130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt##### Example wpa_supplicant configuration file ############################### 230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This file describes configuration file format and lists all available option. 430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please also take a look at simpler configuration examples in 'examples' 530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subdirectory. 630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Empty lines and lines starting with # are ignored 830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NOTE! This file may contain password information and should probably be made 1030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# readable only by root user on multiuser systems. 1130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: All file paths in this configuration file should use full (absolute, 1330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not relative to working directory) path in order to allow working directory 1430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be changed. This can happen if wpa_supplicant is run in the background. 1530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Whether to allow wpa_supplicant to update (overwrite) configuration 1730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This option can be used to allow wpa_supplicant to overwrite configuration 1930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# file whenever configuration is changed (e.g., new network block is added with 2030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli or wpa_gui, or a password is changed). This is required for 2130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 2230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that overwriting configuration file will remove the comments from 2330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# it. 2430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#update_config=1 2530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 2630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# global configuration (shared by all network blocks) 2730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Parameters for the control interface. If this is specified, wpa_supplicant 2930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will open a control interface that is available for external programs to 3030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# manage wpa_supplicant. The meaning of this string depends on which control 31c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interface mechanism is used. For all cases, the existence of this parameter 3230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in configuration is used to determine whether the control interface is 3330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enabled. 3430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UNIX domain sockets (default on Linux and BSD): This is a directory that 3630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will be created for UNIX domain sockets for listening to requests from 3730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external programs (CLI/GUI, etc.) for status information and configuration. 3830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The socket file will be named based on the interface name, so multiple 3930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant processes can be run at the same time if more than one 4030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface is used. 4130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /var/run/wpa_supplicant is the recommended directory for sockets and by 4230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default, wpa_cli will use it when trying to connect with wpa_supplicant. 4330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Access control for the control interface can be configured by setting the 4530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory to allow only members of a group to use sockets. This way, it is 4630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# possible to run wpa_supplicant as root (since it needs to change network 4730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuration and open raw sockets) and still allow GUI/CLI components to be 4830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# run as non-root users. However, since the control interface can be used to 4930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change the network configuration, this access needs to be protected in many 5030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 5130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# want to allow non-root users to use the control interface, add a new group 5230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and change this value to match with that group. Add users that should have 5330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# control interface access to this group. If this variable is commented out or 5430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not included in the configuration file, group will not be changed from the 5530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# value it got by default when the directory or socket was created. 5630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When configuring both the directory and group, use following format: 5830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=wheel 5930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=0 6030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (group can be either group name or gid) 6130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UDP connections (default on Windows): The value will be ignored. This 6330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable is just used to select that the control interface is to be created. 6430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The value can be set to, e.g., udp (ctrl_interface=udp) 6530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For Windows Named Pipe: This value can be used to set the security descriptor 6730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for controlling access to the control interface. Security descriptor can be 6830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 6930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# library/default.asp?url=/library/en-us/secauthz/security/ 7030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# security_descriptor_string_format.asp). The descriptor string needs to be 7130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 7230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DACL (which will reject all connections). See README-Windows.txt for more 7330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information about SDDL string format. 7430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 7530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtctrl_interface=/var/run/wpa_supplicant 7630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 7730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL version 7830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 7930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAPOL version 2. However, there are many APs that do not handle the new 8030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version number correctly (they seem to drop the frames completely). In order 8130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to make wpa_supplicant interoperate with these APs, the version number is set 8230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to 1 by default. This configuration value can be used to set it to the new 8330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version (2). 845a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# Note: When using MACsec, eapol_version shall be set to 3, which is 855a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# defined in IEEE Std 802.1X-2010. 868d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidteapol_version=1 8730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 8830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# AP scanning/selection 8930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, wpa_supplicant requests driver to perform AP scanning and then 9030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# uses the scan results to select a suitable AP. Another alternative is to 9130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allow the driver to take care of AP scanning and selection and use 9230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 9330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information from the driver. 9430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 9530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the currently enabled networks are found, a new network (IBSS or AP mode 9630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# operation) may be initialized (if configured) (default) 9730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 9830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# parameters (e.g., WPA IE generation); this mode can also be used with 9930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 10030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# APs (i.e., external program needs to control association). This mode must 10130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# also be used when using wired Ethernet drivers. 1025a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# Note: macsec_qca driver is one type of Ethernet driver which implements 1035a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# macsec feature. 10430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2: like 0, but associate with APs using security policy and SSID (but not 10530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 10630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enable operation with hidden SSIDs and optimized roaming; in this mode, 10730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network blocks in the configuration file are tried one by one until 10830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the driver reports successful association; each network block should have 10930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# explicit security policy (i.e., only one option in the lists) for 11030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt, pairwise, group, proto variables 11130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 11230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# created immediately regardless of scan results. ap_scan=1 mode will first try 11330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to scan for existing networks and only if no matches with the enabled 11430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are found, a new IBSS or AP mode network is created. 1158d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtap_scan=1 11630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP fast re-authentication 11830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, fast re-authentication is enabled for all EAP methods that 11930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# support it. This variable can be used to disable fast re-authentication. 12030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Normally, there is no need to disable this. 1218d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtfast_reauth=1 12230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 12330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OpenSSL Engine support 12430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These options can be used to load OpenSSL engines. 12530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The two engines that are supported currently are shown below: 12630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# They are both from the opensc project (http://www.opensc.org/) 12730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default no engines are loaded. 12830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the opensc engine available 12930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 13030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the pkcs11 engine available 13130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 13230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configure the path to the pkcs11 module required by the pkcs11 engine 13330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 13430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic EAP methods 13630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If EAP methods were built dynamically as shared object files, they need to be 13730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# loaded here before being used in the network blocks. By default, EAP methods 13830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are included statically in the build, so these lines are not needed 13930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 14030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 14130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Driver interface parameters 14330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field can be used to configure arbitrary driver interace parameters. The 14430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format is specific to the selected driver interface. This field is not used 14530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in most cases. 14630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#driver_param="field=value" 14730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Country code 14930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The ISO/IEC alpha2 country code for the country in which this device is 15030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# currently operating. 15130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#country=US 15230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum lifetime for PMKSA in seconds; default 43200 15430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKLifetime=43200 15530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Threshold for reauthentication (percentage of PMK lifetime); default 70 15630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKReauthThreshold=70 15730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Timeout for security association negotiation in seconds; default 60 15830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigSATimeout=60 15930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wi-Fi Protected Setup (WPS) parameters 16130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Universally Unique IDentifier (UUID; see RFC 4122) of the device 16330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not configured, UUID will be generated based on the local MAC address. 