wpa_supplicant.conf 38 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008
  1. ##### Example wpa_supplicant configuration file ###############################
  2. #
  3. # This file describes configuration file format and lists all available option.
  4. # Please also take a look at simpler configuration examples in 'examples'
  5. # subdirectory.
  6. #
  7. # Empty lines and lines starting with # are ignored
  8. # NOTE! This file may contain password information and should probably be made
  9. # readable only by root user on multiuser systems.
  10. # Note: All file paths in this configuration file should use full (absolute,
  11. # not relative to working directory) path in order to allow working directory
  12. # to be changed. This can happen if wpa_supplicant is run in the background.
  13. # Whether to allow wpa_supplicant to update (overwrite) configuration
  14. #
  15. # This option can be used to allow wpa_supplicant to overwrite configuration
  16. # file whenever configuration is changed (e.g., new network block is added with
  17. # wpa_cli or wpa_gui, or a password is changed). This is required for
  18. # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
  19. # Please note that overwriting configuration file will remove the comments from
  20. # it.
  21. #update_config=1
  22. # global configuration (shared by all network blocks)
  23. #
  24. # Parameters for the control interface. If this is specified, wpa_supplicant
  25. # will open a control interface that is available for external programs to
  26. # manage wpa_supplicant. The meaning of this string depends on which control
  27. # interface mechanism is used. For all cases, the existence of this parameter
  28. # in configuration is used to determine whether the control interface is
  29. # enabled.
  30. #
  31. # For UNIX domain sockets (default on Linux and BSD): This is a directory that
  32. # will be created for UNIX domain sockets for listening to requests from
  33. # external programs (CLI/GUI, etc.) for status information and configuration.
  34. # The socket file will be named based on the interface name, so multiple
  35. # wpa_supplicant processes can be run at the same time if more than one
  36. # interface is used.
  37. # /var/run/wpa_supplicant is the recommended directory for sockets and by
  38. # default, wpa_cli will use it when trying to connect with wpa_supplicant.
  39. #
  40. # Access control for the control interface can be configured by setting the
  41. # directory to allow only members of a group to use sockets. This way, it is
  42. # possible to run wpa_supplicant as root (since it needs to change network
  43. # configuration and open raw sockets) and still allow GUI/CLI components to be
  44. # run as non-root users. However, since the control interface can be used to
  45. # change the network configuration, this access needs to be protected in many
  46. # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
  47. # want to allow non-root users to use the control interface, add a new group
  48. # and change this value to match with that group. Add users that should have
  49. # control interface access to this group. If this variable is commented out or
  50. # not included in the configuration file, group will not be changed from the
  51. # value it got by default when the directory or socket was created.
  52. #
  53. # When configuring both the directory and group, use following format:
  54. # DIR=/var/run/wpa_supplicant GROUP=wheel
  55. # DIR=/var/run/wpa_supplicant GROUP=0
  56. # (group can be either group name or gid)
  57. #
  58. # For UDP connections (default on Windows): The value will be ignored. This
  59. # variable is just used to select that the control interface is to be created.
  60. # The value can be set to, e.g., udp (ctrl_interface=udp)
  61. #
  62. # For Windows Named Pipe: This value can be used to set the security descriptor
  63. # for controlling access to the control interface. Security descriptor can be
  64. # set using Security Descriptor String Format (see http://msdn.microsoft.com/
  65. # library/default.asp?url=/library/en-us/secauthz/security/
  66. # security_descriptor_string_format.asp). The descriptor string needs to be
  67. # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
  68. # DACL (which will reject all connections). See README-Windows.txt for more
  69. # information about SDDL string format.
  70. #
  71. ctrl_interface=/var/run/wpa_supplicant
  72. # IEEE 802.1X/EAPOL version
  73. # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
  74. # EAPOL version 2. However, there are many APs that do not handle the new
  75. # version number correctly (they seem to drop the frames completely). In order
  76. # to make wpa_supplicant interoperate with these APs, the version number is set
  77. # to 1 by default. This configuration value can be used to set it to the new
  78. # version (2).
  79. eapol_version=1
  80. # AP scanning/selection
  81. # By default, wpa_supplicant requests driver to perform AP scanning and then
  82. # uses the scan results to select a suitable AP. Another alternative is to
  83. # allow the driver to take care of AP scanning and selection and use
  84. # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
  85. # information from the driver.
