wpa_supplicant.conf 43 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112
  1. ##### Example wpa_supplicant configuration file ###############################
  2. #
  3. # This file describes configuration file format and lists all available option.
  4. # Please also take a look at simpler configuration examples in 'examples'
  5. # subdirectory.
  6. #
  7. # Empty lines and lines starting with # are ignored
  8. # NOTE! This file may contain password information and should probably be made
  9. # readable only by root user on multiuser systems.
  10. # Note: All file paths in this configuration file should use full (absolute,
  11. # not relative to working directory) path in order to allow working directory
  12. # to be changed. This can happen if wpa_supplicant is run in the background.
  13. # Whether to allow wpa_supplicant to update (overwrite) configuration
  14. #
  15. # This option can be used to allow wpa_supplicant to overwrite configuration
  16. # file whenever configuration is changed (e.g., new network block is added with
  17. # wpa_cli or wpa_gui, or a password is changed). This is required for
  18. # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
  19. # Please note that overwriting configuration file will remove the comments from
  20. # it.
  21. #update_config=1
  22. # global configuration (shared by all network blocks)
  23. #
  24. # Parameters for the control interface. If this is specified, wpa_supplicant
  25. # will open a control interface that is available for external programs to
  26. # manage wpa_supplicant. The meaning of this string depends on which control
  27. # interface mechanism is used. For all cases, the existence of this parameter
  28. # in configuration is used to determine whether the control interface is
  29. # enabled.
  30. #
  31. # For UNIX domain sockets (default on Linux and BSD): This is a directory that
  32. # will be created for UNIX domain sockets for listening to requests from
  33. # external programs (CLI/GUI, etc.) for status information and configuration.
  34. # The socket file will be named based on the interface name, so multiple
  35. # wpa_supplicant processes can be run at the same time if more than one
  36. # interface is used.
  37. # /var/run/wpa_supplicant is the recommended directory for sockets and by
  38. # default, wpa_cli will use it when trying to connect with wpa_supplicant.
  39. #
  40. # Access control for the control interface can be configured by setting the
  41. # directory to allow only members of a group to use sockets. This way, it is
  42. # possible to run wpa_supplicant as root (since it needs to change network
  43. # configuration and open raw sockets) and still allow GUI/CLI components to be
  44. # run as non-root users. However, since the control interface can be used to
  45. # change the network configuration, this access needs to be protected in many
  46. # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
  47. # want to allow non-root users to use the control interface, add a new group
  48. # and change this value to match with that group. Add users that should have
  49. # control interface access to this group. If this variable is commented out or
  50. # not included in the configuration file, group will not be changed from the
  51. # value it got by default when the directory or socket was created.
  52. #
  53. # When configuring both the directory and group, use following format:
  54. # DIR=/var/run/wpa_supplicant GROUP=wheel
  55. # DIR=/var/run/wpa_supplicant GROUP=0
  56. # (group can be either group name or gid)
  57. #
  58. # For UDP connections (default on Windows): The value will be ignored. This
  59. # variable is just used to select that the control interface is to be created.
  60. # The value can be set to, e.g., udp (ctrl_interface=udp)
  61. #
  62. # For Windows Named Pipe: This value can be used to set the security descriptor
  63. # for controlling access to the control interface. Security descriptor can be
  64. # set using Security Descriptor String Format (see http://msdn.microsoft.com/
  65. # library/default.asp?url=/library/en-us/secauthz/security/
  66. # security_descriptor_string_format.asp). The descriptor string needs to be
  67. # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
  68. # DACL (which will reject all connections). See README-Windows.txt for more
  69. # information about SDDL string format.
  70. #
  71. ctrl_interface=/var/run/wpa_supplicant
  72. # IEEE 802.1X/EAPOL version
  73. # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
  74. # EAPOL version 2. However, there are many APs that do not handle the new
  75. # version number correctly (they seem to drop the frames completely). In order
  76. # to make wpa_supplicant interoperate with these APs, the version number is set
  77. # to 1 by default. This configuration value can be used to set it to the new
  78. # version (2).
  79. eapol_version=1
  80. # AP scanning/selection
  81. # By default, wpa_supplicant requests driver to perform AP scanning and then
  82. # uses the scan results to select a suitable AP. Another alternative is to
  83. # allow the driver to take care of AP scanning and selection and use
  84. # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
  85. # information from the driver.
  86. # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
  87. # the currently enabled networks are found, a new network (IBSS or AP mode
  88. # operation) may be initialized (if configured) (default)
  89. # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
  90. # parameters (e.g., WPA IE generation); this mode can also be used with
  91. # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
  92. # APs (i.e., external program needs to control association). This mode must
  93. # also be used when using wired Ethernet drivers.
  94. # 2: like 0, but associate with APs using security policy and SSID (but not
  95. # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
  96. # enable operation with hidden SSIDs and optimized roaming; in this mode,
  97. # the network blocks in the configuration file are tried one by one until
  98. # the driver reports successful association; each network block should have
  99. # explicit security policy (i.e., only one option in the lists) for
  100. # key_mgmt, pairwise, group, proto variables
  101. # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
  102. # created immediately regardless of scan results. ap_scan=1 mode will first try
  103. # to scan for existing networks and only if no matches with the enabled
  104. # networks are found, a new IBSS or AP mode network is created.
  105. ap_scan=1
  106. # EAP fast re-authentication
  107. # By default, fast re-authentication is enabled for all EAP methods that
  108. # support it. This variable can be used to disable fast re-authentication.
