wpa_supplicant.conf 48 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233
  1. ##### Example wpa_supplicant configuration file ###############################
  2. #
  3. # This file describes configuration file format and lists all available option.
  4. # Please also take a look at simpler configuration examples in 'examples'
  5. # subdirectory.
  6. #
  7. # Empty lines and lines starting with # are ignored
  8. # NOTE! This file may contain password information and should probably be made
  9. # readable only by root user on multiuser systems.
  10. # Note: All file paths in this configuration file should use full (absolute,
  11. # not relative to working directory) path in order to allow working directory
  12. # to be changed. This can happen if wpa_supplicant is run in the background.
  13. # Whether to allow wpa_supplicant to update (overwrite) configuration
  14. #
  15. # This option can be used to allow wpa_supplicant to overwrite configuration
  16. # file whenever configuration is changed (e.g., new network block is added with
  17. # wpa_cli or wpa_gui, or a password is changed). This is required for
  18. # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
  19. # Please note that overwriting configuration file will remove the comments from
  20. # it.
  21. #update_config=1
  22. # global configuration (shared by all network blocks)
  23. #
  24. # Parameters for the control interface. If this is specified, wpa_supplicant
  25. # will open a control interface that is available for external programs to
  26. # manage wpa_supplicant. The meaning of this string depends on which control
  27. # interface mechanism is used. For all cases, the existence of this parameter
  28. # in configuration is used to determine whether the control interface is
  29. # enabled.
  30. #
  31. # For UNIX domain sockets (default on Linux and BSD): This is a directory that
  32. # will be created for UNIX domain sockets for listening to requests from
  33. # external programs (CLI/GUI, etc.) for status information and configuration.
  34. # The socket file will be named based on the interface name, so multiple
  35. # wpa_supplicant processes can be run at the same time if more than one
  36. # interface is used.
  37. # /var/run/wpa_supplicant is the recommended directory for sockets and by
  38. # default, wpa_cli will use it when trying to connect with wpa_supplicant.
  39. #
  40. # Access control for the control interface can be configured by setting the
  41. # directory to allow only members of a group to use sockets. This way, it is
  42. # possible to run wpa_supplicant as root (since it needs to change network
  43. # configuration and open raw sockets) and still allow GUI/CLI components to be
  44. # run as non-root users. However, since the control interface can be used to
  45. # change the network configuration, this access needs to be protected in many
  46. # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
  47. # want to allow non-root users to use the control interface, add a new group
  48. # and change this value to match with that group. Add users that should have
  49. # control interface access to this group. If this variable is commented out or
  50. # not included in the configuration file, group will not be changed from the
  51. # value it got by default when the directory or socket was created.
  52. #
  53. # When configuring both the directory and group, use following format:
  54. # DIR=/var/run/wpa_supplicant GROUP=wheel
  55. # DIR=/var/run/wpa_supplicant GROUP=0
  56. # (group can be either group name or gid)
  57. #
  58. # For UDP connections (default on Windows): The value will be ignored. This
  59. # variable is just used to select that the control interface is to be created.
  60. # The value can be set to, e.g., udp (ctrl_interface=udp)
  61. #
  62. # For Windows Named Pipe: This value can be used to set the security descriptor
  63. # for controlling access to the control interface. Security descriptor can be
  64. # set using Security Descriptor String Format (see http://msdn.microsoft.com/
  65. # library/default.asp?url=/library/en-us/secauthz/security/
  66. # security_descriptor_string_format.asp). The descriptor string needs to be
  67. # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
  68. # DACL (which will reject all connections). See README-Windows.txt for more
  69. # information about SDDL string format.
  70. #
  71. ctrl_interface=/var/run/wpa_supplicant
  72. # IEEE 802.1X/EAPOL version
  73. # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
  74. # EAPOL version 2. However, there are many APs that do not handle the new
  75. # version number correctly (they seem to drop the frames completely). In order
  76. # to make wpa_supplicant interoperate with these APs, the version number is set
  77. # to 1 by default. This configuration value can be used to set it to the new
  78. # version (2).
  79. eapol_version=1
  80. # AP scanning/selection
  81. # By default, wpa_supplicant requests driver to perform AP scanning and then
  82. # uses the scan results to select a suitable AP. Another alternative is to
  83. # allow the driver to take care of AP scanning and selection and use
  84. # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
  85. # information from the driver.
  86. # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
  87. # the currently enabled networks are found, a new network (IBSS or AP mode
  88. # operation) may be initialized (if configured) (default)
  89. # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
  90. # parameters (e.g., WPA IE generation); this mode can also be used with
  91. # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
  92. # APs (i.e., external program needs to control association). This mode must
  93. # also be used when using wired Ethernet drivers.
  94. # 2: like 0, but associate with APs using security policy and SSID (but not
  95. # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
  96. # enable operation with hidden SSIDs and optimized roaming; in this mode,
  97. # the network blocks in the configuration file are tried one by one until
  98. # the driver reports successful association; each network block should have
  99. # explicit security policy (i.e., only one option in the lists) for
  100. # key_mgmt, pairwise, group, proto variables
  101. # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
  102. # created immediately regardless of scan results. ap_scan=1 mode will first try
  103. # to scan for existing networks and only if no matches with the enabled
  104. # networks are found, a new IBSS or AP mode network is created.
  105. ap_scan=1
  106. # EAP fast re-authentication
  107. # By default, fast re-authentication is enabled for all EAP methods that
  108. # support it. This variable can be used to disable fast re-authentication.
  109. # Normally, there is no need to disable this.
  110. fast_reauth=1
  111. # OpenSSL Engine support
  112. # These options can be used to load OpenSSL engines.
  113. # The two engines that are supported currently are shown below:
  114. # They are both from the opensc project (http://www.opensc.org/)
  115. # By default no engines are loaded.
