# wireless AP and WPA-PSK



## bluetick (Nov 25, 2008)

I want to add a wireless AP option. I like the idea of bridge mode: no extra subnet. But I want some form of encryption/security.

In bridge mode, is it possible to run WPA-PSK on the ath0 interface?
I've set bridge mode up like this:

```
ifconfig -a
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:40:96:a9:c7:54
        media: IEEE 802.11 Wireless Ethernet DS/11Mbps <hostap> (DS/11Mbps <hostap>)
        status: associated
        ssid my_ap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
        authmode OPEN privacy OFF txpower 31.5 scanvalid 60 bgscan
        bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5
        protmode CTS burst dtimperiod 1
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:18:3e:d2:4f
        inet 10.10.1.10 netmask 0xffffff00 broadcast 10.10.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 9e:fb:04:4f:f0:28
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
```

Starting dhcpd, it errored on ath0; I guess the missing inet/IP setting caused this.
Starting hostapd gave no errors, but ath0 still shows open mode.

P.S. The happy faces came from somewhere other than me.


----------



## bluetick (Nov 25, 2008)

*Update*

Updating my own thread: after fixing "whitespace" errors in hostapd.conf, I get the following debug output.

```
mars# hostapd -d -K /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0 (from group name 'wheel')
bsd_set_iface_flags: dev_up=0
BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
ath0: IEEE 802.11 Fetching hardware channel/rate support not supported.
Flushing old station entries
bsd_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
bsd_set_privacy: enabled=0
bsd_del_key: addr=00:00:00:00:00:00 key_idx=0
bsd_del_key: addr=00:00:00:00:00:00 key_idx=1
bsd_del_key: addr=00:00:00:00:00:00 key_idx=2
bsd_del_key: addr=00:00:00:00:00:00 key_idx=3
bsd_get_ssid: ssid="myap"
Using interface ath0 with hwaddr  and ssid 'myap'
SSID - hexdump_ascii(len=7):
     myap
PSK (ASCII passphrase) - hexdump_ascii(len=21):
     passphrase
     passphrase
PSK (from passphrase) - hexdump(len=32):
bsd_set_ieee8021x: enabled=1
bsd_configure_wpa: group key cipher=TKIP (1)
bsd_configure_wpa: pairwise key ciphers=0x2
bsd_configure_wpa: key management algorithms=0x2
bsd_configure_wpa: rsn capabilities=0x0
bsd_configure_wpa: enable WPA= 0x1
ioctl[SIOCS80211]: Invalid argument
ath0: DRIVER Error enabling WPA/802.1X!
IEEE 802.1X initialization failed.
ath0: Unable to setup interface.
Flushing old station entries
bsd_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
rmdir[ctrl_interface]: No such file or directory
bsd_set_ieee8021x: enabled=0
bsd_set_iface_flags: dev_up=0
### end
mars# ifconfig ath0 list caps
ath0=6783ed4f<WEP,TKIP,AES,AES_CCM,FF,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME,BGSCAN,TXFRAG>
```

Cisco wireless card:

```
>pciconf -lv
ath0@pci0:2:11:0:       class=0x020000 card=0xcc2114b9 chip=0x0013168c rev=0x01 hdr=0x00
    vendor     = 'Atheros Communications Inc.'
    device     = 'AR5212, AR5213 802.11a/b/g Wireless Adapter'
    class      = network
    subclass   = ethernet
```


----------



## SirDice (Nov 26, 2008)

You don't need to enable 802.1x for WPA-PSK. Post your hostapd.conf. I had mine running for a long time.


----------



## bluetick (Nov 26, 2008)

As requested, hostapd.conf:

```
interface=ath0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=my_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
```


----------



## SirDice (Nov 26, 2008)

Is it already bridged? 
You might want to first get it working as a separate network segment.


----------



## Aic (Nov 29, 2008)

See
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-wireless.html
and section 32.3.5.3.1, WPA-PSK, in it.
In my case (7.0-RELEASE), /etc/rc.conf (without DHCP & bridge) has:

```
hostapd_enable="YES"
ifconfig_ath0="WPA inet <my_hostap_IP> netmask <my_mask> ssid freebsdap mode 11g mediaopt hostap"
```

It works. You may also use wpa_passphrase(8) and/or wpa_psk=<64 hex digits> in
hostapd.conf.
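What wpa_passphrase(8) actually computes, as an added example in Python (not part of Aic's post, nor FreeBSD's or hostapd's own code): the IEEE 802.11 passphrase-to-PSK mapping, PBKDF2-HMAC-SHA1 keyed by the passphrase, salted with the SSID, 4096 iterations, 256-bit output. hostapd runs the same mapping internally when it reads `wpa_passphrase=`, so you can precompute the key and put it in `wpa_psk=` instead of leaving the clear-text passphrase in the file. The function names are mine; the check vector ("password" / "IEEE") is the standard's published test case. The example also shows why the "whitespace" errors earlier in this thread matter: a trailing space in either the passphrase or the SSID derives a different key, so clients that type the passphrase without the space can never authenticate.

```python
import hashlib
import hmac

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11 for the passphrase-to-PSK mapping
PSK_LEN = 32               # 256-bit PSK


def wpa_psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    This is the mapping wpa_passphrase(8) prints and hostapd applies to
    wpa_passphrase=.  The length limits are the standard's: 8..63 printable
    ASCII characters for the passphrase, 1..32 bytes for the SSID.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid_bytes, PBKDF2_ITERATIONS, PSK_LEN
    )


def hostapd_psk_line(passphrase: str, ssid: str) -> str:
    """The wpa_psk= line (64 hex digits) to use in hostapd.conf in place of
    a clear-text wpa_passphrase= line."""
    return "wpa_psk=" + wpa_psk_from_passphrase(passphrase, ssid).hex()


def psk_matches(psk_hex: str, passphrase: str, ssid: str) -> bool:
    """Check that a wpa_psk= value already on an AP corresponds to the
    passphrase clients are being handed (constant-time compare)."""
    return hmac.compare_digest(
        bytes.fromhex(psk_hex), wpa_psk_from_passphrase(passphrase, ssid)
    )


if __name__ == "__main__":
    # Hypothetical AP values modelled on this thread's placeholders.
    print(hostapd_psk_line("my_passphrase", "myap"))
    # A stray trailing space (the "whitespace" error from earlier in the
    # thread) in the passphrase or in the SSID yields an unrelated key.
    clean = wpa_psk_from_passphrase("my_passphrase", "myap")
    print("trailing space in passphrase changes PSK:",
          clean != wpa_psk_from_passphrase("my_passphrase ", "myap"))
    print("trailing space in SSID changes PSK:",
          clean != wpa_psk_from_passphrase("my_passphrase", "myap "))
```

Note that precomputing `wpa_psk=` does not make the network stronger against an attacker who captures the 4-way handshake: the PSK is still a deterministic function of passphrase and SSID, so passphrase strength is what matters. It only keeps the clear-text passphrase out of the AP's config file.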


----------



## bluetick (Dec 5, 2008)

*AP with WPA in bridge mode.*

After searching and gathering bits from here and there, I have a working setup in bridge mode.
The only problem: on startup the kernel will not load wlan_xauth; it must be loaded by hand, and then hostapd started.
I have read about kernel panics with wlan_xauth but have yet to have one.
YMMV.

Kernel additions:

```
device          wlan            # 802.11 support
device          wlan_wep        # 802.11 WEP support
device          wlan_ccmp       # 802.11 CCMP support
device          wlan_tkip       # 802.11 TKIP support
device          wlan_xauth      # 802.11 WPA support
device          wlan_acl        # 802.11 MAC ACL support (the device is wlan_acl; wlan_acl_load="YES" is the loader.conf spelling)
device          wlan_amrr       # AMRR transmit rate control algorithm
device          wlan_scan_ap    # 802.11 AP mode scanning
device          wlan_scan_sta   # 802.11 STA mode scanning
device          ath             # Atheros pci/cardbus NIC's
device          ath_hal         # Atheros HAL (Hardware Access Layer)
device          ath_rate_sample # SampleRate tx rate control for ath
```

rc.conf:

```
ifconfig_rl0="inet 10.10.1.10  netmask 255.255.255.0"
hostapd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-m"
ifconfig_ath0="up ssid myap mode 11g mediaopt hostap"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ath0 addm rl0 up"
```

sysctl.conf:

```
net.inet.ip.check_interface=1
```

hostapd.conf:

```
interface=ath0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=(pass)
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
```

```
ifconfig -a
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:40:96:a9:c7:54
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: associated
        ssid myap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
        authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
        txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
        roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8<VLAN_MTU>
        ether 00:e0:18:3e:d2:4f
        inet 10.10.1.10 netmask 0xffffff00 broadcast 10.10.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ce:15:dd:9b:7f:f8
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
        member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
```
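A small linter for hostapd.conf, added here as an example (not part of bluetick's setup, nor hostapd's own code), covering the two things this thread tripped over: the "whitespace" errors from the Nov 25 update, and the strength of the WPA settings in the working config above. It splits each line at the first `=` the way hostapd does and keeps surrounding whitespace, so `ssid=myap ` is reported as a problem rather than silently configuring the SSID "myap "; it checks that the PSK material is usable (8..63 character passphrase or a 64-hex-digit `wpa_psk=`); and it flags `wpa=1` and TKIP as weak, `ieee8021x=1` as unnecessary for WPA-PSK (SirDice's point), and a missing WPA-PSK key management. The two embedded configs are constructed for the example, modelled on the config above with the placeholder passphrase replaced; the function names and the 256-bit key in the hardened config are mine and carry no real-world meaning.

```python
import re

# Constructed sample modelled on the hostapd.conf posted above, with a
# deliberate trailing space after the SSID and a too-short passphrase.
WEAK_CONF = (
    "interface=ath0\n"
    "debug=4\n"
    "ctrl_interface=/var/run/hostapd\n"
    "ctrl_interface_group=wheel\n"
    "ssid=myap \n"
    "wpa=1\n"
    "wpa_passphrase=short\n"
    "wpa_key_mgmt=WPA-PSK\n"
    "wpa_pairwise=TKIP\n"
)

# The same AP tightened to WPA2/CCMP with a precomputed 256-bit PSK
# (placeholder hex value, constructed for the example).
STRONG_CONF = (
    "interface=ath0\n"
    "ctrl_interface=/var/run/hostapd\n"
    "ctrl_interface_group=wheel\n"
    "ssid=myap\n"
    "wpa=2\n"
    "wpa_key_mgmt=WPA-PSK\n"
    "wpa_pairwise=CCMP\n"
    "rsn_pairwise=CCMP\n"
    "wpa_psk=" + "0123456789abcdef" * 4 + "\n"
)

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_hostapd_conf(text):
    """Return (lineno, key, value) triples, read the way hostapd reads the file:
    blank and '#' lines are skipped, the first '=' splits key and value, and
    whitespace around either is kept (hostapd does not strip it).  A line with
    no '=' gets value None."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        entries.append((lineno, key, value if sep else None))
    return entries


def lint_hostapd_conf(text):
    """Return a list of (severity, message).  'error' means hostapd will reject
    the file or bring up a network other than the one intended; 'warn' means it
    will run, but with a weak or pointless setting."""
    findings = []
    conf = {}
    for lineno, key, value in parse_hostapd_conf(text):
        if value is None:
            findings.append(("error", f"line {lineno}: no '=' (hostapd rejects this line)"))
            continue
        if key != key.strip() or value != value.strip():
            findings.append(("error", f"line {lineno}: stray whitespace in {key.strip()!r}; "
                                      "hostapd keeps it as part of the key or value"))
        conf[key.strip()] = value.strip()

    for req in ("interface", "ssid", "wpa", "wpa_key_mgmt", "wpa_pairwise"):
        if req not in conf:
            findings.append(("error", f"missing {req}="))

    # Pre-shared key material: a precomputed key wins over a passphrase.
    if "wpa_psk" in conf:
        if not _HEX64.match(conf["wpa_psk"]):
            findings.append(("error", "wpa_psk must be exactly 64 hex digits (256-bit PSK)"))
    elif "wpa_passphrase" in conf:
        n = len(conf["wpa_passphrase"])
        if not 8 <= n <= 63:
            findings.append(("error", f"wpa_passphrase is {n} chars; WPA requires 8..63"))
    else:
        findings.append(("error", "need wpa_passphrase= or wpa_psk="))

    wpa = conf.get("wpa")
    if wpa == "1":
        findings.append(("warn", "wpa=1 enables WPA (v1) only; prefer wpa=2 (WPA2/RSN)"))
    elif wpa == "3":
        findings.append(("warn", "wpa=3 mixed mode lets clients fall back to WPA (v1)"))
    elif wpa not in (None, "2"):
        findings.append(("error", f"wpa={wpa!r} is not 1, 2 or 3"))

    # For wpa=2 hostapd takes the cipher list from rsn_pairwise, falling back
    # to wpa_pairwise; for wpa=1 and wpa=3 wpa_pairwise applies.
    if wpa == "2":
        ciphers = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    else:
        ciphers = conf.get("wpa_pairwise", "")
    if "TKIP" in ciphers.split():
        findings.append(("warn", "TKIP pairwise cipher is deprecated; use CCMP only"))

    if "WPA-PSK" not in conf.get("wpa_key_mgmt", "").split():
        findings.append(("error", "wpa_key_mgmt must include WPA-PSK for a pre-shared-key AP"))
    if conf.get("ieee8021x") == "1":
        findings.append(("warn", "ieee8021x=1 is for WPA-EAP/RADIUS; WPA-PSK does not need it"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(f"{name}: {lint_hostapd_conf(conf) or 'no findings'}")
```

Run it against the real file with `python3 lint.py < /etc/hostapd.conf` after wrapping the call in `sys.stdin.read()`; the "weak" sample above reproduces the thread's own failure mode (a trailing space) and the two settings worth tightening in the working config (`wpa=1`, TKIP), while the "strong" sample passes clean.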


----------



## richardpl (Dec 5, 2008)

bluetick said:

> The only problem, on startup the kernel will not load the wlan_xauth, it must be hand loaded then start hostapd.

Adding this to loader.conf:

> wlan_xauth_load="YES"

doesn't work?


----------



## bluetick (Dec 5, 2008)

I have wlan_xauth compiled into the kernel.
FreeBSD 7.0-RELEASE-p5
dmesg error:

```
ieee80211_load_module: load the wlan_xauth module by hand for now.
```

I'll reboot it tonight to test the loader.conf.


----------



## richardpl (Dec 5, 2008)

There is no need to modify loader.conf if wlan_xauth is part of kernel.


----------

