1189251Ssam##### Example wpa_supplicant configuration file ############################### 2189251Ssam# 3189902Sdougb# ***** Please check wpa_supplicant.conf(5) for details on these options ***** 4189902Sdougb# 5189251Ssam# This file describes configuration file format and lists all available option. 6189251Ssam# Please also take a look at simpler configuration examples in 'examples' 7189251Ssam# subdirectory. 8189251Ssam# 9189251Ssam# Empty lines and lines starting with # are ignored 10189251Ssam 11189251Ssam# NOTE! This file may contain password information and should probably be made 12189251Ssam# readable only by root user on multiuser systems. 13189251Ssam 14189251Ssam# Note: All file paths in this configuration file should use full (absolute, 15189251Ssam# not relative to working directory) path in order to allow working directory 16189251Ssam# to be changed. This can happen if wpa_supplicant is run in the background. 17189251Ssam 18189251Ssam# Whether to allow wpa_supplicant to update (overwrite) configuration 19189251Ssam# 20189251Ssam# This option can be used to allow wpa_supplicant to overwrite configuration 21189251Ssam# file whenever configuration is changed (e.g., new network block is added with 22189251Ssam# wpa_cli or wpa_gui, or a password is changed). This is required for 23189251Ssam# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 24189251Ssam# Please note that overwriting configuration file will remove the comments from 25189251Ssam# it. 26189251Ssam#update_config=1 27189251Ssam 28189251Ssam# global configuration (shared by all network blocks) 29189251Ssam# 30189251Ssam# Parameters for the control interface. If this is specified, wpa_supplicant 31189251Ssam# will open a control interface that is available for external programs to 32189251Ssam# manage wpa_supplicant. The meaning of this string depends on which control 33189251Ssam# interface mechanism is used. For all cases, the existance of this parameter 34189251Ssam# in configuration is used to determine whether the control interface is 35189251Ssam# enabled. 36189251Ssam# 37189251Ssam# For UNIX domain sockets (default on Linux and BSD): This is a directory that 38189251Ssam# will be created for UNIX domain sockets for listening to requests from 39189251Ssam# external programs (CLI/GUI, etc.) for status information and configuration. 40189251Ssam# The socket file will be named based on the interface name, so multiple 41189251Ssam# wpa_supplicant processes can be run at the same time if more than one 42189251Ssam# interface is used. 43189251Ssam# /var/run/wpa_supplicant is the recommended directory for sockets and by 44189251Ssam# default, wpa_cli will use it when trying to connect with wpa_supplicant. 45189251Ssam# 46189251Ssam# Access control for the control interface can be configured by setting the 47189251Ssam# directory to allow only members of a group to use sockets. This way, it is 48189251Ssam# possible to run wpa_supplicant as root (since it needs to change network 49189251Ssam# configuration and open raw sockets) and still allow GUI/CLI components to be 50189251Ssam# run as non-root users. However, since the control interface can be used to 51189251Ssam# change the network configuration, this access needs to be protected in many 52189251Ssam# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 53189251Ssam# want to allow non-root users to use the control interface, add a new group 54189251Ssam# and change this value to match with that group. Add users that should have 55189251Ssam# control interface access to this group. If this variable is commented out or 56189251Ssam# not included in the configuration file, group will not be changed from the 57189251Ssam# value it got by default when the directory or socket was created. 58189251Ssam# 59189251Ssam# When configuring both the directory and group, use following format: 60189251Ssam# DIR=/var/run/wpa_supplicant GROUP=wheel 61189251Ssam# DIR=/var/run/wpa_supplicant GROUP=0 62189251Ssam# (group can be either group name or gid) 63189251Ssam# 64189251Ssamctrl_interface=/var/run/wpa_supplicant 65189251Ssam 66189251Ssam# IEEE 802.1X/EAPOL version 67189251Ssam# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 68189251Ssam# EAPOL version 2. However, there are many APs that do not handle the new 69189251Ssam# version number correctly (they seem to drop the frames completely). In order 70189251Ssam# to make wpa_supplicant interoperate with these APs, the version number is set 71189251Ssam# to 1 by default. This configuration value can be used to set it to the new 72189251Ssam# version (2). 73189251Ssameapol_version=1 74189251Ssam 75189251Ssam# AP scanning/selection 76189251Ssam# By default, wpa_supplicant requests driver to perform AP scanning and then 77189251Ssam# uses the scan results to select a suitable AP. Another alternative is to 78189251Ssam# allow the driver to take care of AP scanning and selection and use 79189251Ssam# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 80189251Ssam# information from the driver. 81214734Srpaulo# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 82214734Srpaulo# the currently enabled networks are found, a new network (IBSS or AP mode 83214734Srpaulo# operation) may be initialized (if configured) (default) 84189251Ssam# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 85189251Ssam# parameters (e.g., WPA IE generation); this mode can also be used with 86189251Ssam# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 87189251Ssam# APs (i.e., external program needs to control association). This mode must 88189251Ssam# also be used when using wired Ethernet drivers. 