Wireless network security
From NetBSD Wiki
What is WPA?
Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA support has been available in NetBSD since NetBSD 4.0.
To set up WPA, create the file /etc/wpa_supplicant.conf with the following contents, substituting your own SSID and key:
network={
ssid="MYWLAN"
scan_ssid=1
key_mgmt=WPA-PSK
psk="MySecretPassphrase"
}
It's important to set your exact SSID name and, of course, your exact key. Both are case sensitive.
To use WPA together with dhclient, configure /etc/rc.conf as follows. Example excerpt from /etc/rc.conf:
wscons=YES
dhclient=YES
wpa_supplicant=YES
wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"
Also, note that wpa_supplicant lives in /usr/sbin. Depending on how your filesystems are arranged, you may need to add /usr to the 'critical_filesystems_local' override in /etc/rc.conf. Example:
critical_filesystems_local="/var /usr"
That's it. Restart your network with /etc/rc.d/network restart.
Other Network Configurations
wpa_supplicant can also connect to other network configurations. These configurations can be given different priorities using the priority field, with a higher number indicating a higher priority.
Unprotected Networks
network={
ssid="MYUNPROTECTEDWLAN"
scan_ssid=1
key_mgmt=NONE
priority=100
}
WEP encryption
WEP is the weakest of these encryption schemes and has been shown to be breakable in mere seconds, but sometimes one needs to connect to legacy networks, so here is the configuration for doing so with wpa_supplicant:
network={
ssid="MYWEAKLYENCRYPTEDWLAN"
key_mgmt=NONE
wep_key0="12345" # 5 or 13 characters in quotes; a hex key is written unquoted, without a 0x prefix
wep_tx_keyidx=0
}
Oddly enough, wep_key0 and wep_tx_keyidx seem to be undocumented in wpa_supplicant.conf(5)...
You don't have to use wpa_supplicant to do it, though. With ifconfig you can do it just as easily:
ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345
Password-Authenticated MSCHAPv2
This seems to be a common configuration for password-authenticated networks:
network={
ssid="WLANSSID"
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="login"
password="password"
}
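The network blocks on this page differ widely in what they protect: an open block has no encryption, a WEP block is breakable, and an EAP block without ca_cert (or ca_path) does not verify the server certificate before sending credentials. The sh/awk function below is an added example, not part of the original wiki page or of wpa_supplicant, that reports those three cases per SSID; its sample input is constructed from this page's blocks, and the ca_cert path in the last block is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: report weak network blocks; reads $1, or stdin if no file is given.
audit_wpa_conf() {
    awk '
    /^[ \t]*network=[{]/ { inblk = 1; ssid = "?"; none = wep = eap = ca = 0; next }
    /^[ \t]*ssid=/ { ssid = $0; sub(/^[^"]*"/, "", ssid); sub(/".*$/, "", ssid) }
    /^[ \t]*key_mgmt=NONE/   { none = 1 }   # no WPA key management
    /^[ \t]*wep_key[0-3]=/   { wep = 1 }    # static WEP key configured
    /^[ \t]*eap=/            { eap = 1 }    # 802.1X/EAP network
    /^[ \t]*ca_(cert|path)=/ { ca = 1 }     # a trust anchor for the server cert
    inblk && /^[ \t]*[}]/ {                 # end of block: print findings
        if (none && wep)  print ssid ": WEP"
        if (none && !wep) print ssid ": open network, no encryption"
        if (eap && !ca)   print ssid ": EAP without ca_cert, server certificate not verified"
        inblk = 0
    }' "$@"
}

# Constructed sample based on this page's blocks; the ca_cert path is hypothetical.
sample_conf() {
    cat <<'EOF'
network={
ssid="MYWLAN"
key_mgmt=WPA-PSK
}
network={
ssid="MYUNPROTECTEDWLAN"
key_mgmt=NONE
}
network={
ssid="MYWEAKLYENCRYPTEDWLAN"
key_mgmt=NONE
wep_key0="12345"
}
network={
ssid="WLANSSID"
key_mgmt=IEEE8021X
eap=PEAP
}
network={
ssid="WLANSSID-PINNED"
key_mgmt=IEEE8021X
eap=PEAP
ca_cert="/etc/ssl/example-ca.pem"
}
EOF
}

sample_conf | audit_wpa_conf
```

To check the live configuration, run `audit_wpa_conf /etc/wpa_supplicant.conf`.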
