This document describes how to use nas to enable WPA in non-client mode on a WRT54G or compatible device.


Recommended: use S41wpa from http://www.bingner.com/openwrt/S41wpa - this will allow NAS to run on an interface besides the "lan" interface, such as "wifi"
YOU MUST use the version of nas which is 126444 bytes with md5sum of "043685e8e6b8be97fd2a720d221f62a3"
If you wish to use WPA+WDS you MUST have your wireless interface configured to be a bridge

Simple AP Config


nvram set wl0_auth_mode=psk
nvram set wl0_wpa_psk=<YourPresharedKey>
nvram set wl0_crypto=tkip

Technical info

NVRAM Variables used

NAS requests the following variables from nvram when configured in "wpa+psk" mode:

NVRAM Variable     Description
lan_ifname         Interface to run on, generally "br0"
lan_ifnames        Interfaces in bridge, if bridged
wl0_auth_mode      Authentication mode, either "psk" or "radius"
wl0_mode           Wireless mode - "ap" or "sta"
wl0_wpa_psk        WPA Preshared Key up to 63 ASCII characters or a 64-character HEX key
wl0_ssid           SSID of wireless network
wl0_crypto         Algorithm to use for encryption, one of: "aes", "tkip" or "aes+tkip"
wl0_wep            same as wl0_crypto
wl0_wpa_gtk_rekey  Rekey interval, default value of "3600"

NAS requests the following variables from nvram when configured in "wpa+radius" mode:

NVRAM Variable     Description
lan_ifname         Interface to run on, generally "br0"
lan_ifnames        Interfaces in bridge, if bridged
wl0_auth_mode      Authentication mode, either "psk" or "radius"
wl0_mode           Wireless mode - "ap" or "sta"
wl0_radius_key     RADIUS Preshared Key - used to authenticate to RADIUS server
wl0_ssid           SSID of wireless network
wl0_wep            Algorithm to use for encryption, one of: "aes", "tkip" or "aes+tkip"
wl0_radius_ipaddr  IP Address of RADIUS Server
wl0_radius_port    Port number to use for communication with RADIUS server, generally "1812" but could be "1645" depending on your server

Command line options for nas

Option  Description
-P      File to write PID of running nas process to, generally "/tmp/nas.lan.pid"
-l      Logical interface, or "bridged" interface. Usually "br0"
-H      UDP Port to listen for requests from nas4not etc on, use "34954"
-i      Hardware wireless interface. "eth1" on WRT54G/GS
-A      Authenticator Mode, mutually exclusive of -S. This option is used more often, you probably want it
-S      Supplicant Mode, mutually exclusive of -A
-m      WPA mode - 0=RADIUS, 1=WPA and 2=WPA+PSK - WPA+PSK is most widely used
-k      Preshared Key - used to authenticate clients in WPA+PSK mode, or to RADIUS server in RADIUS mode
-s      SSID of wireless network, if you don't know what this is give up...
-w      Crypto algorithm to use. 2=TKIP, 4=AES, 6=AES+TKIP - TKIP is most widely supported
-g      Rekey Interval - Generally 3600
-h      RADIUS Server IP Address - used only in RADIUS mode
-p      RADIUS Server Port Number - used only in RADIUS mode
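
As an added example (not part of the original page and not the S41wpa script), the shell functions below check the nas binary against the size and md5sum given above, validate the key and crypto settings, and assemble the WPA+PSK authenticator command line from the options in this table. The function names and the NAS_BIN variable are hypothetical, and the 8-character passphrase minimum comes from the WPA specification rather than this page.

```shell
#!/bin/sh
# Added example, not the S41wpa script. Function names and NAS_BIN are hypothetical.
LC_ALL=C; export LC_ALL                      # byte-wise matching in the checks below
NAS_SIZE=126444                              # size required by this page
NAS_MD5=043685e8e6b8be97fd2a720d221f62a3     # md5sum required by this page

# Succeed only if FILE has the size and md5sum this page requires.
nas_binary_ok() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" = "$NAS_SIZE" ] || return 1
    [ "$(md5sum "$1" | cut -d' ' -f1)" = "$NAS_MD5" ]
}

# Map a wl0_crypto value to the numeric -w argument.
crypto_flag() {
    case "$1" in
        tkip)     echo 2 ;;
        aes)      echo 4 ;;
        aes+tkip) echo 6 ;;
        *)        return 1 ;;
    esac
}

# Accept a 64-digit hex key or a printable-ASCII passphrase of 8 to 63
# characters (the 8-character minimum is from the WPA spec, not this page).
psk_ok() {
    len=${#1}
    if [ "$len" -eq 64 ]; then
        case "$1" in *[!0-9A-Fa-f]*) return 1 ;; esac
        return 0
    fi
    [ "$len" -ge 8 ] && [ "$len" -le 63 ] || return 1
    case "$1" in *[![:print:]]*) return 1 ;; esac
    return 0
}

# Usage: nas_psk LAN_IFNAME WL_IFNAME SSID PSK CRYPTO [REKEY]
# Validates the inputs, then runs nas as a WPA+PSK authenticator.
nas_psk() {
    psk_ok "$4" || { echo "nas_psk: bad PSK length or characters" >&2; return 1; }
    w=$(crypto_flag "$5") || { echo "nas_psk: bad crypto '$5'" >&2; return 1; }
    "${NAS_BIN:-nas}" -P /tmp/nas.lan.pid -l "$1" -H 34954 -i "$2" -A -m 2 \
        -k "$4" -s "$3" -w "$w" -g "${6:-3600}"
}

# On the router (values read back with "nvram get"):
# nas_psk "$(nvram get lan_ifname)" eth1 "$(nvram get wl0_ssid)" \
#     "$(nvram get wl0_wpa_psk)" "$(nvram get wl0_crypto)"
```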

nas4not syntax

nas4not is used to authenticate WDS links to the running nas daemon. It can be run automatically by the hotplug script if you have a compatible script and nas4not exists in /usr/sbin as a symlink to "nas". If the proper version of nas is in place, the symlink can be created by executing the following in a shell: "ln -s nas /usr/sbin/nas4not"
The only known syntax accepted is:
nas4not lan WDSLINK up auto CRYPTO AUTH_MODE PSK SSID

Where WDSLINK is the WDS link being added, e.g. "wds0.2", CRYPTO is one of "tkip", "aes" or "aes+tkip", AUTH_MODE is "psk", PSK is YOUR preshared key for that WDS link and SSID is the SSID of the wireless network.
Running nas4not by hand should not be necessary if the hotplug script located at http://www.bingner.com/openwrt/hotplug is installed as /sbin/hotplug.