nas
nas is the proprietary binary tool that sets up dynamic encryption (WEP/WPA) on the wireless device.
Note: normally nas is called by the S41wpa script in /etc/init.d. This script composes the command by reading the corresponding nvram variables (wl0_ssid, wl0_akm, wl0_crypto, …). If nas does not start on router reboot, try starting it manually with one of the command lines from this page (see below) and watch for errors. If it reports no error, it should start on reboot from now on.
Note: nas is not used in client bridging mode (i.e. the wireless interface is a client to a remote access point and is bridged to the LAN port). This mode is configured by `wl0_mode=wet`. In this case the chipset driver's built-in supplicant is used, configured by `/sbin/wifi` from the wificonfig package. It reads the nvram variables itself.
Where to get the nas binary?
The nas binary can be found at: http://downloads.openwrt.org/whiterussian/packages/non-free
If you use an old version of the firmware, please upgrade.
How to configure?
If you installed the nas binary using the package indicated above, an install script is automatically added to the router. You can use nvram variables to configure the nas options.
For a working Freeradius configuration for use with the Radius-enabled modes, see Wpa2Enterprise.
| Setting | nvram | Description |
|---|---|---|
| Wireless mode | wl0_mode | Using 'sta' will put the device in supplicant mode (client), otherwise it will be an authenticator (server). |
| SSID | wl0_ssid | The SSID configured for the wireless interface. |
| WPA rekey | wl0_wpa_gtk_rekey | Rekeying interval in seconds. Defaults to 3600. |
| Authentication mode | wl0_akm | 'wpa', 'wpa wpa2', 'wpa2', 'psk', 'psk psk2', 'psk2'. |
| Encryption mode for WPA | wl0_crypto | 'tkip', 'aes', 'aes+tkip'. |
| Preshared key | wl0_wpa_psk | Specifies the preshared key. Only for psk/psk2 |
| Radius Server IP | wl0_radius_ipaddr | Radius server IP address. Only for wpa/wpa2. |
| Radius Server Port | wl0_radius_port | Radius server port. Defaults to 1812. Only for wpa/wpa2. |
| Radius Server Shared Secret | wl0_radius_key | The shared secret with the Radius server. Only for wpa/wpa2. |
Please note, not all client cards/drivers/OSes support wpa/wpa2 or psk/psk2. Try all combinations of wl0_akm before giving up on nas.
nas command line options
Security disabled
nas -P /tmp/nas.lan.pid -l br0 -H 34954
Security WPA-PSK TKIP
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 4 -k -s linksys -w 2 -g 3600
Security WPA-PSK AES
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 4 -k -s linksys -w 4 -g 3600
Security WPA-PSK TKIP+AES
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 4 -k -s linksys -w 6 -g 3600
Security WPA-RADIUS-TKIP
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 2 -r -s linksys -w 2 -g 3600 -h -p 1812 -t 36000
Security WPA2-PSK-TKIP
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 128 -k -s linksys -w 2 -g 3600
Security WPA2-RADIUS-TKIP
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 64 -r -s linksys -w 2 -g 3600 -h -p 1812 -t 36000
Security WPA2-RADIUS-AES
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 64 -r -s linksys -w 4 -g 3600 -h -p 1812 -t 36000
Security WPA2-PSK-TKIP Mixed
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 132 -k -s linksys -w 2 -g 3600
Security WPA2-RADIUS-TKIP Mixed
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 66 -r -s linksys -w 2 -g 3600 -h -p 1812 -t 36000
Security WEP64bit-RADIUS
nas -P /tmp/nas.lan.pid -l br0 -H 34954 -i eth1 -A -m 32 -r -s linksys -w 1 -I 1 -K -h -p 1812 -t 36000
Security WEP64bit (same as security disabled and nas daemon is not running)
nas -P /tmp/nas.lan.pid -l br0 -H 34954
nas command options
The usage for nas is:
```
Usage: nas [options]
  -l  LAN interface name
  -i  Wireless interface name
  -k  WPA share-key
  -m  2 - WPA
      4 - PSK
      32 - 802.1X
      64 - WPA2
      66 - WPA WPA2
      128 - PSK2
      132 - PSK PSK2
  -g  WPA GTK rotation interval
  -h  RADIUS server IP address
  -r  RADIUS secret
  -p  RADIUS server authentication UDP port
  -s  SSID
  -w  1 - WEP
      2 - TKIP
      4 - AES
      6 - AES+TKIP
  -P  nas pid file
  -I  WEP key index
  -K  WEP share key
  -H  UDP port on which to listen to requests
  -t  ??????
```
The -l option must be present first, followed by the -i ... options for each wireless interface.
On the "Supplicant"/"Client" side the -l option can't be used.
-S|-A selects the role: -A for Authenticator (NAS), -S for Supplicant.
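The wl0_akm and wl0_crypto values from the configuration table correspond to the -m and -w codes in the usage listing; the combined codes (66, 132) are the bitwise OR of the single ones. The following shell functions are an added example, not the S41wpa script or any OpenWrt code, and the function names are hypothetical. They translate the two nvram values into the matching options and reject any value the tables on this page do not list.

```sh
#!/bin/sh
# Added example (hypothetical helper names, not OpenWrt's S41wpa code).
# Translates wl0_akm / wl0_crypto values into the nas -m / -w codes
# listed on this page.

# nas_auth_mask "psk psk2" -> 132
nas_auth_mask() {
    mask=0
    for akm in $1; do
        case "$akm" in
            wpa)  bit=2 ;;
            psk)  bit=4 ;;
            wpa2) bit=64 ;;
            psk2) bit=128 ;;
            *)    return 1 ;;          # token not in the wl0_akm table
        esac
        mask=$((mask | bit))
    done
    # Accept only combinations the page lists for wl0_akm; this rejects
    # an empty value and PSK/RADIUS mixes such as "psk wpa2" (68).
    case "$mask" in
        2|4|64|66|128|132) echo "$mask" ;;
        *) return 1 ;;
    esac
}

# nas_crypto_code "aes+tkip" -> 6
nas_crypto_code() {
    case "$1" in
        tkip)     echo 2 ;;
        aes)      echo 4 ;;
        aes+tkip) echo 6 ;;
        *)        return 1 ;;
    esac
}

# nas_mode_args AKM CRYPTO -> "-m <n> -w <n>", or non-zero on bad input
nas_mode_args() {
    m=$(nas_auth_mask "$1") || { echo "bad wl0_akm: '$1'" >&2; return 1; }
    w=$(nas_crypto_code "$2") || { echo "bad wl0_crypto: '$2'" >&2; return 1; }
    echo "-m $m -w $w"
}

# On the router: nas_mode_args "$(nvram get wl0_akm)" "$(nvram get wl0_crypto)"
```

Comparing the result with the -m and -w values of the running nas process shows whether the daemon was started with the mode the nvram settings ask for.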
More info
For more detail please read forum post http://forum.openwrt.org/viewtopic.php?id=1836
For more detail about "Supplicant"/"Client" mode see http://forum.openwrt.org/viewtopic.php?pid=10703
Unfortunately nas often (particularly in supplicant mode) seems to fail without giving an error; it simply does not work. Sometimes trying all the permutations of WPA/WPA2 and AES/TKIP/AES+TKIP works, sometimes it does not. Better debugging facilities seem desperately needed. Also see http://forum.openwrt.org/viewtopic.php?pid=31430
oldwiki/openwrtdocs/nas.txt · Last modified: 2009/04/23 12:41 (external edit)