wpa_supplicant.conf revision 337817
1189251Ssam##### Example wpa_supplicant configuration file ############################### 2189251Ssam# 3189902Sdougb# ***** Please check wpa_supplicant.conf(5) for details on these options ***** 4189902Sdougb# 5189251Ssam# This file describes configuration file format and lists all available option. 6189251Ssam# Please also take a look at simpler configuration examples in 'examples' 7189251Ssam# subdirectory. 8189251Ssam# 9189251Ssam# Empty lines and lines starting with # are ignored 10189251Ssam 11189251Ssam# NOTE! This file may contain password information and should probably be made 12189251Ssam# readable only by root user on multiuser systems. 13189251Ssam 14189251Ssam# Note: All file paths in this configuration file should use full (absolute, 15189251Ssam# not relative to working directory) path in order to allow working directory 16189251Ssam# to be changed. This can happen if wpa_supplicant is run in the background. 17189251Ssam 18189251Ssam# Whether to allow wpa_supplicant to update (overwrite) configuration 19189251Ssam# 20189251Ssam# This option can be used to allow wpa_supplicant to overwrite configuration 21189251Ssam# file whenever configuration is changed (e.g., new network block is added with 22189251Ssam# wpa_cli or wpa_gui, or a password is changed). This is required for 23189251Ssam# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 24189251Ssam# Please note that overwriting configuration file will remove the comments from 25189251Ssam# it. 26189251Ssam#update_config=1 27189251Ssam 28189251Ssam# global configuration (shared by all network blocks) 29189251Ssam# 30189251Ssam# Parameters for the control interface. If this is specified, wpa_supplicant 31189251Ssam# will open a control interface that is available for external programs to 32189251Ssam# manage wpa_supplicant. The meaning of this string depends on which control 33252726Srpaulo# interface mechanism is used. For all cases, the existence of this parameter 34189251Ssam# in configuration is used to determine whether the control interface is 35189251Ssam# enabled. 36189251Ssam# 37189251Ssam# For UNIX domain sockets (default on Linux and BSD): This is a directory that 38189251Ssam# will be created for UNIX domain sockets for listening to requests from 39189251Ssam# external programs (CLI/GUI, etc.) for status information and configuration. 40189251Ssam# The socket file will be named based on the interface name, so multiple 41189251Ssam# wpa_supplicant processes can be run at the same time if more than one 42189251Ssam# interface is used. 43189251Ssam# /var/run/wpa_supplicant is the recommended directory for sockets and by 44189251Ssam# default, wpa_cli will use it when trying to connect with wpa_supplicant. 45189251Ssam# 46189251Ssam# Access control for the control interface can be configured by setting the 47189251Ssam# directory to allow only members of a group to use sockets. This way, it is 48189251Ssam# possible to run wpa_supplicant as root (since it needs to change network 49189251Ssam# configuration and open raw sockets) and still allow GUI/CLI components to be 50189251Ssam# run as non-root users. However, since the control interface can be used to 51189251Ssam# change the network configuration, this access needs to be protected in many 52189251Ssam# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 53189251Ssam# want to allow non-root users to use the control interface, add a new group 54189251Ssam# and change this value to match with that group. Add users that should have 55189251Ssam# control interface access to this group. If this variable is commented out or 56189251Ssam# not included in the configuration file, group will not be changed from the 57189251Ssam# value it got by default when the directory or socket was created. 58189251Ssam# 59189251Ssam# When configuring both the directory and group, use following format: 60189251Ssam# DIR=/var/run/wpa_supplicant GROUP=wheel 61189251Ssam# DIR=/var/run/wpa_supplicant GROUP=0 62189251Ssam# (group can be either group name or gid) 63189251Ssam# 64189251Ssamctrl_interface=/var/run/wpa_supplicant 65189251Ssam 66189251Ssam# IEEE 802.1X/EAPOL version 67189251Ssam# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 68189251Ssam# EAPOL version 2. However, there are many APs that do not handle the new 69189251Ssam# version number correctly (they seem to drop the frames completely). In order 70189251Ssam# to make wpa_supplicant interoperate with these APs, the version number is set 71189251Ssam# to 1 by default. This configuration value can be used to set it to the new 72189251Ssam# version (2). 73281806Srpaulo# Note: When using MACsec, eapol_version shall be set to 3, which is 74281806Srpaulo# defined in IEEE Std 802.1X-2010. 75189251Ssameapol_version=1 76189251Ssam 77189251Ssam# AP scanning/selection 78189251Ssam# By default, wpa_supplicant requests driver to perform AP scanning and then 79189251Ssam# uses the scan results to select a suitable AP. Another alternative is to 80189251Ssam# allow the driver to take care of AP scanning and selection and use 81189251Ssam# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 82189251Ssam# information from the driver. 83214734Srpaulo# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 84214734Srpaulo# the currently enabled networks are found, a new network (IBSS or AP mode 85214734Srpaulo# operation) may be initialized (if configured) (default) 86189251Ssam# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 87189251Ssam# parameters (e.g., WPA IE generation); this mode can also be used with 88189251Ssam# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 89189251Ssam# APs (i.e., external program needs to control association). This mode must 90189251Ssam# also be used when using wired Ethernet drivers. 91281806Srpaulo# Note: macsec_qca driver is one type of Ethernet driver which implements 92281806Srpaulo# macsec feature. 93189251Ssam# 2: like 0, but associate with APs using security policy and SSID (but not 94189251Ssam# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 95189251Ssam# enable operation with hidden SSIDs and optimized roaming; in this mode, 96189251Ssam# the network blocks in the configuration file are tried one by one until 97189251Ssam# the driver reports successful association; each network block should have 98189251Ssam# explicit security policy (i.e., only one option in the lists) for 99189251Ssam# key_mgmt, pairwise, group, proto variables 100189902Sdougb# 101189902Sdougb# For use in FreeBSD with the wlan module ap_scan must be set to 1. 102289549Srpaulo# 103214734Srpaulo# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 104214734Srpaulo# created immediately regardless of scan results. ap_scan=1 mode will first try 105214734Srpaulo# to scan for existing networks and only if no matches with the enabled 106214734Srpaulo# networks are found, a new IBSS or AP mode network is created. 107189251Ssamap_scan=1 108189251Ssam 109337817Scy# Whether to force passive scan for network connection 110337817Scy# 111337817Scy# By default, scans will send out Probe Request frames on channels that allow 112337817Scy# active scanning. This advertise the local station to the world. Normally this 113337817Scy# is fine, but users may wish to do passive scanning where the radio should only 114337817Scy# listen quietly for Beacon frames and not send any Probe Request frames. Actual 115337817Scy# functionality may be driver dependent. 116337817Scy# 117337817Scy# This parameter can be used to force only passive scanning to be used 118337817Scy# for network connection cases. It should be noted that this will slow 119337817Scy# down scan operations and reduce likelihood of finding the AP. In 120337817Scy# addition, some use cases will override this due to functional 121337817Scy# requirements, e.g., for finding an AP that uses hidden SSID 122337817Scy# (scan_ssid=1) or P2P device discovery. 123337817Scy# 124337817Scy# 0: Do normal scans (allow active scans) (default) 125337817Scy# 1: Do passive scans. 126337817Scy#passive_scan=0 127337817Scy 128281806Srpaulo# MPM residency 129281806Srpaulo# By default, wpa_supplicant implements the mesh peering manager (MPM) for an 130281806Srpaulo# open mesh. However, if the driver can implement the MPM, you may set this to 131281806Srpaulo# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is 132281806Srpaulo# always used. 133281806Srpaulo# 0: MPM lives in the driver 134281806Srpaulo# 1: wpa_supplicant provides an MPM which handles peering (default) 135281806Srpaulo#user_mpm=1 136281806Srpaulo 137281806Srpaulo# Maximum number of peer links (0-255; default: 99) 138281806Srpaulo# Maximum number of mesh peering currently maintained by the STA. 139281806Srpaulo#max_peer_links=99 140281806Srpaulo 141281806Srpaulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 142281806Srpaulo# 143281806Srpaulo# This timeout value is used in mesh STA to clean up inactive stations. 144281806Srpaulo#mesh_max_inactivity=300 145281806Srpaulo 146281806Srpaulo# cert_in_cb - Whether to include a peer certificate dump in events 147281806Srpaulo# This controls whether peer certificates for authentication server and 148281806Srpaulo# its certificate chain are included in EAP peer certificate events. This is 149281806Srpaulo# enabled by default. 150281806Srpaulo#cert_in_cb=1 151281806Srpaulo 152189251Ssam# EAP fast re-authentication 153189251Ssam# By default, fast re-authentication is enabled for all EAP methods that 154189251Ssam# support it. This variable can be used to disable fast re-authentication. 155189251Ssam# Normally, there is no need to disable this. 156189251Ssamfast_reauth=1 157189251Ssam 158189251Ssam# OpenSSL Engine support 159337817Scy# These options can be used to load OpenSSL engines in special or legacy 160337817Scy# modes. 161189251Ssam# The two engines that are supported currently are shown below: 162189251Ssam# They are both from the opensc project (http://www.opensc.org/) 163337817Scy# By default the PKCS#11 engine is loaded if the client_cert or 164337817Scy# private_key option appear to be a PKCS#11 URI, and these options 165337817Scy# should not need to be used explicitly. 166189251Ssam# make the opensc engine available 167189251Ssam#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 168189251Ssam# make the pkcs11 engine available 169189251Ssam#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 170189251Ssam# configure the path to the pkcs11 module required by the pkcs11 engine 171189251Ssam#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 172189251Ssam 173281806Srpaulo# OpenSSL cipher string 174281806Srpaulo# 175281806Srpaulo# This is an OpenSSL specific configuration option for configuring the default 176281806Srpaulo# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. 177281806Srpaulo# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation 178281806Srpaulo# on cipher suite configuration. This is applicable only if wpa_supplicant is 179281806Srpaulo# built to use OpenSSL. 