1189251Ssam##### Example wpa_supplicant configuration file ############################### 2189251Ssam# 3189902Sdougb# ***** Please check wpa_supplicant.conf(5) for details on these options ***** 4189902Sdougb# 5189251Ssam# This file describes configuration file format and lists all available option. 6189251Ssam# Please also take a look at simpler configuration examples in 'examples' 7189251Ssam# subdirectory. 8189251Ssam# 9189251Ssam# Empty lines and lines starting with # are ignored 10189251Ssam 11189251Ssam# NOTE! This file may contain password information and should probably be made 12189251Ssam# readable only by root user on multiuser systems. 13189251Ssam 14189251Ssam# Note: All file paths in this configuration file should use full (absolute, 15189251Ssam# not relative to working directory) path in order to allow working directory 16189251Ssam# to be changed. This can happen if wpa_supplicant is run in the background. 17189251Ssam 18189251Ssam# Whether to allow wpa_supplicant to update (overwrite) configuration 19189251Ssam# 20189251Ssam# This option can be used to allow wpa_supplicant to overwrite configuration 21189251Ssam# file whenever configuration is changed (e.g., new network block is added with 22189251Ssam# wpa_cli or wpa_gui, or a password is changed). This is required for 23189251Ssam# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 24189251Ssam# Please note that overwriting configuration file will remove the comments from 25189251Ssam# it. 26189251Ssam#update_config=1 27189251Ssam 28189251Ssam# global configuration (shared by all network blocks) 29189251Ssam# 30189251Ssam# Parameters for the control interface. If this is specified, wpa_supplicant 31189251Ssam# will open a control interface that is available for external programs to 32189251Ssam# manage wpa_supplicant. The meaning of this string depends on which control 33252726Srpaulo# interface mechanism is used. For all cases, the existence of this parameter 34189251Ssam# in configuration is used to determine whether the control interface is 35189251Ssam# enabled. 36189251Ssam# 37189251Ssam# For UNIX domain sockets (default on Linux and BSD): This is a directory that 38189251Ssam# will be created for UNIX domain sockets for listening to requests from 39189251Ssam# external programs (CLI/GUI, etc.) for status information and configuration. 40189251Ssam# The socket file will be named based on the interface name, so multiple 41189251Ssam# wpa_supplicant processes can be run at the same time if more than one 42189251Ssam# interface is used. 43189251Ssam# /var/run/wpa_supplicant is the recommended directory for sockets and by 44189251Ssam# default, wpa_cli will use it when trying to connect with wpa_supplicant. 45189251Ssam# 46189251Ssam# Access control for the control interface can be configured by setting the 47189251Ssam# directory to allow only members of a group to use sockets. This way, it is 48189251Ssam# possible to run wpa_supplicant as root (since it needs to change network 49189251Ssam# configuration and open raw sockets) and still allow GUI/CLI components to be 50189251Ssam# run as non-root users. However, since the control interface can be used to 51189251Ssam# change the network configuration, this access needs to be protected in many 52189251Ssam# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 53189251Ssam# want to allow non-root users to use the control interface, add a new group 54189251Ssam# and change this value to match with that group. Add users that should have 55189251Ssam# control interface access to this group. If this variable is commented out or 56189251Ssam# not included in the configuration file, group will not be changed from the 57189251Ssam# value it got by default when the directory or socket was created. 58189251Ssam# 59189251Ssam# When configuring both the directory and group, use following format: 60189251Ssam# DIR=/var/run/wpa_supplicant GROUP=wheel 61189251Ssam# DIR=/var/run/wpa_supplicant GROUP=0 62189251Ssam# (group can be either group name or gid) 63189251Ssam# 64189251Ssamctrl_interface=/var/run/wpa_supplicant 65189251Ssam 66189251Ssam# IEEE 802.1X/EAPOL version 67189251Ssam# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 68189251Ssam# EAPOL version 2. However, there are many APs that do not handle the new 69189251Ssam# version number correctly (they seem to drop the frames completely). In order 70189251Ssam# to make wpa_supplicant interoperate with these APs, the version number is set 71189251Ssam# to 1 by default. This configuration value can be used to set it to the new 72189251Ssam# version (2). 73281806Srpaulo# Note: When using MACsec, eapol_version shall be set to 3, which is 74281806Srpaulo# defined in IEEE Std 802.1X-2010. 75189251Ssameapol_version=1 76189251Ssam 77189251Ssam# AP scanning/selection 78189251Ssam# By default, wpa_supplicant requests driver to perform AP scanning and then 79189251Ssam# uses the scan results to select a suitable AP. Another alternative is to 80189251Ssam# allow the driver to take care of AP scanning and selection and use 81189251Ssam# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 82189251Ssam# information from the driver. 83214734Srpaulo# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 84214734Srpaulo# the currently enabled networks are found, a new network (IBSS or AP mode 85214734Srpaulo# operation) may be initialized (if configured) (default) 86189251Ssam# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 87189251Ssam# parameters (e.g., WPA IE generation); this mode can also be used with 88189251Ssam# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 89189251Ssam# APs (i.e., external program needs to control association). This mode must 90346981Scy# also be used when using wired Ethernet drivers (including MACsec). 91189251Ssam# 2: like 0, but associate with APs using security policy and SSID (but not 92189251Ssam# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 93189251Ssam# enable operation with hidden SSIDs and optimized roaming; in this mode, 94189251Ssam# the network blocks in the configuration file are tried one by one until 95189251Ssam# the driver reports successful association; each network block should have 96189251Ssam# explicit security policy (i.e., only one option in the lists) for 97189251Ssam# key_mgmt, pairwise, group, proto variables 98189902Sdougb# 99189902Sdougb# For use in FreeBSD with the wlan module ap_scan must be set to 1. 100289549Srpaulo# 101214734Srpaulo# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 102214734Srpaulo# created immediately regardless of scan results. ap_scan=1 mode will first try 103214734Srpaulo# to scan for existing networks and only if no matches with the enabled 104214734Srpaulo# networks are found, a new IBSS or AP mode network is created. 105189251Ssamap_scan=1 106189251Ssam 107337817Scy# Whether to force passive scan for network connection 108337817Scy# 109337817Scy# By default, scans will send out Probe Request frames on channels that allow 110337817Scy# active scanning. This advertise the local station to the world. Normally this 111337817Scy# is fine, but users may wish to do passive scanning where the radio should only 112337817Scy# listen quietly for Beacon frames and not send any Probe Request frames. Actual 113337817Scy# functionality may be driver dependent. 114337817Scy# 115337817Scy# This parameter can be used to force only passive scanning to be used 116337817Scy# for network connection cases. It should be noted that this will slow 117337817Scy# down scan operations and reduce likelihood of finding the AP. In 118337817Scy# addition, some use cases will override this due to functional 119337817Scy# requirements, e.g., for finding an AP that uses hidden SSID 120337817Scy# (scan_ssid=1) or P2P device discovery. 121337817Scy# 122337817Scy# 0: Do normal scans (allow active scans) (default) 123337817Scy# 1: Do passive scans. 124337817Scy#passive_scan=0 125337817Scy 126281806Srpaulo# MPM residency 127281806Srpaulo# By default, wpa_supplicant implements the mesh peering manager (MPM) for an 128281806Srpaulo# open mesh. However, if the driver can implement the MPM, you may set this to 129281806Srpaulo# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is 130281806Srpaulo# always used. 131281806Srpaulo# 0: MPM lives in the driver 132281806Srpaulo# 1: wpa_supplicant provides an MPM which handles peering (default) 133281806Srpaulo#user_mpm=1 134281806Srpaulo 135281806Srpaulo# Maximum number of peer links (0-255; default: 99) 136281806Srpaulo# Maximum number of mesh peering currently maintained by the STA. 137281806Srpaulo#max_peer_links=99 138281806Srpaulo 139281806Srpaulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 140281806Srpaulo# 141281806Srpaulo# This timeout value is used in mesh STA to clean up inactive stations. 142281806Srpaulo#mesh_max_inactivity=300 143281806Srpaulo 144281806Srpaulo# cert_in_cb - Whether to include a peer certificate dump in events 145281806Srpaulo# This controls whether peer certificates for authentication server and 146281806Srpaulo# its certificate chain are included in EAP peer certificate events. This is 147281806Srpaulo# enabled by default. 148281806Srpaulo#cert_in_cb=1 149281806Srpaulo 150189251Ssam# EAP fast re-authentication 151189251Ssam# By default, fast re-authentication is enabled for all EAP methods that 152189251Ssam# support it. This variable can be used to disable fast re-authentication. 153189251Ssam# Normally, there is no need to disable this. 154189251Ssamfast_reauth=1 155189251Ssam 156189251Ssam# OpenSSL Engine support 157337817Scy# These options can be used to load OpenSSL engines in special or legacy 158337817Scy# modes. 159189251Ssam# The two engines that are supported currently are shown below: 160189251Ssam# They are both from the opensc project (http://www.opensc.org/) 161337817Scy# By default the PKCS#11 engine is loaded if the client_cert or 162337817Scy# private_key option appear to be a PKCS#11 URI, and these options 163337817Scy# should not need to be used explicitly. 164189251Ssam# make the opensc engine available 165189251Ssam#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 166189251Ssam# make the pkcs11 engine available 167189251Ssam#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 168189251Ssam# configure the path to the pkcs11 module required by the pkcs11 engine 169189251Ssam#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 170189251Ssam 171281806Srpaulo# OpenSSL cipher string 172281806Srpaulo# 173281806Srpaulo# This is an OpenSSL specific configuration option for configuring the default 174346981Scy# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW" 175346981Scy# by default) is used. 176281806Srpaulo# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation 177281806Srpaulo# on cipher suite configuration. This is applicable only if wpa_supplicant is 178281806Srpaulo# built to use OpenSSL. 179281806Srpaulo#openssl_ciphers=DEFAULT:!EXP:!LOW 180281806Srpaulo 181189251Ssam# Dynamic EAP methods 182189251Ssam# If EAP methods were built dynamically as shared object files, they need to be 183189251Ssam# loaded here before being used in the network blocks. By default, EAP methods 184189251Ssam# are included statically in the build, so these lines are not needed 185189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 186189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 187189251Ssam 188189251Ssam# Driver interface parameters 189337817Scy# This field can be used to configure arbitrary driver interface parameters. The 190189251Ssam# format is specific to the selected driver interface. This field is not used 191189251Ssam# in most cases. 192189251Ssam#driver_param="field=value" 193189251Ssam 194189251Ssam# Country code 195189251Ssam# The ISO/IEC alpha2 country code for the country in which this device is 196189251Ssam# currently operating. 197189251Ssam#country=US 198189251Ssam 199189251Ssam# Maximum lifetime for PMKSA in seconds; default 43200 200189251Ssam#dot11RSNAConfigPMKLifetime=43200 201189251Ssam# Threshold for reauthentication (percentage of PMK lifetime); default 70 202189251Ssam#dot11RSNAConfigPMKReauthThreshold=70 203189251Ssam# Timeout for security association negotiation in seconds; default 60 204189251Ssam#dot11RSNAConfigSATimeout=60 205189251Ssam 206189251Ssam# Wi-Fi Protected Setup (WPS) parameters 207189251Ssam 208189251Ssam# Universally Unique IDentifier (UUID; see RFC 4122) of the device 209346981Scy# If not configured, UUID will be generated based on the mechanism selected with 210346981Scy# the auto_uuid parameter. 