# Wireless Networking Quick Start

This section illustrates the basic procedure to connect a DragonFly system to an existing wireless network. The next section goes into detail should that be required.

## Use WPA Supplicant from DPorts

DragonFly comes with WPA Supplicant in base, but it is an older version (2.1) that will not be updated again. At the time of this writing, the version of WPA Supplicant in DPorts is 2.4. The version in base can still be used as a fallback.

### Option 1: Install WPA Supplicant from binary package

> pkg install wpa_supplicant

### Option 2: Build WPA Supplicant from source

Assuming DPorts has been installed and is up to date,

> cd /usr/dports/security/wpa_supplicant
> make clean ; make install

### Update /etc/rc.conf

In order to use the new WPA Supplicant instead of the base version, it must be configured in */etc/rc.conf*. The following will accomplish this on systems using default locations (the outer single quotes keep the double quotes intact in the file):

> echo 'wpa_supplicant_program="/usr/local/sbin/wpa_supplicant"' >> /etc/rc.conf

Obtain the SSID (Service Set Identifier) and PSK (Pre-Shared Key) for the wireless network from the network administrator.

Identify the wireless adapter. The DragonFly GENERIC kernel includes drivers for many common wireless adapters. If the wireless adapter is one of those models, it will be shown in the output from ifconfig(8):

> ifconfig | grep -B3 -i wireless

If a wireless adapter is not listed, an additional kernel module might be required, or it might be a model not supported by DragonFly. This example shows the Ralink ral0 wireless adapter.

Recently, pure wlan devices are no longer listed by ifconfig(8); a sysctl has to be queried to list them instead. If ifconfig is unsuccessful, try:

> sysctl net.wlan.devices

The interface should be listed there instead. Should the wireless device not be listed here either, there are two workarounds so you can connect to a network anyway: either switch to Ethernet (which is normally faster and easier to configure but has, of course, the disadvantage of being wired), or buy a USB wireless adapter built around a supported WLAN chipset, e.g. urtwn(4); these are very cheap, energy-efficient and tiny. There is no comprehensive list (yet) of supported WLAN devices in the handbook, but typing *apropos wireless | more* should get you on the right track. Yet another alternative is to ask on the IRC channel for suggestions.

## Configure WPA Supplicant

Add an entry for this network to */etc/wpa_supplicant.conf*. If the file does not exist, create it. Replace _myssid_ and _mypsk_ with the SSID and PSK provided by the network administrator. The file holds a network credential, so it should be readable only by root (mode 0600).

Add entries to */etc/rc.conf* to configure the network on startup:

ifconfig_wlan0="WPA DHCP"

## Start wireless service

Restart the computer, or restart the network service to connect to the network:

> service netif restart
## Wireless Networking Basics

[ Shamelessly plagiarized from Loader, Marc Fonvieille and Murray Stokely and the FreeBSD Handbook ]

Most wireless networks are based on the IEEE® 802.11 standards. A basic wireless network consists of multiple stations communicating with radios that broadcast in either the 2.4GHz or 5GHz band, though this varies according to the locale and is also changing to enable communication in the 2.3GHz and 4.9GHz ranges.

802.11 networks are organized in two ways. In infrastructure mode, one station acts as a master with all the other stations associating to it; the network is known as a BSS, and the master station is termed an access point (AP). In a BSS, all communication passes through the AP; even when one station wants to communicate with another wireless station, messages must go through the AP. In the second form of network, there is no master and stations communicate directly. This form of network is termed an IBSS and is commonly known as an ad-hoc network.

802.11 networks were first deployed in the 2.4GHz band using protocols defined by the IEEE® 802.11 and 802.11b standards. These specifications include the operating frequencies and the MAC layer characteristics, including framing and transmission rates, as communication can occur at various rates. Later, the 802.11a standard defined operation in the 5GHz band, including different signaling mechanisms and higher transmission rates. Still later, the 802.11g standard defined the use of 802.11a signaling and transmission mechanisms in the 2.4GHz band in such a way as to be backwards compatible with 802.11b networks.

Separate from the underlying transmission techniques, 802.11 networks have a variety of security mechanisms. The original 802.11 specifications defined a simple security protocol called WEP. This protocol uses a fixed pre-shared key and the RC4 stream cipher to encrypt data transmitted on a network. Stations must all agree on the fixed key in order to communicate. This scheme was shown to be easily broken and is now rarely used except to discourage transient users from joining networks. Current security practice is given by the IEEE® 802.11i specification, which defines new cryptographic ciphers and an additional protocol to authenticate stations to an access point and exchange keys for data communication. Cryptographic keys are periodically refreshed and there are mechanisms for detecting and countering intrusion attempts. Another security protocol specification commonly used in wireless networks is termed WPA, which was a precursor to 802.11i. WPA specifies a subset of the requirements found in 802.11i and is designed for implementation on legacy hardware. Specifically, WPA requires only the TKIP cipher, which is derived from the original WEP cipher. 802.11i permits use of TKIP but also requires support for a stronger cipher, AES-CCM, for encrypting data. The AES cipher was not required in WPA because it was deemed too computationally costly to be implemented on legacy hardware.

The other standard to be aware of is 802.11e. It defines protocols for deploying multimedia applications, such as streaming video and voice over IP (VoIP), in an 802.11 network. Like 802.11i, 802.11e also has a precursor specification termed WME (later renamed WMM) that was defined by an industry group as a subset of 802.11e that could be deployed immediately to enable multimedia applications while waiting for the final ratification of 802.11e. The most important thing to know about 802.11e and WME/WMM is that they enable prioritized traffic over a wireless network through Quality of Service (QoS) protocols and enhanced media access protocols. Proper implementation of these protocols enables high speed bursting of data and prioritized traffic flow.

DragonFly supports networks that operate using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i security protocols are likewise supported (in conjunction with any of 11a, 11b, and 11g), and the QoS and traffic prioritization required by the WME/WMM protocols are supported for a limited set of wireless devices.

### Kernel Configuration

In the GENERIC kernel, all supported wireless devices are built into the kernel by default. In the normal case, nothing needs to be done. However, a custom kernel might have all the devices commented out in its configuration; in that case the module has to be loaded for wireless support.

The most commonly used wireless devices are those that use parts made by Atheros, which will be used as an example. These devices are supported by ath(4) and require the following line to be added to /boot/loader.conf:

The Atheros driver is split into three separate pieces: the driver (ath(4)), the hardware support layer that handles chip-specific functions (ath_hal(4)), and an algorithm for selecting the rate for transmitting frames. When this support is loaded as kernel modules, any dependencies are automatically handled. To load support for a different type of wireless device, specify the module for that device. This example is for devices based on the Intersil Prism parts (wi(4)) driver:

In addition, the modules that implement cryptographic support for the security protocols in use must be loaded. These are intended to be dynamically loaded on demand by the wlan(4) module, but for now they must be manually configured. The following modules are available: wlan_wep(4), wlan_ccmp(4), and wlan_tkip(4). The wlan_ccmp(4) and wlan_tkip(4) drivers are only needed when using the WPA or 802.11i security protocols. If the network does not use encryption, wlan_wep(4) support is not needed. To load these modules at boot time, add the following lines to /boot/loader.conf:

Once this information has been added to /boot/loader.conf, reboot the DragonFly box. Alternately, load the modules by hand using kldload(8). Information about the wireless device should appear in the boot messages, like this:

ath0: <Atheros 5212> mem 0x88000000-0x8800ffff irq 11 at device 0.0 on cardbus1
ath0: AR2413 mac 7.9 RF2413 phy 4.5

## Infrastructure Mode

Infrastructure (BSS) mode is the mode that is typically used. In this mode, a number of wireless access points are connected to a wired network. Each wireless network has its own name, called the SSID. Wireless clients connect to the wireless access points.

### How to Find Access Points

To scan for available networks, use ifconfig(8). This request may take a few moments to complete as it requires the system to switch to each available wireless frequency and probe for available access points. Only the superuser can initiate a scan:

> ifconfig wlan0 create wlandev ath0
> ifconfig wlan0 up scan
SSID/MESH ID BSSID CHAN RATE S:N INT CAPS
dlinkap 00:13:46:49:41:76 11 54M -90:96 100 EPS WPA WME
dragonap 00:11:95:c3:0d:ac 1 54M -83:96 100 EPS WPA

Note: The interface must be up before it can scan. Subsequent scan requests do not require the interface to be marked as up again.

The output of a scan request lists each BSS/IBSS network found. Besides listing the name of the network, the SSID, the output also shows the BSSID, which is the MAC address of the access point. The CAPS field identifies the type of each network and the capabilities of the stations operating there:

| Code | Station Capability Code Meaning |
| --- | --- |
| E | Extended Service Set (ESS). Indicates that the station is part of an infrastructure network rather than an IBSS/ad-hoc network. |
| I | IBSS/ad-hoc network. Indicates that the station is part of an ad-hoc network rather than an ESS network. |
| P | Privacy. Encryption is required for all data frames exchanged within the BSS using cryptographic means such as WEP, TKIP or AES-CCMP. |
| S | Short Preamble. Indicates that the network is using short preambles, defined in 802.11b High Rate/DSSS PHY, and utilizes a 56 bit sync field rather than the 128 bit field used in long preamble mode. |
| s | Short slot time. Indicates that the 802.11g network is using a short slot time because there are no legacy (802.11b) stations present. |

The words that follow the letter codes name information elements advertised by the access point: WPA for WPA1, RSN for 802.11i/WPA2, and WME for QoS support. A network that shows P but neither WPA nor RSN is using WEP.

One can also display the current list of known networks with:

> ifconfig wlan0 list scan

This information may be updated automatically by the adapter or manually with a scan request. Old data is automatically removed from the cache, so over time this list may shrink unless more scans are done.
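The scan output above is what a station has to work with when it decides which access point to join, and the CAPS column is the only clue to the network's security before association. The following is an added example, not code from the handbook or from ifconfig(8): it parses scan lines of the format shown, classifies each BSS from its CAPS, and picks the strongest BSS for an SSID that meets a security floor, so an evil-twin access point beaconing a known SSID without encryption is never selected. The sample scan is constructed here; the first two lines are the handbook's dlinkap and dragonap, the rest are made up for contrast.

```python
"""Parse `ifconfig wlan0 scan` output and rank the BSSes for an SSID.

Added example; not code from the DragonFly handbook or from ifconfig(8).
The sample scan below is constructed: the first two lines are the
handbook's dlinkap and dragonap, the others are made up (an open network,
a WEP-only one and an RSN/WPA2 one) so the classifier has something to
distinguish.
"""
import re
from dataclasses import dataclass

# ssid  bssid  chan  rate  S:N  beacon-interval  caps  (ifconfig(8) scan layout)
SCAN_RE = re.compile(
    r"^(?P<ssid>.*?)\s*"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<chan>\d+)\s+(?P<rate>\S+)\s+"
    r"(?P<sig>-?\d+):(?P<noise>-?\d+)\s+"
    r"(?P<bint>\d+)\s+(?P<caps>.*)$",
    re.IGNORECASE,
)
FLAG_LETTERS = set("EIPSs")          # the one-letter codes from the CAPS table
RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


@dataclass
class BSS:
    ssid: str
    bssid: str
    chan: int
    rssi: int
    caps: set

    def security(self) -> str:
        # ifconfig prints "RSN" when an 802.11i IE is present and "WPA" for WPA1.
        if "RSN" in self.caps:
            return "WPA2"
        if "WPA" in self.caps:
            return "WPA"
        if "P" in self.caps:       # privacy bit set but no WPA/RSN IE: WEP
            return "WEP"
        return "OPEN"

    def adhoc(self) -> bool:
        return "I" in self.caps


def parse_scan(text: str) -> list:
    """Return a BSS per parsable line; the header and blank lines are skipped."""
    out = []
    for line in text.splitlines():
        m = SCAN_RE.match(line.rstrip())
        if not m:
            continue
        caps = set()
        for tok in m["caps"].split():
            if set(tok) <= FLAG_LETTERS:
                caps |= set(tok)   # "EPS" -> E, P, S
            else:
                caps.add(tok)      # "WPA", "RSN", "WME", ...
        out.append(BSS(m["ssid"], m["bssid"].lower(), int(m["chan"]), int(m["sig"]), caps))
    return out


def best_bss(bsses: list, ssid: str, min_security: str = "WPA2"):
    """Strongest infrastructure BSS advertising ssid that meets the security floor, else None.

    Filtering on security as well as SSID means an evil-twin AP that beacons
    the same name without encryption is never chosen."""
    cands = [b for b in bsses if b.ssid == ssid and not b.adhoc()
             and RANK[b.security()] >= RANK[min_security]]
    return max(cands, key=lambda b: b.rssi, default=None)


SAMPLE_SCAN = """\
SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
dlinkap         00:13:46:49:41:76   11   54M -90:96  100 EPS  WPA WME
dragonap        00:11:95:c3:0d:ac    1   54M -83:96  100 EPS  WPA
coffee shop     00:11:22:33:44:55    6   54M -70:96  100 ES   WME
oldrouter       00:aa:bb:cc:dd:ee    3   11M -75:96  100 EPS
homenet         00:de:ad:be:ef:01   36   54M -60:96  100 EPS  RSN WME
"""

if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    for b in found:
        print(f"{b.ssid:16} {b.bssid} ch{b.chan:<3} {b.rssi:4} dBm {b.security()}")
    print("pick for homenet:", best_bss(found, "homenet"))
```

With the default floor of WPA2, `best_bss` returns nothing for dragonap (it only advertises WPA1), which is the point: lower the floor explicitly, with `min_security="WPA"`, rather than let the station fall back on its own.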
This section provides a simple example of how to make the wireless network adapter work in DragonFly without encryption. Once familiar with these concepts, it is strongly recommended to use WPA to set up the wireless network.

There are three basic steps to configure a wireless network: select an access point, authenticate the station, and configure an IP address. The following sections discuss each step.

#### Selecting an Access Point

Most of the time, it is sufficient to let the system choose an access point using the builtin heuristics. This is the default behaviour when an interface is marked as up or it is listed in */etc/rc.conf*:

ifconfig_wlan0="DHCP"

If there are multiple access points, a specific one can be selected by its SSID:

ifconfig_wlan0="ssid your_ssid_here DHCP"

In an environment where there are multiple access points with the same SSID, which is often done to simplify roaming, it may be necessary to associate to one specific device. In this case, the BSSID of the access point can be specified, with or without the SSID:

ifconfig_wlan0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP"

There are other ways to constrain the choice of an access point, such as limiting the set of frequencies the system will scan on. This may be useful for a multi-band wireless card as scanning all the possible channels can be time-consuming. To limit operation to a specific band, use the mode parameter:

ifconfig_wlan0="mode 11g ssid your_ssid_here DHCP"

This example will force the card to operate in 802.11g, which is defined only for 2.4GHz frequencies, so any 5GHz channels will not be considered. This can also be achieved with the channel parameter, which locks operation to one specific frequency, and the chanlist parameter, to specify a list of channels for scanning. More information about these parameters can be found in ifconfig(8).

Once an access point is selected, the station needs to authenticate before it can pass data. Authentication can happen in several ways. The most common scheme, open authentication, allows any station to join the network and communicate. This is the authentication to use for test purposes the first time a wireless network is set up. Other schemes require cryptographic handshakes to be completed before data traffic can flow, either using pre-shared keys or secrets, or more complex schemes that involve backend services such as RADIUS. Open authentication is the default setting. The next most common setup is WPA-PSK, also known as WPA Personal.

_Note_: If using an Apple® AirPort® Extreme base station for an access point, shared-key authentication together with a WEP key needs to be configured. This can be configured in */etc/rc.conf* or by using wpa_supplicant(8). For a single AirPort® base station, access can be configured with:

ifconfig_wlan0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP"

In general, shared key authentication should be avoided because it uses the WEP key material in a highly constrained manner, making it even easier to crack the key. If WEP must be used for compatibility with legacy devices, it is better to use WEP with open authentication.

#### Getting an IP Address with DHCP

Once an access point is selected and the authentication parameters are set, an IP address must be obtained in order to communicate. Most of the time, the IP address is obtained via DHCP. To achieve that, edit */etc/rc.conf* and add DHCP to the configuration for the device:

ifconfig_wlan0="DHCP"

The wireless interface is now ready to bring up:

> service netif start

Once the interface is running, use ifconfig(8) to see the status of the interface wlan0:

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
status: associated
ssid dlinkap channel 11 (2462 Mhz 11g) bssid 00:13:46:49:41:76
country US ecm authmode OPEN privacy OFF txpower 21.5 bmiss 7
scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
roam:rate 5 protmode CTS wme burst

The *status: associated* line means that it is connected to the wireless network. The bssid *00:13:46:49:41:76* is the MAC address of the access point, and *authmode OPEN* indicates that the communication is not encrypted.

#### Static IP Address

If an IP address cannot be obtained from a DHCP server, set a fixed IP address. Replace the DHCP keyword shown above with the address information. Be sure to retain any other parameters for selecting the access point:

ifconfig_wlan0="inet 192.168.1.100 netmask 255.255.255.0 ssid your_ssid_here"

Wi-Fi Protected Access (WPA) is a security protocol used together with 802.11 networks to address the lack of proper authentication and the weakness of WEP. WPA leverages the 802.1X authentication protocol and uses one of several ciphers instead of WEP for data integrity. The only cipher required by WPA is the Temporal Key Integrity Protocol (TKIP). TKIP is a cipher that extends the basic RC4 cipher used by WEP by adding integrity checking, tamper detection, and measures for responding to detected intrusions. TKIP is designed to work on legacy hardware with only software modification. It represents a compromise that improves security but is still not entirely immune to attack. WPA also specifies the AES-CCMP cipher as an alternative to TKIP, and that is preferred when possible. For this specification, the term WPA2 or RSN is commonly used.

WPA defines authentication and encryption protocols. Authentication is most commonly done using one of two techniques: by 802.1X and a backend authentication service such as RADIUS, or by a minimal handshake between the station and the access point using a pre-shared secret. The former is commonly termed WPA Enterprise and the latter is known as WPA Personal. Since most people will not set up a RADIUS backend server for their wireless network, WPA-PSK is by far the most commonly encountered configuration for WPA.

The control of the wireless connection and the key negotiation or authentication with a server is done using wpa_supplicant(8). This program requires a configuration file, */etc/wpa_supplicant.conf*, to run. More information regarding this file can be found in wpa_supplicant.conf(5).

WPA-PSK, also known as WPA Personal, is based on a pre-shared key (PSK) which is generated from a given password and used as the master key in the wireless network. This means every wireless user will share the same key. WPA-PSK is intended for small networks where the use of an authentication server is not possible or desired.

The first step is the configuration of */etc/wpa_supplicant.conf* with the SSID and the pre-shared key of the network:
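Both the quick start above and this section leave the shape of the network block to the reader. The following is an added example, not code from the handbook or from wpa_supplicant, of generating that block: the 256-bit PSK is derived from the passphrase and SSID exactly as wpa_passphrase(8) does it (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i), so the file can carry the 64-hex-digit key rather than the cleartext passphrase, and the file is written with mode 0600 because anyone who can read it can join the network. The SSID, passphrase and temporary path used in the demo are constructed.

```python
"""Build a wpa_supplicant.conf network block with a pre-hashed PSK.

Added example; this is not code from the DragonFly handbook or from
wpa_supplicant. It mirrors what wpa_passphrase(8) does: the 256-bit PSK
is PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations) per IEEE 802.11i,
so the file holds the 64-hex-digit key instead of the cleartext
passphrase. The file is written mode 0600: whoever can read it can join
the network. The SSID, passphrase and path in demo() are constructed.
"""
import hashlib
import os
import tempfile


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the WPA/WPA2 PSK as 64 hex digits (same output as wpa_passphrase)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_b = ssid.encode("utf-8")
    if not 1 <= len(ssid_b) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_b, 4096, 32).hex()


def conf_ssid(ssid: str) -> str:
    """Quote the SSID, or fall back to the unquoted hex form wpa_supplicant accepts."""
    if ssid.isascii() and ssid.isprintable() and '"' not in ssid and "\\" not in ssid:
        return f'"{ssid}"'
    return ssid.encode("utf-8").hex()


def network_block(ssid: str, passphrase: str, wpa2_only: bool = True) -> str:
    """Render one network={...} block for wpa_supplicant.conf(5)."""
    lines = [
        "network={",
        f"\tssid={conf_ssid(ssid)}",
        f"\tpsk={wpa_psk(ssid, passphrase)}",
        "\tkey_mgmt=WPA-PSK",
    ]
    if wpa2_only:
        # Refuse WPA1 and TKIP: only RSN (WPA2) with AES-CCMP, as recommended above.
        lines += ["\tproto=RSN", "\tpairwise=CCMP", "\tgroup=CCMP"]
    lines.append("}")
    return "\n".join(lines) + "\n"


def write_conf(path: str, blocks) -> int:
    """Write the blocks to path with mode 0600 and return the resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(blocks))
    os.chmod(path, 0o600)  # the O_CREAT mode does not tighten a pre-existing file
    return os.stat(path).st_mode & 0o777


def demo() -> tuple:
    """Write a constructed config into a fresh temp dir; returns (mode, contents)."""
    path = os.path.join(tempfile.mkdtemp(), "wpa_supplicant.conf")
    mode = write_conf(path, [network_block("dragonap", "example passphrase")])
    with open(path) as f:
        return mode, f.read()


if __name__ == "__main__":
    mode, text = demo()
    print(f"mode {mode:o}\n{text}")
```

The handbook's `ssid`/`psk` pair with a quoted passphrase works just as well; the hex form only keeps a passphrase that may be reused elsewhere out of a file that is routinely copied around.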
Then, in */etc/rc.conf*, indicate that the wireless device configuration will be done with WPA and the IP address will be obtained with DHCP:

ifconfig_wlan0="WPA DHCP"

Then, bring up the interface:

> service netif start
Starting wpa_supplicant.
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 192.168.0.1
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.254 -- renewal in 300 seconds.
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
status: associated
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL

Or, try to configure the interface manually using the information in */etc/wpa_supplicant.conf*:

> wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
Trying to associate with 00:11:95:c3:0d:ac (SSID='dragonap' freq=2412 MHz)
Associated with 00:11:95:c3:0d:ac
WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:11:95:c3:0d:ac completed (auth) [id=0 id_str=]

The *PTK=CCMP GTK=CCMP* part of the key negotiation message confirms that AES-CCMP, not TKIP, was negotiated for both the pairwise and the group key.

The next operation is to launch dhclient(8) to get the IP address from the DHCP server:

DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.254 -- renewal in 300 seconds.

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
status: associated
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL

_Note_: If */etc/rc.conf* has an ifconfig_wlan0="DHCP" entry, dhclient(8) will be launched automatically after wpa_supplicant(8) associates with the access point.

If DHCP is not possible or desired, set a static IP address after wpa_supplicant(8) has authenticated the station:

> ifconfig wlan0 inet 192.168.0.100 netmask 255.255.255.0

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
status: associated
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL

When DHCP is not used, the default gateway and the nameserver also have to be set manually:

> route add default your_default_router
> echo "nameserver your_DNS_server" >> /etc/resolv.conf
#### WPA with EAP-TLS

The second way to use WPA is with an 802.1X backend authentication server. In this case, WPA is called WPA Enterprise to differentiate it from the less secure WPA Personal. Authentication in WPA Enterprise is based on the Extensible Authentication Protocol (EAP).

EAP does not come with an encryption method. Instead, EAP is embedded inside an encrypted tunnel. There are many EAP authentication methods, but EAP-TLS, EAP-TTLS, and EAP-PEAP are the most common.

EAP with Transport Layer Security (EAP-TLS) is a well-supported wireless authentication protocol since it was the first EAP method to be certified by the Wi-Fi Alliance. EAP-TLS requires three certificates to run: the certificate of the Certificate Authority (CA) installed on all machines, the server certificate for the authentication server, and one client certificate for each wireless client. In this EAP method, both the authentication server and the wireless client authenticate each other by presenting their respective certificates, and then verify that these certificates were signed by the organization's CA.

As previously, the configuration is done via */etc/wpa_supplicant.conf*:

identity="loader" [5]
ca_cert="/etc/certs/cacert.pem" [6]
client_cert="/etc/certs/clientcert.pem" [7]
private_key="/etc/certs/clientkey.pem" [8]
private_key_passwd="dragonmallclient" [9]

1. This field indicates the network name (SSID).
2. This example uses the RSN IEEE® 802.11i protocol, also known as WPA2.
3. The key_mgmt line refers to the key management protocol to use. In this example, it is WPA using EAP authentication.
4. This field indicates the EAP method for the connection.
5. The identity field contains the identity string for EAP.
6. The ca_cert field indicates the pathname of the CA certificate file. This file is needed to verify the server certificate; without it, the supplicant will complete the TLS handshake with any server that presents a certificate.
7. The client_cert line gives the pathname to the client certificate file. This certificate is unique to each wireless client of the network.
8. The private_key field is the pathname to the client certificate private key file. Like the configuration file itself, this file should be readable only by root.
9. The private_key_passwd field contains the passphrase for the private key.

Then, add the following lines to */etc/rc.conf*:

ifconfig_wlan0="WPA DHCP"

The next step is to bring up the interface:

> service netif start
Starting wpa_supplicant.
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 7
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 15
DHCPACK from 192.168.0.20
bound to 192.168.0.254 -- renewal in 300 seconds.
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
status: associated
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL

It is also possible to bring up the interface manually using wpa_supplicant(8) and ifconfig(8).

#### WPA with EAP-TTLS

With EAP-TLS, both the authentication server and the client need a certificate. With EAP-TTLS, a client certificate is optional. This method is similar to a web server which creates a secure TLS tunnel even if visitors do not have client-side certificates. EAP-TTLS uses an encrypted TLS tunnel for safe transport of the authentication data.

The required configuration can be added to /etc/wpa_supplicant.conf:

ca_cert="/etc/certs/cacert.pem" [4]
phase2="auth=MD5" [5]

1. This field specifies the EAP method for the connection.
2. The identity field contains the identity string for EAP authentication inside the encrypted TLS tunnel.
3. The password field contains the passphrase for the EAP authentication.
4. The ca_cert field indicates the pathname of the CA certificate file. This file is needed to verify the server certificate. Without it, wpa_supplicant does not verify the server at all and will hand the inner credentials to any access point that presents a certificate, so it must not be omitted.
5. This field specifies the authentication method used in the encrypted TLS tunnel. In this example, EAP with MD5-Challenge is used; this is only acceptable because it runs inside the verified TLS tunnel, and it must never be used as an outer EAP method. The "inner authentication" phase is often called "phase2".

Next, add the following lines to */etc/rc.conf*:

ifconfig_wlan0="WPA DHCP"

The next step is to bring up the interface:

> service netif start
Starting wpa_supplicant.
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 7
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 15
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 21
DHCPACK from 192.168.0.20
bound to 192.168.0.254 -- renewal in 300 seconds.
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
status: associated
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL

#### WPA with EAP-PEAP

_Note_: PEAPv0/EAP-MSCHAPv2 is the most common PEAP method. In this chapter, the term PEAP is used to refer to that method.

Protected EAP (PEAP) is designed as an alternative to EAP-TTLS and is the most used EAP standard after EAP-TLS. In a network with mixed operating systems, PEAP should be the most supported standard after EAP-TLS.

PEAP is similar to EAP-TTLS as it uses a server-side certificate to authenticate clients by creating an encrypted TLS tunnel between the client and the authentication server, which protects the ensuing exchange of authentication information. In both methods the outer EAP identity is transmitted in the clear before the tunnel is established, and only the inner exchange (the password, or the MSCHAPv2 handshake in the case of PEAP) is protected. wpa_supplicant's anonymous_identity option sends a placeholder as the outer identity and keeps the real username inside the tunnel; it applies to EAP-TTLS and PEAP alike.

Add the following lines to */etc/wpa_supplicant.conf* to configure the EAP-PEAP related settings:

ca_cert="/etc/certs/cacert.pem" [4]
phase1="peaplabel=0" [5]
phase2="auth=MSCHAPV2" [6]

1. This field specifies the EAP method for the connection.
2. The identity field contains the identity string for EAP authentication inside the encrypted TLS tunnel.
3. The password field contains the passphrase for the EAP authentication.
4. The ca_cert field indicates the pathname of the CA certificate file. This file is needed to verify the server certificate. Without it the MSCHAPv2 exchange is performed with whatever server the access point forwards it to, and a rogue access point can capture the challenge/response for offline cracking.
5. This field contains the parameters for the first phase of authentication, the TLS tunnel. According to the authentication server used, specify a specific label for authentication. Most of the time, the label will be "client EAP encryption", which is set by using peaplabel=0. More information can be found in wpa_supplicant.conf(5).
6. This field specifies the authentication protocol used in the encrypted TLS tunnel. In the case of PEAP, it is auth=MSCHAPV2.

Add the following to */etc/rc.conf*:

ifconfig_wlan0="WPA DHCP"

Then, bring up the interface:

> service netif start
Starting wpa_supplicant.
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 7
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 15
DHCPREQUEST on wlan0 to 255.255.255.255 port 67 interval 21
DHCPACK from 192.168.0.20
bound to 192.168.0.254 -- renewal in 300 seconds.
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet DS/11Mbps mode 11g
status: associated
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL
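The WPA-PSK, EAP-TTLS and EAP-PEAP sections above each end with a wpa_supplicant.conf fragment, and the mistakes that matter (a missing ca_cert, WPA1 or TKIP left enabled by default, a WEP or open block lingering in the file) are easy to miss by eye. The following is an added example, not code from the handbook or from wpa_supplicant: a small parser for the network={...} blocks and an audit that reports those conditions. The defaults it assumes for an absent proto, pairwise or key_mgmt line are wpa_supplicant's documented defaults ("WPA RSN", "CCMP TKIP", "WPA-PSK WPA-EAP"); the sample configuration is constructed and its credentials are placeholders.

```python
"""Audit the network blocks of a wpa_supplicant.conf(5) file.

Added example; not code from the DragonFly handbook or from wpa_supplicant.
The checks encode the points made in the WPA sections: a WPA-PSK block
should be RSN with CCMP only, an EAP-TTLS/PEAP block must pin the CA with
ca_cert (without it the supplicant accepts any server certificate and
hands the inner credentials to a rogue AP), and key_mgmt=NONE or
wep_key* means open or WEP. The defaults assumed for missing
proto/pairwise/key_mgmt lines are wpa_supplicant's. SAMPLE_CONF is
constructed; its credentials are placeholders.
"""


def parse_networks(text: str) -> list:
    """Return one dict per network={...} block; lines starting with # are comments."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return nets


def audit(net: dict) -> list:
    """Return a list of findings (strings) for one network block; empty means clean."""
    ssid = net.get("ssid", "<no ssid>")
    key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
    findings = []
    if "NONE" in key_mgmt or any(k.startswith("wep_key") for k in net):
        findings.append(f"{ssid}: open/WEP network (key_mgmt=NONE or wep_key*); no confidentiality")
        return findings
    if "WPA" in net.get("proto", "WPA RSN").split():
        findings.append(f"{ssid}: proto permits WPA1; set proto=RSN")
    if "TKIP" in net.get("pairwise", "CCMP TKIP").split():
        findings.append(f"{ssid}: pairwise permits TKIP; set pairwise=CCMP")
    if "WPA-EAP" in key_mgmt:
        eap = net.get("eap", "?")
        if not net.get("ca_cert"):
            findings.append(f"{ssid}: EAP {eap} without ca_cert; server certificate is not verified")
        elif not any(k in net for k in ("subject_match", "altsubject_match", "domain_suffix_match")):
            findings.append(f"{ssid}: ca_cert set but no domain_suffix_match; any certificate from that CA is accepted")
        if eap in ("PEAP", "TTLS") and "anonymous_identity" not in net:
            findings.append(f"{ssid}: no anonymous_identity; the real identity goes out in the clear before the tunnel is up")
    return findings


SAMPLE_CONF = """\
# constructed sample; credentials are placeholders
network={
\tssid="dragonap"
\tpsk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
\tkey_mgmt=WPA-PSK
\tproto=RSN
\tpairwise=CCMP
}
network={
\tssid="corp-peap"
\tkey_mgmt=WPA-EAP
\teap=PEAP
\tidentity="loader"
\tpassword="placeholder"
\tphase2="auth=MSCHAPV2"
}
network={
\tssid="corp-ttls"
\tproto=RSN
\tpairwise=CCMP
\tkey_mgmt=WPA-EAP
\teap=TTLS
\tidentity="loader"
\tanonymous_identity="anonymous"
\tpassword="placeholder"
\tca_cert="/etc/certs/cacert.pem"
\tphase2="auth=MD5"
}
network={
\tssid="legacy"
\tkey_mgmt=NONE
\twep_key0=3456789012
}
"""

if __name__ == "__main__":
    for net in parse_networks(SAMPLE_CONF):
        for finding in audit(net) or [f"{net['ssid']}: ok"]:
            print(finding)
```

The domain_suffix_match finding is the one most often overlooked: pinning a CA only helps if the CA is private, or if the expected server name is pinned as well, because a public CA will sell a certificate to anyone.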
476 Wired Equivalent Privacy (WEP) is part of the original 802.11 standard. There is no authentication mechanism, only a weak form of access control which is easily cracked.
478 WEP can be set up using ifconfig(8):
480 > ifconfig wlan0 create wlandev ath0
481 > ifconfig wlan0 inet 192.168.1.100 netmask 255.255.255.0 \
482 ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012
484 + The *weptxkey* specifies which WEP key will be used in the transmission. This example uses the third key. This must match the setting on the access point. When unsure which key is used by the access point, try 1 (the first key) for this value.
485 + The *wepkey* selects one of the WEP keys. It should be in the format *index:key*. Key 1 is used by default; the index only needs to be set when using a key other than the first key.
487 _Note_: Replace the 0x3456789012 with the key configured for use on the access point.
489 Refer to ifconfig(8) for further information.
491 The wpa_supplicant(8) facility can be used to configure a wireless interface with WEP. The example above can be set up by adding the following lines to */etc/wpa_supplicant.conf*:
502 > wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
503 Trying to associate with 00:13:46:49:41:76 (SSID='dlinkap' freq=2437 MHz)
504 Associated with 00:13:46:49:41:76
IBSS mode, also called ad-hoc mode, is designed for point-to-point connections. For example, to establish an ad-hoc network between the machines _A_ and _B_, choose two IP addresses and an SSID.

> ifconfig wlan0 create wlandev ath0 wlanmode adhoc
> ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 ssid dragonap

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:11:95:c3:0d:ac
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <adhoc>
ssid dragonap channel 2 (2417 Mhz 11g) bssid 02:11:95:c3:0d:ac
country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
protmode CTS wme burst

The *adhoc* parameter indicates that the interface is running in IBSS mode.

_B_ should now be able to detect _A_:

> ifconfig wlan0 create wlandev ath0 wlanmode adhoc
> ifconfig wlan0 up scan
SSID/MESH ID BSSID CHAN RATE S:N INT CAPS
dragonap 02:11:95:c3:0d:ac 2 54M -64:-96 100 IS WME

The *I* in the output confirms that _A_ is in ad-hoc mode. Now, configure _B_ with a different IP address:

> ifconfig wlan0 inet 192.168.0.2 netmask 255.255.255.0 ssid dragonap

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <adhoc>
ssid dragonap channel 2 (2417 Mhz 11g) bssid 02:11:95:c3:0d:ac
country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
protmode CTS wme burst

Both _A_ and _B_ are now ready to exchange information.
## DragonFly Host Access Points

DragonFly BSD can act as an Access Point (AP), which eliminates the need to buy a hardware AP or run an ad-hoc network. This can be particularly useful when a DragonFly machine is acting as a gateway to another network such as the Internet.

Before configuring a DragonFly machine as an AP, the kernel must be configured with the appropriate networking support for the wireless card as well as the security protocols being used. For more details, see "Basic Setup".

_Note_: The NDIS driver wrapper for Windows® drivers does not currently support AP operation. Only native DragonFly wireless drivers support AP mode.

Once wireless networking support is loaded, check if the wireless device supports the host-based access point mode, also known as hostap mode:

> ifconfig wlan0 create wlandev ath0
> ifconfig wlan0 list caps
drivercaps=6f85edc1<STA,FF,TURBOP,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,MBSS,WPA1,WPA2,BURST,WME,WDS,BGSCAN,TXFRAG>
cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>

This output displays the card's capabilities. The HOSTAP word confirms that this wireless card can act as an AP. The supported ciphers are also listed: WEP, TKIP, and AES. This information indicates which security protocols can be used on the AP.

The wireless device can only be put into hostap mode during the creation of the network pseudo-device, so a previously created device must be destroyed first:

> ifconfig wlan0 destroy

then regenerated with the correct option before setting the other parameters:

> ifconfig wlan0 create wlandev ath0 wlanmode hostap
> ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 ssid dragonap mode 11g channel 1

Use ifconfig(8) again to see the status of the wlan0 interface:

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:11:95:c3:0d:ac
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
ssid dragonap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode OPEN privacy OFF txpower 21.5 scanvalid 60
protmode CTS wme burst dtimperiod 1 -dfs

The *hostap* parameter indicates that the interface is running in the host-based access point mode.

The interface configuration can be done automatically at boot time by adding the following lines to */etc/rc.conf*:

create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 192.168.0.1 netmask 255.255.255.0 ssid dragonap mode 11g channel 1"
### Host-based Access Point Without Authentication or Encryption

Although it is not recommended to run an AP without any authentication or encryption, this is a simple way to check if the AP is working. This configuration is also important for debugging client issues.

Once the AP is configured, initiate a scan from another wireless machine to find the AP:

> ifconfig wlan0 create wlandev ath0
> ifconfig wlan0 up scan
SSID/MESH ID BSSID CHAN RATE S:N INT CAPS
dragonap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME

The client machine found the AP and can be associated with it:

> ifconfig wlan0 inet 192.168.0.2 netmask 255.255.255.0 ssid dragonap

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
ssid dragonfap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode OPEN privacy OFF txpower 21.5 bmiss 7
scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
roam:rate 5 protmode CTS wme burst
### WPA Host-based Access Point

This section focuses on setting up a DragonFly AP using the WPA security protocol. More details regarding WPA and the configuration of WPA-based wireless clients can be found in the "WPA" section.

The hostapd(8) daemon is used to deal with client authentication and key management on the WPA-enabled AP.

The following configuration operations are performed on the DragonFly machine acting as the AP. Once the AP is correctly working, hostapd(8) should be automatically enabled at boot with the following line in */etc/rc.conf*:

Before trying to configure hostapd(8), first configure the basic settings.

WPA-PSK is intended for small networks where the use of a backend authentication server is not possible or desired.

The configuration is done in */etc/hostapd.conf*:

ctrl_interface=/var/run/hostapd [3]
ctrl_interface_group=wheel [4]
wpa_passphrase=dragonmall [7]
wpa_key_mgmt=WPA-PSK [8]
wpa_pairwise=CCMP TKIP [9]

1. This field indicates the wireless interface used for the AP.
2. This field sets the level of verbosity during the execution of hostapd(8). A value of 1 represents the minimal level.
3. The ctrl_interface field gives the pathname of the directory used by hostapd(8) to store its domain socket files for the communication with external programs such as hostapd_cli(8). The default value is used in this example.
4. The ctrl_interface_group line sets the group which is allowed to access the control interface files.
5. This field sets the network name.
6. The wpa field enables WPA and specifies which WPA authentication protocol will be required. A value of 1 configures the AP for WPA-PSK.
7. The wpa_passphrase field contains the ASCII passphrase for WPA authentication.
8. The wpa_key_mgmt line refers to the key management protocol to use. This example sets WPA-PSK.
9. The wpa_pairwise field indicates the set of encryption algorithms accepted by the AP. In this example, both the TKIP (WPA) and CCMP (WPA2) ciphers are accepted. CCMP is an alternative to TKIP and is strongly preferred when possible; TKIP should be used solely for stations incapable of doing CCMP.
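As an added example (not part of the handbook), the following sh script audits a hostapd.conf for the settings the list above warns about: TKIP among the accepted ciphers, WPA1-only operation, and a short passphrase. Both configurations inside it are constructed; the first reuses the field values from the example above.

```shell
#!/bin/sh
# Added example (not from the handbook): audit a hostapd.conf for the weak
# settings discussed in the field list above. Both configurations are
# constructed here; the weak one mirrors the handbook's example values.
WEAK_CONF='interface=wlan0
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=dragonap
wpa=1
wpa_passphrase=dragonmall
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP'

# The same AP restricted to WPA2 with CCMP and a long passphrase.
HARDENED_CONF='interface=wlan0
ssid=dragonap
wpa=2
wpa_passphrase=sixteen-plus-chars-of-random-looking-text
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP'

# conf_get FILE KEY: value of KEY (last assignment wins; comment lines ignored).
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_hostapd FILE: one finding per line, or OK when nothing is flagged.
audit_hostapd() {
    _f=$1; _found=0
    case " $(conf_get "$_f" wpa_pairwise) $(conf_get "$_f" rsn_pairwise) " in
        *" TKIP "*) echo "TKIP is an accepted cipher; allow CCMP only unless legacy stations need it"; _found=1 ;;
    esac
    case "$(conf_get "$_f" wpa)" in
        1) echo "wpa=1 advertises WPA1 only; use wpa=2 for WPA2 (RSN)"; _found=1 ;;
        3) echo "wpa=3 still admits WPA1 clients alongside WPA2"; _found=1 ;;
    esac
    _pp=$(conf_get "$_f" wpa_passphrase)
    if [ -n "$_pp" ] && [ "${#_pp}" -lt 16 ]; then
        echo "wpa_passphrase is ${#_pp} characters; a short PSK is weak against offline guessing"; _found=1
    fi
    [ "$_found" -eq 1 ] || echo OK
}

# Write the constructed samples out and audit both.
WEAK_FILE=$(mktemp); printf '%s\n' "$WEAK_CONF" > "$WEAK_FILE"
HARD_FILE=$(mktemp); printf '%s\n' "$HARDENED_CONF" > "$HARD_FILE"
audit_hostapd "$WEAK_FILE"
audit_hostapd "$HARD_FILE"
```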
The next step is to start hostapd(8):

> service hostapd forcestart

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
ether 00:11:95:c3:0d:ac
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
ssid dragonap channel 1 bssid 00:11:95:c3:0d:ac
authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100

Once the AP is running, the clients can associate with it. See the "WPA" section for more details. The stations associated with the AP can be listed with *ifconfig wlan0 list sta*.
### WEP Host-based Access Point

It is not recommended to use WEP for setting up an AP, since there is no authentication mechanism and the encryption is easily cracked. Some legacy wireless cards only support WEP, and these cards will only support an AP without authentication or encryption.

The wireless device can now be put into hostap mode and configured with the correct SSID and IP address:

> ifconfig wlan0 create wlandev ath0 wlanmode hostap
> ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 \
ssid dragonap wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g

+ The *weptxkey* indicates which WEP key will be used in the transmission. This example uses the third key, as key numbering starts with 1. This parameter must be specified in order to encrypt the data.
+ The *wepkey* sets the selected WEP key. It should be in the format *index:key*. If the index is not given, key 1 is set. The index needs to be set when using keys other than the first key.

Use ifconfig(8) to see the status of the wlan0 interface:

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:11:95:c3:0d:ac
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
ssid dragonap channel 4 (2427 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit
txpower 21.5 scanvalid 60 protmode CTS wme burst dtimperiod 1 -dfs

From another wireless machine, it is now possible to initiate a scan to find the AP:

> ifconfig wlan0 create wlandev ath0
> ifconfig wlan0 up scan
SSID BSSID CHAN RATE S:N INT CAPS
dragonfap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS

In this example, the client machine found the AP and can associate with it using the correct parameters. See the "WEP" section for more details.
## Using Both Wired and Wireless Connections

A wired connection provides better performance and reliability, while a wireless connection provides flexibility and mobility. Laptop users typically want to roam seamlessly between the two types of connections.

On DragonFly, it is possible to combine two or more network interfaces in a “failover” fashion (see lagg(4)). This type of configuration uses the most preferred available connection from a group of network interfaces, and the operating system switches automatically when the link state changes.

This section describes a number of steps to help troubleshoot common wireless networking problems.

+ If the access point is not listed when scanning, check that the configuration has not restricted the wireless device to a limited set of channels.
+ If the device cannot associate with an access point, verify that the configuration matches the settings on the access point. This includes the authentication scheme and any security protocols. Simplify the configuration as much as possible. If using a security protocol such as WPA or WEP, configure the access point for open authentication and no security to see if traffic will pass. Debugging support is provided by wpa_supplicant(8). Try running this utility manually with *-dd* and look at the system logs.
+ Once the system can associate with the access point, diagnose the network configuration using tools like ping(8).
+ There are many lower-level debugging tools. Debugging messages can be enabled in the 802.11 protocol support layer using wlandebug(8):

> wlandebug -i ath0 +scan+auth+debug+assoc
net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan>
When instantiating an access point using a Tenda 311u+, which relies on the run driver, make sure the kernel has both the driver and its firmware enabled, or add them to loader.conf.

wlans_run0="wlan0" # wlan0 is a safe name to use
create_args_wlan0="wlanmode hostap" # the driver does have other caps

It is possible to create a WEP-secured access point without hostapd. For WPA, hostapd seems to be the best option.

hostapd_enable="YES" # not strictly necessary: hostapd can be started outside of rc.conf, but this does work

The key point is that any ifconfig operation on the wlan0 interface from rc.conf breaks this setup: with hostapd_enable="YES" on a Tenda 311u+ used for WPA/WPA2, any variation of "ifconfig_wlan0=..." in rc.conf will break things. Configure the interface with ifconfig only *after* hostapd has started.