Re: Is wpa_supplicant supposed to work with a hidden ssid?

From: Doug Barton <dougb_at_FreeBSD.org>
Date: Mon, 16 Mar 2009 15:33:46 -0700
Sam Leffler wrote:
> Doug Barton wrote:
>> I spent a pretty long, frustrating evening last night getting
>> wpa_supplicant working with my Intel 3945abg (wpi) card. I could
>> connect when the network was open, or using WEP just fine. However it
>> turned out that I could not connect with WPA unless the AP was showing
>> the ssid.
>>
>> Now hiding ssid is not a show-stopper for me, I just think it's odd
>> that I can't do it. FWIW, I vaguely recall that the same thing was
>> true with ath-based cards as well. I still have one somewhere, and I
>> can double-check this if anyone is interested.
>>
>> Now this seems to be related to the fact that we can only use
>> ap_scan=1 with the wlan module. The description in the example conf
>> file seems to indicate that setting that option to 2 would do the
>> trick, but the man page for wpa_supplicant.conf says that we can only
>> use ap_scan=1. Therefore I'd like to propose the attached patch which
>> would have saved me a lot of time flailing around with this (since I
>> assumed that the example conf file had the necessary information).
>> Since we have svn now, the "pristine" copy of the file will still live
>> on in the vendor tree, and there is no "expense" to changing things in
>> contrib like there was with cvs.
>>
>>   
> 
> If you use a driver that uses net80211 to handle scanning then hidden
> ssid is automatically handled for you regardless of the ap_scan
> setting.  For drivers like wpi where scanning is done in firmware you
> need to coerce wpa_supplicant to ask net80211 to send directed probe
> request frames that include the ssid of the ap.  That used to be done
> with ap_scan=1 (I believe). 

The scan_ssid=1 option that Michael suggested worked for me.

> If it is not then something is broken and
> you can identify where the problem is using the normal debug
> mechanisms--e.g. wlandebug will help you check net80211 operation.

Ok, if anyone interested in improving wpi(4) to deal with this issue
wants to work with me on this I'll be happy to do whatever testing is
required. Updating the driver myself is beyond my ability.

> FWIW hidden ssid is useless as a security mechanism; about as effective
> as mac address filtering.

Yeah, that's why I use a nice strong WPA key. :)  To be honest this is
more of an issue of playing with knobs than anything else.

Meanwhile, what do you think of the attached patch for the example
wpa_supplicant.conf file? It also seems to me that there are a lot of
options in that sample conf file that don't work for FreeBSD. For
example if I try to set device_name I get:

Line 8: unknown global field 'device_name=foo'.
Line 8: Invalid configuration line 'device_name=foo'.
Failed to read or parse configuration '/etc/wpa_supplicant.conf'.

Would it be worthwhile to also delete unusable options from the
example file, and if so, which are the ones that are not usable?


Doug

-- 

    This .signature sanitized for your protection


Index: wpa_supplicant.conf
===================================================================
--- wpa_supplicant.conf	(revision 189866)
+++ wpa_supplicant.conf	(working copy)
_at__at_ -1,5 +1,7 _at__at_
 ##### Example wpa_supplicant configuration file ###############################
 #
+# ***** Please check wpa_supplicant.conf(5) for details on these options *****
+#
 # This file describes configuration file format and lists all available option.
 # Please also take a look at simpler configuration examples in 'examples'
 # subdirectory.
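Review bot: The added banner line says to check wpa_supplicant.conf(5) but not why, and the context line right below it still claims this file "lists all available option", which is the claim that misleads a reader here. Suggest having the new line state that some options shown in this file are not supported on FreeBSD and that the man page is authoritative for what is. A plain comment line in the file's existing style would also read better than the "*****" emphasis.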
_at__at_ -59,19 +61,6 _at__at_
 # DIR=/var/run/wpa_supplicant GROUP=0
 # (group can be either group name or gid)
 #
-# For UDP connections (default on Windows): The value will be ignored. This
-# variable is just used to select that the control interface is to be created.
-# The value can be set to, e.g., udp (ctrl_interface=udp)
-#
-# For Windows Named Pipe: This value can be used to set the security descriptor
-# for controlling access to the control interface. Security descriptor can be
-# set using Security Descriptor String Format (see http://msdn.microsoft.com/
-# library/default.asp?url=/library/en-us/secauthz/security/
-# security_descriptor_string_format.asp). The descriptor string needs to be
-# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
-# DACL (which will reject all connections). See README-Windows.txt for more
-# information about SDDL string format.
-#
 ctrl_interface=/var/run/wpa_supplicant
 
 # IEEE 802.1X/EAPOL version
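Review bot: The removal of the UDP and Windows Named Pipe paragraphs is not described by the banner or by any comment left in the file, and it is the largest divergence from the vendor text in this patch. If it stays, the commit log should say that only the Windows-specific ctrl_interface text was dropped, so later imports can be reconciled. The remaining "DIR=/var/run/wpa_supplicant GROUP=0" text is what governs access to the control socket here, so it is right that it is kept as is.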
_at__at_ -102,6 +91,8 _at__at_
 #    the driver reports successful association; each network block should have
 #    explicit security policy (i.e., only one option in the lists) for
 #    key_mgmt, pairwise, group, proto variables
+#
+# For use in FreeBSD with the wlan module ap_scan must be set to 1.
 ap_scan=1
 
 # EAP fast re-authentication
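Review bot: The added line "For use in FreeBSD with the wlan module ap_scan must be set to 1." tells the reader what not to change but not what to do instead. Someone who reaches this comment while trying to join a hidden-SSID network needs a pointer to scan_ssid=1 in the network block, which is what resolved the problem in this thread. Suggest adding that pointer, and a comma after "module".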
_at__at_ -221,7 +212,7 _at__at_
 # scan_ssid:
 #	0 = do not scan this SSID with specific Probe Request frames (default)
 #	1 = scan with SSID-specific Probe Request frames (this can be used to
-#	    find APs that do not accept broadcast SSID or use multiple SSIDs;
+#	    find APs that hide (do not broadcast) SSID or use multiple SSIDs;
 #	    this will add latency to scanning, so enable this only when needed)
 #
 # bssid: BSSID (optional); if set, this network block is used only when
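Review bot: The reworded line changes the meaning rather than just simplifying it. "do not accept broadcast SSID" describes APs that do not answer Probe Requests carrying the broadcast SSID, which is why the SSID-specific Probe Request frames named on the line above are needed, while "do not broadcast" describes what the AP advertises. Suggest keeping both ideas, for example "find APs that hide their SSID (do not accept broadcast SSID) or use multiple SSIDs".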
_at__at_ -237,7 +228,7 _at__at_
 # policy, signal strength, etc.
 # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
 # using this priority to select the order for scanning. Instead, they try the
-# networks in the order that used in the configuration file.
+# networks in the order that they are listed in the configuration file.
 #
 # mode: IEEE 802.11 operation mode
 # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
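Review bot: The grammar fix is fine, but the context two lines above it still refers to "ap_scan=2 mode", which the earlier hunk of this patch says cannot be used with the wlan module. Since the paragraph is being touched anyway, consider noting here that only the scan_ssid=1 case applies on FreeBSD, so the two comments do not read as contradicting each other.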
Received on Mon Mar 16 2009 - 21:33:53 UTC
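
The configuration the thread converges on, as an added example that is not part of the original message or patch: ap_scan=1 plus scan_ssid=1 in the network block for an AP that hides its SSID. The SSID and passphrase are constructed placeholders.

```conf
# Added example; SSID and passphrase below are constructed placeholders.
ctrl_interface=/var/run/wpa_supplicant

# Per the thread and the patch: with the FreeBSD wlan module, ap_scan stays at 1.
ap_scan=1

network={
	ssid="example-hidden-net"
	# Default is scan_ssid=0, which per the thread did not find the hidden AP
	# with wpi. scan_ssid=1 sends SSID-specific Probe Request frames. Those
	# frames carry the SSID in the clear, so the client itself reveals the
	# "hidden" name; the protection comes from the WPA key, not from hiding.
	scan_ssid=1
	key_mgmt=WPA-PSK
	psk="replace-with-a-long-random-passphrase"
}
```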