  116. # make the opensc engine available
  117. #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
  118. # make the pkcs11 engine available
  119. #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
  120. # configure the path to the pkcs11 module required by the pkcs11 engine
  121. #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
  122. # Dynamic EAP methods
  123. # If EAP methods were built dynamically as shared object files, they need to be
  124. # loaded here before being used in the network blocks. By default, EAP methods
  125. # are included statically in the build, so these lines are not needed
  126. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
  127. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
  128. # Driver interface parameters
  129. # This field can be used to configure arbitrary driver interace parameters. The
  130. # format is specific to the selected driver interface. This field is not used
  131. # in most cases.
  132. #driver_param="field=value"
  133. # Country code
  134. # The ISO/IEC alpha2 country code for the country in which this device is
  135. # currently operating.
  136. #country=US
  137. # Maximum lifetime for PMKSA in seconds; default 43200
  138. #dot11RSNAConfigPMKLifetime=43200
  139. # Threshold for reauthentication (percentage of PMK lifetime); default 70
  140. #dot11RSNAConfigPMKReauthThreshold=70
  141. # Timeout for security association negotiation in seconds; default 60
  142. #dot11RSNAConfigSATimeout=60
  143. # Wi-Fi Protected Setup (WPS) parameters
  144. # Universally Unique IDentifier (UUID; see RFC 4122) of the device
  145. # If not configured, UUID will be generated based on the local MAC address.
  146. #uuid=12345678-9abc-def0-1234-56789abcdef0
  147. # Device Name
  148. # User-friendly description of device; up to 32 octets encoded in UTF-8
  149. #device_name=Wireless Client
  150. # Manufacturer
  151. # The manufacturer of the device (up to 64 ASCII characters)
  152. #manufacturer=Company
  153. # Model Name
  154. # Model of the device (up to 32 ASCII characters)
  155. #model_name=cmodel
  156. # Model Number
  157. # Additional device description (up to 32 ASCII characters)
  158. #model_number=123
  159. # Serial Number
  160. # Serial number of the device (up to 32 characters)
  161. #serial_number=12345
  162. # Primary Device Type
  163. # Used format: <categ>-<OUI>-<subcateg>
  164. # categ = Category as an integer value
  165. # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
  166. # default WPS OUI
  167. # subcateg = OUI-specific Sub Category as an integer value
  168. # Examples:
  169. # 1-0050F204-1 (Computer / PC)
  170. # 1-0050F204-2 (Computer / Server)
  171. # 5-0050F204-1 (Storage / NAS)
  172. # 6-0050F204-1 (Network Infrastructure / AP)
  173. #device_type=1-0050F204-1
  174. # OS Version
  175. # 4-octet operating system version number (hex string)
  176. #os_version=01020300
  177. # Config Methods
  178. # List of the supported configuration methods
  179. # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
  180. # nfc_interface push_button keypad virtual_display physical_display
  181. # virtual_push_button physical_push_button
  182. # For WSC 1.0:
  183. #config_methods=label display push_button keypad
  184. # For WSC 2.0:
  185. #config_methods=label virtual_display virtual_push_button keypad
  186. # Credential processing
  187. # 0 = process received credentials internally (default)
  188. # 1 = do not process received credentials; just pass them over ctrl_iface to
  189. # external program(s)
  190. # 2 = process received credentials internally and pass them over ctrl_iface
  191. # to external program(s)
  192. #wps_cred_processing=0
  193. # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
  194. # The vendor attribute contents to be added in M1 (hex string)
  195. #wps_vendor_ext_m1=000137100100020001
  196. # NFC password token for WPS
  197. # These parameters can be used to configure a fixed NFC password token for the
  198. # station. This can be generated, e.g., with nfc_pw_token. When these
  199. # parameters are used, the station is assumed to be deployed with a NFC tag
  200. # that includes the matching NFC password token (e.g., written based on the
  201. # NDEF record from nfc_pw_token).
  202. #
  203. #wps_nfc_dev_pw_id: Device Password ID (16..65535)
  204. #wps_nfc_dh_pubkey: Hexdump of DH Public Key
  205. #wps_nfc_dh_privkey: Hexdump of DH Private Key
  206. #wps_nfc_dev_pw: Hexdump of Device Password
  207. # Maximum number of BSS entries to keep in memory
  208. # Default: 200
  209. # This can be used to limit memory use on the BSS entries (cached scan
  210. # results). A larger value may be needed in environments that have huge number
  211. # of APs when using ap_scan=1 mode.
  212. #bss_max_count=200
  213. # Automatic scan
  214. # This is an optional set of parameters for automatic scanning
  215. # within an interface in following format:
  216. #autoscan=<autoscan module name>:<module parameters>
  217. # autoscan is like bgscan but on disconnected or inactive state.
  218. # For instance, on exponential module parameters would be <base>:<limit>
  219. #autoscan=exponential:3:300
  220. # Which means a delay between scans on a base exponential of 3,
  221. # up to the limit of 300 seconds (3, 9, 27 ... 300)
  222. # For periodic module, parameters would be <fixed interval>
  223. #autoscan=periodic:30
  224. # So a delay of 30 seconds will be applied between each scan
  225. # filter_ssids - SSID-based scan result filtering
  226. # 0 = do not filter scan results (default)
  227. # 1 = only include configured SSIDs in scan results/BSS table
  228. #filter_ssids=0
  229. # Password (and passphrase, etc.) backend for external storage
  230. # format: <backend name>[:<optional backend parameters>]
  231. #ext_password_backend=test:pw1=password|pw2=testing
  232. # Timeout in seconds to detect STA inactivity (default: 300 seconds)
  233. #
  234. # This timeout value is used in P2P GO mode to clean up
  235. # inactive stations.
  236. #p2p_go_max_inactivity=300
  237. # Opportunistic Key Caching (also known as Proactive Key Caching) default
  238. # This parameter can be used to set the default behavior for the
  239. # proactive_key_caching parameter. By default, OKC is disabled unless enabled
  240. # with the global okc=1 parameter or with the per-network
  241. # proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
  242. # can be disabled with per-network proactive_key_caching=0 parameter.
  243. #okc=0
  244. # Protected Management Frames default
  245. # This parameter can be used to set the default behavior for the ieee80211w
  246. # parameter. By default, PMF is disabled unless enabled with the global pmf=1/2
  247. # parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF
  248. # is enabled/required by default, but can be disabled with the per-network
  249. # ieee80211w parameter.
