From: Giorgos Keramidas
To: "Murray Stokely"
Cc: freebsd-doc@freebsd.org
Subject: Re: [PATCH] Adding elements to wlan Handbook section
Date: Fri, 12 Dec 2008 08:59:02 +0200
Message-ID: <87y6ylg9qh.fsf@kobe.laptop>
In-Reply-To: <87k5a63z2d.fsf@kobe.laptop> (Giorgos Keramidas's message of "Fri, 12 Dec 2008 04:30:18 +0200")
References: <871vwfn418.fsf@kobe.laptop> <2a7894eb0812101310v2123a452q26b0e07630e7f209@mail.gmail.com> <878wqnafso.fsf@kobe.laptop> <2a7894eb0812101322o77b12fc9k8208f83d62481ad3@mail.gmail.com> <87k5a63z2d.fsf@kobe.laptop>

On Fri, 12 Dec 2008 04:30:18 +0200, Giorgos Keramidas wrote:
> On Wed, 10 Dec 2008 13:22:57 -0800, "Murray Stokely" wrote:
>> In that case this looks great to me. I agree with Manolis that adding
>> the role="definition" for the first instance of each acronym is
>> helpful. I really thought we were already doing this in parts of the
>> Handbook, but I may be misremembering.
>
> I started adding a role="" at the first instance of each WLAN-specific
> acronym and I noticed that I was typing the same expansions again and
> again all over the place. This is a bit error prone, so it seemed more
> natural to add a ``set of "standard" acronym expansions''.
>
> Does something like this look useful for other sorts of acronyms too?
Here is the full patch, including the role="" attributes for the wireless networking section. If there are no serious objections, I'll commit this in 1-2 days :) %%% diff -r 1649440b3588 -r 56b69b866c6f en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml --- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml Fri Dec 12 06:06:03 2008 +0000 +++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml Fri Dec 12 08:37:20 2008 +0200 @@ -21,7 +21,7 @@ - How to set up IEEE 802.11 and &bluetooth; devices. + How to set up IEEE 802.11 and &bluetooth; devices. @@ -700,7 +700,8 @@ Wireless Networking Basics - Most wireless networks are based on the IEEE 802.11 + Most wireless networks are based on + the IEEE 802.11 standards. A basic wireless network consists of multiple stations communicating with radios that broadcast in either the 2.4GHz or 5GHz band (though this varies according to the 
@@ -710,19 +711,19 @@ 802.11 networks are organized in two ways: in infrastructure mode one station acts as a master with all the other stations associating to it; the - network is known as a BSS and the master station is termed an - access point (AP). In a BSS all communication passes through - the AP; even when one station wants to communicate with - another wireless station messages must go through the AP. In + network is known as a BSS and the master station is termed an + access point (AP). In a BSS all communication passes through + the AP; even when one station wants to communicate with + another wireless station messages must go through the AP. In the second form of network there is no master and stations - communicate directly. This form of network is termed an IBSS + communicate directly. This form of network is termed an IBSS and is commonly known as an ad-hoc network. 802.11 networks were first deployed in the 2.4GHz band - using protocols defined by the IEEE 802.11 and 802.11b + using protocols defined by the IEEE 802.11 and 802.11b standard. These specifications include the operating - frequencies, MAC layer characteristics including framing and + frequencies, MAC layer characteristics including framing and transmission rates (communication can be done at various rates). Later the 802.11a standard defined operation in the 5GHz band, including different signalling mechanisms and 
@@ -734,51 +735,52 @@ Separate from the underlying transmission techniques 802.11 networks have a variety of security mechanisms. The original 802.11 specifications defined a simple security - protocol called WEP. This protocol uses a fixed pre-shared key + protocol called WEP. This protocol uses a fixed pre-shared key and the RC4 cryptographic cipher to encode data transmitted on a network. Stations must all agree on the fixed key in order to communicate. This scheme was shown to be easily broken and is now rarely used except to discourage transient users from joining networks. Current security practice is given by the - IEEE 802.11i specification that defines new cryptographic + IEEE 802.11i specification that defines new cryptographic ciphers and an additional protocol to authenticate stations to an access point and exchange keys for doing data communication. Further, cryptographic keys are periodically refreshed and there are mechanisms for detecting intrusion attempts (and for countering intrusion attempts). Another security protocol specification commonly used in wireless - networks is termed WPA. This was a precursor to 802.11i + networks is termed WPA. This was a precursor to 802.11i defined by an industry group as an interim measure while - waiting for 802.11i to be ratified. WPA specifies a subset of + waiting for 802.11i to be ratified. WPA specifies a subset of the requirements found in 802.11i and is designed for - implementation on legacy hardware. Specifically WPA requires - only the TKIP cipher that is derived from the original WEP - cipher. 802.11i permits use of TKIP but also requires support - for a stronger cipher, AES-CCM, for encrypting data. (The AES - cipher was not required in WPA because it was deemed too + implementation on legacy hardware. Specifically WPA requires + only the TKIP cipher that is derived from the original WEP + cipher. 
802.11i permits use of TKIP but also requires support + for a stronger cipher, AES-CCM, for encrypting data. (The AES + cipher was not required in WPA because it was deemed too computationally costly to be implemented on legacy hardware.) Other than the above protocol standards the other important standard to be aware of is 802.11e. This defines protocols for deploying multi-media applications such as - streaming video and voice over IP (VoIP) in an 802.11 network. + streaming video and voice over IP (VoIP) in an 802.11 network. Like 802.11i, 802.11e also has a precursor specification - termed WME (later renamed WMM) that has been defined by an + termed WME + (later renamed WMM) that has been defined by an industry group as a subset of 802.11e that can be deployed now to enable multi-media applications while waiting for the final ratification of 802.11e. The most important thing to know - about 802.11e and WME/WMM is that it enables prioritized + about 802.11e and WME/WMM is that it enables prioritized traffic use of a wireless network through Quality of Service (QoS) protocols and enhanced media access protocols. Proper implementation of these protocols enable high speed bursting of data and prioritized traffic flow. Since the 6.0 version, &os; supports networks that operate - using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i + using 802.11a, 802.11b, and 802.11g. The WPA and 802.11i security protocols are likewise supported (in conjunction with any of 11a, 11b, and 11g) and QoS and traffic prioritization - required by the WME/WMM protocols are supported for a limited + required by the WME/WMM protocols are supported for a limited set of wireless devices. 
@@ -901,10 +903,10 @@ Infrastructure Mode - The infrastructure mode or BSS mode is the mode that is + The infrastructure mode or BSS mode is the mode that is typically used. In this mode, a number of wireless access points are connected to a wired network. Each wireless - network has its own name, this name is called the SSID of the + network has its own name, this name is called the SSID of the network. Wireless clients connect to the wireless access points. @@ -935,7 +937,7 @@ The output of a scan request lists each BSS/IBSS network found. Beside the name of the network, SSID, we find the - BSSID which is the MAC address of the + BSSID which is the MAC address of the access point. The CAPS field identifies the type of each network and the capabilities of the stations operating there: @@ -945,9 +947,9 @@ E - Extended Service Set (ESS). Indicates that the + Extended Service Set (ESS). Indicates that the station is part of an infrastructure network (in - contrast to an IBSS/ad-hoc network). + contrast to an IBSS/ad-hoc network). @@ -955,8 +957,8 @@ I - IBSS/ad-hoc network. Indicates that the station - is part of an ad-hoc network (in contrast to an ESS + IBSS/ad-hoc network. Indicates that the station + is part of an ad-hoc network (in contrast to an ESS network). @@ -966,10 +968,12 @@ Privacy. Data confidentiality is required for - all data frames exchanged within the BSS. This means - that this BSS requires the station to use - cryptographic means such as WEP, TKIP or AES-CCMP to - encrypt/decrypt data frames being exchanged with + all data frames exchanged within the BSS. This means + that this BSS requires the station to use + cryptographic means such as WEP, + TKIP or + AES-CCMP + to encrypt/decrypt data frames being exchanged with others. 
@@ -1037,16 +1041,17 @@ If there are multiple access points and you want to select a specific one, you can select it by its - SSID: + SSID: ifconfig_ath0="ssid your_ssid_here DHCP" In an environment where there are multiple access - points with the same SSID (often done to simplify + points with the same SSID (often done to simplify roaming) it may be necessary to associate to one specific device. In this case you can also specify the - BSSID of the access point (you can also leave off the - SSID): + BSSID + of the access point (you can also leave off the + SSID): ifconfig_ath0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP" @@ -1084,16 +1089,20 @@ Other schemes require cryptographic handshakes be completed before data traffic can flow; either using pre-shared keys or secrets, or more complex schemes that - involve backend services such as RADIUS. Most users + involve backend services such as + RADIUS. + Most users will use open authentication which is the default - setting. Next most common setup is WPA-PSK, also known - as WPA Personal, which is described WPA-PSK, + also known + as WPA Personal, which is described below. If you have an &apple; &airport; Extreme base station for an access point you may need to configure - shared-key authentication together with a WEP key. + shared-key authentication together with a WEP key. This can be done in the /etc/rc.conf file or using the &man.wpa.supplicant.8; program. If you have a single 
@@ -1103,12 +1112,12 @@ ifconfig_ath0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP" In general shared key authentication is to be - avoided because it uses the WEP key material in a + avoided because it uses the WEP key material in a highly-constrained manner making it even easier to - crack the key. If WEP must be used (e.g., for + crack the key. If WEP must be used (e.g., for compatibility with legacy devices) it is better to use - WEP with open authentication. More - information regarding WEP can be found in the WEP with open authentication. More + information regarding WEP can be found in the . @@ -1119,7 +1128,7 @@ Once you have selected an access point and set the authentication parameters, you will have to get an IP address to communicate. Most of time you will obtain - your wireless IP address via DHCP. To achieve that, + your wireless IP address via DHCP. To achieve that, simply edit /etc/rc.conf and add DHCP to the configuration for your device as shown in various examples above: @@ -1149,7 +1158,7 @@ are connected to the wireless network (to the dlinkap network in our case). The bssid 00:13:46:49:41:76 part is the - MAC address of your access point; the + MAC address of your access point; the authmode line informs you that the communication is not encrypted (OPEN). @@ -1159,7 +1168,8 @@ Static IP Address In the case you cannot obtain an IP address from a - DHCP server, you can set a fixed IP address. Replace + DHCP + server, you can set a fixed IP address. Replace the DHCP keyword shown above with the address information. Be sure to retain any other parameters you have set up for selecting an access 
@@ -1172,34 +1182,37 @@ WPA - WPA (Wi-Fi Protected Access) is a security protocol + WPA (Wi-Fi Protected Access) is a security protocol used together with 802.11 networks to address the lack of - proper authentication and the weakness of WEP. WPA leverages + proper authentication and the weakness of + WEP. + WPA leverages the 802.1X authentication protocol and uses one of several - ciphers instead of WEP for data integrity. The only - cipher required by WPA is TKIP (Temporary Key Integrity + ciphers instead of WEP for data integrity. The only + cipher required by WPA is TKIP (Temporary Key Integrity Protocol) which is a cipher that extends the basic RC4 - cipher used by WEP by adding integrity checking, tamper + cipher used by WEP by adding integrity checking, tamper detection, and measures for responding to any detected - intrusions. TKIP is designed to work on legacy hardware + intrusions. TKIP is designed to work on legacy hardware with only software modification; it represents a compromise that improves security but is still not - entirely immune to attack. WPA also specifies the - AES-CCMP cipher as an alternative to TKIP and that is + entirely immune to attack. WPA also specifies the + AES-CCMP + cipher as an alternative to TKIP and that is preferred when possible; for this specification the term - WPA2 (or RSN) is commonly used. - - WPA defines authentication and encryption protocols. + WPA2 (or RSN) is commonly used. + + WPA defines authentication and encryption protocols. Authentication is most commonly done using one of two techniques: by 802.1X and a backend authentication service - such as RADIUS, or by a minimal handshake between the + such as RADIUS, + or by a minimal handshake between the station and the access point using a pre-shared secret. - The former is commonly termed WPA Enterprise with the - latter known as WPA Personal. 
Since most people will not - set up a RADIUS backend server for wireless network, - WPA-PSK is by far the most commonly encountered - configuration for WPA. + The former is commonly termed WPA Enterprise with the + latter known as WPA Personal. Since most people will not + set up a RADIUS backend server for wireless network, + WPA-PSK is by far the most commonly encountered + configuration for WPA. The control of the wireless connection and the authentication (key negotiation or authentication with a @@ -1212,11 +1225,12 @@ WPA-PSK - WPA-PSK also known as WPA-Personal is based on a - pre-shared key (PSK) generated from a given password and + WPA-PSK + also known as WPA-Personal is based on a + pre-shared key (PSK) generated from a given password and that will be used as the master key in the wireless network. This means every wireless user will share the - same key. WPA-PSK is intended for small networks where + same key. WPA-PSK is intended for small networks where the use of an authentication server is not possible or desired. @@ -1228,7 +1242,8 @@ The first step is the configuration of the /etc/wpa_supplicant.conf file with - the SSID and the pre-shared key of your network: + the SSID and + the pre-shared key of your network: network={ ssid="freebsdap" @@ -1237,8 +1252,8 @@ Then, in /etc/rc.conf, we indicate that the wireless device configuration will be - done with WPA and the IP address will be obtained with - DHCP: + done with WPA and the IP address will be obtained with + DHCP: ifconfig_ath0="WPA DHCP" @@ -1274,7 +1289,7 @@ The next operation is the launch of the dhclient command to get the IP - address from the DHCP server: + address from the DHCP server: &prompt.root; dhclient ath0 DHCPREQUEST on ath0 to 255.255.255.255 port 67 @@ -1301,7 +1316,7 @@ keys. - In the case where the use of DHCP is not possible, + In the case where the use of DHCP is not possible, you can set a static IP address after wpa_supplicant has authenticated the station: 
@@ -1318,7 +1333,7 @@ authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit txpowmax 36 protmode CTS roaming MANUAL bintval 100 - When DHCP is not used, you also have to manually set + When DHCP is not used, you also have to manually set up the default gateway and the nameserver: &prompt.root; route add default your_default_router 
@@ -1328,29 +1343,32 @@ WPA with EAP-TLS - The second way to use WPA is with an 802.1X backend - authentication server, in this case WPA is called - WPA-Enterprise to make difference with the less secure - WPA-Personal with its pre-shared key. The - authentication in WPA-Enterprise is based on EAP + The second way to use WPA is with an 802.1X backend + authentication server, in this case WPA is called + WPA-Enterprise to make difference with the less secure + WPA-Personal with its pre-shared key. The + authentication in WPA-Enterprise is based on EAP (Extensible Authentication Protocol). - EAP does not come with an encryption method, it was - decided to embed EAP inside an encrypted tunnel. Many - types of EAP authentication methods have been designed, - the most common methods are EAP-TLS, EAP-TTLS and - EAP-PEAP. - - EAP-TLS (EAP with Transport Layer Security) is a + EAP does not come with an encryption method, it was + decided to embed EAP inside an encrypted tunnel. Many + types of EAP authentication methods have been designed, + the most common methods are + EAP-TLS, + EAP-TTLS + and + EAP-PEAP. + + EAP-TLS (EAP with Transport Layer Security) is a very well-supported authentication protocol in the - wireless world since it was the first EAP method to be + wireless world since it was the first EAP method to be certified by the Wi-Fi alliance. - EAP-TLS will require three certificates to run: the CA + EAP-TLS will require three certificates to run: the CA certificate (installed on all machines), the server certificate for your authentication server, and one client certificate for each wireless client. In this - EAP method, both authentication server and wireless + EAP method, both authentication server and wireless client authenticate each other in presenting their respective certificates, and they verify that these certificates were signed by your organization's 
@@ -1374,35 +1392,35 @@ This field indicates the network name - (SSID). + (SSID). - Here, we use RSN (IEEE 802.11i) protocol, i.e., - WPA2. + Here, we use RSN + (IEEE 802.11i) protocol, i.e., WPA2. The key_mgmt line refers to the key management protocol we use. In our case it - is WPA using EAP authentication: + is WPA using EAP authentication: WPA-EAP. - In this field, we mention the EAP method for our + In this field, we mention the EAP method for our connection. The identity field contains - the identity string for EAP. + the identity string for EAP. The ca_cert field indicates - the pathname of the CA certificate file. This file - is needed to verify the server certificate. + the pathname of the CA certificate file. This file + is needed to verify the server certificat. @@ -1457,13 +1475,17 @@ WPA with EAP-TTLS - With EAP-TLS both the authentication server and the - client need a certificate, with EAP-TTLS (EAP-Tunneled - Transport Layer Security) a client certificate is + With EAP-TLS + both the authentication server and the + client need a certificate, with + EAP-TTLS + (EAP-Tunneled Transport Layer Security) + a client certificate is optional. This method is close to what some secure web - sites do , where the web server can create a secure SSL + sites do, where the web server can create a secure SSL tunnel even if the visitors do not have client-side - certificates. EAP-TTLS will use the encrypted TLS + certificates. EAP-TTLS will use the + encrypted TLS tunnel for safe transport of the authentication data. 
@@ -1484,31 +1506,31 @@ - In this field, we mention the EAP method for our + In this field, we mention the EAP method for our connection. The identity field contains - the identity string for EAP authentication inside - the encrypted TLS tunnel. + the identity string for EAP authentication inside + the encrypted TLS tunnel. The password field contains - the passphrase for the EAP authentication. + the passphrase for the EAP authentication. The ca_cert field indicates - the pathname of the CA certificate file. This file - is needed to verify the server certificat. + the pathname of the CA certificate file. This file + is needed to verify the server certificate. In this field, we mention the authentication - method used in the encrypted TLS tunnel. In our - case, EAP with MD5-Challenge has been used. The + method used in the encrypted TLS tunnel. In our + case, EAP with MD5-Challenge has been used. The inner authentication phase is often called phase2. 
@@ -1542,29 +1564,33 @@ WPA with EAP-PEAP - PEAP (Protected EAP) has been designed as an - alternative to EAP-TTLS. There are two types of PEAP - methods, the most common one is PEAPv0/EAP-MSCHAPv2. In - the rest of this document, we will use the PEAP term to - refer to that EAP method. PEAP is the most used EAP - standard after EAP-TLS, in other words if you have a - network with mixed OSes, PEAP should be the most - supported standard after EAP-TLS. - - PEAP is similar to EAP-TTLS: it uses a server-side + PEAP + (Protected EAP) has been designed as an + alternative to + EAP-TTLS. + There are two types of PEAP + methods, the most common one is + PEAPv0/EAPMSCHAPv2. + In the rest of this document, we will use the PEAP term to + refer to that EAP method. PEAP is the most used EAP + standard after EAP-TLS, in other words if you have a + network with mixed OSes, PEAP should be the most + supported standard after EAP-TLS. + + PEAP is similar to EAP-TTLS: it uses a server-side certificate to authenticate clients by creating an - encrypted TLS tunnel between the client and the + encrypted TLS tunnel between the client and the authentication server, which protects the ensuing exchange of authentication information. In term of - security the difference between EAP-TTLS and PEAP is - that PEAP authentication broadcasts the username in - clear, only the password is sent in the encrypted TLS - tunnel. EAP-TTLS will use the TLS tunnel for both + security the difference between EAP-TTLS and PEAP is + that PEAP authentication broadcasts the username in + clear, only the password is sent in the encrypted TLS + tunnel. EAP-TTLS will use the TLS tunnel for both username and password. We have to edit the /etc/wpa_supplicant.conf file and - add the EAP-PEAP related settings: + add the EAP-PEAP related settings: network={ ssid="freebsdap" 
@@ -1580,30 +1606,30 @@ - In this field, we mention the EAP method for our + In this field, we mention the EAP method for our connection. The identity field contains - the identity string for EAP authentication inside - the encrypted TLS tunnel. + the identity string for EAP authentication inside + the encrypted TLS tunnel. The password field contains - the passphrase for the EAP authentication. + the passphrase for the EAP authentication. The ca_cert field indicates - the pathname of the CA certificate file. This file + the pathname of the CA certificate file. This file is needed to verify the server certificat. This field contains the parameters for the - first phase of the authentication (the TLS + first phase of the authentication (the TLS tunnel). According to the authentication server used, you will have to specify a specific label for the authentication. Most of time, the label @@ -1615,8 +1641,8 @@ In this field, we mention the authentication - protocol used in the encrypted TLS tunnel. In the - case of PEAP, it is + protocol used in the encrypted TLS tunnel. In the + case of PEAP, it is auth=MSCHAPV2. @@ -1650,7 +1676,7 @@ WEP - WEP (Wired Equivalent Privacy) is part of the original + WEP (Wired Equivalent Privacy) is part of the original 802.11 standard. There is no authentication mechanism, only a weak form of access control, and it is easily to be cracked. @@ -1663,7 +1689,7 @@ - The weptxkey means which WEP + The weptxkey means which WEP key will be used in the transmission. Here we used the third key. This must match the setting in the access point. If you do not have any idea of what is the key @@ -1674,7 +1700,7 @@ The wepkey means setting the - selected WEP key. It should in the format + selected WEP key. It should in the format index:key, if the index is not given, key 1 is set. That is to say we need to set the index if we use keys other 
@@ -1692,7 +1718,7 @@ page for further information. The wpa_supplicant facility also - can be used to configure your wireless interface with WEP. + can be used to configure your wireless interface with WEP. The example above can be set up by adding the following lines to /etc/wpa_supplicant.conf: @@ -1716,11 +1742,11 @@ Ad-hoc Mode - IBSS mode, also called ad-hoc mode, is designed for point + IBSS mode, also called ad-hoc mode, is designed for point to point connections. For example, to establish an ad-hoc network between the machine A and the machine B we will just need to choose two IP adresses - and a SSID. + and a SSID. On the box A: @@ -1736,7 +1762,7 @@ authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100 The adhoc parameter indicates the - interface is running in the IBSS mode. + interface is running in the IBSS mode. On B, we should be able to detect A: @@ -1768,15 +1794,15 @@ &os; Host Access Points - &os; can act as an Access Point (AP) which eliminates the - need to buy a hardware AP or run an ad-hoc network. This can be + &os; can act as an Access Point (AP) which eliminates the + need to buy a hardware AP or run an ad-hoc network. This can be particularly useful when your &os; machine is acting as a gateway to another network (e.g., the Internet). Basic Settings - Before configuring your &os; machine as an AP, the + Before configuring your &os; machine as an AP, the kernel must be configured with the appropriate wireless networking support for your wireless card. You also have to add the support for the security protocols you intend to @@ -1785,8 +1811,8 @@ The use of the NDIS driver wrapper and the &windows; - drivers do not allow currently the AP operation. Only - native &os; wireless drivers support AP mode. + drivers do not allow currently the AP operation. Only + native &os; wireless drivers support AP mode. Once the wireless networking support is loaded, you can 
@@ -1799,12 +1825,16 @@ This output displays the card capabilities; the HOSTAP word confirms this wireless card can act as an Access Point. Various supported ciphers are - also mentioned: WEP, TKIP, WPA2, etc., these informations + also mentioned: + WEP, + TKIP, + WPA2, etc., these informations are important to know what security protocols could be set on the Access Point. The wireless device can now be put into hostap mode and - configured with the correct SSID and IP address: + configured with the correct + SSID and IP address: &prompt.root; ifconfig ath0 ssid freebsdap mode 11g mediaopt hostap inet 192.168.0.1 netmask 255.255.255.0 @@ -1836,12 +1866,13 @@ Host-based Access Point without Authentication or Encryption - Although it is not recommended to run an AP without any + Although it is not recommended to run an + AP without any authentication or encryption, this is a simple way to check - if your AP is working. This configuration is also important + if your AP is working. This configuration is also important for debugging client issues. - Once the AP configured as previously shown, it is + Once the AP configured as previously shown, it is possible from another wireless machine to initiate a scan to find the AP: 
@@ -1868,17 +1899,18 @@ WPA Host-based Access Point This section will focus on setting up &os; Access Point - using the WPA security protocol. More details regarding WPA - and the configuration of WPA-based wireless clients can be + using the WPA security protocol. + More details regarding WPA + and the configuration of WPA-based wireless clients can be found in the . The hostapd daemon is used to deal with client authentication and keys management on the - WPA enabled Access Point. + WPA enabled Access Point. In the following, all the configuration operations will - be performed on the &os; machine acting as AP. Once the - AP is correctly working, hostapd + be performed on the &os; machine acting as AP. Once the + AP is correctly working, hostapd should be automatically enabled at boot with the following line in /etc/rc.conf: @@ -1892,7 +1924,8 @@ WPA-PSK - WPA-PSK is intended for small networks where the use + WPA-PSK + is intended for small networks where the use of an backend authentication server is not possible or desired. @@ -1944,14 +1977,14 @@ The wpa field enables WPA and - specifies which WPA authentication protocol will be + specifies which WPA authentication protocol will be required. A value of 1 configures the AP for WPA-PSK. The wpa_passphrase field - contains the ASCII passphrase for the WPA + contains the ASCII passphrase for the WPA authentication. 
@@ -1964,17 +1997,19 @@ The wpa_key_mgmt line refers to the key management protocol we use. In our case it is - WPA-PSK. + WPA-PSK. The wpa_pairwise field indicates the set of accepted encryption algorithms by - the Access Point. Here both TKIP (WPA) and CCMP - (WPA2) ciphers are accepted. CCMP cipher is an - alternative to TKIP and that is strongly preferred - when possible; TKIP should be used solely for stations - incapable of doing CCMP. + the Access Point. Here both + TKIP (WPA) and + CCMP WPA2) ciphers are accepted. + CCMP cipher is an + alternative to TKIP and that is strongly preferred + when possible; TKIP should be used solely for stations + incapable of doing CCMP. @@ -1996,7 +2031,7 @@ The Access Point is running, the clients can now be associated with it, see for more details. It is - possible to see the stations associated with the AP using + possible to see the stations associated with the AP using the ifconfig ath0 list sta command. 
@@ -2005,22 +2040,22 @@ WEP Host-based Access Point - It is not recommended to use WEP for setting up an + It is not recommended to use WEP for setting up an Access Point since there is no authentication mechanism and it is easily to be cracked. Some legacy wireless cards only - support WEP as security protocol, these cards will only - allow to set up AP without authentication or encryption or - using the WEP protocol. + support WEP as security protocol, these cards will only + allow to set up AP without authentication or encryption or + using the WEP protocol. The wireless device can now be put into hostap mode and - configured with the correct SSID and IP address: + configured with the correct SSID and IP address: &prompt.root; ifconfig ath0 ssid freebsdap wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g mediaopt hostap \ inet 192.168.0.1 netmask 255.255.255.0 - The weptxkey means which WEP + The weptxkey means which WEP key will be used in the transmission. Here we used the third key (note that the key numbering starts with 1). This parameter must be specified @@ -2029,7 +2064,7 @@ The wepkey means setting the - selected WEP key. It should in the format + selected WEP key. It should in the format index:key, if the index is not given, key 1 is set. That is to say we need to set the index if we use keys other @@ -2084,7 +2119,8 @@ access point. This includes the authentication scheme and any security protocols. Simplify your configuration as much as possible. If you are using a security protocol - such as WPA or WEP configure the access point for open + such as WPA + or WEP configure the access point for open authentication and no security to see if you can get traffic to pass. 
@@ -3245,7 +3281,7 @@ lacp - Supports the IEEE 802.3ad Link Aggregation Control Protocol + Supports the IEEE 802.3ad Link Aggregation Control Protocol (LACP) and the Marker Protocol. LACP will negotiate a set of aggregable links with the peer in to one or more Link Aggregated Groups. Each LAG is composed of ports of the same speed, set to diff -r 1649440b3588 -r 56b69b866c6f share/sgml/acronyms.ent --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/share/sgml/acronyms.ent Fri Dec 12 08:37:20 2008 +0200 @@ -0,0 +1,41 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff -r 1649440b3588 -r 56b69b866c6f share/sgml/articles.ent --- a/share/sgml/articles.ent Fri Dec 12 06:06:03 2008 +0000 +++ b/share/sgml/articles.ent Fri Dec 12 08:37:20 2008 +0200 @@ -8,6 +8,8 @@ %man; %freebsd; + +%acronyms; %authors; diff -r 1649440b3588 -r 56b69b866c6f share/sgml/books.ent --- a/share/sgml/books.ent Fri Dec 12 06:06:03 2008 +0000 +++ b/share/sgml/books.ent Fri Dec 12 08:37:20 2008 +0200 @@ -10,6 +10,8 @@ %bookinfo; %freebsd; + +%acronyms; %authors; diff -r 1649440b3588 -r 56b69b866c6f share/sgml/catalog --- a/share/sgml/catalog Fri Dec 12 06:06:03 2008 +0000 +++ b/share/sgml/catalog Fri Dec 12 08:37:20 2008 +0200 @@ -23,6 +23,9 @@ PUBLIC "-//FreeBSD//DOCUMENT DocBook Language Neutral Stylesheet//EN" "freebsd.dsl" +PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Acronyms Entity Set//EN" + "acronyms.ent" + PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN" "articles.ent" %%%
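Review bot: the `+` lines in the hunk at `@@ -734,51 +735,52 @@` keep the spelling `AES-CCM` for the 802.11i cipher, while the Privacy capability description (`@@ -966,10 +968,12 @@`) and the WPA section (`@@ -1172,34 +1182,37 @@`) use `AES-CCMP`. Since this patch introduces a shared set of standard acronym expansions, one spelling should be settled on so the entity name and its expansion are unambiguous across the chapter.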
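Review bot: the `+` line `cipher required by WPA is TKIP (Temporary Key Integrity` in the hunk at `@@ -1172,34 +1182,37 @@` carries the wrong expansion; the 802.11i name is Temporal Key Integrity Protocol. As this is the commit that starts defining the standard expansions, it is the right place to correct it rather than carry the wording into the new entity set.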
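Review bot: the hunk at `@@ -1374,35 +1392,35 @@` turns `is needed to verify the server certificate.` into `is needed to verify the server certificat.`, introducing a typo that the later hunk at `@@ -1484,31 +1506,31 @@` removes from the EAP-TTLS section; the two edits look swapped. The unchanged context line `is needed to verify the server certificat.` in the EAP-PEAP hunk at `@@ -1580,30 +1606,30 @@` has the same misspelling and could be fixed in the same commit.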
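Review bot: the `+` line `PEAPv0/EAPMSCHAPv2.` in the hunk at `@@ -1542,29 +1564,33 @@` drops the hyphen present in the removed `PEAPv0/EAP-MSCHAPv2`; if this text now comes from an acronym entity, check that the entity (or its expansion in acronyms.ent) spells it `EAP-MSCHAPv2`, matching the `EAP-TLS` and `EAP-TTLS` forms used elsewhere in the patch.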
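Review bot: in the hunk at `@@ -1964,17 +1997,19 @@` the new text reads `CCMP WPA2) ciphers are accepted.`; the opening parenthesis before `WPA2` was lost when the line was split, whereas the removed line had `CCMP (WPA2)`. Restore it so the rendered sentence reads `TKIP (WPA) and CCMP (WPA2) ciphers are accepted.`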
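Review bot: the `+%acronyms;` references added to share/sgml/articles.ent and share/sgml/books.ent are each preceded by a `+` line that is empty in this rendering, so the parameter-entity declaration behind `%acronyms;` cannot be checked here; whatever it declares must use the public identifier `-//FreeBSD//ENTITIES DocBook FreeBSD Acronyms Entity Set//EN` exactly as entered in the share/sgml/catalog hunk, or the include will not resolve. The same caveat applies to the 41 `+` lines of the new share/sgml/acronyms.ent, which are likewise blank here, so the expansions themselves (including the TKIP and AES-CCM/AES-CCMP points raised above) need a look in the actual file.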
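The thread agrees on a convention (the first occurrence of each acronym carries role="definition", and expansions should not be retyped by hand) but the Handbook has no check for it. The following is an added example, not part of the FreeBSD patch or of the doc tree: a small Python checker that walks a DocBook/SGML fragment and reports acronyms whose first use lacks role="definition" or that are defined more than once. The sample fragment is constructed for the example, and the function names (`find_acronyms`, `check`) are my own.

```python
"""Check the role="definition" convention for <acronym> elements.

Added example (not the FreeBSD doc project's code).  It assumes the
convention discussed in the thread: exactly one occurrence of each
acronym, the first one, carries role="definition".
"""
import re
from collections import OrderedDict

# Constructed sample fragment: BSS and AP follow the convention, SSID is
# used before it is defined, WEP is never defined, WPA is defined twice.
SAMPLE = """
<para>Most wireless networks are based on the IEEE 802.11 standards.
A <acronym role="definition">BSS</acronym> has a master station termed an
<acronym role="definition">AP</acronym>.  In a <acronym>BSS</acronym> all
communication passes through the <acronym>AP</acronym>.</para>
<para>The <acronym>SSID</acronym> names the network; later the
<acronym role="definition">SSID</acronym> is given to ifconfig.</para>
<para>Use <acronym role="definition">WPA</acronym> rather than
<acronym>WEP</acronym>, and prefer <acronym role="definition">WPA</acronym>
with CCMP.</para>
"""

# One <acronym ...>TEXT</acronym> element; attrs is the raw attribute text.
ACRONYM_RE = re.compile(r'<acronym(?P<attrs>[^>]*)>(?P<text>[^<]+)</acronym>')
ROLE_RE = re.compile(r'role\s*=\s*["\'](?P<role>[^"\']*)["\']')


def find_acronyms(text):
    """Yield (acronym, is_definition) pairs in document order."""
    for m in ACRONYM_RE.finditer(text):
        role = ROLE_RE.search(m.group('attrs'))
        is_def = bool(role and role.group('role') == 'definition')
        yield m.group('text').strip(), is_def


def check(text):
    """Return a list of convention violations found in text.

    Two rules are enforced: the first occurrence of each acronym must
    carry role="definition", and no acronym may be defined more than once.
    """
    problems = []
    definitions = OrderedDict()  # acronym -> count of role="definition" uses
    for name, is_def in find_acronyms(text):
        if name not in definitions:
            definitions[name] = 0
            if not is_def:
                problems.append(f'first use of {name} lacks role="definition"')
        if is_def:
            definitions[name] += 1
    for name, count in definitions.items():
        if count > 1:
            problems.append(
                f'{name} has {count} role="definition" occurrences (expected 1)')
    return problems


if __name__ == '__main__':
    for problem in check(SAMPLE):
        print(problem)
```

Run against a real chapter with `check(open('chapter.sgml').read())`; the regexes are deliberately simple and only look at `<acronym>` elements written literally, so text produced by entity expansion (the `acronyms.ent` approach proposed in the thread) would have to be checked after the entities are resolved.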