211189251Ssam#uuid=12345678-9abc-def0-1234-56789abcdef0 212189251Ssam 213346981Scy# Automatic UUID behavior 214346981Scy# 0 = generate static value based on the local MAC address (default) 215346981Scy# 1 = generate a random UUID every time wpa_supplicant starts 216346981Scy#auto_uuid=0 217346981Scy 218189251Ssam# Device Name 219189251Ssam# User-friendly description of device; up to 32 octets encoded in UTF-8 220189251Ssam#device_name=Wireless Client 221189251Ssam 222189251Ssam# Manufacturer 223189251Ssam# The manufacturer of the device (up to 64 ASCII characters) 224189251Ssam#manufacturer=Company 225189251Ssam 226189251Ssam# Model Name 227189251Ssam# Model of the device (up to 32 ASCII characters) 228189251Ssam#model_name=cmodel 229189251Ssam 230189251Ssam# Model Number 231189251Ssam# Additional device description (up to 32 ASCII characters) 232189251Ssam#model_number=123 233189251Ssam 234189251Ssam# Serial Number 235189251Ssam# Serial number of the device (up to 32 characters) 236189251Ssam#serial_number=12345 237189251Ssam 238189251Ssam# Primary Device Type 239189251Ssam# Used format: <categ>-<OUI>-<subcateg> 240189251Ssam# categ = Category as an integer value 241189251Ssam# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 242189251Ssam# default WPS OUI 243189251Ssam# subcateg = OUI-specific Sub Category as an integer value 244189251Ssam# Examples: 245189251Ssam# 1-0050F204-1 (Computer / PC) 246189251Ssam# 1-0050F204-2 (Computer / Server) 247189251Ssam# 5-0050F204-1 (Storage / NAS) 248189251Ssam# 6-0050F204-1 (Network Infrastructure / AP) 249189251Ssam#device_type=1-0050F204-1 250189251Ssam 251189251Ssam# OS Version 252189251Ssam# 4-octet operating system version number (hex string) 253189251Ssam#os_version=01020300 254189251Ssam 255214734Srpaulo# Config Methods 256214734Srpaulo# List of the supported configuration methods 257214734Srpaulo# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 258252726Srpaulo# nfc_interface push_button keypad virtual_display physical_display 259252726Srpaulo# virtual_push_button physical_push_button 260252726Srpaulo# For WSC 1.0: 261214734Srpaulo#config_methods=label display push_button keypad 262252726Srpaulo# For WSC 2.0: 263252726Srpaulo#config_methods=label virtual_display virtual_push_button keypad 264214734Srpaulo 265189251Ssam# Credential processing 266189251Ssam# 0 = process received credentials internally (default) 267189251Ssam# 1 = do not process received credentials; just pass them over ctrl_iface to 268189251Ssam# external program(s) 269189251Ssam# 2 = process received credentials internally and pass them over ctrl_iface 270189251Ssam# to external program(s) 271189251Ssam#wps_cred_processing=0 272189251Ssam 273346981Scy# Whether to enable SAE (WPA3-Personal transition mode) automatically for 274346981Scy# WPA2-PSK credentials received using WPS. 275346981Scy# 0 = only add the explicitly listed WPA2-PSK configuration (default) 276346981Scy# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the 277346981Scy# station gets configured in WPA3-Personal transition mode (supports both 278346981Scy# WPA2-Personal (PSK) and WPA3-Personal (SAE) APs). 279346981Scy#wps_cred_add_sae=0 280346981Scy 281252726Srpaulo# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 282252726Srpaulo# The vendor attribute contents to be added in M1 (hex string) 283252726Srpaulo#wps_vendor_ext_m1=000137100100020001 284252726Srpaulo 285252726Srpaulo# NFC password token for WPS 286252726Srpaulo# These parameters can be used to configure a fixed NFC password token for the 287252726Srpaulo# station. This can be generated, e.g., with nfc_pw_token. When these 288252726Srpaulo# parameters are used, the station is assumed to be deployed with a NFC tag 289252726Srpaulo# that includes the matching NFC password token (e.g., written based on the 290252726Srpaulo# NDEF record from nfc_pw_token). 291252726Srpaulo# 292252726Srpaulo#wps_nfc_dev_pw_id: Device Password ID (16..65535) 293252726Srpaulo#wps_nfc_dh_pubkey: Hexdump of DH Public Key 294252726Srpaulo#wps_nfc_dh_privkey: Hexdump of DH Private Key 295252726Srpaulo#wps_nfc_dev_pw: Hexdump of Device Password 296252726Srpaulo 297289549Srpaulo# Priority for the networks added through WPS 298289549Srpaulo# This priority value will be set to each network profile that is added 299289549Srpaulo# by executing the WPS protocol. 300289549Srpaulo#wps_priority=0 301289549Srpaulo 302214734Srpaulo# Maximum number of BSS entries to keep in memory 303214734Srpaulo# Default: 200 304214734Srpaulo# This can be used to limit memory use on the BSS entries (cached scan 305214734Srpaulo# results). A larger value may be needed in environments that have huge number 306214734Srpaulo# of APs when using ap_scan=1 mode. 307214734Srpaulo#bss_max_count=200 308214734Srpaulo 309346981Scy# BSS expiration age in seconds. A BSS will be removed from the local cache 310346981Scy# if it is not in use and has not been seen for this time. Default is 180. 311346981Scy#bss_expiration_age=180 312346981Scy 313346981Scy# BSS expiration after number of scans. A BSS will be removed from the local 314346981Scy# cache if it is not seen in this number of scans. 315346981Scy# Default is 2. 316346981Scy#bss_expiration_scan_count=2 317346981Scy 318252726Srpaulo# Automatic scan 319252726Srpaulo# This is an optional set of parameters for automatic scanning 320252726Srpaulo# within an interface in following format: 321252726Srpaulo#autoscan=<autoscan module name>:<module parameters> 322281806Srpaulo# autoscan is like bgscan but on disconnected or inactive state. 323281806Srpaulo# For instance, on exponential module parameters would be <base>:<limit> 324252726Srpaulo#autoscan=exponential:3:300 325252726Srpaulo# Which means a delay between scans on a base exponential of 3, 326281806Srpaulo# up to the limit of 300 seconds (3, 9, 27 ... 300) 327281806Srpaulo# For periodic module, parameters would be <fixed interval> 328252726Srpaulo#autoscan=periodic:30 329337817Scy# So a delay of 30 seconds will be applied between each scan. 330337817Scy# Note: If sched_scan_plans are configured and supported by the driver, 331337817Scy# autoscan is ignored. 332214734Srpaulo 333214734Srpaulo# filter_ssids - SSID-based scan result filtering 334214734Srpaulo# 0 = do not filter scan results (default) 335214734Srpaulo# 1 = only include configured SSIDs in scan results/BSS table 336214734Srpaulo#filter_ssids=0 337214734Srpaulo 338252726Srpaulo# Password (and passphrase, etc.) backend for external storage 339252726Srpaulo# format: <backend name>[:<optional backend parameters>] 340252726Srpaulo#ext_password_backend=test:pw1=password|pw2=testing 341214734Srpaulo 342289549Srpaulo 343289549Srpaulo# Disable P2P functionality 344289549Srpaulo# p2p_disabled=1 345289549Srpaulo 346252726Srpaulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 347252726Srpaulo# 348252726Srpaulo# This timeout value is used in P2P GO mode to clean up 349252726Srpaulo# inactive stations. 350252726Srpaulo#p2p_go_max_inactivity=300 351252726Srpaulo 352281806Srpaulo# Passphrase length (8..63) for P2P GO 353281806Srpaulo# 354281806Srpaulo# This parameter controls the length of the random passphrase that is 355281806Srpaulo# generated at the GO. Default: 8. 356281806Srpaulo#p2p_passphrase_len=8 357281806Srpaulo 358281806Srpaulo# Extra delay between concurrent P2P search iterations 359281806Srpaulo# 360281806Srpaulo# This value adds extra delay in milliseconds between concurrent search 361281806Srpaulo# iterations to make p2p_find friendlier to concurrent operations by avoiding 362281806Srpaulo# it from taking 100% of radio resources. The default value is 500 ms. 363281806Srpaulo#p2p_search_delay=500 364281806Srpaulo 365252726Srpaulo# Opportunistic Key Caching (also known as Proactive Key Caching) default 366252726Srpaulo# This parameter can be used to set the default behavior for the 367252726Srpaulo# proactive_key_caching parameter. By default, OKC is disabled unless enabled 368252726Srpaulo# with the global okc=1 parameter or with the per-network 369252726Srpaulo# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 370252726Srpaulo# can be disabled with per-network proactive_key_caching=0 parameter. 371252726Srpaulo#okc=0 372252726Srpaulo 373252726Srpaulo# Protected Management Frames default 374252726Srpaulo# This parameter can be used to set the default behavior for the ieee80211w 375337817Scy# parameter for RSN networks. By default, PMF is disabled unless enabled with 376337817Scy# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter. 377337817Scy# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the 378337817Scy# per-network ieee80211w parameter. This global default value does not apply 379337817Scy# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using 380337817Scy# RSN. 381252726Srpaulo#pmf=0 382252726Srpaulo 383281806Srpaulo# Enabled SAE finite cyclic groups in preference order 384281806Srpaulo# By default (if this parameter is not set), the mandatory group 19 (ECC group 385346981Scy# defined over a 256-bit prime order field, NIST P-256) is preferred and groups 386346981Scy# 20 (NIST P-384) and 21 (NIST P-521) are also enabled. If this parameter is 387346981Scy# set, the groups will be tried in the indicated order. 388346981Scy# The group values are listed in the IANA registry: 389281806Srpaulo# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 390346981Scy# Note that groups 1, 2, 5, 22, 23, and 24 should not be used in production 391346981Scy# purposes due limited security (see RFC 8247). Groups that are not as strong as 392346981Scy# group 19 (ECC, NIST P-256) are unlikely to be useful for production use cases 393346981Scy# since all implementations are required to support group 19. 394346981Scy#sae_groups=19 20 21 395281806Srpaulo 396281806Srpaulo# Default value for DTIM period (if not overridden in network block) 397281806Srpaulo#dtim_period=2 398281806Srpaulo 399281806Srpaulo# Default value for Beacon interval (if not overridden in network block) 400281806Srpaulo#beacon_int=100 401281806Srpaulo 402281806Srpaulo# Additional vendor specific elements for Beacon and Probe Response frames 403281806Srpaulo# This parameter can be used to add additional vendor specific element(s) into 404281806Srpaulo# the end of the Beacon and Probe Response frames. The format for these 405281806Srpaulo# element(s) is a hexdump of the raw information elements (id+len+payload for 406281806Srpaulo# one or more elements). This is used in AP and P2P GO modes. 407281806Srpaulo#ap_vendor_elements=dd0411223301 408281806Srpaulo 409281806Srpaulo# Ignore scan results older than request 410281806Srpaulo# 411281806Srpaulo# The driver may have a cache of scan results that makes it return 412281806Srpaulo# information that is older than our scan trigger. This parameter can 413281806Srpaulo# be used to configure such old information to be ignored instead of 414281806Srpaulo# allowing it to update the internal BSS table. 415281806Srpaulo#ignore_old_scan_res=0 416281806Srpaulo 417281806Srpaulo# scan_cur_freq: Whether to scan only the current frequency 418281806Srpaulo# 0: Scan all available frequencies. (Default) 419281806Srpaulo# 1: Scan current operating frequency if another VIF on the same radio 420281806Srpaulo# is already associated. 421281806Srpaulo 422281806Srpaulo# MAC address policy default 423281806Srpaulo# 0 = use permanent MAC address 424281806Srpaulo# 1 = use random MAC address for each ESS connection 425281806Srpaulo# 2 = like 1, but maintain OUI (with local admin bit set) 426281806Srpaulo# 427281806Srpaulo# By default, permanent MAC address is used unless policy is changed by 428281806Srpaulo# the per-network mac_addr parameter. Global mac_addr=1 can be used to 429281806Srpaulo# change this default behavior. 