130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt##### Example wpa_supplicant configuration file ############################### 230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This file describes configuration file format and lists all available option. 430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please also take a look at simpler configuration examples in 'examples' 530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subdirectory. 630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Empty lines and lines starting with # are ignored 830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NOTE! This file may contain password information and should probably be made 1030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# readable only by root user on multiuser systems. 1130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: All file paths in this configuration file should use full (absolute, 1330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not relative to working directory) path in order to allow working directory 1430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be changed. This can happen if wpa_supplicant is run in the background. 1530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Whether to allow wpa_supplicant to update (overwrite) configuration 1730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This option can be used to allow wpa_supplicant to overwrite configuration 1930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# file whenever configuration is changed (e.g., new network block is added with 2030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli or wpa_gui, or a password is changed). This is required for 2130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 2230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that overwriting configuration file will remove the comments from 2330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# it. 2430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#update_config=1 2530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 2630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# global configuration (shared by all network blocks) 2730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Parameters for the control interface. If this is specified, wpa_supplicant 2930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will open a control interface that is available for external programs to 3030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# manage wpa_supplicant. The meaning of this string depends on which control 31c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interface mechanism is used. For all cases, the existence of this parameter 3230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in configuration is used to determine whether the control interface is 3330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enabled. 3430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UNIX domain sockets (default on Linux and BSD): This is a directory that 3630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will be created for UNIX domain sockets for listening to requests from 3730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external programs (CLI/GUI, etc.) for status information and configuration. 3830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The socket file will be named based on the interface name, so multiple 3930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant processes can be run at the same time if more than one 4030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface is used. 4130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /var/run/wpa_supplicant is the recommended directory for sockets and by 4230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default, wpa_cli will use it when trying to connect with wpa_supplicant. 4330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Access control for the control interface can be configured by setting the 4530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory to allow only members of a group to use sockets. This way, it is 4630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# possible to run wpa_supplicant as root (since it needs to change network 4730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuration and open raw sockets) and still allow GUI/CLI components to be 4830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# run as non-root users. However, since the control interface can be used to 4930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change the network configuration, this access needs to be protected in many 5030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 5130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# want to allow non-root users to use the control interface, add a new group 5230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and change this value to match with that group. Add users that should have 5330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# control interface access to this group. If this variable is commented out or 5430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not included in the configuration file, group will not be changed from the 5530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# value it got by default when the directory or socket was created. 5630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When configuring both the directory and group, use following format: 5830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=wheel 5930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=0 6030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (group can be either group name or gid) 6130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UDP connections (default on Windows): The value will be ignored. This 6330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable is just used to select that the control interface is to be created. 6430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The value can be set to, e.g., udp (ctrl_interface=udp) 6530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For Windows Named Pipe: This value can be used to set the security descriptor 6730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for controlling access to the control interface. Security descriptor can be 6830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 6930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# library/default.asp?url=/library/en-us/secauthz/security/ 7030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# security_descriptor_string_format.asp). The descriptor string needs to be 7130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 7230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DACL (which will reject all connections). See README-Windows.txt for more 7330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information about SDDL string format. 7430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 7530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtctrl_interface=/var/run/wpa_supplicant 7630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 7730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL version 7830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 7930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAPOL version 2. However, there are many APs that do not handle the new 8030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version number correctly (they seem to drop the frames completely). In order 8130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to make wpa_supplicant interoperate with these APs, the version number is set 8230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to 1 by default. This configuration value can be used to set it to the new 8330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version (2). 848d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidteapol_version=1 8530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 8630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# AP scanning/selection 8730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, wpa_supplicant requests driver to perform AP scanning and then 8830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# uses the scan results to select a suitable AP. Another alternative is to 8930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allow the driver to take care of AP scanning and selection and use 9030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 9130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information from the driver. 9230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 9330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the currently enabled networks are found, a new network (IBSS or AP mode 9430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# operation) may be initialized (if configured) (default) 9530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 9630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# parameters (e.g., WPA IE generation); this mode can also be used with 9730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 9830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# APs (i.e., external program needs to control association). This mode must 9930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# also be used when using wired Ethernet drivers. 10030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2: like 0, but associate with APs using security policy and SSID (but not 10130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 10230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enable operation with hidden SSIDs and optimized roaming; in this mode, 10330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network blocks in the configuration file are tried one by one until 10430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the driver reports successful association; each network block should have 10530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# explicit security policy (i.e., only one option in the lists) for 10630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt, pairwise, group, proto variables 10730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 10830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# created immediately regardless of scan results. ap_scan=1 mode will first try 10930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to scan for existing networks and only if no matches with the enabled 11030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are found, a new IBSS or AP mode network is created. 1118d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtap_scan=1 11230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP fast re-authentication 11430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, fast re-authentication is enabled for all EAP methods that 11530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# support it. This variable can be used to disable fast re-authentication. 11630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Normally, there is no need to disable this. 1178d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtfast_reauth=1 11830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OpenSSL Engine support 12030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These options can be used to load OpenSSL engines. 12130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The two engines that are supported currently are shown below: 12230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# They are both from the opensc project (http://www.opensc.org/) 12330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default no engines are loaded. 12430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the opensc engine available 12530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 12630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the pkcs11 engine available 12730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 12830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configure the path to the pkcs11 module required by the pkcs11 engine 12930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 13030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic EAP methods 13230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If EAP methods were built dynamically as shared object files, they need to be 13330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# loaded here before being used in the network blocks. By default, EAP methods 13430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are included statically in the build, so these lines are not needed 13530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 13630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 13730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Driver interface parameters 13930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field can be used to configure arbitrary driver interace parameters. The 14030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format is specific to the selected driver interface. This field is not used 14130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in most cases. 