What is WPA/WPA2?
Wi-Fi Protected Access (WPA) and Wi-Fi Protected Access II (WPA2) are 802.11 wireless authentication and encryption standards, the successors to the simpler Wired Equivalent Privacy (WEP). Most "closed" or "locked" 802.11 wireless networks use WPA/WPA2 authentication. On NetBSD, the wpa_supplicant(8) daemon handles WPA/WPA2.
To configure WPA/WPA2, you must create the file /etc/wpa_supplicant.conf (wpa_supplicant.conf(5)).
You can find examples for /etc/wpa_supplicant.conf in /usr/share/examples/wpa_supplicant/wpa_supplicant.conf.
The simplest case is a network, say "my favourite network", with a fixed passphrase, say "hunter2".
For this case, fill your /etc/wpa_supplicant.conf file with:
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    network={
        ssid="my favourite network"
        psk="hunter2"
    }
Then enable wpa_supplicant on your network interface device, say iwn0, by editing /etc/rc.conf (rc.conf(5)) to add:
    wpa_supplicant=YES
    wpa_supplicant_flags="-i iwn0 -c /etc/wpa_supplicant.conf"
If your LAN is configured with DHCP, you will likely also want dhcpcd=YES in /etc/rc.conf to run dhcpcd(8).
Then start wpa_supplicant with the shell command:
    # /etc/rc.d/wpa_supplicant start
or reboot for the change to take effect.
You can query the current status of WPA/WPA2 with the shell command:
    # wpa_cli status
If you want to configure more 802.11 networks, add more network stanzas to /etc/wpa_supplicant.conf, and notify wpa_supplicant of them:
    # /etc/rc.d/wpa_supplicant reload
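The network stanza above stores the passphrase in clear text; wpa_supplicant.conf also accepts psk as 64 unquoted hex digits, the 256-bit key derived from the passphrase and SSID. The following Python sketch is an added example, not part of the original page or of NetBSD: it performs that derivation (the same one wpa_passphrase(8) does) and emits the stanza. The function names derive_psk and network_stanza and the sample passphrase are made up for illustration.

```python
import hashlib


def derive_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit WPA/WPA2 pre-shared key as 64 hex digits."""
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    # PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()


def network_stanza(ssid: str, passphrase: str, scan_ssid: bool = False) -> str:
    """Build a network block that stores the derived key, not the passphrase."""
    psk = derive_psk(ssid, passphrase)
    if all(32 <= ord(c) <= 126 and c != '"' for c in ssid):
        ssid_field = '"' + ssid + '"'
    else:
        # Unquoted hex form, so quotes or newlines in an SSID cannot
        # break out of the field and add configuration lines.
        ssid_field = ssid.encode("utf-8").hex()
    lines = ["network={", "    ssid=" + ssid_field]
    if scan_ssid:
        lines.append("    scan_ssid=1")  # hidden network, as on this page
    lines += ["    psk=" + psk, "}"]  # 64 hex digits, unquoted
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample passphrase; the SSID is the page's placeholder.
    print(network_stanza("my favourite network", "correct horse battery"), end="")
```

The derived key still authenticates to that one network, so the file needs the same protection as before; the gain is that the human-chosen passphrase is not readable from it. The page's placeholder passphrases hunter2 and sekret are shorter than the 8-character minimum for a WPA passphrase, so derive_psk() rejects them.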
Do not wait for lease; useful if no network is within reach, so boot will not hang
For a typical laptop, you will usually want to use DHCP to get an IP
address on any network you're on, but you won't always be on the
network.
In that case, when you're booting up, you don't want to have to wait
until you can associate with the network and get a DHCP lease.
You can pass the -b flag to dhcpcd(8) to make it immediately go into the background, by setting dhcpcd_flags in /etc/rc.conf:
    dhcpcd_flags="${dhcpcd_flags} -b"
Other Network Configurations
wpa_supplicant can also connect to other wireless network
configurations.
These networks can be given different priorities using the priority
field, with a higher number indicating a higher priority.
Hidden Networks
If the network is hidden, so that the access point does not broadcast
its presence, you must specify the scan_ssid=1 option:
    network={
        ssid="my network"
        scan_ssid=1
        psk="sekret"
    }
Open Networks
    network={
        ssid="MYUNPROTECTEDWLAN"
        key_mgmt=NONE
        priority=100
    }
WEP encryption
WEP is the weakest of current 802.11 encryption solutions. It is known to be completely broken: breaking WEP can be done in mere seconds. However, sometimes there is a need to use WEP in legacy networks. Here is a configuration if you want to do it with wpa_supplicant:
    network={
        ssid="MYWEAKLYENCRYPTEDWLAN"
        key_mgmt=NONE
        wep_key0="12345" # or 13 characters, or a hexkey starting with 0x
        wep_tx_keyidx=0
    }
Note that you don't have to use wpa_supplicant to configure WEP -- you can also simply use ifconfig(8):
    ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345
Password-Authenticated MSCHAPv2
This seems to be a common configuration for password-authenticated networks:
    network={
        ssid="WLANSSID"
        key_mgmt=IEEE8021X
        eap=PEAP
        phase2="auth=MSCHAPV2"
        identity="login"
        password="password"
    }
Determine first what interfaces are available:
Add to /etc/rc.conf: