wpa_supplicant.conf 41 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085
  1. ##### Example wpa_supplicant configuration file ###############################
  2. #
  3. # This file describes configuration file format and lists all available option.
  4. # Please also take a look at simpler configuration examples in 'examples'
  5. # subdirectory.
  6. #
  7. # Empty lines and lines starting with # are ignored
  8. # NOTE! This file may contain password information and should probably be made
  9. # readable only by root user on multiuser systems.
  10. # Note: All file paths in this configuration file should use full (absolute,
  11. # not relative to working directory) path in order to allow working directory
  12. # to be changed. This can happen if wpa_supplicant is run in the background.
  13. # Whether to allow wpa_supplicant to update (overwrite) configuration
  14. #
  15. # This option can be used to allow wpa_supplicant to overwrite configuration
  16. # file whenever configuration is changed (e.g., new network block is added with
  17. # wpa_cli or wpa_gui, or a password is changed). This is required for
  18. # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
  19. # Please note that overwriting configuration file will remove the comments from
  20. # it.
  21. #update_config=1
  22. # global configuration (shared by all network blocks)
  23. #
  24. # Parameters for the control interface. If this is specified, wpa_supplicant
  25. # will open a control interface that is available for external programs to
  26. # manage wpa_supplicant. The meaning of this string depends on which control
  27. # interface mechanism is used. For all cases, the existence of this parameter
  28. # in configuration is used to determine whether the control interface is
  29. # enabled.
  30. #
  31. # For UNIX domain sockets (default on Linux and BSD): This is a directory that
  32. # will be created for UNIX domain sockets for listening to requests from
  33. # external programs (CLI/GUI, etc.) for status information and configuration.
  34. # The socket file will be named based on the interface name, so multiple
  35. # wpa_supplicant processes can be run at the same time if more than one
  36. # interface is used.
  37. # /var/run/wpa_supplicant is the recommended directory for sockets and by
  38. # default, wpa_cli will use it when trying to connect with wpa_supplicant.
  39. #
  40. # Access control for the control interface can be configured by setting the
  41. # directory to allow only members of a group to use sockets. This way, it is
  42. # possible to run wpa_supplicant as root (since it needs to change network
  43. # configuration and open raw sockets) and still allow GUI/CLI components to be
  44. # run as non-root users. However, since the control interface can be used to
  45. # change the network configuration, this access needs to be protected in many
  46. # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
  47. # want to allow non-root users to use the control interface, add a new group
  48. # and change this value to match with that group. Add users that should have
  49. # control interface access to this group. If this variable is commented out or
  50. # not included in the configuration file, group will not be changed from the
  51. # value it got by default when the directory or socket was created.
  52. #
  53. # When configuring both the directory and group, use following format:
  54. # DIR=/var/run/wpa_supplicant GROUP=wheel
  55. # DIR=/var/run/wpa_supplicant GROUP=0
  56. # (group can be either group name or gid)
  57. #
  58. # For UDP connections (default on Windows): The value will be ignored. This
  59. # variable is just used to select that the control interface is to be created.
  60. # The value can be set to, e.g., udp (ctrl_interface=udp)
  61. #
  62. # For Windows Named Pipe: This value can be used to set the security descriptor
  63. # for controlling access to the control interface. Security descriptor can be
  64. # set using Security Descriptor String Format (see http://msdn.microsoft.com/
  65. # library/default.asp?url=/library/en-us/secauthz/security/
  66. # security_descriptor_string_format.asp). The descriptor string needs to be
  67. # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
  68. # DACL (which will reject all connections). See README-Windows.txt for more
  69. # information about SDDL string format.
  70. #
  71. ctrl_interface=/var/run/wpa_supplicant
  72. # IEEE 802.1X/EAPOL version
  73. # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
  74. # EAPOL version 2. However, there are many APs that do not handle the new
  75. # version number correctly (they seem to drop the frames completely). In order
  76. # to make wpa_supplicant interoperate with these APs, the version number is set
  77. # to 1 by default. This configuration value can be used to set it to the new
  78. # version (2).
  79. eapol_version=1
  80. # AP scanning/selection
  81. # By default, wpa_supplicant requests driver to perform AP scanning and then
  82. # uses the scan results to select a suitable AP. Another alternative is to
  83. # allow the driver to take care of AP scanning and selection and use
  84. # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
  85. # information from the driver.
  86. # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
  87. # the currently enabled networks are found, a new network (IBSS or AP mode
  88. # operation) may be initialized (if configured) (default)
  89. # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
  90. # parameters (e.g., WPA IE generation); this mode can also be used with
  91. # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
  92. # APs (i.e., external program needs to control association). This mode must
  93. # also be used when using wired Ethernet drivers.
  94. # 2: like 0, but associate with APs using security policy and SSID (but not
  95. # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
  96. # enable operation with hidden SSIDs and optimized roaming; in this mode,
  97. # the network blocks in the configuration file are tried one by one until
  98. # the driver reports successful association; each network block should have
  99. # explicit security policy (i.e., only one option in the lists) for
  100. # key_mgmt, pairwise, group, proto variables
  101. # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
  102. # created immediately regardless of scan results. ap_scan=1 mode will first try
  103. # to scan for existing networks and only if no matches with the enabled
  104. # networks are found, a new IBSS or AP mode network is created.
  105. ap_scan=1
  106. # EAP fast re-authentication
  107. # By default, fast re-authentication is enabled for all EAP methods that
  108. # support it. This variable can be used to disable fast re-authentication.
  109. # Normally, there is no need to disable this.
  110. fast_reauth=1
  111. # OpenSSL Engine support
  112. # These options can be used to load OpenSSL engines.
  113. # The two engines that are supported currently are shown below:
  114. # They are both from the opensc project (http://www.opensc.org/)
  115. # By default no engines are loaded.
  116. # make the opensc engine available
  117. #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
  118. # make the pkcs11 engine available
  119. #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
  120. # configure the path to the pkcs11 module required by the pkcs11 engine
  121. #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
  122. # Dynamic EAP methods
  123. # If EAP methods were built dynamically as shared object files, they need to be
  124. # loaded here before being used in the network blocks. By default, EAP methods
  125. # are included statically in the build, so these lines are not needed
  126. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
  127. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
  128. # Driver interface parameters
  129. # This field can be used to configure arbitrary driver interace parameters. The
  130. # format is specific to the selected driver interface. This field is not used
  131. # in most cases.
  132. #driver_param="field=value"
  133. # Country code
  134. # The ISO/IEC alpha2 country code for the country in which this device is
  135. # currently operating.
  136. #country=US
  137. # Maximum lifetime for PMKSA in seconds; default 43200
  138. #dot11RSNAConfigPMKLifetime=43200
  139. # Threshold for reauthentication (percentage of PMK lifetime); default 70
  140. #dot11RSNAConfigPMKReauthThreshold=70
  141. # Timeout for security association negotiation in seconds; default 60
  142. #dot11RSNAConfigSATimeout=60
  143. # Wi-Fi Protected Setup (WPS) parameters
  144. # Universally Unique IDentifier (UUID; see RFC 4122) of the device
  145. # If not configured, UUID will be generated based on the local MAC address.
  146. #uuid=12345678-9abc-def0-1234-56789abcdef0
  147. # Device Name
  148. # User-friendly description of device; up to 32 octets encoded in UTF-8
  149. #device_name=Wireless Client
  150. # Manufacturer
  151. # The manufacturer of the device (up to 64 ASCII characters)
  152. #manufacturer=Company
  153. # Model Name
  154. # Model of the device (up to 32 ASCII characters)
  155. #model_name=cmodel
  156. # Model Number
  157. # Additional device description (up to 32 ASCII characters)
  158. #model_number=123
  159. # Serial Number
  160. # Serial number of the device (up to 32 characters)
  161. #serial_number=12345
  162. # Primary Device Type
  163. # Used format: <categ>-<OUI>-<subcateg>
  164. # categ = Category as an integer value
  165. # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
  166. # default WPS OUI
  167. # subcateg = OUI-specific Sub Category as an integer value
  168. # Examples:
  169. # 1-0050F204-1 (Computer / PC)
  170. # 1-0050F204-2 (Computer / Server)
  171. # 5-0050F204-1 (Storage / NAS)
  172. # 6-0050F204-1 (Network Infrastructure / AP)
  173. #device_type=1-0050F204-1
  174. # OS Version
  175. # 4-octet operating system version number (hex string)
  176. #os_version=01020300
  177. # Config Methods
  178. # List of the supported configuration methods
  179. # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
  180. # nfc_interface push_button keypad virtual_display physical_display
  181. # virtual_push_button physical_push_button
  182. # For WSC 1.0:
  183. #config_methods=label display push_button keypad
  184. # For WSC 2.0:
  185. #config_methods=label virtual_display virtual_push_button keypad
  186. # Credential processing
  187. # 0 = process received credentials internally (default)
  188. # 1 = do not process received credentials; just pass them over ctrl_iface to
  189. # external program(s)
  190. # 2 = process received credentials internally and pass them over ctrl_iface
  191. # to external program(s)
  192. #wps_cred_processing=0
  193. # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
  194. # The vendor attribute contents to be added in M1 (hex string)
  195. #wps_vendor_ext_m1=000137100100020001
  196. # NFC password token for WPS
  197. # These parameters can be used to configure a fixed NFC password token for the
  198. # station. This can be generated, e.g., with nfc_pw_token. When these
  199. # parameters are used, the station is assumed to be deployed with a NFC tag
  200. # that includes the matching NFC password token (e.g., written based on the
  201. # NDEF record from nfc_pw_token).
  202. #
  203. #wps_nfc_dev_pw_id: Device Password ID (16..65535)
  204. #wps_nfc_dh_pubkey: Hexdump of DH Public Key
  205. #wps_nfc_dh_privkey: Hexdump of DH Private Key
  206. #wps_nfc_dev_pw: Hexdump of Device Password
  207. # Maximum number of BSS entries to keep in memory
  208. # Default: 200
  209. # This can be used to limit memory use on the BSS entries (cached scan
  210. # results). A larger value may be needed in environments that have huge number
  211. # of APs when using ap_scan=1 mode.
  212. #bss_max_count=200
  213. # Automatic scan
  214. # This is an optional set of parameters for automatic scanning
  215. # within an interface in following format:
  216. #autoscan=<autoscan module name>:<module parameters>
  217. # autoscan is like bgscan but on disconnected or inactive state.
