For WPA support the wpa_supplicant is used. The supplicant in the base system does not support 802.1x or WPA2 by default. This how-to shows how to enable the base wpa_supplicant for 802.1x and configure it.

To enable 802.1x and WPA2 support in the supplicant

# echo ENABLE_WPA_SUPPLICANT_EAPOL=\"YES\" >> /etc/make.conf

Rebuild the wpa_supplicant and tools

# cd /usr/src/usr.sbin/wpa
# make clean
# make
# make install

Configure the wpa_supplicant

Create the /etc/wpa_supplicant.conf file. The following is a copy of the file I use.

ctrl_interface_group=/var/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=1
ap_scan=1
fast_reauth=1
network={
    ssid="VE6KIK"
    scan_mgmt=WPA-PSK
    psk="SHARED_KEY"
}
network={
    ssid="dot1x"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=TTLS
    pairwise=TKIP
    group=TKIP
    identity="EDU\username"
    anonymous_identity="EDU\username"
    password="password"
    phase2="auth=MSCHAPV2"
}

Make it work at startup

Edit /etc/rc.conf and modify the ifconfig variable for your network device.  My wireless card device is ath0 so the ifconfig variable in my rc.conf file looks like: ifconfig_ath0="DHCP WPA"

Restart the wireless device.

# /etc/rc.d/netif stop ath0
# /etc/rc.d/netif start ath0