--- wikisrc/tutorials/how_to_use_wpa_supplicant.mdwn 2011/11/21 03:22:58 1.1 +++ wikisrc/tutorials/how_to_use_wpa_supplicant.mdwn 2012/02/05 07:14:36 1.2 
@@ -1,179 +1,179 @@ -**Contents** - -[[!toc]] - -# What is WPA ? - -Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA has been supported since NetBSD 4.0. NetBSD uses [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current), a cross-platform framework for WPA. - - -For setting up WPA, create the file `/etc/wpa_supplicant.conf` and paste following code, replacing your own SSID and Key: - - network={ - ssid="MYWLAN" - scan_ssid=1 - key_mgmt=WPA-PSK - psk="MySecretPassphrase" - } - - -It's important to set your exact SSID and of course your exact key. Both are case sensitive. For additional parameters in the configuration file, please refer to the manual page [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current). - - -For setting WPA up with [dhclient(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhclient+8+NetBSD-current), make the configuration in [rc.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?rc.conf+5+NetBSD-current) as follows: - - dhclient=YES - # Do not wait for lease; useful if no network is within reach, so boot will not hang - dhclient_flags="-nw" - wpa_supplicant=YES - wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf" - - -Also, note that _wpa_supplicant_ lives in `/usr/sbin`. Depending on your file system layout, you may need to add `/usr` to the `critical_filesystems_local` override in `/etc/rc.conf`. Example: - - critical_filesystems_local="/var /usr" - - -That's it. Now you can start _wpa_supplicant_ with `/etc/rc.d/wpa_supplicant start`, then restart your network with `/etc/rc.d/network restart`. - -# Using _dhcpcd_ instead of _dhclient_ - -In NetBSD 5.0, you can also put a new line in `/etc/ifconfig.ath0` that mentions dhcp: - - up - dhcp - - -This will bring the interface up and start [dhcpcd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current), the new DHCP client daemon. 
If you do this, you can remove _dhclient_ from your configuration and change the `dhclient_flags` to `dhcpcd_flags`: - - -# Do not wait for lease; useful if no network is within reach, so boot will not hang - dhcpcd_flags="-q -b" - wpa_supplicant=YES - wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf" - - -# Adding a new network - -With the above setup, all you have to do is add the configuration to your `wpa_supplicant.conf` and then tell wpa_supplicant to reload its config: - - wpa_cli reconfigure - - -That's it. With - - wpa_cli status - - -you can track the status, and see if it authenticates. If you wait a moment, _dhcpcd_ will pick up the change and automatically obtain a new lease. - -If the `wpa_cli` command generates a "Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory" error, make sure you set the `ctrl_interface` parameter in the [wpa_supplicant.conf(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+8+NetBSD-current) as: - - - ctrl_interface=/var/run/wpa_supplicant - ctrl_interface_group=wheel - - -# Other Network Configurations - -_wpa_supplicant_ can also connect to other network configurations. These configurations can be given different priorities using the `priority` field, with a higher number indicating a higher priority. - -## Unprotected Networks - - network={ - ssid="MYUNPROTECTEDWLAN" - scan_ssid=1 - key_mgmt=NONE - priority=100 - } - - -## WEP encryption - -WEP is the weakest of current 802.11 encryption solutions. It is known to be completely broken; breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks. 
Here is a configuration if you want to do it with _wpa_supplicant_: - - network={ - ssid="MYWEAKLYENCRYPTEDWLAN" - key_mgmt=NONE - wep_key0="12345" # or 13 characters, or a hexkey starting with 0x - wep_tx_keyidx=0 - } - - -Oddly enough, the `wep_key0` and `wep_tx_keyidx` seem to be undocumented in [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)... - - -You don't have to use wpa_supplicant to do it, though. With [[basics/ifconfig]] you can do it just as easily: - - -ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345 - - -## Password-Authenticated MSCHAPv2 - -This seems to be a common configuration for password-authenticated networks: - - network={ - ssid="WLANSSID" - key_mgmt=IEEE8021X - eap=PEAP - phase2="auth=MSCHAPV2" - identity="login" - password="password" - } - - - - - -## WPA2 - -**Step 0:** for NetBSD 5.0.1 use wpa_passphrase() to create a basic configuration: - - wpa_passphrase My_world My_secret | tee /etc/wpa_supplicant.conf | nl - 1 network={ - 2 ssid="My_world" - 3 #psk="My_secret" - 4 psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b - 5 } - - -**Step 1:** and add the following changes marked by (+) - - +ap_scan=1 - +ctrl_interface=/var/run/wpa_supplicant - +ctrl_interface_group=0 - + - network={ - + scan_ssid=1 - + proto=RSN WPA - + key_mgmt=WPA-PSK - + pairwise=CCMP TKIP - + group=CCMP TKIP - ssid="My_world" - #psk="My_secret" - psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b - } - + - - -**Step 2:** and add the following to ifconfig.INTERFACE_NAME with your own address values - - cat -n /etc/ifconfig.wpi0 - 1 inet 192.168.1.23 netmask 255.255.255.0 - 2 !route add default 192.168.1.254 - - -**Step 3:** and add the following to /etc/defaults/rc.conf - - fgrep -i wpa /etc/defaults/rc.conf | nl - 1 # WPA daemons. 
- 2 wpa_supplicant=YES - 3 wpa_supplicant_flags="-B -i wpi0 -c /etc/wpa_supplicant.conf" - - -# See also - - * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current) - * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current) - * [Official wpa_supplicant site](http://hostap.epitest.fi/wpa_supplicant/) +**Contents** + +[[!toc]] + +# What is WPA ? + +Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA has been supported since NetBSD 4.0. NetBSD uses [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current), a cross-platform framework for WPA. + + +For setting up WPA, create the file `/etc/wpa_supplicant.conf` and paste following code, replacing your own SSID and Key: + + network={ + ssid="MYWLAN" + scan_ssid=1 + key_mgmt=WPA-PSK + psk="MySecretPassphrase" + } + + +It's important to set your exact SSID and of course your exact key. Both are case sensitive. For additional parameters in the configuration file, please refer to the manual page [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current). + + +For setting WPA up with [dhclient(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhclient+8+NetBSD-current), make the configuration in [rc.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?rc.conf+5+NetBSD-current) as follows: + + dhclient=YES + # Do not wait for lease; useful if no network is within reach, so boot will not hang + dhclient_flags="-nw" + wpa_supplicant=YES + wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf" + + +Also, note that _wpa_supplicant_ lives in `/usr/sbin`. Depending on your file system layout, you may need to add `/usr` to the `critical_filesystems_local` override in `/etc/rc.conf`. Example: + + critical_filesystems_local="/var /usr" + + +That's it. 
Now you can start _wpa_supplicant_ with `/etc/rc.d/wpa_supplicant start`, then restart your network with `/etc/rc.d/network restart`. + +# Using _dhcpcd_ instead of _dhclient_ + +In NetBSD 5.0, you can also put a new line in `/etc/ifconfig.ath0` that mentions dhcp: + + up + dhcp + + +This will bring the interface up and start [dhcpcd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current), the new DHCP client daemon. If you do this, you can remove _dhclient_ from your configuration and change the `dhclient_flags` to `dhcpcd_flags`: + + +# Do not wait for lease; useful if no network is within reach, so boot will not hang + dhcpcd_flags="-q -b" + wpa_supplicant=YES + wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf" + + +# Adding a new network + +With the above setup, all you have to do is add the configuration to your `wpa_supplicant.conf` and then tell wpa_supplicant to reload its config: + + wpa_cli reconfigure + + +That's it. With + + wpa_cli status + + +you can track the status, and see if it authenticates. If you wait a moment, _dhcpcd_ will pick up the change and automatically obtain a new lease. + +If the `wpa_cli` command generates a "Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory" error, make sure you set the `ctrl_interface` parameter in the [wpa_supplicant.conf(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+8+NetBSD-current) as: + + + ctrl_interface=/var/run/wpa_supplicant + ctrl_interface_group=wheel + + +# Other Network Configurations + +_wpa_supplicant_ can also connect to other network configurations. These configurations can be given different priorities using the `priority` field, with a higher number indicating a higher priority. + +## Unprotected Networks + + network={ + ssid="MYUNPROTECTEDWLAN" + scan_ssid=1 + key_mgmt=NONE + priority=100 + } + + +## WEP encryption + +WEP is the weakest of current 802.11 encryption solutions. 
It is known to be completely broken; breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks. Here is a configuration if you want to do it with _wpa_supplicant_: + + network={ + ssid="MYWEAKLYENCRYPTEDWLAN" + key_mgmt=NONE + wep_key0="12345" # or 13 characters, or a hexkey starting with 0x + wep_tx_keyidx=0 + } + + +Oddly enough, the `wep_key0` and `wep_tx_keyidx` seem to be undocumented in [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)... + + +You don't have to use wpa_supplicant to do it, though. With [[basics/ifconfig]] you can do it just as easily: + + +ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345 + + +## Password-Authenticated MSCHAPv2 + +This seems to be a common configuration for password-authenticated networks: + + network={ + ssid="WLANSSID" + key_mgmt=IEEE8021X + eap=PEAP + phase2="auth=MSCHAPV2" + identity="login" + password="password" + } + + + + + +## WPA2 + +**Step 0:** for NetBSD 5.0.1 use wpa_passphrase() to create a basic configuration: + + wpa_passphrase My_world My_secret | tee /etc/wpa_supplicant.conf | nl + 1 network={ + 2 ssid="My_world" + 3 #psk="My_secret" + 4 psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b + 5 } + + +**Step 1:** and add the following changes marked by (+) + + +ap_scan=1 + +ctrl_interface=/var/run/wpa_supplicant + +ctrl_interface_group=0 + + + network={ + + scan_ssid=1 + + proto=RSN WPA + + key_mgmt=WPA-PSK + + pairwise=CCMP TKIP + + group=CCMP TKIP + ssid="My_world" + #psk="My_secret" + psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b + } + + + + +**Step 2:** and add the following to ifconfig.INTERFACE_NAME with your own address values + + cat -n /etc/ifconfig.wpi0 + 1 inet 192.168.1.23 netmask 255.255.255.0 + 2 !route add default 192.168.1.254 + + +**Step 3:** and add the following to /etc/defaults/rc.conf + + fgrep -i wpa /etc/defaults/rc.conf | nl + 1 # WPA daemons. 
+ 2 wpa_supplicant=YES + 3 wpa_supplicant_flags="-B -i wpi0 -c /etc/wpa_supplicant.conf" + + +# See also + + * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current) + * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current) + * [Official wpa_supplicant site](http://hostap.epitest.fi/wpa_supplicant/)
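Review bot: In the WPA2 section, Step 0 pipes `wpa_passphrase My_world My_secret` through `tee` into `/etc/wpa_supplicant.conf`, which leaves the cleartext passphrase in the file as the `#psk="My_secret"` comment (repeated in the Step 1 listing), and nothing in the tutorial tells the reader to restrict the file's permissions. I would drop the `#psk=` line from both listings and add a step that makes the file readable by root only (for example `chmod 600 /etc/wpa_supplicant.conf`), since the earlier examples also store `psk="MySecretPassphrase"` and the PEAP `password="password"` in it. As far as the visible lines show, the `+` side repeats the `-` side without any text change, so the remaining defects are carried over as they were and could be fixed in the same revision: Step 3 edits `/etc/defaults/rc.conf` while the first section puts the same variables in `/etc/rc.conf`; the link text `wpa_supplicant.conf(8)` should read section 5, as in "See also"; `wpa_passphrase()` is a command, not a function; `ctrl_interface_group` is `wheel` in one listing and `0` in the other; and the lines `# Do not wait for lease; ...` (dhcpcd section) and `ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345` have no leading indentation, so the first renders as a heading and the second as body text instead of code. If the change is whitespace or line endings only, the commit message should say so.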