Friday, February 12, 2016

Debian/Ubuntu's ifupdown: If WPA2-PSK Only Works When Specifying SSID Manually

Pre-requisite: you use Debian's (also Ubuntu) ifupdown architecture, i.e. not using Network Manager, but just specifying connectivity details in /etc/network/interfaces -- including WPA passphrase (pre-shared key aka PSK).
Also, for security purposes you have configured your router to hide your SSID.

Symptom: computer starts up and but does not connect to your WiFi. However, it does connect if you set the SSID manually, that is with:
iwconfig wlan0 essid YourSSID
Solution: also add this line to your interface configuration (/etc/network/interfaces file):
wpa-scan-ssid 1


Debug steps - what happens in the background:


First I found out that ifupdown actions can be invoked manually by issuing ifup or ifdown. WPA setup and authentication is done by the otherwise excellent wpa_supplicant program, which can be invoked in two ways:
  • specifying a configuration file
  • starting up as a daemon and remotely supplying configuration options -- using wpa_cli, its command line interface
ifupdown uses the latter approach, issuing wpa_cli commands in order to:
  • add a new network (ie set of parameters)
  • specify each parameter (like SSID, passphrase, etc)
  • start connectivity
In the last step, wpa_supplicant will start scanning for the SSID specified, and will only start setup and negotiations after a router has been found.

Regarding scanning, it supports two methods: one just checks among the visible SSIDs, the other, more time consuming method is able to find access points with hidden SSIDs. You can guess which method is the default...

Of course, all this is nicely documented in /usr/share/doc/wpasupplicant/README.modes.gz; quote:

In order to be able to associate to hidden ssids, please try to set the option 'ap_scan=1' in the global section, and 'scan_ssid=1' in your network block section of your wpa_supplicant.conf file.
If you are using the managed mode, you can do so by these stanzas:

iface eth1 inet dhcp
        wpa-ap-scan 1
        wpa-scan-ssid 1
        # ... additional options for your setup
Finding the documentation is a different matter. To be noted, in my case the wpa-scan-ssid option was enough to solve the issue and have wpa_supplicant find my hidden SSID, the wpa-ap-scan option was not necessary.