Wireless network security
From NetBSD Wiki
What is WPA?
Wi-Fi Protected Access (WPA) is a wireless encryption standard and the successor of Wired Equivalent Privacy (WEP). WPA support has been available in NetBSD since NetBSD 4.0.
To set up WPA, create the file /etc/wpa_supplicant.conf and paste in the following, substituting your own SSID and key:
network={
ssid="MYWLAN"
scan_ssid=1
key_mgmt=WPA-PSK
psk="MySecretPassphrase"
}
It's important to set your exact SSID name and, of course, your exact key. Both are case sensitive.
To use WPA with dhclient, configure /etc/rc.conf as follows. Part of /etc/rc.conf, as an example:
dhclient=YES
# Do not wait for lease; useful if no network is within reach, so boot will not hang
dhclient_flags="-nw"
wpa_supplicant=YES
wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"
Also, note that wpa_supplicant lives in /usr/sbin. Depending on how your filesystems are arranged, you may need to add /usr to the 'critical_filesystems_local' override in /etc/rc.conf. Example:
critical_filesystems_local="/var /usr"
That's it. Now you can start wpa_supplicant with /etc/rc.d/wpa_supplicant start, then restart your network with /etc/rc.d/network restart.
Using dhcpcd instead of dhclient
In NetBSD 5.0, you can also put a new line in /etc/ifconfig.ath0 that mentions dhcp:
up dhcp
This will bring the interface up and start dhcpcd, the new DHCP client daemon. If you do this, you can remove dhclient from your config and change dhclient_flags to dhcpcd_flags:
# Do not wait for lease; useful if no network is within reach, so boot will not hang
dhcpcd_flags="-q -b"
wpa_supplicant=YES
wpa_supplicant_flags="-B -i ath0 -c /etc/wpa_supplicant.conf"
Adding a new network
With the above setup, all you have to do is add the configuration to your wpa_supplicant.conf and then tell wpa_supplicant to reload its config:
wpa_cli reconfigure
That's it. With
wpa_cli status
you can track the status, and see if it authenticates. If you wait a moment, dhcpcd will pick up the change and automatically obtain a new lease.
If the wpa_cli command fails with a "Failed to connect to wpa_supplicant - wpa_ctrl_open: No such file or directory" error, make sure the ctrl_interface parameter is set in the wpa_supplicant.conf file, for example:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
Other Network Configurations
wpa_supplicant can also connect to other network configurations. These configurations can be given different priorities using the priority field, with a higher number indicating a higher priority.
Unprotected Networks
network={
ssid="MYUNPROTECTEDWLAN"
scan_ssid=1
key_mgmt=NONE
priority=100
}
WEP encryption
WEP is the weakest of the encryption schemes, and it has been shown that it can be broken in mere seconds. Sometimes one still needs to connect to legacy networks, so here is the configuration if you want to do it with wpa_supplicant:
network={
ssid="MYWEAKLYENCRYPTEDWLAN"
key_mgmt=NONE
wep_key0="12345" # or 13 characters, or an unquoted hex key such as 0102030405
wep_tx_keyidx=0
}
Oddly enough, wep_key0 and wep_tx_keyidx seem to be undocumented in wpa_supplicant.conf(5)...
You don't have to use wpa_supplicant to do it, though. With ifconfig you can do it just as easily:
ifconfig ath0 ssid MYWEAKLYENCRYPTEDWLAN nwkey 12345
Password-Authenticated MSCHAPv2
This seems to be a common configuration for password-authenticated networks:
network={
ssid="WLANSSID"
key_mgmt=IEEE8021X
eap=PEAP
phase2="auth=MSCHAPV2"
identity="login"
password="password"
}
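The network blocks on this page can be checked mechanically. The following Python code is an added example, not part of the original wiki page: it parses network={ } blocks and flags open and WEP networks, open or WEP blocks whose priority puts them ahead of a protected network (as priority=100 does above), and PEAP blocks with neither ca_cert nor ca_path, in which case wpa_supplicant does not verify the server certificate. The function names and finding labels are assumptions, and the sample configuration is constructed from the blocks above.

```python
import re

# Constructed sample: the four kinds of network block from this page.
SAMPLE_CONF = '''
network={
    ssid="MYWLAN"
    key_mgmt=WPA-PSK
    psk="MySecretPassphrase"
}
network={
    ssid="MYUNPROTECTEDWLAN"
    key_mgmt=NONE
    priority=100
}
network={
    ssid="MYWEAKLYENCRYPTEDWLAN"
    key_mgmt=NONE
    wep_key0="12345"
}
network={
    ssid="WLANSSID"
    key_mgmt=IEEE8021X
    eap=PEAP
}
'''

def parse_networks(text):
    # One {field: raw value} dict per network={ ... } block; comments are skipped.
    nets = []
    for body in re.findall(r'^network=\{(.*?)^\s*\}', text, re.S | re.M):
        nets.append(dict(re.findall(r'^\s*(\w+)=("[^"]*"|[^#\s]+)', body, re.M)))
    return nets

def audit(text):
    # Return sorted (ssid, finding) pairs for weak or risky blocks.
    nets = parse_networks(text)
    prios = [int(n.get("priority", 0)) for n in nets]  # default group is 0
    protected = [p for n, p in zip(nets, prios) if n.get("key_mgmt") != "NONE"]
    out = set()
    for n, p in zip(nets, prios):
        ssid = n.get("ssid", "?").strip('"')
        if n.get("key_mgmt") == "NONE":
            wep = any(k.startswith("wep_key") for k in n)
            out.add((ssid, "wep" if wep else "open"))
            if protected and p > min(protected):
                out.add((ssid, "preferred-over-protected"))
        if "PEAP" in n.get("eap", "").split() and not {"ca_cert", "ca_path"} & n.keys():
            out.add((ssid, "peap-no-server-cert-check"))
    return sorted(out)
```

To check a real file, pass its contents to audit(), for example audit(open("/etc/wpa_supplicant.conf").read()).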
