wpa_supplicant.conf revision 2f023193a0fd630eb82ce6381b80911ad5a3462f
130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt##### Example wpa_supplicant configuration file ############################### 230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This file describes configuration file format and lists all available option. 430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please also take a look at simpler configuration examples in 'examples' 530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subdirectory. 630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Empty lines and lines starting with # are ignored 830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NOTE! This file may contain password information and should probably be made 1030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# readable only by root user on multiuser systems. 1130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: All file paths in this configuration file should use full (absolute, 1330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not relative to working directory) path in order to allow working directory 1430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be changed. This can happen if wpa_supplicant is run in the background. 1530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 1630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Whether to allow wpa_supplicant to update (overwrite) configuration 1730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This option can be used to allow wpa_supplicant to overwrite configuration 1930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# file whenever configuration is changed (e.g., new network block is added with 2030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli or wpa_gui, or a password is changed). This is required for 2130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 2230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that overwriting configuration file will remove the comments from 2330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# it. 2430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#update_config=1 2530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 2630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# global configuration (shared by all network blocks) 2730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Parameters for the control interface. If this is specified, wpa_supplicant 2930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will open a control interface that is available for external programs to 3030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# manage wpa_supplicant. The meaning of this string depends on which control 31c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interface mechanism is used. For all cases, the existence of this parameter 3230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in configuration is used to determine whether the control interface is 3330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enabled. 3430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UNIX domain sockets (default on Linux and BSD): This is a directory that 3630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# will be created for UNIX domain sockets for listening to requests from 3730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external programs (CLI/GUI, etc.) for status information and configuration. 3830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The socket file will be named based on the interface name, so multiple 3930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant processes can be run at the same time if more than one 4030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface is used. 4130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /var/run/wpa_supplicant is the recommended directory for sockets and by 4230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default, wpa_cli will use it when trying to connect with wpa_supplicant. 4330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Access control for the control interface can be configured by setting the 4530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory to allow only members of a group to use sockets. This way, it is 4630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# possible to run wpa_supplicant as root (since it needs to change network 4730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuration and open raw sockets) and still allow GUI/CLI components to be 4830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# run as non-root users. However, since the control interface can be used to 4930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change the network configuration, this access needs to be protected in many 5030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 5130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# want to allow non-root users to use the control interface, add a new group 5230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and change this value to match with that group. Add users that should have 5330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# control interface access to this group. If this variable is commented out or 5430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not included in the configuration file, group will not be changed from the 5530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# value it got by default when the directory or socket was created. 5630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When configuring both the directory and group, use following format: 5830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=wheel 5930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DIR=/var/run/wpa_supplicant GROUP=0 6030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (group can be either group name or gid) 6130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For UDP connections (default on Windows): The value will be ignored. This 6330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable is just used to select that the control interface is to be created. 6430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The value can be set to, e.g., udp (ctrl_interface=udp) 6530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For Windows Named Pipe: This value can be used to set the security descriptor 6730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for controlling access to the control interface. Security descriptor can be 6830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 6930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# library/default.asp?url=/library/en-us/secauthz/security/ 7030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# security_descriptor_string_format.asp). The descriptor string needs to be 7130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 7230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DACL (which will reject all connections). See README-Windows.txt for more 7330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information about SDDL string format. 7430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 7530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtctrl_interface=/var/run/wpa_supplicant 7630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 7730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL version 7830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 7930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAPOL version 2. However, there are many APs that do not handle the new 8030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version number correctly (they seem to drop the frames completely). In order 8130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to make wpa_supplicant interoperate with these APs, the version number is set 8230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to 1 by default. This configuration value can be used to set it to the new 8330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# version (2). 848d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidteapol_version=1 8530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 8630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# AP scanning/selection 8730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, wpa_supplicant requests driver to perform AP scanning and then 8830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# uses the scan results to select a suitable AP. Another alternative is to 8930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allow the driver to take care of AP scanning and selection and use 9030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 9130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# information from the driver. 9230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 9330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the currently enabled networks are found, a new network (IBSS or AP mode 9430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# operation) may be initialized (if configured) (default) 9530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 9630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# parameters (e.g., WPA IE generation); this mode can also be used with 9730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 9830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# APs (i.e., external program needs to control association). This mode must 9930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# also be used when using wired Ethernet drivers. 10030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2: like 0, but associate with APs using security policy and SSID (but not 10130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 10230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enable operation with hidden SSIDs and optimized roaming; in this mode, 10330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network blocks in the configuration file are tried one by one until 10430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the driver reports successful association; each network block should have 10530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# explicit security policy (i.e., only one option in the lists) for 10630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt, pairwise, group, proto variables 10730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 10830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# created immediately regardless of scan results. ap_scan=1 mode will first try 10930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to scan for existing networks and only if no matches with the enabled 11030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are found, a new IBSS or AP mode network is created. 1118d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtap_scan=1 11230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP fast re-authentication 11430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, fast re-authentication is enabled for all EAP methods that 11530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# support it. This variable can be used to disable fast re-authentication. 11630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Normally, there is no need to disable this. 1178d520ff1dc2da35cdca849e982051b86468016d8Dmitry Shmidtfast_reauth=1 11830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 11930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OpenSSL Engine support 12030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These options can be used to load OpenSSL engines. 12130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The two engines that are supported currently are shown below: 12230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# They are both from the opensc project (http://www.opensc.org/) 12330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default no engines are loaded. 12430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the opensc engine available 12530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 12630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# make the pkcs11 engine available 12730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 12830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configure the path to the pkcs11 module required by the pkcs11 engine 12930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 13030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic EAP methods 13230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If EAP methods were built dynamically as shared object files, they need to be 13330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# loaded here before being used in the network blocks. By default, EAP methods 13430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are included statically in the build, so these lines are not needed 13530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 13630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 13730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 13830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Driver interface parameters 13930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field can be used to configure arbitrary driver interace parameters. The 14030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format is specific to the selected driver interface. This field is not used 14130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# in most cases. 