Configuring Wireless LAN Interfaces
Overview
To configure a wireless LAN for CDRouter, the following three testvars must be configured, at a minimum:
-
lanInterface: This testvar specifies which physical interface CDRouter should use on the LAN; CDRouter will automatically detect whether the configured interface is wireless or Ethernet. -
lanSecurity: This testvar specifies the security type used by the device under test (DUT) on the LAN; for wireless LAN interfaces this can be one of three values -NONE,WEP, orWPA. The default value for this testvar isNONE, which implies that no security is being used on the DUT. -
lanSSID: This testvar specifies the wireless SSID of the DUT.
Additional testvars may be required based on the DUT’s wireless security settings. Configuration examples for some common wireless security modes are provided below.
Note that many of the testvars in these examples utilize default values which do not need to be explicitly uncommented in the config file. Detailed descriptions of all of the testvars used in these example configurations can be found on the Documentation tab of CDRouter’s web interface or in the LAN Configuration section of the CDRouter User’s Guide.
Example Configurations
Basic wireless with no security
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity NONE
# -- Wireless Configuration
testvar lanSSID my-network
WEP with static key
WEP with 64-bit static key and key index of 0:
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity WEP
# -- Wireless Configuration
testvar lanSSID my-network
testvar lanWEPKey 0102030405
testvar lanWEPKeyIndex 0
To use a 128-bit static key and key index of 3 instead:
# -- Wireless Configuration
testvar lanWEPKey 0102030405060708090a010203
testvar lanWEPKeyIndex 3
WPA or WPA2-Personal
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
# -- Wireless Configuration
testvar lanSSID my-network
# -- WPA Encryption Configuration
testvar wpaMode WPA-Personal (or WPA2-Personal)
testvar wpaKey qacafe123
WPA or WPA2-Enterprise
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
# -- Wireless Configuration
testvar lanSSID my-network
# -- WPA Encryption Configuration
testvar wpaMode WPA-Enterprise (or WPA2-Enterprise)
# -- LAN 802.1X and RADIUS Configuration
testvar enableRADIUSserver yes
testvar radiusHost remoteHost
testvar radiusSecret qacafe123
# -- LAN EAP Type and Credentials
testvar eapType eap-tls
testvar eapIdentity1 user1
testvar eapPassword1 qacafe123
testvar eapUserCertPath1 /usr/cdrouter/tests/user1.pem
testvar eapUserCertPassword1 qacafe123
testvar eapUserPrivateKey1 ""
WPA3-Personal
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
# -- Wireless Configuration
testvar lanSSID my-network
# -- WPA Encryption Configuration
testvar wpaMode WP3-Personal
testvar wpaSaePassword "sae secret"
WPA3-Enterprise
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
# -- Wireless Configuration
testvar lanSSID my-network
# -- WPA Encryption Configuration
testvar wpaMode WPA3-Enterprise
# -- LAN 802.1X and RADIUS Configuration
testvar enableRADIUSserver yes
testvar radiusHost remoteHost
testvar radiusSecret qacafe123
# -- LAN EAP Type and Credentials
testvar eapType eap-tls
testvar eapIdentity1 user1
testvar eapPassword1 qacafe123
testvar eapUserCertPath1 /usr/cdrouter/tests/user1.pem
testvar eapUserCertPassword1 qacafe123
testvar eapUserPrivateKey1 ""
Wireless Mesh Topologies
CDRouter can be used to test LAN networks comprised of multiple wireless
extenders that form a distributed LAN or “mesh” topology. The lanBSSID
testvar specifies the unique BSSID address of the mesh node that
CDRouter’s wireless interface will associate with.
Example config for mesh topology
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity NONE
# -- Wireless Configuration
testvar lanSSID my-network
# -- Advanced Wireless Configuration
testvar lanBSSID 00:01:02:00:00:01
Multiple Wireless Networks
The CDRouter Multiport Expansion allows multiple LAN interfaces to be connected to the DUT simultaneously. Each physical wireless interface can be configured with its own independent security settings, SSID, BSSID, and channel.
Some devices broadcast the same SSID on multiple frequency bands. CDRouter can be configured to connect on a specific band by either:
- Configuring the BSSID of the device’s 2.4GHz, 5.0GHz or 6.0GHz AP using the
lanBSSIDtestvar, or - Configuring the specific channel or frequency band to connect on using the
lanChanneltestvar
Example config for connecting to a specific SSID
In this example the DUT is broadcasting unique SSIDs in the 5.0GHz and 6.0GHz
frequency bands. CDRouter’s primary LAN client will connect to the DUT’s 5.0GHz
radio which is broadcasting the SSID my-network 5.0GHz, while CDRouter’s
second LAN interface will connect to the DUT’s 6.0GHz radio which is
broadcasting a unique SSID of my-network 6.0GHz.
# -- Base LAN Configuration ("lan")
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
testvar wpaMode WPA2-Personal
testvar lanSSID "my-network 5.0GHz"
testvar wpaMode auto
testvar wpaKey qacafe123
# -- Multiport LAN Configuration ("lan2")
testvar_group lan2 {
testvar lanInterface wifi7-be
testvar lanSecurity NONE
testvar lanSSID "my-network 6.0GHz"
}
Example config for connecting to a specific BSSID
In this example the DUT is broadcasting the same SSID in the 5.0GHz and 6.0GHz frequency bands. CDRouter’s primary LAN client will connect to the DUT’s 5.0GHz radio by configuring its BSSID of 00:01:02:00:00:AA, while CDRouter’s second LAN interface will connect to the DUT’s 6.0GHz radio by configuring its BSSID of 00:01:02:00:00:BB.
