wireless AP and WPA-PSK

Wanting to add a wireless AP option. I like the idea of bridge mode, no extra subnet. But I want some form of encryption/security.

In bridge mode is it possible to run WPA-PSK on the ath0 interface?
I've set bridge mode up like this.
ifconfig -a
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:40:96:a9:c7:54
media: IEEE 802.11 Wireless Ethernet DS/11Mbps <hostap> (DS/11Mbps <hostap>)
status: associated
ssid my_ap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
authmode OPEN privacy OFF txpower 31.5 scanvalid 60 bgscan
bgscanintvl 300 bgscanidle 250 roam:rssi11g 7 roam:rate11g 5
protmode CTS burst dtimperiod 1
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:e0:18:3e:d2:4f
inet 10.10.1.10 netmask 0xffffff00 broadcast 10.10.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 9e:fb:04:4f:f0:28
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>

Starting dhcpd, it errored on ath0; I guess no inet/IP setting caused this.
Starting hostapd, no errors, but the ath0 shows in open mode.

P.S. The happy faces came from somewhere other than me.
 
Update

Updating my own thread. After fixing "whitespace" errors in the hostapd.config, I get the following debug message.

mars# hostapd -d -K /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0 (from group name 'wheel')
bsd_set_iface_flags: dev_up=0
BSS count 1, BSSID mask ff:ff:ff:ff:ff:ff (0 bits)
ath0: IEEE 802.11 Fetching hardware channel/rate support not supported.
Flushing old station entries
bsd_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
bsd_set_privacy: enabled=0
bsd_del_key: addr=00:00:00:00:00:00 key_idx=0
bsd_del_key: addr=00:00:00:00:00:00 key_idx=1
bsd_del_key: addr=00:00:00:00:00:00 key_idx=2
bsd_del_key: addr=00:00:00:00:00:00 key_idx=3
bsd_get_ssid: ssid="myap"
Using interface ath0 with hwaddr and ssid 'myap'
SSID - hexdump_ascii(len=7):
myap
PSK (ASCII passphrase) - hexdump_ascii(len=21):
passphrase
passphrase
PSK (from passphrase) - hexdump(len=32):
bsd_set_ieee8021x: enabled=1
bsd_configure_wpa: group key cipher=TKIP (1)
bsd_configure_wpa: pairwise key ciphers=0x2
bsd_configure_wpa: key management algorithms=0x2
bsd_configure_wpa: rsn capabilities=0x0
bsd_configure_wpa: enable WPA= 0x1
ioctl[SIOCS80211]: Invalid argument
ath0: DRIVER Error enabling WPA/802.1X!
IEEE 802.1X initialization failed.
ath0: Unable to setup interface.
Flushing old station entries
bsd_sta_deauth: addr=ff:ff:ff:ff:ff:ff reason_code=3
Deauthenticate all stations
rmdir[ctrl_interface]: No such file or directory
bsd_set_ieee8021x: enabled=0
bsd_set_iface_flags: dev_up=0
### end
mars# ifconfig ath0 list caps
ath0=6783ed4f<WEP,TKIP,AES,AES_CCM,FF,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME,BGSCAN,TXFRAG>

Cisco wireless card
>pciconf -lv
ath0@pci0:2:11:0: class=0x020000 card=0xcc2114b9 chip=0x0013168c rev=0x01 hdr=0x00
vendor = 'Atheros Communications Inc.'
device = 'AR5212, AR5213 802.11a/b/g Wireless Adapter'
class = network
subclass = ethernet
 
You don't need to enable 802.1x for WPA-PSK. Post your hostapd.conf. I had mine running for a long time.
 
As requested, hostapd.conf:

interface=ath0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=my_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
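
Added example, not part of the thread: an sh audit of the hostapd.conf settings discussed here. It flags WPA1-only (`wpa=1`), TKIP as a pairwise cipher, a passphrase outside the 8 to 63 character range, and stray whitespace of the kind the poster mentions fixing. The function names are hypothetical, and the whitespace rule assumes hostapd reads key and value verbatim around `=`.

```shell
#!/bin/sh
# Added example, not from the thread: audit hostapd.conf text read on stdin.
# Prints one finding per line; returns 1 if there is any finding.

conf_get() {  # last value assigned to key $1 in $CONF
    printf '%s\n' "$CONF" | sed -n "s/^$1=//p" | tail -n 1
}

audit_hostapd_conf() {
    CONF=$(cat); rc=0
    wpa=$(conf_get wpa); pair=$(conf_get wpa_pairwise)
    pass=$(conf_get wpa_passphrase)
    case "$wpa" in
        ""|0) echo "wpa: not enabled, the BSS stays open"; rc=1 ;;
        1)    echo "wpa=1: WPA1 only; wpa=2 selects WPA2 (RSN)"; rc=1 ;;
    esac
    case " $pair " in
        *" TKIP "*) echo "wpa_pairwise: TKIP offered; prefer CCMP alone"; rc=1 ;;
    esac
    if [ -n "$pass" ] && { [ ${#pass} -lt 8 ] || [ ${#pass} -gt 63 ]; }; then
        echo "wpa_passphrase: length ${#pass} is outside 8..63"; rc=1
    fi
    # Assumption: hostapd takes key and value verbatim around the first '=',
    # so stray blanks change the key or the value.
    ws=$(printf '%s\n' "$CONF" | awk '!/^#/ && (/^[ \t]/ || /^[^=]*[ \t]=/ ||
        /^[^=]*=[ \t]/ || /[ \t]$/) { printf "%d ", NR }')
    if [ -n "$ws" ]; then
        echo "whitespace: stray blanks on line(s) $ws"; rc=1
    fi
    return $rc
}

sample_conf() {  # constructed copy of the hostapd.conf posted above
cat <<'EOF'
interface=ath0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=my_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
EOF
}

# Demo; on a live system: audit_hostapd_conf < /etc/hostapd.conf
sample_conf | audit_hostapd_conf || echo "review the findings above"
```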
 
Is it already bridged?
You might want to first get it working as a separate network segment.
 
AP with WPA in Bridge Mode.

After searching and gathering bits from here and there, I have a working setup in bridge mode.
The only problem: on startup the kernel will not load wlan_xauth; it must be loaded by hand before starting hostapd.
I have read about kernel panics with the wlan_xauth but have yet to have one.
YMMV

Kernel additions.
device wlan # 802.11 support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_xauth # 802.11 WPA support
device wlan_acl # 802.11 support
device wlan_amrr # AMRR transmit rate control algorithm
device wlan_scan_ap # 802.11 AP mode scanning
device wlan_scan_sta # 802.11 STA mode scanning
device ath # Atheros pci/cardbus NIC's
device ath_hal # Atheros HAL (Hardware Access Layer)
device ath_rate_sample # SampleRate tx rate control for ath

rc.conf
ifconfig_rl0="inet 10.10.1.10 netmask 255.255.255.0"
hostapd_enable="YES"
gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-m"
ifconfig_ath0="up ssid myap mode 11g mediaopt hostap"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ath0 addm rl0 up"

sysctl.conf
net.inet.ip.check_interface=1

hostapd.conf
interface=ath0
debug=4
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=myap
wpa=1
wpa_passphrase=(pass)
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

ifconfig -a
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
ether 00:40:96:a9:c7:54
media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
status: associated
ssid myap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
txpower 31.5 scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250
roam:rssi11g 7 roam:rate11g 5 protmode CTS burst dtimperiod 1
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8<VLAN_MTU>
ether 00:e0:18:3e:d2:4f
inet 10.10.1.10 netmask 0xffffff00 broadcast 10.10.1.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether ce:15:dd:9b:7f:f8
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto rstp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
member: rl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: ath0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
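
Added example, not part of the thread: an sh check over `ifconfig -a` output that tells the first post's state (hostapd started, but ath0 stayed at `authmode OPEN privacy OFF`) from the working state shown above (`authmode WPA`). The function names are hypothetical and both sample inputs are constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ifconfig -a` text on stdin.

# Print "<ifname> <authmode> <privacy>" for every interface in hostap mode.
list_hostap_auth() {
    awk '
        /^[a-z_]+[0-9]+: flags=/ { ifname = $1; sub(/:$/, "", ifname); hostap = 0 }
        /media:.*<hostap>/       { hostap = 1 }
        hostap && /authmode/ {
            auth = "?"; priv = "?"
            for (i = 1; i < NF; i++) {
                if ($i == "authmode") auth = $(i + 1)
                if ($i == "privacy")  priv = $(i + 1)
            }
            print ifname, auth, priv
        }'
}

# Return 1 (and name the interface) if any AP is authmode OPEN or privacy OFF.
check_ap_auth() {
    list_hostap_auth | awk '
        $2 == "OPEN" || $3 == "OFF" { print "AP without WPA: " $0; bad = 1 }
        END { exit bad + 0 }'
}

sample_open() {  # constructed from the ifconfig output in the first post
cat <<'EOF'
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: IEEE 802.11 Wireless Ethernet DS/11Mbps <hostap> (DS/11Mbps <hostap>)
    ssid my_ap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
    authmode OPEN privacy OFF txpower 31.5 scanvalid 60 bgscan
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    media: Ethernet autoselect (100baseTX <full-duplex>)
EOF
}

sample_wpa() {  # constructed from the ifconfig output of the working setup
cat <<'EOF'
ath0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 2290
    media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
    ssid myap channel 1 (2412 Mhz 11g) bssid 00:40:96:a9:c7:54
    authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit TKIP 3:128-bit
EOF
}

# Demo; on a live system: ifconfig -a | check_ap_auth
sample_open | check_ap_auth || echo "hostapd did not enable WPA on this interface"
```

Run after hostapd starts and before the bridge is brought up, so an open ath0 is caught before it is joined to the wired segment.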
 
I have wlan_xauth compiled in the kernel.
FreeBSD 7.0-RELEASE-p5
dmesg error
ieee80211_load_module: load the wlan_xauth module by hand for now.

I'll reboot it tonight to test the loader.conf.
 