14230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#driver_param="field=value" 14330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Country code 14530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The ISO/IEC alpha2 country code for the country in which this device is 14630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# currently operating. 14730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#country=US 14830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 14930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum lifetime for PMKSA in seconds; default 43200 15030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKLifetime=43200 15130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Threshold for reauthentication (percentage of PMK lifetime); default 70 15230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigPMKReauthThreshold=70 15330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Timeout for security association negotiation in seconds; default 60 15430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#dot11RSNAConfigSATimeout=60 15530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wi-Fi Protected Setup (WPS) parameters 15730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 15830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Universally Unique IDentifier (UUID; see RFC 4122) of the device 15930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not configured, UUID will be generated based on the local MAC address. 16030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#uuid=12345678-9abc-def0-1234-56789abcdef0 16130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Device Name 16330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# User-friendly description of device; up to 32 octets encoded in UTF-8 16430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_name=Wireless Client 16530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 16630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Manufacturer 16730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The manufacturer of the device (up to 64 ASCII characters) 16830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#manufacturer=Company 16930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Name 17130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model of the device (up to 32 ASCII characters) 17230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_name=cmodel 17330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Model Number 17530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Additional device description (up to 32 ASCII characters) 17630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#model_number=123 17730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 17830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial Number 17930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Serial number of the device (up to 32 characters) 18030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#serial_number=12345 18130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 18230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Primary Device Type 18330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Used format: <categ>-<OUI>-<subcateg> 18430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# categ = Category as an integer value 18530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 18630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# default WPS OUI 18730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subcateg = OUI-specific Sub Category as an integer value 18830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Examples: 18930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-1 (Computer / PC) 19030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1-0050F204-2 (Computer / Server) 19130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5-0050F204-1 (Storage / NAS) 19230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 6-0050F204-1 (Network Infrastructure / AP) 19330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#device_type=1-0050F204-1 19430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OS Version 19630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 4-octet operating system version number (hex string) 19730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#os_version=01020300 19830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 19930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Config Methods 20030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# List of the supported configuration methods 20130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 20230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# nfc_interface push_button keypad virtual_display physical_display 20330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# virtual_push_button physical_push_button 20430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 1.0: 20530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label display push_button keypad 20630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For WSC 2.0: 20730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#config_methods=label virtual_display virtual_push_button keypad 20830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 20930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Credential processing 21030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = process received credentials internally (default) 21130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = do not process received credentials; just pass them over ctrl_iface to 21230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# external program(s) 21330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = process received credentials internally and pass them over ctrl_iface 21430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external program(s) 21530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#wps_cred_processing=0 21630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 21704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 21804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The vendor attribute contents to be added in M1 (hex string) 21904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_vendor_ext_m1=000137100100020001 22004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 22104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NFC password token for WPS 22204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# These parameters can be used to configure a fixed NFC password token for the 22304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# station. This can be generated, e.g., with nfc_pw_token. When these 22404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# parameters are used, the station is assumed to be deployed with a NFC tag 22504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# that includes the matching NFC password token (e.g., written based on the 22604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# NDEF record from nfc_pw_token). 22704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 22804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw_id: Device Password ID (16..65535) 22904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_pubkey: Hexdump of DH Public Key 23004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dh_privkey: Hexdump of DH Private Key 23104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#wps_nfc_dev_pw: Hexdump of Device Password 23204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 23330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Maximum number of BSS entries to keep in memory 23430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Default: 200 23530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This can be used to limit memory use on the BSS entries (cached scan 23630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# results). A larger value may be needed in environments that have huge number 23730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of APs when using ap_scan=1 mode. 23830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#bss_max_count=200 23930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 24004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Automatic scan 24104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is an optional set of parameters for automatic scanning 24204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# within an interface in following format: 24304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=<autoscan module name>:<module parameters> 24461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# autoscan is like bgscan but on disconnected or inactive state. 24561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For instance, on exponential module parameters would be <base>:<limit> 24604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=exponential:3:300 24704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Which means a delay between scans on a base exponential of 3, 24861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# up to the limit of 300 seconds (3, 9, 27 ... 300) 24961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For periodic module, parameters would be <fixed interval> 25004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#autoscan=periodic:30 25161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# So a delay of 30 seconds will be applied between each scan 25230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# filter_ssids - SSID-based scan result filtering 25430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not filter scan results (default) 25530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = only include configured SSIDs in scan results/BSS table 25630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#filter_ssids=0 25730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 25861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Password (and passphrase, etc.) backend for external storage 25961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# format: <backend name>[:<optional backend parameters>] 26061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#ext_password_backend=test:pw1=password|pw2=testing 26161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 26261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Timeout in seconds to detect STA inactivity (default: 300 seconds) 26361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 26461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This timeout value is used in P2P GO mode to clean up 26561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# inactive stations. 26661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#p2p_go_max_inactivity=300 26761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 268d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# Opportunistic Key Caching (also known as Proactive Key Caching) default 269d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# This parameter can be used to set the default behavior for the 270d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# proactive_key_caching parameter. By default, OKC is disabled unless enabled 271d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# with the global okc=1 parameter or with the per-network 272d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 273d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# can be disabled with per-network proactive_key_caching=0 parameter. 274d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt#okc=0 275d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt 276d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# Protected Management Frames default 277d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# This parameter can be used to set the default behavior for the ieee80211w 278d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 279d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF 280d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# is enabled/required by default, but can be disabled with the per-network 281d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# ieee80211w parameter. 