author | sam <sam@FreeBSD.org> | 2006-03-07 05:26:33 +0000
---|---|---
committer | sam <sam@FreeBSD.org> | 2006-03-07 05:26:33 +0000
commit | 840099f34d8de1ca769f02fae379c4d8e5d6688a (patch) |
tree | 0c0ff34569d807e7bceb062a6210ce68490a8764 /contrib/wpa_supplicant/README |
parent | 34dbcde8dfa5b3d152d250b6d69965e001238e49 (diff) |
Import of WPA supplicant 0.4.8
Diffstat (limited to 'contrib/wpa_supplicant/README')
-rw-r--r-- | contrib/wpa_supplicant/README | 209
1 files changed, 135 insertions, 74 deletions
diff --git a/contrib/wpa_supplicant/README b/contrib/wpa_supplicant/README index bab25d5..831756b 100644 --- a/contrib/wpa_supplicant/README +++ b/contrib/wpa_supplicant/README @@ -1,7 +1,7 @@ WPA Supplicant ============== -Copyright (c) 2003-2005, Jouni Malinen <jkmaline@cc.hut.fi> and +Copyright (c) 2003-2006, Jouni Malinen <jkmaline@cc.hut.fi> and contributors All Rights Reserved. @@ -89,6 +89,7 @@ Supported WPA/IEEE 802.11i features: * EAP-SIM * EAP-AKA * EAP-PSK + * EAP-PAX * LEAP (note: requires special support from the driver for IEEE 802.11 authentication) (following methods are supported, but since they do not generate keying @@ -97,8 +98,6 @@ Supported WPA/IEEE 802.11i features: * EAP-MSCHAPv2 * EAP-GTC * EAP-OTP - Alternatively, an external program, e.g., Xsupplicant, can be used for EAP - authentication. - key management for CCMP, TKIP, WEP104, WEP40 - RSN/WPA2 (IEEE 802.11i) * pre-authentication @@ -112,6 +111,7 @@ Requirements Current hardware/software requirements: - Linux kernel 2.4.x or 2.6.x with Linux Wireless Extensions v15 or newer - FreeBSD 6-CURRENT +- NetBSD-current - Microsoft Windows with WinPcap (at least WinXP, may work with other versions) - drivers: Host AP driver for Prism2/2.5/3 (development snapshot/v0.2.x) @@ -164,8 +164,10 @@ Current hardware/software requirements: used with IEEE 802.1X (i.e., not WPA) when using ap_scan=0 option in configuration file. + Wired Ethernet drivers (with ap_scan=0) + BSD net80211 layer (e.g., Atheros driver) - At the moment, this is for FreeBSD 6-CURRENT branch. + At the moment, this is for FreeBSD 6-CURRENT branch and NetBSD-current. Windows NDIS The current Windows port requires WinPcap (http://winpcap.polito.it/). 
@@ -173,7 +175,8 @@ Current hardware/software requirements: wpa_supplicant was designed to be portable for different drivers and operating systems. Hopefully, support for more wlan cards and OSes will be -added in the future. See developer.txt for more information about the +added in the future. See developer's documentation +(http://hostap.epitest.fi/wpa_supplicant/devel/) for more information about the design of wpa_supplicant and porting to other drivers. One main goal is to add full WPA/WPA2 support to Linux wireless extensions to allow new drivers to be supported without having to implement new @@ -221,8 +224,7 @@ networks that require some kind of security. Task group I (Security) of IEEE 802.11 working group (http://www.ieee802.org/11/) has worked to address the flaws of the base standard and has in practice completed its work in May 2004. The IEEE 802.11i amendment to the IEEE -802.11 standard was approved in June 2004 and this amendment is likely -to be published in July 2004. +802.11 standard was approved in June 2004 and published in July 2004. Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the IEEE 802.11i work (draft 3.0) to define a subset of the security @@ -277,14 +279,6 @@ robust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC) to replace TKIP and optimizations for handoff (reduced number of messages in initial key handshake, pre-authentication, and PMKSA caching). -Some wireless LAN vendors are already providing support for CCMP in -their WPA products. There is no "official" interoperability -certification for CCMP and/or mixed modes using both TKIP and CCMP, so -some interoperability issues can be expected even though many -combinations seem to be working with equipment from different vendors. -Certification for WPA2 is likely to start during the second half of -2004. - wpa_supplicant 
@@ -307,9 +301,9 @@ Following steps are used when associating with an AP using WPA: - wpa_supplicant selects a BSS based on its configuration - wpa_supplicant requests the kernel driver to associate with the chosen BSS -- If WPA-EAP: integrated IEEE 802.1X Supplicant or external Xsupplicant - completes EAP authentication with the authentication server (proxied - by the Authenticator in the AP) +- If WPA-EAP: integrated IEEE 802.1X Supplicant completes EAP + authentication with the authentication server (proxied by the + Authenticator in the AP) - If WPA-EAP: master key is received from the IEEE 802.1X Supplicant - If WPA-PSK: wpa_supplicant uses PSK as the master session key - wpa_supplicant completes WPA 4-Way Handshake and Group Key Handshake @@ -352,6 +346,7 @@ CONFIG_EAP_OTP=y CONFIG_EAP_SIM=y CONFIG_EAP_AKA=y CONFIG_EAP_PSK=y +CONFIG_EAP_PAX=y CONFIG_EAP_LEAP=y Following option can be used to include GSM SIM/USIM