WPA setup using FreeBSD

By Click Death Squad (C.D.S.)
Revision 1.0

If you are still using WEP encryption on your wireless router, it is highly recommended that you upgrade your security. WEP can be broken in very little time, exposing your network to unwanted intruders. If you're still using a WEP setup because you didn't want to take the time to set up WPA on your FreeBSD box, this will show you just how easily it can be accomplished. In some cases, people are willing to downgrade their wireless security for compatibility. This should never be the case. By using the "wpa_supplicant" tool packaged with FreeBSD 6.x and higher, you can quickly and easily create a configuration file that will allow you to connect to your secured network.

In this example, we are using FreeBSD 7 with a WPA secured network, and all the commands issued are given in quotes, with the result of the commands being listed in grey. After each step, a screenshot is given so you may compare your output to what should be happening. Please note that not all the screenshots contain exactly the same data as the example; they are merely for reference purposes.

Tools you will need to accomplish this task:
  • A FreeBSD box that you have administrative rights to
  • A WPA secured network that you have administrative rights to
  • Basic FreeBSD networking skills and command line capabilities
  • A cold beer

Step 1: Create a configuration file in /etc to be used for the setup.
Log in to your FreeBSD box and create a profile that the wpa_supplicant program can use to connect to your network. Using sudo (never directly as root, right?) edit your configuration file in the /etc directory and review some options.

"sudo nano /etc/wpa_supplicant.conf" ### create and edit the WPA configuration file.


Check out some of the options you should add to your configuration file. First, specify where the PID file should be stored once the wpa_supplicant program is daemonized in the background. The second option specifies which group's users may access or modify the configuration. It is always a good idea to set this to "wheel" in order to prevent regular users on the system from toying around.

Now, set up a network profile which contains the actual configuration data. The SSID is pretty self-explanatory, as is the BSSID, aka the MAC address of your wireless router. "proto" is specified as WPA for the type of encryption you wish to use. "key_mgmt" specifies that you want to use the WPA-PSK (Pre Shared Key) management system. "pairwise" is the big one that you should be concerned about. It is possible to set this value to TKIP, but as you are surely aware, this is considered to be insecure. Using TKIP by itself is subject to getting your WPA key cracked and it is HIGHLY recommended that you pair TKIP up with CCMP (AES) to ensure your key cannot be compromised. We use both TKIP and CCMP (AES) for the pairwise authentication in this configuration example. Next, set "scan_ssid" to 1, which tells your box to scan for beacon frames and then connect. You don't necessarily have to set this option unless your access point is hidden, but it's good practice. Finally, specify the Pre Shared Key at the bottom.

Step 2: Modify the permissions on your configuration file.
It would be foolish to allow any user on your FreeBSD system to have access to the wpa_supplicant configuration file that was just created. If a regular user decided to "cat /etc/wpa_supplicant.conf" they could see the Pre Shared Key that your network uses in the configuration file. Unless you implicitly trust all the users on your FreeBSD box, we suggest you modify this file's permissions so that it is only readable by root.

"sudo chmod 600 /etc/wpa_supplicant.conf" ### modify the file permissions so regular users cannot read the configuration.
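The profile described in Step 1 and the permission change from Step 2, as an added example that is not part of the original page: it writes the file into a scratch directory and then audits it for the three points the text stresses (mode 600, the "wheel" group restriction, CCMP in the pairwise list). The option names ctrl_interface and ctrl_interface_group are assumptions for the two global options the text describes, the SSID, BSSID and passphrase are constructed placeholders, and write_sample_conf and audit_conf are hypothetical helper names.

```shell
#!/bin/sh
# Added example: all values are constructed placeholders, not a real network.

write_sample_conf() {            # $1 = path of the profile to create
    (
        umask 077                # never world-readable, even before chmod
        cat > "$1" <<'EOF'
# Global options (names assumed to be the two the text describes)
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
    ssid="EXAMPLE-SSID"
    bssid=00:11:22:33:44:55
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    scan_ssid=1
    psk="placeholder-passphrase"
}
EOF
    )
    chmod 600 "$1"               # Step 2
}

audit_conf() {                   # prints findings; returns 1 if any
    ac_rc=0
    ac_mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$ac_mode" != "-rw-------" ]; then
        echo "perm: $ac_mode (expected -rw-------, run chmod 600)"; ac_rc=1
    fi
    if ! grep -Eq '^[[:space:]]*ctrl_interface_group=wheel[[:space:]]*$' "$1"; then
        echo "ctrl: control interface group is not wheel"; ac_rc=1
    fi
    # Every pairwise= line must offer CCMP; TKIP on its own is flagged.
    if grep -E '^[[:space:]]*pairwise=' "$1" | grep -qv 'CCMP'; then
        echo "cipher: pairwise list without CCMP"; ac_rc=1
    fi
    return "$ac_rc"
}

# Demo in a scratch directory, so /etc is left alone.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/wpa_supplicant.conf"
audit_conf "$demo_dir/wpa_supplicant.conf" && echo "no findings"
rm -rf "$demo_dir"
```

Pointing audit_conf at the real /etc/wpa_supplicant.conf needs sudo once the file is mode 600, since only root can read it.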

Step 3: Launch the wpa_supplicant into the background to make the configuration take effect.
All your options have been set, and you can utilize the configuration immediately. Simply tell wpa_supplicant to read the configuration file and launch into the background on the interface of your choice.

"sudo wpa_supplicant -B -c /etc/wpa_supplicant.conf -i ath0" ### where "-B" specifies background daemon, "-c" is the configuration file and "-i" is your interface.

Now you can run a simple command such as "dhclient ath0" and get an IP address from your wireless router, because wpa_supplicant is handling the encryption settings for you.

Step 4: Make wpa_supplicant run at boot time.
If you want to, you can modify your rc.conf file and have your WPA settings applied at boot time. No big deal, just edit your /etc/rc.conf and add a line to turn it on when the machine boots.

"sudo nano /etc/rc.conf" ### edit the rc.conf boot time options.


Save your configuration file after you add this entry and you're done! You already launched the wpa_supplicant daemon into the background, and next time you reboot your FreeBSD machine (which is probably only in the event of a power outage, because FreeBSD is so reliable) all your settings will take effect automatically. Don't sacrifice your network to WEP, when you can play it safe. Happy computing to you.