180281806Srpaulo#openssl_ciphers=DEFAULT:!EXP:!LOW 181281806Srpaulo 182281806Srpaulo 183189251Ssam# Dynamic EAP methods 184189251Ssam# If EAP methods were built dynamically as shared object files, they need to be 185189251Ssam# loaded here before being used in the network blocks. By default, EAP methods 186189251Ssam# are included statically in the build, so these lines are not needed 187189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 188189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 189189251Ssam 190189251Ssam# Driver interface parameters 191337817Scy# This field can be used to configure arbitrary driver interface parameters. The 192189251Ssam# format is specific to the selected driver interface. This field is not used 193189251Ssam# in most cases. 194189251Ssam#driver_param="field=value" 195189251Ssam 196189251Ssam# Country code 197189251Ssam# The ISO/IEC alpha2 country code for the country in which this device is 198189251Ssam# currently operating. 199189251Ssam#country=US 200189251Ssam 201189251Ssam# Maximum lifetime for PMKSA in seconds; default 43200 202189251Ssam#dot11RSNAConfigPMKLifetime=43200 203189251Ssam# Threshold for reauthentication (percentage of PMK lifetime); default 70 204189251Ssam#dot11RSNAConfigPMKReauthThreshold=70 205189251Ssam# Timeout for security association negotiation in seconds; default 60 206189251Ssam#dot11RSNAConfigSATimeout=60 207189251Ssam 208189251Ssam# Wi-Fi Protected Setup (WPS) parameters 209189251Ssam 210189251Ssam# Universally Unique IDentifier (UUID; see RFC 4122) of the device 211189251Ssam# If not configured, UUID will be generated based on the local MAC address. 212189251Ssam#uuid=12345678-9abc-def0-1234-56789abcdef0 213189251Ssam 214189251Ssam# Device Name 215189251Ssam# User-friendly description of device; up to 32 octets encoded in UTF-8 216189251Ssam#device_name=Wireless Client 217189251Ssam 218189251Ssam# Manufacturer 219189251Ssam# The manufacturer of the device (up to 64 ASCII characters) 220189251Ssam#manufacturer=Company 221189251Ssam 222189251Ssam# Model Name 223189251Ssam# Model of the device (up to 32 ASCII characters) 224189251Ssam#model_name=cmodel 225189251Ssam 226189251Ssam# Model Number 227189251Ssam# Additional device description (up to 32 ASCII characters) 228189251Ssam#model_number=123 229189251Ssam 230189251Ssam# Serial Number 231189251Ssam# Serial number of the device (up to 32 characters) 232189251Ssam#serial_number=12345 233189251Ssam 234189251Ssam# Primary Device Type 235189251Ssam# Used format: <categ>-<OUI>-<subcateg> 236189251Ssam# categ = Category as an integer value 237189251Ssam# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 238189251Ssam# default WPS OUI 239189251Ssam# subcateg = OUI-specific Sub Category as an integer value 240189251Ssam# Examples: 241189251Ssam# 1-0050F204-1 (Computer / PC) 242189251Ssam# 1-0050F204-2 (Computer / Server) 243189251Ssam# 5-0050F204-1 (Storage / NAS) 244189251Ssam# 6-0050F204-1 (Network Infrastructure / AP) 245189251Ssam#device_type=1-0050F204-1 246189251Ssam 247189251Ssam# OS Version 248189251Ssam# 4-octet operating system version number (hex string) 249189251Ssam#os_version=01020300 250189251Ssam 251214734Srpaulo# Config Methods 252214734Srpaulo# List of the supported configuration methods 253214734Srpaulo# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 254252726Srpaulo# nfc_interface push_button keypad virtual_display physical_display 255252726Srpaulo# virtual_push_button physical_push_button 256252726Srpaulo# For WSC 1.0: 257214734Srpaulo#config_methods=label display push_button keypad 258252726Srpaulo# For WSC 2.0: 259252726Srpaulo#config_methods=label virtual_display virtual_push_button keypad 260214734Srpaulo 261189251Ssam# Credential processing 262189251Ssam# 0 = process received credentials internally (default) 263189251Ssam# 1 = do not process received credentials; just pass them over ctrl_iface to 264189251Ssam# external program(s) 265189251Ssam# 2 = process received credentials internally and pass them over ctrl_iface 266189251Ssam# to external program(s) 267189251Ssam#wps_cred_processing=0 268189251Ssam 269252726Srpaulo# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 270252726Srpaulo# The vendor attribute contents to be added in M1 (hex string) 271252726Srpaulo#wps_vendor_ext_m1=000137100100020001 272252726Srpaulo 273252726Srpaulo# NFC password token for WPS 274252726Srpaulo# These parameters can be used to configure a fixed NFC password token for the 275252726Srpaulo# station. This can be generated, e.g., with nfc_pw_token. When these 276252726Srpaulo# parameters are used, the station is assumed to be deployed with a NFC tag 277252726Srpaulo# that includes the matching NFC password token (e.g., written based on the 278252726Srpaulo# NDEF record from nfc_pw_token). 279252726Srpaulo# 280252726Srpaulo#wps_nfc_dev_pw_id: Device Password ID (16..65535) 281252726Srpaulo#wps_nfc_dh_pubkey: Hexdump of DH Public Key 282252726Srpaulo#wps_nfc_dh_privkey: Hexdump of DH Private Key 283252726Srpaulo#wps_nfc_dev_pw: Hexdump of Device Password 284252726Srpaulo 285289549Srpaulo# Priority for the networks added through WPS 286289549Srpaulo# This priority value will be set to each network profile that is added 287289549Srpaulo# by executing the WPS protocol. 288289549Srpaulo#wps_priority=0 289289549Srpaulo 290214734Srpaulo# Maximum number of BSS entries to keep in memory 291214734Srpaulo# Default: 200 292214734Srpaulo# This can be used to limit memory use on the BSS entries (cached scan 293214734Srpaulo# results). A larger value may be needed in environments that have huge number 294214734Srpaulo# of APs when using ap_scan=1 mode. 295214734Srpaulo#bss_max_count=200 296214734Srpaulo 297252726Srpaulo# Automatic scan 298252726Srpaulo# This is an optional set of parameters for automatic scanning 299252726Srpaulo# within an interface in following format: 300252726Srpaulo#autoscan=<autoscan module name>:<module parameters> 301281806Srpaulo# autoscan is like bgscan but on disconnected or inactive state. 302281806Srpaulo# For instance, on exponential module parameters would be <base>:<limit> 303252726Srpaulo#autoscan=exponential:3:300 304252726Srpaulo# Which means a delay between scans on a base exponential of 3, 305281806Srpaulo# up to the limit of 300 seconds (3, 9, 27 ... 300) 306281806Srpaulo# For periodic module, parameters would be <fixed interval> 307252726Srpaulo#autoscan=periodic:30 308337817Scy# So a delay of 30 seconds will be applied between each scan. 309337817Scy# Note: If sched_scan_plans are configured and supported by the driver, 310337817Scy# autoscan is ignored. 311214734Srpaulo 312214734Srpaulo# filter_ssids - SSID-based scan result filtering 313214734Srpaulo# 0 = do not filter scan results (default) 314214734Srpaulo# 1 = only include configured SSIDs in scan results/BSS table 315214734Srpaulo#filter_ssids=0 316214734Srpaulo 317252726Srpaulo# Password (and passphrase, etc.) backend for external storage 318252726Srpaulo# format: <backend name>[:<optional backend parameters>] 319252726Srpaulo#ext_password_backend=test:pw1=password|pw2=testing 320214734Srpaulo 321289549Srpaulo 322289549Srpaulo# Disable P2P functionality 323289549Srpaulo# p2p_disabled=1 324289549Srpaulo 325252726Srpaulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 326252726Srpaulo# 327252726Srpaulo# This timeout value is used in P2P GO mode to clean up 328252726Srpaulo# inactive stations. 329252726Srpaulo#p2p_go_max_inactivity=300 330252726Srpaulo 331281806Srpaulo# Passphrase length (8..63) for P2P GO 332281806Srpaulo# 333281806Srpaulo# This parameter controls the length of the random passphrase that is 334281806Srpaulo# generated at the GO. Default: 8. 335281806Srpaulo#p2p_passphrase_len=8 336281806Srpaulo 337281806Srpaulo# Extra delay between concurrent P2P search iterations 338281806Srpaulo# 339281806Srpaulo# This value adds extra delay in milliseconds between concurrent search 340281806Srpaulo# iterations to make p2p_find friendlier to concurrent operations by avoiding 341281806Srpaulo# it from taking 100% of radio resources. The default value is 500 ms. 342281806Srpaulo#p2p_search_delay=500 343281806Srpaulo 344252726Srpaulo# Opportunistic Key Caching (also known as Proactive Key Caching) default 345252726Srpaulo# This parameter can be used to set the default behavior for the 346252726Srpaulo# proactive_key_caching parameter. By default, OKC is disabled unless enabled 347252726Srpaulo# with the global okc=1 parameter or with the per-network 348252726Srpaulo# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 349252726Srpaulo# can be disabled with per-network proactive_key_caching=0 parameter. 350252726Srpaulo#okc=0 351252726Srpaulo 352252726Srpaulo# Protected Management Frames default 353252726Srpaulo# This parameter can be used to set the default behavior for the ieee80211w 354337817Scy# parameter for RSN networks. By default, PMF is disabled unless enabled with 355337817Scy# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter. 356337817Scy# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the 357337817Scy# per-network ieee80211w parameter. This global default value does not apply 358337817Scy# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using 359337817Scy# RSN. 360252726Srpaulo#pmf=0 361252726Srpaulo 362281806Srpaulo# Enabled SAE finite cyclic groups in preference order 363281806Srpaulo# By default (if this parameter is not set), the mandatory group 19 (ECC group 364281806Srpaulo# defined over a 256-bit prime order field) is preferred, but other groups are 365281806Srpaulo# also enabled. If this parameter is set, the groups will be tried in the 366281806Srpaulo# indicated order. The group values are listed in the IANA registry: 367281806Srpaulo# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 368281806Srpaulo#sae_groups=21 20 19 26 25 369281806Srpaulo 370281806Srpaulo# Default value for DTIM period (if not overridden in network block) 371281806Srpaulo#dtim_period=2 372281806Srpaulo 373281806Srpaulo# Default value for Beacon interval (if not overridden in network block) 374281806Srpaulo#beacon_int=100 375281806Srpaulo 376281806Srpaulo# Additional vendor specific elements for Beacon and Probe Response frames 377281806Srpaulo# This parameter can be used to add additional vendor specific element(s) into 378281806Srpaulo# the end of the Beacon and Probe Response frames. The format for these 379281806Srpaulo# element(s) is a hexdump of the raw information elements (id+len+payload for 380281806Srpaulo# one or more elements). This is used in AP and P2P GO modes. 381281806Srpaulo#ap_vendor_elements=dd0411223301 382281806Srpaulo 383281806Srpaulo# Ignore scan results older than request 384281806Srpaulo# 385281806Srpaulo# The driver may have a cache of scan results that makes it return 386281806Srpaulo# information that is older than our scan trigger. This parameter can 387281806Srpaulo# be used to configure such old information to be ignored instead of 388281806Srpaulo# allowing it to update the internal BSS table. 