  86. # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
  87. # the currently enabled networks are found, a new network (IBSS or AP mode
  88. # operation) may be initialized (if configured) (default)
  89. # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
  90. # parameters (e.g., WPA IE generation); this mode can also be used with
  91. # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
  92. # APs (i.e., external program needs to control association). This mode must
  93. # also be used when using wired Ethernet drivers.
  94. # 2: like 0, but associate with APs using security policy and SSID (but not
  95. # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
  96. # enable operation with hidden SSIDs and optimized roaming; in this mode,
  97. # the network blocks in the configuration file are tried one by one until
  98. # the driver reports successful association; each network block should have
  99. # explicit security policy (i.e., only one option in the lists) for
  100. # key_mgmt, pairwise, group, proto variables
  101. # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
  102. # created immediately regardless of scan results. ap_scan=1 mode will first try
  103. # to scan for existing networks and only if no matches with the enabled
  104. # networks are found, a new IBSS or AP mode network is created.
  105. ap_scan=1
  106. # EAP fast re-authentication
  107. # By default, fast re-authentication is enabled for all EAP methods that
  108. # support it. This variable can be used to disable fast re-authentication.
  109. # Normally, there is no need to disable this.
  110. fast_reauth=1
  111. # OpenSSL Engine support
  112. # These options can be used to load OpenSSL engines.
  113. # The two engines that are supported currently are shown below:
  114. # They are both from the opensc project (http://www.opensc.org/)
  115. # By default no engines are loaded.
  116. # make the opensc engine available
  117. #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
  118. # make the pkcs11 engine available
  119. #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
  120. # configure the path to the pkcs11 module required by the pkcs11 engine
  121. #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
  122. # Dynamic EAP methods
  123. # If EAP methods were built dynamically as shared object files, they need to be
  124. # loaded here before being used in the network blocks. By default, EAP methods
  125. # are included statically in the build, so these lines are not needed
  126. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
  127. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
  128. # Driver interface parameters
  129. # This field can be used to configure arbitrary driver interace parameters. The
  130. # format is specific to the selected driver interface. This field is not used
  131. # in most cases.
  132. #driver_param="field=value"
  133. # Country code
  134. # The ISO/IEC alpha2 country code for the country in which this device is
  135. # currently operating.
  136. #country=US
  137. # Maximum lifetime for PMKSA in seconds; default 43200
  138. #dot11RSNAConfigPMKLifetime=43200
  139. # Threshold for reauthentication (percentage of PMK lifetime); default 70
  140. #dot11RSNAConfigPMKReauthThreshold=70
  141. # Timeout for security association negotiation in seconds; default 60
  142. #dot11RSNAConfigSATimeout=60
  143. # Wi-Fi Protected Setup (WPS) parameters
  144. # Universally Unique IDentifier (UUID; see RFC 4122) of the device
  145. # If not configured, UUID will be generated based on the local MAC address.
  146. #uuid=12345678-9abc-def0-1234-56789abcdef0
  147. # Device Name
  148. # User-friendly description of device; up to 32 octets encoded in UTF-8
  149. #device_name=Wireless Client
  150. # Manufacturer
  151. # The manufacturer of the device (up to 64 ASCII characters)
  152. #manufacturer=Company
  153. # Model Name
  154. # Model of the device (up to 32 ASCII characters)
  155. #model_name=cmodel
  156. # Model Number
  157. # Additional device description (up to 32 ASCII characters)
  158. #model_number=123
  159. # Serial Number
  160. # Serial number of the device (up to 32 characters)
  161. #serial_number=12345
  162. # Primary Device Type
  163. # Used format: <categ>-<OUI>-<subcateg>
  164. # categ = Category as an integer value
  165. # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
  166. # default WPS OUI
  167. # subcateg = OUI-specific Sub Category as an integer value
  168. # Examples:
  169. # 1-0050F204-1 (Computer / PC)
  170. # 1-0050F204-2 (Computer / Server)
  171. # 5-0050F204-1 (Storage / NAS)
  172. # 6-0050F204-1 (Network Infrastructure / AP)
  173. #device_type=1-0050F204-1
  174. # OS Version
  175. # 4-octet operating system version number (hex string)
  176. #os_version=01020300
  177. # Config Methods
  178. # List of the supported configuration methods
  179. # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
  180. # nfc_interface push_button keypad virtual_display physical_display
  181. # virtual_push_button physical_push_button
  182. # For WSC 1.0:
  183. #config_methods=label display push_button keypad
  184. # For WSC 2.0:
  185. #config_methods=label virtual_display virtual_push_button keypad
  186. # Credential processing
  187. # 0 = process received credentials internally (default)
  188. # 1 = do not process received credentials; just pass them over ctrl_iface to
  189. # external program(s)
  190. # 2 = process received credentials internally and pass them over ctrl_iface
  191. # to external program(s)
  192. #wps_cred_processing=0
  193. # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
  194. # The vendor attribute contents to be added in M1 (hex string)
  195. #wps_vendor_ext_m1=000137100100020001
  196. # Maximum number of BSS entries to keep in memory
  197. # Default: 200
  198. # This can be used to limit memory use on the BSS entries (cached scan
  199. # results). A larger value may be needed in environments that have huge number
  200. # of APs when using ap_scan=1 mode.
