Unsupported Version
This article applies to an unsupported version of Ubuntu. More info...


Style Cleanup Required
This article does not follow the style standards in the Wiki Guide. More info...

WPA configuration is handled seamlessly by the "just works" WifiDocs/NetworkManager and should be installed with recent versions of Ubuntu. If not you can go through the procedure to install it manually here or you can configure the daemon in charge of WPA encryption (wpasupplicant) manually.

The NetworkManager should be installed by default on recent versions of Ubuntu, see WifiDocs/NetworkManager for more information on the NetworkManager.

What is WPA?

Wi-Fi Protected Access (WPA) is a family of encryption methods used when connecting to a wireless access point. It is based on the technology that is used in Wired Equivalent Privacy (WEP) but provides stronger security. For more information on the subject you can see the WPA entry on Wikipedia.

Kubuntu version

For instructions for Kubuntu, take a look at WifiDocs/WPAHowTo/Kubuntu

Network Manager

For Ubuntu 6.06 LTS (Dapper) or later (but not for Kubuntu 6.06 or 6.10), there should be a Network Manager icon in the GNOME panel, which looks like a couple of dots. Right click the Network Manager icon to enable the network if necessary. Next, left click on the Network Manager icon and choose "Connect to other wireless network". Then, enter "YOUR-SSID" for the network name and choose your type "WPA ENTERPRISE" or "WPA PERSONAL" etc, etc ... for wireless security. Enter the password in the password text entry box. Click connect to attempt a connection. It is unlikely that you will need the procedure described bellow.

Note: if you have altered the configuration of your network cards in /etc/network/interfaces it is likely that Network Manager will refuse to manage the non-standard interfaces (see /usr/share/doc/network-manager/README.Debian for more information). The easiest way to have NetworkManager configure your networking devices is to simply leave them out of /etc/network/interfaces.

If you do not see a network icon near your power information, or if WEP is your only encryption choice for network configuration, you may need to install Network Manager. For Ubuntu users:

sudo apt-get install network-manager-gnome

Restart dbus to make it aware of the new service

sudo /etc/init.d/dbus restart

After installing the package, logout and log back in (or re-start) and Network Manager should appear.

If the icon does not appear you can start it manually (Gnome):


If WPA does not work, make sure that wpa-supplicant is installed. No further configuration is needed NetworkManager should handle the rest. If all else fails try the procedure bellow.

sudo apt-get install wpasupplicant


Note that for Kubuntu users, the Wireless Assistant Wireless LAN Manager, found in the KMenu/Internet menu, does not integrate with WPA, and should not be used.

Kubuntu users should install the KDE version (from Kubuntu 6.0.6):

sudo apt-get install knetworkmanager

Kubuntu (still 6.0.6) users should also skip the section on editing of files and the section on password nagging, and activate kwalletmanager instead. This means you will only get WPA when logged into KDE, but hey ... (For instructions on how to do this, see this link). Log out and back in, and start KNetworkManager from the Internet menu. In some rare cases WPA needs special setup, perhaps for the RT2500 chipset WifiDocs/Driver/RalinkRT2500 (i have not tried this but I have seen it in an office).

Or for earlier versions of Kubuntu:

sudo apt-get install network-manager-kde

Avoiding password nagging

Ubuntu 10.10

If setting your keyring password to equal your login password doesn't resolve the keyring nagging you can do the following (be warned however that your essentially removing the keyring as a security feature).

  • System --> Preferences --> Passwords and Encryption Keys

  • Right click on Passwords --> Passwords: Login

  • Enter your current keyring password, leave both new password fields blank.
  • Accept the 'Store Passwords unencrypted' warning message by pushing the 'Use Unsafe Storage' button.

Gnome Network Manager bugs for the keyring password on login, so install pam-keyring to get around that.

*** Can anyone help with Gutsy yet?? This fix was brilliant under Dapper & Fiesty, but breaks under Gutsy. It is an excellent addition to your wifi and you miss it badly when upgrading!!!

*** Why? You only need to install the libpam(-gnome)-keyring package in Gutsy. Then simply check the box saying "Automatically unlock this keyring when I log in." when being asked for the keyring password.

Either use the unofficial debian package found at: ubuntuforums.org http://ubuntuforums.org/attachment.php?attachmentid=11818&d=1151394726 , or install from source. (Warning: be careful about install from unauthenticated sources; it's a little safer to build from source---see the instructions below.)

Here is the link to get the source package

You may need to get a few packages in addition to build-essential to complete the build.

