File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_use_wpa_supplicant.mdwn
Revision 1.10
Wed Sep 9 14:28:56 2020 UTC by kim
Branches: MAIN
CVS tags: HEAD
Use man template

**Contents**

[[!toc]]

#  What is WPA/WPA2?

[Wi-Fi Protected Access (WPA)](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access)
 and Wi-Fi Protected Access II (WPA2) are 802.11 wireless
 authentication and encryption standards, the successors to the simpler
 [Wired Equivalent Privacy (WEP)](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy).
Most "closed" or "locked" 802.11 wireless networks use WPA/WPA2
 authentication.
On NetBSD, the [[!template id=man name="wpa_supplicant" section="8"]]
 daemon handles WPA/WPA2.

To configure WPA/WPA2, you must create the file `/etc/wpa_supplicant.conf`
([[!template id=man name="wpa_supplicant.conf" section="5"]]).
You can find examples for `/etc/wpa_supplicant.conf` in
 `/usr/share/examples/wpa_supplicant/wpa_supplicant.conf`.
The simplest case is a network, say `my favourite network`, with a
 fixed passphrase, say `hunter2` (a placeholder: a real WPA passphrase
 must be 8 to 63 characters long).
For this case, fill your `/etc/wpa_supplicant.conf` file with:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    network={
            ssid="my favourite network"
            psk="hunter2"
    }

Then enable wpa_supplicant on your network interface device, say
 `iwn0`, by editing `/etc/rc.conf` ([[!template id=man name="rc.conf" section="5"]])
 to add

    wpa_supplicant=YES
    wpa_supplicant_flags="-i iwn0 -c /etc/wpa_supplicant.conf"

If your LAN is configured with DHCP, you will likely also want
 `dhcpcd=YES` in `/etc/rc.conf` to run [[!template id=man name="dhcpcd" section="8"]].
Then start wpa_supplicant with the shell command:

    # /etc/rc.d/wpa_supplicant start

or reboot for the change to take effect.

You can query the current status of WPA/WPA2 with the shell command:

    # wpa_cli status

If you want to configure more 802.11 networks, add more `network`
 stanzas to `/etc/wpa_supplicant.conf`, and notify wpa_supplicant of
 them:

    # /etc/rc.d/wpa_supplicant reload

#  Do not wait for lease; useful if no network is within reach, so boot will not hang

For a typical laptop, you will usually want to use DHCP to get an IP
 address on any network you're on, but you won't always be on the
 network.
In that case, when you're booting up, you don't want to have to wait
 until you can associate with the network and get a DHCP lease.
You can pass the `-b` flag to
 [[!template id=man name="dhcpcd" section="8"]]
 to make it immediately go into the background, by setting
 `dhcpcd_flags` in `/etc/rc.conf`:

    dhcpcd_flags="${dhcpcd_flags} -b"

#  Other Network Configurations

wpa_supplicant can also connect to other wireless network
 configurations.
These networks can be given different priorities using the `priority`
 field, with a higher number indicating a higher priority.

##  Hidden Networks

If the network is hidden, so that the access point does not broadcast
 its presence, you must specify the `scan_ssid=1` option:

    network={
            ssid="my network"
            scan_ssid=1
            psk="sekret"
    }

##  Open Networks

    network={
            ssid="MYUNPROTECTEDWLAN"
            key_mgmt=NONE
            priority=100
    }

##  WEP encryption

WEP is the weakest of current 802.11 encryption solutions.
It is known to be completely broken: breaking WEP can be done in mere
 seconds.
However, sometimes there is a need to use WEP in legacy networks.
Here is a configuration if you want to do it with wpa_supplicant:

    network={
            ssid="MYWEAKLYENCRYPTEDWLAN"
            key_mgmt=NONE
            wep_key0="12345"  # or 13 characters, or an unquoted hex key such as 0102030405
            wep_tx_keyidx=0
    }

Note that you don't have to use wpa_supplicant to configure WEP -- you
 can also simply use
 [[!template id=man name="ifconfig" section="8"]]:

    ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345

##  Password-Authenticated MSCHAPv2

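This seems to be a common configuration for password-authenticated networks.
As written it sets no `ca_cert`, so wpa_supplicant does not verify the
 authentication server's certificate: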

    network={
            ssid="WLANSSID"
            key_mgmt=IEEE8021X
            eap=PEAP
            phase2="auth=MSCHAPV2"
            identity="login"
            password="password"
    }
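
The following is an added example, not part of the original tutorial or of wpa_supplicant itself: a Python audit of `network` stanzas like the ones on this page, flagging WEP keys, open networks, EAP without `ca_cert`/`ca_path`, and quoted passphrases outside WPA's 8 to 63 character range. The function names and finding labels are made up for this example, and it assumes the simple one-`key=value`-per-line stanza layout used above.

```python
import re

SAMPLE = '''# Constructed sample: stanzas taken from the examples on this page
network={
        ssid="my favourite network"
        psk="hunter2"
}
network={
        ssid="MYWEAKLYENCRYPTEDWLAN"
        key_mgmt=NONE
        wep_key0="12345"  # or 13 characters
}
network={
        ssid="WLANSSID"
        eap=PEAP
}
'''

def parse_networks(text):
    """Return one {key: raw value} dict per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        # Strip '#' comments unless they sit inside a double-quoted string.
        line = re.sub(r'^((?:[^"#]|"[^"]*")*)#.*$', r'\1', raw).strip()
        if line == "network={":
            networks.append(current := {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value
    return networks

def audit(net):
    """Return finding labels (names made up for this example) for one block."""
    found = []
    psk = net.get("psk", "")
    if psk.startswith('"') and not 8 <= len(psk) - 2 <= 63:
        found.append("psk-length")     # quoted passphrase must be 8..63 chars
    if any(k.startswith("wep_key") for k in net):
        found.append("wep")            # static WEP key: WEP is broken
    elif net.get("key_mgmt") == "NONE":
        found.append("open")           # no link-layer encryption at all
    if "eap" in net and not {"ca_cert", "ca_path"} & net.keys():
        found.append("eap-no-ca")      # server certificate is not verified
    return found

for net in parse_networks(SAMPLE):
    print(net.get("ssid", "?"), audit(net))
```

Run it against a copy of `/etc/wpa_supplicant.conf` by passing the file's text to `parse_networks` in place of `SAMPLE`.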

#  See also

  * [[!template id=man name="wpa_supplicant" section="8"]]
  * [[!template id=man name="wpa_supplicant.conf" section="5"]]
  * [Official wpa_supplicant site](http://hostap.epitest.fi/wpa_supplicant/)
