wpa_supplicant.conf revision 04949598a23f501be6eec21697465fd46a28840a
130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt##### Example wpa_supplicant configuration file ############################### 230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This file describes configuration file format and lists all available option. 430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please also take a look at simpler configuration examples in 'examples' 530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subdirectory. 630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Empty lines and lines starting with # are ignored 830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NOTE! This file may contain password information and should probably be made 1030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# readable only by root user on multiuser systems. 1130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: All file paths in this configuration file should use full (absolute, 1330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not relative to working directory) path in order to allow working directory 1430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be changed. This can happen if wpa_supplicant is run in the background. 1530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Whether to allow wpa_supplicant to update (overwrite) configuration 1730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This option can be used to allow wpa_supplicant to overwrite configuration 1930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# file whenever configuration is changed (e.g., new network block is added with 2030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli or wpa_gui, or a password is changed). This is required for 2130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 2230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that overwriting configuration file will remove the comments from 2330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# it. 2430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#update_config=1 2530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 2630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# global configuration (shared by all network blocks) 2730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Parameters for the control interface. If this is specified, wpa_supplicant 2930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will open a control interface that is available for external programs to 3030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# manage wpa_supplicant. The meaning of this string depends on which control 31c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interface mechanism is used. For all cases, the existence of this parameter 3230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in configuration is used to determine whether the control interface is 3330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enabled. 3430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UNIX domain sockets (default on Linux and BSD): This is a directory that 3630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will be created for UNIX domain sockets for listening to requests from 3730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external programs (CLI/GUI, etc.) for status information and configuration. 3830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The socket file will be named based on the interface name, so multiple 3930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant processes can be run at the same time if more than one 4030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface is used. 4130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /var/run/wpa_supplicant is the recommended directory for sockets and by 4230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default, wpa_cli will use it when trying to connect with wpa_supplicant. 4330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Access control for the control interface can be configured by setting the 4530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory to allow only members of a group to use sockets. This way, it is 4630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# possible to run wpa_supplicant as root (since it needs to change network 4730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuration and open raw sockets) and still allow GUI/CLI components to be 4830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# run as non-root users. However, since the control interface can be used to 4930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change the network configuration, this access needs to be protected in many 5030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 5130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# want to allow non-root users to use the control interface, add a new group 5230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and change this value to match with that group. Add users that should have 5330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# control interface access to this group. If this variable is commented out or 5430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not included in the configuration file, group will not be changed from the 5530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# value it got by default when the directory or socket was created. 5630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When configuring both the directory and group, use following format: 5830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=wheel 5930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=0 6030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (group can be either group name or gid) 6130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UDP connections (default on Windows): The value will be ignored. This 6330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable is just used to select that the control interface is to be created. 6430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The value can be set to, e.g., udp (ctrl_interface=udp) 6530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For Windows Named Pipe: This value can be used to set the security descriptor 6730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for controlling access to the control interface. Security descriptor can be 6830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 6930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# library/default.asp?url=/library/en-us/secauthz/security/ 7030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# security_descriptor_string_format.asp). The descriptor string needs to be 7130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 7230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DACL (which will reject all connections). See README-Windows.txt for more 7330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information about SDDL string format. 7430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 7530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtctrl_interface=/var/run/wpa_supplicant 7630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 7730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL version 7830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 7930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAPOL version 2. However, there are many APs that do not handle the new 8030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version number correctly (they seem to drop the frames completely). In order 8130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to make wpa_supplicant interoperate with these APs, the version number is set 8230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to 1 by default. This configuration value can be used to set it to the new 8330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version (2). 848d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidteapol_version=1 8530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 8630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# AP scanning/selection 8730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, wpa_supplicant requests driver to perform AP scanning and then 8830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# uses the scan results to select a suitable AP. Another alternative is to 8930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allow the driver to take care of AP scanning and selection and use 9030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 9130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information from the driver. 9230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 9330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the currently enabled networks are found, a new network (IBSS or AP mode 9430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# operation) may be initialized (if configured) (default) 9530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 9630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# parameters (e.g., WPA IE generation); this mode can also be used with 9730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 9830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# APs (i.e., external program needs to control association). This mode must 9930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# also be used when using wired Ethernet drivers. 10030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2: like 0, but associate with APs using security policy and SSID (but not 10130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 10230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enable operation with hidden SSIDs and optimized roaming; in this mode, 10330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network blocks in the configuration file are tried one by one until 10430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the driver reports successful association; each network block should have 10530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# explicit security policy (i.e., only one option in the lists) for 10630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt, pairwise, group, proto variables 10730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 10830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# created immediately regardless of scan results. ap_scan=1 mode will first try 10930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to scan for existing networks and only if no matches with the enabled 11030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are found, a new IBSS or AP mode network is created. 1118d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtap_scan=1 11230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP fast re-authentication 11430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, fast re-authentication is enabled for all EAP methods that 11530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# support it. This variable can be used to disable fast re-authentication. 11630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Normally, there is no need to disable this. 1178d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtfast_reauth=1 11830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OpenSSL Engine support 12030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These options can be used to load OpenSSL engines. 12130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The two engines that are supported currently are shown below: 12230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# They are both from the opensc project (http://www.opensc.org/) 12330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default no engines are loaded. 12430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the opensc engine available 12530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 12630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the pkcs11 engine available 12730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 12830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configure the path to the pkcs11 module required by the pkcs11 engine 12930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 13030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic EAP methods 13230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If EAP methods were built dynamically as shared object files, they need to be 13330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# loaded here before being used in the network blocks. By default, EAP methods 13430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are included statically in the build, so these lines are not needed 13530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 13630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 13730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Driver interface parameters 13930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field can be used to configure arbitrary driver interace parameters. The 14030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format is specific to the selected driver interface. This field is not used 14130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in most cases. 14230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#driver_param="field=value" 14330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Country code 14530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The ISO/IEC alpha2 country code for the country in which this device is 14630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# currently operating. 14730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#country=US 14830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum lifetime for PMKSA in seconds; default 43200 15030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKLifetime=43200 15130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Threshold for reauthentication (percentage of PMK lifetime); default 70 15230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKReauthThreshold=70 15330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Timeout for security association negotiation in seconds; default 60 15430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigSATimeout=60 15530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wi-Fi Protected Setup (WPS) parameters 15730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Universally Unique IDentifier (UUID; see RFC 4122) of the device 15930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not configured, UUID will be generated based on the local MAC address. 16030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#uuid=12345678-9abc-def0-1234-56789abcdef0 16130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Device Name 16330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# User-friendly description of device; up to 32 octets encoded in UTF-8 16430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_name=Wireless Client 16530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Manufacturer 16730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The manufacturer of the device (up to 64 ASCII characters) 16830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#manufacturer=Company 16930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Name 17130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model of the device (up to 32 ASCII characters) 17230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_name=cmodel 17330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Number 17530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Additional device description (up to 32 ASCII characters) 17630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_number=123 17730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial Number 17930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial number of the device (up to 32 characters) 18030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#serial_number=12345 18130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 18230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Primary Device Type 18330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Used format: <categ>-<OUI>-<subcateg> 18430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# categ = Category as an integer value 18530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 18630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default WPS OUI 18730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subcateg = OUI-specific Sub Category as an integer value 18830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Examples: 18930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-1 (Computer / PC) 19030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-2 (Computer / Server) 19130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5-0050F204-1 (Storage / NAS) 19230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6-0050F204-1 (Network Infrastructure / AP) 19330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_type=1-0050F204-1 19430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OS Version 19630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4-octet operating system version number (hex string) 19730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#os_version=01020300 19830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Config Methods 20030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# List of the supported configuration methods 20130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 20230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# nfc_interface push_button keypad virtual_display physical_display 20330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# virtual_push_button physical_push_button 20430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 1.0: 20530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label display push_button keypad 20630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 2.0: 20730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label virtual_display virtual_push_button keypad 20830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 20930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Credential processing 21030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = process received credentials internally (default) 21130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = do not process received credentials; just pass them over ctrl_iface to 21230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external program(s) 21330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = process received credentials internally and pass them over ctrl_iface 21430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external program(s) 21530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#wps_cred_processing=0 21630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 21704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 21804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The vendor attribute contents to be added in M1 (hex string) 21904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_vendor_ext_m1=000137100100020001 22004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 22104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NFC password token for WPS 22204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# These parameters can be used to configure a fixed NFC password token for the 22304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# station. This can be generated, e.g., with nfc_pw_token. When these 22404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# parameters are used, the station is assumed to be deployed with a NFC tag 22504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# that includes the matching NFC password token (e.g., written based on the 22604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NDEF record from nfc_pw_token). 22704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 22804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw_id: Device Password ID (16..65535) 22904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_pubkey: Hexdump of DH Public Key 23004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_privkey: Hexdump of DH Private Key 23104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw: Hexdump of Device Password 23204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 23330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum number of BSS entries to keep in memory 23430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Default: 200 23530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This can be used to limit memory use on the BSS entries (cached scan 23630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# results). A larger value may be needed in environments that have huge number 23730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of APs when using ap_scan=1 mode. 23830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#bss_max_count=200 23930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 24004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Automatic scan 24104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is an optional set of parameters for automatic scanning 24204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# within an interface in following format: 24304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=<autoscan module name>:<module parameters> 24404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#�autoscan is like bgscan but on disconnected or inactive state. 24504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#�For instance, on exponential module parameters would be <base>:<limit> 24604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=exponential:3:300 24704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Which means a delay between scans on a base exponential of 3, 24804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#�up to the limit of 300 seconds (3, 9, 27 ... 300) 24904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#�For periodic module, parameters would be <fixed interval> 25004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=periodic:30 25104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#�So a delay of 30 seconds will be applied between each scan 25230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# filter_ssids - SSID-based scan result filtering 25430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not filter scan results (default) 25530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = only include configured SSIDs in scan results/BSS table 25630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#filter_ssids=0 25730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 259c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Interworking (IEEE 802.11u) 260c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 261c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Enable Interworking 262c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interworking=1 263c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 264c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Homogenous ESS identifier 265c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# If this is set, scans will be used to request response only from BSSes 266c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# belonging to the specified Homogeneous ESS. This is used only if interworking 267c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# is enabled. 268c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# hessid=00:11:22:33:44:55 269c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 27004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential block 27104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 27204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Each credential used for automatic network selection is configured as a set 27304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# of parameters that are compared to the information advertised by the APs when 27404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# interworking_select and interworking_connect commands are used. 27504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 27604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential fields: 27704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 27804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# priority: Priority group 27904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# By default, all networks and credentials get the same priority group 28004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (0). This field can be used to give higher priority for credentials 28104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly in struct wpa_ssid for network blocks) to change the 28204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Interworking automatic networking selection behavior. The matching 28304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# network (based on either an enabled network block or a credential) 28404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# with the highest priority value will be selected. 28504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 28604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# pcsc: Use PC/SC and SIM/USIM card 28704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 28804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm: Home Realm for Interworking 28904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 29004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username: Username for Interworking network selection 29104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 29204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password: Password for Interworking network selection 29304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 29404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert: CA certificate for Interworking network selection 29504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 29604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 29704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This field is used with Interworking networking selection for a case 29804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# where client certificate/private key is used for authentication 29904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (EAP-TLS). Full path to the file should be used since working 30004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# directory may change when wpa_supplicant is run in the background. 30104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 30204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 30304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 30404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 30504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 30604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 30704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# commented out. Both the private key and certificate will be read 30804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# from the PKCS#12 file in this case. Full path to the file should be 30904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# used since working directory may change when wpa_supplicant is run 31004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# in the background. 31104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 31204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 31304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# configuring private_key in one of the following formats: 31404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 31504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# cert://substring_to_match 31604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 31704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hash://certificate_thumbprint_in_hex 31804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 31904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 32004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 32104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Note that when running wpa_supplicant as an application, the user 32204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# certificate store (My user account) is used, whereas computer store 32304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (Computer account) is used when running wpasvc as a service. 32404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 32504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 32604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 32704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 32804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key_passwd: Password for private key file 32904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 33104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 33304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# format 33404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain: Home service provider FQDN 33604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is used to compare against the Domain Name List to figure out 33704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# whether the AP is operated by the Home SP. 33804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# for example: 34004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 34204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm="example.com" 34304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username="user@example.com" 34404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password="password" 34504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 34604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain="example.com" 34704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 34804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 35004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi="310026-000000000" 35104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 35204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 353c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 35404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Hotspot 2.0 35504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hs20=1 356c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 35730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block 35830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 35930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Each network (usually AP's sharing the same SSID) is configured as a separate 36030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# block in this configuration file. The network blocks are in preference order 36130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (the first match is used). 36230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 36330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block fields: 36430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 36530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# disabled: 36630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = this network can be used (default) 36730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = this network block is disabled (can be enabled through ctrl_iface, 36830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# e.g., with wpa_cli or wpa_gui) 36930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 37030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# id_str: Network identifier string for external scripts. This value is passed 37130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external action script through wpa_cli as WPA_ID_STR environment 37230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable to make it easier to do network specific configuration. 37330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 37430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ssid: SSID (mandatory); either as an ASCII string with double quotation or 37530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as hex string; network name 37630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 37730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_ssid: 37830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not scan this SSID with specific Probe Request frames (default) 37930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = scan with SSID-specific Probe Request frames (this can be used to 38030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# find APs that do not accept broadcast SSID or use multiple SSIDs; 38130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this will add latency to scanning, so enable this only when needed) 38230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 38330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bssid: BSSID (optional); if set, this network block is used only when 38430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# associating with the AP using the configured BSSID 38530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 38630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority: priority group (integer) 38730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, all networks will get same priority group (0). If some of the 38830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are more desirable, this field can be used to change the order in 38930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# which wpa_supplicant goes through the networks when selecting a BSS. The 39030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority groups will be iterated in decreasing priority (i.e., the larger the 39130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority value, the sooner the network is matched against the scan results). 39230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Within each priority group, networks will be selected based on security 39330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# policy, signal strength, etc. 39430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 39530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# using this priority to select the order for scanning. Instead, they try the 39630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks in the order that used in the configuration file. 39730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 39830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mode: IEEE 802.11 operation mode 39930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 40030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = IBSS (ad-hoc, peer-to-peer) 40130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = AP (access point) 40230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 40330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires 40430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# following network block options: 40530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 40630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# both), and psk must also be set. 40730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 40830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 40930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 41030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 41130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# In addition, this value is only used by the station that creates the IBSS. If 41230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# an IBSS network with the configured SSID is already present, the frequency of 41330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network will be used instead of this configured value. 41430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 41530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_freq: List of frequencies to scan 41630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to scan when searching for this 41730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSS. If the subset of channels used by the network is known, this option can 41830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# be used to optimize scanning to not occur on channels that the network does 41930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not use. Example: scan_freq=2412 2437 2462 42030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 42130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# freq_list: Array of allowed frequencies 42230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 42330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set, scan results that do not match any of the specified frequencies are not 42430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# considered when selecting a BSS. 42530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 42630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto: list of accepted protocols 42730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA = WPA/IEEE 802.11i/D3.0 42830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 42930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA RSN 43030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 43130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt: list of accepted authenticated key management protocols 43230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 43330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP = WPA using EAP authentication 43430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 43530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated WEP keys 43630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = WPA is not used; plaintext or static WEP could be used 43730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 43830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 43930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA-PSK WPA-EAP 44030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 44104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ieee80211w: whether management frame protection is enabled 44204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 0 = disabled (default) 44304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 1 = optional 44404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 2 = required 44504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The most common configuration options for this based on the PMF (protected 44604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# management frames) certification program are: 44704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 44804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 44904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 45004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 45130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# auth_alg: list of allowed IEEE 802.11 authentication algorithms 45230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OPEN = Open System authentication (required for WPA/WPA2) 45330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# SHARED = Shared Key authentication (requires static WEP keys) 45430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP = LEAP/Network EAP (only used with LEAP) 45530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, automatic selection is used (Open System with LEAP enabled if 45630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP is allowed as one of the EAP methods). 45730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 45830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise: list of accepted pairwise (unicast) ciphers for WPA 45930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 46030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 46130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = Use only Group Keys (deprecated, should not be included if APs support 46230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise keys) 46330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP 46430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 46530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group: list of accepted group (broadcast/multicast) ciphers for WPA 46630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 46730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 46830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 46930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 47030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP WEP104 WEP40 47130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 47230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# psk: WPA preshared key; 256-bit pre-shared key 47330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 47430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 47530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated using the passphrase and SSID). ASCII passphrase must be between 47630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 8 and 63 characters (inclusive). 47730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is not needed, if WPA-EAP is used. 47830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 47930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 48030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# startup and reconfiguration time can be optimized by generating the PSK only 48130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# only when the passphrase or SSID has actually changed. 48230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 48330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 48430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic WEP key required for non-WPA mode 48530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit0 (1): require dynamically generated unicast WEP key 48630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit1 (2): require dynamically generated broadcast WEP key 48730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (3 = require both keys; default) 48830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: When using wired authentication, eapol_flags must be set to 0 for the 48930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication to be completed successfully. 