282d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt#pmf=0 28330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 284a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Enabled SAE finite cyclic groups in preference order 285a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# By default (if this parameter is not set), the mandatory group 19 (ECC group 286a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# defined over a 256-bit prime order field) is preferred, but other groups are 287a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# also enabled. If this parameter is set, the groups will be tried in the 288a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# indicated order. The group values are listed in the IANA registry: 289a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 290a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt#sae_groups=21 20 19 26 25 291a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt 2927a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Default value for DTIM period (if not overridden in network block) 2937a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#dtim_period=2 2947a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 2957a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Default value for Beacon interval (if not overridden in network block) 2967a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#beacon_int=100 2977a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 298c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Interworking (IEEE 802.11u) 299c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 300c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Enable Interworking 301c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# interworking=1 302c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 303c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# Homogenous ESS identifier 304c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# If this is set, scans will be used to request response only from BSSes 305c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# belonging to the specified Homogeneous ESS. This is used only if interworking 306c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# is enabled. 307c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# hessid=00:11:22:33:44:55 308c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 30961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Automatic network selection behavior 31061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 0 = do not automatically go through Interworking network selection 31161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# (i.e., require explicit interworking_select command for this; default) 31261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 1 = perform Interworking network selection if one or more 31361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# credentials have been configured and scan did not find a 31461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# matching network block 31561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#auto_interworking=0 31661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt 31704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential block 31804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 31904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Each credential used for automatic network selection is configured as a set 32004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# of parameters that are compared to the information advertised by the APs when 32104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# interworking_select and interworking_connect commands are used. 32204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 32304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# credential fields: 32404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 32504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# priority: Priority group 32604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# By default, all networks and credentials get the same priority group 32704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (0). This field can be used to give higher priority for credentials 32804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly in struct wpa_ssid for network blocks) to change the 32904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Interworking automatic networking selection behavior. The matching 33004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# network (based on either an enabled network block or a credential) 33104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# with the highest priority value will be selected. 33204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# pcsc: Use PC/SC and SIM/USIM card 33404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm: Home Realm for Interworking 33604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username: Username for Interworking network selection 33804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 33904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password: Password for Interworking network selection 34004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert: CA certificate for Interworking network selection 34204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 34404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This field is used with Interworking networking selection for a case 34504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# where client certificate/private key is used for authentication 34604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (EAP-TLS). Full path to the file should be used since working 34704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# directory may change when wpa_supplicant is run in the background. 34804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 34904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 35004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 35104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 35204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 35304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 35404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# commented out. Both the private key and certificate will be read 35504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# from the PKCS#12 file in this case. Full path to the file should be 35604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# used since working directory may change when wpa_supplicant is run 35704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# in the background. 35804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 35904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 36004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# configuring private_key in one of the following formats: 36104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# cert://substring_to_match 36304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hash://certificate_thumbprint_in_hex 36504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 36704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 36804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Note that when running wpa_supplicant as an application, the user 36904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# certificate store (My user account) is used, whereas computer store 37004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (Computer account) is used when running wpasvc as a service. 37104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Alternatively, a named configuration blob can be used by setting 37304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this to blob://blob_name. 37404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# private_key_passwd: Password for private key file 37604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 37804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 37904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 38004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# format 38104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 38204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain: Home service provider FQDN 38304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# This is used to compare against the Domain Name List to figure out 38404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# whether the AP is operated by the Home SP. 38504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 38661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# roaming_consortium: Roaming Consortium OI 38761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# If roaming_consortium_len is non-zero, this field contains the 38861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Roaming Consortium OI that can be used to determine which access 38961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# points support authentication with this credential. This is an 39061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# alternative to the use of the realm parameter. When using Roaming 39161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Consortium to match the network, the EAP parameters need to be 39261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# pre-configured with the credential since the NAI Realm information 39361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# may not be available or fetched. 39461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 39561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# eap: Pre-configured EAP method 39661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field can be used to specify which EAP method will be 39761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# used with this credential. If not set, the EAP method is selected 39861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# automatically based on ANQP information (e.g., NAI Realm). 39961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 40061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase1: Pre-configure Phase 1 (outer authentication) parameters 40161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field is used with like the 'eap' parameter. 40261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 40361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2: Pre-configure Phase 2 (inner authentication) parameters 40461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# This optional field is used with like the 'eap' parameter. 40561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 406a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# excluded_ssid: Excluded SSID 407a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# This optional field can be used to excluded specific SSID(s) from 408a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# matching with the network. Multiple entries can be used to specify more 409a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# than one SSID. 410a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 41104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# for example: 41204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 41304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 41404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# realm="example.com" 41504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# username="user@example.com" 41604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# password="password" 41704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 41804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# domain="example.com" 41904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 42004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 42104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#cred={ 42204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# imsi="310026-000000000" 42304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 42404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#} 42561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 42661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#cred={ 42761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# realm="example.com" 42861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# username="user" 42961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# password="password" 43061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# ca_cert="/etc/wpa_supplicant/ca.pem" 43161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# domain="example.com" 43261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# roaming_consortium=223344 43361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# eap=TTLS 43461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2="auth=MSCHAPV2" 43561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt#} 436c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 43704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Hotspot 2.0 43804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# hs20=1 439c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt 44030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block 44130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 44230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Each network (usually AP's sharing the same SSID) is configured as a separate 44330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# block in this configuration file. The network blocks are in preference order 44430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (the first match is used). 