16430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#uuid=12345678-9abc-def0-1234-56789abcdef0 16530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Device Name 16730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# User-friendly description of device; up to 32 octets encoded in UTF-8 16830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_name=Wireless Client 16930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Manufacturer 17130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The manufacturer of the device (up to 64 ASCII characters) 17230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#manufacturer=Company 17330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Name 17530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model of the device (up to 32 ASCII characters) 17630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_name=cmodel 17730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Number 17930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Additional device description (up to 32 ASCII characters) 18030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_number=123 18130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 18230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial Number 18330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial number of the device (up to 32 characters) 18430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#serial_number=12345 18530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 18630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Primary Device Type 18730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Used format: <categ>-<OUI>-<subcateg> 18830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# categ = Category as an integer value 18930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 19030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default WPS OUI 19130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subcateg = OUI-specific Sub Category as an integer value 19230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Examples: 19330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-1 (Computer / PC) 19430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-2 (Computer / Server) 19530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5-0050F204-1 (Storage / NAS) 19630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6-0050F204-1 (Network Infrastructure / AP) 19730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_type=1-0050F204-1 19830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OS Version 20030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4-octet operating system version number (hex string) 20130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#os_version=01020300 20230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 20330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Config Methods 20430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# List of the supported configuration methods 20530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 20630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# nfc_interface push_button keypad virtual_display physical_display 20730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# virtual_push_button physical_push_button 20830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 1.0: 20930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label display push_button keypad 21030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 2.0: 21130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label virtual_display virtual_push_button keypad 21230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 21330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Credential processing 21430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = process received credentials internally (default) 21530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = do not process received credentials; just pass them over ctrl_iface to 21630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external program(s) 21730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = process received credentials internally and pass them over ctrl_iface 21830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external program(s) 21930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#wps_cred_processing=0 22030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 22104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 22204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The vendor attribute contents to be added in M1 (hex string) 22304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_vendor_ext_m1=000137100100020001 22404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 22504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NFC password token for WPS 22604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# These parameters can be used to configure a fixed NFC password token for the 22704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# station. This can be generated, e.g., with nfc_pw_token. When these 22804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# parameters are used, the station is assumed to be deployed with a NFC tag 22904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# that includes the matching NFC password token (e.g., written based on the 23004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NDEF record from nfc_pw_token). 23104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 23204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw_id: Device Password ID (16..65535) 23304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_pubkey: Hexdump of DH Public Key 23404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_privkey: Hexdump of DH Private Key 23504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw: Hexdump of Device Password 23604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 23730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum number of BSS entries to keep in memory 23830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Default: 200 23930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This can be used to limit memory use on the BSS entries (cached scan 24030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# results). A larger value may be needed in environments that have huge number 24130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of APs when using ap_scan=1 mode. 24230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#bss_max_count=200 24330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 24404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Automatic scan 24504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is an optional set of parameters for automatic scanning 24604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# within an interface in following format: 24704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=<autoscan module name>:<module parameters> 248cce06667447b5aec83452adb0c15100ada531095Dmitry Shmidt# autoscan is like bgscan but on disconnected or inactive state. 249cce06667447b5aec83452adb0c15100ada531095Dmitry Shmidt# For instance, on exponential module parameters would be <base>:<limit> 25004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=exponential:3:300 25104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Which means a delay between scans on a base exponential of 3, 252cce06667447b5aec83452adb0c15100ada531095Dmitry Shmidt# up to the limit of 300 seconds (3, 9, 27 ... 300) 253cce06667447b5aec83452adb0c15100ada531095Dmitry Shmidt# For periodic module, parameters would be <fixed interval> 25404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=periodic:30 255cce06667447b5aec83452adb0c15100ada531095Dmitry Shmidt# So a delay of 30 seconds will be applied between each scan 25630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# filter_ssids - SSID-based scan result filtering 25830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not filter scan results (default) 25930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = only include configured SSIDs in scan results/BSS table 26030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#filter_ssids=0 26130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 26261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Password (and passphrase, etc.) backend for external storage 26361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# format: <backend name>[:<optional backend parameters>] 26461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#ext_password_backend=test:pw1=password|pw2=testing 26561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 26661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Timeout in seconds to detect STA inactivity (default: 300 seconds) 26761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 26861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This timeout value is used in P2P GO mode to clean up 26961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# inactive stations. 27061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#p2p_go_max_inactivity=300 27161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 2722271d3fdd5982d0e5e81cf9999a861bba933eacbDmitry Shmidt# Passphrase length (8..63) for P2P GO 2732271d3fdd5982d0e5e81cf9999a861bba933eacbDmitry Shmidt# 2742271d3fdd5982d0e5e81cf9999a861bba933eacbDmitry Shmidt# This parameter controls the length of the random passphrase that is 2752271d3fdd5982d0e5e81cf9999a861bba933eacbDmitry Shmidt# generated at the GO. Default: 8. 2762271d3fdd5982d0e5e81cf9999a861bba933eacbDmitry Shmidt#p2p_passphrase_len=8 2772271d3fdd5982d0e5e81cf9999a861bba933eacbDmitry Shmidt 27809f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt# Extra delay between concurrent P2P search iterations 27909f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt# 28009f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt# This value adds extra delay in milliseconds between concurrent search 28109f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt# iterations to make p2p_find friendlier to concurrent operations by avoiding 28209f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt# it from taking 100% of radio resources. The default value is 500 ms. 28309f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt#p2p_search_delay=500 28409f57babfc1e4473db20ced4f58a4c9f082c8ed8Dmitry Shmidt 285d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# Opportunistic Key Caching (also known as Proactive Key Caching) default 286d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# This parameter can be used to set the default behavior for the 287d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# proactive_key_caching parameter. By default, OKC is disabled unless enabled 288d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# with the global okc=1 parameter or with the per-network 289d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 290d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# can be disabled with per-network proactive_key_caching=0 parameter. 291d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt#okc=0 292d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt 293d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# Protected Management Frames default 294d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# This parameter can be used to set the default behavior for the ieee80211w 295d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 296d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF 297d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# is enabled/required by default, but can be disabled with the per-network 298d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# ieee80211w parameter. 299d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt#pmf=0 30030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 301a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Enabled SAE finite cyclic groups in preference order 302a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# By default (if this parameter is not set), the mandatory group 19 (ECC group 303a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# defined over a 256-bit prime order field) is preferred, but other groups are 304a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# also enabled. If this parameter is set, the groups will be tried in the 305a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# indicated order. The group values are listed in the IANA registry: 306a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 307a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt#sae_groups=21 20 19 26 25 308a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt 3097a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Default value for DTIM period (if not overridden in network block) 3107a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#dtim_period=2 3117a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 3127a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Default value for Beacon interval (if not overridden in network block) 3137a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#beacon_int=100 3147a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 3150ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# Additional vendor specific elements for Beacon and Probe Response frames 3160ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# This parameter can be used to add additional vendor specific element(s) into 3170ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# the end of the Beacon and Probe Response frames. The format for these 3180ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# element(s) is a hexdump of the raw information elements (id+len+payload for 3190ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt# one or more elements). This is used in AP and P2P GO modes. 3200ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt#ap_vendor_elements=dd0411223301 3210ccb66edb8d2a0a397320ace3ec2a03fb0d00d5fDmitry Shmidt 322444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# Ignore scan results older than request 323444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# 324444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# The driver may have a cache of scan results that makes it return 325444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# information that is older than our scan trigger. This parameter can 326444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# be used to configure such old information to be ignored instead of 327444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt# allowing it to update the internal BSS table. 