interface for GSM/UMTS @@ -366,13 +361,12 @@ interface with libpcap/libdnet. CONFIG_DNET_PCAP=y Following options can be added to .config to select which driver -interfaces are included. Prism54.org driver is not yet complete and -Hermes driver interface needs to be downloaded from Agere (see above). -Most Linux driver need to include CONFIG_WIRELESS_EXTENSION. +interfaces are included. Hermes driver interface needs to be downloaded +from Agere (see above). CONFIG_WIRELESS_EXTENSION will be used +automatically if any of the selected drivers need it. CONFIG_WIRELESS_EXTENSION=y CONFIG_DRIVER_HOSTAP=y -CONFIG_DRIVER_PRISM54=y CONFIG_DRIVER_HERMES=y CONFIG_DRIVER_MADWIFI=y CONFIG_DRIVER_ATMEL=y @@ -387,7 +381,6 @@ Following example includes all features and driver interfaces that are included in the wpa_supplicant package: CONFIG_DRIVER_HOSTAP=y -CONFIG_DRIVER_PRISM54=y CONFIG_DRIVER_HERMES=y CONFIG_DRIVER_MADWIFI=y CONFIG_DRIVER_ATMEL=y 
@@ -409,6 +402,7 @@ CONFIG_EAP_OTP=y CONFIG_EAP_SIM=y CONFIG_EAP_AKA=y CONFIG_EAP_PSK=y +CONFIG_EAP_PAX=y CONFIG_EAP_LEAP=y CONFIG_PCSC=y @@ -463,8 +457,6 @@ options: -d = increase debugging verbosity (-dd even more) -K = include keys (passwords, etc.) in debug output -t = include timestamp in debug messages - -e = use external IEEE 802.1X Supplicant (e.g., xsupplicant) - (this disables the internal Supplicant) -h = show this help text -L = show license (GPL and BSD) -q = decrease debugging verbosity (-qq even less) @@ -475,8 +467,6 @@ options: drivers: hostap = Host AP driver (Intersil Prism2/2.5/3) [default] (this can also be used with Linuxant DriverLoader) - prism54 = Prism54.org driver (Intersil Prism GT/Duette/Indigo) - not yet fully implemented hermes = Agere Systems Inc. driver (Hermes-I/Hermes-II) madwifi = MADWIFI 802.11 support (Atheros, etc.) atmel = ATMEL AT76C5XXx (USB, PCMCIA) @@ -484,6 +474,7 @@ drivers: ndiswrapper = Linux ndiswrapper broadcom = Broadcom wl.o driver ipw = Intel ipw2100/2200 driver + wired = wpa_supplicant wired Ethernet driver bsd = BSD 802.11 support (Atheros, etc.) ndis = Windows NDIS driver @@ -647,6 +638,21 @@ network={ } +6) Authentication for wired Ethernet. This can be used with 'wired' interface + (-Dwired on command line). + +ctrl_interface=/var/run/wpa_supplicant +ctrl_interface_group=wheel +ap_scan=0 +network={ + key_mgmt=IEEE8021X + eap=MD5 + identity="user" + password="password" + eapol_flags=0 +} + + Certificates ------------ 
@@ -681,7 +687,7 @@ wpa_supplicant. It is used to query current status, change configuration, trigger events, and request interactive user input. wpa_cli can show the current authentication status, selected security -mode, dot11 and dot1x MIBs, etc. In addition, it can configuring some +mode, dot11 and dot1x MIBs, etc. In addition, it can configure some variables like EAPOL state machine parameters and trigger events like reassociation and IEEE 802.1X logoff/logon. wpa_cli provides a user interface to request authentication information, like username and 
@@ -757,11 +763,83 @@ wpa_cli commands preauthenticate <BSSID> = force preauthentication identity <network id> <identity> = configure identity for an SSID password <network id> <password> = configure password for an SSID + pin <network id> <pin> = configure pin for an SSID otp <network id> <password> = configure one-time-password for an SSID + passphrase <network id> <passphrase> = configure private key passphrase + for an SSID + bssid <network id> <BSSID> = set preferred BSSID for an SSID + list_networks = list configured networks + select_network <network id> = select a network (disable others) + enable_network <network id> = enable a network + disable_network <network id> = disable a network + add_network = add a network + remove_network <network id> = remove a network + set_network <network id> <variable> <value> = set network variables (shows + list of variables when run without arguments) + get_network <network id> <variable> = get network variables + save_config = save the current configuration + disconnect = disconnect and wait for reassociate command before connecting + scan = request new BSS scan + scan_results = get latest scan results + get_capability <eap/pairwise/group/key_mgmt/proto/auth_alg> = get capabilies terminate = terminate wpa_supplicant quit = exit wpa_cli +wpa_cli command line options + +wpa_cli [-p<path to ctrl sockets>] [-i<ifname>] [-hvB] [-a<action file>] \ + [-P<pid file>] [-g<global ctrl>] [command..] + -h = help (show this usage text) + -v = shown version information + -a = run in daemon mode executing the action file based on events from + wpa_supplicant + -B = run a daemon in the background + default path: /var/run/wpa_supplicant + default interface: first interface found in socket path + + +Using wpa_cli to run external program on connect/disconnect +----------------------------------------------------------- + +wpa_cli can used to run external programs whenever wpa_supplicant +connects or disconnects from a network. 