44530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 44630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# network block fields: 44730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 44830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# disabled: 44930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = this network can be used (default) 45030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = this network block is disabled (can be enabled through ctrl_iface, 45130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# e.g., with wpa_cli or wpa_gui) 45230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 45330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# id_str: Network identifier string for external scripts. This value is passed 45430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to external action script through wpa_cli as WPA_ID_STR environment 45530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# variable to make it easier to do network specific configuration. 45630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 45761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# ssid: SSID (mandatory); network name in one of the optional formats: 45861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - an ASCII string with double quotation 45961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - a hex string (two characters per octet of SSID) 46061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# - a printf-escaped ASCII string P"<escaped string>" 46130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 46230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_ssid: 46330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = do not scan this SSID with specific Probe Request frames (default) 46430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = scan with SSID-specific Probe Request frames (this can be used to 46530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# find APs that do not accept broadcast SSID or use multiple SSIDs; 46630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this will add latency to scanning, so enable this only when needed) 46730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 46830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bssid: BSSID (optional); if set, this network block is used only when 46930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# associating with the AP using the configured BSSID 47030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 47130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority: priority group (integer) 47230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# By default, all networks will get same priority group (0). If some of the 47330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks are more desirable, this field can be used to change the order in 47430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# which wpa_supplicant goes through the networks when selecting a BSS. The 47530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority groups will be iterated in decreasing priority (i.e., the larger the 47630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# priority value, the sooner the network is matched against the scan results). 47730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Within each priority group, networks will be selected based on security 47830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# policy, signal strength, etc. 47930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 48030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# using this priority to select the order for scanning. Instead, they try the 48130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# networks in the order that used in the configuration file. 48230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 48330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mode: IEEE 802.11 operation mode 48430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 48530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = IBSS (ad-hoc, peer-to-peer) 48630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = AP (access point) 48730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 48830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires 48930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# following network block options: 49030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 49130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# both), and psk must also be set. 49230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 49330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 49430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 49530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 49630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# In addition, this value is only used by the station that creates the IBSS. If 49730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# an IBSS network with the configured SSID is already present, the frequency of 49830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the network will be used instead of this configured value. 49930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 50030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# scan_freq: List of frequencies to scan 50130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to scan when searching for this 50230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# BSS. If the subset of channels used by the network is known, this option can 50330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# be used to optimize scanning to not occur on channels that the network does 50430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# not use. Example: scan_freq=2412 2437 2462 50530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 50630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# freq_list: Array of allowed frequencies 50730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 50830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# set, scan results that do not match any of the specified frequencies are not 50930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# considered when selecting a BSS. 51030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 511a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan: Background scanning 512a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# wpa_supplicant behavior for background scanning can be specified by 513a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# configuring a bgscan module. These modules are responsible for requesting 514a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# background scans for the purpose of roaming within an ESS (i.e., within a 515a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# single network block with all the APs using the same SSID). The bgscan 516a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# parameter uses following format: "<bgscan module name>:<module parameters>" 517a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Following bgscan modules are available: 518a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# simple - Periodic background scans based on signal strength 519a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 520a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# <long interval>" 521a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="simple:30:-45:300" 522a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# learn - Learn channels used by the network and try to avoid bgscans on other 523a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# channels (experimental) 524a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 525a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# <long interval>[:<database file name>]" 526a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 527a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 52830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proto: list of accepted protocols 52930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA = WPA/IEEE 802.11i/D3.0 53030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 53130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA RSN 53230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 53330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# key_mgmt: list of accepted authenticated key management protocols 53430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 53530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP = WPA using EAP authentication 53630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 53730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated WEP keys 53830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = WPA is not used; plaintext or static WEP could be used 53930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 54030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 54130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: WPA-PSK WPA-EAP 54230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 54304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# ieee80211w: whether management frame protection is enabled 544d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# 0 = disabled (default unless changed with the global pmf parameter) 54504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 1 = optional 54604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 2 = required 54704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The most common configuration options for this based on the PMF (protected 54804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# management frames) certification program are: 54904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 55004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 55104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 55204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 55330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# auth_alg: list of allowed IEEE 802.11 authentication algorithms 55430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OPEN = Open System authentication (required for WPA/WPA2) 55530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# SHARED = Shared Key authentication (requires static WEP keys) 55630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP = LEAP/Network EAP (only used with LEAP) 55730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, automatic selection is used (Open System with LEAP enabled if 55830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP is allowed as one of the EAP methods). 55930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 56030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise: list of accepted pairwise (unicast) ciphers for WPA 56130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 56230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 56330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NONE = Use only Group Keys (deprecated, should not be included if APs support 56430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pairwise keys) 56530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP 56630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 56730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group: list of accepted group (broadcast/multicast) ciphers for WPA 56830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 56930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 57030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 57130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 57230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, this defaults to: CCMP TKIP WEP104 WEP40 57330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 57430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# psk: WPA preshared key; 256-bit pre-shared key 57530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 57630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 57730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# generated using the passphrase and SSID). ASCII passphrase must be between 57861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can 57961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# be used to indicate that the PSK/passphrase is stored in external storage. 