author Warren Block <wblock@FreeBSD.org> 2015-07-02 00:14:31 +0000
committer Warren Block <wblock@FreeBSD.org> 2015-07-02 00:14:31 +0000
commit fc3990a3b436f017be8c46a360fb0cba7e96d403 (patch)
tree 111ce15d4b4eb20e89036f0eab9cf15f0e9d35c4 /en_US.ISO8859-1/books/handbook/advanced-networking
parent 10f5081088a5b260c407b1d57736ec9184495c09 (diff)
Update the WPA-PSK access point section at Mark Felder's request, who
supplied the ifconfig output. Also update some of the defaults and
suggestions for the current era: WPA2 and CCMP/AES.

Submitted by: Mark Felder <feld@FreeBSD.org>
Reviewed by: adrian
Differential Revision:
Notes: svn path=/head/; revision=46911
Diffstat (limited to 'en_US.ISO8859-1/books/handbook/advanced-networking')
-rw-r--r-- en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml 110
1 files changed, 57 insertions, 53 deletions
diff --git a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
index 7d7e8ac3ac..e57fc225de 100644
--- a/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.xml
@@ -1935,11 +1935,11 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
roam:rate 5 protmode CTS wme burst</screen>
</sect3>
- <sect3>
- <title><acronym>WPA</acronym> Host-based Access Point</title>
+ <sect3 xml:id="network-wireless-ap-wpa">
+ <title><acronym>WPA2</acronym> Host-based Access Point</title>
<para>This section focuses on setting up a &os;
- <acronym>AP</acronym> using the <acronym>WPA</acronym>
+ access point using the <acronym>WPA2</acronym>
security protocol. More details regarding
<acronym>WPA</acronym> and the configuration of
<acronym>WPA</acronym>-based wireless clients can be found
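Review bot: The unchanged lines that close this paragraph still read "More details regarding <acronym>WPA</acronym> and the configuration of <acronym>WPA</acronym>-based wireless clients", directly after a sentence that now names WPA2. If the section they point to covers WPA2 clients, update both acronyms to match the new title; if the older wording is deliberate, a short phrase saying that the linked section covers both would keep the reader from wondering whether the client instructions apply to this access point.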
@@ -1947,13 +1947,13 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
<para>The &man.hostapd.8; daemon is used to deal with client
authentication and key management on the
- <acronym>WPA</acronym>-enabled <acronym>AP</acronym>.</para>
+ <acronym>WPA2</acronym>-enabled <acronym>AP</acronym>.</para>
<para>The following configuration operations are performed
on the &os; machine acting as the <acronym>AP</acronym>.
Once the <acronym>AP</acronym> is correctly working,
- &man.hostapd.8; should be automatically enabled at boot
- with the following line in
+ &man.hostapd.8; can be automatically started at boot
+ with this line in
<filename>/etc/rc.conf</filename>:</para>
<programlisting>hostapd_enable="YES"</programlisting>
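Review bot: Terminology is inconsistent after this change: the added line "<acronym>WPA2</acronym>-enabled <acronym>AP</acronym>" and the paragraph below it keep the AP acronym, while the previous hunk replaced the same acronym with "access point". Pick one form for the whole section, or spell it out on first use and use the acronym afterwards.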
@@ -1963,95 +1963,95 @@ freebsdap 00:11:95:c3:0d:ac 1 54M -66:-96 100 ES WME</screen>
linkend="network-wireless-ap-basic"/>.</para>
<sect4>
- <title><acronym>WPA-PSK</acronym></title>
+ <title><acronym>WPA2-PSK</acronym></title>
- <para><acronym>WPA-PSK</acronym> is intended for small
+ <para><acronym>WPA2-PSK</acronym> is intended for small
networks where the use of a backend authentication server
is not possible or desired.</para>
<para>The configuration is done in
<filename>/etc/hostapd.conf</filename>:</para>
- <programlisting>interface=wlan0 <co xml:id="co-ap-wpapsk-iface"/>
-debug=1 <co xml:id="co-ap-wpapsk-dbug"/>
-ctrl_interface=/var/run/hostapd <co xml:id="co-ap-wpapsk-ciface"/>
-ctrl_interface_group=wheel <co xml:id="co-ap-wpapsk-cifacegrp"/>
-ssid=freebsdap <co xml:id="co-ap-wpapsk-ssid"/>
-wpa=1 <co xml:id="co-ap-wpapsk-wpa"/>
-wpa_passphrase=freebsdmall <co xml:id="co-ap-wpapsk-pass"/>
-wpa_key_mgmt=WPA-PSK <co xml:id="co-ap-wpapsk-kmgmt"/>
-wpa_pairwise=CCMP TKIP <co xml:id="co-ap-wpapsk-pwise"/></programlisting>
+ <programlisting>interface=wlan0 <co xml:id="co-ap-wpapsk-iface"/>
+debug=1 <co xml:id="co-ap-wpapsk-dbug"/>
+ctrl_interface=/var/run/hostapd <co xml:id="co-ap-wpapsk-ciface"/>
+ctrl_interface_group=wheel <co xml:id="co-ap-wpapsk-cifacegrp"/>
+ssid=freebsdap <co xml:id="co-ap-wpapsk-ssid"/>
+wpa=2 <co xml:id="co-ap-wpapsk-wpa"/>
+wpa_passphrase=freebsdmall <co xml:id="co-ap-wpapsk-pass"/>
+wpa_key_mgmt=WPA-PSK <co xml:id="co-ap-wpapsk-kmgmt"/>
+wpa_pairwise=CCMP <co xml:id="co-ap-wpapsk-pwise"/></programlisting>
<calloutlist>
<callout arearefs="co-ap-wpapsk-iface">
- <para>This field indicates the wireless interface used
- for the <acronym>AP</acronym>.</para>
+ <para>Wireless interface used
+ for the access point.</para>
</callout>
<callout arearefs="co-ap-wpapsk-dbug">
- <para>This field sets the level of verbosity during the
+ <para>Level of verbosity used during the
execution of &man.hostapd.8;. A value of
<literal>1</literal> represents the minimal
level.</para>
</callout>
<callout arearefs="co-ap-wpapsk-ciface">
- <para>The <literal>ctrl_interface</literal> field gives
- the pathname of the directory used by &man.hostapd.8;
- to store its domain socket files for the communication
+ <para>Pathname of the directory used by &man.hostapd.8;
+ to store domain socket files for communication
with external programs such as &man.hostapd.cli.8;.
The default value is used in this example.</para>
</callout>
<callout arearefs="co-ap-wpapsk-cifacegrp">
- <para>The <literal>ctrl_interface_group</literal> line
- sets the group which is allowed to access the control
+ <para>The group allowed to access the control
interface files.</para>
</callout>
<callout arearefs="co-ap-wpapsk-ssid">
- <para>This field sets the network name.</para>
+ <para>The wireless network name, or
+ <acronym>SSID</acronym>, that will appear in wireless
+ scans.</para>
</callout>
<callout arearefs="co-ap-wpapsk-wpa">
- <para>The <literal>wpa</literal> field enables
- <acronym>WPA</acronym> and specifies which
+ <para>Enable
+ <acronym>WPA</acronym> and specify which
<acronym>WPA</acronym> authentication protocol will
- be required. A value of <literal>1</literal>
+ be required. A value of <literal>2</literal>
configures the <acronym>AP</acronym> for
- <acronym>WPA-PSK</acronym>.</para>
+ <acronym>WPA2</acronym> and is recommended.
+ Set to <literal>1</literal> only if the obsolete
+ <acronym>WPA</acronym> is required.</para>
</callout>
<callout arearefs="co-ap-wpapsk-pass">
- <para>The <literal>wpa_passphrase</literal> field
- contains the ASCII passphrase for
+ <para>ASCII passphrase for
<acronym>WPA</acronym> authentication.</para>
<warning>
- <para>Always use strong passwords that are
- sufficiently long and made from a rich alphabet so
+ <para>Always use strong passwords that are at least
+ 8 characters long and made from a rich alphabet so
that they will not be easily guessed or
attacked.</para>
</warning>
</callout>
<callout arearefs="co-ap-wpapsk-kmgmt">
- <para>The <literal>wpa_key_mgmt</literal> line refers
- to the key management protocol to use. This example
+ <para>The
+ key management protocol to use. This example
sets <acronym>WPA-PSK</acronym>.</para>
</callout>
<callout arearefs="co-ap-wpapsk-pwise">
- <para>The <literal>wpa_pairwise</literal> field
- indicates the set of accepted encryption algorithms by
- the <acronym>AP</acronym>. In this example, both
- <acronym>TKIP</acronym> (<acronym>WPA</acronym>) and
- <acronym>CCMP</acronym> (<acronym>WPA2</acronym>)
- ciphers are accepted. The <acronym>CCMP</acronym>
- cipher is an alternative to <acronym>TKIP</acronym>
+ <para>Encryption algorithms accepted by
+ the access point. In this example, only
+ the
+ <acronym>CCMP</acronym> (<acronym>AES</acronym>)
+ cipher is accepted. <acronym>CCMP</acronym>
+ is an alternative to <acronym>TKIP</acronym>
and is strongly preferred when possible.
- <acronym>TKIP</acronym> should be used solely for
- stations incapable of doing
+ <acronym>TKIP</acronym> should be allowed only when
+ there are stations incapable of using
<acronym>CCMP</acronym>.</para>
</callout>
</calloutlist>
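Review bot: The reworded warning in the wpa_passphrase callout ("strong passwords that are at least 8 characters long") presents the protocol minimum as if it were a strength recommendation. A WPA/WPA2 passphrase must be 8 to 63 ASCII characters, so 8 is simply the shortest value hostapd will accept, and a PSK of that length is the weakest a reader can configure. Suggest stating the 8 to 63 character range as a requirement and separately recommending a considerably longer, random passphrase. The example value "wpa_passphrase=freebsdmall" is carried over unchanged; a visibly placeholder value, or a sentence telling the reader to replace it, would fit the same warning.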
@@ -2061,14 +2061,18 @@ wpa_pairwise=CCMP TKIP <co xml:id="co-ap-wpapsk-pwise"/></programlisting>
<screen>&prompt.root; <userinput>service hostapd forcestart</userinput></screen>
<screen>&prompt.root; <userinput>ifconfig <replaceable>wlan0</replaceable></userinput>
- wlan0: flags=8843&lt;UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; mtu 2290
- inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
- inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
- ether 00:11:95:c3:0d:ac
- media: IEEE 802.11 Wireless Ethernet autoselect mode 11g &lt;hostap&gt;
- status: associated
- ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
- authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
+wlan0: flags=8943&lt;UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
+ ether 04:f0:21:16:8e:10
+ inet6 fe80::6f0:21ff:fe16:8e10%wlan0 prefixlen 64 scopeid 0x9
+ nd6 options=21&lt;PERFORMNUD,AUTO_LINKLOCAL&gt;
+ media: IEEE 802.11 Wireless Ethernet autoselect mode 11na &lt;hostap&gt;
+ status: running
+ ssid No5ignal channel 36 (5180 MHz 11a ht/40+) bssid 04:f0:21:16:8e:10
+ country US ecm authmode WPA2/802.11i privacy MIXED deftxkey 2
+ AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 17 mcastrate 6 mgmtrate 6
+ scanvalid 60 ampdulimit 64k ampdudensity 8 shortgi wme burst
+ dtimperiod 1 -dfs
+ groups: wlan</screen>
<para>Once the <acronym>AP</acronym> is running, the
clients can associate with it. See <xref
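Review bot: The replacement ifconfig output no longer matches the configuration this section tells the reader to write. It reports "ssid No5ignal", while hostapd.conf above sets "ssid=freebsdap", and it uses the address 04:f0:21:16:8e:10 where the earlier examples in the chapter (visible in the hunk headers) use 00:11:95:c3:0d:ac. A reader comparing their own output against the sample will see a different network name than the one they configured. Suggest editing the sample so that the ssid and bssid fields agree with the rest of the section, keeping the new WPA2 and AES-CCM fields that are the point of the update.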