  201. #bss_max_count=200
  202. # filter_ssids - SSID-based scan result filtering
  203. # 0 = do not filter scan results (default)
  204. # 1 = only include configured SSIDs in scan results/BSS table
  205. #filter_ssids=0
  206. # Interworking (IEEE 802.11u)
  207. # Enable Interworking
  208. # interworking=1
  209. # Homogenous ESS identifier
  210. # If this is set, scans will be used to request response only from BSSes
  211. # belonging to the specified Homogeneous ESS. This is used only if interworking
  212. # is enabled.
  213. # hessid=00:11:22:33:44:55
  214. # credential block
  215. #
  216. # Each credential used for automatic network selection is configured as a set
  217. # of parameters that are compared to the information advertised by the APs when
  218. # interworking_select and interworking_connect commands are used.
  219. #
  220. # credential fields:
  221. #
  222. # priority: Priority group
  223. # By default, all networks and credentials get the same priority group
  224. # (0). This field can be used to give higher priority for credentials
  225. # (and similarly in struct wpa_ssid for network blocks) to change the
  226. # Interworking automatic networking selection behavior. The matching
  227. # network (based on either an enabled network block or a credential)
  228. # with the highest priority value will be selected.
  229. #
  230. # pcsc: Use PC/SC and SIM/USIM card
  231. #
  232. # realm: Home Realm for Interworking
  233. #
  234. # username: Username for Interworking network selection
  235. #
  236. # password: Password for Interworking network selection
  237. #
  238. # ca_cert: CA certificate for Interworking network selection
  239. #
  240. # client_cert: File path to client certificate file (PEM/DER)
  241. # This field is used with Interworking networking selection for a case
  242. # where client certificate/private key is used for authentication
  243. # (EAP-TLS). Full path to the file should be used since working
  244. # directory may change when wpa_supplicant is run in the background.
  245. #
  246. # Alternatively, a named configuration blob can be used by setting
  247. # this to blob://blob_name.
  248. #
  249. # private_key: File path to client private key file (PEM/DER/PFX)
  250. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  251. # commented out. Both the private key and certificate will be read
  252. # from the PKCS#12 file in this case. Full path to the file should be
  253. # used since working directory may change when wpa_supplicant is run
  254. # in the background.
  255. #
  256. # Windows certificate store can be used by leaving client_cert out and
  257. # configuring private_key in one of the following formats:
  258. #
  259. # cert://substring_to_match
  260. #
  261. # hash://certificate_thumbprint_in_hex
  262. #
  263. # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  264. #
  265. # Note that when running wpa_supplicant as an application, the user
  266. # certificate store (My user account) is used, whereas computer store
  267. # (Computer account) is used when running wpasvc as a service.
  268. #
  269. # Alternatively, a named configuration blob can be used by setting
  270. # this to blob://blob_name.
  271. #
  272. # private_key_passwd: Password for private key file
  273. #
  274. # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
  275. #
  276. # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
  277. # format
  278. #
  279. # domain: Home service provider FQDN
  280. # This is used to compare against the Domain Name List to figure out
  281. # whether the AP is operated by the Home SP.