430281806Srpaulo#mac_addr=0 431281806Srpaulo 432281806Srpaulo# Lifetime of random MAC address in seconds (default: 60) 433281806Srpaulo#rand_addr_lifetime=60 434281806Srpaulo 435281806Srpaulo# MAC address policy for pre-association operations (scanning, ANQP) 436281806Srpaulo# 0 = use permanent MAC address 437281806Srpaulo# 1 = use random MAC address 438281806Srpaulo# 2 = like 1, but maintain OUI (with local admin bit set) 439281806Srpaulo#preassoc_mac_addr=0 440281806Srpaulo 441346981Scy# MAC address policy for GAS operations 442346981Scy# 0 = use permanent MAC address 443346981Scy# 1 = use random MAC address 444346981Scy# 2 = like 1, but maintain OUI (with local admin bit set) 445346981Scy#gas_rand_mac_addr=0 446346981Scy 447346981Scy# Lifetime of GAS random MAC address in seconds (default: 60) 448346981Scy#gas_rand_addr_lifetime=60 449346981Scy 450252726Srpaulo# Interworking (IEEE 802.11u) 451252726Srpaulo 452252726Srpaulo# Enable Interworking 453252726Srpaulo# interworking=1 454252726Srpaulo 455346981Scy# Enable P2P GO advertisement of Interworking 456346981Scy# go_interworking=1 457346981Scy 458346981Scy# P2P GO Interworking: Access Network Type 459346981Scy# 0 = Private network 460346981Scy# 1 = Private network with guest access 461346981Scy# 2 = Chargeable public network 462346981Scy# 3 = Free public network 463346981Scy# 4 = Personal device network 464346981Scy# 5 = Emergency services only network 465346981Scy# 14 = Test or experimental 466346981Scy# 15 = Wildcard 467346981Scy#go_access_network_type=0 468346981Scy 469346981Scy# P2P GO Interworking: Whether the network provides connectivity to the Internet 470346981Scy# 0 = Unspecified 471346981Scy# 1 = Network provides connectivity to the Internet 472346981Scy#go_internet=1 473346981Scy 474346981Scy# P2P GO Interworking: Group Venue Info (optional) 475346981Scy# The available values are defined in IEEE Std 802.11-2016, 9.4.1.35. 476346981Scy# Example values (group,type): 477346981Scy# 0,0 = Unspecified 478346981Scy# 1,7 = Convention Center 479346981Scy# 1,13 = Coffee Shop 480346981Scy# 2,0 = Unspecified Business 481346981Scy# 7,1 Private Residence 482346981Scy#go_venue_group=7 483346981Scy#go_venue_type=1 484346981Scy 485252726Srpaulo# Homogenous ESS identifier 486252726Srpaulo# If this is set, scans will be used to request response only from BSSes 487252726Srpaulo# belonging to the specified Homogeneous ESS. This is used only if interworking 488252726Srpaulo# is enabled. 489252726Srpaulo# hessid=00:11:22:33:44:55 490252726Srpaulo 491252726Srpaulo# Automatic network selection behavior 492252726Srpaulo# 0 = do not automatically go through Interworking network selection 493252726Srpaulo# (i.e., require explicit interworking_select command for this; default) 494252726Srpaulo# 1 = perform Interworking network selection if one or more 495252726Srpaulo# credentials have been configured and scan did not find a 496252726Srpaulo# matching network block 497252726Srpaulo#auto_interworking=0 498252726Srpaulo 499337817Scy# GAS Address3 field behavior 500337817Scy# 0 = P2P specification (Address3 = AP BSSID); default 501337817Scy# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when 502337817Scy# sent to not-associated AP; if associated, AP BSSID) 503337817Scy#gas_address3=0 504337817Scy 505337817Scy# Publish fine timing measurement (FTM) responder functionality in 506337817Scy# the Extended Capabilities element bit 70. 507337817Scy# Controls whether FTM responder functionality will be published by AP/STA. 508337817Scy# Note that actual FTM responder operation is managed outside wpa_supplicant. 509337817Scy# 0 = Do not publish; default 510337817Scy# 1 = Publish 511337817Scy#ftm_responder=0 512337817Scy 513337817Scy# Publish fine timing measurement (FTM) initiator functionality in 514337817Scy# the Extended Capabilities element bit 71. 515337817Scy# Controls whether FTM initiator functionality will be published by AP/STA. 516337817Scy# Note that actual FTM initiator operation is managed outside wpa_supplicant. 517337817Scy# 0 = Do not publish; default 518337817Scy# 1 = Publish 519337817Scy#ftm_initiator=0 520337817Scy 521252726Srpaulo# credential block 522252726Srpaulo# 523252726Srpaulo# Each credential used for automatic network selection is configured as a set 524252726Srpaulo# of parameters that are compared to the information advertised by the APs when 525252726Srpaulo# interworking_select and interworking_connect commands are used. 526252726Srpaulo# 527252726Srpaulo# credential fields: 528252726Srpaulo# 529281806Srpaulo# temporary: Whether this credential is temporary and not to be saved 530281806Srpaulo# 531252726Srpaulo# priority: Priority group 532252726Srpaulo# By default, all networks and credentials get the same priority group 533252726Srpaulo# (0). This field can be used to give higher priority for credentials 534252726Srpaulo# (and similarly in struct wpa_ssid for network blocks) to change the 535252726Srpaulo# Interworking automatic networking selection behavior. The matching 536252726Srpaulo# network (based on either an enabled network block or a credential) 537252726Srpaulo# with the highest priority value will be selected. 538252726Srpaulo# 539252726Srpaulo# pcsc: Use PC/SC and SIM/USIM card 540252726Srpaulo# 541252726Srpaulo# realm: Home Realm for Interworking 542252726Srpaulo# 543252726Srpaulo# username: Username for Interworking network selection 544252726Srpaulo# 545252726Srpaulo# password: Password for Interworking network selection 546252726Srpaulo# 547252726Srpaulo# ca_cert: CA certificate for Interworking network selection 548252726Srpaulo# 549252726Srpaulo# client_cert: File path to client certificate file (PEM/DER) 550252726Srpaulo# This field is used with Interworking networking selection for a case 551252726Srpaulo# where client certificate/private key is used for authentication 552252726Srpaulo# (EAP-TLS). Full path to the file should be used since working 553252726Srpaulo# directory may change when wpa_supplicant is run in the background. 554252726Srpaulo# 555337817Scy# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI. 556337817Scy# 557337817Scy# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" 558337817Scy# 559252726Srpaulo# Alternatively, a named configuration blob can be used by setting 560252726Srpaulo# this to blob://blob_name. 561252726Srpaulo# 562252726Srpaulo# private_key: File path to client private key file (PEM/DER/PFX) 563252726Srpaulo# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 564252726Srpaulo# commented out. Both the private key and certificate will be read 565252726Srpaulo# from the PKCS#12 file in this case. Full path to the file should be 566252726Srpaulo# used since working directory may change when wpa_supplicant is run 567252726Srpaulo# in the background. 568252726Srpaulo# 569337817Scy# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI. 570337817Scy# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" 571337817Scy# 572252726Srpaulo# Windows certificate store can be used by leaving client_cert out and 573252726Srpaulo# configuring private_key in one of the following formats: 574252726Srpaulo# 575252726Srpaulo# cert://substring_to_match 576252726Srpaulo# 577252726Srpaulo# hash://certificate_thumbprint_in_hex 578252726Srpaulo# 579252726Srpaulo# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 580252726Srpaulo# 581252726Srpaulo# Note that when running wpa_supplicant as an application, the user 582252726Srpaulo# certificate store (My user account) is used, whereas computer store 583252726Srpaulo# (Computer account) is used when running wpasvc as a service. 584252726Srpaulo# 585252726Srpaulo# Alternatively, a named configuration blob can be used by setting 586252726Srpaulo# this to blob://blob_name. 587252726Srpaulo# 588252726Srpaulo# private_key_passwd: Password for private key file 589252726Srpaulo# 590252726Srpaulo# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 591252726Srpaulo# 592252726Srpaulo# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 593252726Srpaulo# format 594252726Srpaulo# 595281806Srpaulo# domain: Home service provider FQDN(s) 596252726Srpaulo# This is used to compare against the Domain Name List to figure out 597281806Srpaulo# whether the AP is operated by the Home SP. Multiple domain entries can 598281806Srpaulo# be used to configure alternative FQDNs that will be considered home 599281806Srpaulo# networks. 600252726Srpaulo# 601252726Srpaulo# roaming_consortium: Roaming Consortium OI 602252726Srpaulo# If roaming_consortium_len is non-zero, this field contains the 603252726Srpaulo# Roaming Consortium OI that can be used to determine which access 604252726Srpaulo# points support authentication with this credential. This is an 605252726Srpaulo# alternative to the use of the realm parameter. When using Roaming 606252726Srpaulo# Consortium to match the network, the EAP parameters need to be 607252726Srpaulo# pre-configured with the credential since the NAI Realm information 608252726Srpaulo# may not be available or fetched. 609252726Srpaulo# 610346981Scy# required_roaming_consortium: Required Roaming Consortium OI 611346981Scy# If required_roaming_consortium_len is non-zero, this field contains the 612346981Scy# Roaming Consortium OI that is required to be advertised by the AP for 613346981Scy# the credential to be considered matching. 614346981Scy# 615346981Scy# roaming_consortiums: Roaming Consortium OI(s) memberships 616346981Scy# This string field contains one or more comma delimited OIs (hexdump) 617346981Scy# identifying the roaming consortiums of which the provider is a member. 618346981Scy# The list is sorted from the most preferred one to the least preferred 619346981Scy# one. A match between the Roaming Consortium OIs advertised by an AP and 620346981Scy# the OIs in this list indicates that successful authentication is 621346981Scy# possible. 622346981Scy# (Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI) 623346981Scy# 624252726Srpaulo# eap: Pre-configured EAP method 625252726Srpaulo# This optional field can be used to specify which EAP method will be 626252726Srpaulo# used with this credential. If not set, the EAP method is selected 627252726Srpaulo# automatically based on ANQP information (e.g., NAI Realm). 628252726Srpaulo# 629252726Srpaulo# phase1: Pre-configure Phase 1 (outer authentication) parameters 630252726Srpaulo# This optional field is used with like the 'eap' parameter. 631252726Srpaulo# 632252726Srpaulo# phase2: Pre-configure Phase 2 (inner authentication) parameters 633252726Srpaulo# This optional field is used with like the 'eap' parameter. 634252726Srpaulo# 635252726Srpaulo# excluded_ssid: Excluded SSID 636252726Srpaulo# This optional field can be used to excluded specific SSID(s) from 637252726Srpaulo# matching with the network. Multiple entries can be used to specify more 638252726Srpaulo# than one SSID. 639252726Srpaulo# 640281806Srpaulo# roaming_partner: Roaming partner information 641281806Srpaulo# This optional field can be used to configure preferences between roaming 642281806Srpaulo# partners. The field is a string in following format: 643281806Srpaulo# <FQDN>,<0/1 exact match>,<priority>,<* or country code> 644281806Srpaulo# (non-exact match means any subdomain matches the entry; priority is in 645281806Srpaulo# 0..255 range with 0 being the highest priority) 646281806Srpaulo# 647281806Srpaulo# update_identifier: PPS MO ID 648281806Srpaulo# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 649281806Srpaulo# 650281806Srpaulo# provisioning_sp: FQDN of the SP that provisioned the credential 651281806Srpaulo# This optional field can be used to keep track of the SP that provisioned 652281806Srpaulo# the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>). 653281806Srpaulo# 654281806Srpaulo# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*) 655281806Srpaulo# These fields can be used to specify minimum download/upload backhaul 656281806Srpaulo# bandwidth that is preferred for the credential. This constraint is 657281806Srpaulo# ignored if the AP does not advertise WAN Metrics information or if the 658281806Srpaulo# limit would prevent any connection. Values are in kilobits per second. 659281806Srpaulo# min_dl_bandwidth_home 660281806Srpaulo# min_ul_bandwidth_home 661281806Srpaulo# min_dl_bandwidth_roaming 662281806Srpaulo# min_ul_bandwidth_roaming 663281806Srpaulo# 664281806Srpaulo# max_bss_load: Maximum BSS Load Channel Utilization (1..255) 665281806Srpaulo# (PPS/<X+>/Policy/MaximumBSSLoadValue) 666281806Srpaulo# This value is used as the maximum channel utilization for network 667281806Srpaulo# selection purposes for home networks. If the AP does not advertise 668281806Srpaulo# BSS Load or if the limit would prevent any connection, this constraint 669281806Srpaulo# will be ignored. 670281806Srpaulo# 671281806Srpaulo# req_conn_capab: Required connection capability 672281806Srpaulo# (PPS/<X+>/Policy/RequiredProtoPortTuple) 673281806Srpaulo# This value is used to configure set of required protocol/port pairs that 674281806Srpaulo# a roaming network shall support (include explicitly in Connection 675281806Srpaulo# Capability ANQP element). This constraint is ignored if the AP does not 676281806Srpaulo# advertise Connection Capability or if this constraint would prevent any 677281806Srpaulo# network connection. This policy is not used in home networks. 678281806Srpaulo# Format: <protocol>[:<comma-separated list of ports] 679281806Srpaulo# Multiple entries can be used to list multiple requirements. 