# What is WPA/WPA2?
[Wi-Fi Protected Access (WPA)](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access)
and Wi-Fi Protected Access II (WPA2) are 802.11 wireless
authentication and encryption standards, the successors to the simpler
[Wired Equivalent Privacy (WEP)](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy).
Most "closed" or "locked" 802.11 wireless networks use WPA/WPA2.

On NetBSD, the [[!template id=man name="wpa_supplicant" section="8"]]
daemon handles WPA/WPA2.
To configure WPA/WPA2, you must create the file `/etc/wpa_supplicant.conf`
([[!template id=man name="wpa_supplicant.conf" section="5"]]).
You can find examples for `/etc/wpa_supplicant.conf` in
The simplest case is a network, say `my favourite network`, with a
fixed passphrase, say `hunter2`.
For this case, fill your `/etc/wpa_supplicant.conf` file with:

    ssid="my favourite network"

Then enable wpa_supplicant on your network interface device, say
`iwn0`, by editing `/etc/rc.conf` ([[!template id=man name="rc.conf" section="5"]]):

    wpa_supplicant=YES
    wpa_supplicant_flags="-i iwn0 -c /etc/wpa_supplicant.conf"

If your LAN is configured with DHCP, you will likely also want
`dhcpcd=YES` in `/etc/rc.conf` to run [[!template id=man name="dhcpcd" section="8"]].
Then start wpa_supplicant with the shell command:

    # /etc/rc.d/wpa_supplicant start

or reboot for the change to take effect.
You can query the current status of WPA/WPA2 with the shell command:

    # wpa_cli status

If you want to configure more 802.11 networks, add more `network`
stanzas to `/etc/wpa_supplicant.conf`, and notify wpa_supplicant of

    # /etc/rc.d/wpa_supplicant reload

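
An added example, not code from the original page or from wpa_supplicant: the Python below derives the 256-bit key that a WPA/WPA2 passphrase and SSID map to (PBKDF2-HMAC-SHA1, as specified in IEEE 802.11i) and renders a `network` stanza that stores that key instead of the plaintext passphrase. The function names, the sample passphrase and the 0600 file mode are assumptions of this example; WPA passphrases must be 8 to 63 printable ASCII characters, so the sample uses a longer constructed passphrase.

```python
import hashlib
import os

def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the 256-bit WPA/WPA2 pre-shared key, as 64 hex digits."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # IEEE 802.11i: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()

def network_stanza(ssid, passphrase, priority=None, hidden=False):
    """Render one network block that stores the derived key, not the passphrase."""
    psk = wpa_psk(ssid, passphrase)
    raw = ssid.encode("utf-8")
    # Quote only plain printable SSIDs; anything else (quotes, backslashes,
    # control or non-ASCII bytes) is written in the unquoted hex form so it
    # cannot break out of the ssid field.
    if all(32 <= b <= 126 and b not in b'"\\' for b in raw):
        ssid_field = '"' + ssid + '"'
    else:
        ssid_field = raw.hex()
    lines = ["network={", "\tssid=" + ssid_field]
    if hidden:
        lines.append("\tscan_ssid=1")   # needed for hidden networks
    lines.append("\tpsk=" + psk)        # 64 hex digits, unquoted
    if priority is not None:
        lines.append("\tpriority=%d" % int(priority))
    lines.append("}")
    return "\n".join(lines) + "\n"

def write_conf(path, stanzas):
    """Write the file readable by its owner only: the derived key is still
    enough to join the network."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(fd, 0o600)            # also tighten a pre-existing file
        f.writelines(stanzas)

if __name__ == "__main__":
    # Constructed passphrase; the SSID is the one used in the text above.
    print(network_stanza("my favourite network", "correct horse battery staple", priority=5), end="")
```

The derived key is specific to the SSID, so a stanza must be regenerated if the network name changes.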
# Do not wait for lease; useful if no network is within reach, so boot will not hang
For a typical laptop, you will usually want to use DHCP to get an IP
address on any network you're on, but you won't always be on the
In that case, when you're booting up, you don't want to have to wait
until you can associate with the network and get a DHCP lease.
You can pass the `-b` flag to
[[!template id=man name="dhcpcd" section="8"]]
to make it immediately go into the background, by setting
`dhcpcd_flags` in `/etc/rc.conf`:
# Other Network Configurations
wpa_supplicant can also connect to other wireless network
These networks can be given different priorities using the `priority`
field, with a higher number indicating a higher priority.
## Hidden Networks
If the network is hidden, so that the access point does not broadcast
its presence, you must specify the `scan_ssid=1` option:
## Open Networks
## WEP encryption
WEP is the weakest of current 802.11 encryption solutions.
It is known to be completely broken: breaking WEP can be done in mere
However, sometimes there is a need to use WEP in legacy networks.
Here is a configuration if you want to do it with wpa_supplicant:

    wep_key0="12345" # or 13 characters, or an unquoted string of hex digits

Note that you don't have to use wpa_supplicant to configure WEP -- you
can also simply use
[[!template id=man name="ifconfig" section="8"]]:

    ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345

## Password-Authenticated MSCHAPv2
This seems to be a common configuration for password-authenticated networks:
# See also
* [[!template id=man name="wpa_supplicant" section="8"]]
* [[!template id=man name="wpa_supplicant.conf" section="5"]]
* [Official wpa_supplicant site](http://hostap.epitest.fi/wpa_supplicant/)