wpa for freebsd

Posted by Dick on January 23, 2006

Despite our ups and downs, for me there’s still only one choice for a server OS.

Luckily, FreeBSD 6.x now has wpa_supplicant in the base system, along with iwi/ipw (Centrino 802.11b/g support), and word is the 5.x wrinkles are ironed out.

So I thought I’d do a BSD version of the WPA howto I wrote the other day.

0: ingredients:

  • FreeBSD 6.0
  • a WPA-capable, supported wireless NIC (mainly 802.11g kit). I’m using a Cardbus NEC WL54AG - piece of crap but supported by ath and only 20 notes on ebay. Replace ath0 with ipw/iwi/ndis as appropriate.
  • a computer
  • an access point (should work on ad-hoc WLANs, too)
  • a rootprompt

1: patch your kernel

Sod’s law - since we’re securing our WLAN you might as well do it right.

2: get your modules on

If your card doesn’t show up in ’ifconfig -a’, check dmesg. Mine said:

cardbus0:  at device 0.0 (no driver attached)

until I kldload if_ath, then I got:

ath_hal: 0.9.14.9 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413)
ath0:  mem 0x88000000-0x8800ffff irq 12 at device 0.0 on cardbus0
ath0: Ethernet address: 00:0d:00:1d:41:1b
ath0: mac 5.9 phy 4.3 radio 3.6

3: setup /etc/wpa_supplicant.conf

If you’re accessing a pre-shared key WPA network, you should only need to tweak the ‘psk=’ and ‘proto=’ lines.

For anything else, read the (excellent) wpa_supplicant.conf manpage.

 # used by wpa_cli(8) (see 'troubleshooting' below)
 ctrl_interface=/var/run/wpa_supplicant
 ctrl_interface_group=0

 # boilerplate, essentially. see the example for a walkthrough
 eapol_version=1
 ap_scan=1
 fast_reauth=1

 # 'network' is a group of APs sharing a SSID
 network={
         ssid="YOURSSID"
         # 'RSN' == 'WPA2'
         proto=RSN WPA
         # that's 'pre-shared key'
         key_mgmt=WPA-PSK
         # lists ciphers to try. CCMP is AES
         # pairwise is for client <-> AP traffic, group is for broadcasts
         pairwise=CCMP TKIP
         group=CCMP TKIP
         psk="hail beastie, baby"
 }
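The psk="..." line above stores the passphrase in the clear, and wpa_supplicant has to derive the real 256-bit key from it (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds) every time it starts. The script below is an added example of mine, not code from the post or from the wpa_supplicant project: it derives that key the way wpa_passphrase(8) does, audits a network={...} block for the settings a defender cares about (TKIP in the cipher lists, WPA v1 in proto=, a plaintext or short passphrase), and rewrites the block with the derived hex key in place of the passphrase. The WEAK_CIPHERS set and the 20-character threshold are this example’s own policy; the sample config is constructed to mirror the block above.

```python
# Added example, not from the original post: derive the 256-bit key that
# wpa_supplicant computes from ssid + passphrase (what wpa_passphrase(8) does),
# audit a network={...} block for weak settings, and rewrite the block so the
# plaintext passphrase is replaced by the derived hex key. Standard library only.
import hashlib
import re

# Ciphers this check treats as weak (TKIP is the RC4-based fallback; the post
# itself prefers CCMP/AES). The length threshold is this script's own policy.
WEAK_CIPHERS = {"TKIP", "WEP40", "WEP104"}
MIN_PASSPHRASE_LEN = 20

def wpa_psk(ssid, passphrase):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    per IEEE 802.11i; returned as the 64-hex-digit form that psk= accepts."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def strip_comment(line):
    """Drop a '#' comment, but keep a '#' that sits inside a quoted value."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "#" and not in_quote:
            break
        out.append(ch)
    return "".join(out).strip()

def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value

def parse_block(body):
    """key=value pairs of one network block; values are kept raw (quotes intact)
    so a quoted passphrase can be told apart from a 64-hex-digit raw key."""
    net = {}
    for line in body.splitlines():
        line = strip_comment(line)
        if "=" in line:
            key, value = line.split("=", 1)
            net[key.strip()] = value.strip()
    return net

def parse_networks(conf):
    return [parse_block(body) for body in re.findall(r"network=\{(.*?)\}", conf, re.S)]

def audit_network(net):
    """Findings for one block (an empty list means nothing to report)."""
    findings = []
    if net.get("key_mgmt") != "WPA-PSK":
        findings.append("key_mgmt is not WPA-PSK")
    for key in ("pairwise", "group"):
        weak = WEAK_CIPHERS & set(net.get(key, "").split())
        if weak:
            findings.append("%s allows weak cipher(s): %s" % (key, " ".join(sorted(weak))))
    if "WPA" in net.get("proto", "").split():
        findings.append("proto allows WPA (v1); use RSN alone if the AP supports it")
    psk = net.get("psk", "")
    if psk.startswith('"'):
        findings.append("psk is a plaintext passphrase; store the derived hex key instead")
        if len(unquote(psk)) < MIN_PASSPHRASE_LEN:
            findings.append("passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    elif not re.fullmatch(r"[0-9a-fA-F]{64}", psk):
        findings.append("psk is neither a quoted passphrase nor a 64-hex-digit key")
    return findings

def replace_passphrases(conf):
    """Rewrite every psk="passphrase" as psk=<64 hex>, as wpa_passphrase(8) would.
    Only quoted SSIDs are handled; a block with a hex ssid= is left untouched."""
    def fix_block(match):
        net = parse_block(match.group(1))
        ssid, psk = net.get("ssid", ""), net.get("psk", "")
        if psk.startswith('"') and ssid.startswith('"'):
            hexkey = wpa_psk(unquote(ssid), unquote(psk))
            body = re.sub(r'psk="[^"]*"', "psk=" + hexkey, match.group(1))
            return "network={" + body + "}"
        return match.group(0)
    return re.sub(r"network=\{(.*?)\}", fix_block, conf, flags=re.S)

# Constructed sample mirroring the block in the post (passphrase is the post's joke one).
SAMPLE_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
network={
        ssid="YOURSSID"
        proto=RSN WPA
        key_mgmt=WPA-PSK
        pairwise=CCMP TKIP
        group=CCMP TKIP
        psk="hail beastie, baby"   # trailing comment after the value
}
"""

if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        findings = audit_network(net) or ["no findings"]
        print(unquote(net["ssid"]) + ":", *findings, sep="\n  ")
    print(replace_passphrases(SAMPLE_CONF))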

4: setup your AP

(the faint-hearted should probably check they have ethernet access to it first)

You want to enable WPA-PSK and broadcast your SSID. On the WRT54G that goes:

  • under ‘wireless’ → ‘basic wireless settings’
    • enable “SSID broadcast” (no need for security by obscurity)
  • under ‘wireless’ → ‘wireless security’
    • set ‘security mode’ = ‘WPA2 personal’ (’enterprise’ needs a RADIUS server)
    • WPA algorithms = ‘AES’ or ‘TKIP + AES’ (I went for plain AES)
    • shared key = choose a long passphrase (it’s not like you’ll type it much)

Check you have everything you need (before you lose connectivity) and ‘save settings’.

5: gentlemen, start your NICs

As root, try this:

/etc/rc.d/wpa_supplicant forcestart ath0
/sbin/dhclient ath0 # or just 'ifconfig ath0 .....'

and hopefully you’re back online.

Since I told my supplicant to try CCMP, then TKIP (the ’pairwise=…’ .conf line),
I was asked to kldload
wlan_ccmp
and restart the supplicant. If it fell through to TKIP it presumably want
wlan_tkip
.

6: automatic for the people

Assuming our /etc/wpa_supplicant.conf was good, we now want this
to start at boot.

First the loader has to pull in our modules. For my case, that’s

 cat >> /boot/loader.conf
 if_ath_load="YES"
 wlan_ccmp_load="YES"
 wlan_tkip_load="YES"# can't hurt
 EOF

Now you just flag the interface as using WPA and DHCP:

 cat >> /etc/rc.conf
 ifconfig_ath0="WPA DHCP"
 EOF

7: troubleshooting

wpa_supplicant will give you more detail than you could possibly want if you pass it
a ’-dd’ argument. A ’ps awwux|grep supplicant’ should give you the full command you’re
using, just add ’-dd’ to those arguments.

That should give you some idea where it’s failing, or at least get you a string to google for.

I also highly recommend
wpa_cli
for those who a) don’t want to hardcode a PSK in a cfg file, b) need to debug their connection or c) like talking to network processes for some reason.

8: homework schools out

Laptop users might want to play with devd and have the start_if.ath0 script run when you insert your NIC should be pleased to find you can now just plug in your card and devd will fire it up correctly for you. It even kills off wpa_supplicant and dhclient neatly when you eject the card.

the X makes it sound cool

Posted by Dick on July 29, 2005

UKUUG
is next weekend, and although I can’t spare a whole weekend I really want to catch the Xen talks on Saturday morning.

I’ve been following Xen for about 18 months and to my shame I still haven’t got further than building a dom0 kernel and running that as my desktop for 9 months…

In my defence, my weapon of choice has no dom0 and very sketchy domU support, but NetBSD has been stable in dom0 for nearly a year now, and I’ve had NetBSD around the place since last century.

My main problem has been the lack of a serial console on my netbsd gateway (all my mini-itx boxes are headless as they all live in the front room where there’s no room for monitors).
It’s made upgrading the box very dangerous (every buildworld invariably kills the box ) and dicking about with Xen out of the question.

Adding a serial console to NetBSD:

  1. needs a buildworld (see above)
  2. is badly documented (rare for netbsd)
  3. kills your EPIA boxes (I found this when I tried to install on a new EPIA, luckily. That was when I started using FreeBSD again).

According to the bug report, the bootcode errors are now fixed. But I have a better plan.
I need grub anyway for Xen, and grub does serial consoles fine.

Slight problem was that grub can need a bit of massaging to work with non-linuxes, but that’s no biggy now as the NetBSD/xen howto , bless it, has a section on serial consoles.

(in all honesty, my WRT54G arrived last night, so it’d probably be simpler just to flatten the old NetBSD box and sell it to make glue, but I would like a Xen box and it seems like a good candidate).