# -- Base LAN Configuration ("lan")
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
testvar wpaMode WPA2-Personal
testvar lanSSID "my-network"
testvar wpaKey qacafe123
testvar lanBSSID 00:01:02:00:00:AA
# -- Multiport LAN Configuration ("lan2")
testvar_group lan2 {
testvar lanInterface wifi7-be
testvar lanSecurity NONE
testvar lanSSID "my-network"
testvar lanBSSID 00:01:02:00:00:BB
}
Example config for connecting on a specific frequency band
In this example the DUT is broadcasting the same SSID in the 2.4GHz, 5.0 and 6.0GHz frequency bands. CDRouter’s primary LAN client will connect to the DUT’s 2.4GHz radio by configuring the band to 2.4GHz, while two additional LAN interfaces will connect to the DUT’s 5.0GHz and 6.0GHz radios by configuring their respective frequency bands.
# -- Base LAN Configuration ("lan")
testvar lanInterface wifi1-ax24
testvar lanSecurity WPA
testvar lanSSID "my-network"
testvar wpaMode WPA2-Personal
testvar wpaKey qacafe123
testvar lanChannel 2.4GHz
# -- Multiport LAN Configuration ("lan2")
testvar_group lan2 {
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
testvar lanSSID "my-network"
testvar wpaMode WPA2-Personal
testvar wpaKey qacafe123
testvar lanChannel 5GHz
}
# -- Multiport LAN Configuration ("lan3")
testvar_group lan2 {
testvar lanInterface wifi7-be
testvar lanSecurity WPA
testvar lanSSID "my-network"
testvar wpaMode WPA2-Personal
testvar wpaKey qacafe123
testvar lanChannel 6GHz
}
Multiple Virtual Wireless LAN Clients
Some interfaces on the NTA1000 platform allow multiple wireless
LAN clients to be created at the same time on the same interface.
CDRouter will create additional temporary clients on these interfaces for
particular tests as needed. It is also possible to configure persistent
clients that are active for the duration of the test run using the lanClients
testvar in the config file.
Testing with multiple wireless clients requires the CDRouter Multiport expansion. Each wireless interface of the NTA1000 supports a different number of wireless LAN clients. See the Wireless Virtualization Support section of the CDRouter Multiport User Guide to determine the maximum number of clients supported by each NTA1000 system.
Configuration Example
This example configures 10 wireless LAN clients on interface wifi2-ax56
with WPA-Personal security:
# -- Interface Configuration
testvar lanInterface wifi2-ax56
testvar lanSecurity WPA
testvar lanClients 10
# -- Wireless Configuration
testvar lanSSID my-network
# -- WPA Encryption Configuration
testvar wpaMode WPA-Personal (or WPA2-Personal)
testvar wpaKey qacafe123
Advanced WPA Configuration Options
The following wireless security modes defined by the WiFi Alliance can be
configured directly using the testvar wpaMode:
- WPA-Personal
- WPA-Enterprise
- WPA2-Personal
- WPA2-Enterprise
- WPA3-Personal
- WPA3-Enterprise
Within CDRouter these modes represent configuration presets that map to specific, fixed testvar values according to the following table:
| Testvar | WPA-Personal | WPA-Enterprise | WPA2-Personal | WPA2-Enterprise | WPA3-Personal | WPA3-Enterprise |
|---|---|---|---|---|---|---|
| wpaMode | WPA | WPA | RSN | RSN | RSN | RSN |
| wpaKeyMgmt | PSK | 802.1X | PSK | 802.1X | SAE | SUITE-B-192 |
| wpaCipher | TKIP | TKIP | CCMP-128 | CCMP-128 | CCMP-128 | GCMP-128 |
| wpaGroupCipher | auto | auto | CCMP-128 | CCMP-128 | CCMP-128 | GCMP-128 |
| wpaKey | user defined | not used | user defined | not used | not used | not used |
| wpaPMF | no | no | no | no | yes | yes |
| wpaSaePassword | not used | not used | not used | not used | user defined | not used |
To deviate from the configuration presets above, the wpaMode testvar must be
set to one of the values below:
- auto - Automatically select WPA connection mode
- WPA - Use WPA security mode
- RSN - Use WPA2/WPA3 security mode
These modes make it possible to enable and set advanced WPA configuration
options such as the key management mode (wpaKeyMgmt),
pairwise cipher (wpaCipher), group cipher (wpaGroupCipher),
and whether or not protected management frames
(PMF) are enabled (wpaPMF).
Notes
-
A number of WPA related testvars within CDRouter can be set to a value of
auto. When auto mode is selected for any applicable WPA testvar, CDRouter will automatically use the strongest encryption options supported by the DUT. Specific values can be set for each testvar as well to test a single mode of operation. -
Please see this Knowledge Base article for information on which EAP types are supported for each LAN security mode.
-
WPA3 relies on the Simultaneous Authentication of Equals (SAE) handshake as opposed to the Pre-Shared Key (PSK) technique used in WPA2 and WPA. As a result, the testvar
wpaSaePasswordmust be specified for WPA3-Personal configurations while the testvarwpaKeyfor WPA-Personal and WPA2-Personal configurations. -
WPA3 requires the use of protected management frames (PMF). PMF is optional for RSN modes and can be enabled using the testvar
wpaPMF.
Backwards Compatibility
When support for WPA3 was added in CDRouter 11.5 a number of new WPA3 specific testvars were added while some existing testvars options were deprecated.
To maintain backwards compatibility with older configurations, CDRouter will automatically map any deprecated WPA related testvar values to new, supported values according to the following table:
| Testvar | Deprecated Values | New Value |
|---|---|---|
| lanSecurity | WPA-802.1X, WPA-PSK | WPA |
| wpaMode | WPA2 | RSN |
| wpaCipher | AES-CCMP | CCMP-128 |
| wpaGroupCipher | AES-CCMP | CCMP-128 |