  109. # Normally, there is no need to disable this.
  110. fast_reauth=1
  111. # OpenSSL Engine support
  112. # These options can be used to load OpenSSL engines.
  113. # The two engines that are supported currently are shown below:
  114. # They are both from the opensc project (http://www.opensc.org/)
  115. # By default no engines are loaded.
  116. # make the opensc engine available
  117. #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
  118. # make the pkcs11 engine available
  119. #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
  120. # configure the path to the pkcs11 module required by the pkcs11 engine
  121. #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
  122. # Dynamic EAP methods
  123. # If EAP methods were built dynamically as shared object files, they need to be
  124. # loaded here before being used in the network blocks. By default, EAP methods
  125. # are included statically in the build, so these lines are not needed
  126. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
  127. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
  128. # Driver interface parameters
  129. # This field can be used to configure arbitrary driver interace parameters. The
  130. # format is specific to the selected driver interface. This field is not used
  131. # in most cases.
  132. #driver_param="field=value"
  133. # Country code
  134. # The ISO/IEC alpha2 country code for the country in which this device is
  135. # currently operating.
  136. #country=US
  137. # Maximum lifetime for PMKSA in seconds; default 43200
  138. #dot11RSNAConfigPMKLifetime=43200
  139. # Threshold for reauthentication (percentage of PMK lifetime); default 70
  140. #dot11RSNAConfigPMKReauthThreshold=70
  141. # Timeout for security association negotiation in seconds; default 60
  142. #dot11RSNAConfigSATimeout=60
  143. # Wi-Fi Protected Setup (WPS) parameters
  144. # Universally Unique IDentifier (UUID; see RFC 4122) of the device
  145. # If not configured, UUID will be generated based on the local MAC address.
  146. #uuid=12345678-9abc-def0-1234-56789abcdef0
  147. # Device Name
  148. # User-friendly description of device; up to 32 octets encoded in UTF-8
  149. #device_name=Wireless Client
  150. # Manufacturer
  151. # The manufacturer of the device (up to 64 ASCII characters)
  152. #manufacturer=Company
  153. # Model Name
  154. # Model of the device (up to 32 ASCII characters)
  155. #model_name=cmodel
  156. # Model Number
  157. # Additional device description (up to 32 ASCII characters)
  158. #model_number=123
  159. # Serial Number
  160. # Serial number of the device (up to 32 characters)
  161. #serial_number=12345
  162. # Primary Device Type
  163. # Used format: <categ>-<OUI>-<subcateg>
  164. # categ = Category as an integer value
  165. # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
  166. # default WPS OUI
  167. # subcateg = OUI-specific Sub Category as an integer value
  168. # Examples:
  169. # 1-0050F204-1 (Computer / PC)
  170. # 1-0050F204-2 (Computer / Server)
  171. # 5-0050F204-1 (Storage / NAS)
  172. # 6-0050F204-1 (Network Infrastructure / AP)
  173. #device_type=1-0050F204-1
  174. # OS Version
  175. # 4-octet operating system version number (hex string)
  176. #os_version=01020300
  177. # Config Methods
  178. # List of the supported configuration methods
  179. # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
  180. # nfc_interface push_button keypad virtual_display physical_display
  181. # virtual_push_button physical_push_button
  182. # For WSC 1.0:
  183. #config_methods=label display push_button keypad
  184. # For WSC 2.0:
  185. #config_methods=label virtual_display virtual_push_button keypad
  186. # Credential processing
  187. # 0 = process received credentials internally (default)
  188. # 1 = do not process received credentials; just pass them over ctrl_iface to
  189. # external program(s)
  190. # 2 = process received credentials internally and pass them over ctrl_iface
  191. # to external program(s)
  192. #wps_cred_processing=0
  193. # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
  194. # The vendor attribute contents to be added in M1 (hex string)
  195. #wps_vendor_ext_m1=000137100100020001
  196. # NFC password token for WPS
  197. # These parameters can be used to configure a fixed NFC password token for the
  198. # station. This can be generated, e.g., with nfc_pw_token. When these
  199. # parameters are used, the station is assumed to be deployed with a NFC tag
  200. # that includes the matching NFC password token (e.g., written based on the
  201. # NDEF record from nfc_pw_token).
  202. #
  203. #wps_nfc_dev_pw_id: Device Password ID (16..65535)
  204. #wps_nfc_dh_pubkey: Hexdump of DH Public Key
  205. #wps_nfc_dh_privkey: Hexdump of DH Private Key
  206. #wps_nfc_dev_pw: Hexdump of Device Password
  207. # Maximum number of BSS entries to keep in memory
  208. # Default: 200
  209. # This can be used to limit memory use on the BSS entries (cached scan
  210. # results). A larger value may be needed in environments that have huge number
  211. # of APs when using ap_scan=1 mode.
  212. #bss_max_count=200
  213. # Automatic scan
  214. # This is an optional set of parameters for automatic scanning
  215. # within an interface in following format:
  216. #autoscan=<autoscan module name>:<module parameters>
  217. # autoscan is like bgscan but on disconnected or inactive state.