389281806Srpaulo#ignore_old_scan_res=0 390281806Srpaulo 391281806Srpaulo# scan_cur_freq: Whether to scan only the current frequency 392281806Srpaulo# 0: Scan all available frequencies. (Default) 393281806Srpaulo# 1: Scan current operating frequency if another VIF on the same radio 394281806Srpaulo# is already associated. 395281806Srpaulo 396281806Srpaulo# MAC address policy default 397281806Srpaulo# 0 = use permanent MAC address 398281806Srpaulo# 1 = use random MAC address for each ESS connection 399281806Srpaulo# 2 = like 1, but maintain OUI (with local admin bit set) 400281806Srpaulo# 401281806Srpaulo# By default, permanent MAC address is used unless policy is changed by 402281806Srpaulo# the per-network mac_addr parameter. Global mac_addr=1 can be used to 403281806Srpaulo# change this default behavior. 404281806Srpaulo#mac_addr=0 405281806Srpaulo 406281806Srpaulo# Lifetime of random MAC address in seconds (default: 60) 407281806Srpaulo#rand_addr_lifetime=60 408281806Srpaulo 409281806Srpaulo# MAC address policy for pre-association operations (scanning, ANQP) 410281806Srpaulo# 0 = use permanent MAC address 411281806Srpaulo# 1 = use random MAC address 412281806Srpaulo# 2 = like 1, but maintain OUI (with local admin bit set) 413281806Srpaulo#preassoc_mac_addr=0 414281806Srpaulo 415252726Srpaulo# Interworking (IEEE 802.11u) 416252726Srpaulo 417252726Srpaulo# Enable Interworking 418252726Srpaulo# interworking=1 419252726Srpaulo 420252726Srpaulo# Homogenous ESS identifier 421252726Srpaulo# If this is set, scans will be used to request response only from BSSes 422252726Srpaulo# belonging to the specified Homogeneous ESS. This is used only if interworking 423252726Srpaulo# is enabled. 424252726Srpaulo# hessid=00:11:22:33:44:55 425252726Srpaulo 426252726Srpaulo# Automatic network selection behavior 427252726Srpaulo# 0 = do not automatically go through Interworking network selection 428252726Srpaulo# (i.e., require explicit interworking_select command for this; default) 429252726Srpaulo# 1 = perform Interworking network selection if one or more 430252726Srpaulo# credentials have been configured and scan did not find a 431252726Srpaulo# matching network block 432252726Srpaulo#auto_interworking=0 433252726Srpaulo 434337817Scy# GAS Address3 field behavior 435337817Scy# 0 = P2P specification (Address3 = AP BSSID); default 436337817Scy# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when 437337817Scy# sent to not-associated AP; if associated, AP BSSID) 438337817Scy#gas_address3=0 439337817Scy 440337817Scy# Publish fine timing measurement (FTM) responder functionality in 441337817Scy# the Extended Capabilities element bit 70. 442337817Scy# Controls whether FTM responder functionality will be published by AP/STA. 443337817Scy# Note that actual FTM responder operation is managed outside wpa_supplicant. 444337817Scy# 0 = Do not publish; default 445337817Scy# 1 = Publish 446337817Scy#ftm_responder=0 447337817Scy 448337817Scy# Publish fine timing measurement (FTM) initiator functionality in 449337817Scy# the Extended Capabilities element bit 71. 450337817Scy# Controls whether FTM initiator functionality will be published by AP/STA. 451337817Scy# Note that actual FTM initiator operation is managed outside wpa_supplicant. 452337817Scy# 0 = Do not publish; default 453337817Scy# 1 = Publish 454337817Scy#ftm_initiator=0 455337817Scy 456252726Srpaulo# credential block 457252726Srpaulo# 458252726Srpaulo# Each credential used for automatic network selection is configured as a set 459252726Srpaulo# of parameters that are compared to the information advertised by the APs when 460252726Srpaulo# interworking_select and interworking_connect commands are used. 461252726Srpaulo# 462252726Srpaulo# credential fields: 463252726Srpaulo# 464281806Srpaulo# temporary: Whether this credential is temporary and not to be saved 465281806Srpaulo# 466252726Srpaulo# priority: Priority group 467252726Srpaulo# By default, all networks and credentials get the same priority group 468252726Srpaulo# (0). This field can be used to give higher priority for credentials 469252726Srpaulo# (and similarly in struct wpa_ssid for network blocks) to change the 470252726Srpaulo# Interworking automatic networking selection behavior. The matching 471252726Srpaulo# network (based on either an enabled network block or a credential) 472252726Srpaulo# with the highest priority value will be selected. 473252726Srpaulo# 474252726Srpaulo# pcsc: Use PC/SC and SIM/USIM card 475252726Srpaulo# 476252726Srpaulo# realm: Home Realm for Interworking 477252726Srpaulo# 478252726Srpaulo# username: Username for Interworking network selection 479252726Srpaulo# 480252726Srpaulo# password: Password for Interworking network selection 481252726Srpaulo# 482252726Srpaulo# ca_cert: CA certificate for Interworking network selection 483252726Srpaulo# 484252726Srpaulo# client_cert: File path to client certificate file (PEM/DER) 485252726Srpaulo# This field is used with Interworking networking selection for a case 486252726Srpaulo# where client certificate/private key is used for authentication 487252726Srpaulo# (EAP-TLS). Full path to the file should be used since working 488252726Srpaulo# directory may change when wpa_supplicant is run in the background. 489252726Srpaulo# 490337817Scy# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI. 491337817Scy# 492337817Scy# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" 493337817Scy# 494252726Srpaulo# Alternatively, a named configuration blob can be used by setting 495252726Srpaulo# this to blob://blob_name. 496252726Srpaulo# 497252726Srpaulo# private_key: File path to client private key file (PEM/DER/PFX) 498252726Srpaulo# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 499252726Srpaulo# commented out. Both the private key and certificate will be read 500252726Srpaulo# from the PKCS#12 file in this case. Full path to the file should be 501252726Srpaulo# used since working directory may change when wpa_supplicant is run 502252726Srpaulo# in the background. 503252726Srpaulo# 504337817Scy# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI. 505337817Scy# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" 506337817Scy# 507252726Srpaulo# Windows certificate store can be used by leaving client_cert out and 508252726Srpaulo# configuring private_key in one of the following formats: 509252726Srpaulo# 510252726Srpaulo# cert://substring_to_match 511252726Srpaulo# 512252726Srpaulo# hash://certificate_thumbprint_in_hex 513252726Srpaulo# 514252726Srpaulo# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 515252726Srpaulo# 516252726Srpaulo# Note that when running wpa_supplicant as an application, the user 517252726Srpaulo# certificate store (My user account) is used, whereas computer store 518252726Srpaulo# (Computer account) is used when running wpasvc as a service. 519252726Srpaulo# 520252726Srpaulo# Alternatively, a named configuration blob can be used by setting 521252726Srpaulo# this to blob://blob_name. 522252726Srpaulo# 523252726Srpaulo# private_key_passwd: Password for private key file 524252726Srpaulo# 525252726Srpaulo# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 526252726Srpaulo# 527252726Srpaulo# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 528252726Srpaulo# format 529252726Srpaulo# 530281806Srpaulo# domain: Home service provider FQDN(s) 531252726Srpaulo# This is used to compare against the Domain Name List to figure out 532281806Srpaulo# whether the AP is operated by the Home SP. Multiple domain entries can 533281806Srpaulo# be used to configure alternative FQDNs that will be considered home 534281806Srpaulo# networks. 535252726Srpaulo# 536252726Srpaulo# roaming_consortium: Roaming Consortium OI 537252726Srpaulo# If roaming_consortium_len is non-zero, this field contains the 538252726Srpaulo# Roaming Consortium OI that can be used to determine which access 539252726Srpaulo# points support authentication with this credential. This is an 540252726Srpaulo# alternative to the use of the realm parameter. When using Roaming 541252726Srpaulo# Consortium to match the network, the EAP parameters need to be 542252726Srpaulo# pre-configured with the credential since the NAI Realm information 543252726Srpaulo# may not be available or fetched. 544252726Srpaulo# 545252726Srpaulo# eap: Pre-configured EAP method 546252726Srpaulo# This optional field can be used to specify which EAP method will be 547252726Srpaulo# used with this credential. If not set, the EAP method is selected 548252726Srpaulo# automatically based on ANQP information (e.g., NAI Realm). 549252726Srpaulo# 550252726Srpaulo# phase1: Pre-configure Phase 1 (outer authentication) parameters 551252726Srpaulo# This optional field is used with like the 'eap' parameter. 552252726Srpaulo# 553252726Srpaulo# phase2: Pre-configure Phase 2 (inner authentication) parameters 554252726Srpaulo# This optional field is used with like the 'eap' parameter. 555252726Srpaulo# 556252726Srpaulo# excluded_ssid: Excluded SSID 557252726Srpaulo# This optional field can be used to excluded specific SSID(s) from 558252726Srpaulo# matching with the network. Multiple entries can be used to specify more 559252726Srpaulo# than one SSID. 560252726Srpaulo# 561281806Srpaulo# roaming_partner: Roaming partner information 562281806Srpaulo# This optional field can be used to configure preferences between roaming 563281806Srpaulo# partners. The field is a string in following format: 564281806Srpaulo# <FQDN>,<0/1 exact match>,<priority>,<* or country code> 565281806Srpaulo# (non-exact match means any subdomain matches the entry; priority is in 566281806Srpaulo# 0..255 range with 0 being the highest priority) 567281806Srpaulo# 568281806Srpaulo# update_identifier: PPS MO ID 569281806Srpaulo# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 570281806Srpaulo# 571281806Srpaulo# provisioning_sp: FQDN of the SP that provisioned the credential 572281806Srpaulo# This optional field can be used to keep track of the SP that provisioned 573281806Srpaulo# the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>). 574281806Srpaulo# 575281806Srpaulo# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*) 576281806Srpaulo# These fields can be used to specify minimum download/upload backhaul 577281806Srpaulo# bandwidth that is preferred for the credential. This constraint is 578281806Srpaulo# ignored if the AP does not advertise WAN Metrics information or if the 579281806Srpaulo# limit would prevent any connection. Values are in kilobits per second. 580281806Srpaulo# min_dl_bandwidth_home 581281806Srpaulo# min_ul_bandwidth_home 582281806Srpaulo# min_dl_bandwidth_roaming 583281806Srpaulo# min_ul_bandwidth_roaming 584281806Srpaulo# 585281806Srpaulo# max_bss_load: Maximum BSS Load Channel Utilization (1..255) 586281806Srpaulo# (PPS/<X+>/Policy/MaximumBSSLoadValue) 587281806Srpaulo# This value is used as the maximum channel utilization for network 588281806Srpaulo# selection purposes for home networks. If the AP does not advertise 589281806Srpaulo# BSS Load or if the limit would prevent any connection, this constraint 590281806Srpaulo# will be ignored. 