All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
$FreeBSD: head/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 147020 2005-06-05 21:18:53Z sam $
.Dd June 3, 2005 .Dt WPA_SUPPLICANT.CONF 5 .Os .Sh NAME .Nm wpa_supplicant.conf .Nd "configuration file for wpa_supplicant utility" .Sh DESCRIPTION The .Xr wpa_supplicant 1 program is an implementation of the WPA Supplicant component, i.e., the part that runs in the client stations. .Nm wpa_supplicant implements WPA key negotiation with a WPA Authenticator and EAP authentication with Authentication Server using configuration information stored in a text file.
p The configuration file consists of one or more network blocks, e.g. one for each used SSID. .Nm wpa_supplicant will automatically select the best network based on the order of the network blocks in the configuration file, network security level (WPA/WPA2 is preferred), and signal strength. .Sh CERTIFICATES
p Some EAP authentication methods require use of certificates. EAP-TLS uses both server- and client-side certificates, whereas EAP-PEAP and EAP-TTLS only require a server-side certificate. When a client certificate is used, a matching private key file must also be included in configuration. If the private key uses a passphrase, this has to be configured in the wpa_supplicant.conf file as "private_key_passwd".
p .Nm wpa_supplicant supports X.509 certificates in PEM and DER formats. User certificate and private key can be included in the same file.
p If the user certificate and private key is received in PKCS#12/PFX format, they need to be converted to suitable PEM/DER format for use by .Nm wpa_supplicant. This can be done using the .Xr openssl 1 program, e.g. with following commands: d -literal # convert client certificate and private key to PEM format openssl pkcs12 -in example.pfx -out user.pem -clcerts # convert CA certificate (if included in PFX file) to PEM format openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys e .Sh EXAMPLES
p WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS as a work network: d -literal # allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel # # home network; allow all valid ciphers network={ ssid="home" scan_ssid=1 key_mgmt=WPA-PSK psk="very secret passphrase" } # # work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers network={ ssid="work" scan_ssid=1 key_mgmt=WPA-EAP pairwise=CCMP TKIP group=CCMP TKIP eap=TLS identity="user@example.com" ca_cert="/etc/cert/ca.pem" client_cert="/etc/cert/user.pem" private_key="/etc/cert/user.prv" private_key_passwd="password" } .Ed
p WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series): d -literal ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP eap=PEAP identity="user@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase1="peaplabel=0" phase2="auth=MSCHAPV2" } .Ed
p EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the unencrypted use. Real identity is sent only within an encrypted TLS tunnel. d -literal ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="example" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS identity="user@example.com" anonymous_identity="anonymous@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase2="auth=MD5" } .Ed .Sh SEE ALSO .Xr wpa_supplicant 1 .Sh HISTORY The .Nm manual page and .Nm wpa_supplicant functionality first appeared in .Fx 6.0 . .Sh AUTHORS This manual page is derived from the README file in the .Nm wpa_supplicant distribution provided by .An Jouni Malinen Aq jkmaline@cc.hut.fi .