14230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#driver_param="field=value" 14330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Country code 14530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The ISO/IEC alpha2 country code for the country in which this device is 14630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# currently operating. 14730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#country=US 14830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum lifetime for PMKSA in seconds; default 43200 15030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKLifetime=43200 15130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Threshold for reauthentication (percentage of PMK lifetime); default 70 15230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKReauthThreshold=70 15330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Timeout for security association negotiation in seconds; default 60 15430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigSATimeout=60 15530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wi-Fi Protected Setup (WPS) parameters 15730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Universally Unique IDentifier (UUID; see RFC 4122) of the device 15930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not configured, UUID will be generated based on the local MAC address. 16030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#uuid=12345678-9abc-def0-1234-56789abcdef0 16130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Device Name 16330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# User-friendly description of device; up to 32 octets encoded in UTF-8 16430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_name=Wireless Client 16530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Manufacturer 16730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The manufacturer of the device (up to 64 ASCII characters) 16830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#manufacturer=Company 16930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Name 17130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model of the device (up to 32 ASCII characters) 17230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_name=cmodel 17330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Number 17530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Additional device description (up to 32 ASCII characters) 17630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_number=123 17730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial Number 17930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial number of the device (up to 32 characters) 18030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#serial_number=12345 18130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 18230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Primary Device Type 18330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Used format: <categ>-<OUI>-<subcateg> 18430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# categ = Category as an integer value 18530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 18630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default WPS OUI 18730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subcateg = OUI-specific Sub Category as an integer value 18830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Examples: 18930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-1 (Computer / PC) 19030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-2 (Computer / Server) 19130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5-0050F204-1 (Storage / NAS) 19230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6-0050F204-1 (Network Infrastructure / AP) 19330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_type=1-0050F204-1 19430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OS Version 19630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4-octet operating system version number (hex string) 19730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#os_version=01020300 19830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Config Methods 20030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# List of the supported configuration methods 20130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 20230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# nfc_interface push_button keypad virtual_display physical_display 20330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# virtual_push_button physical_push_button 20430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 1.0: 20530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label display push_button keypad 20630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 2.0: 20730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label virtual_display virtual_push_button keypad 20830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 20930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Credential processing 21030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = process received credentials internally (default) 21130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = do not process received credentials; just pass them over ctrl_iface to 21230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external program(s) 21330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = process received credentials internally and pass them over ctrl_iface 21430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external program(s) 21530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#wps_cred_processing=0 21630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 21704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 21804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The vendor attribute contents to be added in M1 (hex string) 21904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_vendor_ext_m1=000137100100020001 22004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 22104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NFC password token for WPS 22204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# These parameters can be used to configure a fixed NFC password token for the 22304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# station. This can be generated, e.g., with nfc_pw_token. When these 22404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# parameters are used, the station is assumed to be deployed with a NFC tag 22504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# that includes the matching NFC password token (e.g., written based on the 22604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NDEF record from nfc_pw_token). 22704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 22804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw_id: Device Password ID (16..65535) 22904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_pubkey: Hexdump of DH Public Key 23004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_privkey: Hexdump of DH Private Key 23104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw: Hexdump of Device Password 23204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 23330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum number of BSS entries to keep in memory 23430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Default: 200 23530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This can be used to limit memory use on the BSS entries (cached scan 23630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# results). A larger value may be needed in environments that have huge number 23730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of APs when using ap_scan=1 mode. 23830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#bss_max_count=200 23930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 24004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Automatic scan 24104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is an optional set of parameters for automatic scanning 24204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# within an interface in following format: 24304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=<autoscan module name>:<module parameters> 24461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# autoscan is like bgscan but on disconnected or inactive state. 24561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For instance, on exponential module parameters would be <base>:<limit> 24604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=exponential:3:300 24704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Which means a delay between scans on a base exponential of 3, 24861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# up to the limit of 300 seconds (3, 9, 27 ... 300) 24961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For periodic module, parameters would be <fixed interval> 25004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=periodic:30 25161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# So a delay of 30 seconds will be applied between each scan 25230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# filter_ssids - SSID-based scan result filtering 25430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not filter scan results (default) 25530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = only include configured SSIDs in scan results/BSS table 25630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#filter_ssids=0 25730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Password (and passphrase, etc.) backend for external storage 25961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# format: <backend name>[:<optional backend parameters>] 26061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#ext_password_backend=test:pw1=password|pw2=testing 26161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 26261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Timeout in seconds to detect STA inactivity (default: 300 seconds) 26361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 26461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This timeout value is used in P2P GO mode to clean up 26561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# inactive stations. 26661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#p2p_go_max_inactivity=300 26761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 268d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# Opportunistic Key Caching (also known as Proactive Key Caching) default 269d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# This parameter can be used to set the default behavior for the 270d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# proactive_key_caching parameter. By default, OKC is disabled unless enabled 271d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# with the global okc=1 parameter or with the per-network 272d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 273d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# can be disabled with per-network proactive_key_caching=0 parameter. 274d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt#okc=0 275d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt 276d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# Protected Management Frames default 277d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# This parameter can be used to set the default behavior for the ieee80211w 278d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 279d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF 280d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# is enabled/required by default, but can be disabled with the per-network 281d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# ieee80211w parameter. 