wpa_supplicant.conf revision 252726
1189251Ssam##### Example wpa_supplicant configuration file ############################### 2189251Ssam# 3189902Sdougb# ***** Please check wpa_supplicant.conf(5) for details on these options ***** 4189902Sdougb# 5189251Ssam# This file describes configuration file format and lists all available option. 6189251Ssam# Please also take a look at simpler configuration examples in 'examples' 7189251Ssam# subdirectory. 8189251Ssam# 9189251Ssam# Empty lines and lines starting with # are ignored 10189251Ssam 11189251Ssam# NOTE! This file may contain password information and should probably be made 12189251Ssam# readable only by root user on multiuser systems. 13189251Ssam 14189251Ssam# Note: All file paths in this configuration file should use full (absolute, 15189251Ssam# not relative to working directory) path in order to allow working directory 16189251Ssam# to be changed. This can happen if wpa_supplicant is run in the background. 17189251Ssam 18189251Ssam# Whether to allow wpa_supplicant to update (overwrite) configuration 19189251Ssam# 20189251Ssam# This option can be used to allow wpa_supplicant to overwrite configuration 21189251Ssam# file whenever configuration is changed (e.g., new network block is added with 22189251Ssam# wpa_cli or wpa_gui, or a password is changed). This is required for 23189251Ssam# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 24189251Ssam# Please note that overwriting configuration file will remove the comments from 25189251Ssam# it. 26189251Ssam#update_config=1 27189251Ssam 28189251Ssam# global configuration (shared by all network blocks) 29189251Ssam# 30189251Ssam# Parameters for the control interface. If this is specified, wpa_supplicant 31189251Ssam# will open a control interface that is available for external programs to 32189251Ssam# manage wpa_supplicant. The meaning of this string depends on which control 33252726Srpaulo# interface mechanism is used. For all cases, the existence of this parameter 34189251Ssam# in configuration is used to determine whether the control interface is 35189251Ssam# enabled. 36189251Ssam# 37189251Ssam# For UNIX domain sockets (default on Linux and BSD): This is a directory that 38189251Ssam# will be created for UNIX domain sockets for listening to requests from 39189251Ssam# external programs (CLI/GUI, etc.) for status information and configuration. 40189251Ssam# The socket file will be named based on the interface name, so multiple 41189251Ssam# wpa_supplicant processes can be run at the same time if more than one 42189251Ssam# interface is used. 43189251Ssam# /var/run/wpa_supplicant is the recommended directory for sockets and by 44189251Ssam# default, wpa_cli will use it when trying to connect with wpa_supplicant. 45189251Ssam# 46189251Ssam# Access control for the control interface can be configured by setting the 47189251Ssam# directory to allow only members of a group to use sockets. This way, it is 48189251Ssam# possible to run wpa_supplicant as root (since it needs to change network 49189251Ssam# configuration and open raw sockets) and still allow GUI/CLI components to be 50189251Ssam# run as non-root users. However, since the control interface can be used to 51189251Ssam# change the network configuration, this access needs to be protected in many 52189251Ssam# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 53189251Ssam# want to allow non-root users to use the control interface, add a new group 54189251Ssam# and change this value to match with that group. Add users that should have 55189251Ssam# control interface access to this group. If this variable is commented out or 56189251Ssam# not included in the configuration file, group will not be changed from the 57189251Ssam# value it got by default when the directory or socket was created. 58189251Ssam# 59189251Ssam# When configuring both the directory and group, use following format: 60189251Ssam# DIR=/var/run/wpa_supplicant GROUP=wheel 61189251Ssam# DIR=/var/run/wpa_supplicant GROUP=0 62189251Ssam# (group can be either group name or gid) 63189251Ssam# 64189251Ssamctrl_interface=/var/run/wpa_supplicant 65189251Ssam 66189251Ssam# IEEE 802.1X/EAPOL version 67189251Ssam# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 68189251Ssam# EAPOL version 2. However, there are many APs that do not handle the new 69189251Ssam# version number correctly (they seem to drop the frames completely). In order 70189251Ssam# to make wpa_supplicant interoperate with these APs, the version number is set 71189251Ssam# to 1 by default. This configuration value can be used to set it to the new 72189251Ssam# version (2). 73189251Ssameapol_version=1 74189251Ssam 75189251Ssam# AP scanning/selection 76189251Ssam# By default, wpa_supplicant requests driver to perform AP scanning and then 77189251Ssam# uses the scan results to select a suitable AP. Another alternative is to 78189251Ssam# allow the driver to take care of AP scanning and selection and use 79189251Ssam# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 80189251Ssam# information from the driver. 81214734Srpaulo# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 82214734Srpaulo# the currently enabled networks are found, a new network (IBSS or AP mode 83214734Srpaulo# operation) may be initialized (if configured) (default) 84189251Ssam# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 85189251Ssam# parameters (e.g., WPA IE generation); this mode can also be used with 86189251Ssam# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 87189251Ssam# APs (i.e., external program needs to control association). This mode must 88189251Ssam# also be used when using wired Ethernet drivers. 89189251Ssam# 2: like 0, but associate with APs using security policy and SSID (but not 90189251Ssam# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 91189251Ssam# enable operation with hidden SSIDs and optimized roaming; in this mode, 92189251Ssam# the network blocks in the configuration file are tried one by one until 93189251Ssam# the driver reports successful association; each network block should have 94189251Ssam# explicit security policy (i.e., only one option in the lists) for 95189251Ssam# key_mgmt, pairwise, group, proto variables 96189902Sdougb# 97189902Sdougb# For use in FreeBSD with the wlan module ap_scan must be set to 1. 98214734Srpaulo# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 99214734Srpaulo# created immediately regardless of scan results. ap_scan=1 mode will first try 100214734Srpaulo# to scan for existing networks and only if no matches with the enabled 101214734Srpaulo# networks are found, a new IBSS or AP mode network is created. 102189251Ssamap_scan=1 103189251Ssam 104189251Ssam# EAP fast re-authentication 105189251Ssam# By default, fast re-authentication is enabled for all EAP methods that 106189251Ssam# support it. This variable can be used to disable fast re-authentication. 107189251Ssam# Normally, there is no need to disable this. 108189251Ssamfast_reauth=1 109189251Ssam 110189251Ssam# OpenSSL Engine support 111189251Ssam# These options can be used to load OpenSSL engines. 112189251Ssam# The two engines that are supported currently are shown below: 113189251Ssam# They are both from the opensc project (http://www.opensc.org/) 114189251Ssam# By default no engines are loaded. 