680281806Srpaulo# For example, number of common TCP protocols: 681281806Srpaulo# req_conn_capab=6,22,80,443 682281806Srpaulo# For example, IPSec/IKE: 683281806Srpaulo# req_conn_capab=17:500 684281806Srpaulo# req_conn_capab=50 685281806Srpaulo# 686281806Srpaulo# ocsp: Whether to use/require OCSP to check server certificate 687281806Srpaulo# 0 = do not use OCSP stapling (TLS certificate status extension) 688281806Srpaulo# 1 = try to use OCSP stapling, but not require response 689281806Srpaulo# 2 = require valid OCSP stapling response 690337817Scy# 3 = require valid OCSP stapling response for all not-trusted 691337817Scy# certificates in the server certificate chain 692281806Srpaulo# 693281806Srpaulo# sim_num: Identifier for which SIM to use in multi-SIM devices 694281806Srpaulo# 695252726Srpaulo# for example: 696252726Srpaulo# 697252726Srpaulo#cred={ 698252726Srpaulo# realm="example.com" 699252726Srpaulo# username="user@example.com" 700252726Srpaulo# password="password" 701252726Srpaulo# ca_cert="/etc/wpa_supplicant/ca.pem" 702252726Srpaulo# domain="example.com" 703252726Srpaulo#} 704252726Srpaulo# 705252726Srpaulo#cred={ 706252726Srpaulo# imsi="310026-000000000" 707252726Srpaulo# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 708252726Srpaulo#} 709252726Srpaulo# 710252726Srpaulo#cred={ 711252726Srpaulo# realm="example.com" 712252726Srpaulo# username="user" 713252726Srpaulo# password="password" 714252726Srpaulo# ca_cert="/etc/wpa_supplicant/ca.pem" 715252726Srpaulo# domain="example.com" 716252726Srpaulo# roaming_consortium=223344 717252726Srpaulo# eap=TTLS 718252726Srpaulo# phase2="auth=MSCHAPV2" 719252726Srpaulo#} 720252726Srpaulo 721252726Srpaulo# Hotspot 2.0 722252726Srpaulo# hs20=1 723252726Srpaulo 724337817Scy# Scheduled scan plans 725337817Scy# 726337817Scy# A space delimited list of scan plans. Each scan plan specifies the scan 727337817Scy# interval and number of iterations, delimited by a colon. The last scan plan 728337817Scy# will run infinitely and thus must specify only the interval and not the number 729337817Scy# of iterations. 730337817Scy# 731337817Scy# The driver advertises the maximum number of scan plans supported. If more scan 732337817Scy# plans than supported are configured, only the first ones are set (up to the 733337817Scy# maximum supported). The last scan plan that specifies only the interval is 734337817Scy# always set as the last plan. 735337817Scy# 736337817Scy# If the scan interval or the number of iterations for a scan plan exceeds the 737337817Scy# maximum supported, it will be set to the maximum supported value. 738337817Scy# 739337817Scy# Format: 740337817Scy# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval> 741337817Scy# 742337817Scy# Example: 743337817Scy# sched_scan_plans=10:100 20:200 30 744337817Scy 745337817Scy# Multi Band Operation (MBO) non-preferred channels 746337817Scy# A space delimited list of non-preferred channels where each channel is a colon 747337817Scy# delimited list of values. 748337817Scy# Format: 749337817Scy# non_pref_chan=<oper_class>:<chan>:<preference>:<reason> 750337817Scy# Example: 751346981Scy# non_pref_chan=81:5:10:2 81:1:0:2 81:9:0:2 752337817Scy 753337817Scy# MBO Cellular Data Capabilities 754337817Scy# 1 = Cellular data connection available 755337817Scy# 2 = Cellular data connection not available 756337817Scy# 3 = Not cellular capable (default) 757337817Scy#mbo_cell_capa=3 758337817Scy 759346981Scy# Optimized Connectivity Experience (OCE) 760346981Scy# oce: Enable OCE features (bitmap) 761346981Scy# Set BIT(0) to Enable OCE in non-AP STA mode (default; disabled if the driver 762346981Scy# does not indicate support for OCE in STA mode) 763346981Scy# Set BIT(1) to Enable OCE in STA-CFON mode 764346981Scy#oce=1 765346981Scy 766189251Ssam# network block 767189251Ssam# 768189251Ssam# Each network (usually AP's sharing the same SSID) is configured as a separate 769189251Ssam# block in this configuration file. The network blocks are in preference order 770189251Ssam# (the first match is used). 771189251Ssam# 772189251Ssam# network block fields: 773189251Ssam# 774189251Ssam# disabled: 775189251Ssam# 0 = this network can be used (default) 776189251Ssam# 1 = this network block is disabled (can be enabled through ctrl_iface, 777189251Ssam# e.g., with wpa_cli or wpa_gui) 778189251Ssam# 779189251Ssam# id_str: Network identifier string for external scripts. This value is passed 780189251Ssam# to external action script through wpa_cli as WPA_ID_STR environment 781189251Ssam# variable to make it easier to do network specific configuration. 782189251Ssam# 783252726Srpaulo# ssid: SSID (mandatory); network name in one of the optional formats: 784252726Srpaulo# - an ASCII string with double quotation 785252726Srpaulo# - a hex string (two characters per octet of SSID) 786252726Srpaulo# - a printf-escaped ASCII string P"<escaped string>" 787189251Ssam# 788189251Ssam# scan_ssid: 789189251Ssam# 0 = do not scan this SSID with specific Probe Request frames (default) 790189251Ssam# 1 = scan with SSID-specific Probe Request frames (this can be used to 791189902Sdougb# find APs that hide (do not broadcast) SSID or use multiple SSIDs; 792189251Ssam# this will add latency to scanning, so enable this only when needed) 793189251Ssam# 794189251Ssam# bssid: BSSID (optional); if set, this network block is used only when 795189251Ssam# associating with the AP using the configured BSSID 796189251Ssam# 797189251Ssam# priority: priority group (integer) 798189251Ssam# By default, all networks will get same priority group (0). If some of the 799189251Ssam# networks are more desirable, this field can be used to change the order in 800189251Ssam# which wpa_supplicant goes through the networks when selecting a BSS. The 801189251Ssam# priority groups will be iterated in decreasing priority (i.e., the larger the 802189251Ssam# priority value, the sooner the network is matched against the scan results). 803189251Ssam# Within each priority group, networks will be selected based on security 804189251Ssam# policy, signal strength, etc. 805189251Ssam# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 806189251Ssam# using this priority to select the order for scanning. Instead, they try the 807189902Sdougb# networks in the order that they are listed in the configuration file. 808189251Ssam# 809189251Ssam# mode: IEEE 802.11 operation mode 810189251Ssam# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 811189251Ssam# 1 = IBSS (ad-hoc, peer-to-peer) 812214734Srpaulo# 2 = AP (access point) 813281806Srpaulo# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and 814281806Srpaulo# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key 815281806Srpaulo# TKIP/CCMP) is available for backwards compatibility, but its use is 816281806Srpaulo# deprecated. WPA-None requires following network block options: 817189251Ssam# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 818189251Ssam# both), and psk must also be set. 819189251Ssam# 820189251Ssam# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 821189251Ssam# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 822189251Ssam# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 823189251Ssam# In addition, this value is only used by the station that creates the IBSS. If 824189251Ssam# an IBSS network with the configured SSID is already present, the frequency of 825189251Ssam# the network will be used instead of this configured value. 826189251Ssam# 827337817Scy# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only. 828337817Scy# 0 = do not use PBSS 829337817Scy# 1 = use PBSS 830337817Scy# 2 = don't care (not allowed in AP mode) 831337817Scy# Used together with mode configuration. When mode is AP, it means to start a 832337817Scy# PCP instead of a regular AP. When mode is infrastructure it means connect 833337817Scy# to a PCP instead of AP. In this mode you can also specify 2 (don't care) 834337817Scy# which means connect to either PCP or AP. 835337817Scy# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network. 836337817Scy# For more details, see IEEE Std 802.11ad-2012. 837337817Scy# 838214734Srpaulo# scan_freq: List of frequencies to scan 839214734Srpaulo# Space-separated list of frequencies in MHz to scan when searching for this 840214734Srpaulo# BSS. If the subset of channels used by the network is known, this option can 841214734Srpaulo# be used to optimize scanning to not occur on channels that the network does 842214734Srpaulo# not use. Example: scan_freq=2412 2437 2462 843214734Srpaulo# 844214734Srpaulo# freq_list: Array of allowed frequencies 845214734Srpaulo# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 846214734Srpaulo# set, scan results that do not match any of the specified frequencies are not 847214734Srpaulo# considered when selecting a BSS. 848214734Srpaulo# 849281806Srpaulo# This can also be set on the outside of the network block. In this case, 850281806Srpaulo# it limits the frequencies that will be scanned. 851281806Srpaulo# 852252726Srpaulo# bgscan: Background scanning 853252726Srpaulo# wpa_supplicant behavior for background scanning can be specified by 854252726Srpaulo# configuring a bgscan module. These modules are responsible for requesting 855252726Srpaulo# background scans for the purpose of roaming within an ESS (i.e., within a 856252726Srpaulo# single network block with all the APs using the same SSID). The bgscan 857252726Srpaulo# parameter uses following format: "<bgscan module name>:<module parameters>" 858252726Srpaulo# Following bgscan modules are available: 859252726Srpaulo# simple - Periodic background scans based on signal strength 860252726Srpaulo# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 861252726Srpaulo# <long interval>" 862252726Srpaulo# bgscan="simple:30:-45:300" 863252726Srpaulo# learn - Learn channels used by the network and try to avoid bgscans on other 864252726Srpaulo# channels (experimental) 865252726Srpaulo# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 866252726Srpaulo# <long interval>[:<database file name>]" 867252726Srpaulo# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 868281806Srpaulo# Explicitly disable bgscan by setting 869281806Srpaulo# bgscan="" 870252726Srpaulo# 871281806Srpaulo# This option can also be set outside of all network blocks for the bgscan 872281806Srpaulo# parameter to apply for all the networks that have no specific bgscan 873281806Srpaulo# parameter. 874281806Srpaulo# 875189251Ssam# proto: list of accepted protocols 876189251Ssam# WPA = WPA/IEEE 802.11i/D3.0 877189251Ssam# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 878346981Scy# Note that RSN is used also for WPA3. 879189251Ssam# If not set, this defaults to: WPA RSN 880189251Ssam# 881189251Ssam# key_mgmt: list of accepted authenticated key management protocols 882189251Ssam# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 883189251Ssam# WPA-EAP = WPA using EAP authentication 884189251Ssam# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 885189251Ssam# generated WEP keys 886189251Ssam# NONE = WPA is not used; plaintext or static WEP could be used 887337817Scy# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK 888337817Scy# instead) 889337817Scy# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key 890337817Scy# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication 891346981Scy# FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication 892346981Scy# and using SHA384 893189251Ssam# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 894189251Ssam# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 895337817Scy# SAE = Simultaneous authentication of equals; pre-shared key/password -based 896337817Scy# authentication with stronger security than WPA-PSK especially when using 897346981Scy# not that strong password; a.k.a. WPA3-Personal 898337817Scy# FT-SAE = SAE with FT 899337817Scy# WPA-EAP-SUITE-B = Suite B 128-bit level 900337817Scy# WPA-EAP-SUITE-B-192 = Suite B 192-bit level 901337817Scy# OSEN = Hotspot 2.0 Rel 2 online signup connection 902346981Scy# FILS-SHA256 = Fast Initial Link Setup with SHA256 903346981Scy# FILS-SHA384 = Fast Initial Link Setup with SHA384 904346981Scy# FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256 905346981Scy# FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384 906346981Scy# OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open) 907346981Scy# DPP = Device Provisioning Protocol 908189251Ssam# If not set, this defaults to: WPA-PSK WPA-EAP 909189251Ssam# 910252726Srpaulo# ieee80211w: whether management frame protection is enabled 911252726Srpaulo# 0 = disabled (default unless changed with the global pmf parameter) 912252726Srpaulo# 1 = optional 913252726Srpaulo# 2 = required 914252726Srpaulo# The most common configuration options for this based on the PMF (protected 915252726Srpaulo# management frames) certification program are: 916252726Srpaulo# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 917252726Srpaulo# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 918252726Srpaulo# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 919252726Srpaulo# 920346981Scy# ocv: whether operating channel validation is enabled 921346981Scy# This is a countermeasure against multi-channel man-in-the-middle attacks. 