wpa_supplicant.conf.sgml revision 8d520ff1dc2da35cdca849e982051b86468016d8
<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
  <refmeta>
    <refentrytitle>wpa_supplicant.conf</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>wpa_supplicant.conf</refname>
    <refpurpose>configuration file for wpa_supplicant</refpurpose>
  </refnamediv>
  <refsect1>
    <title>Overview</title>

    <para><command>wpa_supplicant</command> is configured using a text
    file that lists all accepted networks and security policies,
    including pre-shared keys. See the example configuration file,
    probably in <command>/usr/share/doc/wpa_supplicant/</command>, for
    detailed information about the configuration format and supported
    fields.</para>

    <para>All file paths in this configuration file should be full
    (absolute, not relative to the working directory) paths, so that
    the working directory can be changed. This can happen when
    wpa_supplicant is run in the background.</para>

    <para>Changes to the configuration file can be reloaded by sending
    a SIGHUP signal to <command>wpa_supplicant</command> ('killall -HUP
    wpa_supplicant'). Similarly, reloading can be triggered with
    the <emphasis>wpa_cli reconfigure</emphasis> command.</para>

    <para>The configuration file can include one or more network blocks,
    e.g., one for each used SSID. wpa_supplicant will automatically
    select the best network based on the order of network blocks in
    the configuration file, network security level (WPA/WPA2 is
    preferred), and signal strength.</para>
  </refsect1>

  <refsect1>
    <title>Quick Examples</title>

    <orderedlist>
      <listitem>

      <para>WPA-Personal (PSK) as home network and WPA-Enterprise with
      EAP-TLS as work network.</para>

<blockquote><programlisting>
# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#
# home network; allow all valid ciphers
network={
	ssid="home"
	scan_ssid=1
	key_mgmt=WPA-PSK
	psk="very secret passphrase"
}
#
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
	ssid="work"
	scan_ssid=1
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
}
</programlisting></blockquote>
      </listitem>

      <listitem>
	<para>WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
        use the old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse
        Aegis, Interlink RAD-Series)</para>

<blockquote><programlisting>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase1="peaplabel=0"
	phase2="auth=MSCHAPV2"
}
</programlisting></blockquote>
      </listitem>

      <listitem>
	<para>EAP-TTLS/EAP-MD5-Challenge configuration with an anonymous
        identity for the unencrypted phase. The real identity is sent only
        within the encrypted TLS tunnel.</para>

<blockquote><programlisting>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase2="auth=MD5"
}
</programlisting></blockquote>

      </listitem>

      <listitem>
	<para>IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
        (require both unicast and broadcast); use EAP-TLS for
        authentication</para>

<blockquote><programlisting>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="1x-test"
	scan_ssid=1
	key_mgmt=IEEE8021X
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	eapol_flags=3
}
</programlisting></blockquote>
      </listitem>

      <listitem>
	<para>Catch-all example that allows more or less all
        configuration modes. The configuration options are used based
        on what security policy is used in the selected SSID. This is
        mostly for testing and is not recommended for normal
        use.</para>

<blockquote><programlisting>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
	pairwise=CCMP TKIP
	group=CCMP TKIP WEP104 WEP40
	psk="very secret passphrase"
	eap=TTLS PEAP TLS
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	phase1="peaplabel=0"
	ca_cert2="/etc/cert/ca2.pem"
	client_cert2="/etc/cert/user.pem"
	private_key2="/etc/cert/user.prv"
	private_key2_passwd="password"
}
</programlisting></blockquote>
      </listitem>

      <listitem>
	<para>Authentication for wired Ethernet. This can be used with the
        <emphasis>wired</emphasis> or <emphasis>roboswitch</emphasis> interface
        (-Dwired or -Droboswitch on the command line).</para>

<blockquote><programlisting>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=0
network={
	key_mgmt=IEEE8021X
	eap=MD5
	identity="user"
	password="password"
	eapol_flags=0
}
</programlisting></blockquote>
      </listitem>
    </orderedlist>

  </refsect1>
  <refsect1>
    <title>Certificates</title>

    <para>Some EAP authentication methods require the use of
    certificates. EAP-TLS uses both server side and client
    certificates, whereas EAP-PEAP and EAP-TTLS only require the server
    side certificate. When a client certificate is used, a matching
    private key file also has to be included in the configuration. If the
    private key uses a passphrase, this has to be configured in
    wpa_supplicant.conf ("private_key_passwd").</para>

    <para>wpa_supplicant supports X.509 certificates in PEM and DER
    formats. The user certificate and private key can be included in the
    same file.</para>

    <para>If the user certificate and private key are received in
    PKCS#12/PFX format, they need to be converted to a suitable PEM/DER
    format for wpa_supplicant. This can be done, e.g., with the following
    commands:</para>
<blockquote><programlisting>
# convert client certificate and private key to PEM format
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
</programlisting></blockquote>
  </refsect1>
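  <refsect1>
    <title>Checking a Configuration File</title>

    <para>The following Python script is an added example and is not part
    of wpa_supplicant. It parses the network blocks of a configuration
    text and flags the settings the sections above warn about: key_mgmt
    permitting NONE, WEP group ciphers, EAP networks configured without a
    ca_cert (so the server certificate is never validated), and
    certificate or private key paths that are not absolute. The sample
    configuration text embedded in it is constructed for the example.</para>

```python
import re

def parse_conf(text):
    """Return (global options, list of network blocks); '#' lines are comments."""
    global_opts, networks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.fullmatch(r"network\s*=\s*\{", line):  # start of a network block
            current = {}
        elif line == "}":                              # end of the block
            networks.append(current)
            current = None
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]                    # drop surrounding quotes
            (global_opts if current is None else current)[key] = value
    return global_opts, networks

def check_network(net):
    """Return findings for one network block (empty list: nothing flagged)."""
    findings, key_mgmt = [], net.get("key_mgmt", "").split()
    if "NONE" in key_mgmt:
        findings.append("key_mgmt allows NONE (no WPA or 802.1X protection)")
    weak = [c for c in net.get("group", "").split() if c.startswith("WEP")]
    if weak:
        findings.append("group ciphers include WEP: " + " ".join(weak))
    if {"WPA-EAP", "IEEE8021X"} & set(key_mgmt) and "ca_cert" not in net:
        findings.append("EAP network without ca_cert: server not validated")
    for key, value in net.items():  # certificate and key paths must be absolute
        if re.fullmatch(r"(ca_cert|client_cert|private_key)2?", key) and value[:1] != "/":
            findings.append(f"{key} uses a relative path: {value}")
    return findings

# constructed sample: a plain PSK block and a catch-all style EAP block
SAMPLE_CONF = """ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
    ssid="home"
    key_mgmt=WPA-PSK
}
network={
    ssid="lab"
    key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
    group=CCMP TKIP WEP104 WEP40
    eap=PEAP
    client_cert="cert/user.pem"
}
"""
```
  </refsect1>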

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry>
	<refentrytitle>wpa_supplicant</refentrytitle>
	<manvolnum>8</manvolnum>
      </citerefentry>
      <citerefentry>
	<refentrytitle>openssl</refentrytitle>
	<manvolnum>1</manvolnum>
      </citerefentry>
    </para>
  </refsect1>
</refentry>