89189251Ssam# 2: like 0, but associate with APs using security policy and SSID (but not 90189251Ssam# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 91189251Ssam# enable operation with hidden SSIDs and optimized roaming; in this mode, 92189251Ssam# the network blocks in the configuration file are tried one by one until 93189251Ssam# the driver reports successful association; each network block should have 94189251Ssam# explicit security policy (i.e., only one option in the lists) for 95189251Ssam# key_mgmt, pairwise, group, proto variables 96189902Sdougb# 97189902Sdougb# For use in FreeBSD with the wlan module ap_scan must be set to 1. 98214734Srpaulo# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 99214734Srpaulo# created immediately regardless of scan results. ap_scan=1 mode will first try 100214734Srpaulo# to scan for existing networks and only if no matches with the enabled 101214734Srpaulo# networks are found, a new IBSS or AP mode network is created. 102189251Ssamap_scan=1 103189251Ssam 104189251Ssam# EAP fast re-authentication 105189251Ssam# By default, fast re-authentication is enabled for all EAP methods that 106189251Ssam# support it. This variable can be used to disable fast re-authentication. 107189251Ssam# Normally, there is no need to disable this. 108189251Ssamfast_reauth=1 109189251Ssam 110189251Ssam# OpenSSL Engine support 111189251Ssam# These options can be used to load OpenSSL engines. 112189251Ssam# The two engines that are supported currently are shown below: 113189251Ssam# They are both from the opensc project (http://www.opensc.org/) 114189251Ssam# By default no engines are loaded. 115189251Ssam# make the opensc engine available 116189251Ssam#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 117189251Ssam# make the pkcs11 engine available 118189251Ssam#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 119189251Ssam# configure the path to the pkcs11 module required by the pkcs11 engine 120189251Ssam#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 121189251Ssam 122189251Ssam# Dynamic EAP methods 123189251Ssam# If EAP methods were built dynamically as shared object files, they need to be 124189251Ssam# loaded here before being used in the network blocks. By default, EAP methods 125189251Ssam# are included statically in the build, so these lines are not needed 126189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 127189251Ssam#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 128189251Ssam 129189251Ssam# Driver interface parameters 130189251Ssam# This field can be used to configure arbitrary driver interace parameters. The 131189251Ssam# format is specific to the selected driver interface. This field is not used 132189251Ssam# in most cases. 133189251Ssam#driver_param="field=value" 134189251Ssam 135189251Ssam# Country code 136189251Ssam# The ISO/IEC alpha2 country code for the country in which this device is 137189251Ssam# currently operating. 138189251Ssam#country=US 139189251Ssam 140189251Ssam# Maximum lifetime for PMKSA in seconds; default 43200 141189251Ssam#dot11RSNAConfigPMKLifetime=43200 142189251Ssam# Threshold for reauthentication (percentage of PMK lifetime); default 70 143189251Ssam#dot11RSNAConfigPMKReauthThreshold=70 144189251Ssam# Timeout for security association negotiation in seconds; default 60 145189251Ssam#dot11RSNAConfigSATimeout=60 146189251Ssam 147189251Ssam# Wi-Fi Protected Setup (WPS) parameters 148189251Ssam 149189251Ssam# Universally Unique IDentifier (UUID; see RFC 4122) of the device 150189251Ssam# If not configured, UUID will be generated based on the local MAC address. 151189251Ssam#uuid=12345678-9abc-def0-1234-56789abcdef0 152189251Ssam 153189251Ssam# Device Name 154189251Ssam# User-friendly description of device; up to 32 octets encoded in UTF-8 155189251Ssam#device_name=Wireless Client 156189251Ssam 157189251Ssam# Manufacturer 158189251Ssam# The manufacturer of the device (up to 64 ASCII characters) 159189251Ssam#manufacturer=Company 160189251Ssam 161189251Ssam# Model Name 162189251Ssam# Model of the device (up to 32 ASCII characters) 163189251Ssam#model_name=cmodel 164189251Ssam 165189251Ssam# Model Number 166189251Ssam# Additional device description (up to 32 ASCII characters) 167189251Ssam#model_number=123 168189251Ssam 169189251Ssam# Serial Number 170189251Ssam# Serial number of the device (up to 32 characters) 171189251Ssam#serial_number=12345 172189251Ssam 173189251Ssam# Primary Device Type 174189251Ssam# Used format: <categ>-<OUI>-<subcateg> 175189251Ssam# categ = Category as an integer value 176189251Ssam# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 177189251Ssam# default WPS OUI 178189251Ssam# subcateg = OUI-specific Sub Category as an integer value 179189251Ssam# Examples: 180189251Ssam# 1-0050F204-1 (Computer / PC) 181189251Ssam# 1-0050F204-2 (Computer / Server) 182189251Ssam# 5-0050F204-1 (Storage / NAS) 183189251Ssam# 6-0050F204-1 (Network Infrastructure / AP) 184189251Ssam#device_type=1-0050F204-1 185189251Ssam 186189251Ssam# OS Version 187189251Ssam# 4-octet operating system version number (hex string) 188189251Ssam#os_version=01020300 189189251Ssam 190214734Srpaulo# Config Methods 191214734Srpaulo# List of the supported configuration methods 192214734Srpaulo# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 193214734Srpaulo# nfc_interface push_button keypad 