115189251Ssam# make the opensc engine available 116189251Ssam#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 117189251Ssam# make the pkcs11 engine available 118189251Ssam#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 119189251Ssam# configure the path to the pkcs11 module required by the pkcs11 engine 120189251Ssam#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 121189251Ssam 122189251Ssam# Dynamic EAP methods 123189251Ssam# If EAP methods were built dynamically as shared object files, they need to be 124189251Ssam# loaded here before being used in the network blocks. By default, EAP methods 125189251Ssam# are included statically in the build, so these lines are not needed 126189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 127189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 128189251Ssam 129189251Ssam# Driver interface parameters 130189251Ssam# This field can be used to configure arbitrary driver interace parameters. The 131189251Ssam# format is specific to the selected driver interface. This field is not used 132189251Ssam# in most cases. 133189251Ssam#driver_param="field=value" 134189251Ssam 135189251Ssam# Country code 136189251Ssam# The ISO/IEC alpha2 country code for the country in which this device is 137189251Ssam# currently operating. 138189251Ssam#country=US 139189251Ssam 140189251Ssam# Maximum lifetime for PMKSA in seconds; default 43200 141189251Ssam#dot11RSNAConfigPMKLifetime=43200 142189251Ssam# Threshold for reauthentication (percentage of PMK lifetime); default 70 143189251Ssam#dot11RSNAConfigPMKReauthThreshold=70 144189251Ssam# Timeout for security association negotiation in seconds; default 60 145189251Ssam#dot11RSNAConfigSATimeout=60 146189251Ssam 147189251Ssam# Wi-Fi Protected Setup (WPS) parameters 148189251Ssam 149189251Ssam# Universally Unique IDentifier (UUID; see RFC 4122) of the device 150189251Ssam# If not configured, UUID will be generated based on the local MAC address. 151189251Ssam#uuid=12345678-9abc-def0-1234-56789abcdef0 152189251Ssam 153189251Ssam# Device Name 154189251Ssam# User-friendly description of device; up to 32 octets encoded in UTF-8 155189251Ssam#device_name=Wireless Client 156189251Ssam 157189251Ssam# Manufacturer 158189251Ssam# The manufacturer of the device (up to 64 ASCII characters) 159189251Ssam#manufacturer=Company 160189251Ssam 161189251Ssam# Model Name 162189251Ssam# Model of the device (up to 32 ASCII characters) 163189251Ssam#model_name=cmodel 164189251Ssam 165189251Ssam# Model Number 166189251Ssam# Additional device description (up to 32 ASCII characters) 167189251Ssam#model_number=123 168189251Ssam 169189251Ssam# Serial Number 170189251Ssam# Serial number of the device (up to 32 characters) 171189251Ssam#serial_number=12345 172189251Ssam 173189251Ssam# Primary Device Type 174189251Ssam# Used format: <categ>-<OUI>-<subcateg> 175189251Ssam# categ = Category as an integer value 176189251Ssam# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 177189251Ssam# default WPS OUI 178189251Ssam# subcateg = OUI-specific Sub Category as an integer value 179189251Ssam# Examples: 180189251Ssam# 1-0050F204-1 (Computer / PC) 181189251Ssam# 1-0050F204-2 (Computer / Server) 182189251Ssam# 5-0050F204-1 (Storage / NAS) 183189251Ssam# 6-0050F204-1 (Network Infrastructure / AP) 184189251Ssam#device_type=1-0050F204-1 185189251Ssam 186189251Ssam# OS Version 187189251Ssam# 4-octet operating system version number (hex string) 188189251Ssam#os_version=01020300 189189251Ssam 190214734Srpaulo# Config Methods 191214734Srpaulo# List of the supported configuration methods 192214734Srpaulo# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 193252726Srpaulo# nfc_interface push_button keypad virtual_display physical_display 194252726Srpaulo# virtual_push_button physical_push_button 195252726Srpaulo# For WSC 1.0: 196214734Srpaulo#config_methods=label display push_button keypad 197252726Srpaulo# For WSC 2.0: 198252726Srpaulo#config_methods=label virtual_display virtual_push_button keypad 199214734Srpaulo 200189251Ssam# Credential processing 201189251Ssam# 0 = process received credentials internally (default) 202189251Ssam# 1 = do not process received credentials; just pass them over ctrl_iface to 203189251Ssam# external program(s) 204189251Ssam# 2 = process received credentials internally and pass them over ctrl_iface 205189251Ssam# to external program(s) 206189251Ssam#wps_cred_processing=0 207189251Ssam 208252726Srpaulo# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 209252726Srpaulo# The vendor attribute contents to be added in M1 (hex string) 210252726Srpaulo#wps_vendor_ext_m1=000137100100020001 211252726Srpaulo 212252726Srpaulo# NFC password token for WPS 213252726Srpaulo# These parameters can be used to configure a fixed NFC password token for the 214252726Srpaulo# station. This can be generated, e.g., with nfc_pw_token. When these 215252726Srpaulo# parameters are used, the station is assumed to be deployed with a NFC tag 216252726Srpaulo# that includes the matching NFC password token (e.g., written based on the 217252726Srpaulo# NDEF record from nfc_pw_token). 218252726Srpaulo# 219252726Srpaulo#wps_nfc_dev_pw_id: Device Password ID (16..65535) 220252726Srpaulo#wps_nfc_dh_pubkey: Hexdump of DH Public Key 221252726Srpaulo#wps_nfc_dh_privkey: Hexdump of DH Private Key 222252726Srpaulo#wps_nfc_dev_pw: Hexdump of Device Password 223252726Srpaulo 224214734Srpaulo# Maximum number of BSS entries to keep in memory 225214734Srpaulo# Default: 200 226214734Srpaulo# This can be used to limit memory use on the BSS entries (cached scan 227214734Srpaulo# results). A larger value may be needed in environments that have huge number 228214734Srpaulo# of APs when using ap_scan=1 mode. 229214734Srpaulo#bss_max_count=200 230214734Srpaulo 231252726Srpaulo# Automatic scan 232252726Srpaulo# This is an optional set of parameters for automatic scanning 233252726Srpaulo# within an interface in following format: 234252726Srpaulo#autoscan=<autoscan module name>:<module parameters> 235252726Srpaulo#��autoscan is like bgscan but on disconnected or inactive state. 236252726Srpaulo#��For instance, on exponential module parameters would be <base>:<limit> 237252726Srpaulo#autoscan=exponential:3:300 238252726Srpaulo# Which means a delay between scans on a base exponential of 3, 239252726Srpaulo#��up to the limit of 300 seconds (3, 9, 27 ... 300) 240252726Srpaulo#��For periodic module, parameters would be <fixed interval> 241252726Srpaulo#autoscan=periodic:30 242252726Srpaulo#��So a delay of 30 seconds will be applied between each scan 243214734Srpaulo 244214734Srpaulo# filter_ssids - SSID-based scan result filtering 245214734Srpaulo# 0 = do not filter scan results (default) 246214734Srpaulo# 1 = only include configured SSIDs in scan results/BSS table 247214734Srpaulo#filter_ssids=0 248214734Srpaulo 249252726Srpaulo# Password (and passphrase, etc.) backend for external storage 250252726Srpaulo# format: <backend name>[:<optional backend parameters>] 251252726Srpaulo#ext_password_backend=test:pw1=password|pw2=testing 252214734Srpaulo 253252726Srpaulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 254252726Srpaulo# 255252726Srpaulo# This timeout value is used in P2P GO mode to clean up 256252726Srpaulo# inactive stations. 257252726Srpaulo#p2p_go_max_inactivity=300 258252726Srpaulo 259252726Srpaulo# Opportunistic Key Caching (also known as Proactive Key Caching) default 260252726Srpaulo# This parameter can be used to set the default behavior for the 261252726Srpaulo# proactive_key_caching parameter. By default, OKC is disabled unless enabled 262252726Srpaulo# with the global okc=1 parameter or with the per-network 263252726Srpaulo# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 264252726Srpaulo# can be disabled with per-network proactive_key_caching=0 parameter. 