49030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 49130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mixed_cell: This option can be used to configure whether so called mixed 49230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cells, i.e., networks that use both plaintext and encryption in the same 493c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# SSID, are allowed when selecting a BSS from scan results. 49430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 49530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 49630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 49730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proactive_key_caching: 49830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Enable/disable opportunistic PMKSA caching for WPA2. 49930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 50030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 50130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 50230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 50330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hex without quotation, e.g., 0102030405) 50430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_tx_keyidx: Default WEP key index (TX) (0..3) 50530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 50630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 50730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allowed. This is only used with RSN/WPA2. 50830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 50930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 51030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#peerkey=1 51130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 51230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 51330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 51430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 51530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following fields are only used with internal EAP implementation. 51630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eap: space-separated list of accepted EAP methods 51730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 51830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cannot be used with WPA; to be used as a Phase 2 method 51930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# with EAP-PEAP or EAP-TTLS) 52030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 52130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 52230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OTP = EAP-OTP (cannot be used separately with WPA; to be used 52330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 52430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# GTC = EAP-GTC (cannot be used separately with WPA; to be used 52530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 52630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS = EAP-TLS (client and server certificate) 52730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAP = EAP-PEAP (with tunnelled EAP authentication) 52830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 52930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication) 53030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, all compiled in methods are allowed. 53130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 53230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# identity: Identity string for EAP 53330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is also used to configure user NAI for 53430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK/PAX/SAKE/GPSK. 53530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# anonymous_identity: Anonymous identity string for EAP (to be used as the 53630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted identity with EAP types that support different tunnelled 53730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# identity, e.g., EAP-TTLS) 53830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# password: Password string for EAP. This field can include either the 53930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# plaintext password (using ASCII or hex string) or a NtPasswordHash 54030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 54130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NtPasswordHash can only be used when the password is for MSCHAPv2 or 54230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 54330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 54430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PSK) is also configured using this field. For EAP-GPSK, this is a 54530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable length PSK. 54630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 54730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or more trusted CA certificates. If ca_cert and ca_path are not 54830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# included, server certificate will not be verified. This is insecure and 54930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# a trusted CA certificate should always be configured when using 55030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 55130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change when wpa_supplicant is run in the background. 55230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 55330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, this can be used to only perform matching of the server 55430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 55530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this case, the possible CA certificates in the server certificate chain 55630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are ignored and only the server certificate is verified. This is 55730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured with the following format: 55830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash:://server/sha256/cert_hash_in_hex 55930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For example: "hash://server/sha256/ 56030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 56130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 56230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# On Windows, trusted CA certificates can be loaded from the system 56330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store by setting this to cert_store://<name>, e.g., 56430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 56530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 56630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 56730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 56830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path: Directory path for CA certificate files (PEM). This path may 56930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contain multiple CA certificates in OpenSSL format. Common use for this 57030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# is to point to system trusted CA list which is often installed into 57130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory like /etc/ssl/certs. If configured, these certificates are 57230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# added to the list of trusted CAs. ca_cert may also be included in that 57330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# case, but it is not required. 57430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 57530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Full path should be used since working directory may change when 57630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is run in the background. 57730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 57830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 57930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 58030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 58130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# commented out. Both the private key and certificate will be read from 58230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the PKCS#12 file in this case. Full path should be used since working 58330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory may change when wpa_supplicant is run in the background. 58430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 58530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuring private_key in one of the following formats: 58630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cert://substring_to_match 58730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash://certificate_thumbprint_in_hex 58830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 58930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 59030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 59130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 59230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 59330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 59430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key_passwd: Password for private key file (if left out, this will be 59530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# asked through control interface) 59630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file: File path to DH/DSA parameters file (in PEM format) 59730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This is an optional configuration file for setting parameters for an 59830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ephemeral DH key exchange. In most cases, the default RSA 59930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication does not use this configuration. However, it is possible 60030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 60130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DSA keys always use ephemeral DH keys. This can be used to achieve 60230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# forward secrecy. If the file is in DSA parameters format, it will be 60330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# automatically converted into DH params. 60430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match: Substring to be matched against the subject of the 60530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. If this string is set, the server 60630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sertificate is only accepted if it contains this string in the subject. 60730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The subject string is in following format: 60830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 60930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match: Semicolon separated string of entries to be matched against 61030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the alternative subject name of the authentication server certificate. 