Wi-Fi Protected Access (<acronym>WPA</acronym>) is a security protocol used together with 802.11 networks to address the lack of proper authentication and the weakness of <acronym>WEP</acronym>. WPA leverages the 802.1X authentication protocol and uses one of several ciphers instead of <acronym>WEP</acronym> for data integrity. The only cipher required by <acronym>WPA</acronym> is the Temporal Key Integrity Protocol (<acronym>TKIP</acronym>). <acronym>TKIP</acronym> is a cipher that extends the basic RC4 cipher used by <acronym>WEP</acronym> by adding integrity checking, tamper detection, and measures for responding to detected intrusions. <acronym>TKIP</acronym> is designed to work on legacy hardware with only software modification. It represents a compromise that improves security but is still not entirely immune to attack. <acronym>WPA</acronym> also specifies the <acronym>AES-CCMP</acronym> cipher as an alternative to <acronym>TKIP</acronym>, and that is preferred when possible. For this specification, the term <acronym>WPA2</acronym> or <acronym>RSN</acronym> is commonly used.
<acronym>WPA</acronym> defines authentication and encryption protocols. Authentication is most commonly done using one of two techniques: by 802.1X and a backend authentication service such as <acronym>RADIUS</acronym>, or by a minimal handshake between the station and the access point using a pre-shared secret. The former is commonly termed <acronym>WPA</acronym> Enterprise and the latter is known as <acronym>WPA</acronym> Personal. Since most people will not set up a <acronym>RADIUS</acronym> backend server for their wireless network, <acronym>WPA-PSK</acronym> is by far the most commonly encountered configuration for <acronym>WPA</acronym>.
The control of the wireless connection and the key negotiation or authentication with a server is done using <citerefentry><refentrytitle>wpa_supplicant</refentrytitle><manvolnum>8</manvolnum></citerefentry>. This program requires a configuration file, <filename>/etc/wpa_supplicant.conf</filename>, to run. More information regarding this file can be found in <citerefentry><refentrytitle>wpa_supplicant.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
<acronym>WPA-PSK</acronym>
<acronym>WPA-PSK</acronym>, also known as <acronym>WPA</acronym> Personal, is based on a pre-shared key (<acronym>PSK</acronym>) which is generated from a given password and used as the master key in the wireless network. This means every wireless user will share the same key. <acronym>WPA-PSK</acronym> is intended for small networks where the use of an authentication server is not possible or desired.
Always use strong passwords that are sufficiently long and made from a rich alphabet so that they will not be easily guessed or attacked.
The first step is the configuration of <filename>/etc/wpa_supplicant.conf</filename> with the <acronym>SSID</acronym> and the pre-shared key of the network:
network={
ssid="freebsdap"
psk="freebsdmall"
}
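The pre-shared key that wpa_supplicant derives from the passphrase above can be computed directly. The following is an added example, not code from the FreeBSD Handbook: it derives the 256-bit PSK the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and renders a network block that stores the key as 64 hex digits, which wpa_supplicant.conf accepts as an unquoted psk= value. The SSID and passphrase are the constructed values from the configuration above; the function names are this example's own.

```python
import hashlib

# Constructed example values, taken from the configuration block above.
SSID = "freebsdap"
PASSPHRASE = "freebsdmall"


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA-PSK from a passphrase and SSID.

    IEEE 802.11i specifies PBKDF2 with HMAC-SHA1, the raw SSID bytes as
    salt and 4096 iterations; this is the same value wpa_passphrase(8)
    prints, and every station sharing the passphrase derives the same key.
    """
    # wpa_supplicant only accepts passphrases of 8..63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def network_block(ssid: str, passphrase: str) -> str:
    """Render a wpa_supplicant.conf network block carrying the derived key.

    The unquoted 64-hex-digit psk= form keeps the human passphrase out of
    the file; the hex key still grants the same network access, so the file
    must remain readable by root only.
    """
    psk_hex = derive_psk(passphrase, ssid).hex()
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        "\tproto=RSN",        # negotiate WPA2/802.11i only, not WPA1 with TKIP
        "\tkey_mgmt=WPA-PSK",
        f"\tpsk={psk_hex}",
        "}",
    ])


if __name__ == "__main__":
    print(network_block(SSID, PASSPHRASE))
```

The derivation is deterministic, so a short passphrase with a common SSID yields a key that is no harder to recover than the passphrase itself; that is the reason for the advice above to use long passphrases.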
Then, in <filename>/etc/rc.conf</filename>, indicate that the wireless device configuration will be done with <acronym>WPA</acronym> and the <acronym>IP</acronym> address will be obtained with <acronym>DHCP</acronym>:
wlans_ath0="wlan0"
ifconfig_wlan0="WPA DHCP"
Then, bring up the interface:
<prompt>#</prompt> <userinput>service netif start</userinput>
Starting wpa_supplicant.
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
DHCPOFFER from 192.168.0.1
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.254 -- renewal in 300 seconds.
wlan0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
status: associated
ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL
Or, try to configure the interface manually using the information in <filename>/etc/wpa_supplicant.conf</filename>:
<prompt>#</prompt> <userinput>wpa_supplicant -i <replaceable>wlan0</replaceable> -c /etc/wpa_supplicant.conf</userinput>
Trying to associate with 00:11:95:c3:0d:ac (SSID='freebsdap' freq=2412 MHz)
Associated with 00:11:95:c3:0d:ac
WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 00:11:95:c3:0d:ac completed (auth) [id=0 id_str=]
The next operation is to launch <citerefentry><refentrytitle>dhclient</refentrytitle><manvolnum>8</manvolnum></citerefentry> to get the <acronym>IP</acronym> address from the <acronym>DHCP</acronym> server:
<prompt>#</prompt> <userinput>dhclient <replaceable>wlan0</replaceable></userinput>
DHCPREQUEST on wlan0 to 255.255.255.255 port 67
DHCPACK from 192.168.0.1
bound to 192.168.0.254 -- renewal in 300 seconds.
<prompt>#</prompt> <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
wlan0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
status: associated
ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL
If <filename>/etc/rc.conf</filename> has an <literal>ifconfig_wlan0="DHCP"</literal> entry, <citerefentry><refentrytitle>dhclient</refentrytitle><manvolnum>8</manvolnum></citerefentry> will be launched automatically after <citerefentry><refentrytitle>wpa_supplicant</refentrytitle><manvolnum>8</manvolnum></citerefentry> associates with the access point.
If <acronym>DHCP</acronym> is not possible or desired, set a static <acronym>IP</acronym> address after <citerefentry><refentrytitle>wpa_supplicant</refentrytitle><manvolnum>8</manvolnum></citerefentry> has authenticated the station:
<prompt>#</prompt> <userinput>ifconfig <replaceable>wlan0</replaceable> inet <replaceable>192.168.0.100</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput>
<prompt>#</prompt> <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
wlan0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
ether 00:11:95:d5:43:62
inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
status: associated
ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
wme burst roaming MANUAL
When <acronym>DHCP</acronym> is not used, the default gateway and the nameserver also have to be manually set:
<prompt>#</prompt> <userinput>route add default <replaceable>your_default_router</replaceable></userinput>
<prompt>#</prompt> <userinput>echo "nameserver <replaceable>your_DNS_server</replaceable>" &gt;&gt; /etc/resolv.conf</userinput>
<acronym>WPA</acronym> with <acronym>EAP-TLS</acronym>
The second way to use <acronym>WPA</acronym> is with an 802.1X backend authentication server. In this case, <acronym>WPA</acronym> is called <acronym>WPA</acronym> Enterprise to differentiate it from the less secure <acronym>WPA</acronym> Personal. Authentication in <acronym>WPA</acronym> Enterprise is based on the Extensible Authentication Protocol (<acronym>EAP</acronym>).
<acronym>EAP</acronym> does not come with an encryption method. Instead, <acronym>EAP</acronym> is embedded inside an encrypted tunnel. There are many <acronym>EAP</acronym> authentication methods, but <acronym>EAP-TLS</acronym>, <acronym>EAP-TTLS</acronym>, and <acronym>EAP-PEAP</acronym> are the most common.
EAP with Transport Layer Security (<acronym>EAP-TLS</acronym>) is a well-supported wireless authentication protocol since it was the first <acronym>EAP</acronym> method to be certified by the <link xlink:href="http://www.wi-fi.org/">Wi-Fi Alliance</link>. <acronym>EAP-TLS</acronym> requires three certificates to run: the certificate of the Certificate Authority (<acronym>CA</acronym>) installed on all machines, the server certificate for the authentication server, and one client certificate for each wireless client. In this <acronym>EAP</acronym> method, both the authentication server and wireless client authenticate each other by presenting their respective certificates, and then verify that these certificates were signed by the organization's <acronym>CA</acronym>.
As previously, the configuration is done via <filename>/etc/wpa_supplicant.conf</filename>:
network={
ssid="freebsdap" <co xml:id="co-tls-ssid"/>
proto=RSN <co xml:id="co-tls-proto"/>
key_mgmt=WPA-EAP <co xml:id="co-tls-kmgmt"/>
eap=TLS <co xml:id="co-tls-eap"/>
identity="loader" <co xml:id="co-tls-id"/>
ca_cert="/etc/certs/cacert.pem" <co xml:id="co-tls-cacert"/>
client_cert="/etc/certs/clientcert.pem" <co xml:id="co-tls-clientcert"/>
private_key="/etc/certs/clientkey.pem" <co xml:id="co-tls-pkey"/>
private_key_passwd="freebsdmallclient" <co xml:id="co-tls-pwd"/>
}
This field indicates the network name (<acronym>SSID</acronym>).
This example uses the <acronym>RSN</acronym> <trademark class="registered">IEEE</trademark> 802.11i protocol, also known as <acronym>WPA2</acronym>.
The <literal>key_mgmt</literal> line refers to the key management protocol to use. In this example, it is <acronym>WPA</acronym> using <acronym>EAP</acronym> authentication.
This field indicates the <acronym>EAP</acronym> method for the connection.