58030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is not needed, if WPA-EAP is used. 58130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 58230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 58330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# startup and reconfiguration time can be optimized by generating the PSK only 58430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# only when the passphrase or SSID has actually changed. 58530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 58630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 58730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Dynamic WEP key required for non-WPA mode 58830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit0 (1): require dynamically generated unicast WEP key 58930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# bit1 (2): require dynamically generated broadcast WEP key 59030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (3 = require both keys; default) 59130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note: When using wired authentication, eapol_flags must be set to 0 for the 59230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication to be completed successfully. 59330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 59430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# mixed_cell: This option can be used to configure whether so called mixed 59530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cells, i.e., networks that use both plaintext and encryption in the same 596c5ec7f57ead87efa365800228aa0b09a12d9e6c4Dmitry Shmidt# SSID, are allowed when selecting a BSS from scan results. 59730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 59830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 59930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 60030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# proactive_key_caching: 60130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Enable/disable opportunistic PMKSA caching for WPA2. 602d5e4923d04122f81300fa68fb07d64ede28fd44dDmitry Shmidt# 0 = disabled (default unless changed with the global okc parameter) 60330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 60430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 60530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 60630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hex without quotation, e.g., 0102030405) 60730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wep_tx_keyidx: Default WEP key index (TX) (0..3) 60830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 60930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 61030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# allowed. This is only used with RSN/WPA2. 61130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled (default) 61230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = enabled 61330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt#peerkey=1 61430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 61530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 61630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 61730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 61830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following fields are only used with internal EAP implementation. 61930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# eap: space-separated list of accepted EAP methods 62030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 62130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cannot be used with WPA; to be used as a Phase 2 method 62230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# with EAP-PEAP or EAP-TTLS) 62330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 62430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 62530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# OTP = EAP-OTP (cannot be used separately with WPA; to be used 62630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 62730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# GTC = EAP-GTC (cannot be used separately with WPA; to be used 62830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 62930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS = EAP-TLS (client and server certificate) 63030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAP = EAP-PEAP (with tunnelled EAP authentication) 63130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 63230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication) 63330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If not set, all compiled in methods are allowed. 63430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 63530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# identity: Identity string for EAP 63630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This field is also used to configure user NAI for 63730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK/PAX/SAKE/GPSK. 63830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# anonymous_identity: Anonymous identity string for EAP (to be used as the 63930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted identity with EAP types that support different tunnelled 6404530cfd4d14a77c58e35393b91e40f8dd9d62697Dmitry Shmidt# identity, e.g., EAP-TTLS). This field can also be used with 6414530cfd4d14a77c58e35393b91e40f8dd9d62697Dmitry Shmidt# EAP-SIM/AKA/AKA' to store the pseudonym identity. 64230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# password: Password string for EAP. This field can include either the 64330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# plaintext password (using ASCII or hex string) or a NtPasswordHash 64430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 64530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# NtPasswordHash can only be used when the password is for MSCHAPv2 or 64630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 64730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 64830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PSK) is also configured using this field. For EAP-GPSK, this is a 64961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# variable length PSK. ext:<name of external password field> format can 65061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# be used to indicate that the password is stored in external storage. 65130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 65230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or more trusted CA certificates. If ca_cert and ca_path are not 65330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# included, server certificate will not be verified. This is insecure and 65430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# a trusted CA certificate should always be configured when using 65530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 65630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# change when wpa_supplicant is run in the background. 65730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 65830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, this can be used to only perform matching of the server 65930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 66030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# this case, the possible CA certificates in the server certificate chain 66130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# are ignored and only the server certificate is verified. This is 66230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured with the following format: 66330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash:://server/sha256/cert_hash_in_hex 66430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# For example: "hash://server/sha256/ 66530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 66630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 66730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# On Windows, trusted CA certificates can be loaded from the system 66830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store by setting this to cert_store://<name>, e.g., 66930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 67030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 67130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 67230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 67330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path: Directory path for CA certificate files (PEM). This path may 67430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contain multiple CA certificates in OpenSSL format. Common use for this 67530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# is to point to system trusted CA list which is often installed into 67630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory like /etc/ssl/certs. If configured, these certificates are 67730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# added to the list of trusted CAs. ca_cert may also be included in that 67830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# case, but it is not required. 67930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert: File path to client certificate file (PEM/DER) 68030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Full path should be used since working directory may change when 68130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant is run in the background. 68230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 68330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 68430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key: File path to client private key file (PEM/DER/PFX) 68530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 68630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# commented out. Both the private key and certificate will be read from 68730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the PKCS#12 file in this case. Full path should be used since working 68830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# directory may change when wpa_supplicant is run in the background. 68930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Windows certificate store can be used by leaving client_cert out and 69030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configuring private_key in one of the following formats: 69130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cert://substring_to_match 69230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# hash://certificate_thumbprint_in_hex 69330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 69430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Note that when running wpa_supplicant as an application, the user 69530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# certificate store (My user account) is used, whereas computer store 69630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (Computer account) is used when running wpasvc as a service. 69730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Alternatively, a named configuration blob can be used by setting this 69830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to blob://<blob name>. 69930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key_passwd: Password for private key file (if left out, this will be 70030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# asked through control interface) 70130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file: File path to DH/DSA parameters file (in PEM format) 70230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This is an optional configuration file for setting parameters for an 70330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ephemeral DH key exchange. In most cases, the default RSA 70430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication does not use this configuration. However, it is possible 70530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 70630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# DSA keys always use ephemeral DH keys. This can be used to achieve 70730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# forward secrecy. If the file is in DSA parameters format, it will be 70830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# automatically converted into DH params. 70930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match: Substring to be matched against the subject of the 71030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. If this string is set, the server 71130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sertificate is only accepted if it contains this string in the subject. 71230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# The subject string is in following format: 71330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 71430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match: Semicolon separated string of entries to be matched against 71530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# the alternative subject name of the authentication server certificate. 