  218. # For instance, on exponential module parameters would be <base>:<limit>
  219. #autoscan=exponential:3:300
  220. # Which means a delay between scans on a base exponential of 3,
  221. # up to the limit of 300 seconds (3, 9, 27 ... 300)
  222. # For periodic module, parameters would be <fixed interval>
  223. #autoscan=periodic:30
  224. # So a delay of 30 seconds will be applied between each scan
  225. # filter_ssids - SSID-based scan result filtering
  226. # 0 = do not filter scan results (default)
  227. # 1 = only include configured SSIDs in scan results/BSS table
  228. #filter_ssids=0
  229. # Password (and passphrase, etc.) backend for external storage
  230. # format: <backend name>[:<optional backend parameters>]
  231. #ext_password_backend=test:pw1=password|pw2=testing
  232. # Timeout in seconds to detect STA inactivity (default: 300 seconds)
  233. #
  234. # This timeout value is used in P2P GO mode to clean up
  235. # inactive stations.
  236. #p2p_go_max_inactivity=300
  237. # Interworking (IEEE 802.11u)
  238. # Enable Interworking
  239. # interworking=1
  240. # Homogenous ESS identifier
  241. # If this is set, scans will be used to request response only from BSSes
  242. # belonging to the specified Homogeneous ESS. This is used only if interworking
  243. # is enabled.
  244. # hessid=00:11:22:33:44:55
  245. # credential block
  246. #
  247. # Each credential used for automatic network selection is configured as a set
  248. # of parameters that are compared to the information advertised by the APs when
  249. # interworking_select and interworking_connect commands are used.
  250. #
  251. # credential fields:
  252. #
  253. # priority: Priority group
  254. # By default, all networks and credentials get the same priority group
  255. # (0). This field can be used to give higher priority for credentials
  256. # (and similarly in struct wpa_ssid for network blocks) to change the
  257. # Interworking automatic networking selection behavior. The matching
  258. # network (based on either an enabled network block or a credential)
  259. # with the highest priority value will be selected.
  260. #
  261. # pcsc: Use PC/SC and SIM/USIM card
  262. #
  263. # realm: Home Realm for Interworking
  264. #
  265. # username: Username for Interworking network selection
  266. #
  267. # password: Password for Interworking network selection
  268. #
  269. # ca_cert: CA certificate for Interworking network selection
  270. #
  271. # client_cert: File path to client certificate file (PEM/DER)
  272. # This field is used with Interworking networking selection for a case
  273. # where client certificate/private key is used for authentication
  274. # (EAP-TLS). Full path to the file should be used since working
  275. # directory may change when wpa_supplicant is run in the background.
  276. #
  277. # Alternatively, a named configuration blob can be used by setting
  278. # this to blob://blob_name.
  279. #
  280. # private_key: File path to client private key file (PEM/DER/PFX)
  281. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  282. # commented out. Both the private key and certificate will be read
  283. # from the PKCS#12 file in this case. Full path to the file should be
  284. # used since working directory may change when wpa_supplicant is run
  285. # in the background.
  286. #
  287. # Windows certificate store can be used by leaving client_cert out and
  288. # configuring private_key in one of the following formats:
  289. #
  290. # cert://substring_to_match
  291. #
  292. # hash://certificate_thumbprint_in_hex
  293. #
  294. # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  295. #
  296. # Note that when running wpa_supplicant as an application, the user
  297. # certificate store (My user account) is used, whereas computer store
  298. # (Computer account) is used when running wpasvc as a service.
  299. #
  300. # Alternatively, a named configuration blob can be used by setting
  301. # this to blob://blob_name.
  302. #
  303. # private_key_passwd: Password for private key file
  304. #
  305. # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
  306. #
  307. # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
  308. # format
  309. #
  310. # domain: Home service provider FQDN
  311. # This is used to compare against the Domain Name List to figure out
  312. # whether the AP is operated by the Home SP.
  313. #
  314. # roaming_consortium: Roaming Consortium OI
  315. # If roaming_consortium_len is non-zero, this field contains the
  316. # Roaming Consortium OI that can be used to determine which access
  317. # points support authentication with this credential. This is an
  318. # alternative to the use of the realm parameter. When using Roaming
  319. # Consortium to match the network, the EAP parameters need to be
  320. # pre-configured with the credential since the NAI Realm information
  321. # may not be available or fetched.
  322. #
  323. # eap: Pre-configured EAP method
  324. # This optional field can be used to specify which EAP method will be
  325. # used with this credential. If not set, the EAP method is selected
  326. # automatically based on ANQP information (e.g., NAI Realm).
  327. #
  328. # phase1: Pre-configure Phase 1 (outer authentication) parameters
  329. # This optional field is used with like the 'eap' parameter.
  330. #
  331. # phase2: Pre-configure Phase 2 (inner authentication) parameters
  332. # This optional field is used with like the 'eap' parameter.
  333. #
  334. # for example:
  335. #
  336. #cred={
  337. # realm="example.com"
  338. # username="user@example.com"
  339. # password="password"
  340. # ca_cert="/etc/wpa_supplicant/ca.pem"
  341. # domain="example.com"
  342. #}
  343. #
  344. #cred={
  345. # imsi="310026-000000000"
  346. # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
  347. #}
  348. #
  349. #cred={
  350. # realm="example.com"
  351. # username="user"
  352. # password="password"
  353. # ca_cert="/etc/wpa_supplicant/ca.pem"
  354. # domain="example.com"
  355. # roaming_consortium=223344
  356. # eap=TTLS
  357. # phase2="auth=MSCHAPV2"
  358. #}
  359. # Hotspot 2.0
  360. # hs20=1
  361. # network block
  362. #
  363. # Each network (usually AP's sharing the same SSID) is configured as a separate
  364. # block in this configuration file. The network blocks are in preference order
  365. # (the first match is used).