Using Synaptic get:

  • libpam0g-dev
  • libgnome-keyring-dev
  • libglib2.0-dev
  • autotools-dev
  • libtool

Here are the steps to install:

  1. Download
  2. Unzip to folder (e.g. ~/pam_keyring_tmp)
  3. In Terminal:

cd ~/pam_keyring_tmp
./configure --prefix=/usr --libdir=/lib
sudo make install
cd /etc/pam.d
sudo gedit gdm

To look like:

auth    requisite       pam_nologin.so
auth    required        pam_env.so
@include common-auth
@include common-account
session required        pam_limits.so
@include common-session
@include common-password
## Added for pam-keyring so that NetworkManager doesn't ask for Keyring password.
## Please note that keyringpassword and login password must be the same.
auth optional pam_keyring.so try_first_pass
session optional pam_keyring.so

Reboot your computer, log out and in again, or type sudo /etc/init.d/gdm restart to restart X.

As I mentioned in the comments in gdm file, this relies on having the password of the default keyring the same as your login password. ENJOY!

Original instructions from: http://ubuntuforums.org/showthread.php?t=187874 and http://ubuntuforums.org/showthread.php?p=1619571 and http://ubuntuforums.org/showthread.php?t=192281

Info <!> If your wireless card is based on the rt2500 chipset, do not follow these instructions, as WPA has to be configured as described in WifiDocs/Driver/RalinkRT2500.

WPA Supplicant

(i) Before proceeding any further, it might be worthwhile to check whether your Wi-Fi Card is supported. wpa_supplicant website This will save you lots of time and frustration.

Bear in mind that altering the /etc/network/interfaces file will likely interfere with Network Manager (see note above).

Configuring wpa_supplicant

WPA supplicant provides WPA support, as well as automatic selection of the best available configured access point. WPA supplicant should already be installed in Dapper and later. Otherwise, install it:

  •   sudo apt-get install wpasupplicant

You then need to configure it.

Note to Kubuntu users: No editing of files needed. Just make sure wpasupplicant is installed and start knetworkmanager from the Internet menu.

Edit /etc/wpa_supplicant.conf to include your network. The info to include can be generated with wpa_passphrase (i) (although this is optional, it saves the supplicant having to generate the preshared key (PSK) each time it is started):


  •   dennis@mirage:~$ wpa_passphrase NetworkEssid
      # reading passphrase from stdin

(i) Requiring wpa_passphrase to prompt for the passphrase, rather than providing it as a command line argument, prevents the phrase from being stored insecurely in your shell's history.

Then add the following to the end of /etc/wpa_supplicant.conf:

  •   network={
            scan_ssid=1 # only needed if your access point uses a hidden ssid

(i) You may have to specify proto=WPA and key_mgmt=WPA-PSK, but wpa_supplicant can usually autodetect them correctly.

Testing the configuration

Next we test the WPA supplicant. To do this you first determine which driver you have. The supported drivers are visible by running wpa_supplicant -h. In this example I assume the madwifi driver. You also need to know the name of your card's interface. In this example I assume ath0.

Now simply start wpa_supplicant for testing:

  •   sudo wpa_supplicant -iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w

You should see something like the following, but more verbose (if you get a different result, append -dd to the above command line and ask someone on #ubuntu for help if you need additional examples try wpa_supplicant):


  •   Trying to associate with 00:ff:00:1e:a7:7d (SSID='NetworkEssid' freq=0 MHz)
      Associated with 00:ff:00:1e:a7:7d
      WPA: Key negotiation completed with 00:ff:00:1e:a7:7d [PTK=TKIP GTK=TKIP]

Now interrupt wpa_supplicant with <ctrl> C

Final installation (Ubuntu 6.10 (Edgy))

Telling Ubuntu Edgy to use WPA supplicant is pleasingly easy. Note this will not work with Network Manager (see note above).

First find the interface in /etc/network/interfaces. It should look like this:

auto ath0
iface ath0 inet dhcp

Now add these two lines immediately below that:

wpa-driver madwifi
wpa-conf /etc/wpa_supplicant.conf

Where, as above, you have to use your driver and interface in place of the example madwifi and ath0. That's it! Now when you ifup/ifdown the interface (of Ubuntu does it for you on boot/shutdown), wpa_supplicant will be correctly started and stopped.