282d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt#pmf=0 28330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 284a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Enabled SAE finite cyclic groups in preference order 285a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# By default (if this parameter is not set), the mandatory group 19 (ECC group 286a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# defined over a 256-bit prime order field) is preferred, but other groups are 287a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# also enabled. If this parameter is set, the groups will be tried in the 288a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# indicated order. The group values are listed in the IANA registry: 289a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 290a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt#sae_groups=21 20 19 26 25 291a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt 2927a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Default value for DTIM period (if not overridden in network block) 2937a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#dtim_period=2 2947a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 2957a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Default value for Beacon interval (if not overridden in network block) 2967a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#beacon_int=100 2977a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 2980ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# Additional vendor specific elements for Beacon and Probe Response frames 2990ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# This parameter can be used to add additional vendor specific element(s) into 3000ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# the end of the Beacon and Probe Response frames. The format for these 3010ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# element(s) is a hexdump of the raw information elements (id+len+payload for 3020ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# one or more elements). This is used in AP and P2P GO modes. 3030ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt#ap_vendor_elements=dd0411223301 3040ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt 305444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# Ignore scan results older than request 306444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# 307444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# The driver may have a cache of scan results that makes it return 308444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# information that is older than our scan trigger. This parameter can 309444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# be used to configure such old information to be ignored instead of 310444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# allowing it to update the internal BSS table. 311444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt#ignore_old_scan_res=0 312444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt 313ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# scan_cur_freq: Whether to scan only the current frequency 314ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# 0: Scan all available frequencies. (Default) 315ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# 1: Scan current operating frequency if another VIF on the same radio 316ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# is already associated. 317444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt 318c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Interworking (IEEE 802.11u) 319c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 320c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Enable Interworking 321c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interworking=1 322c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 323c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Homogenous ESS identifier 324c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# If this is set, scans will be used to request response only from BSSes 325c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# belonging to the specified Homogeneous ESS. This is used only if interworking 326c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# is enabled. 327c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# hessid=00:11:22:33:44:55 328c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 32961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Automatic network selection behavior 33061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 0 = do not automatically go through Interworking network selection 33161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# (i.e., require explicit interworking_select command for this; default) 33261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 1 = perform Interworking network selection if one or more 33361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# credentials have been configured and scan did not find a 33461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# matching network block 33561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#auto_interworking=0 33661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 33704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential block 33804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Each credential used for automatic network selection is configured as a set 34004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# of parameters that are compared to the information advertised by the APs when 34104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# interworking_select and interworking_connect commands are used. 34204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential fields: 34404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# priority: Priority group 34604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# By default, all networks and credentials get the same priority group 34704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (0). This field can be used to give higher priority for credentials 34804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly in struct wpa_ssid for network blocks) to change the 34904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Interworking automatic networking selection behavior. The matching 35004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# network (based on either an enabled network block or a credential) 35104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# with the highest priority value will be selected. 35204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 35304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# pcsc: Use PC/SC and SIM/USIM card 35404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 35504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm: Home Realm for Interworking 35604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 35704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username: Username for Interworking network selection 35804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 35904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password: Password for Interworking network selection 36004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert: CA certificate for Interworking network selection 36204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 36404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This field is used with Interworking networking selection for a case 36504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# where client certificate/private key is used for authentication 36604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (EAP-TLS). Full path to the file should be used since working 36704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# directory may change when wpa_supplicant is run in the background. 36804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 37004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 37104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 37304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 37404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# commented out. Both the private key and certificate will be read 37504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# from the PKCS#12 file in this case. Full path to the file should be 37604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# used since working directory may change when wpa_supplicant is run 37704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# in the background. 37804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 38004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# configuring private_key in one of the following formats: 38104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 38204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# cert://substring_to_match 38304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 38404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hash://certificate_thumbprint_in_hex 38504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 38604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 38704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 38804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Note that when running wpa_supplicant as an application, the user 38904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# certificate store (My user account) is used, whereas computer store 39004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (Computer account) is used when running wpasvc as a service. 39104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 39304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 39404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key_passwd: Password for private key file 39604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 39804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 40004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# format 40104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 40204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain: Home service provider FQDN 40304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is used to compare against the Domain Name List to figure out 40404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# whether the AP is operated by the Home SP. 40504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 40661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# roaming_consortium: Roaming Consortium OI 40761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# If roaming_consortium_len is non-zero, this field contains the 40861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Roaming Consortium OI that can be used to determine which access 40961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# points support authentication with this credential. This is an 41061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# alternative to the use of the realm parameter. When using Roaming 41161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Consortium to match the network, the EAP parameters need to be 41261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# pre-configured with the credential since the NAI Realm information 41361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# may not be available or fetched. 41461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 41561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# eap: Pre-configured EAP method 41661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field can be used to specify which EAP method will be 41761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# used with this credential. If not set, the EAP method is selected 41861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# automatically based on ANQP information (e.g., NAI Realm). 41961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 42061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase1: Pre-configure Phase 1 (outer authentication) parameters 42161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field is used with like the 'eap' parameter. 42261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 42361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2: Pre-configure Phase 2 (inner authentication) parameters 42461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field is used with like the 'eap' parameter. 