This can be used, e.g., to +update network configuration and/or trigget DHCP client to update IP +addresses, etc. + +One wpa_cli process in "action" mode needs to be started for each +interface. For example, the following command starts wpa_cli for the +default ingterface (-i can be used to select the interface in case of +more than one interface being used at the same time): + +wpa_cli -a/sbin/wpa_action.sh -B + +The action file (-a option, /sbin/wpa_action.sh in this example) will +be executed whenever wpa_supplicant completes authentication (connect +event) or detects disconnection). The action script will be called +with two command line arguments: interface name and event (CONNECTED +or DISCONNECTED). If the action script needs to get more information +about the current network, it can use 'wpa_cli status' to query +wpa_supplicant for more information. + +Following example can be used as a simple template for an action +script: + +#!/bin/sh + +IFNAME=$1 +CMD=$2 + +if [ "$CMD" == "CONNECTED" ]; then + SSID=`wpa_cli -i$IFNAME status | grep ^ssid= | cut -f2- -d=` + # configure network, signal DHCP client, etc. +fi + +if [ "$CMD" == "DISCONNECTED" ]; then + # remove network configuration, if needed +fi + + Integrating with pcmcia-cs/cardmgr scripts ------------------------------------------ 
@@ -804,55 +882,38 @@ started--and will then negotiate keys with the AP. -Optional integration with Xsupplicant -------------------------------------- - -wpa_supplicant has an integrated IEEE 802.1X Supplicant that supports -most commonly used EAP methods. In addition, wpa_supplicant has an -experimental interface for integrating it with Xsupplicant -(http://www.open1x.org/) for the WPA with EAP authentication. - -When using WPA-EAP, both wpa_supplicant and Xsupplicant must be -configured with the network security policy. See Xsupplicant documents -for information about its configuration. Please also note, that a new -command line option -W (enable WPA) must be used when starting -xsupplicant. - -Example configuration for xsupplicant: - -network_list = all -default_netname = jkm - -jkm -{ - type = wireless - allow_types = eap_peap - identity = <BEGIN_ID>jkm<END_ID> - eap-peap { - random_file = /dev/urandom - root_cert = /home/jkm/CA.pem - chunk_size = 1398 - allow_types = eap_mschapv2 - eap-mschapv2 { - username = <BEGIN_UNAME>jkm<END_UNAME> - password = <BEGIN_PASS>jkm<END_PASS> - } - } -} +Dynamic interface add and operation without configuration files +--------------------------------------------------------------- +wpa_supplicant can be started without any configuration files or +network interfaces. When used in this way, a global (i.e., per +wpa_supplicant process) control interface is used to add and remove +network interfaces. Each network interface can then be configured +through a per-network interface control interface. 
For example, +following commands show how to start wpa_supplicant without any +network interfaces and then add a network interface and configure a +network (SSID): -Example configuration for wpa_supplicant: +# Start wpa_supplicant in the background +wpa_supplicant -g/var/run/wpa_supplicant-global -B -network={ - ssid="jkm" - key_mgmt=WPA-EAP -} +# Add a new interface (wlan0, no configuration file, driver=wext, and +# enable control interface) +wpa_cli -g/var/run/wpa_supplicant-global interface_add wlan0 \ + "" wext /var/run/wpa_supplicant +# Configure a network using the newly added network interface: +wpa_cli -iwlan0 add_network +wpa_cli -iwlan0 set_network 0 ssid '"test"' +wpa_cli -iwlan0 set_network 0 key_mgmt WPA-PSK +wpa_cli -iwlan0 set_network 0 psk '"12345678"' +wpa_cli -iwlan0 set_network 0 pairwise TKIP +wpa_cli -iwlan0 set_network 0 group TKIP +wpa_cli -iwlan0 set_network 0 proto WPA +wpa_cli -iwlan0 enable_network 0 -Both wpa_supplicant and xsupplicant need to be started. Please remember -to add '-W' option for xsupplicant in order to provide keying material -for wpa_supplicant and '-e' option for wpa_supplicant to disable internal -IEEE 802.1X implementation. +# At this point, the new network interface should start trying to associate +# with the WPA-PSK network using SSID test. -wpa_supplicant -iwlan0 -cwpa_supplicant.conf -e -xsupplicant -iwlan0 -cxsupplicant.conf -W +# Remove network interface +wpa_cli -g/var/run/wpa_supplicant-global interface_remove wlan0 |