328444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt#ignore_old_scan_res=0 329444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt 330ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# scan_cur_freq: Whether to scan only the current frequency 331ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# 0: Scan all available frequencies. (Default) 332ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# 1: Scan current operating frequency if another VIF on the same radio 333ea69e84a6f4455c59348485895d3d5e3af77a65bDmitry Shmidt# is already associated. 334444d567b27731d8572ef37697dd12fd1c37c2f24Dmitry Shmidt 335661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# MAC address policy default 336661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 0 = use permanent MAC address 337661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 1 = use random MAC address for each ESS connection 338661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 2 = like 1, but maintain OUI (with local admin bit set) 339661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 340661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# By default, permanent MAC address is used unless policy is changed by 341661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# the per-network mac_addr parameter. Global mac_addr=1 can be used to 342661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# change this default behavior. 343661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt#mac_addr=0 344661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt 345661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# Lifetime of random MAC address in seconds (default: 60) 346661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt#rand_addr_lifetime=60 347661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt 348661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# MAC address policy for pre-association operations (scanning, ANQP) 349661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 0 = use permanent MAC address 350661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 1 = use random MAC address 351661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 2 = like 1, but maintain OUI (with local admin bit set) 352661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt#preassoc_mac_addr=0 353661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt 354c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Interworking (IEEE 802.11u) 355c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 356c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Enable Interworking 357c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interworking=1 358c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 359c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Homogenous ESS identifier 360c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# If this is set, scans will be used to request response only from BSSes 361c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# belonging to the specified Homogeneous ESS. This is used only if interworking 362c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# is enabled. 363c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# hessid=00:11:22:33:44:55 364c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 36561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Automatic network selection behavior 36661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 0 = do not automatically go through Interworking network selection 36761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# (i.e., require explicit interworking_select command for this; default) 36861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 1 = perform Interworking network selection if one or more 36961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# credentials have been configured and scan did not find a 37061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# matching network block 37161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#auto_interworking=0 37261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 37304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential block 37404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Each credential used for automatic network selection is configured as a set 37604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# of parameters that are compared to the information advertised by the APs when 37704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# interworking_select and interworking_connect commands are used. 37804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential fields: 38004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 381fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# temporary: Whether this credential is temporary and not to be saved 382fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# 38304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# priority: Priority group 38404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# By default, all networks and credentials get the same priority group 38504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (0). This field can be used to give higher priority for credentials 38604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly in struct wpa_ssid for network blocks) to change the 38704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Interworking automatic networking selection behavior. The matching 38804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# network (based on either an enabled network block or a credential) 38904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# with the highest priority value will be selected. 39004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# pcsc: Use PC/SC and SIM/USIM card 39204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm: Home Realm for Interworking 39404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username: Username for Interworking network selection 39604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password: Password for Interworking network selection 39804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 39904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert: CA certificate for Interworking network selection 40004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 40104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 40204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This field is used with Interworking networking selection for a case 40304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# where client certificate/private key is used for authentication 40404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (EAP-TLS). Full path to the file should be used since working 40504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# directory may change when wpa_supplicant is run in the background. 40604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 40704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 40804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 40904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 41004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 41104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 41204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# commented out. Both the private key and certificate will be read 41304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# from the PKCS#12 file in this case. Full path to the file should be 41404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# used since working directory may change when wpa_supplicant is run 41504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# in the background. 41604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 41704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 41804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# configuring private_key in one of the following formats: 41904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 42004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# cert://substring_to_match 42104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 42204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hash://certificate_thumbprint_in_hex 42304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 42404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 42504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 42604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Note that when running wpa_supplicant as an application, the user 42704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# certificate store (My user account) is used, whereas computer store 42804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (Computer account) is used when running wpasvc as a service. 42904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 43004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 43104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 43204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 43304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key_passwd: Password for private key file 43404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 43504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 43604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 43704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 43804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# format 43904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 440051af73b8f8014eff33330aead0f36944b3403e6Dmitry Shmidt# domain: Home service provider FQDN(s) 44104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is used to compare against the Domain Name List to figure out 442051af73b8f8014eff33330aead0f36944b3403e6Dmitry Shmidt# whether the AP is operated by the Home SP. Multiple domain entries can 443051af73b8f8014eff33330aead0f36944b3403e6Dmitry Shmidt# be used to configure alternative FQDNs that will be considered home 444051af73b8f8014eff33330aead0f36944b3403e6Dmitry Shmidt# networks. 44504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 44661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# roaming_consortium: Roaming Consortium OI 44761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# If roaming_consortium_len is non-zero, this field contains the 44861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Roaming Consortium OI that can be used to determine which access 44961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# points support authentication with this credential. This is an 45061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# alternative to the use of the realm parameter. When using Roaming 45161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Consortium to match the network, the EAP parameters need to be 45261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# pre-configured with the credential since the NAI Realm information 45361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# may not be available or fetched. 45461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 45561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# eap: Pre-configured EAP method 45661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field can be used to specify which EAP method will be 45761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# used with this credential. If not set, the EAP method is selected 45861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# automatically based on ANQP information (e.g., NAI Realm). 45961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 46061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase1: Pre-configure Phase 1 (outer authentication) parameters 46161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field is used with like the 'eap' parameter. 46261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 46361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2: Pre-configure Phase 2 (inner authentication) parameters 46461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field is used with like the 'eap' parameter. 46561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 466a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# excluded_ssid: Excluded SSID 467a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# This optional field can be used to excluded specific SSID(s) from 468a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# matching with the network. Multiple entries can be used to specify more 469a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# than one SSID. 470a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 471f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# roaming_partner: Roaming partner information 472f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# This optional field can be used to configure preferences between roaming 473f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# partners. The field is a string in following format: 474f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# <FQDN>,<0/1 exact match>,<priority>,<* or country code> 475f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# (non-exact match means any subdomain matches the entry; priority is in 476f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 0..255 range with 0 being the highest priority) 477f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 478f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# update_identifier: PPS MO ID 479f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 480f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 481f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# provisioning_sp: FQDN of the SP that provisioned the credential 482f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# This optional field can be used to keep track of the SP that provisioned 483f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>). 484f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 485f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*) 486f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# These fields can be used to specify minimum download/upload backhaul 487f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# bandwidth that is preferred for the credential. This constraint is 488f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# ignored if the AP does not advertise WAN Metrics information or if the 489f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# limit would prevent any connection. Values are in kilobits per second. 