  366. #
  367. # network block fields:
  368. #
  369. # disabled:
  370. # 0 = this network can be used (default)
  371. # 1 = this network block is disabled (can be enabled through ctrl_iface,
  372. # e.g., with wpa_cli or wpa_gui)
  373. #
  374. # id_str: Network identifier string for external scripts. This value is passed
  375. # to external action script through wpa_cli as WPA_ID_STR environment
  376. # variable to make it easier to do network specific configuration.
  377. #
  378. # ssid: SSID (mandatory); network name in one of the optional formats:
  379. # - an ASCII string with double quotation
  380. # - a hex string (two characters per octet of SSID)
  381. # - a printf-escaped ASCII string P"<escaped string>"
  382. #
  383. # scan_ssid:
  384. # 0 = do not scan this SSID with specific Probe Request frames (default)
  385. # 1 = scan with SSID-specific Probe Request frames (this can be used to
  386. # find APs that do not accept broadcast SSID or use multiple SSIDs;
  387. # this will add latency to scanning, so enable this only when needed)
  388. #
  389. # bssid: BSSID (optional); if set, this network block is used only when
  390. # associating with the AP using the configured BSSID
  391. #
  392. # priority: priority group (integer)
  393. # By default, all networks will get same priority group (0). If some of the
  394. # networks are more desirable, this field can be used to change the order in
  395. # which wpa_supplicant goes through the networks when selecting a BSS. The
  396. # priority groups will be iterated in decreasing priority (i.e., the larger the
  397. # priority value, the sooner the network is matched against the scan results).
  398. # Within each priority group, networks will be selected based on security
  399. # policy, signal strength, etc.
  400. # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
  401. # using this priority to select the order for scanning. Instead, they try the
  402. # networks in the order that used in the configuration file.
  403. #
  404. # mode: IEEE 802.11 operation mode
  405. # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
  406. # 1 = IBSS (ad-hoc, peer-to-peer)
  407. # 2 = AP (access point)
  408. # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
  409. # and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires
  410. # following network block options:
  411. # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
  412. # both), and psk must also be set.
  413. #
  414. # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
  415. # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
  416. # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
  417. # In addition, this value is only used by the station that creates the IBSS. If
  418. # an IBSS network with the configured SSID is already present, the frequency of
  419. # the network will be used instead of this configured value.
  420. #
  421. # scan_freq: List of frequencies to scan
  422. # Space-separated list of frequencies in MHz to scan when searching for this
  423. # BSS. If the subset of channels used by the network is known, this option can
  424. # be used to optimize scanning to not occur on channels that the network does
  425. # not use. Example: scan_freq=2412 2437 2462
  426. #
  427. # freq_list: Array of allowed frequencies
  428. # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
  429. # set, scan results that do not match any of the specified frequencies are not
  430. # considered when selecting a BSS.
  431. #
  432. # proto: list of accepted protocols
  433. # WPA = WPA/IEEE 802.11i/D3.0
  434. # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
  435. # If not set, this defaults to: WPA RSN
  436. #
  437. # key_mgmt: list of accepted authenticated key management protocols
  438. # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
  439. # WPA-EAP = WPA using EAP authentication
  440. # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
  441. # generated WEP keys
  442. # NONE = WPA is not used; plaintext or static WEP could be used
  443. # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
  444. # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
  445. # If not set, this defaults to: WPA-PSK WPA-EAP
  446. #
  447. # ieee80211w: whether management frame protection is enabled
  448. # 0 = disabled (default)
  449. # 1 = optional
  450. # 2 = required
  451. # The most common configuration options for this based on the PMF (protected
  452. # management frames) certification program are:
  453. # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
  454. # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
  455. # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
  456. #
  457. # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  458. # OPEN = Open System authentication (required for WPA/WPA2)
  459. # SHARED = Shared Key authentication (requires static WEP keys)
  460. # LEAP = LEAP/Network EAP (only used with LEAP)
  461. # If not set, automatic selection is used (Open System with LEAP enabled if
  462. # LEAP is allowed as one of the EAP methods).
  463. #
  464. # pairwise: list of accepted pairwise (unicast) ciphers for WPA
  465. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  466. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  467. # NONE = Use only Group Keys (deprecated, should not be included if APs support
  468. # pairwise keys)
  469. # If not set, this defaults to: CCMP TKIP
  470. #
  471. # group: list of accepted group (broadcast/multicast) ciphers for WPA
  472. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  473. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  474. # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
  475. # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
  476. # If not set, this defaults to: CCMP TKIP WEP104 WEP40
  477. #
  478. # psk: WPA preshared key; 256-bit pre-shared key
  479. # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
  480. # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
  481. # generated using the passphrase and SSID). ASCII passphrase must be between
  482. # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
  483. # be used to indicate that the PSK/passphrase is stored in external storage.
  484. # This field is not needed, if WPA-EAP is used.
  485. # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
  486. # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
  487. # startup and reconfiguration time can be optimized by generating the PSK only
  488. # only when the passphrase or SSID has actually changed.
  489. #
  490. # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
  491. # Dynamic WEP key required for non-WPA mode
  492. # bit0 (1): require dynamically generated unicast WEP key
  493. # bit1 (2): require dynamically generated broadcast WEP key
  494. # (3 = require both keys; default)
  495. # Note: When using wired authentication, eapol_flags must be set to 0 for the
  496. # authentication to be completed successfully.
