
Configuring WPA for FreeBSD

This configuration guide is for a user who would like to connect a laptop running FreeBSD 6.0 to the LBLnet secured wireless network. The instructions are specific to laptops running the FreeBSD 6.0 kernel and equipped with a Cisco Aironet 802.11 a/b/g wireless adapter (AIR-CB21AG-A-K9), though they may apply to other similar operating systems.

All the information contained in this configuration guide was collected from a laptop installed with the FreeBSD "user" standard distribution set and the FreeBSD ports collection. If you would like additional information regarding FreeBSD installation, see the following FreeBSD guide:

http://www.freebsd.org/doc/en/books/handbook/network-wireless.html 

From here on, we assume a functional FreeBSD 6.0 laptop with the Cisco Aironet wireless adapter, that the login user is root, and that the home directory is /root.

The /boot/loader.conf file

Add the following two lines to the loader.conf file:

        wlan_ccmp_load="YES"
        wlan_tkip_load="YES"

These two lines load the crypto services support that is required for the secured wireless connection. The CCMP module provides AES-CCMP crypto support and the TKIP module provides TKIP+Michael crypto support for 802.11 devices.

Build the wpa_supplicant from the FreeBSD ports collection

Before building the wpa_supplicant software from the ports collection, take time to verify that there is no other wpa_supplicant installed with the "user" distribution set. The default wpa_supplicant may not be built with the required EAP support.

You may find the wpa_supplicant port at /usr/ports/security/wpa_supplicant. The version currently in the FreeBSD ports collection is v0.3.8. Simply cd to that directory and issue the command "make install"; this will compile and install the executable into /usr/local/sbin.

After installing the wpa_supplicant, you will need to modify the wpa_supplicant.conf with LBLnet site specific connection instructions. There is a sample configuration file at /usr/ports/security/wpa_supplicant/work/wpa_supplicant-0.3.8.

Copy the wpa_supplicant.conf file to your home directory or another designated directory. Please remove all the sample "network" blocks from the wpa_supplicant.conf file (that is, everything below the line "# Example blocks:"). Some of them may contain options that are not supported with the default build configuration. Add the following LBLnet specific network block to the bottom of the wpa_supplicant.conf file:

network {
        ssid="lblnet AP's ssid"
        proto=RSN WPA
        key_mgmt=WPA-EAP
        pairwise=CCMP TKIP
        group=CCMP TKIP
        eap=TTLS
        identity="your ldap id"
        password="your ldap password"
        phase2="auth=PAP"
        ca_cert="/usr/local/etc/rad.lbl.gov.crt"
        priority=1
}

If you don't know the SSID of the AP, plug in the Cisco Aironet wireless adapter and use the following commands to scan for APs in range.

        ifconfig wlan0 create wlandev ath0
        ifconfig wlan0 up scan

(The supported Cisco Aironet card uses an Atheros chipset, so the device name is ath0.)

Note that you will need a separate network block for each SSID you intend to connect to.

Click here to download the latest LBL certificate (valid until August 2024) 

(In some browsers, you may have to right-click and choose Save Link As...)

This file is the CA certificate required for the TLS encryption of the TTLS tunnel. Please make sure that the file is placed in the directory specified by the ca_cert directive in wpa_supplicant.conf.
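The ca_cert directive is what lets the supplicant check that it is talking to the LBL RADIUS server before the PAP password is sent through the tunnel. As an added example (not part of the original guide), the Python below parses the network blocks of a wpa_supplicant.conf and reports EAP entries that lack ca_cert or point at a file that is not there; the function names and the second, deliberately incomplete sample block are constructed for illustration.

```python
import os
import re
# Added example, not part of the original guide: parse the network { ... } blocks of
# wpa_supplicant.conf and flag EAP entries that would run TTLS without ca_cert.
BLOCK_RE = re.compile(r"network\s*\{(.*?)\}", re.S)

def parse_networks(conf_text):
    """Return one dict per network block; quoted values have quotes removed."""
    networks = []
    for body in BLOCK_RE.findall(conf_text):
        fields = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()     # drop comments and blanks
            if "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]              # ssid="..." style values
                fields[key] = value
        networks.append(fields)
    return networks

def check_network(net, path_exists=os.path.isfile):
    """Return the problems found in one parsed block (empty list if none)."""
    problems = []
    if "eap" in net and "ca_cert" not in net:
        msg = "eap=%s without ca_cert: server certificate is not validated" % net["eap"]
        if net.get("phase2", "").startswith("auth=PAP"):
            msg += "; the PAP password would go to an unverified server"
        problems.append(msg)
    elif "ca_cert" in net and not path_exists(net["ca_cert"]):
        problems.append("ca_cert file not found: " + net["ca_cert"])
    return problems

# Constructed sample: the guide's LBLnet block (abridged) plus one without ca_cert.
SAMPLE_CONF = """
network {
        ssid="lblnet AP's ssid"
        key_mgmt=WPA-EAP
        eap=TTLS
        phase2="auth=PAP"
        ca_cert="/usr/local/etc/rad.lbl.gov.crt"
}
network {
        ssid="example-no-cacert"
        key_mgmt=WPA-EAP
        eap=TTLS
        phase2="auth=PAP"
}
"""
```

Run it against your real file with `parse_networks(open("/root/wpa_supplicant.conf").read())` and feed each block to `check_network`; an empty list means the block passed both checks.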

Verification

If you would like to verify the authenticity of the downloaded file, compare it against the digests and fingerprints below:

Digest of the certificate file:

# openssl dgst -sha1 -c rad.lbl.gov.crt
SHA1(rad.lbl.gov.crt)= 68:2f:9b:9f:55:f2:93:a4:98:a9:36:b1:d5:68:e5:68:87:74:0d:29
# openssl dgst -md5 -c rad.lbl.gov.crt
MD5(rad.lbl.gov.crt)= f0:13:ee:5c:ba:df:a3:90:dc:32:28:98:3d:7b:41:1e

x509 fingerprint (computed over the DER-encoded certificate, so it differs from the digest of the file itself):

# openssl x509 -noout -in rad.lbl.gov.crt -fingerprint -md5
MD5 Fingerprint=55:A8:F0:EB:25:EC:18:D4:45:57:C6:4C:F6:CB:FC:D4
# openssl x509 -noout -in rad.lbl.gov.crt -fingerprint -sha1
SHA1 Fingerprint=2F:6F:1B:4D:D0:47:58:BD:1B:E7:6B:64:B0:D1:7C:37:34:85:15:7A

Connect to the LBLnet Secured Wireless Network

To connect to the LBLnet secured wireless network, bring up the wireless network interface and run the wpa_supplicant software in background mode. After successful AP association and authentication, request the client network IP address from LBLnet using dhclient. The commands are as follows:

        ifconfig wlan0 up
        /usr/local/sbin/wpa_supplicant -B -i wlan0 -c /root/wpa_supplicant.conf
        dhclient wlan0

As you may have noticed, you will need to log in first and bring up the wireless connection using those three commands. How to configure the system to connect to the LBLnet secured wireless network at system boot is beyond the scope of this configuration guide. If you have a suggested system configuration, please share it.
