Operating Systems BSD FreeBSD DHCP wpa_supplicant Wi-Fi Issues Post 302949707 by BrentBANKS on Tuesday 14th of July 2015 09:48:25 PM
Old 07-14-2015
I think I had found the issue.
I added this to my /etc/wpa_supplicant.conf
Code:
ctrl_interface=/var/run/wpa_supplicant 
eapol_version=2 
ap_scan=1 
fast_reauth=1 
network={     
     ssid="myID"
     key_mgmt=NONE
}

 

WPA_SUPPLICANT.CONF(5)          BSD File Formats Manual          WPA_SUPPLICANT.CONF(5)

NAME
     wpa_supplicant.conf -- configuration file for wpa_supplicant(8)

DESCRIPTION
     The wpa_supplicant(8) utility is an implementation of the WPA Supplicant component, i.e., the part that runs in the client stations. It implements WPA key negotiation with a WPA Authenticator and EAP authentication with Authentication Server using configuration information stored in a text file.

     The configuration file consists of optional global parameter settings and one or more network blocks, e.g. one for each used SSID. The wpa_supplicant(8) utility will automatically select the best network based on the order of the network blocks in the configuration file, network security level (WPA/WPA2 is preferred), and signal strength. Comments are indicated with the '#' character; all text to the end of the line will be ignored.

GLOBAL PARAMETERS
     Default parameters used by wpa_supplicant(8) may be overridden by specifying parameter=value in the configuration file (note no spaces are allowed). Values with embedded spaces must be enclosed in quote marks.

     The following parameters are recognized:

     ctrl_interface
             The pathname of the directory in which wpa_supplicant(8) creates UNIX domain socket files for communication with frontend programs such as wpa_cli(8).

     ctrl_interface_group
             A group name or group ID to use in setting protection on the control interface file. This can be set to allow non-root users to access the control interface files. If no group is specified, the group ID of the control interface is not modified and will, typically, be the group ID of the directory in which the socket is created.

     eapol_version
             The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2. The wpa_supplicant(8) utility is implemented according to IEEE 802-1X-REV-d8 which defines EAPOL version to be 2. However, some access points do not work when presented with this version so by default wpa_supplicant(8) will announce that it is using EAPOL version 1. If version 2 must be announced for correct operation with an access point, this value may be set to 2.

     ap_scan
             Access point scanning and selection control; one of 0, 1 (default), or 2. Only setting 1 should be used with the wlan(4) module; the other settings are for use on other operating systems.

     fast_reauth
             EAP fast re-authentication; either 1 (default) or 0. Control fast re-authentication support in EAP methods that support it.

NETWORK BLOCKS
     Each potential network/access point should have a "network block" that describes how to identify it and how to set up security. When multiple network blocks are listed in a configuration file, the highest priority one is selected for use or, if multiple networks with the same priority are identified, the first one listed in the configuration file is used.

     A network block description is of the form:

           network={
                   parameter=value
                   ...
           }

     (note the leading "network={" may have no spaces). The block specification contains one or more parameters from the following list:

     ssid (required)
             Network name (as announced by the access point). An ASCII or hex string enclosed in quotation marks.

     scan_ssid
             SSID scan technique; 0 (default) or 1. Technique 0 scans for the SSID using a broadcast Probe Request frame while 1 uses a directed Probe Request frame. Access points that cloak themselves by not broadcasting their SSID require technique 1, but beware that this scheme can cause scanning to take longer to complete.

     bssid   Network BSSID (typically the MAC address of the access point).

     priority
             The priority of a network when selecting among multiple networks; a higher value means a network is more desirable. By default networks have priority 0. When multiple networks with the same priority are considered for selection, other information such as security policy and signal strength are used to select one.

     mode    IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS). Note that IBSS (adhoc) mode can only be used with key_mgmt set to NONE (plaintext and static WEP), or key_mgmt set to WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has to be set to 2 for IBSS. WPA-NONE requires proto set to WPA, key_mgmt set to WPA-NONE, pairwise set to NONE, group set to either CCMP or TKIP (but not both), and psk must also be set.

     proto   List of acceptable protocols; one or more of: WPA (IEEE 802.11i/D3.0) and RSN (IEEE 802.11i). WPA2 is another name for RSN. If not set this defaults to "WPA RSN".

     key_mgmt
             List of acceptable key management protocols; one or more of: WPA-PSK (WPA pre-shared key), WPA-EAP (WPA using EAP authentication), IEEE8021X (IEEE 802.1x using EAP authentication and, optionally, dynamically generated WEP keys), NONE (plaintext or static WEP keys). If not set this defaults to "WPA-PSK WPA-EAP".

     auth_alg
             List of allowed IEEE 802.11 authentication algorithms; one or more of: OPEN (Open System authentication, required for WPA/WPA2), SHARED (Shared Key authentication), LEAP (LEAP/Network EAP). If not set automatic selection is used (Open System with LEAP enabled if LEAP is allowed as one of the EAP methods).

     pairwise
             List of acceptable pairwise (unicast) ciphers for WPA; one or more of: CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0), TKIP (Temporal Key Integrity Protocol, IEEE 802.11i/D7.0), NONE (deprecated). If not set this defaults to "CCMP TKIP".

     group   List of acceptable group (multicast) ciphers for WPA; one or more of: CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0), TKIP (Temporal Key Integrity Protocol, IEEE 802.11i/D7.0), WEP104 (WEP with 104-bit key), WEP40 (WEP with 40-bit key). If not set this defaults to "CCMP TKIP WEP104 WEP40".

     psk     WPA preshared key used in WPA-PSK mode. The key is specified as 64 hex digits or as an 8-63 character ASCII passphrase. ASCII passphrases are dynamically converted to a 256-bit key at runtime using the network SSID, or they can be statically converted at configuration time using the wpa_passphrase(8) utility.

     eapol_flags
             Dynamic WEP key usage for non-WPA mode, specified as a bit field. Bit 0 (1) forces dynamically generated unicast WEP keys to be used. Bit 1 (2) forces dynamically generated broadcast WEP keys to be used. By default this is set to 3 (use both).

     eap     List of acceptable EAP methods; one or more of: MD5 (EAP-MD5, cannot be used with WPA, used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), MSCHAPV2 (EAP-MSCHAPV2, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), OTP (EAP-OTP, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), GTC (EAP-GTC, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), TLS (EAP-TLS, client and server certificate), PEAP (EAP-PEAP, with tunneled EAP authentication), TTLS (EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication). If not set this defaults to all available methods compiled in to wpa_supplicant(8). Note that by default wpa_supplicant(8) is compiled with EAP support; see make.conf(5) for the NO_WPA_SUPPLICANT_EAPOL configuration variable that can be used to disable EAP support.

     identity
             Identity string for EAP.

     anonymous_identity
             Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunneled identities; e.g. EAP-TTLS).

     mixed_cell
             Configure whether networks that allow both plaintext and encryption are allowed when selecting a BSS from the scan results. By default this is set to 0 (disabled).

     password
             Password string for EAP.

     ca_cert
             Pathname to CA certificate file. This file can have one or more trusted CA certificates. If ca_cert is not included, server certificates will not be verified (not recommended).

     client_cert
             Pathname to client certificate file (PEM/DER).

     private_key
             Pathname to a client private key file (PEM/DER/PFX). When a PKCS#12/PFX file is used, then client_cert should not be specified as both the private key and certificate will be read from PKCS#12 file.

     private_key_passwd
             Password for any private key file.

     dh_file
             Pathname to a file holding DH/DSA parameters (in PEM format). This file holds parameters for an ephemeral DH key exchange. In most cases, the default RSA authentication does not use this configuration. However, it is possible to set up RSA to use an ephemeral DH key exchange. In addition, ciphers with DSA keys always use ephemeral DH keys. This can be used to achieve forward secrecy. If the dh_file is in DSA parameters format, it will be automatically converted into DH parameters.

     subject_match
             Substring to be matched against the subject of the authentication server certificate. If this string is set, the server certificate is only accepted if it contains this string in the subject. The subject string is in the following format:

                   /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com

     phase1  Phase1 (outer authentication, i.e., TLS tunnel) parameters (string with field-value pairs, e.g., "peapver=0" or "peapver=1 peaplabel=1").

             peapver can be used to force which PEAP version (0 or 1) is used.

             peaplabel=1 can be used to force new label, "client PEAP encryption", to be used during key derivation when PEAPv1 or newer. Most existing PEAPv1 implementations seem to be using the old label, "client EAP encryption", and wpa_supplicant(8) is now using that as the default value. Some servers, e.g., Radiator, may require peaplabel=1 configuration to interoperate with PEAPv1; see eap_testing.txt for more details.

             peap_outer_success=0 can be used to terminate PEAP authentication on tunneled EAP-Success. This is required with some RADIUS servers that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).

             include_tls_length=1 can be used to force wpa_supplicant(8) to include TLS Message Length field in all TLS messages even if they are not fragmented.

             sim_min_num_chal=3 can be used to configure EAP-SIM to require three challenges (by default, it accepts 2 or 3).

             fast_provisioning=1 option enables in-line provisioning of EAP-FAST credentials (PAC).

     phase2  Phase2 (inner authentication with TLS tunnel) parameters (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS).

     ca_cert2
             Like ca_cert but for EAP inner Phase 2.

     client_cert2
             Like client_cert but for EAP inner Phase 2.

     private_key2
             Like private_key but for EAP inner Phase 2.

     private_key2_passwd
             Like private_key_passwd but for EAP inner Phase 2.

     dh_file2
             Like dh_file but for EAP inner Phase 2.

     subject_match2
             Like subject_match but for EAP inner Phase 2.

     eappsk  16-byte pre-shared key in hex format for use with EAP-PSK.

     nai     User NAI for use with EAP-PSK.

     server_nai
             Authentication Server NAI for use with EAP-PSK.

     pac_file
             Pathname to the file to use for PAC entries with EAP-FAST. The wpa_supplicant(8) utility must be able to create this file and write updates to it when PAC is being provisioned or refreshed.

     eap_workaround
             Enable/disable EAP workarounds for various interoperability issues with misbehaving authentication servers. By default these workarounds are enabled. Strict EAP conformance can be configured by setting this to 0.

     wep_tx_keyidx
             Which key to use for transmission of packets.

     wep_keyN key
             An ASCII string enclosed in quotation marks to encode the WEP key. Without quotes this is a hex string of the actual key. WEP is considered insecure and should be avoided. The exact translation from an ASCII key to a hex key varies. Use hex keys where possible.

CERTIFICATES
     Some EAP authentication methods require use of certificates. EAP-TLS uses both server- and client-side certificates, whereas EAP-PEAP and EAP-TTLS only require a server-side certificate. When a client certificate is used, a matching private key file must also be included in configuration. If the private key uses a passphrase, this has to be configured in the wpa_supplicant.conf file as private_key_passwd.

     The wpa_supplicant(8) utility supports X.509 certificates in PEM and DER formats. User certificate and private key can be included in the same file.

     If the user certificate and private key is received in PKCS#12/PFX format, they need to be converted to a suitable PEM/DER format for use by wpa_supplicant(8). This can be done using the openssl(1) program, e.g. with the following commands:

           # convert client certificate and private key to PEM format
           openssl pkcs12 -in example.pfx -out user.pem -clcerts
           # convert CA certificate (if included in PFX file) to PEM format
           openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys

FILES
     /etc/wpa_supplicant.conf
     /usr/share/examples/etc/wpa_supplicant.conf

EXAMPLES
     WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS as a work network:

           # allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
           ctrl_interface=/var/run/wpa_supplicant
           ctrl_interface_group=wheel
           #
           # home network; allow all valid ciphers
           network={
                   ssid="home"
                   scan_ssid=1
                   key_mgmt=WPA-PSK
                   psk="very secret passphrase"
           }
           #
           # work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
           network={
                   ssid="work"
                   scan_ssid=1
                   key_mgmt=WPA-EAP
                   pairwise=CCMP TKIP
                   group=CCMP TKIP
                   eap=TLS
                   identity="user@example.com"
                   ca_cert="/etc/cert/ca.pem"
                   client_cert="/etc/cert/user.pem"
                   private_key="/etc/cert/user.prv"
                   private_key_passwd="password"
           }

     WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series):

           ctrl_interface=/var/run/wpa_supplicant
           ctrl_interface_group=wheel
           network={
                   ssid="example"
                   scan_ssid=1
                   key_mgmt=WPA-EAP
                   eap=PEAP
                   identity="user@example.com"
                   password="foobar"
                   ca_cert="/etc/cert/ca.pem"
                   phase1="peaplabel=0"
                   phase2="auth=MSCHAPV2"
           }

     EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the unencrypted use. Real identity is sent only within an encrypted TLS tunnel.

           ctrl_interface=/var/run/wpa_supplicant
           ctrl_interface_group=wheel
           network={
                   ssid="example"
                   scan_ssid=1
                   key_mgmt=WPA-EAP
                   eap=TTLS
                   identity="user@example.com"
                   anonymous_identity="anonymous@example.com"
                   password="foobar"
                   ca_cert="/etc/cert/ca.pem"
                   phase2="auth=MD5"
           }

     Traditional WEP configuration with 104 bit key specified in hexadecimal. Note the WEP key is not quoted.

           ctrl_interface=/var/run/wpa_supplicant
           ctrl_interface_group=wheel
           network={
                   ssid="example"
                   scan_ssid=1
                   key_mgmt=NONE
                   wep_tx_keyidx=0
                   # hex keys denoted without quotes
                   wep_key0=42FEEDDEAFBABEDEAFBEEFAA55
                   # ASCII keys denoted with quotes.
                   wep_key1="FreeBSDr0cks!"
           }

SEE ALSO
     wpa_cli(8), wpa_passphrase(8), wpa_supplicant(8)

HISTORY
     The wpa_supplicant.conf manual page and wpa_supplicant(8) functionality first appeared in FreeBSD 6.0.

AUTHORS
     This manual page is derived from the README and wpa_supplicant.conf files in the wpa_supplicant distribution provided by Jouni Malinen <j@w1.fi>.

BSD                              April 10, 2010                              BSD
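
Added example, not part of the manual page or the forum post: a small auditor for the network-block format described above, reporting only the weaknesses the manual page itself names (key_mgmt=NONE plaintext, static WEP keys, EAP without ca_cert, and a psk that is neither 64 hex digits nor an 8-63 character passphrase). The function names, the constructed sample, and the rule that a '#' inside double quotes is data rather than a comment are assumptions of this example.

```python
import re

# Constructed sample, assembled from network blocks shown on this page.
SAMPLE = """
network={
    ssid="myID"
    key_mgmt=NONE
}
network={
    ssid="example"
    key_mgmt=NONE
    wep_key0=42FEEDDEAFBABEDEAFBEEFAA55
}
network={
    ssid="work"        # EAP-PEAP block with the ca_cert line left out
    key_mgmt=WPA-EAP
    eap=PEAP
    password="foo#bar"
}
network={
    ssid="home"
    psk="short"
}
"""

# Text before the first '#' outside double quotes (quote handling: assumption).
UNCOMMENTED = re.compile(r'(?:"[^"]*"|[^#"])*')

def parse_networks(text):
    """Return one {parameter: raw value} dict per network={ ... } block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = UNCOMMENTED.match(raw).group(0).strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key] = value
    return networks

def audit(net):
    """Findings for one block, limited to weaknesses the man page names."""
    found = []
    if any(re.fullmatch(r"wep_key\d", k) for k in net):
        found.append("static WEP key")
    elif "NONE" in net.get("key_mgmt", "WPA-PSK WPA-EAP").split():  # documented default
        found.append("plaintext network (key_mgmt=NONE, no WEP key)")
    if "eap" in net and "ca_cert" not in net:
        found.append("EAP without ca_cert: server certificate not verified")
    psk = net.get("psk")
    if psk and not re.fullmatch(r'"[ -~]{8,63}"|[0-9A-Fa-f]{64}', psk):
        found.append("psk is neither 64 hex digits nor an 8-63 character passphrase")
    return found

def audit_conf(text):
    return {n.get("ssid", "?").strip('"'): audit(n) for n in parse_networks(text)}
```

Calling audit_conf() on the text of /etc/wpa_supplicant.conf returns a dictionary keyed by SSID; an empty list means none of these four checks fired for that block.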