  250. #pmf=0
  251. # Enabled SAE finite cyclic groups in preference order
  252. # By default (if this parameter is not set), the mandatory group 19 (ECC group
  253. # defined over a 256-bit prime order field) is preferred, but other groups are
  254. # also enabled. If this parameter is set, the groups will be tried in the
  255. # indicated order. The group values are listed in the IANA registry:
  256. # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
  257. #sae_groups=21 20 19 26 25
  258. # Default value for DTIM period (if not overridden in network block)
  259. #dtim_period=2
  260. # Default value for Beacon interval (if not overridden in network block)
  261. #beacon_int=100
  262. # Additional vendor specific elements for Beacon and Probe Response frames
  263. # This parameter can be used to add additional vendor specific element(s) into
  264. # the end of the Beacon and Probe Response frames. The format for these
  265. # element(s) is a hexdump of the raw information elements (id+len+payload for
  266. # one or more elements). This is used in AP and P2P GO modes.
  267. #ap_vendor_elements=dd0411223301
  268. # Ignore scan results older than request
  269. #
  270. # The driver may have a cache of scan results that makes it return
  271. # information that is older than our scan trigger. This parameter can
  272. # be used to configure such old information to be ignored instead of
  273. # allowing it to update the internal BSS table.
  274. #ignore_old_scan_res=0
  275. # Interworking (IEEE 802.11u)
  276. # Enable Interworking
  277. # interworking=1
  278. # Homogenous ESS identifier
  279. # If this is set, scans will be used to request response only from BSSes
  280. # belonging to the specified Homogeneous ESS. This is used only if interworking
  281. # is enabled.
  282. # hessid=00:11:22:33:44:55
  283. # Automatic network selection behavior
  284. # 0 = do not automatically go through Interworking network selection
  285. # (i.e., require explicit interworking_select command for this; default)
  286. # 1 = perform Interworking network selection if one or more
  287. # credentials have been configured and scan did not find a
  288. # matching network block
  289. #auto_interworking=0
  290. # credential block
  291. #
  292. # Each credential used for automatic network selection is configured as a set
  293. # of parameters that are compared to the information advertised by the APs when
  294. # interworking_select and interworking_connect commands are used.
  295. #
  296. # credential fields:
  297. #
  298. # priority: Priority group
  299. # By default, all networks and credentials get the same priority group
  300. # (0). This field can be used to give higher priority for credentials
  301. # (and similarly in struct wpa_ssid for network blocks) to change the
  302. # Interworking automatic networking selection behavior. The matching
  303. # network (based on either an enabled network block or a credential)
  304. # with the highest priority value will be selected.
  305. #
  306. # pcsc: Use PC/SC and SIM/USIM card
  307. #
  308. # realm: Home Realm for Interworking
  309. #
  310. # username: Username for Interworking network selection
  311. #
  312. # password: Password for Interworking network selection
  313. #
  314. # ca_cert: CA certificate for Interworking network selection
  315. #
  316. # client_cert: File path to client certificate file (PEM/DER)
  317. # This field is used with Interworking networking selection for a case
  318. # where client certificate/private key is used for authentication
  319. # (EAP-TLS). Full path to the file should be used since working
  320. # directory may change when wpa_supplicant is run in the background.
  321. #
  322. # Alternatively, a named configuration blob can be used by setting
  323. # this to blob://blob_name.
  324. #
  325. # private_key: File path to client private key file (PEM/DER/PFX)
  326. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  327. # commented out. Both the private key and certificate will be read
  328. # from the PKCS#12 file in this case. Full path to the file should be
  329. # used since working directory may change when wpa_supplicant is run
  330. # in the background.
  331. #
  332. # Windows certificate store can be used by leaving client_cert out and
  333. # configuring private_key in one of the following formats:
  334. #
  335. # cert://substring_to_match
  336. #
  337. # hash://certificate_thumbprint_in_hex
  338. #
  339. # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  340. #
  341. # Note that when running wpa_supplicant as an application, the user
  342. # certificate store (My user account) is used, whereas computer store
  343. # (Computer account) is used when running wpasvc as a service.
  344. #
  345. # Alternatively, a named configuration blob can be used by setting
  346. # this to blob://blob_name.
  347. #
  348. # private_key_passwd: Password for private key file
  349. #
  350. # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
  351. #
  352. # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
  353. # format
  354. #
  355. # domain: Home service provider FQDN
  356. # This is used to compare against the Domain Name List to figure out
  357. # whether the AP is operated by the Home SP.
  358. #
  359. # roaming_consortium: Roaming Consortium OI
  360. # If roaming_consortium_len is non-zero, this field contains the
  361. # Roaming Consortium OI that can be used to determine which access
  362. # points support authentication with this credential. This is an
  363. # alternative to the use of the realm parameter. When using Roaming
  364. # Consortium to match the network, the EAP parameters need to be
  365. # pre-configured with the credential since the NAI Realm information
  366. # may not be available or fetched.
  367. #
  368. # eap: Pre-configured EAP method
  369. # This optional field can be used to specify which EAP method will be
  370. # used with this credential. If not set, the EAP method is selected
  371. # automatically based on ANQP information (e.g., NAI Realm).
  372. #
  373. # phase1: Pre-configure Phase 1 (outer authentication) parameters
  374. # This optional field is used with like the 'eap' parameter.
  375. #
  376. # phase2: Pre-configure Phase 2 (inner authentication) parameters
  377. # This optional field is used with like the 'eap' parameter.
  378. #
  379. # excluded_ssid: Excluded SSID
  380. # This optional field can be used to excluded specific SSID(s) from
  381. # matching with the network. Multiple entries can be used to specify more
  382. # than one SSID.