Final installation (older versions)

  • Once wpa_supplicant works, you should edit /etc/network/interfaces to include wpa_supplicant. If prior to all of this, your /etc/network/interfaces looks like:
      auto ath0
      iface ath0 inet dhcp
    Simply change it to look like:
      auto ath0
      iface ath0 inet dhcp
      pre-up /etc/init.d/wpasupplicant start
      pre-up sleep 5

(i) This looks like an optional step, too. As of 0.4.7-0ubuntu3, the /etc/network/if-pre-up.d/wpasupplicant script will take care of this step automatically. - 20060107 DaniloPiazzalunga

(i) It is indeed optional and only relevant for Breezy systems. I made the change in Dapper's package. - 20060110 [DanielTChen]

(i) For an alternative more detailed way to configure /etc/network/interfaces to work with wpa_supplicant 0.4.8-3ubuntu1.1 try http://svn.debian.org/wsvn/pkg-wpa/trunk/wpasupplicant/debian/README.modes?op=file&rev=0&sc=0- particularly if you want to set up a static IP address, which Network Manager doesn't currently support very well

  • Finally, edit /etc/default/wpasupplicant to enable wpa_supplicant and provide its command line options. For our example setup, this would be:
      # Useful flags:
      #  -D <driver>          Wireless drive, typically optional.
      #  -i <ifname>          Interface
      #  -c <config file>     Configuration file
      #  -d                   Debugging (-dd for more)
      #  -w                   Wait for interface to come up
      # See the manual page wpa_supplicant(1) for more options and information.
      OPTIONS="-iath0 -c/etc/wpa_supplicant.conf -Dmadwifi -w"

(i) Note that in Dapper, because of a newer kernel (2.6.15) and a newer wpasupplicant package (0.4.7), your wireless driver may already support the kernel's wireless extensions interface. Please consult the README.Debian. - 20060110 [DanielTChen]

(i) I placed the "ENABLED=1" setting directly above the "OPTIONS" setting; it was easy to miss that setting when it was above the comment section in the file. - 20060129 [Scott]

(i) If you have an ipw2200 wirless card and a kernel 2.6.16 or newer, you maybe have to use "wext" driver instead of "ipw"

Integration with DHCP

(i) Note that the instructions below are deprecated. The changes that I made in Dapper's wpasupplicant package already take care of this case. [DanielTChen]

  • If you want your wireless card to aquire a new IP address using DHCP when wpa_supplicant associates with an access point, use the wpa_cli utility as documented in the wpa_supplicant README:

      wpa_cli can used to run external programs whenever wpa_supplicant
      connects or disconnects from a network. This can be used, e.g., to
      update network configuration and/or trigget DHCP client to update IP
      addresses, etc.
    The wpa_cli utility can automatically execute a script whenever wpa_supplicant connects or disconnects from an access point. For this, use the -a switch like so:
      wpa_cli -a<my-script>
    The script will be invoked like this:
      my-script $IF $CONN
    Where $IF is the interface (eth0, ath0, etc), and $CONN is the event - either "CONNECTED" or "DISCONNECTED".


  • The simplest thing to do is write a script that invokes ifup or ifdown. I've put it in /sbin/wpa_action:
      #! /bin/bash
      if [ "$CMD" == "CONNECTED" ]; then
        SSID=`wpa_cli -i$IFNAME status | grep ^ssid= | cut -f2- -d=`
        logger "WiFi: Connecting `$IFNAME' to network `$SSID'"
        ifup $IFNAME
      elif [ "$CMD" == "DISCONNECTED" ]; then
        logger "WiFi: Disconnecting `$IFNAME`"
        ifdown $IFNAME
    Then, edit /etc/init.d/wpasupplicant to run wpa_cli appropriately. Look for these lines:
      case "$1" in
                    echo -n "Starting wpa_supplicant: "
                    start-stop-daemon --start --name $PNAME
                            --oknodo --startas $DAEMON -- -B $OPTIONS
                    echo "done."
    Insert a sleep and wpa_cli call below the start-stop-daemon call:
       case "$1" in
                    echo -n "Starting wpa_supplicant: "
                    start-stop-daemon --start --name $PNAME
                            --oknodo --startas $DAEMON -- -B $OPTIONS
                    sleep 1
                    wpa_cli -a/sbin/wpa_action -B
                    echo "done."
    If you are using DHCP exclusively to configure your wireless interface, then make sure you have this line for your wireless interface in /etc/network/interfaces:
      iface eth0 inet dhcp
    Where "eth0" is your wireless interface. And you'll want to make sure that your computer doesn't try to automatically start the interface up without an associated AP, so remove your wireless interface from the 'auto' line in /etc/network/interfaces:
      auto lo eth0 eth1
    So it becomes
      auto lo eth1
    Listing only those interfaces that you want to configure on startup. (Obviously, your 'auto' line will look different, depending on what network interfaces you have on your system.) Now, whenever you associate with a new wireless access point, your wireless interface will have an IP automatically configured and you'll be fully connected to the network. (YAY!)