591281806Srpaulo# 592281806Srpaulo# req_conn_capab: Required connection capability 593281806Srpaulo# (PPS/<X+>/Policy/RequiredProtoPortTuple) 594281806Srpaulo# This value is used to configure set of required protocol/port pairs that 595281806Srpaulo# a roaming network shall support (include explicitly in Connection 596281806Srpaulo# Capability ANQP element). This constraint is ignored if the AP does not 597281806Srpaulo# advertise Connection Capability or if this constraint would prevent any 598281806Srpaulo# network connection. This policy is not used in home networks. 599281806Srpaulo# Format: <protocol>[:<comma-separated list of ports] 600281806Srpaulo# Multiple entries can be used to list multiple requirements. 601281806Srpaulo# For example, number of common TCP protocols: 602281806Srpaulo# req_conn_capab=6,22,80,443 603281806Srpaulo# For example, IPSec/IKE: 604281806Srpaulo# req_conn_capab=17:500 605281806Srpaulo# req_conn_capab=50 606281806Srpaulo# 607281806Srpaulo# ocsp: Whether to use/require OCSP to check server certificate 608281806Srpaulo# 0 = do not use OCSP stapling (TLS certificate status extension) 609281806Srpaulo# 1 = try to use OCSP stapling, but not require response 610281806Srpaulo# 2 = require valid OCSP stapling response 611337817Scy# 3 = require valid OCSP stapling response for all not-trusted 612337817Scy# certificates in the server certificate chain 613281806Srpaulo# 614281806Srpaulo# sim_num: Identifier for which SIM to use in multi-SIM devices 615281806Srpaulo# 616252726Srpaulo# for example: 617252726Srpaulo# 618252726Srpaulo#cred={ 619252726Srpaulo# realm="example.com" 620252726Srpaulo# username="user@example.com" 621252726Srpaulo# password="password" 622252726Srpaulo# ca_cert="/etc/wpa_supplicant/ca.pem" 623252726Srpaulo# domain="example.com" 624252726Srpaulo#} 625252726Srpaulo# 626252726Srpaulo#cred={ 627252726Srpaulo# imsi="310026-000000000" 628252726Srpaulo# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 629252726Srpaulo#} 630252726Srpaulo# 631252726Srpaulo#cred={ 632252726Srpaulo# realm="example.com" 633252726Srpaulo# username="user" 634252726Srpaulo# password="password" 635252726Srpaulo# ca_cert="/etc/wpa_supplicant/ca.pem" 636252726Srpaulo# domain="example.com" 637252726Srpaulo# roaming_consortium=223344 638252726Srpaulo# eap=TTLS 639252726Srpaulo# phase2="auth=MSCHAPV2" 640252726Srpaulo#} 641252726Srpaulo 642252726Srpaulo# Hotspot 2.0 643252726Srpaulo# hs20=1 644252726Srpaulo 645337817Scy# Scheduled scan plans 646337817Scy# 647337817Scy# A space delimited list of scan plans. Each scan plan specifies the scan 648337817Scy# interval and number of iterations, delimited by a colon. The last scan plan 649337817Scy# will run infinitely and thus must specify only the interval and not the number 650337817Scy# of iterations. 651337817Scy# 652337817Scy# The driver advertises the maximum number of scan plans supported. If more scan 653337817Scy# plans than supported are configured, only the first ones are set (up to the 654337817Scy# maximum supported). The last scan plan that specifies only the interval is 655337817Scy# always set as the last plan. 656337817Scy# 657337817Scy# If the scan interval or the number of iterations for a scan plan exceeds the 658337817Scy# maximum supported, it will be set to the maximum supported value. 659337817Scy# 660337817Scy# Format: 661337817Scy# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval> 662337817Scy# 663337817Scy# Example: 664337817Scy# sched_scan_plans=10:100 20:200 30 665337817Scy 666337817Scy# Multi Band Operation (MBO) non-preferred channels 667337817Scy# A space delimited list of non-preferred channels where each channel is a colon 668337817Scy# delimited list of values. 669337817Scy# Format: 670337817Scy# non_pref_chan=<oper_class>:<chan>:<preference>:<reason> 671337817Scy# Example: 672337817Scy# non_pref_chan="81:5:10:2 81:1:0:2 81:9:0:2" 673337817Scy 674337817Scy# MBO Cellular Data Capabilities 675337817Scy# 1 = Cellular data connection available 676337817Scy# 2 = Cellular data connection not available 677337817Scy# 3 = Not cellular capable (default) 678337817Scy#mbo_cell_capa=3 679337817Scy 680189251Ssam# network block 681189251Ssam# 682189251Ssam# Each network (usually AP's sharing the same SSID) is configured as a separate 683189251Ssam# block in this configuration file. The network blocks are in preference order 684189251Ssam# (the first match is used). 685189251Ssam# 686189251Ssam# network block fields: 687189251Ssam# 688189251Ssam# disabled: 689189251Ssam# 0 = this network can be used (default) 690189251Ssam# 1 = this network block is disabled (can be enabled through ctrl_iface, 691189251Ssam# e.g., with wpa_cli or wpa_gui) 692189251Ssam# 693189251Ssam# id_str: Network identifier string for external scripts. This value is passed 694189251Ssam# to external action script through wpa_cli as WPA_ID_STR environment 695189251Ssam# variable to make it easier to do network specific configuration. 696189251Ssam# 697252726Srpaulo# ssid: SSID (mandatory); network name in one of the optional formats: 698252726Srpaulo# - an ASCII string with double quotation 699252726Srpaulo# - a hex string (two characters per octet of SSID) 700252726Srpaulo# - a printf-escaped ASCII string P"<escaped string>" 701189251Ssam# 702189251Ssam# scan_ssid: 703189251Ssam# 0 = do not scan this SSID with specific Probe Request frames (default) 704189251Ssam# 1 = scan with SSID-specific Probe Request frames (this can be used to 705189902Sdougb# find APs that hide (do not broadcast) SSID or use multiple SSIDs; 706189251Ssam# this will add latency to scanning, so enable this only when needed) 707189251Ssam# 708189251Ssam# bssid: BSSID (optional); if set, this network block is used only when 709189251Ssam# associating with the AP using the configured BSSID 710189251Ssam# 711189251Ssam# priority: priority group (integer) 712189251Ssam# By default, all networks will get same priority group (0). If some of the 713189251Ssam# networks are more desirable, this field can be used to change the order in 714189251Ssam# which wpa_supplicant goes through the networks when selecting a BSS. The 715189251Ssam# priority groups will be iterated in decreasing priority (i.e., the larger the 716189251Ssam# priority value, the sooner the network is matched against the scan results). 717189251Ssam# Within each priority group, networks will be selected based on security 718189251Ssam# policy, signal strength, etc. 719189251Ssam# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 720189251Ssam# using this priority to select the order for scanning. Instead, they try the 721189902Sdougb# networks in the order that they are listed in the configuration file. 722189251Ssam# 723189251Ssam# mode: IEEE 802.11 operation mode 724189251Ssam# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 725189251Ssam# 1 = IBSS (ad-hoc, peer-to-peer) 726214734Srpaulo# 2 = AP (access point) 727281806Srpaulo# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and 728281806Srpaulo# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key 729281806Srpaulo# TKIP/CCMP) is available for backwards compatibility, but its use is 730281806Srpaulo# deprecated. WPA-None requires following network block options: 731189251Ssam# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 732189251Ssam# both), and psk must also be set. 733189251Ssam# 734189251Ssam# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 735189251Ssam# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 736189251Ssam# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 737189251Ssam# In addition, this value is only used by the station that creates the IBSS. If 738189251Ssam# an IBSS network with the configured SSID is already present, the frequency of 739189251Ssam# the network will be used instead of this configured value. 740189251Ssam# 741337817Scy# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only. 742337817Scy# 0 = do not use PBSS 743337817Scy# 1 = use PBSS 744337817Scy# 2 = don't care (not allowed in AP mode) 745337817Scy# Used together with mode configuration. When mode is AP, it means to start a 746337817Scy# PCP instead of a regular AP. When mode is infrastructure it means connect 747337817Scy# to a PCP instead of AP. In this mode you can also specify 2 (don't care) 748337817Scy# which means connect to either PCP or AP. 749337817Scy# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network. 750337817Scy# For more details, see IEEE Std 802.11ad-2012. 751337817Scy# 752214734Srpaulo# scan_freq: List of frequencies to scan 753214734Srpaulo# Space-separated list of frequencies in MHz to scan when searching for this 754214734Srpaulo# BSS. If the subset of channels used by the network is known, this option can 755214734Srpaulo# be used to optimize scanning to not occur on channels that the network does 756214734Srpaulo# not use. Example: scan_freq=2412 2437 2462 757214734Srpaulo# 758214734Srpaulo# freq_list: Array of allowed frequencies 759214734Srpaulo# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 760214734Srpaulo# set, scan results that do not match any of the specified frequencies are not 761214734Srpaulo# considered when selecting a BSS. 762214734Srpaulo# 763281806Srpaulo# This can also be set on the outside of the network block. In this case, 764281806Srpaulo# it limits the frequencies that will be scanned. 765281806Srpaulo# 766252726Srpaulo# bgscan: Background scanning 767252726Srpaulo# wpa_supplicant behavior for background scanning can be specified by 768252726Srpaulo# configuring a bgscan module. These modules are responsible for requesting 769252726Srpaulo# background scans for the purpose of roaming within an ESS (i.e., within a 770252726Srpaulo# single network block with all the APs using the same SSID). The bgscan 771252726Srpaulo# parameter uses following format: "<bgscan module name>:<module parameters>" 772252726Srpaulo# Following bgscan modules are available: 773252726Srpaulo# simple - Periodic background scans based on signal strength 774252726Srpaulo# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 775252726Srpaulo# <long interval>" 776252726Srpaulo# bgscan="simple:30:-45:300" 777252726Srpaulo# learn - Learn channels used by the network and try to avoid bgscans on other 778252726Srpaulo# channels (experimental) 779252726Srpaulo# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 780252726Srpaulo# <long interval>[:<database file name>]" 781252726Srpaulo# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 782281806Srpaulo# Explicitly disable bgscan by setting 783281806Srpaulo# bgscan="" 784252726Srpaulo# 785281806Srpaulo# This option can also be set outside of all network blocks for the bgscan 786281806Srpaulo# parameter to apply for all the networks that have no specific bgscan 787281806Srpaulo# parameter. 