265252726Srpaulo#okc=0 266252726Srpaulo 267252726Srpaulo# Protected Management Frames default 268252726Srpaulo# This parameter can be used to set the default behavior for the ieee80211w 269252726Srpaulo# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 270252726Srpaulo# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF 271252726Srpaulo# is enabled/required by default, but can be disabled with the per-network 272252726Srpaulo# ieee80211w parameter. 273252726Srpaulo#pmf=0 274252726Srpaulo 275252726Srpaulo# Interworking (IEEE 802.11u) 276252726Srpaulo 277252726Srpaulo# Enable Interworking 278252726Srpaulo# interworking=1 279252726Srpaulo 280252726Srpaulo# Homogenous ESS identifier 281252726Srpaulo# If this is set, scans will be used to request response only from BSSes 282252726Srpaulo# belonging to the specified Homogeneous ESS. This is used only if interworking 283252726Srpaulo# is enabled. 284252726Srpaulo# hessid=00:11:22:33:44:55 285252726Srpaulo 286252726Srpaulo# Automatic network selection behavior 287252726Srpaulo# 0 = do not automatically go through Interworking network selection 288252726Srpaulo# (i.e., require explicit interworking_select command for this; default) 289252726Srpaulo# 1 = perform Interworking network selection if one or more 290252726Srpaulo# credentials have been configured and scan did not find a 291252726Srpaulo# matching network block 292252726Srpaulo#auto_interworking=0 293252726Srpaulo 294252726Srpaulo# credential block 295252726Srpaulo# 296252726Srpaulo# Each credential used for automatic network selection is configured as a set 297252726Srpaulo# of parameters that are compared to the information advertised by the APs when 298252726Srpaulo# interworking_select and interworking_connect commands are used. 299252726Srpaulo# 300252726Srpaulo# credential fields: 301252726Srpaulo# 302252726Srpaulo# priority: Priority group 303252726Srpaulo# By default, all networks and credentials get the same priority group 304252726Srpaulo# (0). This field can be used to give higher priority for credentials 305252726Srpaulo# (and similarly in struct wpa_ssid for network blocks) to change the 306252726Srpaulo# Interworking automatic networking selection behavior. The matching 307252726Srpaulo# network (based on either an enabled network block or a credential) 308252726Srpaulo# with the highest priority value will be selected. 309252726Srpaulo# 310252726Srpaulo# pcsc: Use PC/SC and SIM/USIM card 311252726Srpaulo# 312252726Srpaulo# realm: Home Realm for Interworking 313252726Srpaulo# 314252726Srpaulo# username: Username for Interworking network selection 315252726Srpaulo# 316252726Srpaulo# password: Password for Interworking network selection 317252726Srpaulo# 318252726Srpaulo# ca_cert: CA certificate for Interworking network selection 319252726Srpaulo# 320252726Srpaulo# client_cert: File path to client certificate file (PEM/DER) 321252726Srpaulo# This field is used with Interworking networking selection for a case 322252726Srpaulo# where client certificate/private key is used for authentication 323252726Srpaulo# (EAP-TLS). Full path to the file should be used since working 324252726Srpaulo# directory may change when wpa_supplicant is run in the background. 325252726Srpaulo# 326252726Srpaulo# Alternatively, a named configuration blob can be used by setting 327252726Srpaulo# this to blob://blob_name. 328252726Srpaulo# 329252726Srpaulo# private_key: File path to client private key file (PEM/DER/PFX) 330252726Srpaulo# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 331252726Srpaulo# commented out. Both the private key and certificate will be read 332252726Srpaulo# from the PKCS#12 file in this case. Full path to the file should be 333252726Srpaulo# used since working directory may change when wpa_supplicant is run 334252726Srpaulo# in the background. 335252726Srpaulo# 336252726Srpaulo# Windows certificate store can be used by leaving client_cert out and 337252726Srpaulo# configuring private_key in one of the following formats: 338252726Srpaulo# 339252726Srpaulo# cert://substring_to_match 340252726Srpaulo# 341252726Srpaulo# hash://certificate_thumbprint_in_hex 342252726Srpaulo# 343252726Srpaulo# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 344252726Srpaulo# 345252726Srpaulo# Note that when running wpa_supplicant as an application, the user 346252726Srpaulo# certificate store (My user account) is used, whereas computer store 347252726Srpaulo# (Computer account) is used when running wpasvc as a service. 348252726Srpaulo# 349252726Srpaulo# Alternatively, a named configuration blob can be used by setting 350252726Srpaulo# this to blob://blob_name. 351252726Srpaulo# 352252726Srpaulo# private_key_passwd: Password for private key file 353252726Srpaulo# 354252726Srpaulo# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 355252726Srpaulo# 356252726Srpaulo# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 357252726Srpaulo# format 358252726Srpaulo# 359252726Srpaulo# domain: Home service provider FQDN 360252726Srpaulo# This is used to compare against the Domain Name List to figure out 361252726Srpaulo# whether the AP is operated by the Home SP. 362252726Srpaulo# 363252726Srpaulo# roaming_consortium: Roaming Consortium OI 364252726Srpaulo# If roaming_consortium_len is non-zero, this field contains the 365252726Srpaulo# Roaming Consortium OI that can be used to determine which access 366252726Srpaulo# points support authentication with this credential. This is an 367252726Srpaulo# alternative to the use of the realm parameter. When using Roaming 368252726Srpaulo# Consortium to match the network, the EAP parameters need to be 369252726Srpaulo# pre-configured with the credential since the NAI Realm information 370252726Srpaulo# may not be available or fetched. 371252726Srpaulo# 372252726Srpaulo# eap: Pre-configured EAP method 373252726Srpaulo# This optional field can be used to specify which EAP method will be 374252726Srpaulo# used with this credential. If not set, the EAP method is selected 375252726Srpaulo# automatically based on ANQP information (e.g., NAI Realm). 376252726Srpaulo# 377252726Srpaulo# phase1: Pre-configure Phase 1 (outer authentication) parameters 378252726Srpaulo# This optional field is used with like the 'eap' parameter. 379252726Srpaulo# 380252726Srpaulo# phase2: Pre-configure Phase 2 (inner authentication) parameters 381252726Srpaulo# This optional field is used with like the 'eap' parameter. 382252726Srpaulo# 383252726Srpaulo# excluded_ssid: Excluded SSID 384252726Srpaulo# This optional field can be used to excluded specific SSID(s) from 385252726Srpaulo# matching with the network. Multiple entries can be used to specify more 386252726Srpaulo# than one SSID. 387252726Srpaulo# 388252726Srpaulo# for example: 389252726Srpaulo# 390252726Srpaulo#cred={ 391252726Srpaulo# realm="example.com" 392252726Srpaulo# username="user@example.com" 393252726Srpaulo# password="password" 394252726Srpaulo# ca_cert="/etc/wpa_supplicant/ca.pem" 395252726Srpaulo# domain="example.com" 396252726Srpaulo#} 397252726Srpaulo# 398252726Srpaulo#cred={ 399252726Srpaulo# imsi="310026-000000000" 400252726Srpaulo# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 401252726Srpaulo#} 402252726Srpaulo# 403252726Srpaulo#cred={ 404252726Srpaulo# realm="example.com" 405252726Srpaulo# username="user" 406252726Srpaulo# password="password" 407252726Srpaulo# ca_cert="/etc/wpa_supplicant/ca.pem" 408252726Srpaulo# domain="example.com" 409252726Srpaulo# roaming_consortium=223344 410252726Srpaulo# eap=TTLS 411252726Srpaulo# phase2="auth=MSCHAPV2" 412252726Srpaulo#} 413252726Srpaulo 414252726Srpaulo# Hotspot 2.0 415252726Srpaulo# hs20=1 416252726Srpaulo 417189251Ssam# network block 418189251Ssam# 419189251Ssam# Each network (usually AP's sharing the same SSID) is configured as a separate 420189251Ssam# block in this configuration file. The network blocks are in preference order 421189251Ssam# (the first match is used). 422189251Ssam# 423189251Ssam# network block fields: 424189251Ssam# 425189251Ssam# disabled: 426189251Ssam# 0 = this network can be used (default) 427189251Ssam# 1 = this network block is disabled (can be enabled through ctrl_iface, 428189251Ssam# e.g., with wpa_cli or wpa_gui) 429189251Ssam# 430189251Ssam# id_str: Network identifier string for external scripts. This value is passed 431189251Ssam# to external action script through wpa_cli as WPA_ID_STR environment 432189251Ssam# variable to make it easier to do network specific configuration. 433189251Ssam# 434252726Srpaulo# ssid: SSID (mandatory); network name in one of the optional formats: 435252726Srpaulo# - an ASCII string with double quotation 436252726Srpaulo# - a hex string (two characters per octet of SSID) 437252726Srpaulo# - a printf-escaped ASCII string P"<escaped string>" 438189251Ssam# 439189251Ssam# scan_ssid: 440189251Ssam# 0 = do not scan this SSID with specific Probe Request frames (default) 441189251Ssam# 1 = scan with SSID-specific Probe Request frames (this can be used to 442189902Sdougb# find APs that hide (do not broadcast) SSID or use multiple SSIDs; 443189251Ssam# this will add latency to scanning, so enable this only when needed) 444189251Ssam# 445189251Ssam# bssid: BSSID (optional); if set, this network block is used only when 446189251Ssam# associating with the AP using the configured BSSID 447189251Ssam# 448189251Ssam# priority: priority group (integer) 449189251Ssam# By default, all networks will get same priority group (0). If some of the 450189251Ssam# networks are more desirable, this field can be used to change the order in 451189251Ssam# which wpa_supplicant goes through the networks when selecting a BSS. The 452189251Ssam# priority groups will be iterated in decreasing priority (i.e., the larger the 453189251Ssam# priority value, the sooner the network is matched against the scan results). 454189251Ssam# Within each priority group, networks will be selected based on security 455189251Ssam# policy, signal strength, etc. 456189251Ssam# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 457189251Ssam# using this priority to select the order for scanning. Instead, they try the 458189902Sdougb# networks in the order that they are listed in the configuration file. 459189251Ssam# 460189251Ssam# mode: IEEE 802.11 operation mode 461189251Ssam# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 462189251Ssam# 1 = IBSS (ad-hoc, peer-to-peer) 463214734Srpaulo# 2 = AP (access point) 464189251Ssam# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 465214734Srpaulo# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires 466214734Srpaulo# following network block options: 467189251Ssam# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 468189251Ssam# both), and psk must also be set. 469189251Ssam# 470189251Ssam# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 471189251Ssam# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 472189251Ssam# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 473189251Ssam# In addition, this value is only used by the station that creates the IBSS. If 474189251Ssam# an IBSS network with the configured SSID is already present, the frequency of 475189251Ssam# the network will be used instead of this configured value. 476189251Ssam# 477214734Srpaulo# scan_freq: List of frequencies to scan 478214734Srpaulo# Space-separated list of frequencies in MHz to scan when searching for this 479214734Srpaulo# BSS. If the subset of channels used by the network is known, this option can 480214734Srpaulo# be used to optimize scanning to not occur on channels that the network does 481214734Srpaulo# not use. Example: scan_freq=2412 2437 2462 482214734Srpaulo# 483214734Srpaulo# freq_list: Array of allowed frequencies 484214734Srpaulo# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 485214734Srpaulo# set, scan results that do not match any of the specified frequencies are not 486214734Srpaulo# considered when selecting a BSS. 487214734Srpaulo# 488252726Srpaulo# bgscan: Background scanning 489252726Srpaulo# wpa_supplicant behavior for background scanning can be specified by 490252726Srpaulo# configuring a bgscan module. These modules are responsible for requesting 491252726Srpaulo# background scans for the purpose of roaming within an ESS (i.e., within a 492252726Srpaulo# single network block with all the APs using the same SSID). The bgscan 493252726Srpaulo# parameter uses following format: "<bgscan module name>:<module parameters>" 494252726Srpaulo# Following bgscan modules are available: 495252726Srpaulo# simple - Periodic background scans based on signal strength 496252726Srpaulo# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 497252726Srpaulo# <long interval>" 498252726Srpaulo# bgscan="simple:30:-45:300" 499252726Srpaulo# learn - Learn channels used by the network and try to avoid bgscans on other 500252726Srpaulo# channels (experimental) 501252726Srpaulo# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 502252726Srpaulo# <long interval>[:<database file name>]" 503252726Srpaulo# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 504252726Srpaulo# 505189251Ssam# proto: list of accepted protocols 506189251Ssam# WPA = WPA/IEEE 802.11i/D3.0 507189251Ssam# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 508189251Ssam# If not set, this defaults to: WPA RSN 509189251Ssam# 510189251Ssam# key_mgmt: list of accepted authenticated key management protocols 511189251Ssam# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 512189251Ssam# WPA-EAP = WPA using EAP authentication 513189251Ssam# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 514189251Ssam# generated WEP keys 515189251Ssam# NONE = WPA is not used; plaintext or static WEP could be used 516189251Ssam# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 517189251Ssam# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 518189251Ssam# If not set, this defaults to: WPA-PSK WPA-EAP 519189251Ssam# 520252726Srpaulo# ieee80211w: whether management frame protection is enabled 521252726Srpaulo# 0 = disabled (default unless changed with the global pmf parameter) 522252726Srpaulo# 1 = optional 523252726Srpaulo# 2 = required 524252726Srpaulo# The most common configuration options for this based on the PMF (protected 525252726Srpaulo# management frames) certification program are: 526252726Srpaulo# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 527252726Srpaulo# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 528252726Srpaulo# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 529252726Srpaulo# 530189251Ssam# auth_alg: list of allowed IEEE 802.11 authentication algorithms 531189251Ssam# OPEN = Open System authentication (required for WPA/WPA2) 532189251Ssam# SHARED = Shared Key authentication (requires static WEP keys) 533189251Ssam# LEAP = LEAP/Network EAP (only used with LEAP) 534189251Ssam# If not set, automatic selection is used (Open System with LEAP enabled if 535189251Ssam# LEAP is allowed as one of the EAP methods). 536189251Ssam# 537189251Ssam# pairwise: list of accepted pairwise (unicast) ciphers for WPA 538189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 539189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 540189251Ssam# NONE = Use only Group Keys (deprecated, should not be included if APs support 541189251Ssam# pairwise keys) 542189251Ssam# If not set, this defaults to: CCMP TKIP 543189251Ssam# 544189251Ssam# group: list of accepted group (broadcast/multicast) ciphers for WPA 545189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 546189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 547189251Ssam# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 548189251Ssam# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 549189251Ssam# If not set, this defaults to: CCMP TKIP WEP104 WEP40 550189251Ssam# 551189251Ssam# psk: WPA preshared key; 256-bit pre-shared key 552189251Ssam# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 553189251Ssam# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 554189251Ssam# generated using the passphrase and SSID). ASCII passphrase must be between 555252726Srpaulo# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can 556252726Srpaulo# be used to indicate that the PSK/passphrase is stored in external storage. 557189251Ssam# This field is not needed, if WPA-EAP is used. 558189251Ssam# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 559189251Ssam# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 560189251Ssam# startup and reconfiguration time can be optimized by generating the PSK only 561189251Ssam# only when the passphrase or SSID has actually changed. 562189251Ssam# 563189251Ssam# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 564189251Ssam# Dynamic WEP key required for non-WPA mode 565189251Ssam# bit0 (1): require dynamically generated unicast WEP key 566189251Ssam# bit1 (2): require dynamically generated broadcast WEP key 567189251Ssam# (3 = require both keys; default) 568189251Ssam# Note: When using wired authentication, eapol_flags must be set to 0 for the 569189251Ssam# authentication to be completed successfully. 570189251Ssam# 571189251Ssam# mixed_cell: This option can be used to configure whether so called mixed 572189251Ssam# cells, i.e., networks that use both plaintext and encryption in the same 573252726Srpaulo# SSID, are allowed when selecting a BSS from scan results. 574189251Ssam# 0 = disabled (default) 575189251Ssam# 1 = enabled 576189251Ssam# 577189251Ssam# proactive_key_caching: 578189251Ssam# Enable/disable opportunistic PMKSA caching for WPA2. 579252726Srpaulo# 0 = disabled (default unless changed with the global okc parameter) 580189251Ssam# 1 = enabled 581189251Ssam# 582189251Ssam# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 583189251Ssam# hex without quotation, e.g., 0102030405) 584189251Ssam# wep_tx_keyidx: Default WEP key index (TX) (0..3) 585189251Ssam# 586189251Ssam# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 587189251Ssam# allowed. This is only used with RSN/WPA2. 588189251Ssam# 0 = disabled (default) 589189251Ssam# 1 = enabled 590189251Ssam#peerkey=1 591189251Ssam# 592189251Ssam# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 593189251Ssam# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 594189251Ssam# 595189251Ssam# Following fields are only used with internal EAP implementation. 596189251Ssam# eap: space-separated list of accepted EAP methods 597189251Ssam# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 598189251Ssam# cannot be used with WPA; to be used as a Phase 2 method 599189251Ssam# with EAP-PEAP or EAP-TTLS) 600189251Ssam# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 601189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 602189251Ssam# OTP = EAP-OTP (cannot be used separately with WPA; to be used 603189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 604189251Ssam# GTC = EAP-GTC (cannot be used separately with WPA; to be used 605189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 606189251Ssam# TLS = EAP-TLS (client and server certificate) 607189251Ssam# PEAP = EAP-PEAP (with tunnelled EAP authentication) 608189251Ssam# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 609189251Ssam# authentication) 610189251Ssam# If not set, all compiled in methods are allowed. 611189251Ssam# 612189251Ssam# identity: Identity string for EAP 613189251Ssam# This field is also used to configure user NAI for 614189251Ssam# EAP-PSK/PAX/SAKE/GPSK. 615189251Ssam# anonymous_identity: Anonymous identity string for EAP (to be used as the 616189251Ssam# unencrypted identity with EAP types that support different tunnelled 617252726Srpaulo# identity, e.g., EAP-TTLS). This field can also be used with 618252726Srpaulo# EAP-SIM/AKA/AKA' to store the pseudonym identity. 619189251Ssam# password: Password string for EAP. This field can include either the 620189251Ssam# plaintext password (using ASCII or hex string) or a NtPasswordHash 621189251Ssam# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 622189251Ssam# NtPasswordHash can only be used when the password is for MSCHAPv2 or 623189251Ssam# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 624189251Ssam# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 625189251Ssam# PSK) is also configured using this field. For EAP-GPSK, this is a 626252726Srpaulo# variable length PSK. ext:<name of external password field> format can 627252726Srpaulo# be used to indicate that the password is stored in external storage. 628189251Ssam# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 629189251Ssam# or more trusted CA certificates. If ca_cert and ca_path are not 630189251Ssam# included, server certificate will not be verified. This is insecure and 631189251Ssam# a trusted CA certificate should always be configured when using 632189251Ssam# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 633189251Ssam# change when wpa_supplicant is run in the background. 634214734Srpaulo# 635214734Srpaulo# Alternatively, this can be used to only perform matching of the server 636214734Srpaulo# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 637214734Srpaulo# this case, the possible CA certificates in the server certificate chain 638214734Srpaulo# are ignored and only the server certificate is verified. This is 639214734Srpaulo# configured with the following format: 640214734Srpaulo# hash:://server/sha256/cert_hash_in_hex 641214734Srpaulo# For example: "hash://server/sha256/ 642214734Srpaulo# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 643214734Srpaulo# 644189251Ssam# On Windows, trusted CA certificates can be loaded from the system 645189251Ssam# certificate store by setting this to cert_store://<name>, e.g., 646189251Ssam# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 647189251Ssam# Note that when running wpa_supplicant as an application, the user 648189251Ssam# certificate store (My user account) is used, whereas computer store 649189251Ssam# (Computer account) is used when running wpasvc as a service. 650189251Ssam# ca_path: Directory path for CA certificate files (PEM). This path may 651189251Ssam# contain multiple CA certificates in OpenSSL format. Common use for this 652189251Ssam# is to point to system trusted CA list which is often installed into 653189251Ssam# directory like /etc/ssl/certs. If configured, these certificates are 654189251Ssam# added to the list of trusted CAs. ca_cert may also be included in that 655189251Ssam# case, but it is not required. 656189251Ssam# client_cert: File path to client certificate file (PEM/DER) 657189251Ssam# Full path should be used since working directory may change when 658189251Ssam# wpa_supplicant is run in the background. 659189251Ssam# Alternatively, a named configuration blob can be used by setting this 660189251Ssam# to blob://<blob name>. 661189251Ssam# private_key: File path to client private key file (PEM/DER/PFX) 662189251Ssam# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 663189251Ssam# commented out. Both the private key and certificate will be read from 664189251Ssam# the PKCS#12 file in this case. Full path should be used since working 665189251Ssam# directory may change when wpa_supplicant is run in the background. 666189251Ssam# Windows certificate store can be used by leaving client_cert out and 667189251Ssam# configuring private_key in one of the following formats: 668189251Ssam# cert://substring_to_match 669189251Ssam# hash://certificate_thumbprint_in_hex 670189251Ssam# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 671189251Ssam# Note that when running wpa_supplicant as an application, the user 672189251Ssam# certificate store (My user account) is used, whereas computer store 673189251Ssam# (Computer account) is used when running wpasvc as a service. 674189251Ssam# Alternatively, a named configuration blob can be used by setting this 675189251Ssam# to blob://<blob name>. 676189251Ssam# private_key_passwd: Password for private key file (if left out, this will be 677189251Ssam# asked through control interface) 678189251Ssam# dh_file: File path to DH/DSA parameters file (in PEM format) 679189251Ssam# This is an optional configuration file for setting parameters for an 680189251Ssam# ephemeral DH key exchange. In most cases, the default RSA 681189251Ssam# authentication does not use this configuration. However, it is possible 682189251Ssam# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 683189251Ssam# DSA keys always use ephemeral DH keys. This can be used to achieve 684189251Ssam# forward secrecy. If the file is in DSA parameters format, it will be 685189251Ssam# automatically converted into DH params. 686189251Ssam# subject_match: Substring to be matched against the subject of the 687189251Ssam# authentication server certificate. If this string is set, the server 688189251Ssam# sertificate is only accepted if it contains this string in the subject. 689189251Ssam# The subject string is in following format: 690189251Ssam# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 691189251Ssam# altsubject_match: Semicolon separated string of entries to be matched against 692189251Ssam# the alternative subject name of the authentication server certificate. 693189251Ssam# If this string is set, the server sertificate is only accepted if it 694189251Ssam# contains one of the entries in an alternative subject name extension. 695189251Ssam# altSubjectName string is in following format: TYPE:VALUE 696189251Ssam# Example: EMAIL:server@example.com 697189251Ssam# Example: DNS:server.example.com;DNS:server2.example.com 698189251Ssam# Following types are supported: EMAIL, DNS, URI 699189251Ssam# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 700189251Ssam# (string with field-value pairs, e.g., "peapver=0" or 701189251Ssam# "peapver=1 peaplabel=1") 702189251Ssam# 'peapver' can be used to force which PEAP version (0 or 1) is used. 703189251Ssam# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 704189251Ssam# to be used during key derivation when PEAPv1 or newer. Most existing 705189251Ssam# PEAPv1 implementation seem to be using the old label, "client EAP 706189251Ssam# encryption", and wpa_supplicant is now using that as the default value. 707189251Ssam# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 708189251Ssam# interoperate with PEAPv1; see eap_testing.txt for more details. 709189251Ssam# 'peap_outer_success=0' can be used to terminate PEAP authentication on 710189251Ssam# tunneled EAP-Success. This is required with some RADIUS servers that 711189251Ssam# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 712189251Ssam# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 713189251Ssam# include_tls_length=1 can be used to force wpa_supplicant to include 714189251Ssam# TLS Message Length field in all TLS messages even if they are not 715189251Ssam# fragmented. 716189251Ssam# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 717189251Ssam# challenges (by default, it accepts 2 or 3) 718189251Ssam# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 719189251Ssam# protected result indication. 720189251Ssam# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 721189251Ssam# behavior: 722189251Ssam# * 0 = do not use cryptobinding (default) 723189251Ssam# * 1 = use cryptobinding if server supports it 724189251Ssam# * 2 = require cryptobinding 725189251Ssam# EAP-WSC (WPS) uses following options: pin=<Device Password> or 726189251Ssam# pbc=1. 727189251Ssam# phase2: Phase2 (inner authentication with TLS tunnel) parameters 728189251Ssam# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 729189251Ssam# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 730252726Srpaulo# 731252726Srpaulo# TLS-based methods can use the following parameters to control TLS behavior 732252726Srpaulo# (these are normally in the phase1 parameter, but can be used also in the 733252726Srpaulo# phase2 parameter when EAP-TLS is used within the inner tunnel): 734252726Srpaulo# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the 735252726Srpaulo# TLS library, these may be disabled by default to enforce stronger 736252726Srpaulo# security) 737252726Srpaulo# tls_disable_time_checks=1 - ignore certificate validity time (this requests 738252726Srpaulo# the TLS library to accept certificates even if they are not currently 739252726Srpaulo# valid, i.e., have expired or have not yet become valid; this should be 740252726Srpaulo# used only for testing purposes) 741252726Srpaulo# tls_disable_session_ticket=1 - disable TLS Session Ticket extension 742252726Srpaulo# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used 743252726Srpaulo# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS 744252726Srpaulo# as a workaround for broken authentication server implementations unless 745252726Srpaulo# EAP workarounds are disabled with eap_workarounds=0. 746252726Srpaulo# For EAP-FAST, this must be set to 0 (or left unconfigured for the 747252726Srpaulo# default value to be used automatically). 748252726Srpaulo# 749189251Ssam# Following certificate/private key fields are used in inner Phase2 750189251Ssam# authentication when using EAP-TTLS or EAP-PEAP. 751189251Ssam# ca_cert2: File path to CA certificate file. This file can have one or more 752189251Ssam# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 753189251Ssam# server certificate will not be verified. This is insecure and a trusted 754189251Ssam# CA certificate should always be configured. 755189251Ssam# ca_path2: Directory path for CA certificate files (PEM) 756189251Ssam# client_cert2: File path to client certificate file 757189251Ssam# private_key2: File path to client private key file 758189251Ssam# private_key2_passwd: Password for private key file 759189251Ssam# dh_file2: File path to DH/DSA parameters file (in PEM format) 760189251Ssam# subject_match2: Substring to be matched against the subject of the 761189251Ssam# authentication server certificate. 762189251Ssam# altsubject_match2: Substring to be matched against the alternative subject 763189251Ssam# name of the authentication server certificate. 764189251Ssam# 765189251Ssam# fragment_size: Maximum EAP fragment size in bytes (default 1398). 766189251Ssam# This value limits the fragment size for EAP methods that support 767189251Ssam# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 768189251Ssam# small enough to make the EAP messages fit in MTU of the network 769189251Ssam# interface used for EAPOL. The default value is suitable for most 770189251Ssam# cases. 771189251Ssam# 772189251Ssam# EAP-FAST variables: 773189251Ssam# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 774189251Ssam# to create this file and write updates to it when PAC is being 775189251Ssam# provisioned or refreshed. Full path to the file should be used since 776189251Ssam# working directory may change when wpa_supplicant is run in the 777189251Ssam# background. Alternatively, a named configuration blob can be used by 778189251Ssam# setting this to blob://<blob name> 779189251Ssam# phase1: fast_provisioning option can be used to enable in-line provisioning 780189251Ssam# of EAP-FAST credentials (PAC): 781189251Ssam# 0 = disabled, 782189251Ssam# 1 = allow unauthenticated provisioning, 783189251Ssam# 2 = allow authenticated provisioning, 784189251Ssam# 3 = allow both unauthenticated and authenticated provisioning 785189251Ssam# fast_max_pac_list_len=<num> option can be used to set the maximum 786189251Ssam# number of PAC entries to store in a PAC list (default: 10) 787189251Ssam# fast_pac_format=binary option can be used to select binary format for 788189251Ssam# storing PAC entries in order to save some space (the default 789189251Ssam# text format uses about 2.5 times the size of minimal binary 790189251Ssam# format) 791189251Ssam# 792189251Ssam# wpa_supplicant supports number of "EAP workarounds" to work around 793189251Ssam# interoperability issues with incorrectly behaving authentication servers. 794189251Ssam# These are enabled by default because some of the issues are present in large 795189251Ssam# number of authentication servers. Strict EAP conformance mode can be 796189251Ssam# configured by disabling workarounds with eap_workaround=0. 797189251Ssam 798252726Srpaulo# Station inactivity limit 799252726Srpaulo# 800252726Srpaulo# If a station does not send anything in ap_max_inactivity seconds, an 801252726Srpaulo# empty data frame is sent to it in order to verify whether it is 802252726Srpaulo# still in range. If this frame is not ACKed, the station will be 803252726Srpaulo# disassociated and then deauthenticated. This feature is used to 804252726Srpaulo# clear station table of old entries when the STAs move out of the 805252726Srpaulo# range. 806252726Srpaulo# 807252726Srpaulo# The station can associate again with the AP if it is still in range; 808252726Srpaulo# this inactivity poll is just used as a nicer way of verifying 809252726Srpaulo# inactivity; i.e., client will not report broken connection because 810252726Srpaulo# disassociation frame is not sent immediately without first polling 811252726Srpaulo# the STA with a data frame. 812252726Srpaulo# default: 300 (i.e., 5 minutes) 813252726Srpaulo#ap_max_inactivity=300 814252726Srpaulo 815252726Srpaulo# DTIM period in Beacon intervals for AP mode (default: 2) 816252726Srpaulo#dtim_period=2 817252726Srpaulo 818252726Srpaulo# disable_ht: Whether HT (802.11n) should be disabled. 819252726Srpaulo# 0 = HT enabled (if AP supports it) 820252726Srpaulo# 1 = HT disabled 821252726Srpaulo# 822252726Srpaulo# disable_ht40: Whether HT-40 (802.11n) should be disabled. 823252726Srpaulo# 0 = HT-40 enabled (if AP supports it) 824252726Srpaulo# 1 = HT-40 disabled 825252726Srpaulo# 826252726Srpaulo# disable_sgi: Whether SGI (short guard interval) should be disabled. 827252726Srpaulo# 0 = SGI enabled (if AP supports it) 828252726Srpaulo# 1 = SGI disabled 829252726Srpaulo# 830252726Srpaulo# ht_mcs: Configure allowed MCS rates. 831252726Srpaulo# Parsed as an array of bytes, in base-16 (ascii-hex) 832252726Srpaulo# ht_mcs="" // Use all available (default) 833252726Srpaulo# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only 834252726Srpaulo# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only 835252726Srpaulo# 836252726Srpaulo# disable_max_amsdu: Whether MAX_AMSDU should be disabled. 837252726Srpaulo# -1 = Do not make any changes. 838252726Srpaulo# 0 = Enable MAX-AMSDU if hardware supports it. 839252726Srpaulo# 1 = Disable AMSDU 840252726Srpaulo# 841252726Srpaulo# ampdu_density: Allow overriding AMPDU density configuration. 842252726Srpaulo# Treated as hint by the kernel. 843252726Srpaulo# -1 = Do not make any changes. 844252726Srpaulo# 0-3 = Set AMPDU density (aka factor) to specified value. 845252726Srpaulo 846189251Ssam# Example blocks: 847189251Ssam 848189251Ssam# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 849189251Ssamnetwork={ 850189251Ssam ssid="simple" 851189251Ssam psk="very secret passphrase" 852189251Ssam priority=5 853189251Ssam} 854189251Ssam 855189251Ssam# Same as previous, but request SSID-specific scanning (for APs that reject 856189251Ssam# broadcast SSID) 857189251Ssamnetwork={ 858189251Ssam ssid="second ssid" 859189251Ssam scan_ssid=1 860189251Ssam psk="very secret passphrase" 861189251Ssam priority=2 862189251Ssam} 863189251Ssam 864189251Ssam# Only WPA-PSK is used. Any valid cipher combination is accepted. 865189251Ssamnetwork={ 866189251Ssam ssid="example" 867189251Ssam proto=WPA 868189251Ssam key_mgmt=WPA-PSK 869189251Ssam pairwise=CCMP TKIP 870189251Ssam group=CCMP TKIP WEP104 WEP40 871189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 872189251Ssam priority=2 873189251Ssam} 874189251Ssam 875189251Ssam# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 876189251Ssamnetwork={ 877189251Ssam ssid="example" 878189251Ssam proto=WPA 879189251Ssam key_mgmt=WPA-PSK 880189251Ssam pairwise=TKIP 881189251Ssam group=TKIP 882189251Ssam psk="not so secure passphrase" 883189251Ssam wpa_ptk_rekey=600 884189251Ssam} 885189251Ssam 886189251Ssam# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 887189251Ssam# or WEP40 as the group cipher will not be accepted. 888189251Ssamnetwork={ 889189251Ssam ssid="example" 890189251Ssam proto=RSN 891189251Ssam key_mgmt=WPA-EAP 892189251Ssam pairwise=CCMP TKIP 893189251Ssam group=CCMP TKIP 894189251Ssam eap=TLS 895189251Ssam identity="user@example.com" 896189251Ssam ca_cert="/etc/cert/ca.pem" 897189251Ssam client_cert="/etc/cert/user.pem" 898189251Ssam private_key="/etc/cert/user.prv" 899189251Ssam private_key_passwd="password" 900189251Ssam priority=1 901189251Ssam} 902189251Ssam 903189251Ssam# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 904189251Ssam# (e.g., Radiator) 905189251Ssamnetwork={ 906189251Ssam ssid="example" 907189251Ssam key_mgmt=WPA-EAP 908189251Ssam eap=PEAP 909189251Ssam identity="user@example.com" 910189251Ssam password="foobar" 911189251Ssam ca_cert="/etc/cert/ca.pem" 912189251Ssam phase1="peaplabel=1" 913189251Ssam phase2="auth=MSCHAPV2" 914189251Ssam priority=10 915189251Ssam} 916189251Ssam 917189251Ssam# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 918189251Ssam# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 919189251Ssamnetwork={ 920189251Ssam ssid="example" 921189251Ssam key_mgmt=WPA-EAP 922189251Ssam eap=TTLS 923189251Ssam identity="user@example.com" 924189251Ssam anonymous_identity="anonymous@example.com" 925189251Ssam password="foobar" 926189251Ssam ca_cert="/etc/cert/ca.pem" 927189251Ssam priority=2 928189251Ssam} 929189251Ssam 930189251Ssam# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 931189251Ssam# use. Real identity is sent only within an encrypted TLS tunnel. 932189251Ssamnetwork={ 933189251Ssam ssid="example" 934189251Ssam key_mgmt=WPA-EAP 935189251Ssam eap=TTLS 936189251Ssam identity="user@example.com" 937189251Ssam anonymous_identity="anonymous@example.com" 938189251Ssam password="foobar" 939189251Ssam ca_cert="/etc/cert/ca.pem" 940189251Ssam phase2="auth=MSCHAPV2" 941189251Ssam} 942189251Ssam 943189251Ssam# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 944189251Ssam# authentication. 