490f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# min_dl_bandwidth_home 491f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# min_ul_bandwidth_home 492f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# min_dl_bandwidth_roaming 493f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# min_ul_bandwidth_roaming 494f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 495f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# max_bss_load: Maximum BSS Load Channel Utilization (1..255) 496f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# (PPS/<X+>/Policy/MaximumBSSLoadValue) 497f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# This value is used as the maximum channel utilization for network 498f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# selection purposes for home networks. If the AP does not advertise 499f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# BSS Load or if the limit would prevent any connection, this constraint 500f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# will be ignored. 501f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 502f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# req_conn_capab: Required connection capability 503f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# (PPS/<X+>/Policy/RequiredProtoPortTuple) 504f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# This value is used to configure set of required protocol/port pairs that 505f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# a roaming network shall support (include explicitly in Connection 506f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# Capability ANQP element). This constraint is ignored if the AP does not 507f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# advertise Connection Capability or if this constraint would prevent any 508f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# network connection. This policy is not used in home networks. 509f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# Format: <protocol>[:<comma-separated list of ports] 510f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# Multiple entries can be used to list multiple requirements. 511f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# For example, number of common TCP protocols: 512f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# req_conn_capab=6,22,80,443 513f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# For example, IPSec/IKE: 514f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# req_conn_capab=17:500 515f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# req_conn_capab=50 516f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 517f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# ocsp: Whether to use/require OCSP to check server certificate 518f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 0 = do not use OCSP stapling (TLS certificate status extension) 519f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 1 = try to use OCSP stapling, but not require response 520f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 2 = require valid OCSP stapling response 521f21452aea786ac056eb01f1cbba4f553bd502747Dmitry Shmidt# 522f9bdef99ce3b2858f2812c745a3d6bb093fb0e5dDmitry Shmidt# sim_num: Identifier for which SIM to use in multi-SIM devices 523f9bdef99ce3b2858f2812c745a3d6bb093fb0e5dDmitry Shmidt# 52404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# for example: 52504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 52604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 52704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm="example.com" 52804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username="user@example.com" 52904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password="password" 53004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 53104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain="example.com" 53204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 53304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 53404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 53504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi="310026-000000000" 53604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 53704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 53861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 53961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#cred={ 54061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# realm="example.com" 54161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# username="user" 54261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# password="password" 54361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 54461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# domain="example.com" 54561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# roaming_consortium=223344 54661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# eap=TTLS 54761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2="auth=MSCHAPV2" 54861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#} 549c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 55004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Hotspot 2.0 55104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hs20=1 552c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 55330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block 55430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 55530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Each network (usually AP's sharing the same SSID) is configured as a separate 55630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# block in this configuration file. The network blocks are in preference order 55730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (the first match is used). 55830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 55930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block fields: 56030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 56130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# disabled: 56230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = this network can be used (default) 56330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = this network block is disabled (can be enabled through ctrl_iface, 56430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# e.g., with wpa_cli or wpa_gui) 56530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 56630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# id_str: Network identifier string for external scripts. This value is passed 56730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external action script through wpa_cli as WPA_ID_STR environment 56830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable to make it easier to do network specific configuration. 56930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 57061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# ssid: SSID (mandatory); network name in one of the optional formats: 57161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - an ASCII string with double quotation 57261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - a hex string (two characters per octet of SSID) 57361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - a printf-escaped ASCII string P"<escaped string>" 57430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 57530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_ssid: 57630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not scan this SSID with specific Probe Request frames (default) 57730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = scan with SSID-specific Probe Request frames (this can be used to 57830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# find APs that do not accept broadcast SSID or use multiple SSIDs; 57930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this will add latency to scanning, so enable this only when needed) 58030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 58130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bssid: BSSID (optional); if set, this network block is used only when 58230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# associating with the AP using the configured BSSID 58330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 58430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority: priority group (integer) 58530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, all networks will get same priority group (0). If some of the 58630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are more desirable, this field can be used to change the order in 58730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# which wpa_supplicant goes through the networks when selecting a BSS. The 58830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority groups will be iterated in decreasing priority (i.e., the larger the 58930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority value, the sooner the network is matched against the scan results). 59030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Within each priority group, networks will be selected based on security 59130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# policy, signal strength, etc. 59230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 59330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# using this priority to select the order for scanning. Instead, they try the 59430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks in the order that used in the configuration file. 59530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 59630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mode: IEEE 802.11 operation mode 59730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 59830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = IBSS (ad-hoc, peer-to-peer) 59930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = AP (access point) 600fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and 601fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key 602fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# TKIP/CCMP) is available for backwards compatibility, but its use is 603fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# deprecated. WPA-None requires following network block options: 60430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 60530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# both), and psk must also be set. 60630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 60730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 60830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 60930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 61030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# In addition, this value is only used by the station that creates the IBSS. If 61130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# an IBSS network with the configured SSID is already present, the frequency of 61230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network will be used instead of this configured value. 61330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 61430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_freq: List of frequencies to scan 61530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to scan when searching for this 61630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSS. If the subset of channels used by the network is known, this option can 61730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# be used to optimize scanning to not occur on channels that the network does 61830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not use. Example: scan_freq=2412 2437 2462 61930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 62030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# freq_list: Array of allowed frequencies 62130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 62230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set, scan results that do not match any of the specified frequencies are not 62330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# considered when selecting a BSS. 62430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 62551b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# This can also be set on the outside of the network block. In this case, 62651b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# it limits the frequencies that will be scanned. 62751b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# 628a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan: Background scanning 629a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# wpa_supplicant behavior for background scanning can be specified by 630a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# configuring a bgscan module. These modules are responsible for requesting 631a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# background scans for the purpose of roaming within an ESS (i.e., within a 632a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# single network block with all the APs using the same SSID). The bgscan 633a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# parameter uses following format: "<bgscan module name>:<module parameters>" 634a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Following bgscan modules are available: 635a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# simple - Periodic background scans based on signal strength 636a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 637a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# <long interval>" 638a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="simple:30:-45:300" 639a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# learn - Learn channels used by the network and try to avoid bgscans on other 640a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# channels (experimental) 641a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 642a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# <long interval>[:<database file name>]" 643a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 644a38abf9af7bec7e89dbfb39ac7bb77223fe47c72Dmitry Shmidt# Explicitly disable bgscan by setting 645a38abf9af7bec7e89dbfb39ac7bb77223fe47c72Dmitry Shmidt# bgscan="" 646a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 647b96dad47218788efffa3db0fe7f1b54a7d19e366Dmitry Shmidt# This option can also be set outside of all network blocks for the bgscan 648b96dad47218788efffa3db0fe7f1b54a7d19e366Dmitry Shmidt# parameter to apply for all the networks that have no specific bgscan 649b96dad47218788efffa3db0fe7f1b54a7d19e366Dmitry Shmidt# parameter. 