194214734Srpaulo#config_methods=label display push_button keypad 195214734Srpaulo 196189251Ssam# Credential processing 197189251Ssam# 0 = process received credentials internally (default) 198189251Ssam# 1 = do not process received credentials; just pass them over ctrl_iface to 199189251Ssam# external program(s) 200189251Ssam# 2 = process received credentials internally and pass them over ctrl_iface 201189251Ssam# to external program(s) 202189251Ssam#wps_cred_processing=0 203189251Ssam 204214734Srpaulo# Maximum number of BSS entries to keep in memory 205214734Srpaulo# Default: 200 206214734Srpaulo# This can be used to limit memory use on the BSS entries (cached scan 207214734Srpaulo# results). A larger value may be needed in environments that have huge number 208214734Srpaulo# of APs when using ap_scan=1 mode. 209214734Srpaulo#bss_max_count=200 210214734Srpaulo 211214734Srpaulo 212214734Srpaulo# filter_ssids - SSID-based scan result filtering 213214734Srpaulo# 0 = do not filter scan results (default) 214214734Srpaulo# 1 = only include configured SSIDs in scan results/BSS table 215214734Srpaulo#filter_ssids=0 216214734Srpaulo 217214734Srpaulo 218189251Ssam# network block 219189251Ssam# 220189251Ssam# Each network (usually AP's sharing the same SSID) is configured as a separate 221189251Ssam# block in this configuration file. The network blocks are in preference order 222189251Ssam# (the first match is used). 223189251Ssam# 224189251Ssam# network block fields: 225189251Ssam# 226189251Ssam# disabled: 227189251Ssam# 0 = this network can be used (default) 228189251Ssam# 1 = this network block is disabled (can be enabled through ctrl_iface, 229189251Ssam# e.g., with wpa_cli or wpa_gui) 230189251Ssam# 231189251Ssam# id_str: Network identifier string for external scripts. This value is passed 232189251Ssam# to external action script through wpa_cli as WPA_ID_STR environment 233189251Ssam# variable to make it easier to do network specific configuration. 234189251Ssam# 235189251Ssam# ssid: SSID (mandatory); either as an ASCII string with double quotation or 236189251Ssam# as hex string; network name 237189251Ssam# 238189251Ssam# scan_ssid: 239189251Ssam# 0 = do not scan this SSID with specific Probe Request frames (default) 240189251Ssam# 1 = scan with SSID-specific Probe Request frames (this can be used to 241189902Sdougb# find APs that hide (do not broadcast) SSID or use multiple SSIDs; 242189251Ssam# this will add latency to scanning, so enable this only when needed) 243189251Ssam# 244189251Ssam# bssid: BSSID (optional); if set, this network block is used only when 245189251Ssam# associating with the AP using the configured BSSID 246189251Ssam# 247189251Ssam# priority: priority group (integer) 248189251Ssam# By default, all networks will get same priority group (0). If some of the 249189251Ssam# networks are more desirable, this field can be used to change the order in 250189251Ssam# which wpa_supplicant goes through the networks when selecting a BSS. The 251189251Ssam# priority groups will be iterated in decreasing priority (i.e., the larger the 252189251Ssam# priority value, the sooner the network is matched against the scan results). 253189251Ssam# Within each priority group, networks will be selected based on security 254189251Ssam# policy, signal strength, etc. 255189251Ssam# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 256189251Ssam# using this priority to select the order for scanning. Instead, they try the 257189902Sdougb# networks in the order that they are listed in the configuration file. 258189251Ssam# 259189251Ssam# mode: IEEE 802.11 operation mode 260189251Ssam# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 261189251Ssam# 1 = IBSS (ad-hoc, peer-to-peer) 262214734Srpaulo# 2 = AP (access point) 263189251Ssam# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 264214734Srpaulo# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires 265214734Srpaulo# following network block options: 266189251Ssam# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 267189251Ssam# both), and psk must also be set. 268189251Ssam# 269189251Ssam# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 270189251Ssam# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 271189251Ssam# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 272189251Ssam# In addition, this value is only used by the station that creates the IBSS. If 273189251Ssam# an IBSS network with the configured SSID is already present, the frequency of 274189251Ssam# the network will be used instead of this configured value. 275189251Ssam# 276214734Srpaulo# scan_freq: List of frequencies to scan 277214734Srpaulo# Space-separated list of frequencies in MHz to scan when searching for this 278214734Srpaulo# BSS. If the subset of channels used by the network is known, this option can 279214734Srpaulo# be used to optimize scanning to not occur on channels that the network does 280214734Srpaulo# not use. Example: scan_freq=2412 2437 2462 281214734Srpaulo# 282214734Srpaulo# freq_list: Array of allowed frequencies 283214734Srpaulo# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 284214734Srpaulo# set, scan results that do not match any of the specified frequencies are not 285214734Srpaulo# considered when selecting a BSS. 286214734Srpaulo# 287189251Ssam# proto: list of accepted protocols 288189251Ssam# WPA = WPA/IEEE 802.11i/D3.0 289189251Ssam# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 290189251Ssam# If not set, this defaults to: WPA RSN 291189251Ssam# 