61130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If this string is set, the server sertificate is only accepted if it 61230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contains one of the entries in an alternative subject name extension. 61330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altSubjectName string is in following format: TYPE:VALUE 61430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: EMAIL:server@example.com 61530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: DNS:server.example.com;DNS:server2.example.com 61630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following types are supported: EMAIL, DNS, URI 61730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 61830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "peapver=0" or 61930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "peapver=1 peaplabel=1") 62030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peapver' can be used to force which PEAP version (0 or 1) is used. 62130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 62230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be used during key derivation when PEAPv1 or newer. Most existing 62330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAPv1 implementation seem to be using the old label, "client EAP 62430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# encryption", and wpa_supplicant is now using that as the default value. 62530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 62630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperate with PEAPv1; see eap_testing.txt for more details. 62730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peap_outer_success=0' can be used to terminate PEAP authentication on 62830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# tunneled EAP-Success. This is required with some RADIUS servers that 62930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 63030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 63130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# include_tls_length=1 can be used to force wpa_supplicant to include 63230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS Message Length field in all TLS messages even if they are not 63330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmented. 63430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 63530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# challenges (by default, it accepts 2 or 3) 63630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 63730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# protected result indication. 63830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 63930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# behavior: 64030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 0 = do not use cryptobinding (default) 64130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 1 = use cryptobinding if server supports it 64230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 2 = require cryptobinding 64330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-WSC (WPS) uses following options: pin=<Device Password> or 64430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pbc=1. 64530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase2: Phase2 (inner authentication with TLS tunnel) parameters 64630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 64730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 64830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following certificate/private key fields are used in inner Phase2 64930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication when using EAP-TTLS or EAP-PEAP. 65030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert2: File path to CA certificate file. This file can have one or more 65130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 65230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# server certificate will not be verified. This is insecure and a trusted 65330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CA certificate should always be configured. 65430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path2: Directory path for CA certificate files (PEM) 65530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert2: File path to client certificate file 65630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2: File path to client private key file 65730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2_passwd: Password for private key file 65830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file2: File path to DH/DSA parameters file (in PEM format) 65930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match2: Substring to be matched against the subject of the 66030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. 66130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match2: Substring to be matched against the alternative subject 66230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# name of the authentication server certificate. 66330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 66430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragment_size: Maximum EAP fragment size in bytes (default 1398). 66530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This value limits the fragment size for EAP methods that support 66630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 66730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# small enough to make the EAP messages fit in MTU of the network 66830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface used for EAPOL. The default value is suitable for most 66930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. 67030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 67130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST variables: 67230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 67330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to create this file and write updates to it when PAC is being 67430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# provisioned or refreshed. Full path to the file should be used since 67530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# working directory may change when wpa_supplicant is run in the 67630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# background. Alternatively, a named configuration blob can be used by 67730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setting this to blob://<blob name> 67830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: fast_provisioning option can be used to enable in-line provisioning 67930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of EAP-FAST credentials (PAC): 68030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled, 68130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = allow unauthenticated provisioning, 68230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = allow authenticated provisioning, 68330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3 = allow both unauthenticated and authenticated provisioning 68430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_max_pac_list_len=<num> option can be used to set the maximum 68530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of PAC entries to store in a PAC list (default: 10) 68630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_pac_format=binary option can be used to select binary format for 68730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# storing PAC entries in order to save some space (the default 68830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# text format uses about 2.5 times the size of minimal binary 68930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format) 69030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 69130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant supports number of "EAP workarounds" to work around 69230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperability issues with incorrectly behaving authentication servers. 69330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These are enabled by default because some of the issues are present in large 69430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of authentication servers. Strict EAP conformance mode can be 69530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured by disabling workarounds with eap_workaround=0. 69630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 69704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Station inactivity limit 69804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 69904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# If a station does not send anything in ap_max_inactivity seconds, an 70004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# empty data frame is sent to it in order to verify whether it is 70104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# still in range. If this frame is not ACKed, the station will be 70204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociated and then deauthenticated. This feature is used to 70304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# clear station table of old entries when the STAs move out of the 70404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# range. 70504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 70604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The station can associate again with the AP if it is still in range; 70704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this inactivity poll is just used as a nicer way of verifying 70804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# inactivity; i.e., client will not report broken connection because 70904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociation frame is not sent immediately without first polling 71004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# the STA with a data frame. 