Diff for /wikisrc/tutorials/how_to_use_wpa_supplicant.mdwn between versions 1.2 and 1.5

version 1.2, 2012/02/05 07:14:36 version 1.5, 2016/04/14 20:33:04
Line 2 Line 2
   
 [[!toc]]  [[!toc]]
   
 #  What is WPA ?   #  What is WPA/WPA2?
   
 Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA has been supported since NetBSD 4.0. NetBSD uses [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current), a cross-platform framework for WPA.   [Wi-Fi Protected Access (WPA)](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access)
    and Wi-Fi Protected Accesss II (WPA2) are 802.11 wireless
    authentication and encryption standards, the successors to the simpler
    [Wired Equivalent Privacy (WEP)](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy).
   Most "closed" or "locked" 802.11 wireless networks use WPA/WPA2
    authentication.
   On NetBSD, the [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)
    daemon handles WPA/WPA2.
   
   To configure WPA/WPA2, you must create the file
    [`/etc/wpa_supplicant.conf`](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current).
   You can find examples for `/etc/wpa_supplicant.conf` in
    `/usr/share/examples/wpa_supplicant/wpa_supplicant.conf`.
   The simplest case is a network, say `my favourite network`, with a
    fixed passphrase, say `hunter2`.
   For this case, fill your `/etc/wpa_supplicant.conf` file with:
   
       ctrl_interface=/var/run/wpa_supplicant
 For setting up WPA, create the file `/etc/wpa_supplicant.conf` and paste following code, replacing your own SSID and Key:       ctrl_interface_group=wheel
       
     network={      network={
             ssid="MYWLAN"              ssid="my favourite network"
             scan_ssid=1              psk="hunter2"
             key_mgmt=WPA-PSK  
             psk="MySecretPassphrase"  
     }      }
       
   
 It's important to set your exact SSID and of course your exact key. Both are case sensitive. For additional parameters in the configuration file, please refer to the manual page [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current).   
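Review bot: `psk="hunter2"` in the new first example is 7 characters, and wpa_supplicant only accepts a quoted WPA passphrase of 8 to 63 characters, so the sample file as written will be rejected when it is parsed. Use a placeholder of at least 8 characters here, and likewise for `psk="sekret"` in the Hidden Networks example. Since the file now carries a cleartext passphrase, consider adding a line telling readers to make `/etc/wpa_supplicant.conf` readable by root only. Minor: "Accesss" in the new intro has an extra "s".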
   
   Then enable wpa_supplicant on your network interface device, say
    `iwn0`, by editing [`/etc/rc.conf`](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)
    to add
   
 For setting WPA up with [dhclient(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhclient+8+NetBSD-current), make the configuration in [rc.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?rc.conf+5+NetBSD-current) as follows:   
       
     dhclient=YES  
     # Do not wait for lease; useful if no network is within reach, so boot will not hang  
     dhclient_flags="-nw"  
     wpa_supplicant=YES      wpa_supplicant=YES
     wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"      wpa_supplicant_flags="${wpa_supplicant_flags} -i iwn0"
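Review bot: the new `/etc/rc.conf` link in the sentence introducing this block points at the `wpa_supplicant.conf+5` man page; version 1.2 linked `rc.conf+5`, which is the right target. Also, the new flags line only appends `-i iwn0` to `${wpa_supplicant_flags}`, so it would help to state what the default flags already provide, given that the explicit `-B` and `-c /etc/wpa_supplicant.conf` from 1.2 are gone.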
       
   
 Also, note that _wpa_supplicant_ lives in `/usr/sbin`. Depending on your file system layout, you may need to add `/usr` to the `critical_filesystems_local` override in `/etc/rc.conf`. Example:   If your LAN is configured with DHCP, you will likely also want
        `dhcpcd=YES` in `/etc/rc.conf` to run [dhcpcd](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current).
     critical_filesystems_local="/var /usr"  Then start wpa_supplicant with the shell command:
       
   
 That's it. Now you can start _wpa_supplicant_ with `/etc/rc.d/wpa_supplicant start`, then restart your network with `/etc/rc.d/network restart`.       # /etc/rc.d/wpa_supplicant start
   
 #  Using _dhcpcd_ instead of _dhclient_  or reboot for the change to take effect.
   
 In NetBSD 5.0, you can also put a new line in `/etc/ifconfig.ath0` that mentions dhcp:   You can query the current status of WPA/WPA2 with the shell command:
       
     up  
     dhcp  
       
   
 This will bring the interface up and start [dhcpcd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current), the new DHCP client daemon. If you do this, you can remove _dhclient_ from your configuration and change the `dhclient_flags` to `dhcpcd_flags`:       # wpa_cli status
       
   
 # Do not wait for lease; useful if no network is within reach, so boot will not hang  If you want to configure more 802.11 networks, add more `network`
     dhcpcd_flags="-q -b"   stanzas to `/etc/wpa_supplicant.conf`, and notify wpa_supplicant of
     wpa_supplicant=YES   them:
     wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"  
       
   
 #  Adding a new network       # /etc/rc.d/wpa_supplicant reload
   
 With the above setup, all you have to do is add the configuration to your `wpa_supplicant.conf` and then tell wpa_supplicant to reload its config:   #  Do not wait for lease; useful if no network is within reach, so boot will not hang
       
     wpa_cli reconfigure  
       
   
 That's it. With   For a typical laptop, you will usually want to use DHCP to get an IP
        address on any network you're on, but you won't always be on the
     wpa_cli status   network.
       In that case, when you're booting up, you don't want to have to wait
    until you can associate with the network and get a DHCP lease.
   You can pass the `-b` flag to
    [dhcpcd](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current)
    to make it immediately go into the background, by setting
    `dhcpcd_flags` in `/etc/rc.conf`:
   
 you can track the status, and see if it authenticates. If you wait a moment, _dhcpcd_ will pick up the change and automatically obtain a new lease.       dhcpcd_flags="${dhcpcd_flags} -b"
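Review bot: the new top-level heading `#  Do not wait for lease; useful if no network is within reach, so boot will not hang` is the old rc.conf comment promoted to a section title, so it will appear verbatim in the `[[!toc]]`; a short title such as "Booting without waiting for a DHCP lease" would read better. The section also drops the `-q` that 1.2 passed in `dhcpcd_flags="-q -b"`; say whether that is intended.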
   
 If the `wpa_cli` command generates a "Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory" error, make sure you set the `ctrl_interface` parameter in the [wpa_supplicant.conf(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+8+NetBSD-current) as:   #  Other Network Configurations
       
   
     ctrl_interface=/var/run/wpa_supplicant  wpa_supplicant can also connect to other wireless network
     ctrl_interface_group=wheel   configurations.
       These networks can be given different priorities using the `priority`
    field, with a higher number indicating a higher priority.
   
 #  Other Network Configurations   ##  Hidden Networks
   
 _wpa_supplicant_ can also connect to other network configurations. These configurations can be given different priorities using the `priority` field, with a higher number indicating a higher priority.   If the network is hidden, so that the access point does not broadcast
    its presence, you must specify the `scan_ssid=1` option:
   
 ##  Unprotected Networks   
       
     network={      network={
         ssid="MYUNPROTECTEDWLAN"              ssid="my network"
         scan_ssid=1              scan_ssid=1
         key_mgmt=NONE              psk="sekret"
         priority=100  
     }      }
       
   
 ##  WEP encryption   ##  Open Networks
   
 WEP is the weakest of current 802.11 encryption solutions. It is known to be completely broken; breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks. Here is a configuration if you want to do it with _wpa_supplicant_:   
       
     network={      network={
             ssid="MYWEAKLYENCRYPTEDWLAN"              ssid="MYUNPROTECTEDWLAN"
             key_mgmt=NONE              key_mgmt=NONE
             wep_key0="12345"  # or 13 characters, or a hexkey starting with 0x              priority=100
             wep_tx_keyidx=0  
     }      }
       
   
 Oddly enough, the `wep_key0` and `wep_tx_keyidx` seem to be undocumented in [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)...   
   
   
 You don't have to use wpa_supplicant to do it, though. With [[basics/ifconfig]] you can do it just as easily:   ##  WEP encryption
   
   WEP is the weakest of current 802.11 encryption solutions.
   It is known to be completely broken: breaking WEP can be done in mere
    seconds.
   However, sometimes there is a need to use WEP in legacy networks.
   Here is a configuration if you want to do it with wpa_supplicant:
   
 ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345  
       
   
 ##  Password-Authenticated MSCHAPv2   
   
 This seems to be a common configuration for password-authenticated networks:   
       
     network={      network={
         ssid="WLANSSID"              ssid="MYWEAKLYENCRYPTEDWLAN"
         key_mgmt=IEEE8021X              key_mgmt=NONE
         eap=PEAP              wep_key0="12345"  # or 13 characters, or a hexkey starting with 0x
         phase2="auth=MSCHAPV2"              wep_tx_keyidx=0
         identity="login"  
         password="password"  
     }      }
       
   
     Note that you have to use wpa_supplicant to configure WEP: you can also
    simply use
    [ifconfig(8)](http://netbsd.gw.com/cgi-bin/man-cgi?ifconfig+8+NetBSD-current):
   
       ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345
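Review bot: the new sentence "Note that you have to use wpa_supplicant to configure WEP: you can also simply use ifconfig(8)" contradicts itself; 1.2 read "You don't have to use wpa_supplicant to do it", so the negation was lost in the rewrite. Suggest "Note that you don't have to use wpa_supplicant to configure WEP". The `ifconfig` example also still names `ath0` while the rest of 1.5 uses `iwn0`.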
   
 ##  WPA2   ##  Password-Authenticated MSCHAPv2
   
   This seems to be a common configuration for password-authenticated networks:
   
 **Step 0:** for NetBSD 5.0.1 use wpa_passphrase() to create a basic configuration:   
       
     wpa_passphrase My_world My_secret | tee /etc/wpa_supplicant.conf | nl  
         1  network={  
         2          ssid="My_world"  
         3          #psk="My_secret"  
         4          psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b  
         5  }  
       
   
 **Step 1:** and add the following changes marked by (+)   
       
     +ap_scan=1  
     +ctrl_interface=/var/run/wpa_supplicant  
     +ctrl_interface_group=0  
     +  
     network={      network={
     +       scan_ssid=1              ssid="WLANSSID"
     +       proto=RSN WPA              key_mgmt=IEEE8021X
     +       key_mgmt=WPA-PSK              eap=PEAP
     +       pairwise=CCMP TKIP              phase2="auth=MSCHAPV2"
     +       group=CCMP TKIP              identity="login"
            ssid="My_world"              password="password"
            #psk="My_secret"      }
            psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b  
      }  
     +  
       
   
 **Step 2:** and add the following to ifconfig.INTERFACE_NAME with your own address values   
       
     cat -n /etc/ifconfig.wpi0  
         1  inet 192.168.1.23 netmask 255.255.255.0  
         2  !route add default 192.168.1.254  
       
   
 **Step 3:** and add the following to /etc/defaults/rc.conf   
       
     fgrep -i wpa /etc/defaults/rc.conf | nl  
         1  # WPA daemons.  
         2  wpa_supplicant=YES  
         3  wpa_supplicant_flags="-B -i wpi0 -c /etc/wpa_supplicant.conf"  
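Review bot: removing the WPA2 section also removes the page's only mention of wpa_passphrase, so after this change every example keeps the passphrase in cleartext in the config file. Consider keeping a one-line pointer to wpa_passphrase for readers who prefer to store the derived `psk=` hex value instead of the passphrase itself.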
       
   
 #  See also   #  See also
   
   * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)    * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)
   * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)    * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)