  383. #
  384. # for example:
  385. #
  386. #cred={
  387. # realm="example.com"
  388. # username="user@example.com"
  389. # password="password"
  390. # ca_cert="/etc/wpa_supplicant/ca.pem"
  391. # domain="example.com"
  392. #}
  393. #
  394. #cred={
  395. # imsi="310026-000000000"
  396. # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
  397. #}
  398. #
  399. #cred={
  400. # realm="example.com"
  401. # username="user"
  402. # password="password"
  403. # ca_cert="/etc/wpa_supplicant/ca.pem"
  404. # domain="example.com"
  405. # roaming_consortium=223344
  406. # eap=TTLS
  407. # phase2="auth=MSCHAPV2"
  408. #}
  409. # Hotspot 2.0
  410. # hs20=1
  411. # network block
  412. #
  413. # Each network (usually AP's sharing the same SSID) is configured as a separate
  414. # block in this configuration file. The network blocks are in preference order
  415. # (the first match is used).
  416. #
  417. # network block fields:
  418. #
  419. # disabled:
  420. # 0 = this network can be used (default)
  421. # 1 = this network block is disabled (can be enabled through ctrl_iface,
  422. # e.g., with wpa_cli or wpa_gui)
  423. #
  424. # id_str: Network identifier string for external scripts. This value is passed
  425. # to external action script through wpa_cli as WPA_ID_STR environment
  426. # variable to make it easier to do network specific configuration.
  427. #
  428. # ssid: SSID (mandatory); network name in one of the optional formats:
  429. # - an ASCII string with double quotation
  430. # - a hex string (two characters per octet of SSID)
  431. # - a printf-escaped ASCII string P"<escaped string>"
  432. #
  433. # scan_ssid:
  434. # 0 = do not scan this SSID with specific Probe Request frames (default)
  435. # 1 = scan with SSID-specific Probe Request frames (this can be used to
  436. # find APs that do not accept broadcast SSID or use multiple SSIDs;
  437. # this will add latency to scanning, so enable this only when needed)
  438. #
  439. # bssid: BSSID (optional); if set, this network block is used only when
  440. # associating with the AP using the configured BSSID
  441. #
  442. # priority: priority group (integer)
  443. # By default, all networks will get same priority group (0). If some of the
  444. # networks are more desirable, this field can be used to change the order in
  445. # which wpa_supplicant goes through the networks when selecting a BSS. The
  446. # priority groups will be iterated in decreasing priority (i.e., the larger the
  447. # priority value, the sooner the network is matched against the scan results).
  448. # Within each priority group, networks will be selected based on security
  449. # policy, signal strength, etc.
  450. # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
  451. # using this priority to select the order for scanning. Instead, they try the
  452. # networks in the order that used in the configuration file.
  453. #
  454. # mode: IEEE 802.11 operation mode
  455. # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
  456. # 1 = IBSS (ad-hoc, peer-to-peer)
  457. # 2 = AP (access point)
  458. # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
  459. # and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires
  460. # following network block options:
  461. # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
  462. # both), and psk must also be set.
  463. #
  464. # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
  465. # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
  466. # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
  467. # In addition, this value is only used by the station that creates the IBSS. If
  468. # an IBSS network with the configured SSID is already present, the frequency of
  469. # the network will be used instead of this configured value.
  470. #
  471. # scan_freq: List of frequencies to scan
  472. # Space-separated list of frequencies in MHz to scan when searching for this
  473. # BSS. If the subset of channels used by the network is known, this option can
  474. # be used to optimize scanning to not occur on channels that the network does
  475. # not use. Example: scan_freq=2412 2437 2462
  476. #
  477. # freq_list: Array of allowed frequencies
  478. # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
  479. # set, scan results that do not match any of the specified frequencies are not
  480. # considered when selecting a BSS.
  481. #
  482. # bgscan: Background scanning
  483. # wpa_supplicant behavior for background scanning can be specified by
  484. # configuring a bgscan module. These modules are responsible for requesting
  485. # background scans for the purpose of roaming within an ESS (i.e., within a
  486. # single network block with all the APs using the same SSID). The bgscan
  487. # parameter uses following format: "<bgscan module name>:<module parameters>"
  488. # Following bgscan modules are available:
  489. # simple - Periodic background scans based on signal strength
  490. # bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
  491. # <long interval>"
  492. # bgscan="simple:30:-45:300"
  493. # learn - Learn channels used by the network and try to avoid bgscans on other
  494. # channels (experimental)
  495. # bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
  496. # <long interval>[:<database file name>]"
  497. # bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
  498. #
  499. # proto: list of accepted protocols
  500. # WPA = WPA/IEEE 802.11i/D3.0
  501. # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
  502. # If not set, this defaults to: WPA RSN
  503. #
  504. # key_mgmt: list of accepted authenticated key management protocols
  505. # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
  506. # WPA-EAP = WPA using EAP authentication
  507. # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
  508. # generated WEP keys
  509. # NONE = WPA is not used; plaintext or static WEP could be used
  510. # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
  511. # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
  512. # If not set, this defaults to: WPA-PSK WPA-EAP
  513. #
  514. # ieee80211w: whether management frame protection is enabled
  515. # 0 = disabled (default unless changed with the global pmf parameter)
  516. # 1 = optional
  517. # 2 = required
  518. # The most common configuration options for this based on the PMF (protected
  519. # management frames) certification program are:
  520. # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
  521. # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
  522. # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
  523. #
  524. # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  525. # OPEN = Open System authentication (required for WPA/WPA2)
  526. # SHARED = Shared Key authentication (requires static WEP keys)
  527. # LEAP = LEAP/Network EAP (only used with LEAP)
  528. # If not set, automatic selection is used (Open System with LEAP enabled if
  529. # LEAP is allowed as one of the EAP methods).
  530. #
  531. # pairwise: list of accepted pairwise (unicast) ciphers for WPA
  532. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  533. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  534. # NONE = Use only Group Keys (deprecated, should not be included if APs support
  535. # pairwise keys)
  536. # If not set, this defaults to: CCMP TKIP
  537. #
  538. # group: list of accepted group (broadcast/multicast) ciphers for WPA
  539. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  540. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  541. # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
  542. # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
  543. # If not set, this defaults to: CCMP TKIP WEP104 WEP40
  544. #
  545. # psk: WPA preshared key; 256-bit pre-shared key
  546. # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
  547. # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
  548. # generated using the passphrase and SSID). ASCII passphrase must be between
  549. # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
  550. # be used to indicate that the PSK/passphrase is stored in external storage.