71630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# If this string is set, the server sertificate is only accepted if it 71730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# contains one of the entries in an alternative subject name extension. 71830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altSubjectName string is in following format: TYPE:VALUE 71930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: EMAIL:server@example.com 72030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example: DNS:server.example.com;DNS:server2.example.com 72130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following types are supported: EMAIL, DNS, URI 72230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 72330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "peapver=0" or 72430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "peapver=1 peaplabel=1") 72530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peapver' can be used to force which PEAP version (0 or 1) is used. 72630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 72730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to be used during key derivation when PEAPv1 or newer. Most existing 72830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# PEAPv1 implementation seem to be using the old label, "client EAP 72930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# encryption", and wpa_supplicant is now using that as the default value. 73030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 73130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperate with PEAPv1; see eap_testing.txt for more details. 73230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'peap_outer_success=0' can be used to terminate PEAP authentication on 73330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# tunneled EAP-Success. This is required with some RADIUS servers that 73430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 73530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 73630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# include_tls_length=1 can be used to force wpa_supplicant to include 73730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# TLS Message Length field in all TLS messages even if they are not 73830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmented. 73930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 74030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# challenges (by default, it accepts 2 or 3) 74130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 74230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# protected result indication. 74330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 74430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# behavior: 74530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 0 = do not use cryptobinding (default) 74630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 1 = use cryptobinding if server supports it 74730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# * 2 = require cryptobinding 74830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-WSC (WPS) uses following options: pin=<Device Password> or 74930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pbc=1. 75030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase2: Phase2 (inner authentication with TLS tunnel) parameters 75130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 75230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 75361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 75461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# TLS-based methods can use the following parameters to control TLS behavior 75561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# (these are normally in the phase1 parameter, but can be used also in the 75661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# phase2 parameter when EAP-TLS is used within the inner tunnel): 75761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the 75861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# TLS library, these may be disabled by default to enforce stronger 75961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# security) 76061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_time_checks=1 - ignore certificate validity time (this requests 76161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# the TLS library to accept certificates even if they are not currently 76261d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# valid, i.e., have expired or have not yet become valid; this should be 76361d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# used only for testing purposes) 76461d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_session_ticket=1 - disable TLS Session Ticket extension 76561d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used 76661d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS 76761d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# as a workaround for broken authentication server implementations unless 76861d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# EAP workarounds are disabled with eap_workarounds=0. 76961d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# For EAP-FAST, this must be set to 0 (or left unconfigured for the 77061d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# default value to be used automatically). 77161d9df3e62aaa0e87ad05452fcb95142159a17b6Dmitry Shmidt# 77230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Following certificate/private key fields are used in inner Phase2 77330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication when using EAP-TTLS or EAP-PEAP. 77430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_cert2: File path to CA certificate file. This file can have one or more 77530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 77630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# server certificate will not be verified. This is insecure and a trusted 77730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# CA certificate should always be configured. 77830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# ca_path2: Directory path for CA certificate files (PEM) 77930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# client_cert2: File path to client certificate file 78030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2: File path to client private key file 78130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# private_key2_passwd: Password for private key file 78230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# dh_file2: File path to DH/DSA parameters file (in PEM format) 78330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# subject_match2: Substring to be matched against the subject of the 78430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication server certificate. 78530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# altsubject_match2: Substring to be matched against the alternative subject 78630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# name of the authentication server certificate. 78730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 78830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragment_size: Maximum EAP fragment size in bytes (default 1398). 78930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# This value limits the fragment size for EAP methods that support 79030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 79130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# small enough to make the EAP messages fit in MTU of the network 79230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interface used for EAPOL. The default value is suitable for most 79330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# cases. 79430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 79530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST variables: 79630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 79730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# to create this file and write updates to it when PAC is being 79830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# provisioned or refreshed. Full path to the file should be used since 79930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# working directory may change when wpa_supplicant is run in the 80030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# background. Alternatively, a named configuration blob can be used by 80130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# setting this to blob://<blob name> 80230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# phase1: fast_provisioning option can be used to enable in-line provisioning 80330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# of EAP-FAST credentials (PAC): 80430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 0 = disabled, 80530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 1 = allow unauthenticated provisioning, 80630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 2 = allow authenticated provisioning, 80730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 3 = allow both unauthenticated and authenticated provisioning 80830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_max_pac_list_len=<num> option can be used to set the maximum 80930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of PAC entries to store in a PAC list (default: 10) 81030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# fast_pac_format=binary option can be used to select binary format for 81130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# storing PAC entries in order to save some space (the default 81230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# text format uses about 2.5 times the size of minimal binary 81330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# format) 81430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# 81530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# wpa_supplicant supports number of "EAP workarounds" to work around 81630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# interoperability issues with incorrectly behaving authentication servers. 81730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# These are enabled by default because some of the issues are present in large 81830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# number of authentication servers. Strict EAP conformance mode can be 81930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# configured by disabling workarounds with eap_workaround=0. 82030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 82104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# Station inactivity limit 82204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 82304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# If a station does not send anything in ap_max_inactivity seconds, an 82404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# empty data frame is sent to it in order to verify whether it is 82504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# still in range. If this frame is not ACKed, the station will be 82604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociated and then deauthenticated. This feature is used to 82704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# clear station table of old entries when the STAs move out of the 82804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# range. 82904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# 83004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# The station can associate again with the AP if it is still in range; 83104949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# this inactivity poll is just used as a nicer way of verifying 83204949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# inactivity; i.e., client will not report broken connection because 83304949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# disassociation frame is not sent immediately without first polling 83404949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# the STA with a data frame. 83504949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# default: 300 (i.e., 5 minutes) 83604949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#ap_max_inactivity=300 83704949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 83804949598a23f501be6eec21697465fd46a28840aDmitry Shmidt# DTIM period in Beacon intervals for AP mode (default: 2) 83904949598a23f501be6eec21697465fd46a28840aDmitry Shmidt#dtim_period=2 84004949598a23f501be6eec21697465fd46a28840aDmitry Shmidt 8417a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt# Beacon interval (default: 100 TU) 8427a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt#beacon_int=100 8437a5e50a0554bee77a9da492ea3d86f46147f1671Dmitry Shmidt 844a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_ht: Whether HT (802.11n) should be disabled. 