945189251Ssamnetwork={ 946189251Ssam ssid="example" 947189251Ssam key_mgmt=WPA-EAP 948189251Ssam eap=TTLS 949189251Ssam # Phase1 / outer authentication 950189251Ssam anonymous_identity="anonymous@example.com" 951189251Ssam ca_cert="/etc/cert/ca.pem" 952189251Ssam # Phase 2 / inner authentication 953189251Ssam phase2="autheap=TLS" 954189251Ssam ca_cert2="/etc/cert/ca2.pem" 955189251Ssam client_cert2="/etc/cer/user.pem" 956189251Ssam private_key2="/etc/cer/user.prv" 957189251Ssam private_key2_passwd="password" 958189251Ssam priority=2 959189251Ssam} 960189251Ssam 961189251Ssam# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 962189251Ssam# group cipher. 963189251Ssamnetwork={ 964189251Ssam ssid="example" 965189251Ssam bssid=00:11:22:33:44:55 966189251Ssam proto=WPA RSN 967189251Ssam key_mgmt=WPA-PSK WPA-EAP 968189251Ssam pairwise=CCMP 969189251Ssam group=CCMP 970189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 971189251Ssam} 972189251Ssam 973189251Ssam# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 974189251Ssam# and all valid ciphers. 975189251Ssamnetwork={ 976189251Ssam ssid=00010203 977189251Ssam psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 978189251Ssam} 979189251Ssam 980189251Ssam 981189251Ssam# EAP-SIM with a GSM SIM or USIM 982189251Ssamnetwork={ 983189251Ssam ssid="eap-sim-test" 984189251Ssam key_mgmt=WPA-EAP 985189251Ssam eap=SIM 986189251Ssam pin="1234" 987189251Ssam pcsc="" 988189251Ssam} 989189251Ssam 990189251Ssam 991189251Ssam# EAP-PSK 992189251Ssamnetwork={ 993189251Ssam ssid="eap-psk-test" 994189251Ssam key_mgmt=WPA-EAP 995189251Ssam eap=PSK 996189251Ssam anonymous_identity="eap_psk_user" 997189251Ssam password=06b4be19da289f475aa46a33cb793029 998189251Ssam identity="eap_psk_user@example.com" 999189251Ssam} 1000189251Ssam 1001189251Ssam 1002189251Ssam# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 1003189251Ssam# EAP-TLS for authentication and key generation; require both unicast and 1004189251Ssam# broadcast WEP keys. 1005189251Ssamnetwork={ 1006189251Ssam ssid="1x-test" 1007189251Ssam key_mgmt=IEEE8021X 1008189251Ssam eap=TLS 1009189251Ssam identity="user@example.com" 1010189251Ssam ca_cert="/etc/cert/ca.pem" 1011189251Ssam client_cert="/etc/cert/user.pem" 1012189251Ssam private_key="/etc/cert/user.prv" 1013189251Ssam private_key_passwd="password" 1014189251Ssam eapol_flags=3 1015189251Ssam} 1016189251Ssam 1017189251Ssam 1018189251Ssam# LEAP with dynamic WEP keys 1019189251Ssamnetwork={ 1020189251Ssam ssid="leap-example" 1021189251Ssam key_mgmt=IEEE8021X 1022189251Ssam eap=LEAP 1023189251Ssam identity="user" 1024189251Ssam password="foobar" 1025189251Ssam} 1026189251Ssam 1027189251Ssam# EAP-IKEv2 using shared secrets for both server and peer authentication 1028189251Ssamnetwork={ 1029189251Ssam ssid="ikev2-example" 1030189251Ssam key_mgmt=WPA-EAP 1031189251Ssam eap=IKEV2 1032189251Ssam identity="user" 1033189251Ssam password="foobar" 1034189251Ssam} 1035189251Ssam 1036189251Ssam# EAP-FAST with WPA (WPA or WPA2) 1037189251Ssamnetwork={ 1038189251Ssam ssid="eap-fast-test" 1039189251Ssam key_mgmt=WPA-EAP 1040189251Ssam eap=FAST 1041189251Ssam anonymous_identity="FAST-000102030405" 1042189251Ssam identity="username" 1043189251Ssam password="password" 1044189251Ssam phase1="fast_provisioning=1" 1045189251Ssam pac_file="/etc/wpa_supplicant.eap-fast-pac" 1046189251Ssam} 1047189251Ssam 1048189251Ssamnetwork={ 1049189251Ssam ssid="eap-fast-test" 1050189251Ssam key_mgmt=WPA-EAP 1051189251Ssam eap=FAST 1052189251Ssam anonymous_identity="FAST-000102030405" 1053189251Ssam identity="username" 1054189251Ssam password="password" 1055189251Ssam phase1="fast_provisioning=1" 1056189251Ssam pac_file="blob://eap-fast-pac" 1057189251Ssam} 1058189251Ssam 1059189251Ssam# Plaintext connection (no WPA, no IEEE 802.1X) 1060189251Ssamnetwork={ 1061189251Ssam ssid="plaintext-test" 1062189251Ssam key_mgmt=NONE 1063189251Ssam} 1064189251Ssam 1065189251Ssam 1066189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) 1067189251Ssamnetwork={ 1068189251Ssam ssid="static-wep-test" 1069189251Ssam key_mgmt=NONE 1070189251Ssam wep_key0="abcde" 1071189251Ssam wep_key1=0102030405 1072189251Ssam wep_key2="1234567890123" 1073189251Ssam wep_tx_keyidx=0 1074189251Ssam priority=5 1075189251Ssam} 1076189251Ssam 1077189251Ssam 1078189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 1079189251Ssam# IEEE 802.11 authentication 1080189251Ssamnetwork={ 1081189251Ssam ssid="static-wep-test2" 1082189251Ssam key_mgmt=NONE 1083189251Ssam wep_key0="abcde" 1084189251Ssam wep_key1=0102030405 1085189251Ssam wep_key2="1234567890123" 1086189251Ssam wep_tx_keyidx=0 1087189251Ssam priority=5 1088189251Ssam auth_alg=SHARED 1089189251Ssam} 1090189251Ssam 1091189251Ssam 1092189251Ssam# IBSS/ad-hoc network with WPA-None/TKIP. 1093189251Ssamnetwork={ 1094189251Ssam ssid="test adhoc" 1095189251Ssam mode=1 1096189251Ssam frequency=2412 1097189251Ssam proto=WPA 1098189251Ssam key_mgmt=WPA-NONE 1099189251Ssam pairwise=NONE 1100189251Ssam group=TKIP 1101189251Ssam psk="secret passphrase" 1102189251Ssam} 1103189251Ssam 1104189251Ssam 1105189251Ssam# Catch all example that allows more or less all configuration modes 1106189251Ssamnetwork={ 1107189251Ssam ssid="example" 1108189251Ssam scan_ssid=1 1109189251Ssam key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 1110189251Ssam pairwise=CCMP TKIP 1111189251Ssam group=CCMP TKIP WEP104 WEP40 1112189251Ssam psk="very secret passphrase" 1113189251Ssam eap=TTLS PEAP TLS 1114189251Ssam identity="user@example.com" 1115189251Ssam password="foobar" 1116189251Ssam ca_cert="/etc/cert/ca.pem" 1117189251Ssam client_cert="/etc/cert/user.pem" 1118189251Ssam private_key="/etc/cert/user.prv" 1119189251Ssam private_key_passwd="password" 1120189251Ssam phase1="peaplabel=0" 1121189251Ssam} 1122189251Ssam 1123189251Ssam# Example of EAP-TLS with smartcard (openssl engine) 1124189251Ssamnetwork={ 1125189251Ssam ssid="example" 1126189251Ssam key_mgmt=WPA-EAP 1127189251Ssam eap=TLS 1128189251Ssam proto=RSN 1129189251Ssam pairwise=CCMP TKIP 1130189251Ssam group=CCMP TKIP 1131189251Ssam identity="user@example.com" 1132189251Ssam ca_cert="/etc/cert/ca.pem" 1133189251Ssam client_cert="/etc/cert/user.pem" 1134189251Ssam 1135189251Ssam engine=1 1136189251Ssam 1137189251Ssam # The engine configured here must be available. Look at 1138189251Ssam # OpenSSL engine support in the global section. 1139189251Ssam # The key available through the engine must be the private key 1140189251Ssam # matching the client certificate configured above. 1141189251Ssam 1142189251Ssam # use the opensc engine 1143189251Ssam #engine_id="opensc" 1144189251Ssam #key_id="45" 1145189251Ssam 1146189251Ssam # use the pkcs11 engine 1147189251Ssam engine_id="pkcs11" 1148189251Ssam key_id="id_45" 1149189251Ssam 1150189251Ssam # Optional PIN configuration; this can be left out and PIN will be 1151189251Ssam # asked through the control interface 1152189251Ssam pin="1234" 1153189251Ssam} 1154189251Ssam 1155189251Ssam# Example configuration showing how to use an inlined blob as a CA certificate 1156189251Ssam# data instead of using external file 1157189251Ssamnetwork={ 1158189251Ssam ssid="example" 1159189251Ssam key_mgmt=WPA-EAP 1160189251Ssam eap=TTLS 1161189251Ssam identity="user@example.com" 1162189251Ssam anonymous_identity="anonymous@example.com" 1163189251Ssam password="foobar" 1164189251Ssam ca_cert="blob://exampleblob" 1165189251Ssam priority=20 1166189251Ssam} 1167189251Ssam 1168189251Ssamblob-base64-exampleblob={ 1169189251SsamSGVsbG8gV29ybGQhCg== 1170189251Ssam} 1171189251Ssam 1172189251Ssam 1173189251Ssam# Wildcard match for SSID (plaintext APs only). This example select any 1174189251Ssam# open AP regardless of its SSID. 1175189251Ssamnetwork={ 1176189251Ssam key_mgmt=NONE 1177189251Ssam} 1178