42561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 426a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# excluded_ssid: Excluded SSID 427a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# This optional field can be used to excluded specific SSID(s) from 428a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# matching with the network. Multiple entries can be used to specify more 429a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# than one SSID. 430a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 43104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# for example: 43204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 43304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 43404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm="example.com" 43504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username="user@example.com" 43604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password="password" 43704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 43804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain="example.com" 43904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 44004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 44104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 44204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi="310026-000000000" 44304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 44404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 44561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 44661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#cred={ 44761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# realm="example.com" 44861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# username="user" 44961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# password="password" 45061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 45161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# domain="example.com" 45261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# roaming_consortium=223344 45361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# eap=TTLS 45461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2="auth=MSCHAPV2" 45561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#} 456c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 45704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Hotspot 2.0 45804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hs20=1 459c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 46030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block 46130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 46230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Each network (usually AP's sharing the same SSID) is configured as a separate 46330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# block in this configuration file. The network blocks are in preference order 46430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (the first match is used). 46530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 46630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block fields: 46730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 46830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# disabled: 46930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = this network can be used (default) 47030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = this network block is disabled (can be enabled through ctrl_iface, 47130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# e.g., with wpa_cli or wpa_gui) 47230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 47330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# id_str: Network identifier string for external scripts. This value is passed 47430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external action script through wpa_cli as WPA_ID_STR environment 47530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable to make it easier to do network specific configuration. 47630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 47761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# ssid: SSID (mandatory); network name in one of the optional formats: 47861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - an ASCII string with double quotation 47961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - a hex string (two characters per octet of SSID) 48061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - a printf-escaped ASCII string P"<escaped string>" 48130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 48230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_ssid: 48330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not scan this SSID with specific Probe Request frames (default) 48430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = scan with SSID-specific Probe Request frames (this can be used to 48530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# find APs that do not accept broadcast SSID or use multiple SSIDs; 48630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this will add latency to scanning, so enable this only when needed) 48730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 48830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bssid: BSSID (optional); if set, this network block is used only when 48930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# associating with the AP using the configured BSSID 49030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 49130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority: priority group (integer) 49230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, all networks will get same priority group (0). If some of the 49330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are more desirable, this field can be used to change the order in 49430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# which wpa_supplicant goes through the networks when selecting a BSS. The 49530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority groups will be iterated in decreasing priority (i.e., the larger the 49630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority value, the sooner the network is matched against the scan results). 49730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Within each priority group, networks will be selected based on security 49830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# policy, signal strength, etc. 49930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 50030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# using this priority to select the order for scanning. Instead, they try the 50130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks in the order that used in the configuration file. 50230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 50330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mode: IEEE 802.11 operation mode 50430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 50530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = IBSS (ad-hoc, peer-to-peer) 50630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = AP (access point) 50730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 50830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires 50930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# following network block options: 51030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 51130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# both), and psk must also be set. 51230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 51330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 51430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 51530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 51630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# In addition, this value is only used by the station that creates the IBSS. If 51730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# an IBSS network with the configured SSID is already present, the frequency of 51830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network will be used instead of this configured value. 51930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 52030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_freq: List of frequencies to scan 52130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to scan when searching for this 52230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSS. If the subset of channels used by the network is known, this option can 52330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# be used to optimize scanning to not occur on channels that the network does 52430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not use. Example: scan_freq=2412 2437 2462 52530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 52630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# freq_list: Array of allowed frequencies 52730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 52830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set, scan results that do not match any of the specified frequencies are not 52930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# considered when selecting a BSS. 53030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 53151b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# This can also be set on the outside of the network block. In this case, 53251b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# it limits the frequencies that will be scanned. 53351b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# 534a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan: Background scanning 535a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# wpa_supplicant behavior for background scanning can be specified by 536a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# configuring a bgscan module. These modules are responsible for requesting 537a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# background scans for the purpose of roaming within an ESS (i.e., within a 538a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# single network block with all the APs using the same SSID). The bgscan 539a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# parameter uses following format: "<bgscan module name>:<module parameters>" 540a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Following bgscan modules are available: 541a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# simple - Periodic background scans based on signal strength 542a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 543a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# <long interval>" 544a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="simple:30:-45:300" 545a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# learn - Learn channels used by the network and try to avoid bgscans on other 546a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# channels (experimental) 547a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 548a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# <long interval>[:<database file name>]" 549a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 550a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 55130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto: list of accepted protocols 55230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA = WPA/IEEE 802.11i/D3.0 55330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 55430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA RSN 55530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 55630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt: list of accepted authenticated key management protocols 55730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 55830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP = WPA using EAP authentication 55930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 56030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated WEP keys 56130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = WPA is not used; plaintext or static WEP could be used 56230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 56330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 56430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA-PSK WPA-EAP 56530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 56604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ieee80211w: whether management frame protection is enabled 567d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# 0 = disabled (default unless changed with the global pmf parameter) 56804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 1 = optional 56904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 2 = required 57004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The most common configuration options for this based on the PMF (protected 57104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# management frames) certification program are: 57204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 57304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 57404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 57504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 57630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# auth_alg: list of allowed IEEE 802.11 authentication algorithms 57730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OPEN = Open System authentication (required for WPA/WPA2) 57830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# SHARED = Shared Key authentication (requires static WEP keys) 57930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP = LEAP/Network EAP (only used with LEAP) 58030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, automatic selection is used (Open System with LEAP enabled if 58130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP is allowed as one of the EAP methods). 