292189251Ssam# key_mgmt: list of accepted authenticated key management protocols 293189251Ssam# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 294189251Ssam# WPA-EAP = WPA using EAP authentication 295189251Ssam# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 296189251Ssam# generated WEP keys 297189251Ssam# NONE = WPA is not used; plaintext or static WEP could be used 298189251Ssam# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 299189251Ssam# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 300189251Ssam# If not set, this defaults to: WPA-PSK WPA-EAP 301189251Ssam# 302189251Ssam# auth_alg: list of allowed IEEE 802.11 authentication algorithms 303189251Ssam# OPEN = Open System authentication (required for WPA/WPA2) 304189251Ssam# SHARED = Shared Key authentication (requires static WEP keys) 305189251Ssam# LEAP = LEAP/Network EAP (only used with LEAP) 306189251Ssam# If not set, automatic selection is used (Open System with LEAP enabled if 307189251Ssam# LEAP is allowed as one of the EAP methods). 308189251Ssam# 309189251Ssam# pairwise: list of accepted pairwise (unicast) ciphers for WPA 310189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 311189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 312189251Ssam# NONE = Use only Group Keys (deprecated, should not be included if APs support 313189251Ssam# pairwise keys) 314189251Ssam# If not set, this defaults to: CCMP TKIP 315189251Ssam# 316189251Ssam# group: list of accepted group (broadcast/multicast) ciphers for WPA 317189251Ssam# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 318189251Ssam# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 319189251Ssam# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 320189251Ssam# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 321189251Ssam# If not set, this defaults to: CCMP TKIP WEP104 WEP40 322189251Ssam# 323189251Ssam# psk: WPA preshared key; 256-bit pre-shared key 324189251Ssam# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 325189251Ssam# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 326189251Ssam# generated using the passphrase and SSID). ASCII passphrase must be between 327189251Ssam# 8 and 63 characters (inclusive). 328189251Ssam# This field is not needed, if WPA-EAP is used. 329189251Ssam# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 330189251Ssam# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 331189251Ssam# startup and reconfiguration time can be optimized by generating the PSK only 332189251Ssam# only when the passphrase or SSID has actually changed. 333189251Ssam# 334189251Ssam# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 335189251Ssam# Dynamic WEP key required for non-WPA mode 336189251Ssam# bit0 (1): require dynamically generated unicast WEP key 337189251Ssam# bit1 (2): require dynamically generated broadcast WEP key 338189251Ssam# (3 = require both keys; default) 339189251Ssam# Note: When using wired authentication, eapol_flags must be set to 0 for the 340189251Ssam# authentication to be completed successfully. 341189251Ssam# 342189251Ssam# mixed_cell: This option can be used to configure whether so called mixed 343189251Ssam# cells, i.e., networks that use both plaintext and encryption in the same 344189251Ssam# SSID, are allowed when selecting a BSS form scan results. 345189251Ssam# 0 = disabled (default) 346189251Ssam# 1 = enabled 347189251Ssam# 348189251Ssam# proactive_key_caching: 349189251Ssam# Enable/disable opportunistic PMKSA caching for WPA2. 350189251Ssam# 0 = disabled (default) 351189251Ssam# 1 = enabled 352189251Ssam# 353189251Ssam# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 354189251Ssam# hex without quotation, e.g., 0102030405) 355189251Ssam# wep_tx_keyidx: Default WEP key index (TX) (0..3) 356189251Ssam# 357189251Ssam# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 358189251Ssam# allowed. This is only used with RSN/WPA2. 359189251Ssam# 0 = disabled (default) 360189251Ssam# 1 = enabled 361189251Ssam#peerkey=1 362189251Ssam# 363189251Ssam# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 364189251Ssam# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 365189251Ssam# 366189251Ssam# Following fields are only used with internal EAP implementation. 367189251Ssam# eap: space-separated list of accepted EAP methods 368189251Ssam# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 369189251Ssam# cannot be used with WPA; to be used as a Phase 2 method 370189251Ssam# with EAP-PEAP or EAP-TTLS) 371189251Ssam# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 372189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 373189251Ssam# OTP = EAP-OTP (cannot be used separately with WPA; to be used 374189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 375189251Ssam# GTC = EAP-GTC (cannot be used separately with WPA; to be used 376189251Ssam# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 377189251Ssam# TLS = EAP-TLS (client and server certificate) 378189251Ssam# PEAP = EAP-PEAP (with tunnelled EAP authentication) 379189251Ssam# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 380189251Ssam# authentication) 381189251Ssam# If not set, all compiled in methods are allowed. 