  551. # This field is not needed, if WPA-EAP is used.
  552. # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
  553. # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
  554. # startup and reconfiguration time can be optimized by generating the PSK only
  555. # only when the passphrase or SSID has actually changed.
  556. #
  557. # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
  558. # Dynamic WEP key required for non-WPA mode
  559. # bit0 (1): require dynamically generated unicast WEP key
  560. # bit1 (2): require dynamically generated broadcast WEP key
  561. # (3 = require both keys; default)
  562. # Note: When using wired authentication, eapol_flags must be set to 0 for the
  563. # authentication to be completed successfully.
  564. #
  565. # mixed_cell: This option can be used to configure whether so called mixed
  566. # cells, i.e., networks that use both plaintext and encryption in the same
  567. # SSID, are allowed when selecting a BSS from scan results.
  568. # 0 = disabled (default)
  569. # 1 = enabled
  570. #
  571. # proactive_key_caching:
  572. # Enable/disable opportunistic PMKSA caching for WPA2.
  573. # 0 = disabled (default unless changed with the global okc parameter)
  574. # 1 = enabled
  575. #
  576. # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
  577. # hex without quotation, e.g., 0102030405)
  578. # wep_tx_keyidx: Default WEP key index (TX) (0..3)
  579. #
  580. # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
  581. # allowed. This is only used with RSN/WPA2.
  582. # 0 = disabled (default)
  583. # 1 = enabled
  584. #peerkey=1
  585. #
  586. # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
  587. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
  588. #
  589. # Following fields are only used with internal EAP implementation.
  590. # eap: space-separated list of accepted EAP methods
  591. # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
  592. # cannot be used with WPA; to be used as a Phase 2 method
  593. # with EAP-PEAP or EAP-TTLS)
  594. # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
  595. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  596. # OTP = EAP-OTP (cannot be used separately with WPA; to be used
  597. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  598. # GTC = EAP-GTC (cannot be used separately with WPA; to be used
  599. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  600. # TLS = EAP-TLS (client and server certificate)
  601. # PEAP = EAP-PEAP (with tunnelled EAP authentication)
  602. # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
  603. # authentication)
  604. # If not set, all compiled in methods are allowed.
  605. #
  606. # identity: Identity string for EAP
  607. # This field is also used to configure user NAI for
  608. # EAP-PSK/PAX/SAKE/GPSK.
  609. # anonymous_identity: Anonymous identity string for EAP (to be used as the
  610. # unencrypted identity with EAP types that support different tunnelled
  611. # identity, e.g., EAP-TTLS). This field can also be used with
  612. # EAP-SIM/AKA/AKA' to store the pseudonym identity.
  613. # password: Password string for EAP. This field can include either the
  614. # plaintext password (using ASCII or hex string) or a NtPasswordHash
  615. # (16-byte MD4 hash of password) in hash:<32 hex digits> format.
  616. # NtPasswordHash can only be used when the password is for MSCHAPv2 or
  617. # MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
  618. # EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
  619. # PSK) is also configured using this field. For EAP-GPSK, this is a
  620. # variable length PSK. ext:<name of external password field> format can
  621. # be used to indicate that the password is stored in external storage.
  622. # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
  623. # or more trusted CA certificates. If ca_cert and ca_path are not
  624. # included, server certificate will not be verified. This is insecure and
  625. # a trusted CA certificate should always be configured when using
  626. # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
  627. # change when wpa_supplicant is run in the background.
  628. #
  629. # Alternatively, this can be used to only perform matching of the server
  630. # certificate (SHA-256 hash of the DER encoded X.509 certificate). In
  631. # this case, the possible CA certificates in the server certificate chain
  632. # are ignored and only the server certificate is verified. This is
  633. # configured with the following format:
  634. # hash:://server/sha256/cert_hash_in_hex
  635. # For example: "hash://server/sha256/
  636. # 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
  637. #
  638. # On Windows, trusted CA certificates can be loaded from the system
  639. # certificate store by setting this to cert_store://<name>, e.g.,
  640. # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
  641. # Note that when running wpa_supplicant as an application, the user
  642. # certificate store (My user account) is used, whereas computer store
  643. # (Computer account) is used when running wpasvc as a service.
  644. # ca_path: Directory path for CA certificate files (PEM). This path may
  645. # contain multiple CA certificates in OpenSSL format. Common use for this
  646. # is to point to system trusted CA list which is often installed into
  647. # directory like /etc/ssl/certs. If configured, these certificates are
  648. # added to the list of trusted CAs. ca_cert may also be included in that
  649. # case, but it is not required.
  650. # client_cert: File path to client certificate file (PEM/DER)
  651. # Full path should be used since working directory may change when
  652. # wpa_supplicant is run in the background.
  653. # Alternatively, a named configuration blob can be used by setting this
  654. # to blob://<blob name>.
  655. # private_key: File path to client private key file (PEM/DER/PFX)
  656. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  657. # commented out. Both the private key and certificate will be read from
  658. # the PKCS#12 file in this case. Full path should be used since working
  659. # directory may change when wpa_supplicant is run in the background.
  660. # Windows certificate store can be used by leaving client_cert out and
  661. # configuring private_key in one of the following formats:
  662. # cert://substring_to_match
  663. # hash://certificate_thumbprint_in_hex
  664. # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  665. # Note that when running wpa_supplicant as an application, the user
  666. # certificate store (My user account) is used, whereas computer store
  667. # (Computer account) is used when running wpasvc as a service.
  668. # Alternatively, a named configuration blob can be used by setting this
  669. # to blob://<blob name>.
  670. # private_key_passwd: Password for private key file (if left out, this will be
  671. # asked through control interface)
  672. # dh_file: File path to DH/DSA parameters file (in PEM format)
  673. # This is an optional configuration file for setting parameters for an
  674. # ephemeral DH key exchange. In most cases, the default RSA
  675. # authentication does not use this configuration. However, it is possible
  676. # setup RSA to use ephemeral DH key exchange. In addition, ciphers with
  677. # DSA keys always use ephemeral DH keys. This can be used to achieve
  678. # forward secrecy. If the file is in DSA parameters format, it will be
  679. # automatically converted into DH params.