  282. #
  283. # for example:
  284. #
  285. #cred={
  286. # realm="example.com"
  287. # username="user@example.com"
  288. # password="password"
  289. # ca_cert="/etc/wpa_supplicant/ca.pem"
  290. # domain="example.com"
  291. #}
  292. #
  293. #cred={
  294. # imsi="310026-000000000"
  295. # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
  296. #}
  297. # network block
  298. #
  299. # Each network (usually AP's sharing the same SSID) is configured as a separate
  300. # block in this configuration file. The network blocks are in preference order
  301. # (the first match is used).
  302. #
  303. # network block fields:
  304. #
  305. # disabled:
  306. # 0 = this network can be used (default)
  307. # 1 = this network block is disabled (can be enabled through ctrl_iface,
  308. # e.g., with wpa_cli or wpa_gui)
  309. #
  310. # id_str: Network identifier string for external scripts. This value is passed
  311. # to external action script through wpa_cli as WPA_ID_STR environment
  312. # variable to make it easier to do network specific configuration.
  313. #
  314. # ssid: SSID (mandatory); either as an ASCII string with double quotation or
  315. # as hex string; network name
  316. #
  317. # scan_ssid:
  318. # 0 = do not scan this SSID with specific Probe Request frames (default)
  319. # 1 = scan with SSID-specific Probe Request frames (this can be used to
  320. # find APs that do not accept broadcast SSID or use multiple SSIDs;
  321. # this will add latency to scanning, so enable this only when needed)
  322. #
  323. # bssid: BSSID (optional); if set, this network block is used only when
  324. # associating with the AP using the configured BSSID
  325. #
  326. # priority: priority group (integer)
  327. # By default, all networks will get same priority group (0). If some of the
  328. # networks are more desirable, this field can be used to change the order in
  329. # which wpa_supplicant goes through the networks when selecting a BSS. The
  330. # priority groups will be iterated in decreasing priority (i.e., the larger the
  331. # priority value, the sooner the network is matched against the scan results).
  332. # Within each priority group, networks will be selected based on security
  333. # policy, signal strength, etc.
  334. # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
  335. # using this priority to select the order for scanning. Instead, they try the
  336. # networks in the order that used in the configuration file.
  337. #
  338. # mode: IEEE 802.11 operation mode
  339. # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
  340. # 1 = IBSS (ad-hoc, peer-to-peer)
  341. # 2 = AP (access point)
  342. # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
  343. # and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). WPA-None requires
  344. # following network block options:
  345. # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
  346. # both), and psk must also be set.
  347. #
  348. # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
  349. # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
  350. # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
  351. # In addition, this value is only used by the station that creates the IBSS. If
  352. # an IBSS network with the configured SSID is already present, the frequency of
  353. # the network will be used instead of this configured value.
  354. #
  355. # scan_freq: List of frequencies to scan
  356. # Space-separated list of frequencies in MHz to scan when searching for this
  357. # BSS. If the subset of channels used by the network is known, this option can
  358. # be used to optimize scanning to not occur on channels that the network does
  359. # not use. Example: scan_freq=2412 2437 2462
  360. #
  361. # freq_list: Array of allowed frequencies
  362. # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
  363. # set, scan results that do not match any of the specified frequencies are not
  364. # considered when selecting a BSS.
  365. #
  366. # proto: list of accepted protocols
  367. # WPA = WPA/IEEE 802.11i/D3.0
  368. # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
  369. # If not set, this defaults to: WPA RSN
  370. #
  371. # key_mgmt: list of accepted authenticated key management protocols
  372. # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
  373. # WPA-EAP = WPA using EAP authentication
  374. # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
  375. # generated WEP keys
  376. # NONE = WPA is not used; plaintext or static WEP could be used
  377. # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
  378. # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
  379. # If not set, this defaults to: WPA-PSK WPA-EAP
  380. #
  381. # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  382. # OPEN = Open System authentication (required for WPA/WPA2)
  383. # SHARED = Shared Key authentication (requires static WEP keys)
  384. # LEAP = LEAP/Network EAP (only used with LEAP)
  385. # If not set, automatic selection is used (Open System with LEAP enabled if
  386. # LEAP is allowed as one of the EAP methods).
