dhclient and wpa_supplicant

Tue Aug 2 04:10:00 GMT 2005

Sam Leffler wrote:
> Eric Schuele wrote:
> 
>> Sam Leffler wrote:
>>
>>> Eric Schuele wrote:
>>>
>>>> Sam Leffler wrote:
>>>>
>>>>> Eric Schuele wrote:
>>>>>
>>>>
>>>> <big-snip>
>>>>
>>>>>> dhclient.conf contains
>>>>>> ===========================
>>>>>> interface "ath0" {
>>>>>>   #send option host-name "myhost";
>>>>>>   #send option domain-name "nxdomain.org";
>>>>>>   send dhcp-client-identifier "myhost";
>>>>>>
>>>>>>   media
>>>>>>   ### Home
>>>>>>   "ssid <home_ssid> mode 11b channel 11 wepmode on weptxkey 1 
>>>>>> wepkey 0x<home_wepkey>",
>>>>>>   ### Office
>>>>>>   "ssid <office_ssid mode 11b channel 6 wepmode on weptxkey 1 
>>>>>> wepkey 0x<office_wepkey>";
>>>>>>       request subnet-mask, broadcast-address, routers, 
>>>>>> domain-name-servers, domain-name;
>>>>>> }
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Do not use media statements to setup wireless parameters; this does 
>>>>> not work.  You need to run wpa_supplicant and let it identify the 
>>>>> network and setup the key parameters.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> How do I tell wpa_supplicant about the network media?  I had found 
>>>> an older post of yours regarding NOT doing it in dhclient.conf.... 
>>>> but I've found no other way to accomplish it.
>>>
>>>
>>>
>>>
>>> The above dhclient.conf lists media settings that are all handled by 
>>> wpa_supplicant so you don't specify any of them.  Specifically you 
>>> set ssid, band, channel, and wep parameters; all these are handled by 
>>> wpa_supplicant.
>>
>>
>>
>> ok... I removed the lines from dhclient.conf.  I reboot, and run 
>> wpa_supplicant manually with -d.  The output is attached.  My AP shows 
>> up as "", while my neighbors ssids are not hidden ('linksys' and 
>> 'default').
>>
>>>
>>> The intent is that dhclient deal only with the dhcp protocol and stop 
>>> being involved in the discovery and selection of wireless networks (a 
>>> job wpa_supplicant is better equipped to handle).
>>>
>>>>
>>>>>
>>>>>>
>>>>>> wpa_supplicant.conf
>>>>>> =============================
>>>>>> ctrl_interface=/var/run/wpa_supplicant
>>>>>> ctrl_interface_group=wheel
>>>>>>
>>>>>> # Home Network
>>>>>> network={
>>>>>>    ssid="<home_ssid>"
>>>>>>    scan_ssid=1
>>>>>>    key_mgmt=NONE
>>>>>>    wep_tx_keyidx=0
>>>>>>    wep_key0="<home_wepkey>"
>>>>>> }
>>>>>>
>>>>>> # Office Network
>>>>>> network={
>>>>>>    ssid="<office_ssid>"
>>>>>>    scan_ssid=1
>>>>>>    key_mgmt=NONE
>>>>>>    wep_tx_keyidx=0
>>>>>>    wep_key0="<office_wepkey>"
>>>>>> }
>>>>>>
>>>>>
>>>>> Not sure you need scan_ssid set, I'd leave it out.
>>>>>
>>>>> If you have problems try disabling auto-startup of ath0 and run 
>>>>> wpa_supplicant by hand with the -d flag to see what it's doing.  
>>>>> Once that's going then enable startup in rc.conf.  If you continue 
>>>>> to have problems provide the output wpa_supplicant -d -i ath0 -c 
>>>>> /etc/wpa_supplicant.conf (or similar) when you have trouble.  There is
>>>>> also a pending issue with locating some ap's that are setup to hide 
>>>>> their ssid.  If one of the ap's is configured in this way contact 
>>>>> me directly--I've been trying to collect the info I need to 
>>>>> identify what's going on.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Both my APs (home and office) hide their ssids.  One is a wrt54g 
>>>> (home), the other is linksys as well... though I forget the model at 
>>>> the moment (FWIW its a/b/g).  What can I do to provide the info you 
>>>> need?
>>>
>>>
>>>
>>>
>>> These should work; I've had reports of problems with certain Cisco 
>>> ap's.  Note however that configuring an ap to hide it's ssid adds no 
>>> real security.
>>
>>
>>
>> I realize hidden ssids are of no real world use... but they keep *my* 
>> neighbors out (you'll notice their ssids in the wpa_supp output).
> 
> 
> Actually you can do just as well using mac acl's to restrict access. 

Yes... I restrict those as well.

> Neither hidden ssid or mac acls are particularly useful except to keep 
> nuisance traffic out.  Both can be trivially subverted; you need to go 
> to something like 802.1x or wpa for reasonable authentication of 
> stations (wpa-psk is inexpensive and easy to setup and is my preferred 
> method).

I'm on my way to wpa+... just wanted to confirm I had things working in 
their previously operational configuration (WEP was all that was 
available at the time).

> 
> Understand that hidden ssid use comes at a price.  Normally a station 
> will scan by sending a "broadcast probe request" frame on a channel and 
> listen for responses from all ap's.  When an ap hides its ssid the 
> station must send a "directed probe request" frame for each ap that it 
> might be looking for.  If you've got lots of ap's on the wire and/or 
> lots of ap's you're searching for your scan will take more time and soak 
> more air time.  Given that it's trivial to passively monitor a network 
> and collect the ssid for an ap you can see why I suggest it's better to 
> use a mac acl if your intent is just to keep out naive users.
> 

Noted.  Thanks.

>>
>>>
>>>     Sam
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to 
>>> "freebsd-questions-unsubscribe at freebsd.org"
>>>
>>
>> Any idea why my machine will never associate with my AP using 
>> wpa_supplicant?  Anything else I can provide that may shed some light? 
>> I am using WEP... not WPA... could that part of the problem.  Since 
>> WPA was not previously supported I had been using WEP... and figured 
>> I'd move up to WPA one step at a time.
>>
>> All help is appreciated.
> 
> 
>     <...stuff deleted...>
> 
> The problem is that the current wpa_supplicant scanning code is pretty 
> simplistic.  wpa_supplicant is a great bit of work but was written for 
> the least-common denominator device.  When scanning it does not (yet) 
> handle ap's using hidden ssid except by deferring the work to the 
> operating system.  Unfortunately the current scanning code in the os 
> also is very simplistic.  The end result is that wpa_supplicant can only 
> scan for 1 ap using a hidden ssid and when it does that it can't also 
> scan for ap's that don't hide their ssid (you get one or the other).  To 
> do the right thing the api provided by the kernel must be changed.  I've 
> got work that does that uncommitted but it's unlikely to go into 6.x 
> because it'll break internal ABI's and that's a no-no.
> 
> Bottom line is for the monent avoid using hidden ssid.  

Ok.  I'll avoid hidden ssids till future dates.

I'll see if I
> can come up with an interim solution but it's unlikely to happen before 
> 6.0 releases. Sorry.

No apologies necessary.  I appreciate your responses, and all your work 
towards the project as a whole.

> 
>     Sam
> 
> 

-- 
Regards,
Eric