788281806Srpaulo# 789189251Ssam# proto: list of accepted protocols 790189251Ssam# WPA = WPA/IEEE 802.11i/D3.0 791189251Ssam# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 792189251Ssam# If not set, this defaults to: WPA RSN 793189251Ssam# 794189251Ssam# key_mgmt: list of accepted authenticated key management protocols 795189251Ssam# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 796189251Ssam# WPA-EAP = WPA using EAP authentication 797189251Ssam# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 798189251Ssam# generated WEP keys 799189251Ssam# NONE = WPA is not used; plaintext or static WEP could be used 800337817Scy# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK 801337817Scy# instead) 802337817Scy# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key 803337817Scy# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication 804189251Ssam# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 805189251Ssam# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 806337817Scy# SAE = Simultaneous authentication of equals; pre-shared key/password -based 807337817Scy# authentication with stronger security than WPA-PSK especially when using 808337817Scy# not that strong password 809337817Scy# FT-SAE = SAE with FT 810337817Scy# WPA-EAP-SUITE-B = Suite B 128-bit level 811337817Scy# WPA-EAP-SUITE-B-192 = Suite B 192-bit level 812337817Scy# OSEN = Hotspot 2.0 Rel 2 online signup connection 813189251Ssam# If not set, this defaults to: WPA-PSK WPA-EAP 814189251Ssam# 815252726Srpaulo# ieee80211w: whether management frame protection is enabled 816252726Srpaulo# 0 = disabled (default unless changed with the global pmf parameter) 817252726Srpaulo# 1 = optional 818252726Srpaulo# 2 = required 819252726Srpaulo# The most common configuration options for this based on the PMF (protected 820252726Srpaulo# management frames) certification program are: 821252726Srpaulo# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 822252726Srpaulo# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 823252726Srpaulo# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 824252726Srpaulo# 825189251Ssam# auth_alg: list of allowed IEEE 802.11 authentication algorithms 826189251Ssam# OPEN = Open System authentication (required for WPA/WPA2) 827189251Ssam# SHARED = Shared Key authentication (requires static WEP keys) 828189251Ssam# LEAP = LEAP/Network EAP (only used with LEAP) 829189251Ssam# If not set, automatic selection is used (Open System with LEAP enabled if 830189251Ssam# LEAP is allowed as one of the EAP methods). 831189251Ssam# 832189251Ssam# pairwise: list of accepted pairwise (unicast) ciphers for WPA 833189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 834189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 835189251Ssam# NONE = Use only Group Keys (deprecated, should not be included if APs support 836189251Ssam# pairwise keys) 837189251Ssam# If not set, this defaults to: CCMP TKIP 838189251Ssam# 839189251Ssam# group: list of accepted group (broadcast/multicast) ciphers for WPA 840189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 841189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 842189251Ssam# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 843189251Ssam# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 844189251Ssam# If not set, this defaults to: CCMP TKIP WEP104 WEP40 845189251Ssam# 846189251Ssam# psk: WPA preshared key; 256-bit pre-shared key 847189251Ssam# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 848189251Ssam# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 849189251Ssam# generated using the passphrase and SSID). ASCII passphrase must be between 850252726Srpaulo# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can 851252726Srpaulo# be used to indicate that the PSK/passphrase is stored in external storage. 852189251Ssam# This field is not needed, if WPA-EAP is used. 853189251Ssam# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 854189251Ssam# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 855189251Ssam# startup and reconfiguration time can be optimized by generating the PSK only 856189251Ssam# only when the passphrase or SSID has actually changed. 857189251Ssam# 858289549Srpaulo# mem_only_psk: Whether to keep PSK/passphrase only in memory 859289549Srpaulo# 0 = allow psk/passphrase to be stored to the configuration file 860289549Srpaulo# 1 = do not store psk/passphrase to the configuration file 861289549Srpaulo#mem_only_psk=0 862289549Srpaulo# 863189251Ssam# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 864189251Ssam# Dynamic WEP key required for non-WPA mode 865189251Ssam# bit0 (1): require dynamically generated unicast WEP key 866189251Ssam# bit1 (2): require dynamically generated broadcast WEP key 867189251Ssam# (3 = require both keys; default) 868281806Srpaulo# Note: When using wired authentication (including macsec_qca driver), 869281806Srpaulo# eapol_flags must be set to 0 for the authentication to be completed 870281806Srpaulo# successfully. 871189251Ssam# 872281806Srpaulo# macsec_policy: IEEE 802.1X/MACsec options 873281806Srpaulo# This determines how sessions are secured with MACsec. It is currently 874281806Srpaulo# applicable only when using the macsec_qca driver interface. 875281806Srpaulo# 0: MACsec not in use (default) 876281806Srpaulo# 1: MACsec enabled - Should secure, accept key server's advice to 877281806Srpaulo# determine whether to use a secure session or not. 878281806Srpaulo# 879189251Ssam# mixed_cell: This option can be used to configure whether so called mixed 880189251Ssam# cells, i.e., networks that use both plaintext and encryption in the same 881252726Srpaulo# SSID, are allowed when selecting a BSS from scan results. 882189251Ssam# 0 = disabled (default) 883189251Ssam# 1 = enabled 884189251Ssam# 885189251Ssam# proactive_key_caching: 886189251Ssam# Enable/disable opportunistic PMKSA caching for WPA2. 887252726Srpaulo# 0 = disabled (default unless changed with the global okc parameter) 888189251Ssam# 1 = enabled 889189251Ssam# 890189251Ssam# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 891189251Ssam# hex without quotation, e.g., 0102030405) 892189251Ssam# wep_tx_keyidx: Default WEP key index (TX) (0..3) 893189251Ssam# 894189251Ssam# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 895189251Ssam# allowed. This is only used with RSN/WPA2. 896189251Ssam# 0 = disabled (default) 897189251Ssam# 1 = enabled 898189251Ssam#peerkey=1 899189251Ssam# 900189251Ssam# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 901189251Ssam# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 902189251Ssam# 903337817Scy# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used 904337817Scy# as the dot11RSNAConfigGroupRekeyTime parameter when operating in 905337817Scy# Authenticator role in IBSS. 906337817Scy# 907189251Ssam# Following fields are only used with internal EAP implementation. 908189251Ssam# eap: space-separated list of accepted EAP methods 909337817Scy# MD5 = EAP-MD5 (insecure and does not generate keying material -> 910189251Ssam# cannot be used with WPA; to be used as a Phase 2 method 911189251Ssam# with EAP-PEAP or EAP-TTLS) 912189251Ssam# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 913189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 914189251Ssam# OTP = EAP-OTP (cannot be used separately with WPA; to be used 915189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 916189251Ssam# GTC = EAP-GTC (cannot be used separately with WPA; to be used 917189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 918189251Ssam# TLS = EAP-TLS (client and server certificate) 919189251Ssam# PEAP = EAP-PEAP (with tunnelled EAP authentication) 920189251Ssam# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 921189251Ssam# authentication) 922189251Ssam# If not set, all compiled in methods are allowed. 923189251Ssam# 924189251Ssam# identity: Identity string for EAP 925189251Ssam# This field is also used to configure user NAI for 926189251Ssam# EAP-PSK/PAX/SAKE/GPSK. 927189251Ssam# anonymous_identity: Anonymous identity string for EAP (to be used as the 928189251Ssam# unencrypted identity with EAP types that support different tunnelled 929252726Srpaulo# identity, e.g., EAP-TTLS). This field can also be used with 930252726Srpaulo# EAP-SIM/AKA/AKA' to store the pseudonym identity. 931189251Ssam# password: Password string for EAP. This field can include either the 932189251Ssam# plaintext password (using ASCII or hex string) or a NtPasswordHash 933189251Ssam# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 934189251Ssam# NtPasswordHash can only be used when the password is for MSCHAPv2 or 935189251Ssam# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 936189251Ssam# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 937189251Ssam# PSK) is also configured using this field. For EAP-GPSK, this is a 938252726Srpaulo# variable length PSK. ext:<name of external password field> format can 939252726Srpaulo# be used to indicate that the password is stored in external storage. 940189251Ssam# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 941189251Ssam# or more trusted CA certificates. If ca_cert and ca_path are not 942189251Ssam# included, server certificate will not be verified. This is insecure and 943189251Ssam# a trusted CA certificate should always be configured when using 944189251Ssam# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 945189251Ssam# change when wpa_supplicant is run in the background. 946214734Srpaulo# 947214734Srpaulo# Alternatively, this can be used to only perform matching of the server 948214734Srpaulo# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 949214734Srpaulo# this case, the possible CA certificates in the server certificate chain 950214734Srpaulo# are ignored and only the server certificate is verified. This is 951214734Srpaulo# configured with the following format: 952214734Srpaulo# hash:://server/sha256/cert_hash_in_hex 953214734Srpaulo# For example: "hash://server/sha256/ 954214734Srpaulo# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 955214734Srpaulo# 956189251Ssam# On Windows, trusted CA certificates can be loaded from the system 957189251Ssam# certificate store by setting this to cert_store://<name>, e.g., 958189251Ssam# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 959189251Ssam# Note that when running wpa_supplicant as an application, the user 960189251Ssam# certificate store (My user account) is used, whereas computer store 961189251Ssam# (Computer account) is used when running wpasvc as a service. 962189251Ssam# ca_path: Directory path for CA certificate files (PEM). This path may 963189251Ssam# contain multiple CA certificates in OpenSSL format. Common use for this 964189251Ssam# is to point to system trusted CA list which is often installed into 965189251Ssam# directory like /etc/ssl/certs. If configured, these certificates are 966189251Ssam# added to the list of trusted CAs. ca_cert may also be included in that 967189251Ssam# case, but it is not required. 968189251Ssam# client_cert: File path to client certificate file (PEM/DER) 969189251Ssam# Full path should be used since working directory may change when 970189251Ssam# wpa_supplicant is run in the background. 971189251Ssam# Alternatively, a named configuration blob can be used by setting this 972189251Ssam# to blob://<blob name>. 