382189251Ssam# 383189251Ssam# identity: Identity string for EAP 384189251Ssam# This field is also used to configure user NAI for 385189251Ssam# EAP-PSK/PAX/SAKE/GPSK. 386189251Ssam# anonymous_identity: Anonymous identity string for EAP (to be used as the 387189251Ssam# unencrypted identity with EAP types that support different tunnelled 388189251Ssam# identity, e.g., EAP-TTLS) 389189251Ssam# password: Password string for EAP. This field can include either the 390189251Ssam# plaintext password (using ASCII or hex string) or a NtPasswordHash 391189251Ssam# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 392189251Ssam# NtPasswordHash can only be used when the password is for MSCHAPv2 or 393189251Ssam# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 394189251Ssam# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 395189251Ssam# PSK) is also configured using this field. For EAP-GPSK, this is a 396189251Ssam# variable length PSK. 397189251Ssam# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 398189251Ssam# or more trusted CA certificates. If ca_cert and ca_path are not 399189251Ssam# included, server certificate will not be verified. This is insecure and 400189251Ssam# a trusted CA certificate should always be configured when using 401189251Ssam# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 402189251Ssam# change when wpa_supplicant is run in the background. 403214734Srpaulo# 404214734Srpaulo# Alternatively, this can be used to only perform matching of the server 405214734Srpaulo# certificate (SHA-256 hash of the DER encoded X.509 certificate). In 406214734Srpaulo# this case, the possible CA certificates in the server certificate chain 407214734Srpaulo# are ignored and only the server certificate is verified. This is 408214734Srpaulo# configured with the following format: 409214734Srpaulo# hash:://server/sha256/cert_hash_in_hex 410214734Srpaulo# For example: "hash://server/sha256/ 411214734Srpaulo# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a" 412214734Srpaulo# 413189251Ssam# On Windows, trusted CA certificates can be loaded from the system 414189251Ssam# certificate store by setting this to cert_store://<name>, e.g., 415189251Ssam# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 416189251Ssam# Note that when running wpa_supplicant as an application, the user 417189251Ssam# certificate store (My user account) is used, whereas computer store 418189251Ssam# (Computer account) is used when running wpasvc as a service. 419189251Ssam# ca_path: Directory path for CA certificate files (PEM). This path may 420189251Ssam# contain multiple CA certificates in OpenSSL format. Common use for this 421189251Ssam# is to point to system trusted CA list which is often installed into 422189251Ssam# directory like /etc/ssl/certs. If configured, these certificates are 423189251Ssam# added to the list of trusted CAs. ca_cert may also be included in that 424189251Ssam# case, but it is not required. 425189251Ssam# client_cert: File path to client certificate file (PEM/DER) 426189251Ssam# Full path should be used since working directory may change when 427189251Ssam# wpa_supplicant is run in the background. 428189251Ssam# Alternatively, a named configuration blob can be used by setting this 429189251Ssam# to blob://<blob name>. 430189251Ssam# private_key: File path to client private key file (PEM/DER/PFX) 431189251Ssam# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 432189251Ssam# commented out. Both the private key and certificate will be read from 433189251Ssam# the PKCS#12 file in this case. Full path should be used since working 434189251Ssam# directory may change when wpa_supplicant is run in the background. 435189251Ssam# Windows certificate store can be used by leaving client_cert out and 436189251Ssam# configuring private_key in one of the following formats: 437189251Ssam# cert://substring_to_match 438189251Ssam# hash://certificate_thumbprint_in_hex 439189251Ssam# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 440189251Ssam# Note that when running wpa_supplicant as an application, the user 441189251Ssam# certificate store (My user account) is used, whereas computer store 442189251Ssam# (Computer account) is used when running wpasvc as a service. 443189251Ssam# Alternatively, a named configuration blob can be used by setting this 444189251Ssam# to blob://<blob name>. 445189251Ssam# private_key_passwd: Password for private key file (if left out, this will be 446189251Ssam# asked through control interface) 447189251Ssam# dh_file: File path to DH/DSA parameters file (in PEM format) 448189251Ssam# This is an optional configuration file for setting parameters for an 449189251Ssam# ephemeral DH key exchange. In most cases, the default RSA 450189251Ssam# authentication does not use this configuration. However, it is possible 451189251Ssam# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 452189251Ssam# DSA keys always use ephemeral DH keys. This can be used to achieve 453189251Ssam# forward secrecy. If the file is in DSA parameters format, it will be 454189251Ssam# automatically converted into DH params. 455189251Ssam# subject_match: Substring to be matched against the subject of the 456189251Ssam# authentication server certificate. If this string is set, the server 457189251Ssam# sertificate is only accepted if it contains this string in the subject. 458189251Ssam# The subject string is in following format: 459189251Ssam# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 460189251Ssam# altsubject_match: Semicolon separated string of entries to be matched against 461189251Ssam# the alternative subject name of the authentication server certificate. 462189251Ssam# If this string is set, the server sertificate is only accepted if it 463189251Ssam# contains one of the entries in an alternative subject name extension. 