  497. #
  498. # mixed_cell: This option can be used to configure whether so called mixed
  499. # cells, i.e., networks that use both plaintext and encryption in the same
  500. # SSID, are allowed when selecting a BSS from scan results.
  501. # 0 = disabled (default)
  502. # 1 = enabled
  503. #
  504. # proactive_key_caching:
  505. # Enable/disable opportunistic PMKSA caching for WPA2.
  506. # 0 = disabled (default)
  507. # 1 = enabled
  508. #
  509. # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
  510. # hex without quotation, e.g., 0102030405)
  511. # wep_tx_keyidx: Default WEP key index (TX) (0..3)
  512. #
  513. # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
  514. # allowed. This is only used with RSN/WPA2.
  515. # 0 = disabled (default)
  516. # 1 = enabled
  517. #peerkey=1
  518. #
  519. # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
  520. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
  521. #
  522. # Following fields are only used with internal EAP implementation.
  523. # eap: space-separated list of accepted EAP methods
  524. # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
  525. # cannot be used with WPA; to be used as a Phase 2 method
  526. # with EAP-PEAP or EAP-TTLS)
  527. # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
  528. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  529. # OTP = EAP-OTP (cannot be used separately with WPA; to be used
  530. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  531. # GTC = EAP-GTC (cannot be used separately with WPA; to be used
  532. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  533. # TLS = EAP-TLS (client and server certificate)
  534. # PEAP = EAP-PEAP (with tunnelled EAP authentication)
  535. # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
  536. # authentication)
  537. # If not set, all compiled in methods are allowed.
  538. #
  539. # identity: Identity string for EAP
  540. # This field is also used to configure user NAI for
  541. # EAP-PSK/PAX/SAKE/GPSK.
  542. # anonymous_identity: Anonymous identity string for EAP (to be used as the
  543. # unencrypted identity with EAP types that support different tunnelled
  544. # identity, e.g., EAP-TTLS)
  545. # password: Password string for EAP. This field can include either the
  546. # plaintext password (using ASCII or hex string) or a NtPasswordHash
  547. # (16-byte MD4 hash of password) in hash:<32 hex digits> format.
  548. # NtPasswordHash can only be used when the password is for MSCHAPv2 or
  549. # MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
  550. # EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
  551. # PSK) is also configured using this field. For EAP-GPSK, this is a
  552. # variable length PSK. ext:<name of external password field> format can
  553. # be used to indicate that the password is stored in external storage.
  554. # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
  555. # or more trusted CA certificates. If ca_cert and ca_path are not
  556. # included, server certificate will not be verified. This is insecure and
  557. # a trusted CA certificate should always be configured when using
  558. # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
  559. # change when wpa_supplicant is run in the background.
  560. #
  561. # Alternatively, this can be used to only perform matching of the server
  562. # certificate (SHA-256 hash of the DER encoded X.509 certificate). In
  563. # this case, the possible CA certificates in the server certificate chain
  564. # are ignored and only the server certificate is verified. This is
  565. # configured with the following format:
  566. # hash:://server/sha256/cert_hash_in_hex
  567. # For example: "hash://server/sha256/
  568. # 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
  569. #
  570. # On Windows, trusted CA certificates can be loaded from the system
  571. # certificate store by setting this to cert_store://<name>, e.g.,
  572. # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
  573. # Note that when running wpa_supplicant as an application, the user
  574. # certificate store (My user account) is used, whereas computer store
  575. # (Computer account) is used when running wpasvc as a service.
  576. # ca_path: Directory path for CA certificate files (PEM). This path may
  577. # contain multiple CA certificates in OpenSSL format. Common use for this
  578. # is to point to system trusted CA list which is often installed into
  579. # directory like /etc/ssl/certs. If configured, these certificates are
  580. # added to the list of trusted CAs. ca_cert may also be included in that
  581. # case, but it is not required.
  582. # client_cert: File path to client certificate file (PEM/DER)
  583. # Full path should be used since working directory may change when
  584. # wpa_supplicant is run in the background.
  585. # Alternatively, a named configuration blob can be used by setting this
  586. # to blob://<blob name>.
  587. # private_key: File path to client private key file (PEM/DER/PFX)
  588. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  589. # commented out. Both the private key and certificate will be read from
  590. # the PKCS#12 file in this case. Full path should be used since working
  591. # directory may change when wpa_supplicant is run in the background.
  592. # Windows certificate store can be used by leaving client_cert out and
  593. # configuring private_key in one of the following formats:
  594. # cert://substring_to_match
  595. # hash://certificate_thumbprint_in_hex
  596. # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  597. # Note that when running wpa_supplicant as an application, the user
  598. # certificate store (My user account) is used, whereas computer store
  599. # (Computer account) is used when running wpasvc as a service.
  600. # Alternatively, a named configuration blob can be used by setting this
  601. # to blob://<blob name>.
  602. # private_key_passwd: Password for private key file (if left out, this will be
  603. # asked through control interface)
  604. # dh_file: File path to DH/DSA parameters file (in PEM format)
  605. # This is an optional configuration file for setting parameters for an
  606. # ephemeral DH key exchange. In most cases, the default RSA
  607. # authentication does not use this configuration. However, it is possible
  608. # setup RSA to use ephemeral DH key exchange. In addition, ciphers with
  609. # DSA keys always use ephemeral DH keys. This can be used to achieve
  610. # forward secrecy. If the file is in DSA parameters format, it will be
  611. # automatically converted into DH params.