973189251Ssam# private_key: File path to client private key file (PEM/DER/PFX) 974189251Ssam# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 975189251Ssam# commented out. Both the private key and certificate will be read from 976189251Ssam# the PKCS#12 file in this case. Full path should be used since working 977189251Ssam# directory may change when wpa_supplicant is run in the background. 978189251Ssam# Windows certificate store can be used by leaving client_cert out and 979189251Ssam# configuring private_key in one of the following formats: 980189251Ssam# cert://substring_to_match 981189251Ssam# hash://certificate_thumbprint_in_hex 982189251Ssam# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 983189251Ssam# Note that when running wpa_supplicant as an application, the user 984189251Ssam# certificate store (My user account) is used, whereas computer store 985189251Ssam# (Computer account) is used when running wpasvc as a service. 986189251Ssam# Alternatively, a named configuration blob can be used by setting this 987189251Ssam# to blob://<blob name>. 988189251Ssam# private_key_passwd: Password for private key file (if left out, this will be 989189251Ssam# asked through control interface) 990189251Ssam# dh_file: File path to DH/DSA parameters file (in PEM format) 991189251Ssam# This is an optional configuration file for setting parameters for an 992189251Ssam# ephemeral DH key exchange. In most cases, the default RSA 993189251Ssam# authentication does not use this configuration. However, it is possible 994189251Ssam# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 995189251Ssam# DSA keys always use ephemeral DH keys. This can be used to achieve 996189251Ssam# forward secrecy. If the file is in DSA parameters format, it will be 997189251Ssam# automatically converted into DH params. 998189251Ssam# subject_match: Substring to be matched against the subject of the 999189251Ssam# authentication server certificate. If this string is set, the server 1000337817Scy# certificate is only accepted if it contains this string in the subject. 1001189251Ssam# The subject string is in following format: 1002189251Ssam# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 1003337817Scy# Note: Since this is a substring match, this cannot be used securely to 1004281806Srpaulo# do a suffix match against a possible domain name in the CN entry. For 1005281806Srpaulo# such a use case, domain_suffix_match or domain_match should be used 1006281806Srpaulo# instead. 1007189251Ssam# altsubject_match: Semicolon separated string of entries to be matched against 1008189251Ssam# the alternative subject name of the authentication server certificate. 1009337817Scy# If this string is set, the server certificate is only accepted if it 1010189251Ssam# contains one of the entries in an alternative subject name extension. 1011189251Ssam# altSubjectName string is in following format: TYPE:VALUE 1012189251Ssam# Example: EMAIL:server@example.com 1013189251Ssam# Example: DNS:server.example.com;DNS:server2.example.com 1014189251Ssam# Following types are supported: EMAIL, DNS, URI 1015281806Srpaulo# domain_suffix_match: Constraint for server domain name. If set, this FQDN is 1016337817Scy# used as a suffix match requirement for the AAA server certificate in 1017281806Srpaulo# SubjectAltName dNSName element(s). If a matching dNSName is found, this 1018281806Srpaulo# constraint is met. If no dNSName values are present, this constraint is 1019281806Srpaulo# matched against SubjectName CN using same suffix match comparison. 1020281806Srpaulo# 1021281806Srpaulo# Suffix match here means that the host/domain name is compared one label 1022281806Srpaulo# at a time starting from the top-level domain and all the labels in 1023281806Srpaulo# domain_suffix_match shall be included in the certificate. The 1024281806Srpaulo# certificate may include additional sub-level labels in addition to the 1025281806Srpaulo# required labels. 1026281806Srpaulo# 1027281806Srpaulo# For example, domain_suffix_match=example.com would match 1028281806Srpaulo# test.example.com but would not match test-example.com. 1029281806Srpaulo# domain_match: Constraint for server domain name 1030281806Srpaulo# If set, this FQDN is used as a full match requirement for the 1031281806Srpaulo# server certificate in SubjectAltName dNSName element(s). If a 1032281806Srpaulo# matching dNSName is found, this constraint is met. If no dNSName 1033281806Srpaulo# values are present, this constraint is matched against SubjectName CN 1034281806Srpaulo# using same full match comparison. This behavior is similar to 1035281806Srpaulo# domain_suffix_match, but has the requirement of a full match, i.e., 1036281806Srpaulo# no subdomains or wildcard matches are allowed. Case-insensitive 1037281806Srpaulo# comparison is used, so "Example.com" matches "example.com", but would 1038281806Srpaulo# not match "test.Example.com". 1039189251Ssam# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 1040189251Ssam# (string with field-value pairs, e.g., "peapver=0" or 1041189251Ssam# "peapver=1 peaplabel=1") 1042189251Ssam# 'peapver' can be used to force which PEAP version (0 or 1) is used. 1043189251Ssam# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 1044189251Ssam# to be used during key derivation when PEAPv1 or newer. Most existing 1045189251Ssam# PEAPv1 implementation seem to be using the old label, "client EAP 1046189251Ssam# encryption", and wpa_supplicant is now using that as the default value. 1047189251Ssam# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 1048189251Ssam# interoperate with PEAPv1; see eap_testing.txt for more details. 1049189251Ssam# 'peap_outer_success=0' can be used to terminate PEAP authentication on 1050189251Ssam# tunneled EAP-Success. This is required with some RADIUS servers that 1051189251Ssam# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 1052189251Ssam# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 1053189251Ssam# include_tls_length=1 can be used to force wpa_supplicant to include 1054189251Ssam# TLS Message Length field in all TLS messages even if they are not 1055189251Ssam# fragmented. 1056189251Ssam# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 1057189251Ssam# challenges (by default, it accepts 2 or 3) 1058189251Ssam# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 1059189251Ssam# protected result indication. 1060189251Ssam# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 1061189251Ssam# behavior: 1062189251Ssam# * 0 = do not use cryptobinding (default) 1063189251Ssam# * 1 = use cryptobinding if server supports it 1064189251Ssam# * 2 = require cryptobinding 1065189251Ssam# EAP-WSC (WPS) uses following options: pin=<Device Password> or 1066189251Ssam# pbc=1. 1067281806Srpaulo# 1068281806Srpaulo# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be 1069281806Srpaulo# used to configure a mode that allows EAP-Success (and EAP-Failure) 1070281806Srpaulo# without going through authentication step. Some switches use such 1071281806Srpaulo# sequence when forcing the port to be authorized/unauthorized or as a 1072281806Srpaulo# fallback option if the authentication server is unreachable. By default, 1073281806Srpaulo# wpa_supplicant discards such frames to protect against potential attacks 1074281806Srpaulo# by rogue devices, but this option can be used to disable that protection 1075281806Srpaulo# for cases where the server/authenticator does not need to be 1076281806Srpaulo# authenticated. 1077189251Ssam# phase2: Phase2 (inner authentication with TLS tunnel) parameters 1078189251Ssam# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 1079281806Srpaulo# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be 1080281806Srpaulo# used to disable MSCHAPv2 password retry in authentication failure cases. 1081252726Srpaulo# 1082252726Srpaulo# TLS-based methods can use the following parameters to control TLS behavior 1083252726Srpaulo# (these are normally in the phase1 parameter, but can be used also in the 1084252726Srpaulo# phase2 parameter when EAP-TLS is used within the inner tunnel): 1085252726Srpaulo# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the 1086252726Srpaulo# TLS library, these may be disabled by default to enforce stronger 1087252726Srpaulo# security) 1088252726Srpaulo# tls_disable_time_checks=1 - ignore certificate validity time (this requests 1089252726Srpaulo# the TLS library to accept certificates even if they are not currently 1090252726Srpaulo# valid, i.e., have expired or have not yet become valid; this should be 1091252726Srpaulo# used only for testing purposes) 1092252726Srpaulo# tls_disable_session_ticket=1 - disable TLS Session Ticket extension 1093252726Srpaulo# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used 1094252726Srpaulo# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS 1095252726Srpaulo# as a workaround for broken authentication server implementations unless 1096289549Srpaulo# EAP workarounds are disabled with eap_workaround=0. 1097252726Srpaulo# For EAP-FAST, this must be set to 0 (or left unconfigured for the 1098252726Srpaulo# default value to be used automatically). 1099289549Srpaulo# tls_disable_tlsv1_0=1 - disable use of TLSv1.0 1100281806Srpaulo# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers 1101281806Srpaulo# that have issues interoperating with updated TLS version) 1102281806Srpaulo# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers 1103281806Srpaulo# that have issues interoperating with updated TLS version) 1104337817Scy# tls_ext_cert_check=0 - No external server certificate validation (default) 1105337817Scy# tls_ext_cert_check=1 - External server certificate validation enabled; this 1106337817Scy# requires an external program doing validation of server certificate 1107337817Scy# chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control 1108337817Scy# interface and report the result of the validation with 1109337817Scy# CTRL-RSP_EXT_CERT_CHECK. 1110252726Srpaulo# 1111189251Ssam# Following certificate/private key fields are used in inner Phase2 1112189251Ssam# authentication when using EAP-TTLS or EAP-PEAP. 1113189251Ssam# ca_cert2: File path to CA certificate file. This file can have one or more 1114189251Ssam# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 1115189251Ssam# server certificate will not be verified. This is insecure and a trusted 1116189251Ssam# CA certificate should always be configured. 1117189251Ssam# ca_path2: Directory path for CA certificate files (PEM) 1118189251Ssam# client_cert2: File path to client certificate file 1119189251Ssam# private_key2: File path to client private key file 1120189251Ssam# private_key2_passwd: Password for private key file 1121189251Ssam# dh_file2: File path to DH/DSA parameters file (in PEM format) 1122189251Ssam# subject_match2: Substring to be matched against the subject of the 1123281806Srpaulo# authentication server certificate. See subject_match for more details. 1124281806Srpaulo# altsubject_match2: Semicolon separated string of entries to be matched 1125281806Srpaulo# against the alternative subject name of the authentication server 1126281806Srpaulo# certificate. See altsubject_match documentation for more details. 