  218. # For instance, on exponential module parameters would be <base>:<limit>
  219. #autoscan=exponential:3:300
  220. # Which means a delay between scans on a base exponential of 3,
  221. # up to the limit of 300 seconds (3, 9, 27 ... 300)
  222. # For periodic module, parameters would be <fixed interval>
  223. #autoscan=periodic:30
  224. # So a delay of 30 seconds will be applied between each scan
  225. # filter_ssids - SSID-based scan result filtering
  226. # 0 = do not filter scan results (default)
  227. # 1 = only include configured SSIDs in scan results/BSS table
  228. #filter_ssids=0
  229. # Password (and passphrase, etc.) backend for external storage
  230. # format: <backend name>[:<optional backend parameters>]
  231. #ext_password_backend=test:pw1=password|pw2=testing
  232. # Interworking (IEEE 802.11u)
  233. # Enable Interworking
  234. # interworking=1
  235. # Homogenous ESS identifier
  236. # If this is set, scans will be used to request response only from BSSes
  237. # belonging to the specified Homogeneous ESS. This is used only if interworking
  238. # is enabled.
  239. # hessid=00:11:22:33:44:55
  240. # credential block
  241. #
  242. # Each credential used for automatic network selection is configured as a set
  243. # of parameters that are compared to the information advertised by the APs when
  244. # interworking_select and interworking_connect commands are used.
  245. #
  246. # credential fields:
  247. #
  248. # priority: Priority group
  249. # By default, all networks and credentials get the same priority group
  250. # (0). This field can be used to give higher priority for credentials
  251. # (and similarly in struct wpa_ssid for network blocks) to change the
  252. # Interworking automatic networking selection behavior. The matching
  253. # network (based on either an enabled network block or a credential)
  254. # with the highest priority value will be selected.
  255. #
  256. # pcsc: Use PC/SC and SIM/USIM card
  257. #
  258. # realm: Home Realm for Interworking
  259. #
  260. # username: Username for Interworking network selection
  261. #
  262. # password: Password for Interworking network selection
  263. #
  264. # ca_cert: CA certificate for Interworking network selection
  265. #
  266. # client_cert: File path to client certificate file (PEM/DER)
  267. # This field is used with Interworking networking selection for a case
  268. # where client certificate/private key is used for authentication
  269. # (EAP-TLS). Full path to the file should be used since working
  270. # directory may change when wpa_supplicant is run in the background.
  271. #
  272. # Alternatively, a named configuration blob can be used by setting
  273. # this to blob://blob_name.
  274. #
  275. # private_key: File path to client private key file (PEM/DER/PFX)
  276. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  277. # commented out. Both the private key and certificate will be read
  278. # from the PKCS#12 file in this case. Full path to the file should be
  279. # used since working directory may change when wpa_supplicant is run
  280. # in the background.
  281. #
  282. # Windows certificate store can be used by leaving client_cert out and
  283. # configuring private_key in one of the following formats:
  284. #
  285. # cert://substring_to_match
  286. #
  287. # hash://certificate_thumbprint_in_hex
  288. #
  289. # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  290. #
  291. # Note that when running wpa_supplicant as an application, the user
  292. # certificate store (My user account) is used, whereas computer store
  293. # (Computer account) is used when running wpasvc as a service.
  294. #
  295. # Alternatively, a named configuration blob can be used by setting
  296. # this to blob://blob_name.
  297. #
  298. # private_key_passwd: Password for private key file
  299. #
  300. # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
  301. #
  302. # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
  303. # format
  304. #
  305. # domain: Home service provider FQDN
  306. # This is used to compare against the Domain Name List to figure out
  307. # whether the AP is operated by the Home SP.
  308. #
  309. # roaming_consortium: Roaming Consortium OI
  310. # If roaming_consortium_len is non-zero, this field contains the
  311. # Roaming Consortium OI that can be used to determine which access
  312. # points support authentication with this credential. This is an
  313. # alternative to the use of the realm parameter. When using Roaming
  314. # Consortium to match the network, the EAP parameters need to be
  315. # pre-configured with the credential since the NAI Realm information
  316. # may not be available or fetched.
  317. #
  318. # eap: Pre-configured EAP method
  319. # This optional field can be used to specify which EAP method will be
  320. # used with this credential. If not set, the EAP method is selected
  321. # automatically based on ANQP information (e.g., NAI Realm).
  322. #
  323. # phase1: Pre-configure Phase 1 (outer authentication) parameters
  324. # This optional field is used with like the 'eap' parameter.
  325. #
  326. # phase2: Pre-configure Phase 2 (inner authentication) parameters
  327. # This optional field is used with like the 'eap' parameter.
  328. #
  329. # for example:
  330. #
  331. #cred={
  332. # realm="example.com"
  333. # username="user@example.com"
  334. # password="password"
  335. # ca_cert="/etc/wpa_supplicant/ca.pem"
  336. # domain="example.com"
  337. #}
  338. #
  339. #cred={
  340. # imsi="310026-000000000"
  341. # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
  342. #}
  343. #
  344. #cred={
  345. # realm="example.com"
  346. # username="user"
  347. # password="password"
  348. # ca_cert="/etc/wpa_supplicant/ca.pem"
  349. # domain="example.com"
  350. # roaming_consortium=223344
  351. # eap=TTLS
  352. # phase2="auth=MSCHAPV2"
  353. #}
  354. # Hotspot 2.0
  355. # hs20=1
  356. # network block
  357. #
  358. # Each network (usually AP's sharing the same SSID) is configured as a separate
  359. # block in this configuration file. The network blocks are in preference order
  360. # (the first match is used).
  361. #
  362. # network block fields:
  363. #
  364. # disabled:
  365. # 0 = this network can be used (default)
  366. # 1 = this network block is disabled (can be enabled through ctrl_iface,
  367. # e.g., with wpa_cli or wpa_gui)
  368. #
  369. # id_str: Network identifier string for external scripts. This value is passed
  370. # to external action script through wpa_cli as WPA_ID_STR environment
  371. # variable to make it easier to do network specific configuration.
  372. #
  373. # ssid: SSID (mandatory); either as an ASCII string with double quotation or
  374. # as hex string; network name
  375. #
  376. # scan_ssid:
  377. # 0 = do not scan this SSID with specific Probe Request frames (default)
  378. # 1 = scan with SSID-specific Probe Request frames (this can be used to
  379. # find APs that do not accept broadcast SSID or use multiple SSIDs;
  380. # this will add latency to scanning, so enable this only when needed)
  381. #
  382. # bssid: BSSID (optional); if set, this network block is used only when
  383. # associating with the AP using the configured BSSID
  384. #
  385. # priority: priority group (integer)
  386. # By default, all networks will get same priority group (0). If some of the
  387. # networks are more desirable, this field can be used to change the order in
  388. # which wpa_supplicant goes through the networks when selecting a BSS. The
  389. # priority groups will be iterated in decreasing priority (i.e., the larger the
  390. # priority value, the sooner the network is matched against the scan results).
  391. # Within each priority group, networks will be selected based on security
  392. # policy, signal strength, etc.
  393. # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
  394. # using this priority to select the order for scanning. Instead, they try the
  395. # networks in the order that used in the configuration file.
  396. #
  397. # mode: IEEE 802.11 operation mode
  398. # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
  399. # 1 = IBSS (ad-hoc, peer-to-peer)
  400. # 2 = AP (access point)
  401. # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
  402. # and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires
  403. # following network block options:
  404. # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
  405. # both), and psk must also be set.
  406. #
  407. # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
  408. # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
  409. # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
  410. # In addition, this value is only used by the station that creates the IBSS. If
  411. # an IBSS network with the configured SSID is already present, the frequency of
  412. # the network will be used instead of this configured value.
  413. #
  414. # scan_freq: List of frequencies to scan
  415. # Space-separated list of frequencies in MHz to scan when searching for this
  416. # BSS. If the subset of channels used by the network is known, this option can
  417. # be used to optimize scanning to not occur on channels that the network does
  418. # not use. Example: scan_freq=2412 2437 2462
  419. #
  420. # freq_list: Array of allowed frequencies
  421. # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
  422. # set, scan results that do not match any of the specified frequencies are not
  423. # considered when selecting a BSS.
  424. #
  425. # proto: list of accepted protocols
  426. # WPA = WPA/IEEE 802.11i/D3.0
  427. # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
  428. # If not set, this defaults to: WPA RSN
  429. #
  430. # key_mgmt: list of accepted authenticated key management protocols
  431. # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
  432. # WPA-EAP = WPA using EAP authentication
  433. # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
  434. # generated WEP keys
  435. # NONE = WPA is not used; plaintext or static WEP could be used
  436. # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
  437. # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
  438. # If not set, this defaults to: WPA-PSK WPA-EAP
  439. #
  440. # ieee80211w: whether management frame protection is enabled
  441. # 0 = disabled (default)
  442. # 1 = optional
  443. # 2 = required
  444. # The most common configuration options for this based on the PMF (protected
  445. # management frames) certification program are:
  446. # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
  447. # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
  448. # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
  449. #
  450. # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  451. # OPEN = Open System authentication (required for WPA/WPA2)
  452. # SHARED = Shared Key authentication (requires static WEP keys)
  453. # LEAP = LEAP/Network EAP (only used with LEAP)
  454. # If not set, automatic selection is used (Open System with LEAP enabled if
  455. # LEAP is allowed as one of the EAP methods).
  456. #
  457. # pairwise: list of accepted pairwise (unicast) ciphers for WPA
  458. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  459. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  460. # NONE = Use only Group Keys (deprecated, should not be included if APs support
  461. # pairwise keys)
  462. # If not set, this defaults to: CCMP TKIP
  463. #
  464. # group: list of accepted group (broadcast/multicast) ciphers for WPA
  465. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  466. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  467. # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
  468. # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
  469. # If not set, this defaults to: CCMP TKIP WEP104 WEP40
  470. #
  471. # psk: WPA preshared key; 256-bit pre-shared key
  472. # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
  473. # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
  474. # generated using the passphrase and SSID). ASCII passphrase must be between
  475. # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
  476. # be used to indicate that the PSK/passphrase is stored in external storage.
  477. # This field is not needed, if WPA-EAP is used.