650b96dad47218788efffa3db0fe7f1b54a7d19e366Dmitry Shmidt# 65130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto: list of accepted protocols 65230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA = WPA/IEEE 802.11i/D3.0 65330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 65430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA RSN 65530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 65630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt: list of accepted authenticated key management protocols 65730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 65830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP = WPA using EAP authentication 65930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 66030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated WEP keys 66130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = WPA is not used; plaintext or static WEP could be used 66230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 66330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 66430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA-PSK WPA-EAP 66530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 66604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ieee80211w: whether management frame protection is enabled 667d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# 0 = disabled (default unless changed with the global pmf parameter) 66804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 1 = optional 66904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 2 = required 67004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The most common configuration options for this based on the PMF (protected 67104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# management frames) certification program are: 67204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 67304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 67404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 67504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 67630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# auth_alg: list of allowed IEEE 802.11 authentication algorithms 67730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OPEN = Open System authentication (required for WPA/WPA2) 67830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# SHARED = Shared Key authentication (requires static WEP keys) 67930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP = LEAP/Network EAP (only used with LEAP) 68030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, automatic selection is used (Open System with LEAP enabled if 68130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP is allowed as one of the EAP methods). 68230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 68330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise: list of accepted pairwise (unicast) ciphers for WPA 68430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 68530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 68630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = Use only Group Keys (deprecated, should not be included if APs support 68730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise keys) 68830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP 68930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 69030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group: list of accepted group (broadcast/multicast) ciphers for WPA 69130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 69230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 69330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 69430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 69530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP WEP104 WEP40 69630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 69730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# psk: WPA preshared key; 256-bit pre-shared key 69830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 69930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 70030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated using the passphrase and SSID). ASCII passphrase must be between 70161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can 70261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# be used to indicate that the PSK/passphrase is stored in external storage. 70330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is not needed, if WPA-EAP is used. 70430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 70530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 70630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# startup and reconfiguration time can be optimized by generating the PSK only 70730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# only when the passphrase or SSID has actually changed. 70830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 70930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 71030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic WEP key required for non-WPA mode 71130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit0 (1): require dynamically generated unicast WEP key 71230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit1 (2): require dynamically generated broadcast WEP key 71330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (3 = require both keys; default) 7145a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# Note: When using wired authentication (including macsec_qca driver), 7155a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# eapol_flags must be set to 0 for the authentication to be completed 7165a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# successfully. 7175a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# 7185a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# macsec_policy: IEEE 802.1X/MACsec options 7195a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# This determines how sessions are secured with MACsec. It is currently 7205a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# applicable only when using the macsec_qca driver interface. 7215a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# 0: MACsec not in use (default) 7225a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# 1: MACsec enabled - Should secure, accept key server's advice to 7235a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# determine whether to use a secure session or not. 72430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 72530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mixed_cell: This option can be used to configure whether so called mixed 72630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cells, i.e., networks that use both plaintext and encryption in the same 727c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# SSID, are allowed when selecting a BSS from scan results. 72830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 72930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 73030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 73130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proactive_key_caching: 73230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Enable/disable opportunistic PMKSA caching for WPA2. 733d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# 0 = disabled (default unless changed with the global okc parameter) 73430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 73530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 73630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 73730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hex without quotation, e.g., 0102030405) 73830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_tx_keyidx: Default WEP key index (TX) (0..3) 73930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 74030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 74130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allowed. This is only used with RSN/WPA2. 74230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 74330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 74430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#peerkey=1 74530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 74630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 74730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 74830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 74930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following fields are only used with internal EAP implementation. 75030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eap: space-separated list of accepted EAP methods 75130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 75230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cannot be used with WPA; to be used as a Phase 2 method 75330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# with EAP-PEAP or EAP-TTLS) 75430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 75530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 75630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OTP = EAP-OTP (cannot be used separately with WPA; to be used 75730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 75830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# GTC = EAP-GTC (cannot be used separately with WPA; to be used 75930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 76030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS = EAP-TLS (client and server certificate) 76130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAP = EAP-PEAP (with tunnelled EAP authentication) 76230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 76330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication) 76430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, all compiled in methods are allowed. 76530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 76630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# identity: Identity string for EAP 76730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is also used to configure user NAI for 76830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK/PAX/SAKE/GPSK. 76930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# anonymous_identity: Anonymous identity string for EAP (to be used as the 77030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted identity with EAP types that support different tunnelled 7714530cfd4d14a77c58e35393b91e40f8dd9d62697Dmitry Shmidt# identity, e.g., EAP-TTLS). This field can also be used with 7724530cfd4d14a77c58e35393b91e40f8dd9d62697Dmitry Shmidt# EAP-SIM/AKA/AKA' to store the pseudonym identity. 77330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# password: Password string for EAP. This field can include either the 77430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# plaintext password (using ASCII or hex string) or a NtPasswordHash 77530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 77630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NtPasswordHash can only be used when the password is for MSCHAPv2 or 77730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 77830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 77930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PSK) is also configured using this field. For EAP-GPSK, this is a 78061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# variable length PSK. ext:<name of external password field> format can 78161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# be used to indicate that the password is stored in external storage. 78230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 78330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or more trusted CA certificates. If ca_cert and ca_path are not 78430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# included, server certificate will not be verified. This is insecure and 78530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# a trusted CA certificate should always be configured when using 78630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 78730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change when wpa_supplicant is run in the background. 78830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 78930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, this can be used to only perform matching of the server 79030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 79130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this case, the possible CA certificates in the server certificate chain 79230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are ignored and only the server certificate is verified. This is 79330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured with the following format: 79430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash:://server/sha256/cert_hash_in_hex 79530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For example: "hash://server/sha256/ 79630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 79730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 79830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# On Windows, trusted CA certificates can be loaded from the system 79930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store by setting this to cert_store://<name>, e.g., 80030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 80130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 80230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 80330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 80430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path: Directory path for CA certificate files (PEM). This path may 80530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contain multiple CA certificates in OpenSSL format. Common use for this 80630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# is to point to system trusted CA list which is often installed into 80730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory like /etc/ssl/certs. If configured, these certificates are 80830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# added to the list of trusted CAs. ca_cert may also be included in that 80930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# case, but it is not required. 81030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 81130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Full path should be used since working directory may change when 81230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is run in the background. 81330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 81430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 81530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 81630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 81730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# commented out. Both the private key and certificate will be read from 81830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the PKCS#12 file in this case. Full path should be used since working 81930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory may change when wpa_supplicant is run in the background. 