From fc3990a3b436f017be8c46a360fb0cba7e96d403 Mon Sep 17 00:00:00 2001
From: Warren Block
Date: Thu, 2 Jul 2015 00:14:31 +0000
Subject: [PATCH] Update the WPA-PSK access point section at Mark Felder's request, who supplied the ifconfig output. Also update some of the defaults and suggestions for the current era: WPA2 and CCMP/AES.
Submitted by: Mark Felder
Reviewed by: adrian
Differential Revision:
---
 .../handbook/advanced-networking/chapter.xml | 110 +++++++++---------
 1 file changed, 57 insertions(+), 53 deletions(-)
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
index 7d7e8ac3ac..e57fc225de 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
@@ -1935,11 +1935,11 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME
 roam:rate 5 protmode CTS wme burst - - <acronym>WPA</acronym> Host-based Access Point + + <acronym>WPA2</acronym> Host-based Access Point This section focuses on setting up a &os; - AP using the WPA + access point using the WPA2 security protocol. More details regarding WPA and the configuration of WPA-based wireless clients can be found
@@ -1947,13 +1947,13 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME
 The &man.hostapd.8; daemon is used to deal with client authentication and key management on the - WPA-enabled AP. + WPA2-enabled AP. The following configuration operations are performed on the &os; machine acting as the AP. Once the AP is correctly working, - &man.hostapd.8; should be automatically enabled at boot - with the following line in + &man.hostapd.8; can be automatically started at boot + with this line in /etc/rc.conf: hostapd_enable="YES" 
@@ -1963,95 +1963,95 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME
 linkend="network-wireless-ap-basic"/>. - <acronym>WPA-PSK</acronym> + <acronym>WPA2-PSK</acronym> - WPA-PSK is intended for small + WPA2-PSK is intended for small networks where the use of a backend authentication server is not possible or desired. The configuration is done in /etc/hostapd.conf:
- interface=wlan0
-debug=1
-ctrl_interface=/var/run/hostapd
-ctrl_interface_group=wheel
-ssid=freebsdap
-wpa=1
-wpa_passphrase=freebsdmall
-wpa_key_mgmt=WPA-PSK
-wpa_pairwise=CCMP TKIP
+ interface=wlan0
+debug=1
+ctrl_interface=/var/run/hostapd
+ctrl_interface_group=wheel
+ssid=freebsdap
+wpa=2
+wpa_passphrase=freebsdmall
+wpa_key_mgmt=WPA-PSK
+wpa_pairwise=CCMP
 - This field indicates the wireless interface used - for the AP. + Wireless interface used + for the access point. - This field sets the level of verbosity during the + Level of verbosity used during the execution of &man.hostapd.8;. A value of 1 represents the minimal level. - The ctrl_interface field gives - the pathname of the directory used by &man.hostapd.8; - to store its domain socket files for the communication + Pathname of the directory used by &man.hostapd.8; + to store domain socket files for communication with external programs such as &man.hostapd.cli.8;. The default value is used in this example. - The ctrl_interface_group line - sets the group which is allowed to access the control + The group allowed to access the control interface files. - This field sets the network name. + The wireless network name, or + SSID, that will appear in wireless + scans. - The wpa field enables - WPA and specifies which + Enable + WPA and specify which WPA authentication protocol will - be required. A value of 1 + be required. A value of 2 configures the AP for - WPA-PSK. + WPA2 and is recommended. + Set to 1 only if the obsolete + WPA is required. 
- The wpa_passphrase field - contains the ASCII passphrase for + ASCII passphrase for WPA authentication. - Always use strong passwords that are - sufficiently long and made from a rich alphabet so + Always use strong passwords that are at least + 8 characters long and made from a rich alphabet so that they will not be easily guessed or attacked. - The wpa_key_mgmt line refers - to the key management protocol to use. This example + The + key management protocol to use. This example sets WPA-PSK. - The wpa_pairwise field - indicates the set of accepted encryption algorithms by - the AP. In this example, both - TKIP (WPA) and - CCMP (WPA2) - ciphers are accepted. The CCMP - cipher is an alternative to TKIP + Encryption algorithms accepted by + the access point. In this example, only + the + CCMP (AES) + cipher is accepted. CCMP + is an alternative to TKIP and is strongly preferred when possible. - TKIP should be used solely for - stations incapable of doing + TKIP should be allowed only when + there are stations incapable of using CCMP. 
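Review bot: The new wording `at least 8 characters long` states hostapd's lower bound for wpa_passphrase rather than a safe choice: 8 is the shortest value the daemon accepts (the permitted range is 8 to 63 ASCII characters), and in WPA2-PSK the passphrase is the only secret, so a short one is exposed to offline guessing. I would keep the range as a fact and make the recommendation separate, e.g. `hostapd accepts passphrases of 8 to 63 characters; choose one considerably longer than the minimum that is not a dictionary word or name, and replace the example value freebsdmall, which is only a placeholder`. The unchanged `ctrl_interface_group=wheel` line grants every member of wheel access to the control interface files described in this hunk; one sentence noting that this is a privileged group that should stay small would help readers who copy the file verbatim. The enclosing section starts before and ends after this hunk.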
@@ -2061,14 +2061,18 @@ wpa_pairwise=CCMP TKIP
 &prompt.root; service hostapd forcestart &prompt.root; ifconfig wlan0
- wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
- inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
- inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
- ether 00:11:95:c3:0d:ac
- media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
- status: associated
- ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
- authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100
+wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
+ ether 04:f0:21:16:8e:10
+ inet6 fe80::6f0:21ff:fe16:8e10%wlan0 prefixlen 64 scopeid 0x9
+ nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
+ media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
+ status: running
+ ssid No5ignal channel 36 (5180 MHz 11a ht/40+) bssid 04:f0:21:16:8e:10
+ country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
+ AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 mcastrate 6 mgmtrate 6
+ scanvalid 60 ampdulimit 64k ampdudensity 8 shortgi wme burst
+ dtimperiod 1 -dfs
+ groups: wlan
 Once the AP is running, the clients can associate with it. See