  680. # subject_match: Substring to be matched against the subject of the
  681. # authentication server certificate. If this string is set, the server
  682. # sertificate is only accepted if it contains this string in the subject.
  683. # The subject string is in following format:
  684. # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
  685. # altsubject_match: Semicolon separated string of entries to be matched against
  686. # the alternative subject name of the authentication server certificate.
  687. # If this string is set, the server sertificate is only accepted if it
  688. # contains one of the entries in an alternative subject name extension.
  689. # altSubjectName string is in following format: TYPE:VALUE
  690. # Example: EMAIL:server@example.com
  691. # Example: DNS:server.example.com;DNS:server2.example.com
  692. # Following types are supported: EMAIL, DNS, URI
  693. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
  694. # (string with field-value pairs, e.g., "peapver=0" or
  695. # "peapver=1 peaplabel=1")
  696. # 'peapver' can be used to force which PEAP version (0 or 1) is used.
  697. # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
  698. # to be used during key derivation when PEAPv1 or newer. Most existing
  699. # PEAPv1 implementation seem to be using the old label, "client EAP
  700. # encryption", and wpa_supplicant is now using that as the default value.
  701. # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
  702. # interoperate with PEAPv1; see eap_testing.txt for more details.
  703. # 'peap_outer_success=0' can be used to terminate PEAP authentication on
  704. # tunneled EAP-Success. This is required with some RADIUS servers that
  705. # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
  706. # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
  707. # include_tls_length=1 can be used to force wpa_supplicant to include
  708. # TLS Message Length field in all TLS messages even if they are not
  709. # fragmented.
  710. # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
  711. # challenges (by default, it accepts 2 or 3)
  712. # result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
  713. # protected result indication.
  714. # 'crypto_binding' option can be used to control PEAPv0 cryptobinding
  715. # behavior:
  716. # * 0 = do not use cryptobinding (default)
  717. # * 1 = use cryptobinding if server supports it
  718. # * 2 = require cryptobinding
  719. # EAP-WSC (WPS) uses following options: pin=<Device Password> or
  720. # pbc=1.
  721. # phase2: Phase2 (inner authentication with TLS tunnel) parameters
  722. # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
  723. # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
  724. #
  725. # TLS-based methods can use the following parameters to control TLS behavior
  726. # (these are normally in the phase1 parameter, but can be used also in the
  727. # phase2 parameter when EAP-TLS is used within the inner tunnel):
  728. # tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
  729. # TLS library, these may be disabled by default to enforce stronger
  730. # security)
  731. # tls_disable_time_checks=1 - ignore certificate validity time (this requests
  732. # the TLS library to accept certificates even if they are not currently
  733. # valid, i.e., have expired or have not yet become valid; this should be
  734. # used only for testing purposes)
  735. # tls_disable_session_ticket=1 - disable TLS Session Ticket extension
  736. # tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
  737. # Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
  738. # as a workaround for broken authentication server implementations unless
  739. # EAP workarounds are disabled with eap_workarounds=0.
  740. # For EAP-FAST, this must be set to 0 (or left unconfigured for the
  741. # default value to be used automatically).
  742. #
  743. # Following certificate/private key fields are used in inner Phase2
  744. # authentication when using EAP-TTLS or EAP-PEAP.
  745. # ca_cert2: File path to CA certificate file. This file can have one or more
  746. # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
  747. # server certificate will not be verified. This is insecure and a trusted
  748. # CA certificate should always be configured.
  749. # ca_path2: Directory path for CA certificate files (PEM)
  750. # client_cert2: File path to client certificate file
  751. # private_key2: File path to client private key file
  752. # private_key2_passwd: Password for private key file
  753. # dh_file2: File path to DH/DSA parameters file (in PEM format)
  754. # subject_match2: Substring to be matched against the subject of the
  755. # authentication server certificate.
  756. # altsubject_match2: Substring to be matched against the alternative subject
  757. # name of the authentication server certificate.
  758. #
  759. # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  760. # This value limits the fragment size for EAP methods that support
  761. # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
  762. # small enough to make the EAP messages fit in MTU of the network
  763. # interface used for EAPOL. The default value is suitable for most
  764. # cases.
  765. #
  766. # EAP-FAST variables:
  767. # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
  768. # to create this file and write updates to it when PAC is being
  769. # provisioned or refreshed. Full path to the file should be used since
  770. # working directory may change when wpa_supplicant is run in the
  771. # background. Alternatively, a named configuration blob can be used by
  772. # setting this to blob://<blob name>
  773. # phase1: fast_provisioning option can be used to enable in-line provisioning
  774. # of EAP-FAST credentials (PAC):
  775. # 0 = disabled,
  776. # 1 = allow unauthenticated provisioning,
  777. # 2 = allow authenticated provisioning,
  778. # 3 = allow both unauthenticated and authenticated provisioning
  779. # fast_max_pac_list_len=<num> option can be used to set the maximum
  780. # number of PAC entries to store in a PAC list (default: 10)
  781. # fast_pac_format=binary option can be used to select binary format for
  782. # storing PAC entries in order to save some space (the default
  783. # text format uses about 2.5 times the size of minimal binary
  784. # format)
  785. #
  786. # wpa_supplicant supports number of "EAP workarounds" to work around
  787. # interoperability issues with incorrectly behaving authentication servers.
  788. # These are enabled by default because some of the issues are present in large
  789. # number of authentication servers. Strict EAP conformance mode can be
  790. # configured by disabling workarounds with eap_workaround=0.
  791. # Station inactivity limit
  792. #
  793. # If a station does not send anything in ap_max_inactivity seconds, an
  794. # empty data frame is sent to it in order to verify whether it is
  795. # still in range. If this frame is not ACKed, the station will be
  796. # disassociated and then deauthenticated. This feature is used to
  797. # clear station table of old entries when the STAs move out of the
  798. # range.
