Using the Orinoco (Hermes) card with xsupplicant

by Matthew Gast

When I started working with xsupplicant, I started with an Orinoco Gold card. It wasn't a hard choice--Orinoco cards were so popular at one point that nearly everybody has at least one lying around. Even if you don't have a PC Card lying around, you probably have a laptop with a Hermes chipset somewhere. Lucent was successful in making the Hermes a standard OEM part when a laptop vendor wanted to add 802.11. Many of the initial 802.11 cards supplied by laptop vendors were based on the Hermes chip, and use the same software as the PC Card. (Many of them use the mini-PCI form factor, but they are essentially a PCI-to-PC Card bridge; Linux will therefore detect them as a PC Card.)

Getting the Orinoco card running with xsupplicant is a slightly involved process. It requires two patches to fix unwanted behavior. Like many drivers, the Orinoco driver would reset the card if a new WEP key was configured. In the days of single-key static WEP, this was acceptable. However, the whole point of 802.1X is that you can dynamically push keys into the driver. There is a small patch distributed with xsupplicant to allow dynamic keying. A second patch is required to disable promiscuous mode.


1. orinoco_cs 0.13e. The dynamic keying patch distributed with xsupplicant is written against orinoco_cs version 0.13e. Many Linux distributions using the 2.4 kernels ship 0.13d, so you will need to update the driver. You can obtain it directly from David Gibson's distribution site.

2. Firmware update. I used the latest firmware version I could find on the Proxim support site (8.42, I think). The firmware update utility is available only for Windows, so updating firmware from an old card will probably require a Windows machine somewhere.

3. patch. There are two patches to apply, and not all installations may have installed the utility. If you don't have it, it should be easy to get from your current distribution's package system.

4. xsupplicant rekey patch. This is distributed with xsupplicant (drivers/Linux/rekey_patch_orinoco-0.13e), so if you already have xsupplicant, you are good to go.

5. promiscuous mode fix. There's a second patch you will need to disable promiscuous mode in the driver; it can be downloaded from here from the University of Twente (Netherlands). I suspect that this patch is required because something in xsupplicant that calls libpcap will put the driver into promiscuous mode, and that breaks frame reception to higher protocol stack layers. This is just a theory; I'd be interested in why it's required if anybody knows.

Building and installing the new driver

Like most other drivers, this driver is a kernel module. If you have a complete kernel configuration, you can just build the module in place and install over the earlier version. (You might also be able to integrate it into your kernel source tree, but doing so isn't strictly necessary.)

To start building the driver, extract its source tree.

# tar -xvzf orinoco-0.13e.tar.gz

Apply the patches to the source distribution:

# cd orinoco-0.13e
# patch -p0 < ~/xsupplicant-0.8b/drivers/Linux/rekey_patch_orinoco_0.13e
# patch -p0 < ~/orinoco-no-promisc.patch

Build and install the software, just like any other driver. As always, be sure to update module dependencies after installing a new driver.

# make
(see the output of compilation)
# make install
(watch the module go to /lib/modules/...)
# depmod -a

Using the driver

When the Orinoco card is detected, the system will load orinoco_cs and create an Ethernet interface. If you have a build-in Ethernet interface (as most laptops do), the newly created interface will be "eth1". Configure it and run xsupplicant as described in the previous post. If you're watching your system log, you should see messages from the Orinoco driver indicating "orinoco_set_multicast_list: ignoring promisc setting" during the 802.1X negotiation. If you're not, the promiscuous mode patch isn't applied to the driver that is currently being loaded.