464189251Ssam# altSubjectName string is in following format: TYPE:VALUE 465189251Ssam# Example: EMAIL:server@example.com 466189251Ssam# Example: DNS:server.example.com;DNS:server2.example.com 467189251Ssam# Following types are supported: EMAIL, DNS, URI 468189251Ssam# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 469189251Ssam# (string with field-value pairs, e.g., "peapver=0" or 470189251Ssam# "peapver=1 peaplabel=1") 471189251Ssam# 'peapver' can be used to force which PEAP version (0 or 1) is used. 472189251Ssam# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 473189251Ssam# to be used during key derivation when PEAPv1 or newer. Most existing 474189251Ssam# PEAPv1 implementation seem to be using the old label, "client EAP 475189251Ssam# encryption", and wpa_supplicant is now using that as the default value. 476189251Ssam# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 477189251Ssam# interoperate with PEAPv1; see eap_testing.txt for more details. 478189251Ssam# 'peap_outer_success=0' can be used to terminate PEAP authentication on 479189251Ssam# tunneled EAP-Success. This is required with some RADIUS servers that 480189251Ssam# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 481189251Ssam# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 482189251Ssam# include_tls_length=1 can be used to force wpa_supplicant to include 483189251Ssam# TLS Message Length field in all TLS messages even if they are not 484189251Ssam# fragmented. 485189251Ssam# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 486189251Ssam# challenges (by default, it accepts 2 or 3) 487189251Ssam# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 488189251Ssam# protected result indication. 489189251Ssam# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 490189251Ssam# behavior: 491189251Ssam# * 0 = do not use cryptobinding (default) 492189251Ssam# * 1 = use cryptobinding if server supports it 493189251Ssam# * 2 = require cryptobinding 494189251Ssam# EAP-WSC (WPS) uses following options: pin=<Device Password> or 495189251Ssam# pbc=1. 496189251Ssam# phase2: Phase2 (inner authentication with TLS tunnel) parameters 497189251Ssam# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 498189251Ssam# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 499189251Ssam# Following certificate/private key fields are used in inner Phase2 500189251Ssam# authentication when using EAP-TTLS or EAP-PEAP. 501189251Ssam# ca_cert2: File path to CA certificate file. This file can have one or more 502189251Ssam# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 503189251Ssam# server certificate will not be verified. This is insecure and a trusted 504189251Ssam# CA certificate should always be configured. 505189251Ssam# ca_path2: Directory path for CA certificate files (PEM) 506189251Ssam# client_cert2: File path to client certificate file 507189251Ssam# private_key2: File path to client private key file 508189251Ssam# private_key2_passwd: Password for private key file 509189251Ssam# dh_file2: File path to DH/DSA parameters file (in PEM format) 510189251Ssam# subject_match2: Substring to be matched against the subject of the 511189251Ssam# authentication server certificate. 512189251Ssam# altsubject_match2: Substring to be matched against the alternative subject 513189251Ssam# name of the authentication server certificate. 514189251Ssam# 515189251Ssam# fragment_size: Maximum EAP fragment size in bytes (default 1398). 516189251Ssam# This value limits the fragment size for EAP methods that support 517189251Ssam# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 518189251Ssam# small enough to make the EAP messages fit in MTU of the network 519189251Ssam# interface used for EAPOL. The default value is suitable for most 520189251Ssam# cases. 521189251Ssam# 522189251Ssam# EAP-FAST variables: 523189251Ssam# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 524189251Ssam# to create this file and write updates to it when PAC is being 525189251Ssam# provisioned or refreshed. Full path to the file should be used since 526189251Ssam# working directory may change when wpa_supplicant is run in the 527189251Ssam# background. Alternatively, a named configuration blob can be used by 528189251Ssam# setting this to blob://<blob name> 529189251Ssam# phase1: fast_provisioning option can be used to enable in-line provisioning 530189251Ssam# of EAP-FAST credentials (PAC): 531189251Ssam# 0 = disabled, 532189251Ssam# 1 = allow unauthenticated provisioning, 533189251Ssam# 2 = allow authenticated provisioning, 534189251Ssam# 3 = allow both unauthenticated and authenticated provisioning 535189251Ssam# fast_max_pac_list_len=<num> option can be used to set the maximum 536189251Ssam# number of PAC entries to store in a PAC list (default: 10) 537189251Ssam# fast_pac_format=binary option can be used to select binary format for 538189251Ssam# storing PAC entries in order to save some space (the default 539189251Ssam# text format uses about 2.5 times the size of minimal binary 540189251Ssam# format) 541189251Ssam# 542189251Ssam# wpa_supplicant supports number of "EAP workarounds" to work around 543189251Ssam# interoperability issues with incorrectly behaving authentication servers. 544189251Ssam# These are enabled by default because some of the issues are present in large 545189251Ssam# number of authentication servers. Strict EAP conformance mode can be 546189251Ssam# configured by disabling workarounds with eap_workaround=0. 