  478. # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
  479. # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
  480. # startup and reconfiguration time can be optimized by generating the PSK only
  481. # only when the passphrase or SSID has actually changed.
  482. #
  483. # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
  484. # Dynamic WEP key required for non-WPA mode
  485. # bit0 (1): require dynamically generated unicast WEP key
  486. # bit1 (2): require dynamically generated broadcast WEP key
  487. # (3 = require both keys; default)
  488. # Note: When using wired authentication, eapol_flags must be set to 0 for the
  489. # authentication to be completed successfully.
  490. #
  491. # mixed_cell: This option can be used to configure whether so called mixed
  492. # cells, i.e., networks that use both plaintext and encryption in the same
  493. # SSID, are allowed when selecting a BSS from scan results.
  494. # 0 = disabled (default)
  495. # 1 = enabled
  496. #
  497. # proactive_key_caching:
  498. # Enable/disable opportunistic PMKSA caching for WPA2.
  499. # 0 = disabled (default)
  500. # 1 = enabled
  501. #
  502. # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
  503. # hex without quotation, e.g., 0102030405)
  504. # wep_tx_keyidx: Default WEP key index (TX) (0..3)
  505. #
  506. # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
  507. # allowed. This is only used with RSN/WPA2.
  508. # 0 = disabled (default)
  509. # 1 = enabled
  510. #peerkey=1
  511. #
  512. # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
  513. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
  514. #
  515. # Following fields are only used with internal EAP implementation.
  516. # eap: space-separated list of accepted EAP methods
  517. # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
  518. # cannot be used with WPA; to be used as a Phase 2 method
  519. # with EAP-PEAP or EAP-TTLS)
  520. # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
  521. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  522. # OTP = EAP-OTP (cannot be used separately with WPA; to be used
  523. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  524. # GTC = EAP-GTC (cannot be used separately with WPA; to be used
  525. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  526. # TLS = EAP-TLS (client and server certificate)
  527. # PEAP = EAP-PEAP (with tunnelled EAP authentication)
  528. # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
  529. # authentication)
  530. # If not set, all compiled in methods are allowed.
  531. #
  532. # identity: Identity string for EAP
  533. # This field is also used to configure user NAI for
  534. # EAP-PSK/PAX/SAKE/GPSK.
  535. # anonymous_identity: Anonymous identity string for EAP (to be used as the
  536. # unencrypted identity with EAP types that support different tunnelled
  537. # identity, e.g., EAP-TTLS)
  538. # password: Password string for EAP. This field can include either the
  539. # plaintext password (using ASCII or hex string) or a NtPasswordHash
  540. # (16-byte MD4 hash of password) in hash:<32 hex digits> format.
  541. # NtPasswordHash can only be used when the password is for MSCHAPv2 or
  542. # MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
  543. # EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
  544. # PSK) is also configured using this field. For EAP-GPSK, this is a
  545. # variable length PSK. ext:<name of external password field> format can
  546. # be used to indicate that the password is stored in external storage.
  547. # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
  548. # or more trusted CA certificates. If ca_cert and ca_path are not
  549. # included, server certificate will not be verified. This is insecure and
  550. # a trusted CA certificate should always be configured when using
  551. # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
  552. # change when wpa_supplicant is run in the background.
  553. #
  554. # Alternatively, this can be used to only perform matching of the server
  555. # certificate (SHA-256 hash of the DER encoded X.509 certificate). In
  556. # this case, the possible CA certificates in the server certificate chain
  557. # are ignored and only the server certificate is verified. This is
  558. # configured with the following format:
  559. # hash:://server/sha256/cert_hash_in_hex
  560. # For example: "hash://server/sha256/
  561. # 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
  562. #
  563. # On Windows, trusted CA certificates can be loaded from the system
  564. # certificate store by setting this to cert_store://<name>, e.g.,
  565. # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
  566. # Note that when running wpa_supplicant as an application, the user
  567. # certificate store (My user account) is used, whereas computer store
  568. # (Computer account) is used when running wpasvc as a service.
  569. # ca_path: Directory path for CA certificate files (PEM). This path may
  570. # contain multiple CA certificates in OpenSSL format. Common use for this
  571. # is to point to system trusted CA list which is often installed into
  572. # directory like /etc/ssl/certs. If configured, these certificates are
  573. # added to the list of trusted CAs. ca_cert may also be included in that
  574. # case, but it is not required.
  575. # client_cert: File path to client certificate file (PEM/DER)
  576. # Full path should be used since working directory may change when
  577. # wpa_supplicant is run in the background.
  578. # Alternatively, a named configuration blob can be used by setting this
  579. # to blob://<blob name>.
  580. # private_key: File path to client private key file (PEM/DER/PFX)
  581. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  582. # commented out. Both the private key and certificate will be read from
  583. # the PKCS#12 file in this case. Full path should be used since working
  584. # directory may change when wpa_supplicant is run in the background.
  585. # Windows certificate store can be used by leaving client_cert out and
  586. # configuring private_key in one of the following formats:
  587. # cert://substring_to_match
  588. # hash://certificate_thumbprint_in_hex
  589. # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  590. # Note that when running wpa_supplicant as an application, the user
  591. # certificate store (My user account) is used, whereas computer store
  592. # (Computer account) is used when running wpasvc as a service.