58230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 58330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise: list of accepted pairwise (unicast) ciphers for WPA 58430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 58530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 58630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = Use only Group Keys (deprecated, should not be included if APs support 58730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise keys) 58830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP 58930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 59030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group: list of accepted group (broadcast/multicast) ciphers for WPA 59130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 59230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 59330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 59430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 59530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP WEP104 WEP40 59630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 59730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# psk: WPA preshared key; 256-bit pre-shared key 59830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 59930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 60030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated using the passphrase and SSID). ASCII passphrase must be between 60161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can 60261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# be used to indicate that the PSK/passphrase is stored in external storage. 60330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is not needed, if WPA-EAP is used. 60430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 60530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 60630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# startup and reconfiguration time can be optimized by generating the PSK only 60730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# only when the passphrase or SSID has actually changed. 60830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 60930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 61030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic WEP key required for non-WPA mode 61130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit0 (1): require dynamically generated unicast WEP key 61230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit1 (2): require dynamically generated broadcast WEP key 61330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (3 = require both keys; default) 61430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: When using wired authentication, eapol_flags must be set to 0 for the 61530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication to be completed successfully. 61630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 61730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mixed_cell: This option can be used to configure whether so called mixed 61830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cells, i.e., networks that use both plaintext and encryption in the same 619c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# SSID, are allowed when selecting a BSS from scan results. 62030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 62130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 62230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 62330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proactive_key_caching: 62430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Enable/disable opportunistic PMKSA caching for WPA2. 625d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# 0 = disabled (default unless changed with the global okc parameter) 62630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 62730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 62830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 62930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hex without quotation, e.g., 0102030405) 63030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_tx_keyidx: Default WEP key index (TX) (0..3) 63130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 63230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 63330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allowed. This is only used with RSN/WPA2. 63430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 63530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 63630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#peerkey=1 63730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 63830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 63930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 64030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 64130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following fields are only used with internal EAP implementation. 64230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eap: space-separated list of accepted EAP methods 64330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 64430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cannot be used with WPA; to be used as a Phase 2 method 64530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# with EAP-PEAP or EAP-TTLS) 64630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 64730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 64830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OTP = EAP-OTP (cannot be used separately with WPA; to be used 64930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 65030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# GTC = EAP-GTC (cannot be used separately with WPA; to be used 65130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 65230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS = EAP-TLS (client and server certificate) 65330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAP = EAP-PEAP (with tunnelled EAP authentication) 65430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 65530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication) 65630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, all compiled in methods are allowed. 65730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 65830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# identity: Identity string for EAP 65930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is also used to configure user NAI for 66030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK/PAX/SAKE/GPSK. 66130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# anonymous_identity: Anonymous identity string for EAP (to be used as the 66230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted identity with EAP types that support different tunnelled 6634530cfd4d14a77c58e35393b91e40f8dd9d62697Dmitry Shmidt# identity, e.g., EAP-TTLS). This field can also be used with 6644530cfd4d14a77c58e35393b91e40f8dd9d62697Dmitry Shmidt# EAP-SIM/AKA/AKA' to store the pseudonym identity. 66530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# password: Password string for EAP. This field can include either the 66630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# plaintext password (using ASCII or hex string) or a NtPasswordHash 66730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 66830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NtPasswordHash can only be used when the password is for MSCHAPv2 or 66930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 67030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 67130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PSK) is also configured using this field. For EAP-GPSK, this is a 67261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# variable length PSK. ext:<name of external password field> format can 67361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# be used to indicate that the password is stored in external storage. 67430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 67530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or more trusted CA certificates. If ca_cert and ca_path are not 67630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# included, server certificate will not be verified. This is insecure and 67730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# a trusted CA certificate should always be configured when using 67830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 67930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change when wpa_supplicant is run in the background. 68030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 68130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, this can be used to only perform matching of the server 68230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 68330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this case, the possible CA certificates in the server certificate chain 68430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are ignored and only the server certificate is verified. This is 68530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured with the following format: 68630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash:://server/sha256/cert_hash_in_hex 68730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For example: "hash://server/sha256/ 68830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 68930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 69030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# On Windows, trusted CA certificates can be loaded from the system 69130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store by setting this to cert_store://<name>, e.g., 69230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 69330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 69430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 69530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 69630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path: Directory path for CA certificate files (PEM). This path may 69730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contain multiple CA certificates in OpenSSL format. Common use for this 69830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# is to point to system trusted CA list which is often installed into 69930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory like /etc/ssl/certs. If configured, these certificates are 70030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# added to the list of trusted CAs. ca_cert may also be included in that 70130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# case, but it is not required. 70230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 70330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Full path should be used since working directory may change when 70430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is run in the background. 70530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 70630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 70730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 70830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 70930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# commented out. Both the private key and certificate will be read from 71030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the PKCS#12 file in this case. Full path should be used since working 71130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory may change when wpa_supplicant is run in the background. 71230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 71330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuring private_key in one of the following formats: 71430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cert://substring_to_match 71530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash://certificate_thumbprint_in_hex 71630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 71730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 71830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 71930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 72030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 72130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 72230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key_passwd: Password for private key file (if left out, this will be 72330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# asked through control interface) 72430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file: File path to DH/DSA parameters file (in PEM format) 72530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This is an optional configuration file for setting parameters for an 72630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ephemeral DH key exchange. In most cases, the default RSA 72730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication does not use this configuration. However, it is possible 72830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 72930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DSA keys always use ephemeral DH keys. This can be used to achieve 73030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# forward secrecy. If the file is in DSA parameters format, it will be 73130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# automatically converted into DH params. 73230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match: Substring to be matched against the subject of the 73330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. If this string is set, the server 73430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sertificate is only accepted if it contains this string in the subject. 