1127281806Srpaulo# domain_suffix_match2: Constraint for server domain name. See 1128281806Srpaulo# domain_suffix_match for more details. 1129189251Ssam# 1130189251Ssam# fragment_size: Maximum EAP fragment size in bytes (default 1398). 1131189251Ssam# This value limits the fragment size for EAP methods that support 1132189251Ssam# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 1133189251Ssam# small enough to make the EAP messages fit in MTU of the network 1134189251Ssam# interface used for EAPOL. The default value is suitable for most 1135189251Ssam# cases. 1136189251Ssam# 1137281806Srpaulo# ocsp: Whether to use/require OCSP to check server certificate 1138281806Srpaulo# 0 = do not use OCSP stapling (TLS certificate status extension) 1139281806Srpaulo# 1 = try to use OCSP stapling, but not require response 1140281806Srpaulo# 2 = require valid OCSP stapling response 1141337817Scy# 3 = require valid OCSP stapling response for all not-trusted 1142337817Scy# certificates in the server certificate chain 1143281806Srpaulo# 1144281806Srpaulo# openssl_ciphers: OpenSSL specific cipher configuration 1145281806Srpaulo# This can be used to override the global openssl_ciphers configuration 1146281806Srpaulo# parameter (see above). 1147281806Srpaulo# 1148281806Srpaulo# erp: Whether EAP Re-authentication Protocol (ERP) is enabled 1149281806Srpaulo# 1150189251Ssam# EAP-FAST variables: 1151189251Ssam# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 1152189251Ssam# to create this file and write updates to it when PAC is being 1153189251Ssam# provisioned or refreshed. Full path to the file should be used since 1154189251Ssam# working directory may change when wpa_supplicant is run in the 1155189251Ssam# background. Alternatively, a named configuration blob can be used by 1156189251Ssam# setting this to blob://<blob name> 1157189251Ssam# phase1: fast_provisioning option can be used to enable in-line provisioning 1158189251Ssam# of EAP-FAST credentials (PAC): 1159189251Ssam# 0 = disabled, 1160189251Ssam# 1 = allow unauthenticated provisioning, 1161189251Ssam# 2 = allow authenticated provisioning, 1162189251Ssam# 3 = allow both unauthenticated and authenticated provisioning 1163189251Ssam# fast_max_pac_list_len=<num> option can be used to set the maximum 1164189251Ssam# number of PAC entries to store in a PAC list (default: 10) 1165189251Ssam# fast_pac_format=binary option can be used to select binary format for 1166189251Ssam# storing PAC entries in order to save some space (the default 1167189251Ssam# text format uses about 2.5 times the size of minimal binary 1168189251Ssam# format) 1169189251Ssam# 1170189251Ssam# wpa_supplicant supports number of "EAP workarounds" to work around 1171189251Ssam# interoperability issues with incorrectly behaving authentication servers. 1172189251Ssam# These are enabled by default because some of the issues are present in large 1173189251Ssam# number of authentication servers. Strict EAP conformance mode can be 1174189251Ssam# configured by disabling workarounds with eap_workaround=0. 1175189251Ssam 1176337817Scy# update_identifier: PPS MO ID 1177337817Scy# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 1178337817Scy 1179252726Srpaulo# Station inactivity limit 1180252726Srpaulo# 1181252726Srpaulo# If a station does not send anything in ap_max_inactivity seconds, an 1182252726Srpaulo# empty data frame is sent to it in order to verify whether it is 1183252726Srpaulo# still in range. If this frame is not ACKed, the station will be 1184252726Srpaulo# disassociated and then deauthenticated. This feature is used to 1185252726Srpaulo# clear station table of old entries when the STAs move out of the 1186252726Srpaulo# range. 1187252726Srpaulo# 1188252726Srpaulo# The station can associate again with the AP if it is still in range; 1189252726Srpaulo# this inactivity poll is just used as a nicer way of verifying 1190252726Srpaulo# inactivity; i.e., client will not report broken connection because 1191252726Srpaulo# disassociation frame is not sent immediately without first polling 1192252726Srpaulo# the STA with a data frame. 1193252726Srpaulo# default: 300 (i.e., 5 minutes) 1194252726Srpaulo#ap_max_inactivity=300 1195252726Srpaulo 1196252726Srpaulo# DTIM period in Beacon intervals for AP mode (default: 2) 1197252726Srpaulo#dtim_period=2 1198252726Srpaulo 1199281806Srpaulo# Beacon interval (default: 100 TU) 1200281806Srpaulo#beacon_int=100 1201281806Srpaulo 1202337817Scy# WPS in AP mode 1203337817Scy# 0 = WPS enabled and configured (default) 1204337817Scy# 1 = WPS disabled 1205337817Scy#wps_disabled=0 1206337817Scy 1207281806Srpaulo# MAC address policy 1208281806Srpaulo# 0 = use permanent MAC address 1209281806Srpaulo# 1 = use random MAC address for each ESS connection 1210281806Srpaulo# 2 = like 1, but maintain OUI (with local admin bit set) 1211281806Srpaulo#mac_addr=0 1212281806Srpaulo 1213252726Srpaulo# disable_ht: Whether HT (802.11n) should be disabled. 1214252726Srpaulo# 0 = HT enabled (if AP supports it) 1215252726Srpaulo# 1 = HT disabled 1216252726Srpaulo# 1217252726Srpaulo# disable_ht40: Whether HT-40 (802.11n) should be disabled. 1218252726Srpaulo# 0 = HT-40 enabled (if AP supports it) 1219252726Srpaulo# 1 = HT-40 disabled 1220252726Srpaulo# 1221252726Srpaulo# disable_sgi: Whether SGI (short guard interval) should be disabled. 1222252726Srpaulo# 0 = SGI enabled (if AP supports it) 1223252726Srpaulo# 1 = SGI disabled 1224252726Srpaulo# 1225281806Srpaulo# disable_ldpc: Whether LDPC should be disabled. 1226281806Srpaulo# 0 = LDPC enabled (if AP supports it) 1227281806Srpaulo# 1 = LDPC disabled 1228281806Srpaulo# 1229281806Srpaulo# ht40_intolerant: Whether 40 MHz intolerant should be indicated. 1230281806Srpaulo# 0 = 40 MHz tolerant (default) 1231281806Srpaulo# 1 = 40 MHz intolerant 1232281806Srpaulo# 1233252726Srpaulo# ht_mcs: Configure allowed MCS rates. 1234252726Srpaulo# Parsed as an array of bytes, in base-16 (ascii-hex) 1235252726Srpaulo# ht_mcs="" // Use all available (default) 1236252726Srpaulo# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only 1237252726Srpaulo# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only 1238252726Srpaulo# 1239252726Srpaulo# disable_max_amsdu: Whether MAX_AMSDU should be disabled. 1240252726Srpaulo# -1 = Do not make any changes. 1241252726Srpaulo# 0 = Enable MAX-AMSDU if hardware supports it. 1242252726Srpaulo# 1 = Disable AMSDU 1243252726Srpaulo# 1244281806Srpaulo# ampdu_factor: Maximum A-MPDU Length Exponent 1245281806Srpaulo# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009. 1246281806Srpaulo# 1247252726Srpaulo# ampdu_density: Allow overriding AMPDU density configuration. 1248252726Srpaulo# Treated as hint by the kernel. 1249252726Srpaulo# -1 = Do not make any changes. 1250252726Srpaulo# 0-3 = Set AMPDU density (aka factor) to specified value. 1251252726Srpaulo 1252281806Srpaulo# disable_vht: Whether VHT should be disabled. 1253281806Srpaulo# 0 = VHT enabled (if AP supports it) 1254281806Srpaulo# 1 = VHT disabled 1255281806Srpaulo# 1256281806Srpaulo# vht_capa: VHT capabilities to set in the override 1257281806Srpaulo# vht_capa_mask: mask of VHT capabilities 1258281806Srpaulo# 1259281806Srpaulo# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8 1260281806Srpaulo# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8 1261281806Srpaulo# 0: MCS 0-7 1262281806Srpaulo# 1: MCS 0-8 1263281806Srpaulo# 2: MCS 0-9 1264281806Srpaulo# 3: not supported 1265281806Srpaulo 1266289549Srpaulo##### Fast Session Transfer (FST) support ##################################### 1267289549Srpaulo# 1268289549Srpaulo# The options in this section are only available when the build configuration 1269337817Scy# option CONFIG_FST is set while compiling wpa_supplicant. They allow this 1270337817Scy# interface to be a part of FST setup. 1271289549Srpaulo# 1272289549Srpaulo# FST is the transfer of a session from a channel to another channel, in the 1273289549Srpaulo# same or different frequency bands. 1274289549Srpaulo# 1275337817Scy# For details, see IEEE Std 802.11ad-2012. 1276289549Srpaulo 1277289549Srpaulo# Identifier of an FST Group the interface belongs to. 1278289549Srpaulo#fst_group_id=bond0 1279289549Srpaulo 1280289549Srpaulo# Interface priority within the FST Group. 1281289549Srpaulo# Announcing a higher priority for an interface means declaring it more 1282289549Srpaulo# preferable for FST switch. 1283289549Srpaulo# fst_priority is in 1..255 range with 1 being the lowest priority. 1284289549Srpaulo#fst_priority=100 1285289549Srpaulo 1286289549Srpaulo# Default LLT value for this interface in milliseconds. The value used in case 1287289549Srpaulo# no value provided during session setup. Default is 50 msec. 1288289549Srpaulo# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2 1289289549Srpaulo# Transitioning between states). 1290289549Srpaulo#fst_llt=100 1291289549Srpaulo 1292189251Ssam# Example blocks: 1293189251Ssam 1294189251Ssam# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 1295189251Ssamnetwork={ 1296189251Ssam ssid="simple" 1297189251Ssam psk="very secret passphrase" 1298189251Ssam priority=5 1299189251Ssam} 1300189251Ssam 1301189251Ssam# Same as previous, but request SSID-specific scanning (for APs that reject 1302189251Ssam# broadcast SSID) 1303189251Ssamnetwork={ 1304189251Ssam ssid="second ssid" 1305189251Ssam scan_ssid=1 1306189251Ssam psk="very secret passphrase" 1307189251Ssam priority=2 1308189251Ssam} 1309189251Ssam 1310189251Ssam# Only WPA-PSK is used. Any valid cipher combination is accepted. 1311189251Ssamnetwork={ 1312189251Ssam ssid="example" 1313189251Ssam proto=WPA 1314189251Ssam key_mgmt=WPA-PSK 1315189251Ssam pairwise=CCMP TKIP 1316189251Ssam group=CCMP TKIP WEP104 WEP40 1317189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 1318189251Ssam priority=2 1319189251Ssam} 1320189251Ssam 1321189251Ssam# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 1322189251Ssamnetwork={ 1323189251Ssam ssid="example" 1324189251Ssam proto=WPA 1325189251Ssam key_mgmt=WPA-PSK 1326189251Ssam pairwise=TKIP 1327189251Ssam group=TKIP 1328189251Ssam psk="not so secure passphrase" 1329189251Ssam wpa_ptk_rekey=600 1330189251Ssam} 1331189251Ssam 1332189251Ssam# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 1333189251Ssam# or WEP40 as the group cipher will not be accepted. 