922346981Scy# Enabling this automatically also enables ieee80211w, if not yet enabled. 923346981Scy# 0 = disabled (default) 924346981Scy# 1 = enabled 925346981Scy#ocv=1 926346981Scy# 927189251Ssam# auth_alg: list of allowed IEEE 802.11 authentication algorithms 928189251Ssam# OPEN = Open System authentication (required for WPA/WPA2) 929189251Ssam# SHARED = Shared Key authentication (requires static WEP keys) 930189251Ssam# LEAP = LEAP/Network EAP (only used with LEAP) 931189251Ssam# If not set, automatic selection is used (Open System with LEAP enabled if 932189251Ssam# LEAP is allowed as one of the EAP methods). 933189251Ssam# 934189251Ssam# pairwise: list of accepted pairwise (unicast) ciphers for WPA 935189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 936189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 937189251Ssam# NONE = Use only Group Keys (deprecated, should not be included if APs support 938189251Ssam# pairwise keys) 939189251Ssam# If not set, this defaults to: CCMP TKIP 940189251Ssam# 941189251Ssam# group: list of accepted group (broadcast/multicast) ciphers for WPA 942189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 943189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 944189251Ssam# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 945189251Ssam# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 946189251Ssam# If not set, this defaults to: CCMP TKIP WEP104 WEP40 947189251Ssam# 948346981Scy# group_mgmt: list of accepted group management ciphers for RSN (PMF) 949346981Scy# AES-128-CMAC = BIP-CMAC-128 950346981Scy# BIP-GMAC-128 951346981Scy# BIP-GMAC-256 952346981Scy# BIP-CMAC-256 953346981Scy# If not set, no constraint on the cipher, i.e., accept whichever cipher the AP 954346981Scy# indicates. 955346981Scy# 956189251Ssam# psk: WPA preshared key; 256-bit pre-shared key 957189251Ssam# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 958189251Ssam# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 959189251Ssam# generated using the passphrase and SSID). ASCII passphrase must be between 960252726Srpaulo# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can 961252726Srpaulo# be used to indicate that the PSK/passphrase is stored in external storage. 962189251Ssam# This field is not needed, if WPA-EAP is used. 963189251Ssam# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 964189251Ssam# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 965189251Ssam# startup and reconfiguration time can be optimized by generating the PSK only 966189251Ssam# only when the passphrase or SSID has actually changed. 967189251Ssam# 968289549Srpaulo# mem_only_psk: Whether to keep PSK/passphrase only in memory 969289549Srpaulo# 0 = allow psk/passphrase to be stored to the configuration file 970289549Srpaulo# 1 = do not store psk/passphrase to the configuration file 971289549Srpaulo#mem_only_psk=0 972289549Srpaulo# 973346981Scy# sae_password: SAE password 974346981Scy# This parameter can be used to set a password for SAE. By default, the 975346981Scy# passphrase from the psk parameter is used if this separate parameter is not 976346981Scy# used, but psk follows the WPA-PSK constraints (8..63 characters) even though 977346981Scy# SAE passwords do not have such constraints. 978346981Scy# 979346981Scy# sae_password_id: SAE password identifier 980346981Scy# This parameter can be used to set an identifier for the SAE password. By 981346981Scy# default, no such identifier is used. If set, the specified identifier value 982346981Scy# is used by the other peer to select which password to use for authentication. 983346981Scy# 984189251Ssam# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 985189251Ssam# Dynamic WEP key required for non-WPA mode 986189251Ssam# bit0 (1): require dynamically generated unicast WEP key 987189251Ssam# bit1 (2): require dynamically generated broadcast WEP key 988189251Ssam# (3 = require both keys; default) 989346981Scy# Note: When using wired authentication (including MACsec drivers), 990281806Srpaulo# eapol_flags must be set to 0 for the authentication to be completed 991281806Srpaulo# successfully. 992189251Ssam# 993281806Srpaulo# macsec_policy: IEEE 802.1X/MACsec options 994346981Scy# This determines how sessions are secured with MACsec (only for MACsec 995346981Scy# drivers). 996281806Srpaulo# 0: MACsec not in use (default) 997281806Srpaulo# 1: MACsec enabled - Should secure, accept key server's advice to 998281806Srpaulo# determine whether to use a secure session or not. 999281806Srpaulo# 1000346981Scy# macsec_integ_only: IEEE 802.1X/MACsec transmit mode 1001346981Scy# This setting applies only when MACsec is in use, i.e., 1002346981Scy# - macsec_policy is enabled 1003346981Scy# - the key server has decided to enable MACsec 1004346981Scy# 0: Encrypt traffic (default) 1005346981Scy# 1: Integrity only 1006346981Scy# 1007346981Scy# macsec_replay_protect: IEEE 802.1X/MACsec replay protection 1008346981Scy# This setting applies only when MACsec is in use, i.e., 1009346981Scy# - macsec_policy is enabled 1010346981Scy# - the key server has decided to enable MACsec 1011346981Scy# 0: Replay protection disabled (default) 1012346981Scy# 1: Replay protection enabled 1013346981Scy# 1014346981Scy# macsec_replay_window: IEEE 802.1X/MACsec replay protection window 1015346981Scy# This determines a window in which replay is tolerated, to allow receipt 1016346981Scy# of frames that have been misordered by the network. 1017346981Scy# This setting applies only when MACsec replay protection active, i.e., 1018346981Scy# - macsec_replay_protect is enabled 1019346981Scy# - the key server has decided to enable MACsec 1020346981Scy# 0: No replay window, strict check (default) 1021346981Scy# 1..2^32-1: number of packets that could be misordered 1022346981Scy# 1023346981Scy# macsec_port: IEEE 802.1X/MACsec port 1024346981Scy# Port component of the SCI 1025346981Scy# Range: 1-65534 (default: 1) 1026346981Scy# 1027346981Scy# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode 1028346981Scy# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. 1029346981Scy# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer 1030346981Scy# with lower priority will become the key server and start distributing SAKs. 1031346981Scy# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) 1032346981Scy# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) 1033346981Scy# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string 1034346981Scy# (2..64 hex-digits) 1035346981Scy# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being 1036346981Scy# default priority 1037346981Scy# 1038189251Ssam# mixed_cell: This option can be used to configure whether so called mixed 1039189251Ssam# cells, i.e., networks that use both plaintext and encryption in the same 1040252726Srpaulo# SSID, are allowed when selecting a BSS from scan results. 1041189251Ssam# 0 = disabled (default) 1042189251Ssam# 1 = enabled 1043189251Ssam# 1044189251Ssam# proactive_key_caching: 1045189251Ssam# Enable/disable opportunistic PMKSA caching for WPA2. 1046252726Srpaulo# 0 = disabled (default unless changed with the global okc parameter) 1047189251Ssam# 1 = enabled 1048189251Ssam# 1049351611Scy# ft_eap_pmksa_caching: 1050351611Scy# Whether FT-EAP PMKSA caching is allowed 1051351611Scy# 0 = do not try to use PMKSA caching with FT-EAP (default) 1052351611Scy# 1 = try to use PMKSA caching with FT-EAP 1053351611Scy# This controls whether to try to use PMKSA caching with FT-EAP for the 1054351611Scy# FT initial mobility domain association. 1055351611Scy#ft_eap_pmksa_caching=0 1056351611Scy# 1057189251Ssam# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 1058189251Ssam# hex without quotation, e.g., 0102030405) 1059189251Ssam# wep_tx_keyidx: Default WEP key index (TX) (0..3) 1060189251Ssam# 1061189251Ssam# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 1062189251Ssam# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 1063189251Ssam# 1064337817Scy# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used 1065337817Scy# as the dot11RSNAConfigGroupRekeyTime parameter when operating in 1066346981Scy# Authenticator role in IBSS, or in AP and mesh modes. 1067337817Scy# 1068189251Ssam# Following fields are only used with internal EAP implementation. 1069189251Ssam# eap: space-separated list of accepted EAP methods 1070337817Scy# MD5 = EAP-MD5 (insecure and does not generate keying material -> 1071189251Ssam# cannot be used with WPA; to be used as a Phase 2 method 1072189251Ssam# with EAP-PEAP or EAP-TTLS) 1073189251Ssam# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 1074189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 1075189251Ssam# OTP = EAP-OTP (cannot be used separately with WPA; to be used 1076189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 1077189251Ssam# GTC = EAP-GTC (cannot be used separately with WPA; to be used 1078189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 1079189251Ssam# TLS = EAP-TLS (client and server certificate) 1080189251Ssam# PEAP = EAP-PEAP (with tunnelled EAP authentication) 1081189251Ssam# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 1082189251Ssam# authentication) 1083189251Ssam# If not set, all compiled in methods are allowed. 1084189251Ssam# 1085189251Ssam# identity: Identity string for EAP 1086189251Ssam# This field is also used to configure user NAI for 1087189251Ssam# EAP-PSK/PAX/SAKE/GPSK. 1088189251Ssam# anonymous_identity: Anonymous identity string for EAP (to be used as the 1089189251Ssam# unencrypted identity with EAP types that support different tunnelled 1090252726Srpaulo# identity, e.g., EAP-TTLS). This field can also be used with 1091252726Srpaulo# EAP-SIM/AKA/AKA' to store the pseudonym identity. 1092189251Ssam# password: Password string for EAP. This field can include either the 1093189251Ssam# plaintext password (using ASCII or hex string) or a NtPasswordHash 1094189251Ssam# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 1095189251Ssam# NtPasswordHash can only be used when the password is for MSCHAPv2 or 1096189251Ssam# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 1097189251Ssam# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 1098189251Ssam# PSK) is also configured using this field. For EAP-GPSK, this is a 1099252726Srpaulo# variable length PSK. ext:<name of external password field> format can 1100252726Srpaulo# be used to indicate that the password is stored in external storage. 1101189251Ssam# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 1102189251Ssam# or more trusted CA certificates. If ca_cert and ca_path are not 1103189251Ssam# included, server certificate will not be verified. This is insecure and 1104189251Ssam# a trusted CA certificate should always be configured when using 1105189251Ssam# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 1106189251Ssam# change when wpa_supplicant is run in the background. 1107214734Srpaulo# 1108214734Srpaulo# Alternatively, this can be used to only perform matching of the server 1109214734Srpaulo# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 1110214734Srpaulo# this case, the possible CA certificates in the server certificate chain 1111214734Srpaulo# are ignored and only the server certificate is verified. This is 1112214734Srpaulo# configured with the following format: 1113214734Srpaulo# hash:://server/sha256/cert_hash_in_hex 1114214734Srpaulo# For example: "hash://server/sha256/ 1115214734Srpaulo# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 1116214734Srpaulo# 1117189251Ssam# On Windows, trusted CA certificates can be loaded from the system 1118189251Ssam# certificate store by setting this to cert_store://<name>, e.g., 1119189251Ssam# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 1120189251Ssam# Note that when running wpa_supplicant as an application, the user 1121189251Ssam# certificate store (My user account) is used, whereas computer store 1122189251Ssam# (Computer account) is used when running wpasvc as a service. 