73530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The subject string is in following format: 73630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 73730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match: Semicolon separated string of entries to be matched against 73830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the alternative subject name of the authentication server certificate. 73930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If this string is set, the server sertificate is only accepted if it 74030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contains one of the entries in an alternative subject name extension. 74130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altSubjectName string is in following format: TYPE:VALUE 74230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: EMAIL:server@example.com 74330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: DNS:server.example.com;DNS:server2.example.com 74430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following types are supported: EMAIL, DNS, URI 74530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 74630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "peapver=0" or 74730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "peapver=1 peaplabel=1") 74830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peapver' can be used to force which PEAP version (0 or 1) is used. 74930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 75030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be used during key derivation when PEAPv1 or newer. Most existing 75130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAPv1 implementation seem to be using the old label, "client EAP 75230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# encryption", and wpa_supplicant is now using that as the default value. 75330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 75430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperate with PEAPv1; see eap_testing.txt for more details. 75530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peap_outer_success=0' can be used to terminate PEAP authentication on 75630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# tunneled EAP-Success. This is required with some RADIUS servers that 75730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 75830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 75930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# include_tls_length=1 can be used to force wpa_supplicant to include 76030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS Message Length field in all TLS messages even if they are not 76130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmented. 76230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 76330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# challenges (by default, it accepts 2 or 3) 76430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 76530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# protected result indication. 76630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 76730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# behavior: 76830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 0 = do not use cryptobinding (default) 76930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 1 = use cryptobinding if server supports it 77030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 2 = require cryptobinding 77130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-WSC (WPS) uses following options: pin=<Device Password> or 77230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pbc=1. 77330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase2: Phase2 (inner authentication with TLS tunnel) parameters 77430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 77530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 77661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 77761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# TLS-based methods can use the following parameters to control TLS behavior 77861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# (these are normally in the phase1 parameter, but can be used also in the 77961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2 parameter when EAP-TLS is used within the inner tunnel): 78061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the 78161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# TLS library, these may be disabled by default to enforce stronger 78261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# security) 78361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_time_checks=1 - ignore certificate validity time (this requests 78461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# the TLS library to accept certificates even if they are not currently 78561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# valid, i.e., have expired or have not yet become valid; this should be 78661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# used only for testing purposes) 78761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_session_ticket=1 - disable TLS Session Ticket extension 78861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used 78961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS 79061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# as a workaround for broken authentication server implementations unless 79161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# EAP workarounds are disabled with eap_workarounds=0. 79261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For EAP-FAST, this must be set to 0 (or left unconfigured for the 79361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# default value to be used automatically). 79461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 79530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following certificate/private key fields are used in inner Phase2 79630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication when using EAP-TTLS or EAP-PEAP. 79730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert2: File path to CA certificate file. This file can have one or more 79830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 79930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# server certificate will not be verified. This is insecure and a trusted 80030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CA certificate should always be configured. 80130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path2: Directory path for CA certificate files (PEM) 80230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert2: File path to client certificate file 80330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2: File path to client private key file 80430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2_passwd: Password for private key file 80530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file2: File path to DH/DSA parameters file (in PEM format) 80630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match2: Substring to be matched against the subject of the 80730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. 80830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match2: Substring to be matched against the alternative subject 80930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# name of the authentication server certificate. 81030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 81130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragment_size: Maximum EAP fragment size in bytes (default 1398). 81230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This value limits the fragment size for EAP methods that support 81330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 81430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# small enough to make the EAP messages fit in MTU of the network 81530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface used for EAPOL. The default value is suitable for most 81630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. 81730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 81834af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# ocsp: Whether to use/require OCSP to check server certificate 81934af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 0 = do not use OCSP stapling (TLS certificate status extension) 82034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 1 = try to use OCSP stapling, but not require response 82134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 2 = require valid OCSP stapling response 82234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 82330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST variables: 82430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 82530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to create this file and write updates to it when PAC is being 82630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# provisioned or refreshed. Full path to the file should be used since 82730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# working directory may change when wpa_supplicant is run in the 82830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# background. Alternatively, a named configuration blob can be used by 82930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setting this to blob://<blob name> 83030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: fast_provisioning option can be used to enable in-line provisioning 83130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of EAP-FAST credentials (PAC): 83230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled, 83330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = allow unauthenticated provisioning, 83430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = allow authenticated provisioning, 83530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3 = allow both unauthenticated and authenticated provisioning 83630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_max_pac_list_len=<num> option can be used to set the maximum 83730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of PAC entries to store in a PAC list (default: 10) 83830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_pac_format=binary option can be used to select binary format for 83930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# storing PAC entries in order to save some space (the default 84030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# text format uses about 2.5 times the size of minimal binary 84130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format) 84230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 84330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant supports number of "EAP workarounds" to work around 84430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperability issues with incorrectly behaving authentication servers. 84530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These are enabled by default because some of the issues are present in large 84630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of authentication servers. Strict EAP conformance mode can be 84730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured by disabling workarounds with eap_workaround=0. 84830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 84904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Station inactivity limit 85004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 85104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# If a station does not send anything in ap_max_inactivity seconds, an 85204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# empty data frame is sent to it in order to verify whether it is 85304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# still in range. If this frame is not ACKed, the station will be 85404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociated and then deauthenticated. This feature is used to 85504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# clear station table of old entries when the STAs move out of the 85604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# range. 85704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 85804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The station can associate again with the AP if it is still in range; 85904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this inactivity poll is just used as a nicer way of verifying 86004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# inactivity; i.e., client will not report broken connection because 86104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociation frame is not sent immediately without first polling 86204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# the STA with a data frame. 