  799. #
  800. # The station can associate again with the AP if it is still in range;
  801. # this inactivity poll is just used as a nicer way of verifying
  802. # inactivity; i.e., client will not report broken connection because
  803. # disassociation frame is not sent immediately without first polling
  804. # the STA with a data frame.
  805. # default: 300 (i.e., 5 minutes)
  806. #ap_max_inactivity=300
  807. # DTIM period in Beacon intervals for AP mode (default: 2)
  808. #dtim_period=2
  809. # Beacon interval (default: 100 TU)
  810. #beacon_int=100
  811. # disable_ht: Whether HT (802.11n) should be disabled.
  812. # 0 = HT enabled (if AP supports it)
  813. # 1 = HT disabled
  814. #
  815. # disable_ht40: Whether HT-40 (802.11n) should be disabled.
  816. # 0 = HT-40 enabled (if AP supports it)
  817. # 1 = HT-40 disabled
  818. #
  819. # disable_sgi: Whether SGI (short guard interval) should be disabled.
  820. # 0 = SGI enabled (if AP supports it)
  821. # 1 = SGI disabled
  822. #
  823. # ht_mcs: Configure allowed MCS rates.
  824. # Parsed as an array of bytes, in base-16 (ascii-hex)
  825. # ht_mcs="" // Use all available (default)
  826. # ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only
  827. # ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only
  828. #
  829. # disable_max_amsdu: Whether MAX_AMSDU should be disabled.
  830. # -1 = Do not make any changes.
  831. # 0 = Enable MAX-AMSDU if hardware supports it.
  832. # 1 = Disable AMSDU
  833. #
  834. # ampdu_density: Allow overriding AMPDU density configuration.
  835. # Treated as hint by the kernel.
  836. # -1 = Do not make any changes.
  837. # 0-3 = Set AMPDU density (aka factor) to specified value.
  838. # disable_vht: Whether VHT should be disabled.
  839. # 0 = VHT enabled (if AP supports it)
  840. # 1 = VHT disabled
  841. #
  842. # vht_capa: VHT capabilities to set in the override
  843. # vht_capa_mask: mask of VHT capabilities
  844. #
  845. # vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
  846. # vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
  847. # 0: MCS 0-7
  848. # 1: MCS 0-8
  849. # 2: MCS 0-9
  850. # 3: not supported
  851. # Example blocks:
  852. # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
  853. network={
  854. ssid="simple"
  855. psk="very secret passphrase"
  856. priority=5
  857. }
  858. # Same as previous, but request SSID-specific scanning (for APs that reject
  859. # broadcast SSID)
  860. network={
  861. ssid="second ssid"
  862. scan_ssid=1
  863. psk="very secret passphrase"
  864. priority=2
  865. }
  866. # Only WPA-PSK is used. Any valid cipher combination is accepted.
  867. network={
  868. ssid="example"
  869. proto=WPA
  870. key_mgmt=WPA-PSK
  871. pairwise=CCMP TKIP
  872. group=CCMP TKIP WEP104 WEP40
  873. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  874. priority=2
  875. }
  876. # WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
  877. network={
  878. ssid="example"
  879. proto=WPA
  880. key_mgmt=WPA-PSK
  881. pairwise=TKIP
  882. group=TKIP
  883. psk="not so secure passphrase"
  884. wpa_ptk_rekey=600
  885. }
  886. # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
  887. # or WEP40 as the group cipher will not be accepted.
  888. network={
  889. ssid="example"
  890. proto=RSN
  891. key_mgmt=WPA-EAP
  892. pairwise=CCMP TKIP
  893. group=CCMP TKIP
  894. eap=TLS
  895. identity="user@example.com"
  896. ca_cert="/etc/cert/ca.pem"
  897. client_cert="/etc/cert/user.pem"
  898. private_key="/etc/cert/user.prv"
  899. private_key_passwd="password"
  900. priority=1
  901. }
  902. # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
  903. # (e.g., Radiator)
  904. network={
  905. ssid="example"
  906. key_mgmt=WPA-EAP
  907. eap=PEAP
  908. identity="user@example.com"
  909. password="foobar"
  910. ca_cert="/etc/cert/ca.pem"
  911. phase1="peaplabel=1"
  912. phase2="auth=MSCHAPV2"
  913. priority=10
  914. }
  915. # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
  916. # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
  917. network={
  918. ssid="example"
  919. key_mgmt=WPA-EAP
  920. eap=TTLS
  921. identity="user@example.com"
  922. anonymous_identity="anonymous@example.com"
  923. password="foobar"
  924. ca_cert="/etc/cert/ca.pem"
  925. priority=2
  926. }
  927. # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
  928. # use. Real identity is sent only within an encrypted TLS tunnel.
  929. network={
  930. ssid="example"
  931. key_mgmt=WPA-EAP
  932. eap=TTLS
  933. identity="user@example.com"
  934. anonymous_identity="anonymous@example.com"
  935. password="foobar"
  936. ca_cert="/etc/cert/ca.pem"
  937. phase2="auth=MSCHAPV2"
  938. }
  939. # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
  940. # authentication.
  941. network={
  942. ssid="example"
  943. key_mgmt=WPA-EAP
  944. eap=TTLS
  945. # Phase1 / outer authentication
  946. anonymous_identity="anonymous@example.com"
  947. ca_cert="/etc/cert/ca.pem"
  948. # Phase 2 / inner authentication
  949. phase2="autheap=TLS"
  950. ca_cert2="/etc/cert/ca2.pem"
  951. client_cert2="/etc/cer/user.pem"
  952. private_key2="/etc/cer/user.prv"
  953. private_key2_passwd="password"
  954. priority=2
  955. }
  956. # Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
  957. # group cipher.
  958. network={
  959. ssid="example"
  960. bssid=00:11:22:33:44:55
  961. proto=WPA RSN
  962. key_mgmt=WPA-PSK WPA-EAP
  963. pairwise=CCMP
  964. group=CCMP
  965. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  966. }
  967. # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
  968. # and all valid ciphers.
