Add a FreeBSD Host Access Points section to the wireless page.

Without encryption, WPA-PSK and WEP APs are covered. Instructions for EAP-TLS, EAP-TTLS and EAP-PEAP based APs will be added in future With many useful remarks and help from: sam@ and thompsa@ Inspired from: Sam Banks <w0lfie@clear.net.nz> and loader@ contributions
svn path=/head/; revision=31045
2007-11-24 09:25:54 +00:00 · 2007-11-24 09:25:54 +00:00 · 2fbe8fd546 · 2020-12-08 03:00:23 +00:00
commit 2fbe8fd546
parent ab702cce71
1 changed files with 299 additions and 0 deletions
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@ -1739,6 +1739,305 @@ Associated with 00:13:46:49:41:76</screen>
 	    ready to exchange informations.</para>
    </sect2>

+    <sect2 id="network-wireless-ap">
+      <title>&os; Host Access Points</title>
+
+      <para>&os; can act as an Access Point (AP) which eliminates the
+	need to buy a hardware AP or run an ad-hoc network.  This can be
+	particularly useful when your &os; machine is acting as a
+	gateway to another network (e.g., the Internet).</para>
+
+      <sect3 id="network-wireless-ap-basic">
+	<title>Basic Settings</title>
+
+	<para>Before configuring your &os; machine as an AP, the
+	  kernel must be configured with the appropriate wireless
+	  networking support for your wireless card.  You also have to
+	  add the support for the security protocols you intend to
+	  use.  For more details, see <xref
+	  linkend="network-wireless-basic">.</para>
+
+	<note>
+	  <para>The use of the NDIS driver wrapper and the &windows;
+	    drivers do not allow currently the AP operation.  Only
+	    native &os; wireless drivers support AP mode.
+	</note>
+
+	<para>Once the wireless networking support is loaded, you can
+	  check if your wireless device supports the host-based access
+	  point mode (also know as hostap mode):</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> list caps</userinput>
+ath0=783ed0f&lt;WEP,TKIP,AES,AES_CCM,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME&gt;</screen>
+
+	<para>This output displays the card capabilities; the
+	  <literal>HOSTAP</literal> word confirms this wireless card
+	  can act as an Access Point.  Various supported ciphers are
+	  also mentioned: WEP, TKIP, WPA2, etc., these informations
+	  are important to know what security protocols could be set
+	  on the Access Point.</para>
+
+	<para>The wireless device can now be put into hostap mode and
+	  configured with the correct SSID and IP address:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mode 11g mediaopt hostap</userinput> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></screen>
+
+	<para>Use again <command>ifconfig</command> to see the status
+	  of the <devicename>ath0</devicename> interface:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+  ath0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
+	  inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
+	  inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
+	  ether 00:11:95:c3:0d:ac
+	  media: IEEE 802.11 Wireless Ethernet autoselect mode 11g &lt;hostap&gt;
+	  status: associated
+	  ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+	  authmode OPEN privacy OFF txpowmax 38 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100</screen>
+
+	<para>The <literal>hostap</literal> parameter indicates the
+	  interface is running in the host-based access point
+	  mode.</para>
+
+	<para>The interface configuration can be done automatically at
+	  boot time by adding the following line to
+	  <filename>/etc/rc.conf</filename>:</para>
+
+	<programlisting>ifconfig_ath0="ssid <replaceable>freebsdap</replaceable> mode 11g mediaopt hostap inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable>"</programlisting>
+      </sect3>
+
+      <sect3>
+	<title>Host-based Access Point without Authentication or
+	  Encryption</title>
+
+	<para>Although it is not recommended to run an AP without any
+	  authentication or encryption, this is a simple way to check
+	  if your AP is working.  This configuration is also important
+	  for debugging client issues.</para>
+
+	<para>Once the AP configured as previously shown, it is
+	  possible from another wireless machine to initiate a scan to
+	  find the AP:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput>
+SSID            BSSID              CHAN RATE  S:N   INT CAPS
+freebsdap       00:11:95:c3:0d:ac    1   54M 22:1   100 ES</screen>
+
+	<para>The client machine found the Access Point and can be
+	  associated with it:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+  ath0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
+	  inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
+	  inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
+	  ether 00:11:95:d5:43:62
+	  media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
+	  status: associated
+	  ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+	  authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100</screen>
+      </sect3>
+
+      <sect3>
+	<title>WPA Host-based Access Point</title>
+
+	<para>This section will focus on setting up &os; Access Point
+	  using the WPA security protocol.  More details regarding WPA
+	  and the configuration of WPA-based wireless clients can be
+	  found in the <xref linkend="network-wireless-wpa">.</para>
+
+	<para>The <application>hostapd</application> daemon is used to
+	  deal with client authentication and keys management on the
+	  WPA enabled Access Point.</para>
+
+	<para>In the following, all the configuration operations will
+	  be performed on the &os; machine acting as AP.  Once the
+	  AP is correctly working, <application>hostapd</application>
+	  should be automatically enabled at boot with the following
+	  line in <filename>/etc/rc.conf</filename>:</para>
+
+	<programlisting>hostapd_enable="YES"</programlisting>
+
+	<para>Before trying to configure
+	  <application>hostapd</application>, be sure you have done
+	  the basic settings introduced in the <xref
+	  linkend="network-wireless-ap-basic">.</para>
+
+	<sect4>
+	  <title>WPA-PSK</title>
+
+	  <para>WPA-PSK is intended for small networks where the use
+	    of an backend authentication server is not possible or
+	    desired.</para>
+
+	  <para>The configuration is done in the
+	    <filename>/etc/hostapd.conf</filename> file:</para>
+
+	  <programlisting>interface=ath0 <co id="co-ap-wpapsk-iface">