1123189251Ssam# ca_path: Directory path for CA certificate files (PEM). This path may 1124189251Ssam# contain multiple CA certificates in OpenSSL format. Common use for this 1125189251Ssam# is to point to system trusted CA list which is often installed into 1126189251Ssam# directory like /etc/ssl/certs. If configured, these certificates are 1127189251Ssam# added to the list of trusted CAs. ca_cert may also be included in that 1128189251Ssam# case, but it is not required. 1129189251Ssam# client_cert: File path to client certificate file (PEM/DER) 1130189251Ssam# Full path should be used since working directory may change when 1131189251Ssam# wpa_supplicant is run in the background. 1132189251Ssam# Alternatively, a named configuration blob can be used by setting this 1133189251Ssam# to blob://<blob name>. 1134189251Ssam# private_key: File path to client private key file (PEM/DER/PFX) 1135189251Ssam# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 1136189251Ssam# commented out. Both the private key and certificate will be read from 1137189251Ssam# the PKCS#12 file in this case. Full path should be used since working 1138189251Ssam# directory may change when wpa_supplicant is run in the background. 1139189251Ssam# Windows certificate store can be used by leaving client_cert out and 1140189251Ssam# configuring private_key in one of the following formats: 1141189251Ssam# cert://substring_to_match 1142189251Ssam# hash://certificate_thumbprint_in_hex 1143189251Ssam# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 1144189251Ssam# Note that when running wpa_supplicant as an application, the user 1145189251Ssam# certificate store (My user account) is used, whereas computer store 1146189251Ssam# (Computer account) is used when running wpasvc as a service. 1147189251Ssam# Alternatively, a named configuration blob can be used by setting this 1148189251Ssam# to blob://<blob name>. 1149189251Ssam# private_key_passwd: Password for private key file (if left out, this will be 1150189251Ssam# asked through control interface) 1151189251Ssam# dh_file: File path to DH/DSA parameters file (in PEM format) 1152189251Ssam# This is an optional configuration file for setting parameters for an 1153189251Ssam# ephemeral DH key exchange. In most cases, the default RSA 1154189251Ssam# authentication does not use this configuration. However, it is possible 1155189251Ssam# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 1156189251Ssam# DSA keys always use ephemeral DH keys. This can be used to achieve 1157189251Ssam# forward secrecy. If the file is in DSA parameters format, it will be 1158189251Ssam# automatically converted into DH params. 1159189251Ssam# subject_match: Substring to be matched against the subject of the 1160189251Ssam# authentication server certificate. If this string is set, the server 1161337817Scy# certificate is only accepted if it contains this string in the subject. 1162189251Ssam# The subject string is in following format: 1163189251Ssam# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 1164337817Scy# Note: Since this is a substring match, this cannot be used securely to 1165281806Srpaulo# do a suffix match against a possible domain name in the CN entry. For 1166281806Srpaulo# such a use case, domain_suffix_match or domain_match should be used 1167281806Srpaulo# instead. 1168189251Ssam# altsubject_match: Semicolon separated string of entries to be matched against 1169189251Ssam# the alternative subject name of the authentication server certificate. 1170337817Scy# If this string is set, the server certificate is only accepted if it 1171189251Ssam# contains one of the entries in an alternative subject name extension. 1172189251Ssam# altSubjectName string is in following format: TYPE:VALUE 1173189251Ssam# Example: EMAIL:server@example.com 1174189251Ssam# Example: DNS:server.example.com;DNS:server2.example.com 1175189251Ssam# Following types are supported: EMAIL, DNS, URI 1176281806Srpaulo# domain_suffix_match: Constraint for server domain name. If set, this FQDN is 1177337817Scy# used as a suffix match requirement for the AAA server certificate in 1178281806Srpaulo# SubjectAltName dNSName element(s). If a matching dNSName is found, this 1179281806Srpaulo# constraint is met. If no dNSName values are present, this constraint is 1180281806Srpaulo# matched against SubjectName CN using same suffix match comparison. 1181281806Srpaulo# 1182281806Srpaulo# Suffix match here means that the host/domain name is compared one label 1183281806Srpaulo# at a time starting from the top-level domain and all the labels in 1184281806Srpaulo# domain_suffix_match shall be included in the certificate. The 1185281806Srpaulo# certificate may include additional sub-level labels in addition to the 1186281806Srpaulo# required labels. 1187281806Srpaulo# 1188346981Scy# More than one match string can be provided by using semicolons to 1189346981Scy# separate the strings (e.g., example.org;example.com). When multiple 1190346981Scy# strings are specified, a match with any one of the values is considered 1191346981Scy# a sufficient match for the certificate, i.e., the conditions are ORed 1192346981Scy# together. 1193346981Scy# 1194281806Srpaulo# For example, domain_suffix_match=example.com would match 1195281806Srpaulo# test.example.com but would not match test-example.com. 1196281806Srpaulo# domain_match: Constraint for server domain name 1197281806Srpaulo# If set, this FQDN is used as a full match requirement for the 1198281806Srpaulo# server certificate in SubjectAltName dNSName element(s). If a 1199281806Srpaulo# matching dNSName is found, this constraint is met. If no dNSName 1200281806Srpaulo# values are present, this constraint is matched against SubjectName CN 1201281806Srpaulo# using same full match comparison. This behavior is similar to 1202281806Srpaulo# domain_suffix_match, but has the requirement of a full match, i.e., 1203281806Srpaulo# no subdomains or wildcard matches are allowed. Case-insensitive 1204281806Srpaulo# comparison is used, so "Example.com" matches "example.com", but would 1205281806Srpaulo# not match "test.Example.com". 1206346981Scy# 1207346981Scy# More than one match string can be provided by using semicolons to 1208346981Scy# separate the strings (e.g., example.org;example.com). When multiple 1209346981Scy# strings are specified, a match with any one of the values is considered 1210346981Scy# a sufficient match for the certificate, i.e., the conditions are ORed 1211346981Scy# together. 1212189251Ssam# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 1213189251Ssam# (string with field-value pairs, e.g., "peapver=0" or 1214189251Ssam# "peapver=1 peaplabel=1") 1215189251Ssam# 'peapver' can be used to force which PEAP version (0 or 1) is used. 1216189251Ssam# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 1217189251Ssam# to be used during key derivation when PEAPv1 or newer. Most existing 1218189251Ssam# PEAPv1 implementation seem to be using the old label, "client EAP 1219189251Ssam# encryption", and wpa_supplicant is now using that as the default value. 1220189251Ssam# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 1221189251Ssam# interoperate with PEAPv1; see eap_testing.txt for more details. 1222189251Ssam# 'peap_outer_success=0' can be used to terminate PEAP authentication on 1223189251Ssam# tunneled EAP-Success. This is required with some RADIUS servers that 1224189251Ssam# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 1225189251Ssam# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 1226189251Ssam# include_tls_length=1 can be used to force wpa_supplicant to include 1227189251Ssam# TLS Message Length field in all TLS messages even if they are not 1228189251Ssam# fragmented. 1229189251Ssam# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 1230189251Ssam# challenges (by default, it accepts 2 or 3) 1231189251Ssam# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 1232189251Ssam# protected result indication. 1233189251Ssam# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 1234189251Ssam# behavior: 1235189251Ssam# * 0 = do not use cryptobinding (default) 1236189251Ssam# * 1 = use cryptobinding if server supports it 1237189251Ssam# * 2 = require cryptobinding 1238189251Ssam# EAP-WSC (WPS) uses following options: pin=<Device Password> or 1239189251Ssam# pbc=1. 1240281806Srpaulo# 1241281806Srpaulo# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be 1242281806Srpaulo# used to configure a mode that allows EAP-Success (and EAP-Failure) 1243281806Srpaulo# without going through authentication step. Some switches use such 1244281806Srpaulo# sequence when forcing the port to be authorized/unauthorized or as a 1245281806Srpaulo# fallback option if the authentication server is unreachable. By default, 1246281806Srpaulo# wpa_supplicant discards such frames to protect against potential attacks 1247281806Srpaulo# by rogue devices, but this option can be used to disable that protection 1248281806Srpaulo# for cases where the server/authenticator does not need to be 1249281806Srpaulo# authenticated. 1250189251Ssam# phase2: Phase2 (inner authentication with TLS tunnel) parameters 1251189251Ssam# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 1252281806Srpaulo# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be 1253281806Srpaulo# used to disable MSCHAPv2 password retry in authentication failure cases. 1254252726Srpaulo# 1255252726Srpaulo# TLS-based methods can use the following parameters to control TLS behavior 1256252726Srpaulo# (these are normally in the phase1 parameter, but can be used also in the 1257252726Srpaulo# phase2 parameter when EAP-TLS is used within the inner tunnel): 1258252726Srpaulo# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the 1259252726Srpaulo# TLS library, these may be disabled by default to enforce stronger 1260252726Srpaulo# security) 1261252726Srpaulo# tls_disable_time_checks=1 - ignore certificate validity time (this requests 1262252726Srpaulo# the TLS library to accept certificates even if they are not currently 1263252726Srpaulo# valid, i.e., have expired or have not yet become valid; this should be 1264252726Srpaulo# used only for testing purposes) 1265252726Srpaulo# tls_disable_session_ticket=1 - disable TLS Session Ticket extension 1266252726Srpaulo# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used 1267252726Srpaulo# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS 1268252726Srpaulo# as a workaround for broken authentication server implementations unless 1269289549Srpaulo# EAP workarounds are disabled with eap_workaround=0. 1270252726Srpaulo# For EAP-FAST, this must be set to 0 (or left unconfigured for the 1271252726Srpaulo# default value to be used automatically). 1272289549Srpaulo# tls_disable_tlsv1_0=1 - disable use of TLSv1.0 1273346981Scy# tls_disable_tlsv1_0=0 - explicitly enable use of TLSv1.0 (this allows 1274346981Scy# systemwide TLS policies to be overridden) 1275281806Srpaulo# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers 1276281806Srpaulo# that have issues interoperating with updated TLS version) 1277346981Scy# tls_disable_tlsv1_1=0 - explicitly enable use of TLSv1.1 (this allows 1278346981Scy# systemwide TLS policies to be overridden) 1279281806Srpaulo# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers 1280281806Srpaulo# that have issues interoperating with updated TLS version) 1281346981Scy# tls_disable_tlsv1_2=0 - explicitly enable use of TLSv1.2 (this allows 1282346981Scy# systemwide TLS policies to be overridden) 1283346981Scy# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers 1284346981Scy# that have issues interoperating with updated TLS version) 1285346981Scy# tls_disable_tlsv1_3=0 - enable TLSv1.3 (experimental - disabled by default) 1286337817Scy# tls_ext_cert_check=0 - No external server certificate validation (default) 1287337817Scy# tls_ext_cert_check=1 - External server certificate validation enabled; this 1288337817Scy# requires an external program doing validation of server certificate 1289337817Scy# chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control 1290337817Scy# interface and report the result of the validation with 1291337817Scy# CTRL-RSP_EXT_CERT_CHECK. 1292346981Scy# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default) 1293346981Scy# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in 1294346981Scy# particular when using Suite B with RSA keys of >= 3K (3072) bits 1295252726Srpaulo# 1296189251Ssam# Following certificate/private key fields are used in inner Phase2 1297189251Ssam# authentication when using EAP-TTLS or EAP-PEAP. 1298189251Ssam# ca_cert2: File path to CA certificate file. This file can have one or more 1299189251Ssam# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 1300189251Ssam# server certificate will not be verified. This is insecure and a trusted 1301189251Ssam# CA certificate should always be configured. 