71104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# default: 300 (i.e., 5 minutes) 71204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#ap_max_inactivity=300 71304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 71404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# DTIM period in Beacon intervals for AP mode (default: 2) 71504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#dtim_period=2 71604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 71730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example blocks: 71830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 71930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 72030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 72130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="simple" 72230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 72330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 72430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 72530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 72630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Same as previous, but request SSID-specific scanning (for APs that reject 72730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast SSID) 72830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 72930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="second ssid" 73030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 73130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 73230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 73330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 73430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 73530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-PSK is used. Any valid cipher combination is accepted. 73630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 73730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 73830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 73930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 74030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 74130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 74230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 74330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 74430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 74530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 74630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 74730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 74830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 74930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 75030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 75130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=TKIP 75230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 75330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="not so secure passphrase" 75430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wpa_ptk_rekey=600 75530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 75630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 75730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 75830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or WEP40 as the group cipher will not be accepted. 75930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 76030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 76130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 76230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 76330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 76430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 76530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 76630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 76730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 76830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 76930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 77030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 77130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=1 77230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 77330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 77430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 77530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (e.g., Radiator) 77630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 77730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 77830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 77930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PEAP 78030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 78130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 78230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 78330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=1" 78430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 78530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=10 78630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 78730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 78830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 78930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 79030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 79130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 79230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 79330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 79430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 79530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 79630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 79730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 79830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 79930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 80030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 80130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 80230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# use. Real identity is sent only within an encrypted TLS tunnel. 80330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 80430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 80530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 80630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 80730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 80830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 80930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 81030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 81130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 81230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 81330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 81430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 81530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication. 81630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 81730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 81830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 81930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 82030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase1 / outer authentication 82130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 82230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 82330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase 2 / inner authentication 82430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="autheap=TLS" 82530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert2="/etc/cert/ca2.pem" 82630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert2="/etc/cer/user.pem" 82730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2="/etc/cer/user.prv" 82830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2_passwd="password" 82930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 83030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 83130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 83230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 83330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group cipher. 83430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 83530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 83630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt bssid=00:11:22:33:44:55 83730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA RSN 83830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK WPA-EAP 83930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP 84030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP 84130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 84230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 84330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 84430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 84530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and all valid ciphers. 84630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 84730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid=00010203 84830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 84930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 85030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 85130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 85230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-SIM with a GSM SIM or USIM 85330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 85430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-sim-test" 85530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 85630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=SIM 85730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 85830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pcsc="" 85930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 86030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 86130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 86230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK 86330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 86430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-psk-test" 86530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 86630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PSK 86730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="eap_psk_user" 86830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password=06b4be19da289f475aa46a33cb793029 86930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="eap_psk_user@example.com" 87030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 87130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 87230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 87330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 87430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS for authentication and key generation; require both unicast and 87530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast WEP keys. 87630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 87730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="1x-test" 87830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 87930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 88030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 88130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 88230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 88330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 88430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 88530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eapol_flags=3 88630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 88730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 