+debug=1 <co id="co-ap-wpapsk-dbug">
+ctrl_interface=/var/run/hostapd <co id="co-ap-wpapsk-ciface">
+ctrl_interface_group=wheel <co id="co-ap-wpapsk-cifacegrp">
+ssid=freebsdap <co id="co-ap-wpapsk-ssid">
+wpa=1 <co id="co-ap-wpapsk-wpa">
+wpa_passphrase=freebsdmall <co id="co-ap-wpapsk-pass">
+wpa_key_mgmt=WPA-PSK <co id="co-ap-wpapsk-kmgmt">
+wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"></programlisting>
+
+	  <calloutlist>
+	    <callout arearefs="co-ap-wpapsk-iface">
+	      <para>This field indicates the wireless interface used
+		for the Access Point.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-dbug">
+	      <para>This field sets the level of verbosity during the
+		execution of <application>hostapd</application>.  A
+		value of <literal>1</literal> represents the minimal
+		level.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-ciface">
+	      <para>The <literal>ctrl_interface</literal> field gives
+		the pathname of the directory used by
+		<application>hostapd</application> to stores its
+		domain socket files for the communication with
+		external programs such as &man.hostapd.cli.8;.  The
+		default value is used here.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-cifacegrp">
+	      <para>The <literal>ctrl_interface_group</literal> line
+		sets the group (here, it is the
+		<groupname>wheel</groupname> group) allowed to access
+		to the control interface files.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-ssid">
+	      <para>This field sets the network name.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-wpa">
+	      <para>The <literal>wpa</literal> field enables WPA and
+		specifies which WPA authentication protocol will be
+		required.  A value of <literal>1</literal> configures the
+		AP for WPA-PSK.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-pass">
+	      <para>The <literal>wpa_passphrase</literal> field
+		contains the ASCII passphrase for the WPA
+		authentication.</para>
+
+	      <warning>
+		<para>Always use strong passwords that are
+		  sufficiently long and made from a rich alphabet so
+		  they will not be guessed and/or attacked.</para>
+	      </warning>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-kmgmt">
+	      <para>The <literal>wpa_key_mgmt</literal> line refers to
+		the key management protocol we use.  In our case it is
+		WPA-PSK.</para>
+	    </callout>
+
+	    <callout arearefs="co-ap-wpapsk-pwise">
+	      <para>The <literal>wpa_pairwise</literal> field
+		indicates the set of accepted encryption algorithms by
+		the Access Point.  Here both TKIP (WPA) and CCMP
+		(WPA2) ciphers are accepted.  CCMP cipher is an
+		alternative to TKIP and that is strongly preferred
+		when possible; TKIP should be used solely for stations
+		incapable of doing CCMP.</para>
+	    </callout>
+	  </calloutlist>
+
+	  <para>The next step is to start
+	    <application>hostapd</application>:</para>
+
+	  <screen>&prompt.root <userinput>/etc/rc.d/hostapd forcestart</userinput></screen>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+  ath0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 2290
+	  inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
+	  inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
+	  ether 00:11:95:c3:0d:ac
+	  media: IEEE 802.11 Wireless Ethernet autoselect mode 11g &lt;hostap&gt;
+	  status: associated
+	  ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+	  authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
+
+	<para>The Access Point is running, the clients can now be
+	  associated with it, see <xref
+	  linkend="network-wireless-wpa"> for more details.  It is
+	  possible to see the stations associated with the AP using
+	  the <command>ifconfig <replaceable>ath0</replaceable> list
+	  sta</command> command.</para>
+	</sect4>
+      </sect3>
+
+      <sect3>
+	<title>WEP Host-based Access Point</title>
+
+	<para>It is not recommended to use WEP for setting up an
+	  Access Point since there is no authentication mechanism and
+	  it is easily to be cracked.  Some legacy wireless cards only
+	  support WEP as security protocol, these cards will only
+	  allow to set up AP without authentication or encryption or
+	  using the WEP protocol.</para>
+
+	<para>The wireless device can now be put into hostap mode and
+	  configured with the correct SSID and IP address:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g mediaopt hostap \
+	inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput></screen>
+
+	<itemizedlist>
+	  <listitem>
+	    <para>The <literal>weptxkey</literal> means which WEP
+	      key will be used in the transmission.  Here we used the
+	      third key (note that the key numbering starts with
+	      <literal>1</literal>).  This parameter must be specified
+	      to really encrypt the data.</para>
+	  </listitem>
+
+	  <listitem>
+	    <para>The <literal>wepkey</literal> means setting the
+	      selected WEP key.  It should in the format
+	      <replaceable>index:key</replaceable>, if the index is
+	      not given, key <literal>1</literal> is set.  That is
+	      to say we need to set the index if we use keys other
+	      than the first key.</para>
+	  </listitem>
+	</itemizedlist>
+
+	<para>Use again <command>ifconfig</command> to see the status
+	  of the <devicename>ath0</devicename> interface:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+  ath0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
+	  inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
+	  inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
+	  ether 00:11:95:c3:0d:ac
+	  media: IEEE 802.11 Wireless Ethernet autoselect mode 11g &lt;hostap&gt;
+	  status: associated
+	  ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+	  authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
+
+	<para>From another wireless machine, it is possible to initiate
+	  a scan to find the AP:</para>
+
+	<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput>
+SSID            BSSID              CHAN RATE  S:N   INT CAPS
+freebsdap       00:11:95:c3:0d:ac    1   54M 22:1   100 EPS</screen>
+
+	<para>The client machine found the Access Point and can be
+	  associated with it using the correct parameters (key, etc.),
+	  see <xref linkend="network-wireless-wep"> for more
+	  details.</para>
+      </sect3>
+    </sect2>
+
    <sect2>
      <title>Troubleshooting</title>