82030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 82130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuring private_key in one of the following formats: 82230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cert://substring_to_match 82330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash://certificate_thumbprint_in_hex 82430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 82530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 82630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 82730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 82830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 82930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 83030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key_passwd: Password for private key file (if left out, this will be 83130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# asked through control interface) 83230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file: File path to DH/DSA parameters file (in PEM format) 83330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This is an optional configuration file for setting parameters for an 83430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ephemeral DH key exchange. In most cases, the default RSA 83530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication does not use this configuration. However, it is possible 83630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 83730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DSA keys always use ephemeral DH keys. This can be used to achieve 83830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# forward secrecy. If the file is in DSA parameters format, it will be 83930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# automatically converted into DH params. 84030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match: Substring to be matched against the subject of the 84130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. If this string is set, the server 84230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sertificate is only accepted if it contains this string in the subject. 84330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The subject string is in following format: 84430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 84530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match: Semicolon separated string of entries to be matched against 84630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the alternative subject name of the authentication server certificate. 84730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If this string is set, the server sertificate is only accepted if it 84830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contains one of the entries in an alternative subject name extension. 84930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altSubjectName string is in following format: TYPE:VALUE 85030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: EMAIL:server@example.com 85130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: DNS:server.example.com;DNS:server2.example.com 85230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following types are supported: EMAIL, DNS, URI 85330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 85430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "peapver=0" or 85530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "peapver=1 peaplabel=1") 85630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peapver' can be used to force which PEAP version (0 or 1) is used. 85730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 85830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be used during key derivation when PEAPv1 or newer. Most existing 85930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAPv1 implementation seem to be using the old label, "client EAP 86030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# encryption", and wpa_supplicant is now using that as the default value. 86130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 86230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperate with PEAPv1; see eap_testing.txt for more details. 86330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peap_outer_success=0' can be used to terminate PEAP authentication on 86430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# tunneled EAP-Success. This is required with some RADIUS servers that 86530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 86630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 86730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# include_tls_length=1 can be used to force wpa_supplicant to include 86830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS Message Length field in all TLS messages even if they are not 86930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmented. 87030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 87130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# challenges (by default, it accepts 2 or 3) 87230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 87330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# protected result indication. 87430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 87530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# behavior: 87630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 0 = do not use cryptobinding (default) 87730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 1 = use cryptobinding if server supports it 87830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 2 = require cryptobinding 87930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-WSC (WPS) uses following options: pin=<Device Password> or 88030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pbc=1. 88130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase2: Phase2 (inner authentication with TLS tunnel) parameters 88230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 88330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 88461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 88561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# TLS-based methods can use the following parameters to control TLS behavior 88661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# (these are normally in the phase1 parameter, but can be used also in the 88761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2 parameter when EAP-TLS is used within the inner tunnel): 88861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the 88961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# TLS library, these may be disabled by default to enforce stronger 89061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# security) 89161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_time_checks=1 - ignore certificate validity time (this requests 89261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# the TLS library to accept certificates even if they are not currently 89361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# valid, i.e., have expired or have not yet become valid; this should be 89461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# used only for testing purposes) 89561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_session_ticket=1 - disable TLS Session Ticket extension 89661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used 89761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS 89861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# as a workaround for broken authentication server implementations unless 89961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# EAP workarounds are disabled with eap_workarounds=0. 90061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For EAP-FAST, this must be set to 0 (or left unconfigured for the 90161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# default value to be used automatically). 90213ca8d8ea51a1aa5e24c6c956473a11b0c7daed4Dmitry Shmidt# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers 90313ca8d8ea51a1aa5e24c6c956473a11b0c7daed4Dmitry Shmidt# that have issues interoperating with updated TLS version) 90413ca8d8ea51a1aa5e24c6c956473a11b0c7daed4Dmitry Shmidt# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers 90513ca8d8ea51a1aa5e24c6c956473a11b0c7daed4Dmitry Shmidt# that have issues interoperating with updated TLS version) 90661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 90730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following certificate/private key fields are used in inner Phase2 90830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication when using EAP-TTLS or EAP-PEAP. 90930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert2: File path to CA certificate file. This file can have one or more 91030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 91130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# server certificate will not be verified. This is insecure and a trusted 91230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CA certificate should always be configured. 91330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path2: Directory path for CA certificate files (PEM) 91430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert2: File path to client certificate file 91530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2: File path to client private key file 91630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2_passwd: Password for private key file 91730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file2: File path to DH/DSA parameters file (in PEM format) 91830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match2: Substring to be matched against the subject of the 91930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. 92030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match2: Substring to be matched against the alternative subject 92130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# name of the authentication server certificate. 92230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 92330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragment_size: Maximum EAP fragment size in bytes (default 1398). 92430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This value limits the fragment size for EAP methods that support 92530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 92630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# small enough to make the EAP messages fit in MTU of the network 92730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface used for EAPOL. The default value is suitable for most 92830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. 92930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 93034af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# ocsp: Whether to use/require OCSP to check server certificate 93134af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 0 = do not use OCSP stapling (TLS certificate status extension) 93234af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 1 = try to use OCSP stapling, but not require response 93334af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 2 = require valid OCSP stapling response 93434af306c42b7ccf956508e7cd23f0ba90606e360Dmitry Shmidt# 93530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST variables: 93630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 93730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to create this file and write updates to it when PAC is being 93830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# provisioned or refreshed. Full path to the file should be used since 93930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# working directory may change when wpa_supplicant is run in the 94030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# background. Alternatively, a named configuration blob can be used by 94130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setting this to blob://<blob name> 94230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: fast_provisioning option can be used to enable in-line provisioning 94330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of EAP-FAST credentials (PAC): 94430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled, 94530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = allow unauthenticated provisioning, 94630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = allow authenticated provisioning, 94730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3 = allow both unauthenticated and authenticated provisioning 94830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_max_pac_list_len=<num> option can be used to set the maximum 94930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of PAC entries to store in a PAC list (default: 10) 95030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_pac_format=binary option can be used to select binary format for 95130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# storing PAC entries in order to save some space (the default 95230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# text format uses about 2.5 times the size of minimal binary 95330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format) 95430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 95530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant supports number of "EAP workarounds" to work around 95630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperability issues with incorrectly behaving authentication servers. 95730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These are enabled by default because some of the issues are present in large 95830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of authentication servers. Strict EAP conformance mode can be 95930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured by disabling workarounds with eap_workaround=0. 96030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 96104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Station inactivity limit 96204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 96304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# If a station does not send anything in ap_max_inactivity seconds, an 96404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# empty data frame is sent to it in order to verify whether it is 96504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# still in range. If this frame is not ACKed, the station will be 96604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociated and then deauthenticated. This feature is used to 96704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# clear station table of old entries when the STAs move out of the 96804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# range. 96904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 97004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The station can associate again with the AP if it is still in range; 97104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this inactivity poll is just used as a nicer way of verifying 97204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# inactivity; i.e., client will not report broken connection because 97304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociation frame is not sent immediately without first polling 97404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# the STA with a data frame. 