WPA2 / 802.11i WLAN
So you have installed OpenBSD on your system, presumably because you are interested in its high security, although maybe because you would like an operating system that runs more efficiently on low-end hardware than Linux does while still providing a rich and powerful user environment. See my page on installing and running OpenBSD on a Dell laptop for details on getting the operating system into place.
Now you would like to make a wireless network connection, and since you're probably interested in OpenBSD's high security, you would like for the wireless connection to be appropriately secure.
802 LAN refers to the family of local-area network standards produced by the IEEE 802 project, which started in February 1980. The number is often read as 1980, February, although the IEEE itself says 802 was simply the next project number available.
802.11 refers to the standards produced by working group 11 of that project, wireless LANs in the microwave bands, or "Wi-Fi" as they're generally called.
802.11a, 802.11b, 802.11g, and so on refer to specific frequency bands — 2.4 GHz for 802.11b, 802.11g and 802.11n, 5 GHz for 802.11a and also 802.11n — and signalling standards: DSSS with CCK for 802.11b, OFDM (with BPSK, QPSK, 16-QAM or 64-QAM depending on the data rate) for 802.11a and 802.11g, and OFDM with MIMO and optional 40 MHz channels for 802.11n. See my page with WLAN specifications if you want to see more.
WEP is an early attempt at securing wireless LAN connections. Its use of RC4 with short, reused initialization vectors is so badly broken that the key can be recovered from a few minutes of passively captured traffic, so it should not be relied upon.
WEP2 and WPA were interim measures. WPA's TKIP patched WEP's worst flaws but kept RC4 and has weaknesses of its own, so they also should be avoided.
WPA2, the Wi-Fi Alliance's name for the IEEE 802.11i amendment, is the best available standard for wireless security. WPA2 uses:
AES (Advanced Encryption Standard) in CCMP mode. That's Counter Mode with CBC-MAC, or in full, Counter Mode Cipher Block Chaining Message Authentication Code Protocol: counter mode encrypts each frame and CBC-MAC authenticates it, under the same 128-bit key. The short version is that AES-CCMP is the best known way to do it, so that's what WPA2 does!
Short-term session keys that are derived automatically. Both sides start from a 256-bit Pairwise Master Key (PMK). In a four-message EAPOL-Key exchange, the "4-way handshake", the access point and the client each contribute a fresh random nonce, and from the PMK, the two nonces and the two MAC addresses each side derives the same Pairwise Transient Key (PTK) for this association. The PTK is split into a key that authenticates the handshake messages themselves (the KCK), a key that wraps the group key (the KEK), and the temporal key that CCMP actually uses for data frames. A Group Temporal Key (GTK) for broadcast and multicast traffic is delivered inside the handshake, wrapped under the KEK. Either side can force a rekey after enough time or enough traffic has passed, by running the handshake again.
Note that there is no Diffie-Hellman exchange here: all session keys are derived deterministically from the PMK and values sent in the clear, so anyone who knows the PMK and captures the handshake can compute the session keys. TKIP, the RC4-based cipher of the interim WPA standard, is still permitted by 802.11i for backwards compatibility, but it is not what WPA2 is for; configure CCMP only wherever you can.
WPA2 with PSK (Pre-Shared Key), also called WPA2-Personal, derives the PMK from a passphrase and the SSID, so every station on the network shares the same fixed master key, which you must configure manually. The cipher is still AES-CCMP and the per-association session keys still change; only the master key is fixed.
WPA2-Enterprise refers to WPA2 with 802.1X authentication against a RADIUS server. Each client authenticates with an EAP method, typically digital certificates (EAP-TLS) or per-user credentials inside a TLS tunnel (PEAP, EAP-TTLS), and the RADIUS server hands the access point a fresh PMK for each session, so there is no shared secret that one careless user can leak. WPA2-Enterprise is the best choice for organizations with the infrastructure, including the network engineering skill, to maintain a RADIUS server.
Kernel Drivers and WPA2 on OpenBSD
You must use a wireless card for which WPA2 is supported both by the hardware and by the OpenBSD kernel driver. That means you need to figure out which kernel driver handles the card. This is not nearly as hard as it sounds!
First, look at the end of the kernel ring buffer so you know what is already there:
% dmesg | tail
Next, simply plug in the wireless card and look again to see what has been appended:
% dmesg | tail
You should see two lines or so where the appropriate kernel driver reports detecting the new hardware. You are looking for something like this:
xyz0 at cardbus0 ....
Here xyz is the name of the kernel driver, and xyz0 is the interface name you will use with ifconfig.
For the two wireless cards that I own, I see this:
Netgear MA521 802.11b:
rtw0 at cardbus0 dev 0 function 0 "Realtek 8180" rev 0x20: irq 268505353
rtw0: ver RTL8180F, radio SA2400A, amp SA2411, address 00:09:5b:8e:3a:87
Linksys MPC55AG (ver 1.1) 802.11a + 802.11b + 802.11g:
ath0 at cardbus0 dev 0 function 0 "Atheros AR5212" rev 0x01: irq 268505353
ath0: AR5213 5.6 phy 4.1 rf5112a 3.6, FCC1A, address 00:0f:66:1a:0f:81
So, the Netgear MA521 card was recognized as device rtw0, and therefore the rtw driver recognized it. The manual page, rtw(4), says that this driver supports the Realtek RTL8180L chipset and provides a list of cards known to be based on it. Unfortunately, the rtw driver does not support WPA2, presumably because the manufacturer has not provided the needed details to the open source community. It does support WEP, but as the manual page warns:
It is strongly recommended that WEP not be used as the sole mechanism to secure wireless communication, due to serious weaknesses in it.
The Linksys MPC55AG was recognized as ath0. The ath(4) manual page indicates that this driver supports the Atheros AR5210, AR5211, and AR5212 chips. Cards using those chips include the IBM 11ABG WL LAN, the Proxim Skyline 4030 and 4032, and the Sony PCWA-C500, among many others. And WPA2 is supported by the ath driver!
Atheros has cooperated with the open source community, which in turn helps Atheros sell hardware, since the community writes drivers of interest to security-conscious administrators. See Atheros' site for an up-to-date list of products using these chips.
Configuring an Atheros WLAN card for WPA2 from the command line
First, find the network ID (or Service Set Identifier, SSID) and the passphrase. You can find the network ID by scanning for nearby networks with ifconfig, but you will have to get the passphrase from whoever runs the network. Note that both the passphrase and the network ID are case sensitive!
For the sake of this example let's assume:
Network ID = my_net
Passphrase = my_passphrase
Run the following command to join the network. Notice that those are backquotes for command substitution: the shell runs the inner command first and pastes its output into the outer one.
# ifconfig ath0 nwid my_net wpa wpapsk `wpa-psk my_net my_passphrase`
What's going on here? Let's take it one step at a time. First, run that embedded wpa-psk command by itself:
# wpa-psk my_net my_passphrase
0x0aad103e71babddd8ab549fb97d76e9fe515485d9e492273387cb8d397c6e178
That big and random-looking string is a 256-bit pre-shared key derived from the SSID and the passphrase. The SSID must be from 1 to 32 octets, and the passphrase must be a sequence of 8 to 63 printable ASCII characters. The wpa-psk command applies the Password-Based Key Derivation Function 2 (PBKDF2) with HMAC-SHA1 as the underlying function: the SSID is the salt, the passphrase is run through 4096 iterations, and the first 256 bits of output are the key. This is the Pairwise Master Key from which the 4-way handshake derives the session keys.
Two caveats follow from that construction. Because the salt is the SSID, anyone can precompute keys for common network names and common passphrases in advance. And because 4096 iterations of SHA-1 is cheap on modern hardware, anyone who captures a single 4-way handshake can test passphrase guesses offline at high speed. Choose a long, unpredictable passphrase and an uncommon SSID.
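As an added worked example, not code from the original page or from OpenBSD, here is the WPA2-PSK key hierarchy described in the two passages above re-implemented in Python: the PBKDF2 derivation that wpa-psk(8) performs, the 4-way handshake's PTK derivation from the PMK, and the offline passphrase-guessing check that a captured handshake makes possible. The PSK test vector is the one published in IEEE 802.11i Annex H.4; the MAC addresses, nonces and EAPOL frame bytes are constructed stand-ins for the demonstration, not a real capture.

```python
"""WPA2-PSK key hierarchy: passphrase -> PMK -> PTK, plus an offline guess check.

Added example; re-implements what wpa-psk(8) and the 802.11i 4-way handshake
compute. MAC addresses, nonces and the EAPOL frame are constructed test data.
"""
import hashlib
import hmac


def wpa_psk(ssid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This is the value `wpa-psk my_net my_passphrase` prints as 0x plus 64 hex digits."""
    ssid_octets = ssid.encode("utf-8")
    if not 1 <= len(ssid_octets) <= 32:
        raise ValueError("SSID must be 1 to 32 octets")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_octets, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    For CCMP the 48 bytes split into KCK (handshake MIC key), KEK (wraps the GTK)
    and TK (the 128-bit key CCMP uses on data frames)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key MIC of an RSN (WPA2/CCMP) EAPOL-Key frame: HMAC-SHA1 under the KCK over the
    whole EAPOL frame with its 16-byte MIC field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def guess_passphrase(ssid, candidates, aa, spa, anonce, snonce, frame_mic_zeroed, captured_mic):
    """Offline check of passphrase guesses against one captured handshake message.
    Everything needed (MACs, nonces, the frame, its MIC) travels in the clear; the only
    per-guess cost is the 4096-round PBKDF2, which is why short passphrases are weak."""
    for guess in candidates:
        try:
            pmk = wpa_psk(ssid, guess)
        except ValueError:       # guess outside the 8..63 printable-ASCII rule
            continue
        kck = derive_ptk(pmk, aa, spa, anonce, snonce)["kck"]
        if hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), captured_mic):
            return guess
    return None


# Constructed demonstration data (not a real capture): locally administered MACs,
# deterministic "nonces", and a stand-in for handshake message 2 with its MIC zeroed.
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
FRAME_MIC_ZEROED = b"\x02\x03\x00\x75\x02\x01\x0a" + b"\x00" * 110


def demo() -> dict:
    pmk = wpa_psk("my_net", "my_passphrase")            # what the wpa-psk command above computes
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic = eapol_mic(keys["kck"], FRAME_MIC_ZEROED)       # what the station would send in message 2
    recovered = guess_passphrase("my_net", ["password", "letmein1", "my_passphrase"],
                                 AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME_MIC_ZEROED, mic)
    return {"pmk": pmk.hex(), "tk": keys["tk"].hex(), "recovered": recovered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the PMK for my_net / my_passphrase, the CCMP temporal key for the constructed association, and shows the guessing loop recovering the passphrase from the handshake MIC alone. Note that derive_ptk sorts the addresses and nonces, so the access point and the station reach the same PTK regardless of which side calls itself first.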
If the passphrase contains any special characters (white space, or most any punctuation mark), the passphrase should be hidden from the shell with appropriate quoting or escape characters. The third and fourth examples show that there are multiple ways of accomplishing the same thing:
# wpa-psk my_net "Peter O'Toole"
0xb2b2f82ed6a7f1ebbf42cc1e26b257d16c1fe9b9431e98395d47d37628cffdfa
# wpa-psk my_net 'Say "Cheese!"'
0x50a6d3adb18726fb6f7f340d35ae4786f31ee8ad148522f4378f0fdb7581a892
# wpa-psk my_net Peter\ O\'Toole\ says\ \"Cheese\!\"
0xea2d7af57f4475016cd914362394e913299ae585f8c30e8fe238746f5e84b04f
# wpa-psk my_net "Peter O'Toole says "'"Cheese!"'
0xea2d7af57f4475016cd914362394e913299ae585f8c30e8fe238746f5e84b04f
So, going back to our simple example, the part within the backquotes executes first. Its output replaces the backquoted string, so it is as if you had really typed:
# ifconfig ath0 nwid my_net wpa wpapsk 0x0aad103e71babddd8ab549fb97d76e9fe515485d9e492273387cb8d397c6e178
You could add inet, an IP address and a netmask to assign a static address. However, a notebook with a WLAN card usually means DHCP, and you don't want to fuss too much with the details, so:
Configuring an Atheros WLAN card for automated boot with DHCP
You need a file named /etc/hostname.if, where if is replaced with the interface name. So, my example file /etc/hostname.ath0 will be used to configure interface ath0 when the network configuration script /etc/netstart runs at boot. Put something like the following in that file:
dhcp nwid my_net wpakey my_passphrase
The nwid must come before wpakey, because the key is derived from the network ID as shown above. If you need to specify any other parameters, you can do so on the same line:
dhcp chan 1 nwid my_net wpakey my_passphrase
Since this file holds the passphrase in clear text, keep it readable only by root: owner root, group wheel, mode 0640.
Figuring this out
It's pretty straightforward — just read the relevant manual page for the WLAN card kernel driver. But why did I first have to figure this out?
After a lot of traveling with no trouble getting wireless networking up and running, either with DHCP and no authentication at all (the wide-open wireless networking in most hotels catering to business travelers, coffee shops, and so on) or with the very weak WEP security, I ran into a network where I could not simply bring up the interface that way.
Hey, this was a system that very casually required the much higher security of WPA2! Good for them! Where was this?
At the Hilltop Hostel in Washington D.C.
That's right — travelers from major corporations and supposedly security conscious government agencies stay at hotels and recklessly use the wide-open cleartext wireless. I know because I have run tools like Kismet and Wireshark while staying at those hotels (and being careful to do nothing myself except through an SSH or SSL tunnel).
But a hippie crash-pad where you pay $20 a night for a bed in a shared room uses WPA2. Good for the Hilltop, too bad for the rest.
Why do the hotels catering to business travelers have poor network security? Because those hotels are in business to make money. And network security would frustrate the usually clueless business traveler, who would conclude that the network doesn't work and stay somewhere else the next time.