  387. #
  388. # pairwise: list of accepted pairwise (unicast) ciphers for WPA
  389. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  390. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  391. # NONE = Use only Group Keys (deprecated, should not be included if APs support
  392. # pairwise keys)
  393. # If not set, this defaults to: CCMP TKIP
  394. #
  395. # group: list of accepted group (broadcast/multicast) ciphers for WPA
  396. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  397. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  398. # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
  399. # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
  400. # If not set, this defaults to: CCMP TKIP WEP104 WEP40
  401. #
  402. # psk: WPA preshared key; 256-bit pre-shared key
  403. # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
  404. # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
  405. # generated using the passphrase and SSID). ASCII passphrase must be between
  406. # 8 and 63 characters (inclusive).
  407. # This field is not needed, if WPA-EAP is used.
  408. # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
  409. # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
  410. # startup and reconfiguration time can be optimized by generating the PSK only
  411. # only when the passphrase or SSID has actually changed.
  412. #
  413. # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
  414. # Dynamic WEP key required for non-WPA mode
  415. # bit0 (1): require dynamically generated unicast WEP key
  416. # bit1 (2): require dynamically generated broadcast WEP key
  417. # (3 = require both keys; default)
  418. # Note: When using wired authentication, eapol_flags must be set to 0 for the
  419. # authentication to be completed successfully.
  420. #
  421. # mixed_cell: This option can be used to configure whether so called mixed
  422. # cells, i.e., networks that use both plaintext and encryption in the same
  423. # SSID, are allowed when selecting a BSS from scan results.
  424. # 0 = disabled (default)
  425. # 1 = enabled
  426. #
  427. # proactive_key_caching:
  428. # Enable/disable opportunistic PMKSA caching for WPA2.
  429. # 0 = disabled (default)
  430. # 1 = enabled
  431. #
  432. # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
  433. # hex without quotation, e.g., 0102030405)
  434. # wep_tx_keyidx: Default WEP key index (TX) (0..3)
  435. #
  436. # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
  437. # allowed. This is only used with RSN/WPA2.
  438. # 0 = disabled (default)
  439. # 1 = enabled
  440. #peerkey=1
  441. #
  442. # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
  443. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
  444. #
  445. # Following fields are only used with internal EAP implementation.
  446. # eap: space-separated list of accepted EAP methods
  447. # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
  448. # cannot be used with WPA; to be used as a Phase 2 method
  449. # with EAP-PEAP or EAP-TTLS)
  450. # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
  451. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  452. # OTP = EAP-OTP (cannot be used separately with WPA; to be used
  453. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  454. # GTC = EAP-GTC (cannot be used separately with WPA; to be used
  455. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  456. # TLS = EAP-TLS (client and server certificate)
  457. # PEAP = EAP-PEAP (with tunnelled EAP authentication)
  458. # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
  459. # authentication)
  460. # If not set, all compiled in methods are allowed.
  461. #
  462. # identity: Identity string for EAP
  463. # This field is also used to configure user NAI for
  464. # EAP-PSK/PAX/SAKE/GPSK.
  465. # anonymous_identity: Anonymous identity string for EAP (to be used as the
  466. # unencrypted identity with EAP types that support different tunnelled
  467. # identity, e.g., EAP-TTLS)
  468. # password: Password string for EAP. This field can include either the
  469. # plaintext password (using ASCII or hex string) or a NtPasswordHash
  470. # (16-byte MD4 hash of password) in hash:<32 hex digits> format.
  471. # NtPasswordHash can only be used when the password is for MSCHAPv2 or
  472. # MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
  473. # EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
  474. # PSK) is also configured using this field. For EAP-GPSK, this is a
  475. # variable length PSK.
  476. # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
  477. # or more trusted CA certificates. If ca_cert and ca_path are not
  478. # included, server certificate will not be verified. This is insecure and
  479. # a trusted CA certificate should always be configured when using
  480. # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
  481. # change when wpa_supplicant is run in the background.
  482. #
  483. # Alternatively, this can be used to only perform matching of the server
  484. # certificate (SHA-256 hash of the DER encoded X.509 certificate). In
  485. # this case, the possible CA certificates in the server certificate chain
  486. # are ignored and only the server certificate is verified. This is
  487. # configured with the following format:
  488. # hash:://server/sha256/cert_hash_in_hex
  489. # For example: "hash://server/sha256/
  490. # 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
  491. #
  492. # On Windows, trusted CA certificates can be loaded from the system
  493. # certificate store by setting this to cert_store://<name>, e.g.,
  494. # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
  495. # Note that when running wpa_supplicant as an application, the user
  496. # certificate store (My user account) is used, whereas computer store
  497. # (Computer account) is used when running wpasvc as a service.
