802.1X on OpenBSD

I have been using OpenBSD on a daily basis recently, and I have found it possible to do almost everything that I need to in a smooth and well-documented environment, but there are a few quirks that can be difficult to figure out. One such example is that many educational institutions and other large organizations tend to use WPA Enterprise (WPA-802.1X) mode for authentication to their wireless networks. This is not supported by OpenBSD base (yet?), but wpa_supplicant does a fine job and is in Ports.

If you are running -current, you can use the join network syntax. If still using 6.3-stable or earlier, the nwid syntax for ifconfig works fine. First bring up the interface and connect to the SSID that you wish to authenticate to:

$ doas ifconfig <interface> nwid "Institutional Network" wpa wpaakms 802.1x
$ doas dhclient <interface>

Alternatively, add this to the interface's config file at /etc/hostname.if:

join "Institutional Network" wpa wpaakms 802.1x
dhcp

It is necessary to have a configuration file for wpa_supplicant, containing login credentials and the type of connection:

# $OpenBSD: wpa_supplicant.conf,v 1.4 2017/02/08 12:53:46 sthen Exp $
# Sample wpa_supplicant configuration file for wired IEEE 802.1x
# port authentication. See wpa_supplicant.conf(5).

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

ap_scan=0

# If your authentication servers are broken with TLSv1.1/1.2, you may need:
# phase1="tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1"

# wireless network:

network={
    ssid="Institutional Network"
    key_mgmt=WPA-EAP
    eap=TTLS PEAP
    identity="username"
    password="password"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}

Then start wpa_supplicant in the foreground on the command-line to see that everything is working correctly. You may need to specify the path of a certificate. If so, consult the man page for the syntax.

$ doas wpa_supplicant -i <interface> -c /etc/wpa_supplicant.conf

Assuming everything works, you should now be connected to your institution’s WiFi on OpenBSD. Once the connection is confirmed, wpa_supplicant can be backgrounded with the -B flag:

$ doas wpa_supplicant -B -i <interface> -c /etc/wpa_supplicant.conf

Through trial-and-error, I found that I didn’t need to specify many of the above configuration options. My simplified, working config is below:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
    ssid="Institutional Network"
    key_mgmt=WPA-EAP
    identity="username"
    password="password"
}
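
Neither config above sets ca_cert, and wpa_supplicant does not verify the authentication server's certificate when ca_cert and ca_path are both absent, so the supplicant will complete the exchange with any access point advertising the SSID. The following is an added example, not part of the original post, showing the same network block with server validation; the CA file path, the server domain and the anonymous identity are placeholder assumptions to replace with your institution's values:

```conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel

network={
    ssid="Institutional Network"
    key_mgmt=WPA-EAP

    # Pin the outer and inner methods instead of accepting whatever
    # the server proposes.
    eap=PEAP
    phase2="auth=MSCHAPV2"

    # Outer identity, sent before the TLS tunnel exists (placeholder).
    # The real username below is only sent inside the tunnel.
    anonymous_identity="anonymous@example.edu"
    identity="username"
    password="password"

    # CA that issued the RADIUS server certificate (placeholder path).
    # With this set, the server certificate chain is verified.
    ca_cert="/etc/ssl/institution-ca.pem"

    # Additionally require the server certificate's DNS name to match
    # this domain (placeholder), so another certificate from the same
    # CA is not accepted.
    domain_suffix_match="radius.example.edu"
}
```

Because the file holds a plaintext password, restrict it to root, for example with doas chmod 600 /etc/wpa_supplicant.conf.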

wpa_supplicant can be made to start with the proper configuration on boot, using rcctl, OpenBSD’s daemon and service manager. This requires editing /etc/rc.conf.local to add the flags for wpa_supplicant:

wpa_supplicant_flags=-i <interface> -c /etc/wpa_supplicant.conf

Then, wpa_supplicant can be started with:

doas rcctl start wpa_supplicant

and enabled to start up at boot with:

doas rcctl enable wpa_supplicant