**Contents**

[[!toc]]

# What is WPA/WPA2?

[Wi-Fi Protected Access (WPA)](https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access) and Wi-Fi Protected Access II (WPA2) are 802.11 wireless authentication and encryption standards, the successors to the simpler [Wired Equivalent Privacy (WEP)](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy). Most "closed" or "locked" 802.11 wireless networks use WPA/WPA2 authentication.

On NetBSD, the [[!template id=man name="wpa_supplicant" section="8"]] daemon handles WPA/WPA2. To configure WPA/WPA2, you must create the file `/etc/wpa_supplicant.conf` ([[!template id=man name="wpa_supplicant.conf" section="5"]]). You can find examples for `/etc/wpa_supplicant.conf` in `/usr/share/examples/wpa_supplicant/wpa_supplicant.conf`.

The simplest case is a network, say `my favourite network`, with a fixed passphrase, say `hunter2`. For this case, fill your `/etc/wpa_supplicant.conf` file with:

    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    network={
        ssid="my favourite network"
        psk="hunter2"
    }

Then enable wpa_supplicant on your network interface device, say `iwn0`, by editing `/etc/rc.conf` ([[!template id=man name="rc.conf" section="5"]]) to add

    wpa_supplicant=YES
    wpa_supplicant_flags="-i iwn0 -c /etc/wpa_supplicant.conf"

If your LAN is configured with DHCP, you will likely also want `dhcpcd=YES` in `/etc/rc.conf` to run [[!template id=man name="dhcpcd" section="8"]].

Then start wpa_supplicant with the shell command:

    # /etc/rc.d/wpa_supplicant start

or reboot for the change to take effect.
You can query the current status of WPA/WPA2 with the shell command:

    # wpa_cli status

If you want to configure more 802.11 networks, add more `network` stanzas to `/etc/wpa_supplicant.conf`, and notify wpa_supplicant of them:

    # /etc/rc.d/wpa_supplicant reload

# Do not wait for lease; useful if no network is within reach, so boot will not hang

For a typical laptop, you will usually want to use DHCP to get an IP address on any network you're on, but you won't always be on the network. In that case, when you're booting up, you don't want to have to wait until you can associate with the network and get a DHCP lease. You can pass the `-b` flag to [[!template id=man name="dhcpcd" section="8"]] to make it immediately go into the background, by setting `dhcpcd_flags` in `/etc/rc.conf`:

    dhcpcd_flags="${dhcpcd_flags} -b"

# Other Network Configurations

wpa_supplicant can also connect to other wireless network configurations. These networks can be given different priorities using the `priority` field, with a higher number indicating a higher priority.

## Hidden Networks

If the network is hidden, so that the access point does not broadcast its presence, you must specify the `scan_ssid=1` option:

    network={
        ssid="my network"
        scan_ssid=1
        psk="sekret"
    }

## Open Networks

    network={
        ssid="MYUNPROTECTEDWLAN"
        key_mgmt=NONE
        priority=100
    }

## WEP encryption

WEP is the weakest of current 802.11 encryption solutions. It is known to be completely broken: breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks.
Here is a configuration if you want to do it with wpa_supplicant:

    network={
        ssid="MYWEAKLYENCRYPTEDWLAN"
        key_mgmt=NONE
        wep_key0="12345" # or 13 characters, or a hex key written without quotes
        wep_tx_keyidx=0
    }

Note that you don't have to use wpa_supplicant to configure WEP -- you can also simply use [[!template id=man name="ifconfig" section="8"]]:

    ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345

## Password-Authenticated MSCHAPv2

This seems to be a common configuration for password-authenticated networks:

    network={
        ssid="WLANSSID"
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2"
        identity="login"
        password="password"
    }

# See also

* [[!template id=man name="wpa_supplicant" section="8"]]
* [[!template id=man name="wpa_supplicant.conf" section="5"]]
* [Official wpa_supplicant site](http://hostap.epitest.fi/wpa_supplicant/)
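
A small checker for the `network` stanzas shown on this page, as an added example (not part of the original page or of wpa_supplicant). It reports open and WEP networks, a quoted `psk` whose length is outside the 8 to 63 characters a WPA passphrase may have, and EAP networks with neither `ca_cert` nor `ca_path`, for which the server certificate is not verified. The function names and the rule set are assumptions made for the example, and `SAMPLE_CONF` is constructed from the page's stanzas.

```python
import re
# Constructed sample input: the network stanzas shown on this page, abridged.
SAMPLE_CONF = '''
network={
    ssid="my favourite network"
    psk="hunter2"
}
network={
    ssid="MYUNPROTECTEDWLAN"
    key_mgmt=NONE
}
network={
    ssid="MYWEAKLYENCRYPTEDWLAN"
    key_mgmt=NONE
    wep_key0="12345"  # trailing comment, as in the page's stanza
}
network={
    ssid="WLANSSID"
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
'''

def parse_networks(text):
    """Return one {field: value} dict per network={...} stanza."""
    stanzas = re.findall(r"^\s*network=\{(.*?)^\s*\}", text, re.S | re.M)
    # A value is a quoted string (which may contain '#') or a bare token.
    field = re.compile(r'^\s*(\w+)=("[^"]*"|[^\s#]+)', re.M)
    return [dict(field.findall(body)) for body in stanzas]

def lint(net):
    """Findings for one parsed stanza (hypothetical rule set, not exhaustive)."""
    findings = []
    if net.get("key_mgmt") == "NONE":
        wep = any(k.startswith("wep_key") for k in net)
        findings.append("WEP: broken encryption" if wep else "open: no encryption")
    psk = net.get("psk", "")
    # A quoted psk is a passphrase, and WPA passphrases are 8..63 characters.
    if psk.startswith('"') and not 8 <= len(psk) - 2 <= 63:
        findings.append("psk: passphrase length not in 8..63")
    # With no ca_cert/ca_path the server certificate is not verified.
    if "eap" in net and not net.keys() & {"ca_cert", "ca_path"}:
        findings.append("eap: no ca_cert, server certificate not verified")
    return findings

def lint_conf(text):
    """Map each SSID to the findings for its stanza."""
    return {n.get("ssid", "?").strip('"'): lint(n) for n in parse_networks(text)}
```

Calling `lint_conf(open("/etc/wpa_supplicant.conf").read())` runs the same checks on a real file; a stanza with no findings maps to an empty list.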