  593. # Alternatively, a named configuration blob can be used by setting this
  594. # to blob://<blob name>.
  595. # private_key_passwd: Password for private key file (if left out, this will be
  596. # asked through control interface)
  597. # dh_file: File path to DH/DSA parameters file (in PEM format)
  598. # This is an optional configuration file for setting parameters for an
  599. # ephemeral DH key exchange. In most cases, the default RSA
  600. # authentication does not use this configuration. However, it is possible
  601. # setup RSA to use ephemeral DH key exchange. In addition, ciphers with
  602. # DSA keys always use ephemeral DH keys. This can be used to achieve
  603. # forward secrecy. If the file is in DSA parameters format, it will be
  604. # automatically converted into DH params.
  605. # subject_match: Substring to be matched against the subject of the
  606. # authentication server certificate. If this string is set, the server
  607. # sertificate is only accepted if it contains this string in the subject.
  608. # The subject string is in following format:
  609. # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
  610. # altsubject_match: Semicolon separated string of entries to be matched against
  611. # the alternative subject name of the authentication server certificate.
  612. # If this string is set, the server sertificate is only accepted if it
  613. # contains one of the entries in an alternative subject name extension.
  614. # altSubjectName string is in following format: TYPE:VALUE
  615. # Example: EMAIL:server@example.com
  616. # Example: DNS:server.example.com;DNS:server2.example.com
  617. # Following types are supported: EMAIL, DNS, URI
  618. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
  619. # (string with field-value pairs, e.g., "peapver=0" or
  620. # "peapver=1 peaplabel=1")
  621. # 'peapver' can be used to force which PEAP version (0 or 1) is used.
  622. # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
  623. # to be used during key derivation when PEAPv1 or newer. Most existing
  624. # PEAPv1 implementation seem to be using the old label, "client EAP
  625. # encryption", and wpa_supplicant is now using that as the default value.
  626. # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
  627. # interoperate with PEAPv1; see eap_testing.txt for more details.
  628. # 'peap_outer_success=0' can be used to terminate PEAP authentication on
  629. # tunneled EAP-Success. This is required with some RADIUS servers that
  630. # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
  631. # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
  632. # include_tls_length=1 can be used to force wpa_supplicant to include
  633. # TLS Message Length field in all TLS messages even if they are not
  634. # fragmented.
  635. # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
  636. # challenges (by default, it accepts 2 or 3)
  637. # result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
  638. # protected result indication.
  639. # 'crypto_binding' option can be used to control PEAPv0 cryptobinding
  640. # behavior:
  641. # * 0 = do not use cryptobinding (default)
  642. # * 1 = use cryptobinding if server supports it
  643. # * 2 = require cryptobinding
  644. # EAP-WSC (WPS) uses following options: pin=<Device Password> or
  645. # pbc=1.
  646. # phase2: Phase2 (inner authentication with TLS tunnel) parameters
  647. # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
  648. # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
  649. # Following certificate/private key fields are used in inner Phase2
  650. # authentication when using EAP-TTLS or EAP-PEAP.
  651. # ca_cert2: File path to CA certificate file. This file can have one or more
  652. # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
  653. # server certificate will not be verified. This is insecure and a trusted
  654. # CA certificate should always be configured.
  655. # ca_path2: Directory path for CA certificate files (PEM)
  656. # client_cert2: File path to client certificate file
  657. # private_key2: File path to client private key file
  658. # private_key2_passwd: Password for private key file
  659. # dh_file2: File path to DH/DSA parameters file (in PEM format)
  660. # subject_match2: Substring to be matched against the subject of the
  661. # authentication server certificate.
  662. # altsubject_match2: Substring to be matched against the alternative subject
  663. # name of the authentication server certificate.
  664. #
  665. # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  666. # This value limits the fragment size for EAP methods that support
  667. # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
  668. # small enough to make the EAP messages fit in MTU of the network
  669. # interface used for EAPOL. The default value is suitable for most
  670. # cases.
  671. #
  672. # EAP-FAST variables:
  673. # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
  674. # to create this file and write updates to it when PAC is being
  675. # provisioned or refreshed. Full path to the file should be used since
  676. # working directory may change when wpa_supplicant is run in the
  677. # background. Alternatively, a named configuration blob can be used by
  678. # setting this to blob://<blob name>
  679. # phase1: fast_provisioning option can be used to enable in-line provisioning
  680. # of EAP-FAST credentials (PAC):
  681. # 0 = disabled,
  682. # 1 = allow unauthenticated provisioning,
  683. # 2 = allow authenticated provisioning,
  684. # 3 = allow both unauthenticated and authenticated provisioning
  685. # fast_max_pac_list_len=<num> option can be used to set the maximum
  686. # number of PAC entries to store in a PAC list (default: 10)
  687. # fast_pac_format=binary option can be used to select binary format for
  688. # storing PAC entries in order to save some space (the default
  689. # text format uses about 2.5 times the size of minimal binary
  690. # format)
  691. #
  692. # wpa_supplicant supports number of "EAP workarounds" to work around
  693. # interoperability issues with incorrectly behaving authentication servers.
  694. # These are enabled by default because some of the issues are present in large
  695. # number of authentication servers. Strict EAP conformance mode can be
  696. # configured by disabling workarounds with eap_workaround=0.
