From f1efc8f444d695ffabe92015656aefa2196a8961 Mon Sep 17 00:00:00 2001 From: Marc Fonvieille Date: Mon, 31 Jul 2006 13:38:52 +0000 Subject: [PATCH] Update of the wireless networking section: The old section is completely replaced with this new one. For the moment "FreeBSD as AP" is not covered (I'm working on it), but FreeBSD clients configuration and troubleshooting are detailed (how to find AP, basic settings with or without DHCP, authentication methods: WEP, WPA-PSK, WPA-TLS, WPA-TTLS and PEAP, IBSS mode is also discussed). This huge section would not exist without the help of loader@freebsdmall.com, murray@ and of course sam@ --- .../handbook/advanced-networking/chapter.sgml | 1573 ++++++++++++----- 1 file changed, 1138 insertions(+), 435 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml index 0173dbcc11..e8d3947de3 100644 --- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml
@@ -658,445 +658,1148 @@ route_net2="-net 192.168.1.0/24 192.168.1.1" - - Eric - Anderson - Written by - + + Loader + + + + Marc + Fonvieille + + + + Murray + Stokely + Wireless Networking - wireless networking - - 802.11 - wireless networking - - - - Introduction - It can be very useful to be able to use a computer without the - annoyance of having a network cable attached at all times. FreeBSD can - be used as a wireless client, and even as a wireless access - point. - - - - Wireless Modes of Operation - There are two different ways to configure 802.11 wireless devices: - BSS and IBSS. - - - BSS Mode - BSS mode is the mode that typically is used. BSS mode is - also called infrastructure mode. In this mode, a number of - wireless access points are connected to a wired network. Each - wireless network has its own name. This name is called the - SSID of the network. - - Wireless clients connect to these wireless access - points. The IEEE 802.11 standard defines the protocol that - wireless networks use to connect. A wireless client can be - tied to a specific network, when a SSID is set. A wireless - client can also attach to any network by not explicitly - setting a SSID. - - - - IBSS Mode - IBSS mode, also called ad-hoc mode, is designed for point - to point connections. There are actually two types of ad-hoc - mode. One is IBSS mode, also called ad-hoc or IEEE ad-hoc - mode. This mode is defined by the IEEE 802.11 standards. - The second is called demo ad-hoc mode or Lucent ad-hoc mode - (and sometimes, confusingly, ad-hoc mode). This is the old, - pre-802.11 ad-hoc mode and should only be used for legacy - installations. We will not cover either of the ad-hoc modes - further. - - - - - Infrastructure Mode - - Access Points - - Access points are wireless networking devices that allow - one or more wireless clients to use the device as a central - hub. When using an access point, all clients communicate - through the access point. 
Multiple access points are often - used to cover a complete area such as a house, business, or - park with a wireless network. - - Access points typically have multiple network - connections: the wireless card, and one or more wired Ethernet - adapters for connection to the rest of the network. - - - Access points can either be purchased prebuilt, or you - can build your own with FreeBSD and a supported wireless card. - Several vendors make wireless access points and wireless cards - with various features. - - - - Building a FreeBSD Access Point - wireless networking - access point - - - Requirements - - In order to set up a wireless access point with - FreeBSD, you need to have a compatible wireless card. - Currently, only cards with the Prism chipset are - supported. You will also need a wired network card that is - supported by FreeBSD (this should not be difficult to find, - FreeBSD supports a lot of different devices). For this - guide, we will assume you want to &man.bridge.4; all traffic - between the wireless device and the network attached to the - wired network card. - - The hostap functionality that FreeBSD uses to implement - the access point works best with certain versions of - firmware. Prism 2 cards should use firmware version 1.3.4 - or newer. Prism 2.5 and Prism 3 cards should use firmware - 1.4.9. Older versions of the firmware way or may not - function correctly. At this time, the only way to update - cards is with &windows; firmware update utilities available - from your card's manufacturer. 
- - - - Setting It Up - First, make sure your system can see the wireless card: - &prompt.root; ifconfig -a -wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 - inet6 fe80::202:2dff:fe2d:c938%wi0 prefixlen 64 scopeid 0x7 - inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255 - ether 00:09:2d:2d:c9:50 - media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps) - status: no carrier - ssid "" - stationname "FreeBSD Wireless node" - channel 10 authmode OPEN powersavemode OFF powersavesleep 100 - wepmode OFF weptxkey 1 - - Do not worry about the details now, just make sure it shows you - something to indicate you have a wireless card installed. - If you have trouble seeing the wireless interface, and you - are using a PC Card, you may want to check out - &man.pccardc.8; and &man.pccardd.8; manual pages for more - information. - - Next, you will need to load a module in order to get - the bridging part of FreeBSD ready for the access point. - To load the &man.bridge.4; module, simply run the - following command: - - &prompt.root; kldload bridge - - It should not have produced any errors when loading the - module. If it did, you may need to compile the - &man.bridge.4; code into your kernel. The Bridging section of this handbook - should be able to help you accomplish that task. - - Now that you have the bridging stuff done, we need to - tell the FreeBSD kernel which interfaces to bridge together. - We do that by using &man.sysctl.8;: - - &prompt.root; sysctl net.link.ether.bridge.enable=1 -&prompt.root; sysctl net.link.ether.bridge.config="wi0 xl0" -&prompt.root; sysctl net.inet.ip.forwarding=1 - - On &os; versions earlier than 5.2, you - need to use the following options instead: - - &prompt.root; sysctl net.link.ether.bridge=1 -&prompt.root; sysctl net.link.ether.bridge_cfg="wi0,xl0" -&prompt.root; sysctl net.inet.ip.forwarding=1 - - Now it is time for the wireless card setup. 
- The following command will set the card into an access point: - - -&prompt.root; ifconfig wi0 ssid my_net channel 11 media DS/11Mbps mediaopt hostap up stationname "FreeBSD AP" - - - The &man.ifconfig.8; line brings the - wi0 interface up, sets its SSID to - my_net, and sets the station name to - FreeBSD AP. The sets the card into 11Mbps mode and is - needed for any to take effect. - The option places the - interface into access point mode. The option sets the 802.11b channel to use. The - &man.wicontrol.8; manual page has valid channel options for - your regulatory domain. - - - Now you should have a complete functioning access point - up and running. You are encouraged to read - &man.wicontrol.8;, &man.ifconfig.8;, and &man.wi.4; for - further information. - - - It is also suggested that you read the section on encryption that follows. - - - - Status Information - Once the access point is configured and operational, - operators will want to see the clients that are associated - with the access point. At any time, the operator may type: - - &prompt.root; wicontrol -l -1 station: -00:09:b7:7b:9d:16 asid=04c0, flags=3<ASSOC,AUTH>, caps=1<ESS>, rates=f<1M,2M,5.5M,11M>, sig=38/15 - - - This shows that there is one station associated, along - with its parameters. The signal indicated should be used - as a relative indication of strength only. Its - translation to dBm or other units varies between different - firmware revisions. - - - - - Clients - - A wireless client is a system that accesses an access - point or another client directly. - - Typically, wireless clients only have one network device, - the wireless networking card. - - There are a few different ways to configure a wireless - client. These are based on the different wireless modes, - generally BSS (infrastructure mode, which requires an access - point), and IBSS (ad-hoc, or peer-to-peer mode). In our - example, we will use the most popular of the two, BSS mode, to - talk to an access point. 
- - - Requirements - There is only one real requirement for setting up FreeBSD as a wireless client. - You will need a wireless card that is supported by FreeBSD. - - - - Setting Up a Wireless FreeBSD Client - - You will need to know a few things about the wireless - network you are joining before you start. In this example, we - are joining a network that has a name of - my_net, and encryption turned off. - - In this example, we are not using encryption, which - is a dangerous situation. In the next section, you will learn - how to turn on encryption, why it is important to do so, - and why some encryption technologies still do not completely - protect you. - - Make sure your card is recognized by FreeBSD: - - &prompt.root; ifconfig -a -wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 - inet6 fe80::202:2dff:fe2d:c938%wi0 prefixlen 64 scopeid 0x7 - inet 0.0.0.0 netmask 0xff000000 broadcast 255.255.255.255 - ether 00:09:2d:2d:c9:50 - media: IEEE 802.11 Wireless Ethernet autoselect (DS/2Mbps) - status: no carrier - ssid "" - stationname "FreeBSD Wireless node" - channel 10 authmode OPEN powersavemode OFF powersavesleep 100 - wepmode OFF weptxkey 1 - - Now, we can set the card to the correct settings for our - network: - - &prompt.root; ifconfig wi0 inet 192.168.0.20 netmask 255.255.255.0 ssid my_net - - Replace 192.168.0.20 and - 255.255.255.0 with a valid IP - address and netmask on your wired network. Remember, our - access point is bridging the data between the wireless - network, and the wired network, so it will appear to the other - devices on your network that you are on the wired network just - as they are. - - Once you have done that, you should be able to ping hosts - on the wired network just as if you were connected using a - standard wired connection. 
- - If you are experiencing problems with your wireless - connection, check to make sure that you are associated - (connected) to the access point: - - &prompt.root; ifconfig wi0 - - should return some information, and you should see: - status: associated - - If it does not show associated, then you may be out of - range of the access point, have encryption on, or - possibly have a configuration problem. - - - - - - Encryption - - wireless networking - encryption - - - Encryption on a wireless network is important because you - no longer have the ability to keep the network contained in a - well protected area. Your wireless data will be broadcast - across your entire neighborhood, so anyone who cares to read it - can. This is where encryption comes in. By encrypting the - data that is sent over the airwaves, you make it much more - difficult for any interested party to grab your data right out - of the air. - - The two most common ways to encrypt the data between your - client and the access point are WEP, and &man.ipsec.4;. - - - WEP - WEP - - WEP is an abbreviation for Wired Equivalency Protocol. - WEP is an attempt to make wireless networks as safe and secure - as a wired network. Unfortunately, it has been cracked, and is - fairly trivial to break. This also means it is not something - to rely on when it comes to encrypting sensitive data. - - It is better than nothing, so use the following to turn on - WEP on your new FreeBSD access point: - - &prompt.root; ifconfig wi0 inet up ssid my_net wepmode on wepkey 0x1234567890 media DS/11Mbps mediaopt hostap - - And you can turn on WEP on a client with this command: - - &prompt.root; ifconfig wi0 inet 192.168.0.20 netmask 255.255.255.0 ssid my_net wepmode on wepkey 0x1234567890 - - Note that you should replace the 0x1234567890 with a more unique key. - - - - - IPsec - - &man.ipsec.4; is a much more robust and powerful tool for - encrypting data across a network. 
This is definitely the - preferred way to encrypt data over a wireless network. You can - read more about &man.ipsec.4; security and how to implement it - in the IPsec section of this - handbook. - - - - - Tools - - There are a small number of tools available for use in - debugging and setting up your wireless network, and here we will - attempt to describe some of them and what they do. - - - The <application>bsd-airtools</application> Package - - The bsd-airtools package is a - complete toolset that includes wireless auditing tools for WEP - key cracking, access point detection, etc. - - The bsd-airtools utilities can be - installed from the net-mgmt/bsd-airtools port. Information on - installing ports can be found in of this - handbook. - - The program dstumbler is the packaged - tool that allows for access point discovery and signal to noise - ratio graphing. If you are having a hard time getting your - access point up and running, dstumbler may - help you get started. - - To test your wireless network security, you may choose to - use dweputils (dwepcrack, - dwepdump and dwepkeygen) - to help you determine if WEP is the right solution to your - wireless security needs. - - - - - The <command>wicontrol</command>, <command>ancontrol</command> and <command>raycontrol</command> Utilities - - These are the tools you can use to control how your wireless - card behaves on the wireless network. In the examples above, we - have chosen to use &man.wicontrol.8;, since our wireless card is - a wi0 interface. If you had a Cisco - wireless device, it would come up as - an0, and therefore you would use - &man.ancontrol.8;. - - - - - The <command>ifconfig</command> Command - ifconfig - - The &man.ifconfig.8; command can be used to do many of the same options - as &man.wicontrol.8;, however it does lack a few options. Check - &man.ifconfig.8; for command line parameters and options. 
- - - - - - - Supported Cards - - Access Points - - The only cards that are currently supported for BSS (as an - access point) mode are devices based on the Prism 2, 2.5, or 3 - chipsets. For a complete list, look at &man.wi.4;. - - - - - 802.11b Clients - - Almost all 802.11b wireless cards are currently supported - under FreeBSD. Most cards based on Prism, Spectrum24, Hermes, - Aironet, and Raylink will work as a wireless network card in - IBSS (ad-hoc, peer-to-peer, and BSS) mode. - - - - - 802.11a & 802.11g Clients - - The &man.ath.4; device driver supports 802.11a and 802.11g. - If your card is based on an Atheros chipset, you may be able to - use this driver. Many other drivers are available: &man.an.4;, - &man.awi.4;, &man.iwi.4;, &man.ipw.4;, &man.ral.4; and - &man.ural.4;. Some chipsets may not have a native &os; driver - available, in this case you should check if you cannot directly - use the &windows; driver with the NDIS driver wrapper. - - - - + wireless networking + + 802.11 + wireless networking + + + + Wireless Networking Basics + + Most wireless networks are based on the IEEE 802.11 + standards. A basic wireless network consists of multiple + stations communicating with radios that broadcast in either + the 2.4GHz or 5GHz band (though this varies according to the + locale and is also changing to enable communication in the + 2.3GHz and 4.9GHz ranges). + + 802.11 networks are organized in two ways: in + infrastructure mode one station acts as a + master with all the other stations associating to it; the + network is known as a BSS and the master station is termed an + access point (AP). In a BSS all communication passes through + the AP; even when one station wants to communicate with + another wireless station messages must go through the AP. In + the second form of network there is no master and stations + communicate directly. This form of network is termed an IBSS + and is commonly known as an ad-hoc + network. 
+ + 802.11 networks were first deployed in the 2.4GHz band + using protocols defined by the IEEE 802.11 and 802.11b + standard. These specifications include the operating + frequencies, MAC layer characteristics including framing and + transmission rates (communication can be done at various + rates). Later the 802.11a standard defined operation in the + 5GHz band, including different signalling mechanisms and + higher transmission rates. Still later the 802.11g standard + was defined to enable use of 802.11a signalling and + transmission mechanisms in the 2.4GHz band in such a way as to + be backwards compatible with 802.11b networks. + + Separate from the underlying transmission techniques + 802.11 networks have a variety of security mechanisms. The + original 802.11 specifications defined a simple security + protocol called WEP. This protocol uses a fixed pre-shared key + and the RC4 cryptographic cipher to encode data transmitted on + a network. Stations must all agree on the fixed key in order + to communicate. This scheme was shown to be easily broken and + is now rarely used except to discourage transient users from + joining networks. Current security practice is given by the + IEEE 802.11i specification that defines new cryptographic + ciphers and an additional protocol to authenticate stations to + an access point and exchange keys for doing data + communication. Further, cryptographic keys are periodically + refreshed and there are mechanisms for detecting intrusion + attempts (and for countering intrusion attempts). Another + security protocol specification commonly used in wireless + networks is termed WPA. This was a precursor to 802.11i + defined by an industry group as an interim measure while + waiting for 802.11i to be ratified. WPA specifies a subset of + the requirements found in 802.11i and is designed for + implementation on legacy hardware. Specifically WPA requires + only the TKIP cipher that is derived from the original WEP + cipher. 
802.11i permits use of TKIP but also requires support + for a stronger cipher, AES-CCM, for encrypting data. (The AES + cipher was not required in WPA because it was deemed too + computationally costly to be implemented on legacy + hardware.) + + Other than the above protocol standards the other + important standard to be aware of is 802.11e. This defines + protocols for deploying multi-media applications such as + streaming video and voice over IP (VoIP) in an 802.11 network. + Like 802.11i, 802.11e also has a precursor specification + termed WME (later renamed WMM) that has been defined by an + industry group as a subset of 802.11e that can be deployed now + to enable multi-media applications while waiting for the final + ratification of 802.11e. The most important thing to know + about 802.11e and WME/WMM is that it enables prioritized + traffic use of a wireless network through Quality of Service + (QoS) protocols and enhanced media access protocols. Proper + implementation of these protocols enable high speed bursting + of data and prioritized traffic flow. + + Since the 6.0 version, &os; supports networks that operate + using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i + security protocols are likewise supported (in conjunction with + any of 11a, 11b, and 11g) and QoS and traffic prioritization + required by the WME/WMM protocols are supported for a limited + set of wireless devices. + + + + Basic Setup + + + Kernel Configuration + + To use wireless networking you need a wireless + networking card and to configure the kernel with the + appropriate wireless networking support. The latter is + separated into multiple modules so that you only need to + configure the software you are actually going to use. + + The first thing you need is a wireless device. The most + commonly used devices are those that use parts made by + Atheros. 
These devices are supported by the &man.ath.4; + driver and require the following line to be added to the + /boot/loader.conf file: + + if_ath_load="YES" + + The Atheros driver is split up into three separate + pieces: the driver proper (&man.ath.4;), the hardware + support layer that handles chip-specific functions + (&man.ath.hal.4;), and an algorithm for selecting which of + several possible rates for transmitting frames + (ath_rate_sample here). When you load this support as + modules these dependencies are automatically handled for + you. If instead of an Atheros device you had another device + you would select the module for that device; e.g.: + + if_wi_load="YES" + + for devices based on the Intersil Prism parts + (&man.wi.4; driver). + + + In the rest of this document, we will use an + &man.ath.4; device, the device name in the examples must + be changed according to your configuration. A list of + available wireless drivers can be found at the beginning + of the &man.wlan.4; manual page. If a native &os; driver + for your wireless device does not exist, it may be + possible to directly use the &windows; driver with the + help of the NDIS driver + wrapper. + + + With a device driver configured you need to also bring + in the 802.11 networking support required by the driver. + For the &man.ath.4; driver this is at least the &man.wlan.4; + module; this module is automatically loaded with the + wireless device driver. With that you will need the modules + that implement cryptographic support for the security + protocols you intend to use. These are intended to be + dynamically loaded on demand by the &man.wlan.4; module but + for now they must be manually configured. The following + modules are available: &man.wlan.wep.4;, &man.wlan.ccmp.4; + and &man.wlan.tkip.4;. Both &man.wlan.ccmp.4; and + &man.wlan.tkip.4; drivers are only needed if you intend to + use the WPA and/or 802.11i security protocols. 
If your + network is to run totally open (i.e., with no encryption) + then you do not even need the &man.wlan.wep.4; support. To + load these modules at boot time, add the following lines to + /boot/loader.conf: + + wlan_wep_load="YES" +wlan_ccmp_load="YES" +wlan_tkip_load="YES" + + With this information in the system bootstrap + configuration file (i.e., + /boot/loader.conf), you have to reboot + your &os; box. If you do not want to reboot your machine + for the moment, you can just load the modules by hand using + &man.kldload.8;. + + + If you do not want to use modules, it is possible to + compile these drivers into the kernel by adding the + following lines to your kernel configuration file: + + device ath # Atheros IEEE 802.11 wireless network driver +device ath_hal # Atheros Hardware Access Layer +device ath_rate_sample # John Bicket's SampleRate control algorithm. +device wlan # 802.11 support (Required) +device wlan_wep # WEP crypto support for 802.11 devices +device wlan_ccmp # AES-CCMP crypto support for 802.11 devices +device wlan_tkip # TKIP and Michael crypto support for 802.11 devices + + With this information in the kernel configuration + file, recompile the kernel and reboot your &os; + machine. + + + When the system is up, we could find some information + about the wireless device in the boot messages, like + this: + + ath0: <Atheros 5212> mem 0xff9f0000-0xff9fffff irq 17 at device 2.0 on pci2 +ath0: Ethernet address: 00:11:95:d5:43:62 +ath0: mac 7.9 phy 4.5 radio 5.6 + + + + + Infrastructure Mode + + The infrastructure mode or BSS mode is the mode that is + typically used. In this mode, a number of wireless access + points are connected to a wired network. Each wireless + network has its own name, this name is called the SSID of the + network. Wireless clients connect to the wireless access + points. + + + &os; Clients + + + How to Find Access Points + + To scan for networks, use the + ifconfig command. 
This request may + take a few moments to complete as it requires that the + system switches to each available wireless frequency and + probes for available access points. Only the super-user + can initiate such a scan: + + &prompt.root; ifconfig ath0 up scan +SSID BSSID CHAN RATE S:N INT CAPS +dlinkap 00:13:46:49:41:76 6 54M 29:0 100 EPS WPA WME +freebsdap 00:11:95:c3:0d:ac 1 54M 22:0 100 EPS WPA + + + You must mark the interface + before you can scan. Subsequent scan requests do not + require you to mark the interface up again. + + + The output of a scan request lists each BSS/IBSS + network found. Beside the name of the network, + SSID, we find the + BSSID which is the MAC address of the + access point. The CAPS field + identifies the type of each network and the capabilities + of the stations operating there: + + + + E + + + Extended Service Set (ESS). Indicates that the + station is part of an infrastructure network (in + contrast to an IBSS/ad-hoc network). + + + + + I + + + IBSS/ad-hoc network. Indicates that the station + is part of an ad-hoc network (in contrast to an ESS + network). + + + + + P + + + Privacy. Data confidentiality is required for + all data frames exchanged within the BSS. This means + that this BSS requires the station to use + cryptographic means such as WEP, TKIP or AES-CCMP to + encrypt/decrypt data frames being exchanged with + others. + + + + + S + + + Short Preamble. Indicates that the network is + using short preambles (defined in 802.11b High + Rate/DSSS PHY, short preamble utilizes a 56 bit sync + field in contrast to a 128 bit field used in long + preamble mode). + + + + + s + + + Short slot time. Indicates that the 802.11g + network is using a short slot time because there are + no legacy (802.11b) stations present. + + + + + One can also display the current list of known + networks with: + + &prompt.root; ifconfig ath0 list scan + + This information may be updated automatically by the + adapter or manually with a request. 
+ Old data is automatically removed from the cache, so over + time this list may shrink unless more scans are + done. + + + + Basic Settings + + This section provides a simple example of how to make + the wireless network adapter work in &os; without + encryption. After you are familiar with these concepts, + we strongly recommend using WPA to set up your + wireless network. + + There are three basic steps to configure a wireless + network: selecting an access point, authenticating your + station, and configuring an IP address. The following + sections discuss each step. + + + Selecting an Access Point + + Most of time it is sufficient to let the system + choose an access point using the builtin heuristics. + This is the default behaviour when you mark an interface + up or otherwise configure an interface by listing it in + /etc/rc.conf, e.g.: + + ifconfig_ath0="DHCP" + + If there are multiple access points and you want to + select a specific one, you can select it by its + SSID: + + ifconfig_ath0="ssid your_ssid_here DHCP" + + In an environment where there are multiple access + points with the same SSID (often done to simplify + roaming) it may be necessary to associate to one + specific device. In this case you can also specify the + BSSID of the access point (you can also leave off the + SSID): + + ifconfig_ath0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP" + + There are other ways to constrain the choice of an + access point such as limiting the set of frequencies the + system will scan on. This may be useful if you have a + multi-band wireless card as scanning all the possible + channels can be time-consuming. To limit operation to a + specific band you can use the + parameter; e.g.: + + ifconfig_ath0="mode 11g ssid your_ssid_here DHCP" + + will force the card to operate in 802.11g which is + defined only for 2.4GHz frequencies so any 5GHz channels + will not be considered. 
Other ways to do this are the + parameter, to lock operation to + one specific frequency, and the + parameter, to specify a list + of channels for scanning. More information about these + parameters can be found in the &man.ifconfig.8; manual + page. + + + + Authentication + + Once you have selected an access point your station + needs to authenticate before it can pass data. + Authentication can happen in several ways. The most + common scheme used is termed open authentication and + allows any station to join the network and communicate. + This is the authentication you should use for test + purpose the first time you set up a wireless network. + Other schemes require cryptographic handshakes be + completed before data traffic can flow; either using + pre-shared keys or secrets, or more complex schemes that + involve backend services such as RADIUS. Most users + will use open authentication which is the default + setting. Next most common setup is WPA-PSK, also known + as WPA Personal, which is described below. + + + If you have an &apple; &airport; Extreme base + station for an access point you may need to configure + shared-key authentication together with a WEP key. + This can be done in the + /etc/rc.conf file or using the + &man.wpa.supplicant.8; program. If you have a single + &airport; base station you can setup access with + something like: + + ifconfig_ath0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP" + + In general shared key authentication is to be + avoided because it uses the WEP key material in a + highly-constrained manner making it even easier to + crack the key. If WEP must be used (e.g., for + compatibility with legacy devices) it is better to use + WEP with open authentication. More + information regarding WEP can be found in the . + + + + + Getting an IP Address with DHCP + + Once you have selected an access point and set the + authentication parameters, you will have to get an IP + address to communicate. 
Most of time you will obtain + your wireless IP address via DHCP. To achieve that, + simply edit /etc/rc.conf and add + DHCP to the configuration for your + device as shown in various examples above: + + ifconfig_ath0="DHCP" + + At this point, you are ready to bring up the + wireless interface: + + &prompt.root; /etc/rc.d/netif start + + Once the interface is running, use + ifconfig to see the status of the + interface ath0: + + &prompt.root; ifconfig ath0 +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps) + status: associated + ssid dlinkap channel 6 bssid 00:13:46:49:41:76 + authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100 + + The status: associated means you + are connected to the wireless network (to the + dlinkap network in our case). The + bssid 00:13:46:49:41:76 part is the + MAC address of your access point; the + authmode line informs you that the + communication is not encrypted + (OPEN). + + + + Static IP Address + + In the case you cannot obtain an IP address from a + DHCP server, you can set a fixed IP address. Replace + the DHCP keyword shown above with the + address information. Be sure to retain any other + parameters you have set up for selecting an access + point: + + ifconfig_ath0="inet 192.168.1.100 netmask 255.255.255.0 ssid your_ssid_here" + + + + WPA + + WPA (Wi-Fi Protected Access) is a security protocol + used together with 802.11 networks to address the lack of + proper authentication and the weakness of WEP. WPA leverages + the 802.1X authentication protocol and uses one of several + ciphers instead of WEP for data integrity. 
The only + cipher required by WPA is TKIP (Temporary Key Integrity + Protocol) which is a cipher that extends the basic RC4 + cipher used by WEP by adding integrity checking, tamper + detection, and measures for responding to any detected + intrusions. TKIP is designed to work on legacy hardware + with only software modification; it represents a + compromise that improves security but is still not + entirely immune to attack. WPA also specifies the + AES-CCMP cipher as an alternative to TKIP and that is + preferred when possible; for this specification the term + WPA2 (or RSN) is commonly used. + + WPA defines authentication and encryption protocols. + Authentication is most commonly done using one of two + techniques: by 802.1X and a backend authentication service + such as RADIUS, or by a minimal handshake between the + station and the access point using a pre-shared secret. + The former is commonly termed WPA Enterprise with the + latter known as WPA Personal. Since most people will not + set up a RADIUS backend server for wireless network, + WPA-PSK is by far the most commonly encountered + configuration for WPA. + + The control of the wireless connection and the + authentication (key negotiation or authentication with a + server) is done with the &man.wpa.supplicant.8; utility. + This program requires a configuration file, + /etc/wpa_supplicant.conf, to run. + More information regarding this file can be found in the + &man.wpa.supplicant.conf.5; manual page. + + + WPA-PSK + + WPA-PSK also known as WPA-Personal is based on a + pre-shared key (PSK) generated from a given password and + that will be used as the master key in the wireless + network. This means every wireless user will share the + same key. WPA-PSK is intended for small networks where + the use of an authentication server is not possible or + desired. + + + Always use strong passwords that are + sufficiently long and made from a rich alphabet so + they will not be guessed and/or attacked. 
+ + + The first step is the configuration of the + /etc/wpa_supplicant.conf file with + the SSID and the pre-shared key of your network: + + network={ + ssid="freebsdap" + psk="freebsdmall" +} + + Then, in /etc/rc.conf, we + indicate that the wireless device configuration will be + done with WPA and the IP address will be obtained with + DHCP: + + ifconfig_ath0="WPA DHCP" + + Then, we can bring up the interface: + + &prompt.root; /etc/rc.d/netif start +Starting wpa_supplicant. +DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 5 +DHCPDISCOVER on ath0 to 255.255.255.255 port 67 interval 6 +DHCPOFFER from 192.168.0.1 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPACK from 192.168.0.1 +bound to 192.168.0.254 -- renewal in 300 seconds. +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/36Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36 + protmode CTS roaming MANUAL bintval 100 + + Or you can try to configure it manually using the + same /etc/wpa_supplicant.conf above, and + run: + + &prompt.root; wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf +Trying to associate with 00:11:95:c3:0d:ac (SSID='freebsdap' freq=2412 MHz) +Associated with 00:11:95:c3:0d:ac +WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=TKIP GTK=TKIP] + + The next operation is the launch of the + dhclient command to get the IP + address from the DHCP server: + + &prompt.root; dhclient ath0 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPACK from 192.168.0.1 +bound to 192.168.0.254 -- renewal in 300 seconds. 
+&prompt.root; ifconfig ath0 +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/48Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36 + protmode CTS roaming MANUAL bintval 100 + + + If the /etc/rc.conf is set up + with the line ifconfig_ath0="DHCP" + then it is no need to run the + dhclient command manually, + dhclient will be launched after + wpa_supplicant plumbs the + keys. + + + In the case where the use of DHCP is not possible, + you can set a static IP address after + wpa_supplicant has authenticated the + station: + + &prompt.root; ifconfig ath0 inet 192.168.0.100 netmask 255.255.255.0 +&prompt.root; ifconfig ath0 +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/36Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36 + protmode CTS roaming MANUAL bintval 100 + + When DHCP is not used, you also have to manually set + up the default gateway and the nameserver: + + &prompt.root; route add default your_default_router +&prompt.root; echo "nameserver your_DNS_server" >> /etc/resolv.conf + + + + WPA with EAP-TLS + + The second way to use WPA is with an 802.1X backend + authentication server, in this case WPA is called + WPA-Enterprise to make difference with the less secure + WPA-Personal with its pre-shared key. The + authentication in WPA-Enterprise is based on EAP + (Extensible Authentication Protocol). 
+ + EAP does not come with an encryption method, it was + decided to embed EAP inside an encrypted tunnel. Many + types of EAP authentication methods have been designed, + the most common methods are EAP-TLS, EAP-TTLS and + EAP-PEAP. + + EAP-TLS (EAP with Transport Layer Security) is a + very well-supported authentication protocol in the + wireless world since it was the first EAP method to be + certified by the Wi-Fi alliance. + EAP-TLS will require three certificates to run: the CA + certificate (installed on all machines), the server + certificate for your authentication server, and one + client certificate for each wireless client. In this + EAP method, both authentication server and wireless + client authenticate each other in presenting their + respective certificates, and they verify that these + certificates were signed by your organization's + certificate authority (CA). + + As previously, the configuration is done via + /etc/wpa_supplicant.conf: + + network={ + ssid="freebsdap" + proto=RSN + key_mgmt=WPA-EAP + eap=TLS + identity="loader" + ca_cert="/etc/certs/cacert.pem" + client_cert="/etc/certs/clientcert.pem" + private_key="/etc/certs/clientkey.pem" + private_key_passwd="freebsdmallclient" +} + + + + This field indicates the network name + (SSID). + + + + Here, we use RSN (IEEE 802.11i) protocol, i.e., + WPA2. + + + + The key_mgmt line refers to + the key management protocol we use. In our case it + is WPA using EAP authentication: + WPA-EAP. + + + + In this field, we mention the EAP method for our + connection. + + + + The identity field contains + the identity string for EAP. + + + + The ca_cert field indicates + the pathname of the CA certificate file. This file + is needed to verify the server certificat. + + + + The client_cert line gives + the pathname to the client certificate file. This + certificate is unique to each wireless client of the + network. + + + + The private_key field is the + pathname to the client certificate private key + file. 
+ + + + The private_key field + contains the passphrase for the private key. + + + + Then add the following line to + /etc/rc.conf: + + ifconfig_ath0="WPA DHCP" + + The next step is to bring up the interface with the + help of the rc.d facility: + + &prompt.root; /etc/rc.d/netif start +Starting wpa_supplicant. +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPACK from 192.168.0.20 +bound to 192.168.0.254 -- renewal in 300 seconds. +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit + txpowmax 36 protmode CTS roaming MANUAL bintval 100 + + As previously shown, it is also possible to bring up + the interface manually with both + wpa_supplicant and + ifconfig commands. + + + + WPA with EAP-TTLS + + With EAP-TLS both the authentication server and the + client need a certificate, with EAP-TTLS (EAP-Tunneled + Transport Layer Security) a client certificate is + optional. This method is close to what some secure web + sites do , where the web server can create a secure SSL + tunnel even if the visitors do not have client-side + certificates. EAP-TTLS will use the encrypted TLS + tunnel for safe transport of the authentication + data. + + The configuration is done via the + /etc/wpa_supplicant.conf + file: + + network={ + ssid="freebsdap" + proto=RSN + key_mgmt=WPA-EAP + eap=TTLS + identity="test" + password="test" + ca_cert="/etc/certs/cacert.pem" + phase2="auth=MD5" +} + + + + In this field, we mention the EAP method for our + connection. + + + + The identity field contains + the identity string for EAP authentication inside + the encrypted TLS tunnel. 
+ + + + The password field contains + the passphrase for the EAP authentication. + + + + The ca_cert field indicates + the pathname of the CA certificate file. This file + is needed to verify the server certificat. + + + + In this field, we mention the authentication + method used in the encrypted TLS tunnel. In our + case, EAP with MD5-Challenge has been used. The + inner authentication phase is often + called phase2. + + + + You also have to add the following line to + /etc/rc.conf: + + ifconfig_ath0="WPA DHCP" + + The next step is to bring up the interface: + + &prompt.root; /etc/rc.d/netif start +Starting wpa_supplicant. +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPACK from 192.168.0.20 +bound to 192.168.0.254 -- renewal in 300 seconds. +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit + txpowmax 36 protmode CTS roaming MANUAL bintval 100 + + + + WPA with EAP-PEAP + + PEAP (Protected EAP) has been designed as an + alternative to EAP-TTLS. There are two types of PEAP + methods, the most common one is PEAPv0/EAP-MSCHAPv2. In + the rest of this document, we will use the PEAP term to + refers to that EAP method. PEAP is the most used EAP + standard after EAP-TLS, in other words if you have a + network with mixed OSes, PEAP should be the most + supported standard after EAP-TLS. 
+ + PEAP is similar to EAP-TTLS: it uses a server-side + certificate to authenticate clients by creating an + encrypted TLS tunnel between the client and the + authentication server, which protects the ensuing + exchange of authentication information. In term of + security the difference between EAP-TTLS and PEAP is + that PEAP authentication broadcasts the username in + clear, only the password is sent in the encrypted TLS + tunnel. EAP-TTLS will use the TLS tunnel for both + username and password. + + We have to edit the + /etc/wpa_supplicant.conf file and + add the EAP-PEAP related settings: + + network={ + ssid="freebsdap" + proto=RSN + key_mgmt=WPA-EAP + eap=PEAP + identity="test" + password="test" + ca_cert="/etc/certs/cacert.pem" + phase1="peaplabel=0" + phase2="auth=MSCHAPV2" +} + + + + In this field, we mention the EAP method for our + connection. + + + + The identity field contains + the identity string for EAP authentication inside + the encrypted TLS tunnel. + + + + The password field contains + the passphrase for the EAP authentication. + + + + The ca_cert field indicates + the pathname of the CA certificate file. This file + is needed to verify the server certificat. + + + + This field contains the parameters for the + first phase of the authentication (the TLS + tunnel). According to the authentication server + used, you will have to specify a specific label + for the authentication. Most of time, the label + will be client EAP encryption which + is set by using peaplabel=0. + More information can be found in the + &man.wpa.supplicant.conf.5; manual page. + + + + In this field, we mention the authentication + protocol used in the encrypted TLS tunnel. In the + case of PEAP, it is + auth=MSCHAPV2. + + + + The following must be added to + /etc/rc.conf: + + ifconfig_ath0="WPA DHCP" + + Then, we can bring up the interface: + + &prompt.root; /etc/rc.d/netif start +Starting wpa_supplicant. 
+DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPREQUEST on ath0 to 255.255.255.255 port 67 +DHCPACK from 192.168.0.20 +bound to 192.168.0.254 -- renewal in 300 seconds. +ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA2/802.11i privacy ON deftxkey UNDEF TKIP 2:128-bit + txpowmax 36 protmode CTS roaming MANUAL bintval 100 + + + + + WEP + + WEP (Wired Equivalent Privacy) is part of the original + 802.11 standard. There is no authentication mechanism, + only a weak form of access control, and it is easily to be + cracked. + + WEP can be set up with + ifconfig: + + &prompt.root; ifconfig ath0 inet 192.168.1.100 netmask 255.255.255.0 ssid my_net \ + wepmode on weptxkey 3 wepkey 3:0x3456789012 + + + + The weptxkey means which WEP + key will be used in the transmission. Here we used the + third key. This must match the setting in the access + point. + + + + The wepkey means setting the + selected WEP key. It should in the format + index:key, if the index is + not given, key 1 is set. That is + to say we need to set the index if we use keys other + than the first key. + + + You must replace + the 0x3456789012 with the key + configured for use on the access point. + + + + + You are encouraged to read &man.ifconfig.8; manual + page for further information. + + The wpa_supplicant facility also + can be used to configure your wireless interface with WEP. 
+ The example above can be set up by adding the following + lines to + /etc/wpa_supplicant.conf: + + network={ + ssid="my_net" + key_mgmt=NONE + wep_key3=3456789012 + wep_tx_keyidx=3 +} + + Then: + + &prompt.root; wpa_supplicant -i ath0 -c /etc/wpa_supplicant.conf +Trying to associate with 00:13:46:49:41:76 (SSID='dlinkap' freq=2437 MHz) +Associated with 00:13:46:49:41:76 + + + + + + Ad-hoc Mode + + IBSS mode, also called ad-hoc mode, is designed for point + to point connections. For example, to establish an ad-hoc + network between the machine A and the machine + B we will just need to choose two IP adresses + and a SSID. + + On the box A: + + &prompt.root; ifconfig ath0 inet 192.168.0.1 netmask 255.255.255.0 ssid freebsdap mediaopt adhoc +&prompt.root; ifconfig ath0 + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect <adhoc> (autoselect <adhoc>) + status: associated + ssid freebsdap channel 2 bssid 02:11:95:c3:0d:ac + authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100 + + The adhoc parameter indicates the + interface is running in the IBSS mode. + + On B, we should be able to detect + A: + + &prompt.root; ifconfig ath0 up scan + SSID BSSID CHAN RATE S:N INT CAPS + freebsdap 02:11:95:c3:0d:ac 2 54M 19:0 100 IS + + The I in the output confirms the + machine A is in ad-hoc mode. 
We just have to + configure B with a different IP + address: + + &prompt.root; ifconfig ath0 inet 192.168.0.2 netmask 255.255.255.0 ssid freebsdap mediaopt adhoc +&prompt.root; ifconfig ath0 + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect <adhoc> (autoselect <adhoc>) + status: associated + ssid freebsdap channel 2 bssid 02:11:95:c3:0d:ac + authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100 + + Both A and B are now + ready to exchange informations. + + + + Troubleshooting + + If you are having trouble with wireless networking, there + are a number of steps you can take to help troubleshoot the + problem. + + + + If you do not see the access point listed when + scanning be sure you have not configured your wireless + device to a limited set of channels. + + + + If you cannot associate to an access point verify the + configuration of your station matches the one of the + access point. This includes the authentication scheme and + any security protocols. Simplify your configuration as + much as possible. If you are using a security protocol + such as WPA or WEP configure the access point for open + authentication and no security to see if you can get + traffic to pass. + + + + Once you can associate to the access point diagnose + any security configuration using simple tools like + &man.ping.8;. + + The wpa_supplicant has much + debugging support; try running it manually with the + option and look at the system + logs. + + + + There are also many lower-level debugging tools. You + can enable debugging messages in the 802.11 protocol + support layer using the wlandebug + program found in + /usr/src/tools/tools/net80211. 
For + example: + + &prompt.root; wlandebug -i ath0 +scan+auth+debug+assoc + net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan> + + can be used to enable console messages related to + scanning for access points and doing the 802.11 protocol + handshakes required to arrange communication. + + There are also many useful statistics maintained by + the 802.11 layer; the wlanstats tool + will dump these informations. These statistics should + identify all errors identified by the 802.11 layer. + Beware however that some errors are identified in the + device drivers that lie below the 802.11 layer so they may + not show up. To diagnose device-specific problems you + need to refer to the drivers' documentation. + + + + If the above information does not help to clarify the + problem, please submit a problem report and include output + from the above tools. +
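Review bot: in the WPA-PSK subsection, the note after the manual wpa_supplicant run names the wrong rc.conf line: "If the /etc/rc.conf is set up with the line ifconfig_ath0="DHCP" then it is no need to run the dhclient command manually". The example just above uses `ifconfig_ath0="WPA DHCP"`, and it is the WPA keyword that makes the rc scripts start wpa_supplicant before dhclient; with a plain "DHCP" line wpa_supplicant is never launched, so the note should quote `ifconfig_ath0="WPA DHCP"` (and "it is no need" should read "there is no need"). Two smaller points in the same region: /etc/wpa_supplicant.conf now carries the PSK (and, later in the section, private key passphrases and EAP passwords), so the paragraph introducing the file should tell the reader to keep it readable by root only; and the sample `psk="freebsdmall"` is a single dictionary word placed right after the warning to use strong passphrases, so a long random example (or the hex PSK derived from the passphrase) would set a better precedent. Wording: "Temporary Key Integrity Protocol" should be "Temporal Key Integrity Protocol", and "Most of time" should be "Most of the time".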
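Review bot: in the EAP-TLS callout list the last entry describes the wrong field: "The private_key field contains the passphrase for the private key" refers to `private_key_passwd="freebsdmallclient"`, while `private_key` was already explained in the previous callout as the pathname of the key file. In the EAP-PEAP text, "PEAP authentication broadcasts the username in clear, only the password is sent in the encrypted TLS tunnel. EAP-TTLS will use the TLS tunnel for both username and password." is misleading: both methods send an EAP identity response in the clear before the TLS tunnel exists and both carry the inner credentials inside it; what differs is whether the client uses a separate outer identity, which wpa_supplicant.conf provides for either method through `anonymous_identity`. Suggest rewording that comparison and adding `anonymous_identity` to the TTLS and PEAP examples. The three `ca_cert` callouts could also state the consequence of omitting the field: without a CA certificate wpa_supplicant does not verify the server certificate, so the tunnel no longer protects the MD5 or MSCHAPv2 exchange from a rogue access point. Typos: "certificat" appears in all three `ca_cert` callouts, and "to make difference with the less secure WPA-Personal" should read "to distinguish it from the less secure WPA-Personal".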
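Review bot: the wpa_supplicant WEP example does not reproduce the ifconfig example it claims to match. ifconfig's `weptxkey 3 wepkey 3:0x3456789012` uses 1-based key indices (1 to 4), while wpa_supplicant.conf uses `wep_key0` to `wep_key3` and `wep_tx_keyidx` in the range 0 to 3, so the equivalent settings are `wep_key2=3456789012` and `wep_tx_keyidx=2`, not `wep_key3` and `wep_tx_keyidx=3`. The transcript that follows also shows "Trying to associate with 00:13:46:49:41:76 (SSID='dlinkap' freq=2437 MHz)" although the configuration above it sets `ssid="my_net"`; either the config or the captured output should be adjusted so the two agree. Grammar: "it is easily to be cracked" should read "it is easily cracked".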
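Review bot: in the Troubleshooting list the wpa_supplicant advice is missing the flag it refers to: "try running it manually with the option and look at the system logs" names no option; the debugging switch documented for wpa_supplicant is -d, so the sentence should spell it out. Minor wording in the Ad-hoc and Troubleshooting subsections: "choose two IP adresses" should be "addresses", and "exchange informations" and "dump these informations" should use "information".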