1334189251Ssamnetwork={ 1335189251Ssam ssid="example" 1336189251Ssam proto=RSN 1337189251Ssam key_mgmt=WPA-EAP 1338189251Ssam pairwise=CCMP TKIP 1339189251Ssam group=CCMP TKIP 1340189251Ssam eap=TLS 1341189251Ssam identity="user@example.com" 1342189251Ssam ca_cert="/etc/cert/ca.pem" 1343189251Ssam client_cert="/etc/cert/user.pem" 1344189251Ssam private_key="/etc/cert/user.prv" 1345189251Ssam private_key_passwd="password" 1346189251Ssam priority=1 1347189251Ssam} 1348189251Ssam 1349189251Ssam# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 1350189251Ssam# (e.g., Radiator) 1351189251Ssamnetwork={ 1352189251Ssam ssid="example" 1353189251Ssam key_mgmt=WPA-EAP 1354189251Ssam eap=PEAP 1355189251Ssam identity="user@example.com" 1356189251Ssam password="foobar" 1357189251Ssam ca_cert="/etc/cert/ca.pem" 1358189251Ssam phase1="peaplabel=1" 1359189251Ssam phase2="auth=MSCHAPV2" 1360189251Ssam priority=10 1361189251Ssam} 1362189251Ssam 1363189251Ssam# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 1364189251Ssam# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 1365189251Ssamnetwork={ 1366189251Ssam ssid="example" 1367189251Ssam key_mgmt=WPA-EAP 1368189251Ssam eap=TTLS 1369189251Ssam identity="user@example.com" 1370189251Ssam anonymous_identity="anonymous@example.com" 1371189251Ssam password="foobar" 1372189251Ssam ca_cert="/etc/cert/ca.pem" 1373189251Ssam priority=2 1374189251Ssam} 1375189251Ssam 1376189251Ssam# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 1377189251Ssam# use. Real identity is sent only within an encrypted TLS tunnel. 1378189251Ssamnetwork={ 1379189251Ssam ssid="example" 1380189251Ssam key_mgmt=WPA-EAP 1381189251Ssam eap=TTLS 1382189251Ssam identity="user@example.com" 1383189251Ssam anonymous_identity="anonymous@example.com" 1384189251Ssam password="foobar" 1385189251Ssam ca_cert="/etc/cert/ca.pem" 1386189251Ssam phase2="auth=MSCHAPV2" 1387189251Ssam} 1388189251Ssam 1389189251Ssam# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 1390189251Ssam# authentication. 1391189251Ssamnetwork={ 1392189251Ssam ssid="example" 1393189251Ssam key_mgmt=WPA-EAP 1394189251Ssam eap=TTLS 1395189251Ssam # Phase1 / outer authentication 1396189251Ssam anonymous_identity="anonymous@example.com" 1397189251Ssam ca_cert="/etc/cert/ca.pem" 1398189251Ssam # Phase 2 / inner authentication 1399189251Ssam phase2="autheap=TLS" 1400189251Ssam ca_cert2="/etc/cert/ca2.pem" 1401189251Ssam client_cert2="/etc/cer/user.pem" 1402189251Ssam private_key2="/etc/cer/user.prv" 1403189251Ssam private_key2_passwd="password" 1404189251Ssam priority=2 1405189251Ssam} 1406189251Ssam 1407189251Ssam# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 1408189251Ssam# group cipher. 1409189251Ssamnetwork={ 1410189251Ssam ssid="example" 1411189251Ssam bssid=00:11:22:33:44:55 1412189251Ssam proto=WPA RSN 1413189251Ssam key_mgmt=WPA-PSK WPA-EAP 1414189251Ssam pairwise=CCMP 1415189251Ssam group=CCMP 1416189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 1417189251Ssam} 1418189251Ssam 1419189251Ssam# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 1420189251Ssam# and all valid ciphers. 1421189251Ssamnetwork={ 1422189251Ssam ssid=00010203 1423189251Ssam psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 1424189251Ssam} 1425189251Ssam 1426189251Ssam 1427189251Ssam# EAP-SIM with a GSM SIM or USIM 1428189251Ssamnetwork={ 1429189251Ssam ssid="eap-sim-test" 1430189251Ssam key_mgmt=WPA-EAP 1431189251Ssam eap=SIM 1432189251Ssam pin="1234" 1433189251Ssam pcsc="" 1434189251Ssam} 1435189251Ssam 1436189251Ssam 1437189251Ssam# EAP-PSK 1438189251Ssamnetwork={ 1439189251Ssam ssid="eap-psk-test" 1440189251Ssam key_mgmt=WPA-EAP 1441189251Ssam eap=PSK 1442189251Ssam anonymous_identity="eap_psk_user" 1443189251Ssam password=06b4be19da289f475aa46a33cb793029 1444189251Ssam identity="eap_psk_user@example.com" 1445189251Ssam} 1446189251Ssam 1447189251Ssam 1448189251Ssam# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 1449189251Ssam# EAP-TLS for authentication and key generation; require both unicast and 1450189251Ssam# broadcast WEP keys. 1451189251Ssamnetwork={ 1452189251Ssam ssid="1x-test" 1453189251Ssam key_mgmt=IEEE8021X 1454189251Ssam eap=TLS 1455189251Ssam identity="user@example.com" 1456189251Ssam ca_cert="/etc/cert/ca.pem" 1457189251Ssam client_cert="/etc/cert/user.pem" 1458189251Ssam private_key="/etc/cert/user.prv" 1459189251Ssam private_key_passwd="password" 1460189251Ssam eapol_flags=3 1461189251Ssam} 1462189251Ssam 1463189251Ssam 1464189251Ssam# LEAP with dynamic WEP keys 1465189251Ssamnetwork={ 1466189251Ssam ssid="leap-example" 1467189251Ssam key_mgmt=IEEE8021X 1468189251Ssam eap=LEAP 1469189251Ssam identity="user" 1470189251Ssam password="foobar" 1471189251Ssam} 1472189251Ssam 1473189251Ssam# EAP-IKEv2 using shared secrets for both server and peer authentication 1474189251Ssamnetwork={ 1475189251Ssam ssid="ikev2-example" 1476189251Ssam key_mgmt=WPA-EAP 1477189251Ssam eap=IKEV2 1478189251Ssam identity="user" 1479189251Ssam password="foobar" 1480189251Ssam} 1481189251Ssam 1482189251Ssam# EAP-FAST with WPA (WPA or WPA2) 1483189251Ssamnetwork={ 1484189251Ssam ssid="eap-fast-test" 1485189251Ssam key_mgmt=WPA-EAP 1486189251Ssam eap=FAST 1487189251Ssam anonymous_identity="FAST-000102030405" 1488189251Ssam identity="username" 1489189251Ssam password="password" 1490189251Ssam phase1="fast_provisioning=1" 1491189251Ssam pac_file="/etc/wpa_supplicant.eap-fast-pac" 1492189251Ssam} 1493189251Ssam 1494189251Ssamnetwork={ 1495189251Ssam ssid="eap-fast-test" 1496189251Ssam key_mgmt=WPA-EAP 1497189251Ssam eap=FAST 1498189251Ssam anonymous_identity="FAST-000102030405" 1499189251Ssam identity="username" 1500189251Ssam password="password" 1501189251Ssam phase1="fast_provisioning=1" 1502189251Ssam pac_file="blob://eap-fast-pac" 1503189251Ssam} 1504189251Ssam 1505189251Ssam# Plaintext connection (no WPA, no IEEE 802.1X) 1506189251Ssamnetwork={ 1507189251Ssam ssid="plaintext-test" 1508189251Ssam key_mgmt=NONE 1509189251Ssam} 1510189251Ssam 1511189251Ssam 1512189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) 1513189251Ssamnetwork={ 1514189251Ssam ssid="static-wep-test" 1515189251Ssam key_mgmt=NONE 1516189251Ssam wep_key0="abcde" 1517189251Ssam wep_key1=0102030405 1518189251Ssam wep_key2="1234567890123" 1519189251Ssam wep_tx_keyidx=0 1520189251Ssam priority=5 1521189251Ssam} 1522189251Ssam 1523189251Ssam 1524189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 1525189251Ssam# IEEE 802.11 authentication 1526189251Ssamnetwork={ 1527189251Ssam ssid="static-wep-test2" 1528189251Ssam key_mgmt=NONE 1529189251Ssam wep_key0="abcde" 1530189251Ssam wep_key1=0102030405 1531189251Ssam wep_key2="1234567890123" 1532189251Ssam wep_tx_keyidx=0 1533189251Ssam priority=5 1534189251Ssam auth_alg=SHARED 1535189251Ssam} 1536189251Ssam 1537189251Ssam 1538281806Srpaulo# IBSS/ad-hoc network with RSN 1539189251Ssamnetwork={ 1540281806Srpaulo ssid="ibss-rsn" 1541281806Srpaulo key_mgmt=WPA-PSK 1542281806Srpaulo proto=RSN 1543281806Srpaulo psk="12345678" 1544281806Srpaulo mode=1 1545281806Srpaulo frequency=2412 1546281806Srpaulo pairwise=CCMP 1547281806Srpaulo group=CCMP 1548281806Srpaulo} 1549281806Srpaulo 1550281806Srpaulo# IBSS/ad-hoc network with WPA-None/TKIP (deprecated) 1551281806Srpaulonetwork={ 1552189251Ssam ssid="test adhoc" 1553189251Ssam mode=1 1554189251Ssam frequency=2412 1555189251Ssam proto=WPA 1556189251Ssam key_mgmt=WPA-NONE 1557189251Ssam pairwise=NONE 1558189251Ssam group=TKIP 1559189251Ssam psk="secret passphrase" 1560189251Ssam} 1561189251Ssam 1562281806Srpaulo# open mesh network 1563281806Srpaulonetwork={ 1564281806Srpaulo ssid="test mesh" 1565281806Srpaulo mode=5 1566281806Srpaulo frequency=2437 1567281806Srpaulo key_mgmt=NONE 1568281806Srpaulo} 1569189251Ssam 1570281806Srpaulo# secure (SAE + AMPE) network 1571281806Srpaulonetwork={ 1572281806Srpaulo ssid="secure mesh" 1573281806Srpaulo mode=5 1574281806Srpaulo frequency=2437 1575281806Srpaulo key_mgmt=SAE 1576281806Srpaulo psk="very secret passphrase" 1577281806Srpaulo} 1578281806Srpaulo 1579281806Srpaulo 1580189251Ssam# Catch all example that allows more or less all configuration modes 1581189251Ssamnetwork={ 1582189251Ssam ssid="example" 1583189251Ssam scan_ssid=1 1584189251Ssam key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 1585189251Ssam pairwise=CCMP TKIP 1586189251Ssam group=CCMP TKIP WEP104 WEP40 1587189251Ssam psk="very secret passphrase" 1588189251Ssam eap=TTLS PEAP TLS 1589189251Ssam identity="user@example.com" 1590189251Ssam password="foobar" 1591189251Ssam ca_cert="/etc/cert/ca.pem" 1592189251Ssam client_cert="/etc/cert/user.pem" 1593189251Ssam private_key="/etc/cert/user.prv" 1594189251Ssam private_key_passwd="password" 1595189251Ssam phase1="peaplabel=0" 1596189251Ssam} 1597189251Ssam 1598189251Ssam# Example of EAP-TLS with smartcard (openssl engine) 1599189251Ssamnetwork={ 1600189251Ssam ssid="example" 1601189251Ssam key_mgmt=WPA-EAP 1602189251Ssam eap=TLS 1603189251Ssam proto=RSN 1604189251Ssam pairwise=CCMP TKIP 1605189251Ssam group=CCMP TKIP 1606189251Ssam identity="user@example.com" 1607189251Ssam ca_cert="/etc/cert/ca.pem" 1608189251Ssam 1609337817Scy # Certificate and/or key identified by PKCS#11 URI (RFC7512) 1610337817Scy client_cert="pkcs11:manufacturer=piv_II;id=%01" 1611337817Scy private_key="pkcs11:manufacturer=piv_II;id=%01" 1612189251Ssam 1613189251Ssam # Optional PIN configuration; this can be left out and PIN will be 1614189251Ssam # asked through the control interface 1615189251Ssam pin="1234" 1616189251Ssam} 1617189251Ssam 1618189251Ssam# Example configuration showing how to use an inlined blob as a CA certificate 1619189251Ssam# data instead of using external file 1620189251Ssamnetwork={ 1621189251Ssam ssid="example" 1622189251Ssam key_mgmt=WPA-EAP 1623189251Ssam eap=TTLS 1624189251Ssam identity="user@example.com" 1625189251Ssam anonymous_identity="anonymous@example.com" 1626189251Ssam password="foobar" 1627189251Ssam ca_cert="blob://exampleblob" 1628189251Ssam priority=20 1629189251Ssam} 1630189251Ssam 1631189251Ssamblob-base64-exampleblob={ 1632189251SsamSGVsbG8gV29ybGQhCg== 1633189251Ssam} 1634189251Ssam 1635189251Ssam 1636189251Ssam# Wildcard match for SSID (plaintext APs only). This example select any 1637189251Ssam# open AP regardless of its SSID. 1638189251Ssamnetwork={ 1639189251Ssam key_mgmt=NONE 1640189251Ssam} 1641281806Srpaulo 1642281806Srpaulo# Example configuration blacklisting two APs - these will be ignored 1643281806Srpaulo# for this network. 1644281806Srpaulonetwork={ 1645281806Srpaulo ssid="example" 1646281806Srpaulo psk="very secret passphrase" 1647281806Srpaulo bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66 1648281806Srpaulo} 1649281806Srpaulo 1650281806Srpaulo# Example configuration limiting AP selection to a specific set of APs; 1651281806Srpaulo# any other AP not matching the masked address will be ignored. 1652281806Srpaulonetwork={ 1653281806Srpaulo ssid="example" 1654281806Srpaulo psk="very secret passphrase" 1655281806Srpaulo bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff 1656281806Srpaulo} 1657281806Srpaulo 1658281806Srpaulo# Example config file that will only scan on channel 36. 1659281806Srpaulofreq_list=5180 1660281806Srpaulonetwork={ 1661281806Srpaulo key_mgmt=NONE 1662281806Srpaulo} 1663281806Srpaulo 1664281806Srpaulo 1665281806Srpaulo# Example MACsec configuration 1666281806Srpaulo#network={ 1667281806Srpaulo# key_mgmt=IEEE8021X 1668281806Srpaulo# eap=TTLS 1669281806Srpaulo# phase2="auth=PAP" 1670281806Srpaulo# anonymous_identity="anonymous@example.com" 1671281806Srpaulo# identity="user@example.com" 1672281806Srpaulo# password="secretr" 1673281806Srpaulo# ca_cert="/etc/cert/ca.pem" 1674281806Srpaulo# eapol_flags=0 1675281806Srpaulo# macsec_policy=1 1676281806Srpaulo#} 1677