  697. # Station inactivity limit
  698. #
  699. # If a station does not send anything in ap_max_inactivity seconds, an
  700. # empty data frame is sent to it in order to verify whether it is
  701. # still in range. If this frame is not ACKed, the station will be
  702. # disassociated and then deauthenticated. This feature is used to
  703. # clear station table of old entries when the STAs move out of the
  704. # range.
  705. #
  706. # The station can associate again with the AP if it is still in range;
  707. # this inactivity poll is just used as a nicer way of verifying
  708. # inactivity; i.e., client will not report broken connection because
  709. # disassociation frame is not sent immediately without first polling
  710. # the STA with a data frame.
  711. # default: 300 (i.e., 5 minutes)
  712. #ap_max_inactivity=300
  713. # DTIM period in Beacon intervals for AP mode (default: 2)
  714. #dtim_period=2
  715. # Example blocks:
  716. # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
  717. network={
  718. ssid="simple"
  719. psk="very secret passphrase"
  720. priority=5
  721. }
  722. # Same as previous, but request SSID-specific scanning (for APs that reject
  723. # broadcast SSID)
  724. network={
  725. ssid="second ssid"
  726. scan_ssid=1
  727. psk="very secret passphrase"
  728. priority=2
  729. }
  730. # Only WPA-PSK is used. Any valid cipher combination is accepted.
  731. network={
  732. ssid="example"
  733. proto=WPA
  734. key_mgmt=WPA-PSK
  735. pairwise=CCMP TKIP
  736. group=CCMP TKIP WEP104 WEP40
  737. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  738. priority=2
  739. }
  740. # WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
  741. network={
  742. ssid="example"
  743. proto=WPA
  744. key_mgmt=WPA-PSK
  745. pairwise=TKIP
  746. group=TKIP
  747. psk="not so secure passphrase"
  748. wpa_ptk_rekey=600
  749. }
  750. # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
  751. # or WEP40 as the group cipher will not be accepted.
  752. network={
  753. ssid="example"
  754. proto=RSN
  755. key_mgmt=WPA-EAP
  756. pairwise=CCMP TKIP
  757. group=CCMP TKIP
  758. eap=TLS
  759. identity="user@example.com"
  760. ca_cert="/etc/cert/ca.pem"
  761. client_cert="/etc/cert/user.pem"
  762. private_key="/etc/cert/user.prv"
  763. private_key_passwd="password"
  764. priority=1
  765. }
  766. # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
  767. # (e.g., Radiator)
  768. network={
  769. ssid="example"
  770. key_mgmt=WPA-EAP
  771. eap=PEAP
  772. identity="user@example.com"
  773. password="foobar"
  774. ca_cert="/etc/cert/ca.pem"
  775. phase1="peaplabel=1"
  776. phase2="auth=MSCHAPV2"
  777. priority=10
  778. }
  779. # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
  780. # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
  781. network={
  782. ssid="example"
  783. key_mgmt=WPA-EAP
  784. eap=TTLS
  785. identity="user@example.com"
  786. anonymous_identity="anonymous@example.com"
  787. password="foobar"
  788. ca_cert="/etc/cert/ca.pem"
  789. priority=2
  790. }
  791. # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
  792. # use. Real identity is sent only within an encrypted TLS tunnel.
  793. network={
  794. ssid="example"
  795. key_mgmt=WPA-EAP
  796. eap=TTLS
  797. identity="user@example.com"
  798. anonymous_identity="anonymous@example.com"
  799. password="foobar"
  800. ca_cert="/etc/cert/ca.pem"
  801. phase2="auth=MSCHAPV2"
  802. }
  803. # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
  804. # authentication.
  805. network={
  806. ssid="example"
  807. key_mgmt=WPA-EAP
  808. eap=TTLS
  809. # Phase1 / outer authentication
  810. anonymous_identity="anonymous@example.com"
  811. ca_cert="/etc/cert/ca.pem"
  812. # Phase 2 / inner authentication
  813. phase2="autheap=TLS"
  814. ca_cert2="/etc/cert/ca2.pem"
  815. client_cert2="/etc/cer/user.pem"
  816. private_key2="/etc/cer/user.prv"
  817. private_key2_passwd="password"
  818. priority=2
  819. }
  820. # Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
  821. # group cipher.
  822. network={
  823. ssid="example"
  824. bssid=00:11:22:33:44:55
  825. proto=WPA RSN
  826. key_mgmt=WPA-PSK WPA-EAP
  827. pairwise=CCMP
  828. group=CCMP
  829. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  830. }
  831. # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
  832. # and all valid ciphers.
  833. network={
  834. ssid=00010203
  835. psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  836. }
  837. # EAP-SIM with a GSM SIM or USIM
  838. network={
  839. ssid="eap-sim-test"
  840. key_mgmt=WPA-EAP
  841. eap=SIM
  842. pin="1234"
  843. pcsc=""
  844. }
  845. # EAP-PSK
  846. network={
  847. ssid="eap-psk-test"
  848. key_mgmt=WPA-EAP
  849. eap=PSK
  850. anonymous_identity="eap_psk_user"
  851. password=06b4be19da289f475aa46a33cb793029
  852. identity="eap_psk_user@example.com"
  853. }
  854. # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
  855. # EAP-TLS for authentication and key generation; require both unicast and
  856. # broadcast WEP keys.