GUI for WPA_Supplicant

A Qt-based application is available that lets you monitor what wpa_supplicant is up to: http://packages.ubuntu.com/dapper/net/wpagui

You will need to run it via gksudo wpa_gui so that it can talk to the WPA daemon.


Manual install on Edgy 6.10

requirements: wpa2-psk with tkip, intel ipw220, dhcp, roaming with different aps


# the roaming interface MUST use the manual inet method
iface eth1 inet manual
        wpa-driver wext                           #also for intel ip2200!!!!
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

# no id_str, 'default' is used as the fallback mapping target
iface default inet dhcp

# id_str="uni"
iface uni inet dhcp

# id_str="home_static"
iface home_static inet static


        # this id_str will notify /sbin/wpa_action to 'ifup uni'

        # this id_str will notify /sbin/wpa_action to 'ifup home_static'

        # no 'id_str' is given, /sbin/wpa_action will 'ifup default'

#need wpa2 with tkip
        scan_ssid=1 # only needed if your access point uses a hidden ssid

for more info see

zmore /usr/share/doc/wpasupplicant/README.modes.gz

Edgy - Using just the /etc/network/interfaces file, with ndiswrapper and no SSID broadcast

I had no luck using any of the above techniques. I'm using Ndiswrapper on a LinksysG PCMCIA card. What worked for me is described in the forum here: http://ubuntuforums.org/showthread.php?t=290414

After setting up the Ndiswrapper module, all I had to do was add the following to /etc/network/interfaces:

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-conf managed
wpa-ssid YOUR_SSID
wpa-ap-scan 2
wpa-proto TKIP
wpa-pairwise TKIP
wpa-key-mgmt WPA-PSK
wpa-psk YOUR_HEX_KEY

Works great, hope this helps some people.

Info <!> Above may be syntactically incorrect - my feisty complains it doesn't find a 'managed' file, so I think the wpa-conf parameter should be the name of an existing file.

Feisty - Using just the /etc/network/interfaces file, with ndiswrapper and SSID broadcast

I got mine working(RaLink Rt2500). Run lspci and if you have "Network controller: RaLink RT2500 802.11g Cardbus/mini-PCI" then this should work for you.

1. Make sure you have ndiswrapper, wpa_supplicant, and the correct rt2500.inf and rt2500.sys files installed through ndiswrapper(as above).I had to get a special inf/sys file from my windows driver disk which was for 64-bit because I run amd64.If you need these let me know and I'll email them to you. I have both 32 and 64 bit, please specify.

2. Verify that you're not using the default driver(serialmonkey) and that you're using ndiswrapper. Just type dmesg |grep rt2500 and you should get something like:

[   46.334475] ndiswrapper: driver rt2500 (Ralink Technology, Inc.,10/20/2005, loaded
[   46.890841] wlan0: ethernet device 00:13:d3:75:d4:a8 using serialized NDIS driver: rt2500, version: 0x20001, NDIS version: 0x501, vendor: 'IEEE 802.11g Wireless Card.', 1814:0201.5.conf

Step 3 won't work if you don't get through step 2. I had to blacklist the serialmonkey driver and then add ndiswrapper to /etc/modules before I could proceed.

3. Find out your router settings. I just ran iwlist scan and got the following:

          Cell 01 - Address: 00:14:BF:0F:XX:XX
                    Protocol:IEEE 802.11g
                    Frequency:2.417 GHz (Channel 2)
                    Quality:100/100  Signal level:-29 dBm  Noise level:-96 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                              24 Mb/s; 36 Mb/s; 54 Mb/s; 6 Mb/s; 9 Mb/s
                              12 Mb/s; 48 Mb/s
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP 
                        Pairwise Ciphers (2) : CCMP TKIP 
                        Authentication Suites (1) : PSK  
                    IE: WPA Version 1
                        Group Cipher : TKIP 
                        Pairwise Ciphers (2) : CCMP TKIP 
                        Authentication Suites (1) : PSK

4. Modify /etc/network/interfaces as follows, using the info from iwlist scan above:

iface ra0 inet dhcp
wpa-driver wext
wpa-ssid your-ssid
wpa-ap-scan 1
wpa-proto RSN WPA
wpa-pairwise CCMP TKIP
wpa-group CCMP TKIP
wpa-key-mgmt WPA-PSK
wpa-psk your-wpa-psk

You may need to remove other things aded by network manager and you may need to disable the wireless in network manager as well for this to work.

