Solved wpa_supplicant, multiple networks, and WPA

Evening all,

I've got FreeBSD-CURRENT running on my T440. I set up my /etc/rc.conf with the following:
Code:
wlans_iwm0="wlan0"
ifconfig_wlan0="WPA DHCP"
And in my /etc/wpa_supplicant.conf I have the following:
Code:
network={
  ssid="HomeWifi"
  psk="MySecretPassword"
}
network={
  ssid="Some hotel WiFi"
}
network={
  ssid="CORP-Guest"
}
At home this setup works well. However, on the other two networks the laptop fails to connect to either of the networks, neither of which have a PSK - you have to connect then open a browser and enter login information. In order to connect to these other two networks, I need to remove "WPA" from /etc/rc.conf and do a service netif restart - or at least that's as much as I've worked out.
The next problem is that when I go home, my laptop won't connect to my home Wifi where "WPA" is required.

Is there a way I can have the best of both worlds without continually editing files? I expect there is something I've missed in the wpa_supplicant.conf documentation...

Many thanks,
Ben
 
You need more settings in wpa_supplicant.conf to tell it the protocol.
Code:
proto=
key_mgmt=
group=
pairwise=
Look at
Code:
scan_ssid=
in the configuration file.

For proto, use "RSN" to signify "WPA2". The other settings are also for the protocol. "scan_ssid" asks it whether to broadcast or directly handshake.

You can even add bssid and ssid to your rc.conf file settings on line ifconfig, like
Code:
ifconfig_wlan0="bssid <gateway's bssid> ssid homewifi WPA DHCP"
Typing ifconfig from the command line will give you your bssid.
 
You're missing
Code:
key_mgmt=NONE
for the unencrypted networks.
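
An added example, not part of the original post: a small check that reports the effective key_mgmt of each network block, run over the file from the first post and over the same file with key_mgmt=NONE added. The names parse_networks and audit are hypothetical; the default "WPA-PSK IEEE8021X" is the value the wpa_supplicant.conf documentation gives for a block that omits key_mgmt, so a block with neither psk nor key_mgmt does not describe an open network.

```python
import re

# Documented wpa_supplicant default when a network block omits key_mgmt.
DEFAULT_KEY_MGMT = "WPA-PSK IEEE8021X"

def parse_networks(conf_text):
    """Return one {key: value} dict per network={...} block."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf_text, re.S):
        fields = (l.strip() for l in body.splitlines())
        pairs = (l.split("=", 1) for l in fields if "=" in l and not l.startswith("#"))
        networks.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return networks

def audit(conf_text):
    """Return (ssid, effective key_mgmt, finding) per network block."""
    report = []
    for net in parse_networks(conf_text):
        key_mgmt = net.get("key_mgmt", DEFAULT_KEY_MGMT)
        if key_mgmt == "NONE":
            finding = "open: no link-layer encryption, protect traffic above it"
        elif "psk" not in net and "eap" not in net:
            finding = "no credentials: set key_mgmt=NONE if the network is open"
        else:
            finding = "ok"
        report.append((net.get("ssid", ""), key_mgmt, finding))
    return report

# Constructed sample input: the file from the first post ...
ORIGINAL = """
network={
  ssid="HomeWifi"
  psk="MySecretPassword"
}
network={
  ssid="Some hotel WiFi"
}
network={
  ssid="CORP-Guest"
}
"""
# ... and the same file with key_mgmt=NONE added to the two open networks.
CORRECTED = ORIGINAL.replace('WiFi"', 'WiFi"\n  key_mgmt=NONE').replace(
    'Guest"', 'Guest"\n  key_mgmt=NONE')

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for row in audit(conf):
            print(label, *row, sep=" | ")
```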
 
You're missing
Code:
key_mgmt=NONE
for the unencrypted networks.
That's what it appears to do. The documentation on that is not clear. It makes it sound as if it's a protocol (like it's called open, like unrelated openssl, or opensoftware), when really, it means open network, no encryption. No encryption could technically, but it's a stretch, be called a protocol.

Also, I don't use that setting.
 
I haven't tried this, but I was wondering if rc.conf could have "ifconfig_wlan0=" for the home network, "ifconfig_wlan1=" or "ifconfig_wlan2=" for the free access points wifi networks.

Code:
wlans_iwm0="wlan0 wlan1 wlan2"
ifconfig_wlan0="bssid <MAC-Address> ssid HomeWiki WPA DHCP"
ifconfig_wlan1="ssid somewifiexample WPA DHCP"
ifconfig_wlan2="ssid CORP-Guest WPA DHCP"
or maybe compress this to just home network, and other networks removing "ssid" from wifi networks in rc.conf


For the home section of wpa_supplicant.conf using WPA2, I have
Code:
key_mgmt=WPA-PSK
proto=RSN  #for regular WPA, this would simply be WPA or both could be listed here
group=CCMP
pairwise=CCMP
 
sidetone, I don’t suppose you could share the relevant sections on your rc.conf and wpa_supplicant.conf? It all worked perfectly for the hotel and work, but when I got home it just refused to connect to my home wifi…
 
My wpa_supplicant.conf file is for WPA2 using preshared key:
Code:
ctrl_interface=/var/run/wpa_supplicant
eapol_version=1
ap_scan=1
fast_reauth=0

network={
ssid=""
bssid=
scan_ssid=1
psk=""
priority=9
proto=RSN
key_mgmt=WPA-PSK
group=CCMP
pairwise=CCMP
}

rc.conf
Code:
# Network
hostname="anything"
default_router="192.168.1.254"
wlans_ath0="wlan0"
ifconfig_wlan0="bssid <macaddress> ssid <myssid> WPA DHCP"
sendmail_enable="NONE"

I wouldn't expect my rc.conf setting to work with multiple access points. I use it to keep mine confined, and from wandering off to try to connect to anything, because wpa_supplicant.conf still lets it wander around. Haven't tried using wlan1, etc... because I don't have the ability to test that.
 
That's good, I'd like to see if also having wlan1 in rc.conf works. But of course 'ssid' and 'bssid' aren't needed in that file. Of course, I can only add 'bssid' later, after making it run, then running ifconfig.
 
That's good, I'd like to see if also having wlan1 in rc.conf works. But of course ssid and bssid aren't needed in that file.

Alas, it doesn’t seem to.
I get an I/O error partway through service netif restart, and when it has all finished, wlan0 is the only “wlan device” when doing ifconfig -a.
 
Ok, I tried replacing mine with wlan1 and even using both for one connection, it didn't recognize it.

Better yet, maybe adding 'ifconfig_wlan0_alias0' in rc.conf for a second network, etc.

Code:
ifconfig_iwm0_alias0="inet 192.168.1.?? ssid SomehotelWiFi"
ifconfig_iwm0_alias1="inet 192.168.1.?? ssid CORP-Guest"
Alias doesn't seem to work with WPA or DHCP options.

There's no change to
Code:
wlans_iwm0="wlan0"
The 'bssid' argument wouldn't be practical with the open networks. I also run wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf &
 
Open isn't secure, and WEP is barely better, but does anyone know if/how WEP or anything better can be used on free-wifi networks?
 
I looked at the vlan option, but it may possibly have the same restrictions as alias, where it doesn't use DHCP or WPA as arguments.

Maybe include all that are similar in rc.conf, but letting it drop the ones that don't work:
Code:
ifconfig_wlan0="bssid <macaddress> ssid <homenetwork> WPA DHCP"
ifconfig_wlan0="ssid <hotel> WPA DHCP"
ifconfig_wlan0="ssid <corp-guest> WPA DHCP"

I tried something like this on my fstab file, using similar replicate lines for one mount-point but two different filetypes, without a problem. You could also drop bssid and ssid arguments with their repeated lines altogether.
 
I looked at the vlan option, but it may possibly have the same restrictions as alias, where it doesn't use DHCP or WPA as arguments.

Maybe include all that are similar in rc.conf, but letting it drop the ones that don't work:
Code:
ifconfig_wlan0="bssid <macaddress> ssid <homenetwork> WPA DHCP"
ifconfig_wlan0="ssid <hotel> WPA DHCP"
ifconfig_wlan0="ssid <corp-guest> WPA DHCP"

I tried something like this on my fstab file, using similar replicate lines for one mount-point but two different filetypes, without a problem. You could also drop bssid and ssid arguments with their repeated lines altogether.

That's never going to work because you're overriding the same variable twice. The only setting in effect will be the last line and the first two are ignored:

Code:
ifconfig_wlan0="ssid <corp-guest> WPA DHCP"

The /etc/rc.conf file is nothing but an sh(1) script that gets sourced with the . command of the shell.
 
I know it's not necessary in rc.conf, except once without specific options. So how would you limit the network choices to three options from rc.conf using DHCP? It actually helps make the connection stronger from other network interference to do so.
 
For rc.conf, just
Code:
ifconfig_wlan0="WPA DHCP"
will simply work for multiple networks that are defined in wpa_supplicant.conf. I'm not sure if I made this clear.
 
Open isn't secure, and WEP is barely better, but does anyone know if/how WEP or anything better can be used on free-wifi networks?
You cannot override what is available from the access point. The only option for unsecured networks (including WEP) is to use encryption. SSH does that, so does SSL. Tunneling over SSH can be used for other connections, or if you have control of the far end of the connection, use a VPN.
 
option for unsecured networks (including WEP), is to use encryption. SSH does that, so does SSL. Tunneling over SSH can be used for other connections, or if you have control of the far end of the connection, use a VPN.
And a firewall.
 
For rc.conf, just
Code:
ifconfig_wlan0="WPA DHCP"
will simply work for multiple networks that are defined in wpa_supplicant.conf. I'm not sure if I made this clear.
That's what I had to begin with, and it didn't work - however, at the beginning of the week I upgraded to FreeBSD-CURRENT r290646, and have come away to the hotel and corp network again, and now it works! So something fairly recent must have changed the behaviour/fixed it :D
 
There are a lot of improvements and fixes in CURRENT compared to 10.2.
 