wireless AP and WPA-PSK
bluetick
November 25th, 2008, 20:48
Wanting to add a wireless ap option. I like the idea of bridge mode, no extra subnet. But I want some form of encryption/security.
In bridge mode is it possible to run WPA-PSK on the ath0 interface?
I've set bridge mode up as this.
ifconfig -a
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:40:96:a9:c7:54
media: IEEE 802.11 Wireless Ethernet DS/11Mbps <hostap> (DS/11Mbps <hostap>)
status: associated
ssid my_ap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
authmode OPEN privacy OFF txpower 31.5 scanvalid 60 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5
protmode CTS burst dtimperiod 1
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:e0:18:3e:d2:4f
inet 10.10.1.10 netmask 0xffffff00 broadcast 10.10.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 9e:fb:04:4f:f0:28
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
Starting dhcpd, it errored on ath0; I guess no inet/ip setting caused this.
Starting hostapd, no errors, but the ath0 shows in open mode.
P.S. The happy faces came from somewhere other than me.
bluetick
November 25th, 2008, 22:37
Updating my own thread. After fixing "whitespace" errors in the hostapd.config, I get the following debug message.
mars# hostapd -d -K /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0 (from group name 'wheel')
bsd_set_iface_flags: dev_up=0
BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
ath0: IEEE 802.11 Fetching hardware channel/rate support not supported.
Flushing old station entries
bsd_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
bsd_set_privacy: enabled=0
bsd_del_key: addr=00:00:00:00:00:00 key_idx=0
bsd_del_key: addr=00:00:00:00:00:00 key_idx=1
bsd_del_key: addr=00:00:00:00:00:00 key_idx=2
bsd_del_key: addr=00:00:00:00:00:00 key_idx=3
bsd_get_ssid: ssid="myap"
Using interface ath0 with hwaddr and ssid 'myap'
SSID - hexdump_ascii(len=7):
myap
PSK (ASCII passphrase) - hexdump_ascii(len=21):
passphrase
passphrase
PSK (from passphrase) - hexdump(len=32):
bsd_set_ieee8021x: enabled=1
bsd_configure_wpa: group key cipher=TKIP (1)
bsd_configure_wpa: pairwise key ciphers=0x2
bsd_configure_wpa: key management algorithms=0x2
bsd_configure_wpa: rsn capabilities=0x0
bsd_configure_wpa: enable WPA= 0x1
ioctl[SIOCS80211]: Invalid argument
ath0: DRIVER Error enabling WPA/802.1X!
IEEE 802.1X initialization failed.
ath0: Unable to setup interface.
Flushing old station entries
bsd_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
rmdir[ctrl_interface]: No such file or directory
bsd_set_ieee8021x: enabled=0
bsd_set_iface_flags: dev_up=0
### end
mars# ifconfig ath0 list caps
ath0=6783ed4f<WEP,TKIP,AES,AES_CCM,FF,IBSS,HOSTAP,AHDEMO,TXPMGT, SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST, WME,BGSCAN,TXFRAG>
Cisco wireless card
>pciconf -lv
ath0@pci0:2:11:0: class=0x020000 card=0xcc2114b9 chip=0x0013168c rev=0x01 hdr=0x00
vendor = 'Atheros Communications Inc.'
device = 'AR5212, AR5213 802.11a/b/g Wireless Adapter'
class = network
subclass = ethernet
SirDice
November 26th, 2008, 08:49
You don't need to enable 802.1x for WPA-PSK. Post your hostapd.conf. I had mine running for a long time.
bluetick
November 26th, 2008, 16:42
As requested, hostapd.conf:
interface=ath0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=my_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
SirDice
November 26th, 2008, 17:16
Is it already bridged?
You might want to first get it working as a separate network segment.
Aic
November 29th, 2008, 07:19
See
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-wireless.html
and this #32.3.5.3.1 WPA-PSK
In my case (7.0 RELEASE) in /etc/rc.conf (without DHCP & bridge) is:
hostapd_enable="YES"
ifconfig_ath0="WPA inet <my_hostap_IP> netmask <my_mask> ssid freebsdap mode 11g mediaopt hostap"
It works. Also, you may use wpa_passphrase(8) and/or wpa_psk=64(hexd) in hostapd.conf
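Added example, not part of the thread: how the 64-hex-digit wpa_psk value mentioned above relates to a passphrase. The PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt (4096 iterations, 32 bytes), so a stored wpa_psk is only valid for the SSID it was derived with. The function names are hypothetical and the sample input uses the IEEE 802.11i test vector, not values from this thread.

```python
import hashlib

def wpa_psk(passphrase, ssid):
    """Derive the 256-bit WPA pre-shared key as 64 hex digits.

    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations (IEEE 802.11i).
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return key.hex()

def passphrase_to_psk(conf_text):
    """Rewrite hostapd.conf text so wpa_passphrase= becomes the equivalent wpa_psk=."""
    lines = conf_text.splitlines()
    # The SSID in the same file is the salt, so it must be read first.
    ssid = next(ln.split("=", 1)[1] for ln in lines if ln.startswith("ssid="))
    out = []
    for line in lines:
        if line.startswith("wpa_passphrase="):
            line = "wpa_psk=" + wpa_psk(line.split("=", 1)[1], ssid)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed input: SSID "IEEE" and passphrase "password" are the 802.11i test vector.
SAMPLE = (
    "interface=ath0\n"
    "ssid=IEEE\n"
    "wpa=1\n"
    "wpa_passphrase=password\n"
    "wpa_key_mgmt=WPA-PSK\n"
)

if __name__ == "__main__":
    print(passphrase_to_psk(SAMPLE), end="")
```
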
bluetick
December 5th, 2008, 16:54
After searching and gathering bits from here and there, I have a working setup in bridge mode.
The only problem: on startup the kernel will not load the wlan_xauth; it must be hand loaded, then start hostapd.
I have read about kernel panics with the wlan_xauth but have yet to have one.
YMMV
Kernel additions.
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_xauth # 802.11 WPA support
device wlan_acl_load # 802.11 support
device wlan_amrr # AMRR transmit rate control algorithm
device wlan_scan_ap # 802.11 AP mode scanning
device wlan_scan_sta # 802.11 STA mode scanning
device ath # Atheros pci/cardbus NIC's
device ath_hal # Atheros HAL (Hardware Access Layer)
device ath_rate_sample # SampleRate tx rate control for ath
rc.conf
ifconfig_rl0="inet 10.10.1.10 netmask 255.255.255.0"
hostapd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-m"
ifconfig_ath0="up ssid myap mode 11g mediaopt hostap"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ath0 addm rl0 up"
sysctl.conf
net.inet.ip.check_interface=1
hostapd.conf
interface=ath0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=(pass)
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
ifconfig -a
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
ether 00:40:96:a9:c7:54
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: associated
ssid myap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:e0:18:3e:d2:4f
inet 10.10.1.10 netmask 0xffffff00 broadcast 10.10.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether ce:15:dd:9b:7f:f8
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
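Added example, not part of the thread: a small check for the WPA settings in a hostapd.conf like the one above, plus a reader for the authmode/privacy line that ifconfig prints (OPEN/OFF in the first post, WPA/MIXED here). It assumes hostapd's documented meaning of the wpa bit field (1 = WPA, 2 = WPA2/RSN); the function names are hypothetical and the sample passphrase is a placeholder.

```python
import re

# Constructed sample: the hostapd.conf from the post above with a placeholder passphrase.
SAMPLE_CONF = """\
interface=ath0
ssid=myap
wpa=1
wpa_passphrase=example-only-passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
"""

def parse_conf(text):
    """Return key/value pairs from hostapd.conf text, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def audit_conf(conf):
    """Return a list of findings for the WPA-related settings."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("wpa unset or 0: WPA disabled")
    elif not wpa & 2:
        findings.append("wpa=1: WPA1 only, WPA2/RSN (bit 2) not enabled")
    ciphers = (conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP offered as pairwise cipher")
    phrase = conf.get("wpa_passphrase")
    if phrase is not None and not 8 <= len(phrase) <= 63:
        findings.append("wpa_passphrase must be 8 to 63 characters")
    return findings

def authmode(ifconfig_text):
    """Extract (authmode, privacy) from ifconfig output, or None if absent."""
    m = re.search(r"authmode (\S+) privacy (\S+)", ifconfig_text)
    return m.groups() if m else None

if __name__ == "__main__":
    for finding in audit_conf(parse_conf(SAMPLE_CONF)):
        print(finding)
```
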
richardpl
December 5th, 2008, 17:07
The only problem, on startup the kernel will not load the wlan_xauth, it must be hand loaded then start hostapd.
Adding:
wlan_xauth_load="YES"
doesn't work?
bluetick
December 5th, 2008, 17:51
I have wlan_xauth compiled in the kernel.
FreeBSD 7.0-RELEASE-p5
dmesg error
ieee80211_load_module: load the wlan_xauth module by hand for now.
I'll reboot it tonight to test the loader.conf.
richardpl
December 5th, 2008, 18:11
There is no need to modify loader.conf if wlan_xauth is part of kernel.