86304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# default: 300 (i.e., 5 minutes) 86404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#ap_max_inactivity=300 86504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 86604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# DTIM period in Beacon intervals for AP mode (default: 2) 86704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#dtim_period=2 86804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 8697a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Beacon interval (default: 100 TU) 8707a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#beacon_int=100 8717a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 872a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_ht: Whether HT (802.11n) should be disabled. 873a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = HT enabled (if AP supports it) 874a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = HT disabled 875a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 876a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_ht40: Whether HT-40 (802.11n) should be disabled. 877a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = HT-40 enabled (if AP supports it) 878a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = HT-40 disabled 879a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 880a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_sgi: Whether SGI (short guard interval) should be disabled. 881a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = SGI enabled (if AP supports it) 882a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = SGI disabled 883a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 884a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs: Configure allowed MCS rates. 885a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Parsed as an array of bytes, in base-16 (ascii-hex) 886a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="" // Use all available (default) 887a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only 888a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only 889a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 890a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_max_amsdu: Whether MAX_AMSDU should be disabled. 891a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# -1 = Do not make any changes. 892a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = Enable MAX-AMSDU if hardware supports it. 893a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = Disable AMSDU 894a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 895a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ampdu_density: Allow overriding AMPDU density configuration. 896a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Treated as hint by the kernel. 897a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# -1 = Do not make any changes. 898a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0-3 = Set AMPDU density (aka factor) to specified value. 899a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt 9002f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# disable_vht: Whether VHT should be disabled. 9012f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 0 = VHT enabled (if AP supports it) 9022f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 1 = VHT disabled 9032f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 9042f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_capa: VHT capabilities to set in the override 9052f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_capa_mask: mask of VHT capabilities 9062f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 9072f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 9082f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 9092f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 0: MCS 0-7 9102f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 1: MCS 0-8 9112f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 2: MCS 0-9 9122f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 3: not supported 9132f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt 91430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example blocks: 91530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 91630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 91730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 91830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="simple" 91930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 92030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 92130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 92230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 92330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Same as previous, but request SSID-specific scanning (for APs that reject 92430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast SSID) 92530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 92630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="second ssid" 92730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 92830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 92930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 93030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 93130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 93230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-PSK is used. Any valid cipher combination is accepted. 93330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 93430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 93530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 93630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 93730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 93830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 93930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 94030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 94130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 94230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 94330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 94430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 94530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 94630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 94730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 94830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=TKIP 94930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 95030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="not so secure passphrase" 95130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wpa_ptk_rekey=600 95230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 95330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 95430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 95530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or WEP40 as the group cipher will not be accepted. 95630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 95730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 95830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 95930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 96030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 96130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 96230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 96330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 96430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 96530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 96630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 96730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 96830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=1 96930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 97030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 97130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 97230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (e.g., Radiator) 97330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 97430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 97530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 97630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PEAP 97730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 97830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 97930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 98030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=1" 98130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 98230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=10 98330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 98430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 98530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 98630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 98730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 98830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 98930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 99030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 99130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 99230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 99330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 99430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 99530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 99630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 99730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 99830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 99930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# use. Real identity is sent only within an encrypted TLS tunnel. 100030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 100130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 100230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 100330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 100430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 100530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 100630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 100730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 100830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 100930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 101030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 101130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 101230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication. 101330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 101430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 101530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 101630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 101730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase1 / outer authentication 101830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 101930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 102030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase 2 / inner authentication 102130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="autheap=TLS" 102230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert2="/etc/cert/ca2.pem" 102330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert2="/etc/cer/user.pem" 102430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2="/etc/cer/user.prv" 102530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2_passwd="password" 102630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 102730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 102830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 102930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 103030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group cipher. 103130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 103230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 103330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt bssid=00:11:22:33:44:55 103430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA RSN 103530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK WPA-EAP 103630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP 103730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP 103830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 103930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 104030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 104230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and all valid ciphers. 