547189251Ssam 548189251Ssam# Example blocks: 549189251Ssam 550189251Ssam# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 551189251Ssamnetwork={ 552189251Ssam ssid="simple" 553189251Ssam psk="very secret passphrase" 554189251Ssam priority=5 555189251Ssam} 556189251Ssam 557189251Ssam# Same as previous, but request SSID-specific scanning (for APs that reject 558189251Ssam# broadcast SSID) 559189251Ssamnetwork={ 560189251Ssam ssid="second ssid" 561189251Ssam scan_ssid=1 562189251Ssam psk="very secret passphrase" 563189251Ssam priority=2 564189251Ssam} 565189251Ssam 566189251Ssam# Only WPA-PSK is used. Any valid cipher combination is accepted. 567189251Ssamnetwork={ 568189251Ssam ssid="example" 569189251Ssam proto=WPA 570189251Ssam key_mgmt=WPA-PSK 571189251Ssam pairwise=CCMP TKIP 572189251Ssam group=CCMP TKIP WEP104 WEP40 573189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 574189251Ssam priority=2 575189251Ssam} 576189251Ssam 577189251Ssam# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 578189251Ssamnetwork={ 579189251Ssam ssid="example" 580189251Ssam proto=WPA 581189251Ssam key_mgmt=WPA-PSK 582189251Ssam pairwise=TKIP 583189251Ssam group=TKIP 584189251Ssam psk="not so secure passphrase" 585189251Ssam wpa_ptk_rekey=600 586189251Ssam} 587189251Ssam 588189251Ssam# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 589189251Ssam# or WEP40 as the group cipher will not be accepted. 590189251Ssamnetwork={ 591189251Ssam ssid="example" 592189251Ssam proto=RSN 593189251Ssam key_mgmt=WPA-EAP 594189251Ssam pairwise=CCMP TKIP 595189251Ssam group=CCMP TKIP 596189251Ssam eap=TLS 597189251Ssam identity="user@example.com" 598189251Ssam ca_cert="/etc/cert/ca.pem" 599189251Ssam client_cert="/etc/cert/user.pem" 600189251Ssam private_key="/etc/cert/user.prv" 601189251Ssam private_key_passwd="password" 602189251Ssam priority=1 603189251Ssam} 604189251Ssam 605189251Ssam# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 606189251Ssam# (e.g., Radiator) 607189251Ssamnetwork={ 608189251Ssam ssid="example" 609189251Ssam key_mgmt=WPA-EAP 610189251Ssam eap=PEAP 611189251Ssam identity="user@example.com" 612189251Ssam password="foobar" 613189251Ssam ca_cert="/etc/cert/ca.pem" 614189251Ssam phase1="peaplabel=1" 615189251Ssam phase2="auth=MSCHAPV2" 616189251Ssam priority=10 617189251Ssam} 618189251Ssam 619189251Ssam# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 620189251Ssam# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 621189251Ssamnetwork={ 622189251Ssam ssid="example" 623189251Ssam key_mgmt=WPA-EAP 624189251Ssam eap=TTLS 625189251Ssam identity="user@example.com" 626189251Ssam anonymous_identity="anonymous@example.com" 627189251Ssam password="foobar" 628189251Ssam ca_cert="/etc/cert/ca.pem" 629189251Ssam priority=2 630189251Ssam} 631189251Ssam 632189251Ssam# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 633189251Ssam# use. Real identity is sent only within an encrypted TLS tunnel. 634189251Ssamnetwork={ 635189251Ssam ssid="example" 636189251Ssam key_mgmt=WPA-EAP 637189251Ssam eap=TTLS 638189251Ssam identity="user@example.com" 639189251Ssam anonymous_identity="anonymous@example.com" 640189251Ssam password="foobar" 641189251Ssam ca_cert="/etc/cert/ca.pem" 642189251Ssam phase2="auth=MSCHAPV2" 643189251Ssam} 644189251Ssam 645189251Ssam# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 646189251Ssam# authentication. 647189251Ssamnetwork={ 648189251Ssam ssid="example" 649189251Ssam key_mgmt=WPA-EAP 650189251Ssam eap=TTLS 651189251Ssam # Phase1 / outer authentication 652189251Ssam anonymous_identity="anonymous@example.com" 653189251Ssam ca_cert="/etc/cert/ca.pem" 654189251Ssam # Phase 2 / inner authentication 655189251Ssam phase2="autheap=TLS" 656189251Ssam ca_cert2="/etc/cert/ca2.pem" 657189251Ssam client_cert2="/etc/cer/user.pem" 658189251Ssam private_key2="/etc/cer/user.prv" 659189251Ssam private_key2_passwd="password" 660189251Ssam priority=2 661189251Ssam} 662189251Ssam 663189251Ssam# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 664189251Ssam# group cipher. 665189251Ssamnetwork={ 666189251Ssam ssid="example" 667189251Ssam bssid=00:11:22:33:44:55 668189251Ssam proto=WPA RSN 669189251Ssam key_mgmt=WPA-PSK WPA-EAP 670189251Ssam pairwise=CCMP 671189251Ssam group=CCMP 672189251Ssam psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 673189251Ssam} 674189251Ssam 675189251Ssam# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 676189251Ssam# and all valid ciphers. 677189251Ssamnetwork={ 678189251Ssam ssid=00010203 679189251Ssam psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 680189251Ssam} 681189251Ssam 682189251Ssam 683189251Ssam# EAP-SIM with a GSM SIM or USIM 684189251Ssamnetwork={ 685189251Ssam ssid="eap-sim-test" 686189251Ssam key_mgmt=WPA-EAP 687189251Ssam eap=SIM 688189251Ssam pin="1234" 689189251Ssam pcsc="" 690189251Ssam} 691189251Ssam 692189251Ssam 693189251Ssam# EAP-PSK 694189251Ssamnetwork={ 695189251Ssam ssid="eap-psk-test" 696189251Ssam key_mgmt=WPA-EAP 697189251Ssam eap=PSK 698189251Ssam anonymous_identity="eap_psk_user" 699189251Ssam password=06b4be19da289f475aa46a33cb793029 700189251Ssam identity="eap_psk_user@example.com" 701189251Ssam} 702189251Ssam 703189251Ssam 704189251Ssam# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 705189251Ssam# EAP-TLS for authentication and key generation; require both unicast and 706189251Ssam# broadcast WEP keys. 707189251Ssamnetwork={ 708189251Ssam ssid="1x-test" 709189251Ssam key_mgmt=IEEE8021X 710189251Ssam eap=TLS 711189251Ssam identity="user@example.com" 