  498. # ca_path: Directory path for CA certificate files (PEM). This path may
  499. # contain multiple CA certificates in OpenSSL format. Common use for this
  500. # is to point to system trusted CA list which is often installed into
  501. # directory like /etc/ssl/certs. If configured, these certificates are
  502. # added to the list of trusted CAs. ca_cert may also be included in that
  503. # case, but it is not required.
  504. # client_cert: File path to client certificate file (PEM/DER)
  505. # Full path should be used since working directory may change when
  506. # wpa_supplicant is run in the background.
  507. # Alternatively, a named configuration blob can be used by setting this
  508. # to blob://<blob name>.
  509. # private_key: File path to client private key file (PEM/DER/PFX)
  510. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  511. # commented out. Both the private key and certificate will be read from
  512. # the PKCS#12 file in this case. Full path should be used since working
  513. # directory may change when wpa_supplicant is run in the background.
  514. # Windows certificate store can be used by leaving client_cert out and
  515. # configuring private_key in one of the following formats:
  516. # cert://substring_to_match
  517. # hash://certificate_thumbprint_in_hex
  518. # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  519. # Note that when running wpa_supplicant as an application, the user
  520. # certificate store (My user account) is used, whereas computer store
  521. # (Computer account) is used when running wpasvc as a service.
  522. # Alternatively, a named configuration blob can be used by setting this
  523. # to blob://<blob name>.
  524. # private_key_passwd: Password for private key file (if left out, this will be
  525. # asked through control interface)
  526. # dh_file: File path to DH/DSA parameters file (in PEM format)
  527. # This is an optional configuration file for setting parameters for an
  528. # ephemeral DH key exchange. In most cases, the default RSA
  529. # authentication does not use this configuration. However, it is possible
  530. # setup RSA to use ephemeral DH key exchange. In addition, ciphers with
  531. # DSA keys always use ephemeral DH keys. This can be used to achieve
  532. # forward secrecy. If the file is in DSA parameters format, it will be
  533. # automatically converted into DH params.
  534. # subject_match: Substring to be matched against the subject of the
  535. # authentication server certificate. If this string is set, the server
  536. # sertificate is only accepted if it contains this string in the subject.
  537. # The subject string is in following format:
  538. # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
  539. # altsubject_match: Semicolon separated string of entries to be matched against
  540. # the alternative subject name of the authentication server certificate.
  541. # If this string is set, the server sertificate is only accepted if it
  542. # contains one of the entries in an alternative subject name extension.
  543. # altSubjectName string is in following format: TYPE:VALUE
  544. # Example: EMAIL:server@example.com
  545. # Example: DNS:server.example.com;DNS:server2.example.com
  546. # Following types are supported: EMAIL, DNS, URI
  547. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
  548. # (string with field-value pairs, e.g., "peapver=0" or
  549. # "peapver=1 peaplabel=1")
  550. # 'peapver' can be used to force which PEAP version (0 or 1) is used.
  551. # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
  552. # to be used during key derivation when PEAPv1 or newer. Most existing
  553. # PEAPv1 implementation seem to be using the old label, "client EAP
  554. # encryption", and wpa_supplicant is now using that as the default value.
  555. # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
  556. # interoperate with PEAPv1; see eap_testing.txt for more details.
  557. # 'peap_outer_success=0' can be used to terminate PEAP authentication on
  558. # tunneled EAP-Success. This is required with some RADIUS servers that
  559. # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
  560. # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
  561. # include_tls_length=1 can be used to force wpa_supplicant to include
  562. # TLS Message Length field in all TLS messages even if they are not
  563. # fragmented.
  564. # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
  565. # challenges (by default, it accepts 2 or 3)
  566. # result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
  567. # protected result indication.
  568. # 'crypto_binding' option can be used to control PEAPv0 cryptobinding
  569. # behavior:
  570. # * 0 = do not use cryptobinding (default)
  571. # * 1 = use cryptobinding if server supports it
  572. # * 2 = require cryptobinding
  573. # EAP-WSC (WPS) uses following options: pin=<Device Password> or
  574. # pbc=1.
