How do I connect to a WPA wifi network using the command line?

iw (list/config) can only handle WEP.

You need the wpasupplicant package which provides the wpa_supplicant command, install if necessary through sudo apt-get install wpasupplicant.

You put your SSID and password into /etc/wpa_supplicant.conf (requires sudo).

Example:

network={
    ssid="ssid_name"
    psk="password"
}

Assuming your interface is wlan0 you can connect with:

sudo wpa_supplicant -B -i wlan0 -c /etc/wpa_supplicant.conf -D wext
sudo dhclient wlan0

"wext" is a driver and that will be specific for each card; refer to wpa_supplicant -h. Examples:

hostap (default) Host AP driver (Intersil Prism2/2.5/3). (this can also be used with Linuxant DriverLoader).
hermes Agere Systems Inc. driver (Hermes-I/Hermes-II).
madwifi MADWIFI 802.11 support (Atheros, etc.).
atmel ATMEL AT76C5XXx (USB, PCMCIA).
wext Linux wireless extensions (generic).
ndiswrapper Linux ndiswrapper.
broadcom Broadcom wl.o driver.
ipw Intel ipw2100/2200 driver.
wired wpa_supplicant wired Ethernet driver
roboswitch wpa_supplicant Broadcom switch driver
bsd BSD 802.11 support (Atheros, etc.).
ndis Windows NDIS driver.

This link shows it all and worked fine for me: http://linux.icydog.net/wpa.php

I'm copying the contents here, so we have it, in case that site goes offline.

Command line WPA

Sometimes you'll be at a command line with no access to GUI networking tools -- but your access point is secured with WPA. What do you do?

Assuming your wireless card actually works (i.e. iwconfig can see it and interact with it), using wpa_supplicant is actually pretty simple. Installing wpa_supplicant

Most distros nowadays have wpa_supplicant installed by default. If you have the commands wpa_passphrase and wpa_supplicant available, then you're good to go. Otherwise, you will need to install the package by doing something like (for Ubuntu):

$ sudo apt-get install wpasupplicant

Or (for Fedora):

# yum install wpa_supplicant

Or whatever the command is for your distro.

Generating the config file

Now that wpa_supplicant is installed, we will create its configuration file. Once you know the SSID and WPA passphrase, all you have to do is run:

$ wpa_passphrase myrouter mypassphrase > wpa.conf

Of course, replace "myrouter" with the SSID of your router, "mypassphrase" with your WPA passphrase, and "wpa.conf" with whatever file you want to store the configuration in. This filename does not have to follow a particular format or have a particular extension.

Alternatively, to avoid typing the passphrase on the command line (so it doesn't get saved in the shell's history), you can specify just the SSID on the command line. wpa_passphrase will wait for you to type in the passphrase followed by enter:

$ wpa_passphrase myrouter > wpa.conf
mypassphrase

You should end up with a file looking like this:

network={
    ssid="myrouter"
    #psk="mypassphrase"
    psk=8ada1f8dbea59704ac379538b4d9191f6a72390581b4cd7a72864cea685b1a7f
}

Getting connected

Now we will actually run wpa_supplicant to connect to the wireless network. First, if your router broadcasts its SSID (they all do by default), you probably want to make sure your wireless card can actually see it:

$ iwlist scan

You might have to run that as root to force a refresh.

Next, you will need to know three pieces of information:

1. Which wpa_supplicant wireless drivers to use for your card. Running wpa_supplicant --help lists the different drivers it has (under "drivers:"). As of 0.5.8, the useful choices are: wext, hostap, madwifi, atmel, ndiswrapper, and ipw (ipw is for old kernels only; >=2.6.13 should use wext). If you don't see a specific match for your card, try wext, as that's kind of the catch-all.
2. The network device of your card. This is usually eth1 or wlan0, but if you're unsure you can just run iwconfig. It will report "no wireless extensions" for non-wireless devices and will display some data for any wireless devices.
3. The path to the configuration file that you created in the previous step.

Now that you have this data, run (as root):

# wpa_supplicant -D[driver] -i[device] -c[/path/to/config]

There are no spaces between the options and parameters. Don't include the brackets as I just added those for clarity. For example, for my laptop it looks like this:

# wpa_supplicant -Dwext -ieth1 -c/root/wpa.conf

You can also run it in the background by using the -B option so that it doesn't take up your console.

Now you're associated with the network.

Getting online

To actually get online, you'll have to get an IP somehow. Most people will just want to get a dynamic IP from a DHCP server, probably the one built into the router. (I'm not going to cover setting a static IP and routing table because that's a beast in itself.)

To get a DHCP lease, first release whatever leases you're still holding onto (as root):

# dhclient -r

Then ask for a new lease (of course replacing eth1 with the name of your network device, the same one as you used in the previous section):

# dhclient eth1

You now have an IP, in theory at least. Happy surfing!

Debian and other distros have wpa_suplicant running as a service by default in order to manage the wifi networks. wpa_suplicant can be handled by different clients/front-ends such as the network manager GUI. This is better explained in this debian wiki.

wpa_cli is the command line wpa_suplicant client to manage the wifi networks.

Edit: I have just found this post explaining how to use nmcli and it is much better than wpa_cli since it is compatible with the GUI Network Manager and their settings and saved wifi networks.

Example of use of wpa_cli:

Check that I already have a wifi enabled network interface:

# iwconfig
wlan0     IEEE 802.11bgn  ESSID:off/any  
          Mode:Managed  Access Point: Not-Associated   Tx-Power=22 dBm   
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:on

Check if wpa_suplicant process is running:

# ps -e | grep wpa
1881 ?        00:00:07 wpa_supplicant

Enter in wpa client interactive mode:

# wpa_cli

List available access points:

> scan
> scan_results

... and you get something like this:

bssid / frequency / signal level / flags / ssid
e0:60:66:7c:81:7f       2417    -66     [WPA2-PSK-CCMP][ESS]    vodafone817E
e0:60:66:61:83:4b       2452    -76     [WPA2-PSK-CCMP][WPS][ESS]       vodafone834A
f8:8e:85:c5:65:c2       2462    -76     [WPA-PSK-CCMP+TKIP][WPS][ESS]   MOVISTAR_65C1
a8:d3:f7:46:0c:be       2472    -83     [WPA-PSK-CCMP+TKIP][WPA2-PSK-CCMP+TKIP][WPS][ESS]       Orange-0CBC
...

Add your AP:

> add_network
> set_network 0 ssid "vodafone817E"
> set_network 0 psk "my-pass-phrase"

Select it as current:

> enable_network 0

Connect to it:

> reconnect

Check the status:

> status

Exit wpa_cli:

> quit

From the shell, request DHCP for an IP and net settings:

# dhclient -r
# dhclient wlan0