  612. # subject_match: Substring to be matched against the subject of the
  613. # authentication server certificate. If this string is set, the server
  614. # sertificate is only accepted if it contains this string in the subject.
  615. # The subject string is in following format:
  616. # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
  617. # altsubject_match: Semicolon separated string of entries to be matched against
  618. # the alternative subject name of the authentication server certificate.
  619. # If this string is set, the server sertificate is only accepted if it
  620. # contains one of the entries in an alternative subject name extension.
  621. # altSubjectName string is in following format: TYPE:VALUE
  622. # Example: EMAIL:server@example.com
  623. # Example: DNS:server.example.com;DNS:server2.example.com
  624. # Following types are supported: EMAIL, DNS, URI
  625. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
  626. # (string with field-value pairs, e.g., "peapver=0" or
  627. # "peapver=1 peaplabel=1")
  628. # 'peapver' can be used to force which PEAP version (0 or 1) is used.
  629. # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
  630. # to be used during key derivation when PEAPv1 or newer. Most existing
  631. # PEAPv1 implementation seem to be using the old label, "client EAP
  632. # encryption", and wpa_supplicant is now using that as the default value.
  633. # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
  634. # interoperate with PEAPv1; see eap_testing.txt for more details.
  635. # 'peap_outer_success=0' can be used to terminate PEAP authentication on
  636. # tunneled EAP-Success. This is required with some RADIUS servers that
  637. # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
  638. # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
  639. # include_tls_length=1 can be used to force wpa_supplicant to include
  640. # TLS Message Length field in all TLS messages even if they are not
  641. # fragmented.
  642. # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
  643. # challenges (by default, it accepts 2 or 3)
  644. # result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
  645. # protected result indication.
  646. # 'crypto_binding' option can be used to control PEAPv0 cryptobinding
  647. # behavior:
  648. # * 0 = do not use cryptobinding (default)
  649. # * 1 = use cryptobinding if server supports it
  650. # * 2 = require cryptobinding
  651. # EAP-WSC (WPS) uses following options: pin=<Device Password> or
  652. # pbc=1.
  653. # phase2: Phase2 (inner authentication with TLS tunnel) parameters
  654. # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
  655. # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
  656. #
  657. # TLS-based methods can use the following parameters to control TLS behavior
  658. # (these are normally in the phase1 parameter, but can be used also in the
  659. # phase2 parameter when EAP-TLS is used within the inner tunnel):
  660. # tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
  661. # TLS library, these may be disabled by default to enforce stronger
  662. # security)
  663. # tls_disable_time_checks=1 - ignore certificate validity time (this requests
  664. # the TLS library to accept certificates even if they are not currently
  665. # valid, i.e., have expired or have not yet become valid; this should be
  666. # used only for testing purposes)
  667. # tls_disable_session_ticket=1 - disable TLS Session Ticket extension
  668. # tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
  669. # Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
  670. # as a workaround for broken authentication server implementations unless
  671. # EAP workarounds are disabled with eap_workarounds=0.
  672. # For EAP-FAST, this must be set to 0 (or left unconfigured for the
  673. # default value to be used automatically).
  674. #
  675. # Following certificate/private key fields are used in inner Phase2
  676. # authentication when using EAP-TTLS or EAP-PEAP.
  677. # ca_cert2: File path to CA certificate file. This file can have one or more
  678. # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
  679. # server certificate will not be verified. This is insecure and a trusted
  680. # CA certificate should always be configured.
  681. # ca_path2: Directory path for CA certificate files (PEM)
  682. # client_cert2: File path to client certificate file
  683. # private_key2: File path to client private key file
  684. # private_key2_passwd: Password for private key file
  685. # dh_file2: File path to DH/DSA parameters file (in PEM format)
  686. # subject_match2: Substring to be matched against the subject of the
  687. # authentication server certificate.
  688. # altsubject_match2: Substring to be matched against the alternative subject
  689. # name of the authentication server certificate.
  690. #
  691. # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  692. # This value limits the fragment size for EAP methods that support
  693. # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
  694. # small enough to make the EAP messages fit in MTU of the network
  695. # interface used for EAPOL. The default value is suitable for most
  696. # cases.
  697. #
  698. # EAP-FAST variables:
  699. # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
  700. # to create this file and write updates to it when PAC is being
  701. # provisioned or refreshed. Full path to the file should be used since
  702. # working directory may change when wpa_supplicant is run in the
  703. # background. Alternatively, a named configuration blob can be used by
  704. # setting this to blob://<blob name>
  705. # phase1: fast_provisioning option can be used to enable in-line provisioning
  706. # of EAP-FAST credentials (PAC):
  707. # 0 = disabled,
  708. # 1 = allow unauthenticated provisioning,
  709. # 2 = allow authenticated provisioning,
  710. # 3 = allow both unauthenticated and authenticated provisioning
  711. # fast_max_pac_list_len=<num> option can be used to set the maximum
  712. # number of PAC entries to store in a PAC list (default: 10)
  713. # fast_pac_format=binary option can be used to select binary format for
  714. # storing PAC entries in order to save some space (the default
  715. # text format uses about 2.5 times the size of minimal binary
  716. # format)
  717. #
  718. # wpa_supplicant supports number of "EAP workarounds" to work around
  719. # interoperability issues with incorrectly behaving authentication servers.
  720. # These are enabled by default because some of the issues are present in large
  721. # number of authentication servers. Strict EAP conformance mode can be
  722. # configured by disabling workarounds with eap_workaround=0.
  723. # Station inactivity limit
  724. #
  725. # If a station does not send anything in ap_max_inactivity seconds, an
  726. # empty data frame is sent to it in order to verify whether it is
  727. # still in range. If this frame is not ACKed, the station will be
  728. # disassociated and then deauthenticated. This feature is used to
  729. # clear station table of old entries when the STAs move out of the
  730. # range.
  731. #
  732. # The station can associate again with the AP if it is still in range;
  733. # this inactivity poll is just used as a nicer way of verifying
  734. # inactivity; i.e., client will not report broken connection because
  735. # disassociation frame is not sent immediately without first polling
  736. # the STA with a data frame.
  737. # default: 300 (i.e., 5 minutes)
  738. #ap_max_inactivity=300
  739. # DTIM period in Beacon intervals for AP mode (default: 2)
  740. #dtim_period=2
  741. # Example blocks:
  742. # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
  743. network={
  744. ssid="simple"
  745. psk="very secret passphrase"
  746. priority=5
  747. }
  748. # Same as previous, but request SSID-specific scanning (for APs that reject
  749. # broadcast SSID)
  750. network={
  751. ssid="second ssid"
  752. scan_ssid=1
  753. psk="very secret passphrase"
  754. priority=2
  755. }
  756. # Only WPA-PSK is used. Any valid cipher combination is accepted.
  757. network={
  758. ssid="example"
  759. proto=WPA
  760. key_mgmt=WPA-PSK
  761. pairwise=CCMP TKIP
  762. group=CCMP TKIP WEP104 WEP40
  763. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  764. priority=2
  765. }
  766. # WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
  767. network={
  768. ssid="example"
  769. proto=WPA
  770. key_mgmt=WPA-PSK
  771. pairwise=TKIP
  772. group=TKIP
  773. psk="not so secure passphrase"
  774. wpa_ptk_rekey=600
  775. }
  776. # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
  777. # or WEP40 as the group cipher will not be accepted.
  778. network={
  779. ssid="example"
  780. proto=RSN
  781. key_mgmt=WPA-EAP
  782. pairwise=CCMP TKIP
  783. group=CCMP TKIP
  784. eap=TLS
  785. identity="user@example.com"
  786. ca_cert="/etc/cert/ca.pem"
  787. client_cert="/etc/cert/user.pem"
  788. private_key="/etc/cert/user.prv"
  789. private_key_passwd="password"
  790. priority=1
  791. }
  792. # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
  793. # (e.g., Radiator)
  794. network={
  795. ssid="example"
  796. key_mgmt=WPA-EAP
  797. eap=PEAP
  798. identity="user@example.com"
  799. password="foobar"
  800. ca_cert="/etc/cert/ca.pem"
  801. phase1="peaplabel=1"
  802. phase2="auth=MSCHAPV2"
  803. priority=10
  804. }
  805. # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
  806. # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
  807. network={
  808. ssid="example"
  809. key_mgmt=WPA-EAP
  810. eap=TTLS
  811. identity="user@example.com"
  812. anonymous_identity="anonymous@example.com"
  813. password="foobar"
  814. ca_cert="/etc/cert/ca.pem"
  815. priority=2
  816. }
  817. # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
  818. # use. Real identity is sent only within an encrypted TLS tunnel.
  819. network={
  820. ssid="example"
  821. key_mgmt=WPA-EAP
  822. eap=TTLS
  823. identity="user@example.com"
  824. anonymous_identity="anonymous@example.com"
  825. password="foobar"
  826. ca_cert="/etc/cert/ca.pem"
  827. phase2="auth=MSCHAPV2"
  828. }
  829. # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
  830. # authentication.
  831. network={
  832. ssid="example"
  833. key_mgmt=WPA-EAP
  834. eap=TTLS
  835. # Phase1 / outer authentication
  836. anonymous_identity="anonymous@example.com"
  837. ca_cert="/etc/cert/ca.pem"
  838. # Phase 2 / inner authentication
  839. phase2="autheap=TLS"
  840. ca_cert2="/etc/cert/ca2.pem"
  841. client_cert2="/etc/cer/user.pem"
  842. private_key2="/etc/cer/user.prv"
  843. private_key2_passwd="password"
  844. priority=2
  845. }
  846. # Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
  847. # group cipher.
  848. network={
  849. ssid="example"
  850. bssid=00:11:22:33:44:55
  851. proto=WPA RSN
  852. key_mgmt=WPA-PSK WPA-EAP
  853. pairwise=CCMP
  854. group=CCMP
  855. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  856. }
  857. # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
  858. # and all valid ciphers.
  859. network={
  860. ssid=00010203
  861. psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  862. }
  863. # EAP-SIM with a GSM SIM or USIM
  864. network={
  865. ssid="eap-sim-test"
  866. key_mgmt=WPA-EAP
  867. eap=SIM
  868. pin="1234"
  869. pcsc=""
  870. }
  871. # EAP-PSK
  872. network={
  873. ssid="eap-psk-test"
  874. key_mgmt=WPA-EAP
  875. eap=PSK
  876. anonymous_identity="eap_psk_user"
  877. password=06b4be19da289f475aa46a33cb793029
  878. identity="eap_psk_user@example.com"
  879. }
  880. # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
  881. # EAP-TLS for authentication and key generation; require both unicast and
  882. # broadcast WEP keys.
  883. network={
  884. ssid="1x-test"
  885. key_mgmt=IEEE8021X
  886. eap=TLS
  887. identity="user@example.com"
  888. ca_cert="/etc/cert/ca.pem"
  889. client_cert="/etc/cert/user.pem"
  890. private_key="/etc/cert/user.prv"
  891. private_key_passwd="password"
  892. eapol_flags=3
  893. }
  894. # LEAP with dynamic WEP keys
  895. network={
  896. ssid="leap-example"
  897. key_mgmt=IEEE8021X
  898. eap=LEAP
  899. identity="user"
  900. password="foobar"
  901. }
  902. # EAP-IKEv2 using shared secrets for both server and peer authentication
  903. network={
  904. ssid="ikev2-example"
  905. key_mgmt=WPA-EAP
  906. eap=IKEV2
  907. identity="user"
  908. password="foobar"
  909. }
  910. # EAP-FAST with WPA (WPA or WPA2)
  911. network={
  912. ssid="eap-fast-test"
  913. key_mgmt=WPA-EAP
  914. eap=FAST
  915. anonymous_identity="FAST-000102030405"
  916. identity="username"
  917. password="password"
  918. phase1="fast_provisioning=1"
  919. pac_file="/etc/wpa_supplicant.eap-fast-pac"
  920. }
  921. network={
  922. ssid="eap-fast-test"
  923. key_mgmt=WPA-EAP
  924. eap=FAST
  925. anonymous_identity="FAST-000102030405"
  926. identity="username"
  927. password="password"
  928. phase1="fast_provisioning=1"
  929. pac_file="blob://eap-fast-pac"
  930. }
  931. # Plaintext connection (no WPA, no IEEE 802.1X)
  932. network={
  933. ssid="plaintext-test"
  934. key_mgmt=NONE
  935. }
  936. # Shared WEP key connection (no WPA, no IEEE 802.1X)
  937. network={
  938. ssid="static-wep-test"
  939. key_mgmt=NONE
  940. wep_key0="abcde"
  941. wep_key1=0102030405
  942. wep_key2="1234567890123"
  943. wep_tx_keyidx=0
  944. priority=5
  945. }
  946. # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
  947. # IEEE 802.11 authentication
  948. network={
  949. ssid="static-wep-test2"
  950. key_mgmt=NONE
  951. wep_key0="abcde"
  952. wep_key1=0102030405
  953. wep_key2="1234567890123"
  954. wep_tx_keyidx=0
  955. priority=5
  956. auth_alg=SHARED
  957. }
  958. # IBSS/ad-hoc network with WPA-None/TKIP.
  959. network={
  960. ssid="test adhoc"
  961. mode=1
  962. frequency=2412
  963. proto=WPA
  964. key_mgmt=WPA-NONE
  965. pairwise=NONE
  966. group=TKIP
  967. psk="secret passphrase"
  968. }
  969. # Catch all example that allows more or less all configuration modes
  970. network={
  971. ssid="example"
  972. scan_ssid=1
  973. key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
  974. pairwise=CCMP TKIP
  975. group=CCMP TKIP WEP104 WEP40
  976. psk="very secret passphrase"
  977. eap=TTLS PEAP TLS
  978. identity="user@example.com"
  979. password="foobar"
  980. ca_cert="/etc/cert/ca.pem"
  981. client_cert="/etc/cert/user.pem"
  982. private_key="/etc/cert/user.prv"
  983. private_key_passwd="password"
  984. phase1="peaplabel=0"
  985. }
  986. # Example of EAP-TLS with smartcard (openssl engine)
  987. network={
  988. ssid="example"
  989. key_mgmt=WPA-EAP
  990. eap=TLS
  991. proto=RSN
  992. pairwise=CCMP TKIP
  993. group=CCMP TKIP
  994. identity="user@example.com"
  995. ca_cert="/etc/cert/ca.pem"
  996. client_cert="/etc/cert/user.pem"
  997. engine=1
  998. # The engine configured here must be available. Look at
  999. # OpenSSL engine support in the global section.
  1000. # The key available through the engine must be the private key
  1001. # matching the client certificate configured above.
  1002. # use the opensc engine
  1003. #engine_id="opensc"
  1004. #key_id="45"
  1005. # use the pkcs11 engine
  1006. engine_id="pkcs11"
  1007. key_id="id_45"
  1008. # Optional PIN configuration; this can be left out and PIN will be
  1009. # asked through the control interface
  1010. pin="1234"
  1011. }
  1012. # Example configuration showing how to use an inlined blob as a CA certificate
  1013. # data instead of using external file
  1014. network={
  1015. ssid="example"
  1016. key_mgmt=WPA-EAP
  1017. eap=TTLS
  1018. identity="user@example.com"
  1019. anonymous_identity="anonymous@example.com"
  1020. password="foobar"
  1021. ca_cert="blob://exampleblob"
  1022. priority=20
  1023. }
  1024. blob-base64-exampleblob={
  1025. SGVsbG8gV29ybGQhCg==
  1026. }
  1027. # Wildcard match for SSID (plaintext APs only). This example select any
  1028. # open AP regardless of its SSID.
  1029. network={
  1030. key_mgmt=NONE
  1031. }