  857. network={
  858. ssid="1x-test"
  859. key_mgmt=IEEE8021X
  860. eap=TLS
  861. identity="user@example.com"
  862. ca_cert="/etc/cert/ca.pem"
  863. client_cert="/etc/cert/user.pem"
  864. private_key="/etc/cert/user.prv"
  865. private_key_passwd="password"
  866. eapol_flags=3
  867. }
  868. # LEAP with dynamic WEP keys
  869. network={
  870. ssid="leap-example"
  871. key_mgmt=IEEE8021X
  872. eap=LEAP
  873. identity="user"
  874. password="foobar"
  875. }
  876. # EAP-IKEv2 using shared secrets for both server and peer authentication
  877. network={
  878. ssid="ikev2-example"
  879. key_mgmt=WPA-EAP
  880. eap=IKEV2
  881. identity="user"
  882. password="foobar"
  883. }
  884. # EAP-FAST with WPA (WPA or WPA2)
  885. network={
  886. ssid="eap-fast-test"
  887. key_mgmt=WPA-EAP
  888. eap=FAST
  889. anonymous_identity="FAST-000102030405"
  890. identity="username"
  891. password="password"
  892. phase1="fast_provisioning=1"
  893. pac_file="/etc/wpa_supplicant.eap-fast-pac"
  894. }
  895. network={
  896. ssid="eap-fast-test"
  897. key_mgmt=WPA-EAP
  898. eap=FAST
  899. anonymous_identity="FAST-000102030405"
  900. identity="username"
  901. password="password"
  902. phase1="fast_provisioning=1"
  903. pac_file="blob://eap-fast-pac"
  904. }
  905. # Plaintext connection (no WPA, no IEEE 802.1X)
  906. network={
  907. ssid="plaintext-test"
  908. key_mgmt=NONE
  909. }
  910. # Shared WEP key connection (no WPA, no IEEE 802.1X)
  911. network={
  912. ssid="static-wep-test"
  913. key_mgmt=NONE
  914. wep_key0="abcde"
  915. wep_key1=0102030405
  916. wep_key2="1234567890123"
  917. wep_tx_keyidx=0
  918. priority=5
  919. }
  920. # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
  921. # IEEE 802.11 authentication
  922. network={
  923. ssid="static-wep-test2"
  924. key_mgmt=NONE
  925. wep_key0="abcde"
  926. wep_key1=0102030405
  927. wep_key2="1234567890123"
  928. wep_tx_keyidx=0
  929. priority=5
  930. auth_alg=SHARED
  931. }
  932. # IBSS/ad-hoc network with WPA-None/TKIP.
  933. network={
  934. ssid="test adhoc"
  935. mode=1
  936. frequency=2412
  937. proto=WPA
  938. key_mgmt=WPA-NONE
  939. pairwise=NONE
  940. group=TKIP
  941. psk="secret passphrase"
  942. }
  943. # Catch all example that allows more or less all configuration modes
  944. network={
  945. ssid="example"
  946. scan_ssid=1
  947. key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
  948. pairwise=CCMP TKIP
  949. group=CCMP TKIP WEP104 WEP40
  950. psk="very secret passphrase"
  951. eap=TTLS PEAP TLS
  952. identity="user@example.com"
  953. password="foobar"
  954. ca_cert="/etc/cert/ca.pem"
  955. client_cert="/etc/cert/user.pem"
  956. private_key="/etc/cert/user.prv"
  957. private_key_passwd="password"
  958. phase1="peaplabel=0"
  959. }
  960. # Example of EAP-TLS with smartcard (openssl engine)
  961. network={
  962. ssid="example"
  963. key_mgmt=WPA-EAP
  964. eap=TLS
  965. proto=RSN
  966. pairwise=CCMP TKIP
  967. group=CCMP TKIP
  968. identity="user@example.com"
  969. ca_cert="/etc/cert/ca.pem"
  970. client_cert="/etc/cert/user.pem"
  971. engine=1
  972. # The engine configured here must be available. Look at
  973. # OpenSSL engine support in the global section.
  974. # The key available through the engine must be the private key
  975. # matching the client certificate configured above.
  976. # use the opensc engine
  977. #engine_id="opensc"
  978. #key_id="45"
  979. # use the pkcs11 engine
  980. engine_id="pkcs11"
  981. key_id="id_45"
  982. # Optional PIN configuration; this can be left out and PIN will be
  983. # asked through the control interface
  984. pin="1234"
  985. }
  986. # Example configuration showing how to use an inlined blob as a CA certificate
  987. # data instead of using external file
  988. network={
  989. ssid="example"
  990. key_mgmt=WPA-EAP
  991. eap=TTLS
  992. identity="user@example.com"
  993. anonymous_identity="anonymous@example.com"
  994. password="foobar"
  995. ca_cert="blob://exampleblob"
  996. priority=20
  997. }
  998. blob-base64-exampleblob={
  999. SGVsbG8gV29ybGQhCg==
  1000. }
  1001. # Wildcard match for SSID (plaintext APs only). This example select any
  1002. # open AP regardless of its SSID.
  1003. network={
  1004. key_mgmt=NONE
  1005. }