WPA supplicant is used to implement security protocols for wireless networks. In a previous blog post I explained how to use it on a WiFi network for different authentication methods. In this post, I will show you how to use a utility to monitor and control WPA supplicant on Linux.
The utility in question is wpa_cli. “cli” stands for Command Line Utility, and as the name suggests, it helps you to interact with the WPA supplicant process through the command line.
WPA Supplicant Installation
If you install WPA supplicant, then wpa_cli will be installed as well:
apt-get install wpasupplicant
Something that may be confusing about the installation is that the package name, ‘wpasupplicant’, doesn’t contain any hyphens or other punctuation marks. However, the command that corresponds to the package is wpa_supplicant. So, don’t try to install WPA supplicant with “apt-get install wpa_supplicant.”
WPA Supplicant Launch
The WPA supplicant process is usually launched on boot or when you connect an interface to the network. A common way to do that is to have the WPA supplicant command in the file “/etc/network/interfaces” as follows:
    auto wlan0
    allow-hotplug wlan0
    iface wlan0 inet dhcp
        wpa-ssid netbeez-enterprise-wireless
        pre-up wpa_supplicant -B -Dwext,nl80211 -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log
        post-down wpa_cli -i wlan0 terminate
This is the stanza that controls the wireless interface wlan0. It specifies that before wlan0 is brought up (pre-up), the wpa_supplicant process needs to be launched with the following options:
-B: put the wpa_supplicant process in the background
-Dwext,nl80211: use the Wireless Extension or nl80211 WiFi drivers
-i wlan0: apply these to interface wlan0
-c/etc/wpa_supplicant/wpa_supplicant.conf: the configuration file that has the WiFi credentials and authentication method
-f /var/log/wpa_supplicant.log: the log file
The post-down command uses the wpa_cli command to terminate the wpa_supplicant process.
With this setup, whenever we bring the wlan0 interface up, the wpa_supplicant process will be launched, and when we bring it down, it will be terminated. However, sometimes we need to interact with the background wpa_supplicant during runtime. Here is how to do it with wpa_cli.
wpa_cli
If you just type “wpa_cli” you will get into the interactive mode of the utility:
    netbeez.net$ wpa_cli
    wpa_cli v2.4
    Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors
    This software may be distributed under the terms of the BSD license.
    See README for more details.
    Selected interface 'wlan0'
    Interactive mode
This means that you have a session that you can just use to issue commands without having to repeat “wpa_cli” all of the time. As you can see, I didn’t specify the interface that I wanted to use – this is why wpa_cli informed me that it will be applying all following commands to interface “wlan0,” which is the correct one. Alternatively you can explicitly specify the interface with “wpa_cli -i wlan0.”
The benefit of using interactive mode is that you will see log messages from the wpa_supplicant process printed in the session (instead of monitoring the log file /var/log/netbeez/wpa_supplicant.log). For example, a few seconds after I started the interactive wpa_cli, a few events occurred, and I could see the following:
    Interactive mode
    <3>CTRL-EVENT-SCAN-STARTED
    <3>CTRL-EVENT-SCAN-RESULTS
    <3>WPS-AP-AVAILABLE
    <3>CTRL-EVENT-SSID-REENABLED id=0 ssid="netbeez"
    <3>Trying to associate with 38:3b:c8:3e:d4:3a (SSID='netbeez' freq=5180 MHz)
    <3>CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="netbeez" auth_failures=4 duration=60 reason=CONN_FAILED
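Event lines like the CTRL-EVENT-SSID-TEMP-DISABLED entry above can be screened automatically for repeated connection failures, which usually point to a wrong or changed credential or an access point that is not behaving as expected. The following is an added example, not part of the original post; the function name flag_auth_failures and the default threshold of 3 are assumptions, and the sample lines are constructed.

```shell
# Added example (not from the original post): report networks that
# wpa_supplicant temporarily disabled after repeated connection failures.
# Reads wpa_cli event lines on stdin, e.g. a saved interactive session.

# $1 = smallest auth_failures value to report (assumed threshold, default 3)
# Output: one line per event, tab-separated: ssid, auth_failures, reason
flag_auth_failures() {
    awk -v min="${1:-3}" '
    # Return the value of key=value (value without spaces), or "" if absent.
    function field(line, key,    s) {
        if (match(line, "(^| )" key "=[^ ]+")) {
            s = substr(line, RSTART, RLENGTH)
            sub("^ ?" key "=", "", s)
            return s
        }
        return ""
    }
    /CTRL-EVENT-SSID-TEMP-DISABLED/ {
        fails = field($0, "auth_failures") + 0
        if (fails < min) next
        # The SSID is quoted and may contain spaces, so match it separately.
        ssid = "?"
        if (match($0, /ssid="[^"]*"/))
            ssid = substr($0, RSTART + 6, RLENGTH - 7)
        printf "%s\t%d\t%s\n", ssid, fails, field($0, "reason")
    }'
}

# Constructed sample: the auth_failures=4 line is the one shown in this post,
# the other lines are made up for the example.
SAMPLE_EVENTS='<3>CTRL-EVENT-SCAN-STARTED
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="netbeez" auth_failures=1 duration=10 reason=CONN_FAILED
<3>CTRL-EVENT-SSID-REENABLED id=0 ssid="netbeez"
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="netbeez" auth_failures=4 duration=60 reason=CONN_FAILED
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=1 ssid="guest wifi" auth_failures=5 duration=90 reason=WRONG_KEY'

printf '%s\n' "$SAMPLE_EVENTS" | flag_auth_failures 3
```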
If you only want to send a one-off command, you can use the following syntax in its most basic form:
wpa_cli command
For example, if I want to get the status of the interface:
    netbeez.net$ wpa_cli status
    Selected interface 'wlan0'
    bssid=38:3b:c8:3e:d4:3a
    freq=5180
    ssid=netbeez
    id=0
    mode=station
    pairwise_cipher=CCMP
    group_cipher=CCMP
    key_mgmt=WPA2-PSK
    wpa_state=COMPLETED
    ip_address=192.168.0.31
    p2p_device_address=40:a5:ef:d5:31:ad
    address=40:a5:ef:d5:31:ad
    uuid=b127081f-1946-5a2a-ae3f-3570ee11a374
If you type “help” you will get a list of more than 150 options, since wpa_cli gives you the ability to control all aspects of a WPA configuration. I am referring you to the help menu for more details. Here we’ll review just a few of these options.
Reconfigure
Let’s say wlan0 is up and running, but you made a change in the wpa_supplicant.conf file and hardcoded the bssid as follows:
    netbeez.net$ cat /etc/wpa_supplicant/wpa_supplicant.conf
    ctrl_interface=DIR=/var/run/wpa_supplicant
    update_config=1
    network={
        ssid="netbeez"
        scan_ssid=1
        key_mgmt=WPA-PSK
        psk="passowrd"
        bssid=38:3b:c8:3e:d4:31
    }
You can ask wpa_supplicant to reread the configuration file and reconnect by issuing the reconfigure command:
    netbeez.net$ wpa_cli reconfigure
    Selected interface 'wlan0'
    OK
With the “OK” wpa_cli informs us that the command was received successfully by wpa_supplicant. At this point your interface will try to reassociate with the specific AP.
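"OK" only confirms that the command was received, so it is worth checking afterwards that the interface really is associated with the pinned AP and with a strong cipher. The following is an added example, not part of the original post, that compares the bssid pinned in the configuration with the fields of "wpa_cli status"; the function names are hypothetical and the inputs are constructed from the listings in this post.

```shell
# Added example, not from the original post. On a live system:
#   check_association "$(cat /etc/wpa_supplicant/wpa_supplicant.conf)" \
#                     "$(wpa_cli -i wlan0 status)"

# Print the value of key $2 from "wpa_cli status" text $1.
status_get() {
    printf '%s\n' "$1" |
        awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }'
}

# Print the first bssid= value in config text $1, lower-cased.
pinned_bssid() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*bssid=\([0-9A-Fa-f:]*\).*/\1/p' | head -n 1 | tr 'A-F' 'a-f'
}

# $1 = config text, $2 = status text. Prints findings; returns 1 if any.
check_association() {
    state=$(status_get "$2" wpa_state)
    if [ "$state" != "COMPLETED" ]; then
        echo "not connected: wpa_state=${state:-unknown}"
        return 1
    fi
    rc=0
    want=$(pinned_bssid "$1")
    have=$(status_get "$2" bssid | tr 'A-F' 'a-f')
    if [ -n "$want" ] && [ "$want" != "$have" ]; then
        echo "bssid mismatch: pinned $want, associated $have"; rc=1
    fi
    for key in pairwise_cipher group_cipher; do
        cipher=$(status_get "$2" "$key")
        case $cipher in
            *TKIP*|WEP*|NONE|"") echo "weak $key: ${cipher:-missing}"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed inputs, trimmed from the listings in this post.
CONF='network={
    ssid="netbeez"
    bssid=38:3b:c8:3e:d4:31
}'
STATUS_OLD="Selected interface 'wlan0'
bssid=38:3b:c8:3e:d4:3a
pairwise_cipher=CCMP
group_cipher=CCMP
wpa_state=COMPLETED"
check_association "$CONF" "$STATUS_OLD" || echo "association needs attention"
```

With the sample status, which still shows the AP from before the change, the check reports a bssid mismatch against the newly pinned value.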
Reassociate
If you want to force the reassociation of the interface you can issue the reassociate command as follows:
    netbeez.net$ wpa_cli reassociate
    Selected interface 'wlan0'
    OK
Log Level
The wpa_supplicant logs information and error messages in the file specified with the “-f” option shown above. It also gives you the option to specify the verbosity of the logs. You can do that when you launch the process by using the “-d” option as follows:
pre-up wpa_supplicant -B -Dwext,nl80211 -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log -d
You can increase it even more if you add “-dd”.
wpa_cli gives you the ability to change that during runtime. Here is how the command looks:
    netbeez.net$ wpa_cli log_level DEBUG
    Selected interface 'wlan0'
    OK
The available levels, in order of increasing verbosity, are: ERROR, WARNING, INFO, DEBUG, MSGDUMP, EXCESSIVE. The default level is INFO.
I noticed that for wpa_cli version 2.4 the manual page is wrong and it says that the option to set the verbosity is “level” and not “log_level.” In addition, I had to look at the source code of wpa_cli to find the available levels since they are not documented anywhere else.
wpa_cli is a very nifty utility that helps you interact with the wpa_supplicant process without having to stop and restart it all the time. It’s handy and a good idea to keep it in your arsenal if you are interested in WiFi on Linux.