Diff for /wikisrc/tutorials/how_to_use_wpa_supplicant.mdwn between versions 1.2 and 1.3

version 1.2, 2012/02/05 07:14:36 version 1.3, 2016/04/14 20:10:26
Line 2 Line 2
   
 [[!toc]]  [[!toc]]
   
 #  What is WPA ?   #  What is WPA/WPA2?
   
 Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA has been supported since NetBSD 4.0. NetBSD uses [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current), a cross-platform framework for WPA.   [Wi-Fi Protected Access (WPA)](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access)
    and Wi-Fi Protected Accesss II (WPA2) are 802.11 wireless
    authentication and encryption standards, the successors to the simpler
    [Wired Equivalent Privacy (WEP)](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy).
   Most "closed" or "locked" 802.11 wireless networks use WPA/WPA2
    authentication.
   On NetBSD, the [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)
    daemon handles WPA/WPA2.
   
   To configure WPA/WPA2, you must create the file
    [`/etc/wpa_supplicant.conf`](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current).
   The simplest case is a network, say `my favourite network`, with a
    fixed passphrase, say `hunter2`.
   For this case, fill your `/etc/wpa_supplicant.conf` file with:
   
      ctrl_interface=/var/run/wpa_supplicant
      ctrl_interface_group=wheel
      network={
              ssid="my favourite network"
              psk="hunter2"
      }
   
   Then enable wpa_supplicant on your network interface device, say
    `iwn0`, by editing [`/etc/rc.conf`](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)
    to add
   
      wpa_supplicant=YES
      wpa_supplicant_flags="${wpa_supplicant_flags} -i iwn0"
   
   If your LAN is configured with DHCP, you will likely also want
    `dhcpcd=YES` in `/etc/rc.conf` to run [dhcpcd](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current).
   Then start wpa_supplicant with the shell command:
   
      # /etc/rc.d/wpa_supplicant start
   
   or reboot for the change to take effect.
   
   You can query the current status of WPA/WPA2 with the shell command:
   
      # wpa_cli status
   
   If you want to configure more 802.11 networks, add more `network`
    stanzas to `/etc/wpa_supplicant.conf`, and notify wpa_supplicant of
    them:
   
      # /etc/rc.d/wpa_supplicant reload
   
   #  Do not wait for lease; useful if no network is within reach, so boot will not hang
   
   For a typical laptop, you will usually want to use DHCP to get an IP
    address on any network you're on, but you won't always be on the
    network.
   In that case, when you're booting up, you don't want to have to wait
    until you can associate with the network and get a DHCP lease.
   You can pass the `-b` flag to
    [dhcpcd](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current)
    to make it immediately go into the background, by setting
    `dhcpcd_flags` in `/etc/rc.conf`:
   
      dhcpcd_flags="${dhcpcd_flags} -b"
   
   #  Other Network Configurations
   
   wpa_supplicant can also connect to other wireless network
    configurations.
   These networks can be given different priorities using the `priority`
    field, with a higher number indicating a higher priority.
   
   ##  Hidden Networks
   
   If the network is hidden, so that the access point does not broadcast
    its presence, you must specify the `scan_ssid=1` option:
   
      network={
              ssid="my network"
              scan_ssid=1
              psk="sekret"
      }
   
   ##  Open Networks
   
      network={
              ssid="MYUNPROTECTEDWLAN"
              key_mgmt=NONE
              priority=100
      }
   
   ##  WEP encryption
   
   WEP is the weakest of current 802.11 encryption solutions.
   It is known to be completely broken: breaking WEP can be done in mere
    seconds.
   However, sometimes there is a need to use WEP in legacy networks.
   Here is a configuration if you want to do it with wpa_supplicant:
   
      network={
              ssid="MYWEAKLYENCRYPTEDWLAN"
              key_mgmt=NONE
              wep_key0="12345"  # or 13 characters, or a hexkey starting with 0x
              wep_tx_keyidx=0
      }
   
   Note that you have to use wpa_supplicant to configure WEP: you can also
    simply use
    [ifconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ifconfig+8+NetBSD-current):
   
      ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345
   
   ##  Password-Authenticated MSCHAPv2
   
   This seems to be a common configuration for password-authenticated networks:
   
      network={
              ssid="WLANSSID"
              key_mgmt=IEEE8021X
              eap=PEAP
              phase2="auth=MSCHAPV2"
              identity="login"
              password="password"
      }
   
   #  See also
 For setting up WPA, create the file `/etc/wpa_supplicant.conf` and paste following code, replacing your own SSID and Key:   
       
     network={  
             ssid="MYWLAN"  
             scan_ssid=1  
             key_mgmt=WPA-PSK  
             psk="MySecretPassphrase"  
     }  
       
   
 It's important to set your exact SSID and of course your exact key. Both are case sensitive. For additional parameters in the configuration file, please refer to the manual page [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current).   
   
   
 For setting WPA up with [dhclient(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhclient+8+NetBSD-current), make the configuration in [rc.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?rc.conf+5+NetBSD-current) as follows:   
       
     dhclient=YES  
     # Do not wait for lease; useful if no network is within reach, so boot will not hang  
     dhclient_flags="-nw"  
     wpa_supplicant=YES  
     wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"  
       
   
 Also, note that _wpa_supplicant_ lives in `/usr/sbin`. Depending on your file system layout, you may need to add `/usr` to the `critical_filesystems_local` override in `/etc/rc.conf`. Example:   
       
     critical_filesystems_local="/var /usr"  
       
   
 That's it. Now you can start _wpa_supplicant_ with `/etc/rc.d/wpa_supplicant start`, then restart your network with `/etc/rc.d/network restart`.   
   
 #  Using _dhcpcd_ instead of _dhclient_  
   
 In NetBSD 5.0, you can also put a new line in `/etc/ifconfig.ath0` that mentions dhcp:   
       
     up  
     dhcp  
       
   
 This will bring the interface up and start [dhcpcd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current), the new DHCP client daemon. If you do this, you can remove _dhclient_ from your configuration and change the `dhclient_flags` to `dhcpcd_flags`:   
       
   
 # Do not wait for lease; useful if no network is within reach, so boot will not hang  
     dhcpcd_flags="-q -b"  
     wpa_supplicant=YES  
     wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"  
       
   
 #  Adding a new network   
   
 With the above setup, all you have to do is add the configuration to your `wpa_supplicant.conf` and then tell wpa_supplicant to reload its config:   
       
     wpa_cli reconfigure  
       
   
 That's it. With   
       
     wpa_cli status  
       
   
 you can track the status, and see if it authenticates. If you wait a moment, _dhcpcd_ will pick up the change and automatically obtain a new lease.   
   
 If the `wpa_cli` command generates a "Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory" error, make sure you set the `ctrl_interface` parameter in the [wpa_supplicant.conf(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+8+NetBSD-current) as:   
       
   
     ctrl_interface=/var/run/wpa_supplicant  
     ctrl_interface_group=wheel  
       
   
 #  Other Network Configurations   
   
 _wpa_supplicant_ can also connect to other network configurations. These configurations can be given different priorities using the `priority` field, with a higher number indicating a higher priority.   
   
 ##  Unprotected Networks   
       
     network={  
         ssid="MYUNPROTECTEDWLAN"  
         scan_ssid=1  
         key_mgmt=NONE  
         priority=100  
     }  
       
   
 ##  WEP encryption   
   
 WEP is the weakest of current 802.11 encryption solutions. It is known to be completely broken; breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks. Here is a configuration if you want to do it with _wpa_supplicant_:   
       
     network={  
             ssid="MYWEAKLYENCRYPTEDWLAN"  
             key_mgmt=NONE  
             wep_key0="12345"  # or 13 characters, or a hexkey starting with 0x  
             wep_tx_keyidx=0  
     }  
       
   
 Oddly enough, the `wep_key0` and `wep_tx_keyidx` seem to be undocumented in [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)...   
   
   
 You don't have to use wpa_supplicant to do it, though. With [[basics/ifconfig]] you can do it just as easily:   
   
   
 ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345  
       
   
 ##  Password-Authenticated MSCHAPv2   
   
 This seems to be a common configuration for password-authenticated networks:   
       
     network={  
         ssid="WLANSSID"  
         key_mgmt=IEEE8021X  
         eap=PEAP  
         phase2="auth=MSCHAPV2"  
         identity="login"  
         password="password"  
     }  
       
   
     
   
   
 ##  WPA2   
   
 **Step 0:** for NetBSD 5.0.1 use wpa_passphrase() to create a basic configuration:   
       
     wpa_passphrase My_world My_secret | tee /etc/wpa_supplicant.conf | nl  
         1  network={  
         2          ssid="My_world"  
         3          #psk="My_secret"  
         4          psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b  
         5  }  
       
   
 **Step 1:** and add the following changes marked by (+)   
       
     +ap_scan=1  
     +ctrl_interface=/var/run/wpa_supplicant  
     +ctrl_interface_group=0  
     +  
     network={  
     +       scan_ssid=1  
     +       proto=RSN WPA  
     +       key_mgmt=WPA-PSK  
     +       pairwise=CCMP TKIP  
     +       group=CCMP TKIP  
            ssid="My_world"  
            #psk="My_secret"  
            psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b  
      }  
     +  
       
   
 **Step 2:** and add the following to ifconfig.INTERFACE_NAME with your own address values   
       
     cat -n /etc/ifconfig.wpi0  
         1  inet 192.168.1.23 netmask 255.255.255.0  
         2  !route add default 192.168.1.254  
       
   
 **Step 3:** and add the following to /etc/defaults/rc.conf   
       
     fgrep -i wpa /etc/defaults/rc.conf | nl  
         1  # WPA daemons.  
         2  wpa_supplicant=YES  
         3  wpa_supplicant_flags="-B -i wpi0 -c /etc/wpa_supplicant.conf"  
       
   
 #  See also   
   
   * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)    * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)
   * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)    * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)
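Review bot: The example passphrases in the added text are too short to work. `psk="hunter2"` in the first `network` stanza is 7 characters and `psk="sekret"` under "Hidden Networks" is 6, while a WPA/WPA2 passphrase must be 8 to 63 characters, so wpa_supplicant will reject both stanzas as written; use placeholder passphrases of at least 8 characters. In the same added text, the `/etc/rc.conf` link points at the `wpa_supplicant.conf+5` man page instead of rc.conf(5), which the removed v1.2 text linked correctly. The WEP paragraph now reads "Note that you have to use wpa_supplicant to configure WEP: you can also simply use ifconfig(8)", which contradicts itself and has lost the "don't" of the removed sentence. "Wi-Fi Protected Accesss II" has a typo. Since this revision drops the `wpa_passphrase` step and every remaining example keeps the passphrase or password in clear text, it would also help to state that `/etc/wpa_supplicant.conf` should be readable by root only.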



CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb