/nm-wlan0 configuration file and applies the corresponding actions for the Wi-Fi interface.
The default file doesn’t specify an SSID so the Wi-Fi will not connect to any AP.
You can change this configuration file in a custom layer or during system run time.
nmcli is a command-line tool that allows the user to interact with NetworkManager.
You can use nmcli to establish a manual connection for different authentication and encryption configurations.
The following examples show how to create different configurations of the Wi-Fi interface.
Automatic mode
By default, NetworkManager will try to obtain most of the information it needs to connect to a network from the AP beacons.
Call nmcli with the access point SSID and the option -a to instruct NetworkManager to ask for any required parameter (such as the password):
# nmcli dev wifi connect <ssid> -a
Password:
Device 'wlan0' successfully activated with 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'.
If the connection succeeds, a new file called <ssid>.nmconnection is created in /etc/NetworkManager/system-connections/ with the full configuration.
If there are several configuration files, NetworkManager uses an algorithm to decide which network to connect to.
Manual mode
Some complex AP security configurations, such as WPA2/WPA3-Enterprise, cannot be resolved by NetworkManager. In these cases, you must configure the connection manually.
If your Enterprise Mode requires certificates, install the certificates in the rootfs of your device (in a path of your choice).
The following example shows how to create a WPA2-Enterprise (RADIUS) EAP-TLS connection using certificates:
- Create a new connection. For simplicity, use the SSID as the name of the connection:
# nmcli connection add type wifi con-name <ssid> ifname wlan0 SSID <ssid>
Connection '<ssid>' (e104e26b-7d6b-4be7-a57b-dab65bff7fbd) successfully added.
- Edit the connection and provide the parameters (including the paths to the certificates):
# nmcli connection edit <ssid>
===| nmcli interactive connection editor |===
Editing existing '802-11-wireless' connection: '<ssid>'
Type 'help' or '?' for available commands.
Type 'print' to show all the connection properties.
Type 'describe [<setting>.<prop>]' for detailed property description.
You may edit the following settings: connection, 802-11-wireless (wifi), 802-11-wireless-security (wifi-sec), 802-1x, ethtool, match, ipv4, ipv6, hostname, link, tc, proxy
nmcli> set wifi-sec.key-mgmt wpa-eap
nmcli> set 802-1x.eap tls
nmcli> set 802-1x.phase2-auth tls
nmcli> set 802-1x.identity <radius_identity>
nmcli> set 802-1x.ca-cert file:///path/to/ca.pem
nmcli> set 802-1x.private-key file:///path/to/client.key
nmcli> set 802-1x.private-key-password <private_key_password>
nmcli> set 802-1x.client-cert file:///path/to/client.pem
nmcli> set connection.autoconnect yes
nmcli> verify fix
Verify connection: OK
nmcli> save persistent
nmcli> quit
- Finally, bring the connection up (the -w parameter establishes a timeout of 30 seconds):
# nmcli -w 30 connection up <ssid>
WPA supplicant
If you don’t want to use NetworkManager for your wireless connection, a different option is to use WPA supplicant.
With WPA supplicant you can define multiple wireless configurations in a single file and select the one you want to connect with.
The my-custom-supplicant.conf file contains several WPA2/WPA3 Personal and WPA2/WPA3 Enterprise (RADIUS) example configurations (all disabled by default):
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
fast_reauth=1
update_config=1
ap_scan=1
# 0 - WPA2-Personal AES
network={
scan_ssid=1
ssid="MySSID"
psk="MyPassword"
proto=RSN
key_mgmt=WPA-PSK
pairwise=CCMP
disabled=1
}
# 1 - WPA2-Enterprise (RADIUS) EAP-TLS (certificates)
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS
identity="User1"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/client.pem"
private_key="/etc/cert/client.p12"
private_key_passwd="User1Password"
disabled=1
}
# 2 - WPA2-Enterprise (RADIUS) EAP-TTLS with MSCHAPV2
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP
eap=TTLS
identity="User1"
password="User1Password"
phase2="auth=MSCHAPV2"
eapol_flags=3
disabled=1
}
# 3 - WPA2-Enterprise (RADIUS) EAP-TTLS with PAP
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP
eap=TTLS
identity="User1"
password="User1Password"
phase2="auth=PAP"
eapol_flags=3
disabled=1
}
# 4 - WPA2-Enterprise (RADIUS) EAP-PEAP
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP
eap=PEAP
identity="User1"
password="User1Password"
disabled=1
}
# 5 - WPA3-Personal AES
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=SAE
group=CCMP
pairwise=CCMP
sae_password="MyPassword"
ieee80211w=2
disabled=1
}
# 6 - WPA3-Enterprise (RADIUS) EAP-TTLS with MSCHAPV2
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP-SHA256
eap=TTLS
identity="User1"
password="User1Password"
phase2="auth=MSCHAPV2"
eapol_flags=3
ieee80211w=1
disabled=1
}
# 7 - WPA3-Enterprise (RADIUS) EAP-TTLS with PAP
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP-SHA256
eap=TTLS
identity="User1"
password="User1Password"
phase2="auth=PAP"
eapol_flags=3
ieee80211w=1
disabled=1
}
# 8 - WPA3-Enterprise (RADIUS) EAP-PEAP
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP-SHA256
eap=PEAP
identity="User1"
password="User1Password"
ieee80211w=1
disabled=1
}
# 9 - WPA3-Enterprise (RADIUS) EAP-TLS (certificates) with 128 bits encryption
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP-SHA256
pairwise=CCMP
group=CCMP
eap=TLS
proto=RSN
identity="User1"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/client.pem"
private_key="/etc/cert/client.p12"
private_key_passwd="User1Password"
ieee80211w=1
disabled=1
}
# 10 - WPA3-Enterprise (RADIUS) EAP-TLS (certificates) with 192 bits encryption
network={
scan_ssid=1
ssid="MySSID"
key_mgmt=WPA-EAP-SUITE-B-192
pairwise=GCMP-256
group=GCMP-256
group_mgmt=BIP-GMAC-256
eap=TLS
proto=RSN
identity="User1"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/client.pem"
private_key="/etc/cert/client.p12"
private_key_passwd="User1Password"
ieee80211w=2
disabled=1
}
To activate and connect one of the configurations:
- Create a configuration file like the one above, /etc/my-custom-supplicant.conf, with your SSIDs, certificate paths, usernames, and passwords, as necessary.
- Edit the NetworkManager configuration file /etc/NetworkManager/NetworkManager.conf and add wlan0 to the list of unmanaged devices, to prevent NetworkManager from managing this interface:
[keyfile]
unmanaged-devices=[...];interface-name:wlan0
- Restart NetworkManager to use the new configuration:
# systemctl restart NetworkManager
- Start the WPA supplicant in the background:
# killall wpa_supplicant
# wpa_supplicant -Dnl80211 -iwlan0 -c /etc/my-custom-supplicant.conf -B
- Connect to a network of your choice:
# wpa_cli -i wlan0 select_network <index>
where <index> is the connection index in the file (starting at 0).
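The following check is an added example, not part of the original documentation: before a block is enabled with select_network, it flags Enterprise blocks that set neither ca_cert nor ca_path (wpa_supplicant then does not verify the RADIUS server certificate), blocks that still allow TKIP, and a configuration file that group or others can read. The function names, finding codes and sample file are constructed for this illustration.

```shell
# Prints "<index> <finding>" per issue; <index> is the select_network index.
audit_supplicant() {
    awk '
    BEGIN { n = -1 }
    /^[ \t]*#/ { next }
    /^[ \t]*network=[{]/ { n++; inb = 1; km = ""; ca = 0; tkip = 0; next }
    inb && /^[ \t]*[}]/ {
        # 802.1X block with no trust anchor: server certificate not verified.
        if (km ~ /EAP/ && !ca) print n, "NO_CA_CERT"
        if (tkip)              print n, "TKIP_ALLOWED"
        inb = 0; next
    }
    inb {
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "="); if (eq == 0) next
        k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
        if (k == "key_mgmt") km = v
        else if (k == "ca_cert" || k == "ca_path") ca = 1
        else if ((k == "pairwise" || k == "group") && v ~ /TKIP/) tkip = 1
    }' "$1"
}

# Succeeds when group or others can read the file (it stores clear-text secrets).
readable_by_others() { [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) )" ]; }

# Constructed sample in the style of the page, not a real configuration.
sample_conf() {
    cat <<'EOF'
# 0 - WPA2-Personal AES
network={
key_mgmt=WPA-PSK
pairwise=CCMP
}
# 1 - EAP-TLS with a CA certificate, TKIP still allowed
network={
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
ca_cert="/etc/cert/ca.pem"
}
# 2 - EAP-TTLS without ca_cert
network={
key_mgmt=WPA-EAP
phase2="auth=MSCHAPV2"
}
EOF
}

conf=$(mktemp); sample_conf > "$conf"; audit_supplicant "$conf"
readable_by_others "$conf" && echo "readable by group/others"; rm -f "$conf"
```

Run against the example file shown earlier, audit_supplicant reports TKIP_ALLOWED for block 1 and NO_CA_CERT for blocks 2, 3, 4, 6, 7 and 8.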
Fast roaming (802.11r)
Roaming in the context of 802.11 Wi-Fi networks occurs when a client with an established association to an access point (AP) migrates the connection within the same Extended Service Set (ESS) to another AP within an area of overlapping coverage. The fast roaming (802.11r) standard introduces a fast transition mechanism which performs the handshake with the new access point before the roaming starts, allowing the client and AP to perform the Pairwise Transient Key (PTK) calculation in advance. This allows fast transitions without reauthentication, and reduces handshaking overheads while providing security and quality of service.
The Wi-Fi chip on the ConnectCore MP25 supports the fast roaming standard. To use it, you need a group of access points that support the 802.11r mechanisms for fast roaming. You also need to configure them as a mobility domain so they can exchange client station details and perform client pre-authentication prior to the roam.