Troubleshooting intermittent disconnects

This can be caused by Network Manager. Apparently when Network Manager scans for APs, wpa_supplicant will disconnect. Disabling Network Manager allows WPA to work, but you loose the NM function of automatic connections.


You can use sudo iwconfig to check that you have your wireless device working. Most of the time this should be the case, but sometimes the drivers (kernel modules) fight, and the wrong one wins---for example, Prism 2 cards supported by hostap may instead end up using the orinoco driver, which won't work properly. Add incorrect modules to /etc/modprobe.d/blacklist.

Links and Resources


This was my case in Kubuntu, but should also apply to ubuntu. Once I had ndiswrapper setup, and after much detective work on filtering through the various pages on wifi in linux(ie using wext, wpa_supplicant, etc), I was able to connect to my router using wpa. I ignored the section on editing the /etc/network/interfaces to just use kwlan(Not knetworkmanager) to handle my wpa needs. There all one needs to do is set it to use wext, scan, enter password, and it just works. So maybe next time it should be made easier with having ndiswrapper(or the other driver solutions) and wpa_supplicant pre-installed. And maybe a much more non-veteran linux user howto.

Pretty sure "network management framework (GNOME Frontend)" is what made WPA "just work" - the problem is I have followed 3 or 4 sets of instructions, so I can't be sure that the one package is all you need - but it sure seems it is a good place to start. If someone can confirm this, fix this entry (or e-mail CarlKarsten and I'll fix it.) So try this: First disable the System, Administration, Networking - select the/all interface - Properties, uncheck "Enable this connection" (so that the next step can take over managing it.), OK, OK.

sudo apt-get install network-manager-gnome

look for a new icon in the upper left - click it - you should see a list of ESSID's (wireless network names)

Some WLAN routers, such as the FRITZ!Box WLAN 3170, allow WPA network keys of up to 60 characters, including alpha-numeric and special characters. WPA network keys including alphabetical and special characters can cause problems. The solution to such problems is to set the WPA network key to maximal 10 numbers on the WLAN router.

Restarting nm-applet

In my case (on Edgy) I had wireless with WPA working but no wireless connections ever showed under the network manager applet. To solve this issue I simply killed the nm-applet process (since there's no quit option via right-click) and then restarted the service. Wireless showed up right away. To kill the process go to System > Administration > System Monitor. Select the Processes tab and scroll to find a process called nm-applet. Click to highlight it and hit the "End Process" button. I added a "Run Application" utility to my panel, so I just click that and type in "nm-applet" to start it back up.

Using /etc/rcS.d for boot

(i) This is for launching wpa_supplicant as a background daemon on boot in Ubuntu 6.06 LTS (Dapper)

Info <!> You need to have wpa_supplicant.conf created and know how to launch wpa_supplicant from the command line

  • I tried the examples above and the man 8 page for wpa_supplicant examples, but could not get it to launch automatically on boot. This approach seems very straightforward. If you can run your launch script manually, it will run on boot just the same. The other methods seem very difficult editing the system files.

Work around for booting with /etc/init.d and /etc/rcS.d

Create a simple shell script in /etc/init.d that launches the wpa_supplicant as a background daemon:

    /sbin/wpa_supplicant -Bw -iath1 -Dmadwifi -c/etc/wpa_supplicant/wpa_supplicant.conf

Create a symbolic link in /etc/rcS.d that points to the launch script:

ln -s /etc/rcS.d/S42wpa_launch -> /etc/init.d/wpa_launch.sh

Info <!> Are there potential disadvantages of this method? Please post comments here.

If the nm-applet is causing intermittent connection drop as described above then you can easily disable it from automatically starting up. Simply go to System | Preferences | Sessions and uncheck the Network Manager checkbox.

I found that Network Manager had successfully configured my wireless for WPA (a WUSB54G, on Ubuntu 7.10, standard desktop packages) and would work when manually configuring within Network Manager or by restarting the interface, however on reboot it would once again not obtain a valid address from DHCP. I needed it to work without my having to log in. As work-around I have added the following two lines to /etc/rc.local and the interface now consistently obtains a valid address at boot up: "ifdown wlan0", and "ifup wlan0" (without the quotes)


Interesting to mention is an alternative network manager that makes almost any wifi connection just work. It's called wicd and it is in the standard repositories of Ubuntu. It replaces the standard network-manager and is only capable to manage LAN and WLAN connections. The wicd tool has a website on sourceforge:[http://wicd.sourceforge.net/]

CategoryNetworking CategoryWireless

WifiDocs/WPAHowTo (last edited 2013-12-14 00:21:33 by knome)