1302189251Ssam# ca_path2: Directory path for CA certificate files (PEM) 1303189251Ssam# client_cert2: File path to client certificate file 1304189251Ssam# private_key2: File path to client private key file 1305189251Ssam# private_key2_passwd: Password for private key file 1306189251Ssam# dh_file2: File path to DH/DSA parameters file (in PEM format) 1307189251Ssam# subject_match2: Substring to be matched against the subject of the 1308281806Srpaulo# authentication server certificate. See subject_match for more details. 1309281806Srpaulo# altsubject_match2: Semicolon separated string of entries to be matched 1310281806Srpaulo# against the alternative subject name of the authentication server 1311281806Srpaulo# certificate. See altsubject_match documentation for more details. 1312281806Srpaulo# domain_suffix_match2: Constraint for server domain name. See 1313281806Srpaulo# domain_suffix_match for more details. 1314189251Ssam# 1315189251Ssam# fragment_size: Maximum EAP fragment size in bytes (default 1398). 1316189251Ssam# This value limits the fragment size for EAP methods that support 1317189251Ssam# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 1318189251Ssam# small enough to make the EAP messages fit in MTU of the network 1319189251Ssam# interface used for EAPOL. The default value is suitable for most 1320189251Ssam# cases. 1321189251Ssam# 1322281806Srpaulo# ocsp: Whether to use/require OCSP to check server certificate 1323281806Srpaulo# 0 = do not use OCSP stapling (TLS certificate status extension) 1324281806Srpaulo# 1 = try to use OCSP stapling, but not require response 1325281806Srpaulo# 2 = require valid OCSP stapling response 1326337817Scy# 3 = require valid OCSP stapling response for all not-trusted 1327337817Scy# certificates in the server certificate chain 1328281806Srpaulo# 1329281806Srpaulo# openssl_ciphers: OpenSSL specific cipher configuration 1330281806Srpaulo# This can be used to override the global openssl_ciphers configuration 1331281806Srpaulo# parameter (see above). 1332281806Srpaulo# 1333281806Srpaulo# erp: Whether EAP Re-authentication Protocol (ERP) is enabled 1334281806Srpaulo# 1335189251Ssam# EAP-FAST variables: 1336189251Ssam# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 1337189251Ssam# to create this file and write updates to it when PAC is being 1338189251Ssam# provisioned or refreshed. Full path to the file should be used since 1339189251Ssam# working directory may change when wpa_supplicant is run in the 1340189251Ssam# background. Alternatively, a named configuration blob can be used by 1341189251Ssam# setting this to blob://<blob name> 1342189251Ssam# phase1: fast_provisioning option can be used to enable in-line provisioning 1343189251Ssam# of EAP-FAST credentials (PAC): 1344189251Ssam# 0 = disabled, 1345189251Ssam# 1 = allow unauthenticated provisioning, 1346189251Ssam# 2 = allow authenticated provisioning, 1347189251Ssam# 3 = allow both unauthenticated and authenticated provisioning 1348189251Ssam# fast_max_pac_list_len=<num> option can be used to set the maximum 1349189251Ssam# number of PAC entries to store in a PAC list (default: 10) 1350189251Ssam# fast_pac_format=binary option can be used to select binary format for 1351189251Ssam# storing PAC entries in order to save some space (the default 1352189251Ssam# text format uses about 2.5 times the size of minimal binary 1353189251Ssam# format) 1354189251Ssam# 1355189251Ssam# wpa_supplicant supports number of "EAP workarounds" to work around 1356189251Ssam# interoperability issues with incorrectly behaving authentication servers. 1357189251Ssam# These are enabled by default because some of the issues are present in large 1358189251Ssam# number of authentication servers. Strict EAP conformance mode can be 1359189251Ssam# configured by disabling workarounds with eap_workaround=0. 1360189251Ssam 1361337817Scy# update_identifier: PPS MO ID 1362337817Scy# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 1363346981Scy# 1364346981Scy# roaming_consortium_selection: Roaming Consortium Selection 1365346981Scy# The matching Roaming Consortium OI that was used to generate this 1366346981Scy# network profile. 1367337817Scy 1368252726Srpaulo# Station inactivity limit 1369252726Srpaulo# 1370252726Srpaulo# If a station does not send anything in ap_max_inactivity seconds, an 1371252726Srpaulo# empty data frame is sent to it in order to verify whether it is 1372252726Srpaulo# still in range. If this frame is not ACKed, the station will be 1373252726Srpaulo# disassociated and then deauthenticated. This feature is used to 1374252726Srpaulo# clear station table of old entries when the STAs move out of the 1375252726Srpaulo# range. 1376252726Srpaulo# 1377252726Srpaulo# The station can associate again with the AP if it is still in range; 1378252726Srpaulo# this inactivity poll is just used as a nicer way of verifying 1379252726Srpaulo# inactivity; i.e., client will not report broken connection because 1380252726Srpaulo# disassociation frame is not sent immediately without first polling 1381252726Srpaulo# the STA with a data frame. 1382252726Srpaulo# default: 300 (i.e., 5 minutes) 1383252726Srpaulo#ap_max_inactivity=300 1384252726Srpaulo 1385252726Srpaulo# DTIM period in Beacon intervals for AP mode (default: 2) 1386252726Srpaulo#dtim_period=2 1387252726Srpaulo 1388281806Srpaulo# Beacon interval (default: 100 TU) 1389281806Srpaulo#beacon_int=100 1390281806Srpaulo 1391337817Scy# WPS in AP mode 1392337817Scy# 0 = WPS enabled and configured (default) 1393337817Scy# 1 = WPS disabled 1394337817Scy#wps_disabled=0 1395337817Scy 1396346981Scy# FILS DH Group 1397346981Scy# 0 = PFS disabled with FILS shared key authentication (default) 1398346981Scy# 1-65535 = DH Group to use for FILS PFS 1399346981Scy#fils_dh_group=0 1400346981Scy 1401281806Srpaulo# MAC address policy 1402281806Srpaulo# 0 = use permanent MAC address 1403281806Srpaulo# 1 = use random MAC address for each ESS connection 1404281806Srpaulo# 2 = like 1, but maintain OUI (with local admin bit set) 1405281806Srpaulo#mac_addr=0 1406281806Srpaulo 1407252726Srpaulo# disable_ht: Whether HT (802.11n) should be disabled. 1408252726Srpaulo# 0 = HT enabled (if AP supports it) 1409252726Srpaulo# 1 = HT disabled 1410252726Srpaulo# 1411252726Srpaulo# disable_ht40: Whether HT-40 (802.11n) should be disabled. 1412252726Srpaulo# 0 = HT-40 enabled (if AP supports it) 1413252726Srpaulo# 1 = HT-40 disabled 1414252726Srpaulo# 1415252726Srpaulo# disable_sgi: Whether SGI (short guard interval) should be disabled. 1416252726Srpaulo# 0 = SGI enabled (if AP supports it) 1417252726Srpaulo# 1 = SGI disabled 1418252726Srpaulo# 1419281806Srpaulo# disable_ldpc: Whether LDPC should be disabled. 1420281806Srpaulo# 0 = LDPC enabled (if AP supports it) 1421281806Srpaulo# 1 = LDPC disabled 1422281806Srpaulo# 1423281806Srpaulo# ht40_intolerant: Whether 40 MHz intolerant should be indicated. 1424281806Srpaulo# 0 = 40 MHz tolerant (default) 1425281806Srpaulo# 1 = 40 MHz intolerant 1426281806Srpaulo# 1427252726Srpaulo# ht_mcs: Configure allowed MCS rates. 1428252726Srpaulo# Parsed as an array of bytes, in base-16 (ascii-hex) 1429252726Srpaulo# ht_mcs="" // Use all available (default) 1430252726Srpaulo# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only 1431252726Srpaulo# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only 1432252726Srpaulo# 1433252726Srpaulo# disable_max_amsdu: Whether MAX_AMSDU should be disabled. 1434252726Srpaulo# -1 = Do not make any changes. 1435252726Srpaulo# 0 = Enable MAX-AMSDU if hardware supports it. 1436252726Srpaulo# 1 = Disable AMSDU 1437252726Srpaulo# 1438281806Srpaulo# ampdu_factor: Maximum A-MPDU Length Exponent 1439281806Srpaulo# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009. 1440281806Srpaulo# 1441252726Srpaulo# ampdu_density: Allow overriding AMPDU density configuration. 1442252726Srpaulo# Treated as hint by the kernel. 1443252726Srpaulo# -1 = Do not make any changes. 1444252726Srpaulo# 0-3 = Set AMPDU density (aka factor) to specified value. 1445346981Scy# 1446346981Scy# tx_stbc: Allow overriding STBC support for TX streams 1447346981Scy# Value: 0-1, see IEEE Std 802.11-2016, 9.4.2.56.2. 1448346981Scy# -1 = Do not make any changes (default) 1449346981Scy# 0 = Set if not supported 1450346981Scy# 1 = Set if supported 1451346981Scy# 1452346981Scy# rx_stbc: Allow overriding STBC support for RX streams 1453346981Scy# Value: 0-3, see IEEE Std 802.11-2016, 9.4.2.56.2. 1454346981Scy# -1 = Do not make any changes (default) 1455346981Scy# 0 = Set if not supported 1456346981Scy# 1 = Set for support of one spatial stream 1457346981Scy# 2 = Set for support of one and two spatial streams 1458346981Scy# 3 = Set for support of one, two and three spatial streams 1459252726Srpaulo 1460281806Srpaulo# disable_vht: Whether VHT should be disabled. 1461281806Srpaulo# 0 = VHT enabled (if AP supports it) 1462281806Srpaulo# 1 = VHT disabled 1463281806Srpaulo# 1464281806Srpaulo# vht_capa: VHT capabilities to set in the override 1465281806Srpaulo# vht_capa_mask: mask of VHT capabilities 1466281806Srpaulo# 1467281806Srpaulo# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 1468281806Srpaulo# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 1469281806Srpaulo# 0: MCS 0-7 1470281806Srpaulo# 1: MCS 0-8 1471281806Srpaulo# 2: MCS 0-9 1472281806Srpaulo# 3: not supported 1473281806Srpaulo 1474346981Scy# multi_ap_backhaul_sta: Multi-AP backhaul STA functionality 1475346981Scy# 0 = normal STA (default) 1476346981Scy# 1 = backhaul STA 1477346981Scy# A backhaul STA sends the Multi-AP IE, fails to associate if the AP does not 1478346981Scy# support Multi-AP, and sets 4-address mode if it does. Thus, the netdev can be 1479346981Scy# added to a bridge to allow forwarding frames over this backhaul link. 1480346981Scy 1481289549Srpaulo##### Fast Session Transfer (FST) support ##################################### 1482289549Srpaulo# 1483289549Srpaulo# The options in this section are only available when the build configuration 1484337817Scy# option CONFIG_FST is set while compiling wpa_supplicant. They allow this 1485337817Scy# interface to be a part of FST setup. 1486289549Srpaulo# 1487289549Srpaulo# FST is the transfer of a session from a channel to another channel, in the 1488289549Srpaulo# same or different frequency bands. 1489289549Srpaulo# 1490337817Scy# For details, see IEEE Std 802.11ad-2012. 1491289549Srpaulo 1492289549Srpaulo# Identifier of an FST Group the interface belongs to. 1493289549Srpaulo#fst_group_id=bond0 1494289549Srpaulo 1495289549Srpaulo# Interface priority within the FST Group. 1496289549Srpaulo# Announcing a higher priority for an interface means declaring it more 1497289549Srpaulo# preferable for FST switch. 1498289549Srpaulo# fst_priority is in 1..255 range with 1 being the lowest priority. 1499289549Srpaulo#fst_priority=100 1500289549Srpaulo 1501289549Srpaulo# Default LLT value for this interface in milliseconds. The value used in case 1502289549Srpaulo# no value provided during session setup. Default is 50 msec. 1503289549Srpaulo# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2 1504289549Srpaulo# Transitioning between states). 1505289549Srpaulo#fst_llt=100 1506289549Srpaulo 1507351611Scy# BSS Transition Management 1508351611Scy# disable_btm - Disable BSS transition management in STA 1509351611Scy# Set to 0 to enable BSS transition management (default behavior) 1510351611Scy# Set to 1 to disable BSS transition management 1511351611Scy#disable_btm=0 1512351611Scy 1513189251Ssam# Example blocks: 1514189251Ssam 1515189251Ssam# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 1516189251Ssamnetwork={ 1517189251Ssam ssid="simple" 1518189251Ssam psk="very secret passphrase" 1519189251Ssam priority=5 1520189251Ssam} 1521189251Ssam 1522189251Ssam# Same as previous, but request SSID-specific scanning (for APs that reject 1523189251Ssam# broadcast SSID) 1524189251Ssamnetwork={ 1525189251Ssam ssid="second ssid" 1526189251Ssam scan_ssid=1 1527189251Ssam psk="very secret passphrase" 1528189251Ssam priority=2 1529189251Ssam} 1530189251Ssam 1531189251Ssam# Only WPA-PSK is used. Any valid cipher combination is accepted. 