97504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# default: 300 (i.e., 5 minutes) 97604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#ap_max_inactivity=300 97704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 97804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# DTIM period in Beacon intervals for AP mode (default: 2) 97904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#dtim_period=2 98004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 9817a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Beacon interval (default: 100 TU) 9827a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#beacon_int=100 9837a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 984661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# MAC address policy 985661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 0 = use permanent MAC address 986661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 1 = use random MAC address for each ESS connection 987661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt# 2 = like 1, but maintain OUI (with local admin bit set) 988661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt#mac_addr=0 989661b4f78e48c697429dc46154a4125892c001718Dmitry Shmidt 990a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_ht: Whether HT (802.11n) should be disabled. 991a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = HT enabled (if AP supports it) 992a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = HT disabled 993a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 994a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_ht40: Whether HT-40 (802.11n) should be disabled. 995a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = HT-40 enabled (if AP supports it) 996a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = HT-40 disabled 997a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 998a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_sgi: Whether SGI (short guard interval) should be disabled. 999a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = SGI enabled (if AP supports it) 1000a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = SGI disabled 1001a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1002df5a7e4c5c64890c2425bb47d665bbce4992b676Dmitry Shmidt# disable_ldpc: Whether LDPC should be disabled. 1003df5a7e4c5c64890c2425bb47d665bbce4992b676Dmitry Shmidt# 0 = LDPC enabled (if AP supports it) 1004df5a7e4c5c64890c2425bb47d665bbce4992b676Dmitry Shmidt# 1 = LDPC disabled 1005df5a7e4c5c64890c2425bb47d665bbce4992b676Dmitry Shmidt# 100661593f02176862f4880ddefcb1f54cb5f5d9f043Dmitry Shmidt# ht40_intolerant: Whether 40 MHz intolerant should be indicated. 100761593f02176862f4880ddefcb1f54cb5f5d9f043Dmitry Shmidt# 0 = 40 MHz tolerant (default) 100861593f02176862f4880ddefcb1f54cb5f5d9f043Dmitry Shmidt# 1 = 40 MHz intolerant 100961593f02176862f4880ddefcb1f54cb5f5d9f043Dmitry Shmidt# 1010a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs: Configure allowed MCS rates. 1011a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Parsed as an array of bytes, in base-16 (ascii-hex) 1012a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="" // Use all available (default) 1013a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only 1014a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only 1015a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1016a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_max_amsdu: Whether MAX_AMSDU should be disabled. 1017a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# -1 = Do not make any changes. 1018a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = Enable MAX-AMSDU if hardware supports it. 1019a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = Disable AMSDU 1020a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 10217dba0e5708da7276a43a44cf479aa743564e15b9Dmitry Shmidt# ampdu_factor: Maximum A-MPDU Length Exponent 10227dba0e5708da7276a43a44cf479aa743564e15b9Dmitry Shmidt# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009. 10237dba0e5708da7276a43a44cf479aa743564e15b9Dmitry Shmidt# 1024a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ampdu_density: Allow overriding AMPDU density configuration. 1025a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Treated as hint by the kernel. 1026a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# -1 = Do not make any changes. 1027a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0-3 = Set AMPDU density (aka factor) to specified value. 1028a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt 10292f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# disable_vht: Whether VHT should be disabled. 10302f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 0 = VHT enabled (if AP supports it) 10312f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 1 = VHT disabled 10322f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 10332f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_capa: VHT capabilities to set in the override 10342f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_capa_mask: mask of VHT capabilities 10352f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 10362f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 10372f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 10382f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 0: MCS 0-7 10392f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 1: MCS 0-8 10402f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 2: MCS 0-9 10412f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 3: not supported 10422f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt 104330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example blocks: 104430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 104630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 104730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="simple" 104830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 104930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 105030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 105130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 105230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Same as previous, but request SSID-specific scanning (for APs that reject 105330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast SSID) 105430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 105530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="second ssid" 105630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 105730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 105830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 105930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 106030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 106130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-PSK is used. Any valid cipher combination is accepted. 106230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 106330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 106430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 106530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 106630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 106730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 106830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 106930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 107030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 107130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 107230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 107330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 107430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 107530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 107630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 107730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=TKIP 107830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 107930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="not so secure passphrase" 108030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wpa_ptk_rekey=600 108130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 108230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 108330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 108430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or WEP40 as the group cipher will not be accepted. 108530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 108630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 108730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 108830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 108930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 109030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 109130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 109230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 109330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 109430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 109530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 109630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 109730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=1 109830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 109930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 110030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 110130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (e.g., Radiator) 110230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 110330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 110430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 110530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PEAP 110630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 110730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 110830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 110930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=1" 111030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 111130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=10 111230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 111330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 111430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 111530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 111630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 111730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 111830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 111930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 112030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 112130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 112230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 112330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 112430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 112530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 112630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 112730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 112830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# use. Real identity is sent only within an encrypted TLS tunnel. 112930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 113030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 113130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 113230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 113330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 113430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 113530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 113630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 113730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 113830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 113930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 114030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 114130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication. 114230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 114330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 114430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 114530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 114630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase1 / outer authentication 114730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 114830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 114930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase 2 / inner authentication 115030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="autheap=TLS" 115130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert2="/etc/cert/ca2.pem" 115230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert2="/etc/cer/user.pem" 115330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2="/etc/cer/user.prv" 115430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2_passwd="password" 115530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 115630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 115730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 115830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 115930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group cipher. 116030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 116130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 116230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt bssid=00:11:22:33:44:55 116330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA RSN 116430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK WPA-EAP 116530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP 116630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP 116730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 116830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 116930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 117130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and all valid ciphers. 