88830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 88930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP with dynamic WEP keys 89030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 89130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="leap-example" 89230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 89330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=LEAP 89430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 89530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 89630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 89730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 89830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-IKEv2 using shared secrets for both server and peer authentication 89930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 90030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="ikev2-example" 90130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 90230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=IKEV2 90330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 90430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 90530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 90630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 90730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST with WPA (WPA or WPA2) 90830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 90930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 91030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 91130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 91230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 91330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 91430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 91530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 91630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="/etc/wpa_supplicant.eap-fast-pac" 91730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 91830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 91930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 92030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 92130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 92230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 92330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 92430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 92530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 92630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 92730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="blob://eap-fast-pac" 92830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 92930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 93030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Plaintext connection (no WPA, no IEEE 802.1X) 93130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 93230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="plaintext-test" 93330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 93430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 93530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 93630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 93730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) 93830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 93930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test" 94030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 94130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 94230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 94330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 94430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 94530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 94630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 94730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 94830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 94930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 95030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.11 authentication 95130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 95230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test2" 95330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 95430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 95530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 95630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 95730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 95830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 95930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt auth_alg=SHARED 96030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 96130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 96230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 96330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IBSS/ad-hoc network with WPA-None/TKIP. 96430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 96530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="test adhoc" 96630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt mode=1 96730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt frequency=2412 96830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 96930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-NONE 97030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=NONE 97130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 97230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="secret passphrase" 97330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 97430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 97530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 97630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Catch all example that allows more or less all configuration modes 97730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 97830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 97930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 98030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 98130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 98230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 98330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 98430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS PEAP TLS 98530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 98630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 98730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 98830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 98930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 99030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 99130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=0" 99230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 99330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 99430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example of EAP-TLS with smartcard (openssl engine) 99530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 99630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 99730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 99830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 99930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 100030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 100130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 100230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 100330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 100430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 100530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 100630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine=1 100730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 100830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The engine configured here must be available. Look at 100930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # OpenSSL engine support in the global section. 101030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The key available through the engine must be the private key 101130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # matching the client certificate configured above. 101230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 101330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the opensc engine 101430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #engine_id="opensc" 101530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #key_id="45" 101630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 101730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the pkcs11 engine 101830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine_id="pkcs11" 101930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_id="id_45" 102030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 102130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Optional PIN configuration; this can be left out and PIN will be 102230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # asked through the control interface 102330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 102430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 102530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 102630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example configuration showing how to use an inlined blob as a CA certificate 102730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# data instead of using external file 102830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 102930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 103030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 103130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 103230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 103330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 103430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 103530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="blob://exampleblob" 103630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=20 103730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 103830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 103930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtblob-base64-exampleblob={ 104030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry ShmidtSGVsbG8gV29ybGQhCg== 104130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 104230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wildcard match for SSID (plaintext APs only). This example select any 104530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# open AP regardless of its SSID. 104630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 104730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 104830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 1049