104330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 104430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid=00010203 104530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 104630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 104730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-SIM with a GSM SIM or USIM 105030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 105130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-sim-test" 105230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 105330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=SIM 105430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 105530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pcsc="" 105630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 105730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 105830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 105930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK 106030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 106130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-psk-test" 106230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 106330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PSK 106430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="eap_psk_user" 106530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password=06b4be19da289f475aa46a33cb793029 106630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="eap_psk_user@example.com" 106730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 106830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 106930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 107030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 107130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS for authentication and key generation; require both unicast and 107230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast WEP keys. 107330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 107430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="1x-test" 107530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 107630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 107730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 107830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 107930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 108030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 108130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 108230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eapol_flags=3 108330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 108430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 108530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 108630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP with dynamic WEP keys 108730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 108830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="leap-example" 108930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 109030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=LEAP 109130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 109230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 109330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 109430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 109530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-IKEv2 using shared secrets for both server and peer authentication 109630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 109730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="ikev2-example" 109830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 109930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=IKEV2 110030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 110130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 110230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 110330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 110430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST with WPA (WPA or WPA2) 110530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 110630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 110730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 110830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 110930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 111030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 111130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 111230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 111330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="/etc/wpa_supplicant.eap-fast-pac" 111430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 111530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 111630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 111730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 111830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 111930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 112030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 112130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 112230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 112330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 112430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="blob://eap-fast-pac" 112530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 112630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 112730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Plaintext connection (no WPA, no IEEE 802.1X) 112830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 112930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="plaintext-test" 113030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 113130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 113230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 113330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 113430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) 113530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 113630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test" 113730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 113830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 113930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 114030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 114130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 114230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 114330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 114430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 114530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 114630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 114730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.11 authentication 114830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 114930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test2" 115030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 115130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 115230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 115330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 115430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 115530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 115630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt auth_alg=SHARED 115730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 115830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 115930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 116030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IBSS/ad-hoc network with WPA-None/TKIP. 116130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 116230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="test adhoc" 116330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt mode=1 116430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt frequency=2412 116530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 116630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-NONE 116730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=NONE 116830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 116930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="secret passphrase" 117030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 117130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Catch all example that allows more or less all configuration modes 117430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 117530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 117630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 117730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 117830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 117930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 118030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 118130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS PEAP TLS 118230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 118330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 118430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 118530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 118630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 118730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 118830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=0" 118930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 119030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 119130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example of EAP-TLS with smartcard (openssl engine) 119230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 119330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 119430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 119530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 119630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 119730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 119830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 119930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 120030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 120130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 120230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 120330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine=1 120430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 120530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The engine configured here must be available. Look at 120630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # OpenSSL engine support in the global section. 120730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The key available through the engine must be the private key 120830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # matching the client certificate configured above. 120930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the opensc engine 121130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #engine_id="opensc" 121230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #key_id="45" 121330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the pkcs11 engine 121530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine_id="pkcs11" 121630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_id="id_45" 121730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Optional PIN configuration; this can be left out and PIN will be 121930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # asked through the control interface 122030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 122130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 122230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 122330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example configuration showing how to use an inlined blob as a CA certificate 122430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# data instead of using external file 122530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 122630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 122730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 122830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 122930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 123030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 123130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 123230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="blob://exampleblob" 123330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=20 123430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 123530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 123630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtblob-base64-exampleblob={ 123730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry ShmidtSGVsbG8gV29ybGQhCg== 123830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 123930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 124030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 124130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wildcard match for SSID (plaintext APs only). This example select any 124230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# open AP regardless of its SSID. 124330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 124430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 124530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 124651b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt 124751b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt 124851b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# Example config file that will only scan on channel 36. 124951b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidtfreq_list=5180 125051b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidtnetwork={ 125151b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt key_mgmt=NONE 125251b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt} 1253