845a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = HT enabled (if AP supports it) 846a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = HT disabled 847a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 848a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_ht40: Whether HT-40 (802.11n) should be disabled. 849a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = HT-40 enabled (if AP supports it) 850a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = HT-40 disabled 851a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 852a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_sgi: Whether SGI (short guard interval) should be disabled. 853a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = SGI enabled (if AP supports it) 854a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = SGI disabled 855a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 856a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs: Configure allowed MCS rates. 857a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Parsed as an array of bytes, in base-16 (ascii-hex) 858a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="" // Use all available (default) 859a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only 860a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only 861a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 862a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# disable_max_amsdu: Whether MAX_AMSDU should be disabled. 863a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# -1 = Do not make any changes. 864a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0 = Enable MAX-AMSDU if hardware supports it. 865a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 1 = Disable AMSDU 866a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 867a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# ampdu_density: Allow overriding AMPDU density configuration. 868a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# Treated as hint by the kernel. 869a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# -1 = Do not make any changes. 870a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt# 0-3 = Set AMPDU density (aka factor) to specified value. 871a54fa5fb807eaeff45464139b5a7759f060cec68Dmitry Shmidt 8722f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# disable_vht: Whether VHT should be disabled. 8732f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 0 = VHT enabled (if AP supports it) 8742f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 1 = VHT disabled 8752f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 8762f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_capa: VHT capabilities to set in the override 8772f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_capa_mask: mask of VHT capabilities 8782f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 8792f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 8802f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 8812f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 0: MCS 0-7 8822f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 1: MCS 0-8 8832f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 2: MCS 0-9 8842f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt# 3: not supported 8852f023193a0fd630eb82ce6381b80911ad5a3462fDmitry Shmidt 88630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example blocks: 88730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 88830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 88930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 89030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="simple" 89130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 89230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 89330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 89430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 89530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Same as previous, but request SSID-specific scanning (for APs that reject 89630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast SSID) 89730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 89830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="second ssid" 89930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 90030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 90130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 90230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 90330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 90430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-PSK is used. Any valid cipher combination is accepted. 90530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 90630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 90730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 90830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 90930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 91030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 91130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 91230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 91330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 91430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 91530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 91630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 91730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 91830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 91930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK 92030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=TKIP 92130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 92230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="not so secure passphrase" 92330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wpa_ptk_rekey=600 92430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 92530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 92630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 92730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# or WEP40 as the group cipher will not be accepted. 92830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 92930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 93030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 93130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 93230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 93330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 93430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 93530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 93630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 93730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 93830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 93930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 94030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=1 94130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 94230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 94330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 94430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# (e.g., Radiator) 94530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 94630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 94730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 94830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PEAP 94930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 95030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 95130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 95230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=1" 95330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 95430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=10 95530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 95630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 95730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 95830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 95930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 96030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 96130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 96230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 96330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 96430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 96530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 96630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 96730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 96830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 96930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 97030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 97130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# use. Real identity is sent only within an encrypted TLS tunnel. 97230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 97330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 97430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 97530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 97630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 97730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 97830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 97930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 98030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="auth=MSCHAPV2" 98130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 98230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 98330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 98430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# authentication. 98530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 98630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 98730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 98830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 98930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase1 / outer authentication 99030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 99130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 99230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Phase 2 / inner authentication 99330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase2="autheap=TLS" 99430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert2="/etc/cert/ca2.pem" 99530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert2="/etc/cer/user.pem" 99630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2="/etc/cer/user.prv" 99730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key2_passwd="password" 99830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=2 99930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 100030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 100130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 100230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# group cipher. 100330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 100430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 100530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt bssid=00:11:22:33:44:55 100630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA RSN 100730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-PSK WPA-EAP 100830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP 100930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP 101030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 101130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 101230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 101330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 101430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# and all valid ciphers. 