  969. network={
  970. ssid=00010203
  971. psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  972. }
  973. # EAP-SIM with a GSM SIM or USIM
  974. network={
  975. ssid="eap-sim-test"
  976. key_mgmt=WPA-EAP
  977. eap=SIM
  978. pin="1234"
  979. pcsc=""
  980. }
  981. # EAP-PSK
  982. network={
  983. ssid="eap-psk-test"
  984. key_mgmt=WPA-EAP
  985. eap=PSK
  986. anonymous_identity="eap_psk_user"
  987. password=06b4be19da289f475aa46a33cb793029
  988. identity="eap_psk_user@example.com"
  989. }
  990. # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
  991. # EAP-TLS for authentication and key generation; require both unicast and
  992. # broadcast WEP keys.
  993. network={
  994. ssid="1x-test"
  995. key_mgmt=IEEE8021X
  996. eap=TLS
  997. identity="user@example.com"
  998. ca_cert="/etc/cert/ca.pem"
  999. client_cert="/etc/cert/user.pem"
  1000. private_key="/etc/cert/user.prv"
  1001. private_key_passwd="password"
  1002. eapol_flags=3
  1003. }
  1004. # LEAP with dynamic WEP keys
  1005. network={
  1006. ssid="leap-example"
  1007. key_mgmt=IEEE8021X
  1008. eap=LEAP
  1009. identity="user"
  1010. password="foobar"
  1011. }
  1012. # EAP-IKEv2 using shared secrets for both server and peer authentication
  1013. network={
  1014. ssid="ikev2-example"
  1015. key_mgmt=WPA-EAP
  1016. eap=IKEV2
  1017. identity="user"
  1018. password="foobar"
  1019. }
  1020. # EAP-FAST with WPA (WPA or WPA2)
  1021. network={
  1022. ssid="eap-fast-test"
  1023. key_mgmt=WPA-EAP
  1024. eap=FAST
  1025. anonymous_identity="FAST-000102030405"
  1026. identity="username"
  1027. password="password"
  1028. phase1="fast_provisioning=1"
  1029. pac_file="/etc/wpa_supplicant.eap-fast-pac"
  1030. }
  1031. network={
  1032. ssid="eap-fast-test"
  1033. key_mgmt=WPA-EAP
  1034. eap=FAST
  1035. anonymous_identity="FAST-000102030405"
  1036. identity="username"
  1037. password="password"
  1038. phase1="fast_provisioning=1"
  1039. pac_file="blob://eap-fast-pac"
  1040. }
  1041. # Plaintext connection (no WPA, no IEEE 802.1X)
  1042. network={
  1043. ssid="plaintext-test"
  1044. key_mgmt=NONE
  1045. }
  1046. # Shared WEP key connection (no WPA, no IEEE 802.1X)
  1047. network={
  1048. ssid="static-wep-test"
  1049. key_mgmt=NONE
  1050. wep_key0="abcde"
  1051. wep_key1=0102030405
  1052. wep_key2="1234567890123"
  1053. wep_tx_keyidx=0
  1054. priority=5
  1055. }
  1056. # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
  1057. # IEEE 802.11 authentication
  1058. network={
  1059. ssid="static-wep-test2"
  1060. key_mgmt=NONE
  1061. wep_key0="abcde"
  1062. wep_key1=0102030405
  1063. wep_key2="1234567890123"
  1064. wep_tx_keyidx=0
  1065. priority=5
  1066. auth_alg=SHARED
  1067. }
  1068. # IBSS/ad-hoc network with WPA-None/TKIP.
  1069. network={
  1070. ssid="test adhoc"
  1071. mode=1
  1072. frequency=2412
  1073. proto=WPA
  1074. key_mgmt=WPA-NONE
  1075. pairwise=NONE
  1076. group=TKIP
  1077. psk="secret passphrase"
  1078. }
  1079. # Catch all example that allows more or less all configuration modes
  1080. network={
  1081. ssid="example"
  1082. scan_ssid=1
  1083. key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
  1084. pairwise=CCMP TKIP
  1085. group=CCMP TKIP WEP104 WEP40
  1086. psk="very secret passphrase"
  1087. eap=TTLS PEAP TLS
  1088. identity="user@example.com"
  1089. password="foobar"
  1090. ca_cert="/etc/cert/ca.pem"
  1091. client_cert="/etc/cert/user.pem"
  1092. private_key="/etc/cert/user.prv"
  1093. private_key_passwd="password"
  1094. phase1="peaplabel=0"
  1095. }
  1096. # Example of EAP-TLS with smartcard (openssl engine)
  1097. network={
  1098. ssid="example"
  1099. key_mgmt=WPA-EAP
  1100. eap=TLS
  1101. proto=RSN
  1102. pairwise=CCMP TKIP
  1103. group=CCMP TKIP
  1104. identity="user@example.com"
  1105. ca_cert="/etc/cert/ca.pem"
  1106. client_cert="/etc/cert/user.pem"
  1107. engine=1
  1108. # The engine configured here must be available. Look at
  1109. # OpenSSL engine support in the global section.
  1110. # The key available through the engine must be the private key
  1111. # matching the client certificate configured above.
  1112. # use the opensc engine
  1113. #engine_id="opensc"
  1114. #key_id="45"
  1115. # use the pkcs11 engine
  1116. engine_id="pkcs11"
  1117. key_id="id_45"
  1118. # Optional PIN configuration; this can be left out and PIN will be
  1119. # asked through the control interface
  1120. pin="1234"
  1121. }
  1122. # Example configuration showing how to use an inlined blob as a CA certificate
  1123. # data instead of using external file
  1124. network={
  1125. ssid="example"
  1126. key_mgmt=WPA-EAP
  1127. eap=TTLS
  1128. identity="user@example.com"
  1129. anonymous_identity="anonymous@example.com"
  1130. password="foobar"
  1131. ca_cert="blob://exampleblob"
  1132. priority=20
  1133. }
  1134. blob-base64-exampleblob={
  1135. SGVsbG8gV29ybGQhCg==
  1136. }
  1137. # Wildcard match for SSID (plaintext APs only). This example select any
  1138. # open AP regardless of its SSID.
  1139. network={
  1140. key_mgmt=NONE
  1141. }