117230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 117330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid=00010203 117430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 117530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 117630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-SIM with a GSM SIM or USIM 117930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 118030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-sim-test" 118130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 118230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=SIM 118330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 118430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pcsc="" 118530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 118630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 118730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 118830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK 118930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 119030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-psk-test" 119130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 119230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PSK 119330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="eap_psk_user" 119430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password=06b4be19da289f475aa46a33cb793029 119530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="eap_psk_user@example.com" 119630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 119730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 119830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 119930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 120030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS for authentication and key generation; require both unicast and 120130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast WEP keys. 120230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 120330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="1x-test" 120430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 120530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 120630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 120730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 120830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 120930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 121030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 121130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eapol_flags=3 121230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 121330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP with dynamic WEP keys 121630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 121730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="leap-example" 121830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 121930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=LEAP 122030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 122130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 122230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 122330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 122430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-IKEv2 using shared secrets for both server and peer authentication 122530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 122630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="ikev2-example" 122730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 122830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=IKEV2 122930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 123030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 123130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 123230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 123330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST with WPA (WPA or WPA2) 123430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 123530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 123630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 123730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 123830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 123930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 124030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 124130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 124230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="/etc/wpa_supplicant.eap-fast-pac" 124330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 124430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 124530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 124630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 124730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 124830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 124930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 125030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 125130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 125230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 125330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="blob://eap-fast-pac" 125430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 125530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 125630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Plaintext connection (no WPA, no IEEE 802.1X) 125730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 125830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="plaintext-test" 125930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 126030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 126130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 126230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 126330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) 126430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 126530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test" 126630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 126730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 126830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 126930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 127030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 127130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 127230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 127330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 127430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 127530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 127630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.11 authentication 127730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 127830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test2" 127930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 128030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 128130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 128230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 128330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 128430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 128530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt auth_alg=SHARED 128630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 128730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 128830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1289fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# IBSS/ad-hoc network with RSN 1290fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidtnetwork={ 1291fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt ssid="ibss-rsn" 1292fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt key_mgmt=WPA-PSK 1293fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt proto=RSN 1294fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt psk="12345678" 1295fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt mode=1 1296fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt frequency=2412 1297fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt pairwise=CCMP 1298fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt group=CCMP 1299fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt} 1300fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt 1301fb79edc9df1f20461e90e478363d207348213d35Dmitry Shmidt# IBSS/ad-hoc network with WPA-None/TKIP (deprecated) 130230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 130330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="test adhoc" 130430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt mode=1 130530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt frequency=2412 130630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 130730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-NONE 130830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=NONE 130930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 131030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="secret passphrase" 131130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 131230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 131330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 131430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Catch all example that allows more or less all configuration modes 131530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 131630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 131730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 131830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 131930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 132030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 132130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 132230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS PEAP TLS 132330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 132430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 132530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 132630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 132730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 132830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 132930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=0" 133030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 133130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 133230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example of EAP-TLS with smartcard (openssl engine) 133330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 133430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 133530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 133630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 133730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 133830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 133930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 134030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 134130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 134230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 134330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 134430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine=1 134530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 134630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The engine configured here must be available. Look at 134730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # OpenSSL engine support in the global section. 134830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The key available through the engine must be the private key 134930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # matching the client certificate configured above. 135030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 135130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the opensc engine 135230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #engine_id="opensc" 135330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #key_id="45" 135430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 135530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the pkcs11 engine 135630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine_id="pkcs11" 135730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_id="id_45" 135830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 135930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Optional PIN configuration; this can be left out and PIN will be 136030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # asked through the control interface 136130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 136230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 136330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 136430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example configuration showing how to use an inlined blob as a CA certificate 136530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# data instead of using external file 136630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 136730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 136830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 136930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 137030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 137130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 137230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 137330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="blob://exampleblob" 137430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=20 137530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 137630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 137730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtblob-base64-exampleblob={ 137830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry ShmidtSGVsbG8gV29ybGQhCg== 137930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 138030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 138130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 138230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wildcard match for SSID (plaintext APs only). This example select any 138330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# open AP regardless of its SSID. 138430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 138530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 138630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 138751b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt 138851b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt 138951b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt# Example config file that will only scan on channel 36. 139051b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidtfreq_list=5180 139151b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidtnetwork={ 139251b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt key_mgmt=NONE 139351b6ea882f234c14cd1fe1332a3840cf61fafccaDmitry Shmidt} 13945a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt 13955a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt 13965a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# Example MACsec configuration 13975a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt#network={ 13985a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# key_mgmt=IEEE8021X 13995a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# eap=TTLS 14005a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# phase2="auth=PAP" 14015a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# anonymous_identity="anonymous@example.com" 14025a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# identity="user@example.com" 14035a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# password="secretr" 14045a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# ca_cert="/etc/cert/ca.pem" 14055a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# eapol_flags=0 14065a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt# macsec_policy=1 14075a1480c7c46c4236d93bfd303dde32062bee04acDmitry Shmidt#} 1408