101530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 101630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid=00010203 101730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 101830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 101930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 102030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 102130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-SIM with a GSM SIM or USIM 102230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 102330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-sim-test" 102430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 102530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=SIM 102630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 102730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pcsc="" 102830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 102930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 103030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 103130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-PSK 103230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 103330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-psk-test" 103430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 103530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=PSK 103630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="eap_psk_user" 103730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password=06b4be19da289f475aa46a33cb793029 103830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="eap_psk_user@example.com" 103930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 104030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 104230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 104330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-TLS for authentication and key generation; require both unicast and 104430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# broadcast WEP keys. 104530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 104630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="1x-test" 104730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 104830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 104930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 105030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 105130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 105230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 105330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 105430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eapol_flags=3 105530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 105630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 105730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 105830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# LEAP with dynamic WEP keys 105930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 106030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="leap-example" 106130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=IEEE8021X 106230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=LEAP 106330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 106430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 106530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 106630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 106730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-IKEv2 using shared secrets for both server and peer authentication 106830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 106930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="ikev2-example" 107030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 107130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=IKEV2 107230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user" 107330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 107430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 107530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 107630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# EAP-FAST with WPA (WPA or WPA2) 107730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 107830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 107930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 108030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 108130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 108230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 108330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 108430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 108530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="/etc/wpa_supplicant.eap-fast-pac" 108630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 108730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 108830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 108930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="eap-fast-test" 109030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 109130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=FAST 109230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="FAST-000102030405" 109330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="username" 109430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="password" 109530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="fast_provisioning=1" 109630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pac_file="blob://eap-fast-pac" 109730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 109830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 109930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Plaintext connection (no WPA, no IEEE 802.1X) 110030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 110130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="plaintext-test" 110230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 110330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 110430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 110530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 110630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) 110730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 110830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test" 110930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 111030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 111130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 111230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 111330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 111430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 111530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 111630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 111730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 111830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 111930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IEEE 802.11 authentication 112030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 112130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="static-wep-test2" 112230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 112330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key0="abcde" 112430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key1=0102030405 112530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_key2="1234567890123" 112630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt wep_tx_keyidx=0 112730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=5 112830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt auth_alg=SHARED 112930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 113030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 113130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 113230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# IBSS/ad-hoc network with WPA-None/TKIP. 113330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 113430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="test adhoc" 113530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt mode=1 113630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt frequency=2412 113730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=WPA 113830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-NONE 113930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=NONE 114030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=TKIP 114130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="secret passphrase" 114230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 114330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 114430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 114530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Catch all example that allows more or less all configuration modes 114630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 114730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 114830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt scan_ssid=1 114930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 115030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 115130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP WEP104 WEP40 115230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt psk="very secret passphrase" 115330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS PEAP TLS 115430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 115530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 115630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 115730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 115830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key="/etc/cert/user.prv" 115930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt private_key_passwd="password" 116030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt phase1="peaplabel=0" 116130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 116230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 116330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example of EAP-TLS with smartcard (openssl engine) 116430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 116530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 116630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 116730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TLS 116830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt proto=RSN 116930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pairwise=CCMP TKIP 117030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt group=CCMP TKIP 117130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 117230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="/etc/cert/ca.pem" 117330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt client_cert="/etc/cert/user.pem" 117430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine=1 117630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 117730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The engine configured here must be available. Look at 117830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # OpenSSL engine support in the global section. 117930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # The key available through the engine must be the private key 118030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # matching the client certificate configured above. 118130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 118230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the opensc engine 118330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #engine_id="opensc" 118430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt #key_id="45" 118530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 118630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # use the pkcs11 engine 118730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt engine_id="pkcs11" 118830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_id="id_45" 118930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 119030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # Optional PIN configuration; this can be left out and PIN will be 119130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt # asked through the control interface 119230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt pin="1234" 119330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 119430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 119530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Example configuration showing how to use an inlined blob as a CA certificate 119630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# data instead of using external file 119730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 119830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ssid="example" 119930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=WPA-EAP 120030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt eap=TTLS 120130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt identity="user@example.com" 120230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt anonymous_identity="anonymous@example.com" 120330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt password="foobar" 120430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt ca_cert="blob://exampleblob" 120530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt priority=20 120630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 120730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 120830f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtblob-base64-exampleblob={ 120930f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry ShmidtSGVsbG8gV29ybGQhCg== 121030f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 121130f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121230f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt 121330f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# Wildcard match for SSID (plaintext APs only). This example select any 121430f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt# open AP regardless of its SSID. 121530f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidtnetwork={ 121630f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt key_mgmt=NONE 121730f94813e7f35e3812c5d31ebc53630c26c4e4b2Dmitry Shmidt} 1218