1532189251Ssamnetwork={ 1533189251Ssam ssid="example" 1534189251Ssam proto=WPA 1535189251Ssam key_mgmt=WPA-PSK 1536189251Ssam pairwise=CCMP TKIP 1537189251Ssam group=CCMP TKIP WEP104 WEP40 1538189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 1539189251Ssam priority=2 1540189251Ssam} 1541189251Ssam 1542189251Ssam# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 1543189251Ssamnetwork={ 1544189251Ssam ssid="example" 1545189251Ssam proto=WPA 1546189251Ssam key_mgmt=WPA-PSK 1547189251Ssam pairwise=TKIP 1548189251Ssam group=TKIP 1549189251Ssam psk="not so secure passphrase" 1550189251Ssam wpa_ptk_rekey=600 1551189251Ssam} 1552189251Ssam 1553189251Ssam# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 1554189251Ssam# or WEP40 as the group cipher will not be accepted. 1555189251Ssamnetwork={ 1556189251Ssam ssid="example" 1557189251Ssam proto=RSN 1558189251Ssam key_mgmt=WPA-EAP 1559189251Ssam pairwise=CCMP TKIP 1560189251Ssam group=CCMP TKIP 1561189251Ssam eap=TLS 1562189251Ssam identity="user@example.com" 1563189251Ssam ca_cert="/etc/cert/ca.pem" 1564189251Ssam client_cert="/etc/cert/user.pem" 1565189251Ssam private_key="/etc/cert/user.prv" 1566189251Ssam private_key_passwd="password" 1567189251Ssam priority=1 1568189251Ssam} 1569189251Ssam 1570189251Ssam# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 1571189251Ssam# (e.g., Radiator) 1572189251Ssamnetwork={ 1573189251Ssam ssid="example" 1574189251Ssam key_mgmt=WPA-EAP 1575189251Ssam eap=PEAP 1576189251Ssam identity="user@example.com" 1577189251Ssam password="foobar" 1578189251Ssam ca_cert="/etc/cert/ca.pem" 1579189251Ssam phase1="peaplabel=1" 1580189251Ssam phase2="auth=MSCHAPV2" 1581189251Ssam priority=10 1582189251Ssam} 1583189251Ssam 1584189251Ssam# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 1585189251Ssam# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 1586189251Ssamnetwork={ 1587189251Ssam ssid="example" 1588189251Ssam key_mgmt=WPA-EAP 1589189251Ssam eap=TTLS 1590189251Ssam identity="user@example.com" 1591189251Ssam anonymous_identity="anonymous@example.com" 1592189251Ssam password="foobar" 1593189251Ssam ca_cert="/etc/cert/ca.pem" 1594189251Ssam priority=2 1595189251Ssam} 1596189251Ssam 1597189251Ssam# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 1598189251Ssam# use. Real identity is sent only within an encrypted TLS tunnel. 1599189251Ssamnetwork={ 1600189251Ssam ssid="example" 1601189251Ssam key_mgmt=WPA-EAP 1602189251Ssam eap=TTLS 1603189251Ssam identity="user@example.com" 1604189251Ssam anonymous_identity="anonymous@example.com" 1605189251Ssam password="foobar" 1606189251Ssam ca_cert="/etc/cert/ca.pem" 1607189251Ssam phase2="auth=MSCHAPV2" 1608189251Ssam} 1609189251Ssam 1610189251Ssam# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 1611189251Ssam# authentication. 1612189251Ssamnetwork={ 1613189251Ssam ssid="example" 1614189251Ssam key_mgmt=WPA-EAP 1615189251Ssam eap=TTLS 1616189251Ssam # Phase1 / outer authentication 1617189251Ssam anonymous_identity="anonymous@example.com" 1618189251Ssam ca_cert="/etc/cert/ca.pem" 1619189251Ssam # Phase 2 / inner authentication 1620189251Ssam phase2="autheap=TLS" 1621189251Ssam ca_cert2="/etc/cert/ca2.pem" 1622189251Ssam client_cert2="/etc/cer/user.pem" 1623189251Ssam private_key2="/etc/cer/user.prv" 1624189251Ssam private_key2_passwd="password" 1625189251Ssam priority=2 1626189251Ssam} 1627189251Ssam 1628189251Ssam# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 1629189251Ssam# group cipher. 1630189251Ssamnetwork={ 1631189251Ssam ssid="example" 1632189251Ssam bssid=00:11:22:33:44:55 1633189251Ssam proto=WPA RSN 1634189251Ssam key_mgmt=WPA-PSK WPA-EAP 1635189251Ssam pairwise=CCMP 1636189251Ssam group=CCMP 1637189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 1638189251Ssam} 1639189251Ssam 1640189251Ssam# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 1641189251Ssam# and all valid ciphers. 1642189251Ssamnetwork={ 1643189251Ssam ssid=00010203 1644189251Ssam psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 1645189251Ssam} 1646189251Ssam 1647189251Ssam 1648189251Ssam# EAP-SIM with a GSM SIM or USIM 1649189251Ssamnetwork={ 1650189251Ssam ssid="eap-sim-test" 1651189251Ssam key_mgmt=WPA-EAP 1652189251Ssam eap=SIM 1653189251Ssam pin="1234" 1654189251Ssam pcsc="" 1655189251Ssam} 1656189251Ssam 1657189251Ssam 1658189251Ssam# EAP-PSK 1659189251Ssamnetwork={ 1660189251Ssam ssid="eap-psk-test" 1661189251Ssam key_mgmt=WPA-EAP 1662189251Ssam eap=PSK 1663189251Ssam anonymous_identity="eap_psk_user" 1664189251Ssam password=06b4be19da289f475aa46a33cb793029 1665189251Ssam identity="eap_psk_user@example.com" 1666189251Ssam} 1667189251Ssam 1668189251Ssam 1669189251Ssam# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 1670189251Ssam# EAP-TLS for authentication and key generation; require both unicast and 1671189251Ssam# broadcast WEP keys. 1672189251Ssamnetwork={ 1673189251Ssam ssid="1x-test" 1674189251Ssam key_mgmt=IEEE8021X 1675189251Ssam eap=TLS 1676189251Ssam identity="user@example.com" 1677189251Ssam ca_cert="/etc/cert/ca.pem" 1678189251Ssam client_cert="/etc/cert/user.pem" 1679189251Ssam private_key="/etc/cert/user.prv" 1680189251Ssam private_key_passwd="password" 1681189251Ssam eapol_flags=3 1682189251Ssam} 1683189251Ssam 1684189251Ssam 1685189251Ssam# LEAP with dynamic WEP keys 1686189251Ssamnetwork={ 1687189251Ssam ssid="leap-example" 1688189251Ssam key_mgmt=IEEE8021X 1689189251Ssam eap=LEAP 1690189251Ssam identity="user" 1691189251Ssam password="foobar" 1692189251Ssam} 1693189251Ssam 1694189251Ssam# EAP-IKEv2 using shared secrets for both server and peer authentication 1695189251Ssamnetwork={ 1696189251Ssam ssid="ikev2-example" 1697189251Ssam key_mgmt=WPA-EAP 1698189251Ssam eap=IKEV2 1699189251Ssam identity="user" 1700189251Ssam password="foobar" 1701189251Ssam} 1702189251Ssam 1703189251Ssam# EAP-FAST with WPA (WPA or WPA2) 1704189251Ssamnetwork={ 1705189251Ssam ssid="eap-fast-test" 1706189251Ssam key_mgmt=WPA-EAP 1707189251Ssam eap=FAST 1708189251Ssam anonymous_identity="FAST-000102030405" 1709189251Ssam identity="username" 1710189251Ssam password="password" 1711189251Ssam phase1="fast_provisioning=1" 1712189251Ssam pac_file="/etc/wpa_supplicant.eap-fast-pac" 1713189251Ssam} 1714189251Ssam 1715189251Ssamnetwork={ 1716189251Ssam ssid="eap-fast-test" 1717189251Ssam key_mgmt=WPA-EAP 1718189251Ssam eap=FAST 1719189251Ssam anonymous_identity="FAST-000102030405" 1720189251Ssam identity="username" 1721189251Ssam password="password" 1722189251Ssam phase1="fast_provisioning=1" 1723189251Ssam pac_file="blob://eap-fast-pac" 1724189251Ssam} 1725189251Ssam 1726189251Ssam# Plaintext connection (no WPA, no IEEE 802.1X) 1727189251Ssamnetwork={ 1728189251Ssam ssid="plaintext-test" 1729189251Ssam key_mgmt=NONE 1730189251Ssam} 1731189251Ssam 1732189251Ssam 1733189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) 1734189251Ssamnetwork={ 1735189251Ssam ssid="static-wep-test" 1736189251Ssam key_mgmt=NONE 1737189251Ssam wep_key0="abcde" 1738189251Ssam wep_key1=0102030405 1739189251Ssam wep_key2="1234567890123" 1740189251Ssam wep_tx_keyidx=0 1741189251Ssam priority=5 1742189251Ssam} 1743189251Ssam 1744189251Ssam 1745189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 1746189251Ssam# IEEE 802.11 authentication 1747189251Ssamnetwork={ 1748189251Ssam ssid="static-wep-test2" 1749189251Ssam key_mgmt=NONE 1750189251Ssam wep_key0="abcde" 1751189251Ssam wep_key1=0102030405 1752189251Ssam wep_key2="1234567890123" 1753189251Ssam wep_tx_keyidx=0 1754189251Ssam priority=5 1755189251Ssam auth_alg=SHARED 1756189251Ssam} 1757189251Ssam 1758189251Ssam 1759281806Srpaulo# IBSS/ad-hoc network with RSN 1760189251Ssamnetwork={ 1761281806Srpaulo ssid="ibss-rsn" 1762281806Srpaulo key_mgmt=WPA-PSK 1763281806Srpaulo proto=RSN 1764281806Srpaulo psk="12345678" 1765281806Srpaulo mode=1 1766281806Srpaulo frequency=2412 1767281806Srpaulo pairwise=CCMP 1768281806Srpaulo group=CCMP 1769281806Srpaulo} 1770281806Srpaulo 1771281806Srpaulo# IBSS/ad-hoc network with WPA-None/TKIP (deprecated) 1772281806Srpaulonetwork={ 1773189251Ssam ssid="test adhoc" 1774189251Ssam mode=1 1775189251Ssam frequency=2412 1776189251Ssam proto=WPA 1777189251Ssam key_mgmt=WPA-NONE 1778189251Ssam pairwise=NONE 1779189251Ssam group=TKIP 1780189251Ssam psk="secret passphrase" 1781189251Ssam} 1782189251Ssam 1783281806Srpaulo# open mesh network 1784281806Srpaulonetwork={ 1785281806Srpaulo ssid="test mesh" 1786281806Srpaulo mode=5 1787281806Srpaulo frequency=2437 1788281806Srpaulo key_mgmt=NONE 1789281806Srpaulo} 1790189251Ssam 1791281806Srpaulo# secure (SAE + AMPE) network 1792281806Srpaulonetwork={ 1793281806Srpaulo ssid="secure mesh" 1794281806Srpaulo mode=5 1795281806Srpaulo frequency=2437 1796281806Srpaulo key_mgmt=SAE 1797281806Srpaulo psk="very secret passphrase" 1798281806Srpaulo} 1799281806Srpaulo 1800281806Srpaulo 1801189251Ssam# Catch all example that allows more or less all configuration modes 1802189251Ssamnetwork={ 1803189251Ssam ssid="example" 1804189251Ssam scan_ssid=1 1805189251Ssam key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 1806189251Ssam pairwise=CCMP TKIP 1807189251Ssam group=CCMP TKIP WEP104 WEP40 1808189251Ssam psk="very secret passphrase" 1809189251Ssam eap=TTLS PEAP TLS 1810189251Ssam identity="user@example.com" 1811189251Ssam password="foobar" 1812189251Ssam ca_cert="/etc/cert/ca.pem" 1813189251Ssam client_cert="/etc/cert/user.pem" 1814189251Ssam private_key="/etc/cert/user.prv" 1815189251Ssam private_key_passwd="password" 1816189251Ssam phase1="peaplabel=0" 1817189251Ssam} 1818189251Ssam 1819189251Ssam# Example of EAP-TLS with smartcard (openssl engine) 1820189251Ssamnetwork={ 1821189251Ssam ssid="example" 1822189251Ssam key_mgmt=WPA-EAP 1823189251Ssam eap=TLS 1824189251Ssam proto=RSN 1825189251Ssam pairwise=CCMP TKIP 1826189251Ssam group=CCMP TKIP 1827189251Ssam identity="user@example.com" 1828189251Ssam ca_cert="/etc/cert/ca.pem" 1829189251Ssam 1830337817Scy # Certificate and/or key identified by PKCS#11 URI (RFC7512) 1831337817Scy client_cert="pkcs11:manufacturer=piv_II;id=%01" 1832337817Scy private_key="pkcs11:manufacturer=piv_II;id=%01" 1833189251Ssam 1834189251Ssam # Optional PIN configuration; this can be left out and PIN will be 1835189251Ssam # asked through the control interface 1836189251Ssam pin="1234" 1837189251Ssam} 1838189251Ssam 1839189251Ssam# Example configuration showing how to use an inlined blob as a CA certificate 1840189251Ssam# data instead of using external file 1841189251Ssamnetwork={ 1842189251Ssam ssid="example" 1843189251Ssam key_mgmt=WPA-EAP 1844189251Ssam eap=TTLS 1845189251Ssam identity="user@example.com" 1846189251Ssam anonymous_identity="anonymous@example.com" 1847189251Ssam password="foobar" 1848189251Ssam ca_cert="blob://exampleblob" 1849189251Ssam priority=20 1850189251Ssam} 1851189251Ssam 1852189251Ssamblob-base64-exampleblob={ 1853189251SsamSGVsbG8gV29ybGQhCg== 1854189251Ssam} 1855189251Ssam 1856189251Ssam 1857189251Ssam# Wildcard match for SSID (plaintext APs only). This example select any 1858189251Ssam# open AP regardless of its SSID. 1859189251Ssamnetwork={ 1860189251Ssam key_mgmt=NONE 1861189251Ssam} 1862281806Srpaulo 1863281806Srpaulo# Example configuration blacklisting two APs - these will be ignored 1864281806Srpaulo# for this network. 1865281806Srpaulonetwork={ 1866281806Srpaulo ssid="example" 1867281806Srpaulo psk="very secret passphrase" 1868281806Srpaulo bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66 1869281806Srpaulo} 1870281806Srpaulo 1871281806Srpaulo# Example configuration limiting AP selection to a specific set of APs; 1872281806Srpaulo# any other AP not matching the masked address will be ignored. 1873281806Srpaulonetwork={ 1874281806Srpaulo ssid="example" 1875281806Srpaulo psk="very secret passphrase" 1876281806Srpaulo bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff 1877281806Srpaulo} 1878281806Srpaulo 1879281806Srpaulo# Example config file that will only scan on channel 36. 1880281806Srpaulofreq_list=5180 1881281806Srpaulonetwork={ 1882281806Srpaulo key_mgmt=NONE 1883281806Srpaulo} 1884281806Srpaulo 1885281806Srpaulo 1886346981Scy# Example configuration using EAP-TTLS for authentication and key 1887346981Scy# generation for MACsec 1888346981Scynetwork={ 1889346981Scy key_mgmt=IEEE8021X 1890346981Scy eap=TTLS 1891346981Scy phase2="auth=PAP" 1892346981Scy anonymous_identity="anonymous@example.com" 1893346981Scy identity="user@example.com" 1894346981Scy password="secretr" 1895346981Scy ca_cert="/etc/cert/ca.pem" 1896346981Scy eapol_flags=0 1897346981Scy macsec_policy=1 1898346981Scy} 1899346981Scy 1900346981Scy# Example configuration for MACsec with preshared key 1901346981Scynetwork={ 1902346981Scy key_mgmt=NONE 1903346981Scy eapol_flags=0 1904346981Scy macsec_policy=1 1905346981Scy mka_cak=0123456789ABCDEF0123456789ABCDEF 1906346981Scy mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435 1907346981Scy mka_priority=128 1908346981Scy} 1909