712189251Ssam ca_cert="/etc/cert/ca.pem" 713189251Ssam client_cert="/etc/cert/user.pem" 714189251Ssam private_key="/etc/cert/user.prv" 715189251Ssam private_key_passwd="password" 716189251Ssam eapol_flags=3 717189251Ssam} 718189251Ssam 719189251Ssam 720189251Ssam# LEAP with dynamic WEP keys 721189251Ssamnetwork={ 722189251Ssam ssid="leap-example" 723189251Ssam key_mgmt=IEEE8021X 724189251Ssam eap=LEAP 725189251Ssam identity="user" 726189251Ssam password="foobar" 727189251Ssam} 728189251Ssam 729189251Ssam# EAP-IKEv2 using shared secrets for both server and peer authentication 730189251Ssamnetwork={ 731189251Ssam ssid="ikev2-example" 732189251Ssam key_mgmt=WPA-EAP 733189251Ssam eap=IKEV2 734189251Ssam identity="user" 735189251Ssam password="foobar" 736189251Ssam} 737189251Ssam 738189251Ssam# EAP-FAST with WPA (WPA or WPA2) 739189251Ssamnetwork={ 740189251Ssam ssid="eap-fast-test" 741189251Ssam key_mgmt=WPA-EAP 742189251Ssam eap=FAST 743189251Ssam anonymous_identity="FAST-000102030405" 744189251Ssam identity="username" 745189251Ssam password="password" 746189251Ssam phase1="fast_provisioning=1" 747189251Ssam pac_file="/etc/wpa_supplicant.eap-fast-pac" 748189251Ssam} 749189251Ssam 750189251Ssamnetwork={ 751189251Ssam ssid="eap-fast-test" 752189251Ssam key_mgmt=WPA-EAP 753189251Ssam eap=FAST 754189251Ssam anonymous_identity="FAST-000102030405" 755189251Ssam identity="username" 756189251Ssam password="password" 757189251Ssam phase1="fast_provisioning=1" 758189251Ssam pac_file="blob://eap-fast-pac" 759189251Ssam} 760189251Ssam 761189251Ssam# Plaintext connection (no WPA, no IEEE 802.1X) 762189251Ssamnetwork={ 763189251Ssam ssid="plaintext-test" 764189251Ssam key_mgmt=NONE 765189251Ssam} 766189251Ssam 767189251Ssam 768189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) 769189251Ssamnetwork={ 770189251Ssam ssid="static-wep-test" 771189251Ssam key_mgmt=NONE 772189251Ssam wep_key0="abcde" 773189251Ssam wep_key1=0102030405 774189251Ssam wep_key2="1234567890123" 775189251Ssam wep_tx_keyidx=0 776189251Ssam priority=5 777189251Ssam} 778189251Ssam 779189251Ssam 780189251Ssam# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 781189251Ssam# IEEE 802.11 authentication 782189251Ssamnetwork={ 783189251Ssam ssid="static-wep-test2" 784189251Ssam key_mgmt=NONE 785189251Ssam wep_key0="abcde" 786189251Ssam wep_key1=0102030405 787189251Ssam wep_key2="1234567890123" 788189251Ssam wep_tx_keyidx=0 789189251Ssam priority=5 790189251Ssam auth_alg=SHARED 791189251Ssam} 792189251Ssam 793189251Ssam 794189251Ssam# IBSS/ad-hoc network with WPA-None/TKIP. 795189251Ssamnetwork={ 796189251Ssam ssid="test adhoc" 797189251Ssam mode=1 798189251Ssam frequency=2412 799189251Ssam proto=WPA 800189251Ssam key_mgmt=WPA-NONE 801189251Ssam pairwise=NONE 802189251Ssam group=TKIP 803189251Ssam psk="secret passphrase" 804189251Ssam} 805189251Ssam 806189251Ssam 807189251Ssam# Catch all example that allows more or less all configuration modes 808189251Ssamnetwork={ 809189251Ssam ssid="example" 810189251Ssam scan_ssid=1 811189251Ssam key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 812189251Ssam pairwise=CCMP TKIP 813189251Ssam group=CCMP TKIP WEP104 WEP40 814189251Ssam psk="very secret passphrase" 815189251Ssam eap=TTLS PEAP TLS 816189251Ssam identity="user@example.com" 817189251Ssam password="foobar" 818189251Ssam ca_cert="/etc/cert/ca.pem" 819189251Ssam client_cert="/etc/cert/user.pem" 820189251Ssam private_key="/etc/cert/user.prv" 821189251Ssam private_key_passwd="password" 822189251Ssam phase1="peaplabel=0" 823189251Ssam} 824189251Ssam 825189251Ssam# Example of EAP-TLS with smartcard (openssl engine) 826189251Ssamnetwork={ 827189251Ssam ssid="example" 828189251Ssam key_mgmt=WPA-EAP 829189251Ssam eap=TLS 830189251Ssam proto=RSN 831189251Ssam pairwise=CCMP TKIP 832189251Ssam group=CCMP TKIP 833189251Ssam identity="user@example.com" 834189251Ssam ca_cert="/etc/cert/ca.pem" 835189251Ssam client_cert="/etc/cert/user.pem" 836189251Ssam 837189251Ssam engine=1 838189251Ssam 839189251Ssam # The engine configured here must be available. Look at 840189251Ssam # OpenSSL engine support in the global section. 841189251Ssam # The key available through the engine must be the private key 842189251Ssam # matching the client certificate configured above. 843189251Ssam 844189251Ssam # use the opensc engine 845189251Ssam #engine_id="opensc" 846189251Ssam #key_id="45" 847189251Ssam 848189251Ssam # use the pkcs11 engine 849189251Ssam engine_id="pkcs11" 850189251Ssam key_id="id_45" 851189251Ssam 852189251Ssam # Optional PIN configuration; this can be left out and PIN will be 853189251Ssam # asked through the control interface 854189251Ssam pin="1234" 855189251Ssam} 856189251Ssam 857189251Ssam# Example configuration showing how to use an inlined blob as a CA certificate 858189251Ssam# data instead of using external file 859189251Ssamnetwork={ 860189251Ssam ssid="example" 861189251Ssam key_mgmt=WPA-EAP 862189251Ssam eap=TTLS 863189251Ssam identity="user@example.com" 864189251Ssam anonymous_identity="anonymous@example.com" 865189251Ssam password="foobar" 866189251Ssam ca_cert="blob://exampleblob" 867189251Ssam priority=20 868189251Ssam} 869189251Ssam 870189251Ssamblob-base64-exampleblob={ 871189251SsamSGVsbG8gV29ybGQhCg== 872189251Ssam} 873189251Ssam 874189251Ssam 875189251Ssam# Wildcard match for SSID (plaintext APs only). This example select any 876189251Ssam# open AP regardless of its SSID. 877189251Ssamnetwork={ 878189251Ssam key_mgmt=NONE 879189251Ssam} 880