File:  [NetBSD Developer Wiki] / wikisrc / tutorials / how_to_use_wpa_supplicant.mdwn
Revision 1.2
Sun Feb 5 07:14:36 2012 UTC (2 years, 2 months ago) by schmonz
Branches: MAIN
CVS tags: HEAD
dos2unix

**Contents**

[[!toc]]

#  What is WPA?

Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA has been supported since NetBSD 4.0. NetBSD uses [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current), a cross-platform framework for WPA. 


To set up WPA, create the file `/etc/wpa_supplicant.conf` and paste in the following, substituting your own SSID and key: 
    
    network={
            ssid="MYWLAN"
            scan_ssid=1
            key_mgmt=WPA-PSK
            psk="MySecretPassphrase"
    }
    

It's important to set your exact SSID and of course your exact key. Both are case sensitive. For additional parameters in the configuration file, please refer to the manual page [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current). 


To use WPA together with [dhclient(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhclient+8+NetBSD-current), add the following to [rc.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?rc.conf+5+NetBSD-current): 
    
    dhclient=YES
    # Do not wait for lease; useful if no network is within reach, so boot will not hang
    dhclient_flags="-nw"
    wpa_supplicant=YES
    wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"
    

Also, note that _wpa_supplicant_ lives in `/usr/sbin`. Depending on your file system layout, you may need to add `/usr` to the `critical_filesystems_local` override in `/etc/rc.conf`. Example: 
    
    critical_filesystems_local="/var /usr"
    

That's it. Now you can start _wpa_supplicant_ with `/etc/rc.d/wpa_supplicant start`, then restart your network with `/etc/rc.d/network restart`. 

#  Using _dhcpcd_ instead of _dhclient_

In NetBSD 5.0, you can also put a new line in `/etc/ifconfig.ath0` that mentions dhcp: 
    
    up
    dhcp
    

This will bring the interface up and start [dhcpcd(8)](http://netbsd.gw.com/cgi-bin/man-cgi?dhcpcd+8+NetBSD-current), the new DHCP client daemon. If you do this, you can remove _dhclient_ from your configuration and change the `dhclient_flags` to `dhcpcd_flags`: 
    

    # Do not wait for lease; useful if no network is within reach, so boot will not hang
    dhcpcd_flags="-q -b"
    wpa_supplicant=YES
    wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"
    

#  Adding a new network 

With the above setup, all you have to do is add the configuration to your `wpa_supplicant.conf` and then tell wpa_supplicant to reload its config: 
    
    wpa_cli reconfigure
    

That's it. With 
    
    wpa_cli status
    

you can track the status, and see if it authenticates. If you wait a moment, _dhcpcd_ will pick up the change and automatically obtain a new lease. 

If the `wpa_cli` command fails with a "Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory" error, make sure the `ctrl_interface` parameter is set in [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current) as follows: 
    

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    

#  Other Network Configurations 

_wpa_supplicant_ can also connect to other network configurations. These configurations can be given different priorities using the `priority` field, with a higher number indicating a higher priority. 

##  Unprotected Networks 
    
    network={
        ssid="MYUNPROTECTEDWLAN"
        scan_ssid=1
        key_mgmt=NONE
        priority=100
    }
    

##  WEP encryption 

WEP is the weakest of current 802.11 encryption solutions. It is known to be completely broken; breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks. Here is a configuration if you want to do it with _wpa_supplicant_: 
    
    network={
            ssid="MYWEAKLYENCRYPTEDWLAN"
            key_mgmt=NONE
            wep_key0="12345"  # or 13 characters, or a hexkey starting with 0x
            wep_tx_keyidx=0
    }
    

Oddly enough, the `wep_key0` and `wep_tx_keyidx` seem to be undocumented in [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)... 


You don't have to use wpa_supplicant to do it, though. With [[basics/ifconfig]] you can do it just as easily: 


    ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345
    

##  Password-Authenticated MSCHAPv2 

This seems to be a common configuration for password-authenticated networks: 
    
    network={
        ssid="WLANSSID"
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2"
        identity="login"
        password="password"
    }
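
The weak spots in the network blocks of this section, and in the WPA2 block that follows, can be checked mechanically. This is an added example, not part of the original wiki page or of wpa_supplicant: the function names (`parse_networks`, `audit`) and the finding strings are made up for illustration, and the sample file is constructed. `ca_cert` is the wpa_supplicant.conf option that enables validation of the EAP server certificate.

```python
def parse_networks(text):
    """Return one dict per network={...} block; '#' holds its comment lines."""
    nets, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("network={"):
            cur = {"#": []}
        elif cur is None:
            continue                      # global option, not audited here
        elif line == "}":
            nets.append(cur)
            cur = None
        elif line.startswith("#"):
            cur["#"].append(line)
        elif "=" in line:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return nets

def audit(text):
    """Return (ssid, finding) pairs for weak settings shown on this page."""
    out = []
    for n in parse_networks(text):
        ssid = n.get("ssid", "?").strip('"')
        ciphers = (n.get("pairwise", "") + " " + n.get("group", "")).split()
        if n.get("key_mgmt") == "NONE":
            wep = any(k.startswith("wep_key") for k in n)
            out.append((ssid, "WEP" if wep else "open network"))
        if "TKIP" in ciphers or "WPA" in n.get("proto", "").split():
            out.append((ssid, "WPA/TKIP fallback allowed"))
        if "eap" in n and "ca_cert" not in n:
            out.append((ssid, "EAP server certificate not validated"))
        # A commented-out psk="..." line still leaves the passphrase on disk.
        plain = [c for c in n["#"] if c.lstrip("# \t").startswith('psk="')]
        if plain or n.get("psk", "").startswith('"'):
            out.append((ssid, "plaintext passphrase in file"))
    return out

# Constructed sample: the kinds of network block shown on this page.
SAMPLE = "\n".join([
    'network={', 'ssid="MYUNPROTECTEDWLAN"', 'key_mgmt=NONE', '}',
    'network={', 'ssid="MYWEAKLYENCRYPTEDWLAN"', 'key_mgmt=NONE',
    'wep_key0="12345"', '}',
    'network={', 'ssid="WLANSSID"', 'key_mgmt=IEEE8021X', 'eap=PEAP', '}',
    'network={', 'ssid="My_world"', 'proto=RSN WPA', 'pairwise=CCMP TKIP',
    '#psk="My_secret"', 'psk=PLACEHOLDER_HEX_KEY', '}',
])

if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE):
        print(f"{ssid}: {finding}")
```

A block restricted to `proto=RSN` with `pairwise=CCMP` and `group=CCMP`, and without the commented passphrase, produces no findings.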
    

  


##  WPA2 

**Step 0:** On NetBSD 5.0.1, use `wpa_passphrase` to create a basic configuration: 
    
    wpa_passphrase My_world My_secret | tee /etc/wpa_supplicant.conf | nl
        1  network={
        2          ssid="My_world"
        3          #psk="My_secret"
        4          psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b
        5  }
    

**Step 1:** Add the lines marked with `+`: 
    
    +ap_scan=1
    +ctrl_interface=/var/run/wpa_supplicant
    +ctrl_interface_group=0
    +
    network={
    +       scan_ssid=1
    +       proto=RSN WPA
    +       key_mgmt=WPA-PSK
    +       pairwise=CCMP TKIP
    +       group=CCMP TKIP
           ssid="My_world"
           #psk="My_secret"
           psk=b7d1304e45ebbdb66ebd458b2d89e6871ac1dcb1efae521beaa76fb78708fe9b
     }
    +
    

**Step 2:** Add the following to `/etc/ifconfig.INTERFACE_NAME`, using your own address values: 
    
    cat -n /etc/ifconfig.wpi0
        1  inet 192.168.1.23 netmask 255.255.255.0
        2  !route add default 192.168.1.254
    

**Step 3:** Add the following to `/etc/defaults/rc.conf`: 
    
    fgrep -i wpa /etc/defaults/rc.conf | nl
        1  # WPA daemons.
        2  wpa_supplicant=YES
        3  wpa_supplicant_flags="-B -i wpi0 -c /etc/wpa_supplicant.conf"
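
What `wpa_passphrase` computes in Step 0, as an added example that is not part of the original page: the hex `psk` is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), which is why both SSID and passphrase must match exactly, case included. `wpa_psk` and `network_block` are hypothetical helper names; the block they emit leaves out the `#psk="..."` comment so the plaintext passphrase does not stay in the file.

```python
import hashlib

def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 pre-shared key as 64 hex digits."""
    pw, salt = passphrase.encode("ascii"), ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8..63 ASCII characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    # The SSID is the salt: the same passphrase on another SSID gives another key.
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()

def network_block(ssid: str, passphrase: str) -> str:
    """Build a network block that stores only the derived key."""
    if '"' in ssid or "\n" in ssid:
        raise ValueError("SSID needs hex notation in wpa_supplicant.conf")
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, wpa_psk(passphrase, ssid))

if __name__ == "__main__":
    # Passphrase/SSID pair from the IEEE 802.11i test vectors, not a real network.
    print(network_block("IEEE", "password"))
    # Changing only the case of the SSID yields an unrelated key.
    print(wpa_psk("password", "IEEE") == wpa_psk("password", "ieee"))
```

The derived key is still sufficient to join the network, so `/etc/wpa_supplicant.conf` should be readable by root only.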
    

#  See also 

  * [wpa_supplicant(8)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant+8+NetBSD-current)
  * [wpa_supplicant.conf(5)](http://netbsd.gw.com/cgi-bin/man-cgi?wpa_supplicant.conf+5+NetBSD-current)
  * [Official wpa_supplicant site](http://hostap.epitest.fi/wpa_supplicant/)
