Update the WPA-PSK access point section at the request of Mark Felder, who
supplied the ifconfig output. Also update some of the defaults and suggestions for the current era: WPA2 and CCMP/AES. Submitted by: Mark Felder <feld@FreeBSD.org> Reviewed by: adrian Differential Revision:
This commit is contained in:
parent
10f5081088
commit
fc3990a3b4
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=46911
1 changed files with 57 additions and 53 deletions
|
@ -1935,11 +1935,11 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
|
||||||
roam:rate 5 protmode CTS wme burst</screen>
|
roam:rate 5 protmode CTS wme burst</screen>
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3>
|
<sect3 xml:id="network-wireless-ap-wpa">
|
||||||
<title><acronym>WPA</acronym> Host-based Access Point</title>
|
<title><acronym>WPA2</acronym> Host-based Access Point</title>
|
||||||
|
|
||||||
<para>This section focuses on setting up a &os;
|
<para>This section focuses on setting up a &os;
|
||||||
<acronym>AP</acronym> using the <acronym>WPA</acronym>
|
access point using the <acronym>WPA2</acronym>
|
||||||
security protocol. More details regarding
|
security protocol. More details regarding
|
||||||
<acronym>WPA</acronym> and the configuration of
|
<acronym>WPA</acronym> and the configuration of
|
||||||
<acronym>WPA</acronym>-based wireless clients can be found
|
<acronym>WPA</acronym>-based wireless clients can be found
|
||||||
|
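Review bot: the new xml:id="network-wireless-ap-wpa" on the <sect3> is the right move, since it makes the section linkable from elsewhere in the Handbook, but note that the title now says WPA2 while the id still says "wpa"; that is acceptable because the section covers both protocols, just keep the id stable once other chapters start linking to it. The sentence that follows the title ("More details regarding WPA and the configuration of WPA-based wireless clients") is still generic WPA and reads correctly as left.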
@ -1947,13 +1947,13 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
|
||||||
|
|
||||||
<para>The &man.hostapd.8; daemon is used to deal with client
|
<para>The &man.hostapd.8; daemon is used to deal with client
|
||||||
authentication and key management on the
|
authentication and key management on the
|
||||||
<acronym>WPA</acronym>-enabled <acronym>AP</acronym>.</para>
|
<acronym>WPA2</acronym>-enabled <acronym>AP</acronym>.</para>
|
||||||
|
|
||||||
<para>The following configuration operations are performed
|
<para>The following configuration operations are performed
|
||||||
on the &os; machine acting as the <acronym>AP</acronym>.
|
on the &os; machine acting as the <acronym>AP</acronym>.
|
||||||
Once the <acronym>AP</acronym> is correctly working,
|
Once the <acronym>AP</acronym> is correctly working,
|
||||||
&man.hostapd.8; should be automatically enabled at boot
|
&man.hostapd.8; can be automatically started at boot
|
||||||
with the following line in
|
with this line in
|
||||||
<filename>/etc/rc.conf</filename>:</para>
|
<filename>/etc/rc.conf</filename>:</para>
|
||||||
|
|
||||||
<programlisting>hostapd_enable="YES"</programlisting>
|
<programlisting>hostapd_enable="YES"</programlisting>
|
||||||
|
@ -1963,95 +1963,95 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
|
||||||
linkend="network-wireless-ap-basic"/>.</para>
|
linkend="network-wireless-ap-basic"/>.</para>
|
||||||
|
|
||||||
<sect4>
|
<sect4>
|
||||||
<title><acronym>WPA-PSK</acronym></title>
|
<title><acronym>WPA2-PSK</acronym></title>
|
||||||
|
|
||||||
<para><acronym>WPA-PSK</acronym> is intended for small
|
<para><acronym>WPA2-PSK</acronym> is intended for small
|
||||||
networks where the use of a backend authentication server
|
networks where the use of a backend authentication server
|
||||||
is not possible or desired.</para>
|
is not possible or desired.</para>
|
||||||
|
|
||||||
<para>The configuration is done in
|
<para>The configuration is done in
|
||||||
<filename>/etc/hostapd.conf</filename>:</para>
|
<filename>/etc/hostapd.conf</filename>:</para>
|
||||||
|
|
||||||
<programlisting>interface=wlan0 <co xml:id="co-ap-wpapsk-iface"/>
|
<programlisting>interface=wlan0 <co xml:id="co-ap-wpapsk-iface"/>
|
||||||
debug=1 <co xml:id="co-ap-wpapsk-dbug"/>
|
debug=1 <co xml:id="co-ap-wpapsk-dbug"/>
|
||||||
ctrl_interface=/var/run/hostapd <co xml:id="co-ap-wpapsk-ciface"/>
|
ctrl_interface=/var/run/hostapd <co xml:id="co-ap-wpapsk-ciface"/>
|
||||||
ctrl_interface_group=wheel <co xml:id="co-ap-wpapsk-cifacegrp"/>
|
ctrl_interface_group=wheel <co xml:id="co-ap-wpapsk-cifacegrp"/>
|
||||||
ssid=freebsdap <co xml:id="co-ap-wpapsk-ssid"/>
|
ssid=freebsdap <co xml:id="co-ap-wpapsk-ssid"/>
|
||||||
wpa=1 <co xml:id="co-ap-wpapsk-wpa"/>
|
wpa=2 <co xml:id="co-ap-wpapsk-wpa"/>
|
||||||
wpa_passphrase=freebsdmall <co xml:id="co-ap-wpapsk-pass"/>
|
wpa_passphrase=freebsdmall <co xml:id="co-ap-wpapsk-pass"/>
|
||||||
wpa_key_mgmt=WPA-PSK <co xml:id="co-ap-wpapsk-kmgmt"/>
|
wpa_key_mgmt=WPA-PSK <co xml:id="co-ap-wpapsk-kmgmt"/>
|
||||||
wpa_pairwise=CCMP TKIP <co xml:id="co-ap-wpapsk-pwise"/></programlisting>
|
wpa_pairwise=CCMP <co xml:id="co-ap-wpapsk-pwise"/></programlisting>
|
||||||
|
|
||||||
<calloutlist>
|
<calloutlist>
|
||||||
<callout arearefs="co-ap-wpapsk-iface">
|
<callout arearefs="co-ap-wpapsk-iface">
|
||||||
<para>This field indicates the wireless interface used
|
<para>Wireless interface used
|
||||||
for the <acronym>AP</acronym>.</para>
|
for the access point.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-dbug">
|
<callout arearefs="co-ap-wpapsk-dbug">
|
||||||
<para>This field sets the level of verbosity during the
|
<para>Level of verbosity used during the
|
||||||
execution of &man.hostapd.8;. A value of
|
execution of &man.hostapd.8;. A value of
|
||||||
<literal>1</literal> represents the minimal
|
<literal>1</literal> represents the minimal
|
||||||
level.</para>
|
level.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-ciface">
|
<callout arearefs="co-ap-wpapsk-ciface">
|
||||||
<para>The <literal>ctrl_interface</literal> field gives
|
<para>Pathname of the directory used by &man.hostapd.8;
|
||||||
the pathname of the directory used by &man.hostapd.8;
|
to store domain socket files for communication
|
||||||
to store its domain socket files for the communication
|
|
||||||
with external programs such as &man.hostapd.cli.8;.
|
with external programs such as &man.hostapd.cli.8;.
|
||||||
The default value is used in this example.</para>
|
The default value is used in this example.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-cifacegrp">
|
<callout arearefs="co-ap-wpapsk-cifacegrp">
|
||||||
<para>The <literal>ctrl_interface_group</literal> line
|
<para>The group allowed to access the control
|
||||||
sets the group which is allowed to access the control
|
|
||||||
interface files.</para>
|
interface files.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-ssid">
|
<callout arearefs="co-ap-wpapsk-ssid">
|
||||||
<para>This field sets the network name.</para>
|
<para>The wireless network name, or
|
||||||
|
<acronym>SSID</acronym>, that will appear in wireless
|
||||||
|
scans.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-wpa">
|
<callout arearefs="co-ap-wpapsk-wpa">
|
||||||
<para>The <literal>wpa</literal> field enables
|
<para>Enable
|
||||||
<acronym>WPA</acronym> and specifies which
|
<acronym>WPA</acronym> and specify which
|
||||||
<acronym>WPA</acronym> authentication protocol will
|
<acronym>WPA</acronym> authentication protocol will
|
||||||
be required. A value of <literal>1</literal>
|
be required. A value of <literal>2</literal>
|
||||||
configures the <acronym>AP</acronym> for
|
configures the <acronym>AP</acronym> for
|
||||||
<acronym>WPA-PSK</acronym>.</para>
|
<acronym>WPA2</acronym> and is recommended.
|
||||||
|
Set to <literal>1</literal> only if the obsolete
|
||||||
|
<acronym>WPA</acronym> is required.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-pass">
|
<callout arearefs="co-ap-wpapsk-pass">
|
||||||
<para>The <literal>wpa_passphrase</literal> field
|
<para>ASCII passphrase for
|
||||||
contains the ASCII passphrase for
|
|
||||||
<acronym>WPA</acronym> authentication.</para>
|
<acronym>WPA</acronym> authentication.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Always use strong passwords that are
|
<para>Always use strong passwords that are at least
|
||||||
sufficiently long and made from a rich alphabet so
|
8 characters long and made from a rich alphabet so
|
||||||
that they will not be easily guessed or
|
that they will not be easily guessed or
|
||||||
attacked.</para>
|
attacked.</para>
|
||||||
</warning>
|
</warning>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-kmgmt">
|
<callout arearefs="co-ap-wpapsk-kmgmt">
|
||||||
<para>The <literal>wpa_key_mgmt</literal> line refers
|
<para>The
|
||||||
to the key management protocol to use. This example
|
key management protocol to use. This example
|
||||||
sets <acronym>WPA-PSK</acronym>.</para>
|
sets <acronym>WPA-PSK</acronym>.</para>
|
||||||
</callout>
|
</callout>
|
||||||
|
|
||||||
<callout arearefs="co-ap-wpapsk-pwise">
|
<callout arearefs="co-ap-wpapsk-pwise">
|
||||||
<para>The <literal>wpa_pairwise</literal> field
|
<para>Encryption algorithms accepted by
|
||||||
indicates the set of accepted encryption algorithms by
|
the access point. In this example, only
|
||||||
the <acronym>AP</acronym>. In this example, both
|
the
|
||||||
<acronym>TKIP</acronym> (<acronym>WPA</acronym>) and
|
<acronym>CCMP</acronym> (<acronym>AES</acronym>)
|
||||||
<acronym>CCMP</acronym> (<acronym>WPA2</acronym>)
|
cipher is accepted. <acronym>CCMP</acronym>
|
||||||
ciphers are accepted. The <acronym>CCMP</acronym>
|
is an alternative to <acronym>TKIP</acronym>
|
||||||
cipher is an alternative to <acronym>TKIP</acronym>
|
|
||||||
and is strongly preferred when possible.
|
and is strongly preferred when possible.
|
||||||
<acronym>TKIP</acronym> should be used solely for
|
<acronym>TKIP</acronym> should be allowed only when
|
||||||
stations incapable of doing
|
there are stations incapable of using
|
||||||
<acronym>CCMP</acronym>.</para>
|
<acronym>CCMP</acronym>.</para>
|
||||||
</callout>
|
</callout>
|
||||||
</calloutlist>
|
</calloutlist>
|
||||||
|
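Review bot: the wpa_pairwise callout describes the cipher set as the one accepted by the access point in general, but in hostapd.conf wpa_pairwise is the pairwise cipher set for WPA (version 1) and rsn_pairwise is the set for WPA2/RSN; with wpa=2 this listing works because rsn_pairwise falls back to the wpa_pairwise value when it is not set. Consider either adding `rsn_pairwise=CCMP` to the listing or stating that fallback in the callout, so a reader who later sets wpa=3 (both WPA and WPA2) knows which key controls the WPA2 side. Two smaller points in the same hunk: the wpa callout still opens with "Enable WPA and specify which WPA authentication protocol", which could read WPA/WPA2 now that the example value is 2; and the warning's "at least 8 characters long" is the hard minimum hostapd accepts for wpa_passphrase rather than a strong length, so wording such as "well beyond the 8-character minimum" would fit the "rich alphabet" advice better.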
@ -2061,14 +2061,18 @@ wpa_pairwise=CCMP TKIP <co xml:id="co-ap-wpapsk-pwise"/></programlisting>
|
||||||
<screen>&prompt.root; <userinput>service hostapd forcestart</userinput></screen>
|
<screen>&prompt.root; <userinput>service hostapd forcestart</userinput></screen>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
|
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
|
||||||
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
|
wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
|
||||||
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
|
ether 04:f0:21:16:8e:10
|
||||||
inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
|
inet6 fe80::6f0:21ff:fe16:8e10%wlan0 prefixlen 64 scopeid 0x9
|
||||||
ether 00:11:95:c3:0d:ac
|
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
|
||||||
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
|
media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
|
||||||
status: associated
|
status: running
|
||||||
ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
|
ssid No5ignal channel 36 (5180 MHz 11a ht/40+) bssid 04:f0:21:16:8e:10
|
||||||
authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
|
country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
|
||||||
|
AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 mcastrate 6 mgmtrate 6
|
||||||
|
scanvalid 60 ampdulimit 64k ampdudensity 8 shortgi wme burst
|
||||||
|
dtimperiod 1 -dfs
|
||||||
|
groups: wlan</screen>
|
||||||
|
|
||||||
<para>Once the <acronym>AP</acronym> is running, the
|
<para>Once the <acronym>AP</acronym> is running, the
|
||||||
clients can associate with it. See <xref
|
clients can associate with it. See <xref
|
||||||
|
|
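Review bot: the replacement ifconfig output shows "ssid No5ignal channel 36 (5180 MHz 11a ht/40+) bssid 04:f0:21:16:8e:10", which no longer matches the ssid=freebsdap configured in /etc/hostapd.conf earlier in this section or the freebsdap entry in the scan output quoted in the hunk headers; consider editing the captured line to "ssid freebsdap" so the section stays consistent end to end. The new output is otherwise an improvement: the old "fe80::...%ath0" line named the wrong interface for a wlan0 device, and the "AES-CCM 2:128-bit AES-CCM 3:128-bit" keys are consistent with the CCMP-only wpa_pairwise setting above.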