  575. # phase2: Phase2 (inner authentication with TLS tunnel) parameters
  576. # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
  577. # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
  578. # Following certificate/private key fields are used in inner Phase2
  579. # authentication when using EAP-TTLS or EAP-PEAP.
  580. # ca_cert2: File path to CA certificate file. This file can have one or more
  581. # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
  582. # server certificate will not be verified. This is insecure and a trusted
  583. # CA certificate should always be configured.
  584. # ca_path2: Directory path for CA certificate files (PEM)
  585. # client_cert2: File path to client certificate file
  586. # private_key2: File path to client private key file
  587. # private_key2_passwd: Password for private key file
  588. # dh_file2: File path to DH/DSA parameters file (in PEM format)
  589. # subject_match2: Substring to be matched against the subject of the
  590. # authentication server certificate.
  591. # altsubject_match2: Substring to be matched against the alternative subject
  592. # name of the authentication server certificate.
  593. #
  594. # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  595. # This value limits the fragment size for EAP methods that support
  596. # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
  597. # small enough to make the EAP messages fit in MTU of the network
  598. # interface used for EAPOL. The default value is suitable for most
  599. # cases.
  600. #
  601. # EAP-FAST variables:
  602. # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
  603. # to create this file and write updates to it when PAC is being
  604. # provisioned or refreshed. Full path to the file should be used since
  605. # working directory may change when wpa_supplicant is run in the
  606. # background. Alternatively, a named configuration blob can be used by
  607. # setting this to blob://<blob name>
  608. # phase1: fast_provisioning option can be used to enable in-line provisioning
  609. # of EAP-FAST credentials (PAC):
  610. # 0 = disabled,
  611. # 1 = allow unauthenticated provisioning,
  612. # 2 = allow authenticated provisioning,
  613. # 3 = allow both unauthenticated and authenticated provisioning
  614. # fast_max_pac_list_len=<num> option can be used to set the maximum
  615. # number of PAC entries to store in a PAC list (default: 10)
  616. # fast_pac_format=binary option can be used to select binary format for
  617. # storing PAC entries in order to save some space (the default
  618. # text format uses about 2.5 times the size of minimal binary
  619. # format)
  620. #
  621. # wpa_supplicant supports number of "EAP workarounds" to work around
  622. # interoperability issues with incorrectly behaving authentication servers.
  623. # These are enabled by default because some of the issues are present in large
  624. # number of authentication servers. Strict EAP conformance mode can be
  625. # configured by disabling workarounds with eap_workaround=0.
  626. # Station inactivity limit
  627. #
  628. # If a station does not send anything in ap_max_inactivity seconds, an
  629. # empty data frame is sent to it in order to verify whether it is
  630. # still in range. If this frame is not ACKed, the station will be
  631. # disassociated and then deauthenticated. This feature is used to
  632. # clear station table of old entries when the STAs move out of the
  633. # range.
  634. #
  635. # The station can associate again with the AP if it is still in range;
  636. # this inactivity poll is just used as a nicer way of verifying
  637. # inactivity; i.e., client will not report broken connection because
  638. # disassociation frame is not sent immediately without first polling
  639. # the STA with a data frame.
  640. # default: 300 (i.e., 5 minutes)
  641. #ap_max_inactivity=300
  642. # Example blocks:
  643. # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
  644. network={
  645. ssid="simple"
  646. psk="very secret passphrase"
  647. priority=5
  648. }
  649. # Same as previous, but request SSID-specific scanning (for APs that reject
  650. # broadcast SSID)
  651. network={
  652. ssid="second ssid"
  653. scan_ssid=1
  654. psk="very secret passphrase"
  655. priority=2
  656. }
  657. # Only WPA-PSK is used. Any valid cipher combination is accepted.
  658. network={
  659. ssid="example"
  660. proto=WPA
  661. key_mgmt=WPA-PSK
  662. pairwise=CCMP TKIP
  663. group=CCMP TKIP WEP104 WEP40
  664. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  665. priority=2
  666. }
  667. # WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
  668. network={
  669. ssid="example"
  670. proto=WPA
  671. key_mgmt=WPA-PSK
  672. pairwise=TKIP
  673. group=TKIP
  674. psk="not so secure passphrase"
  675. wpa_ptk_rekey=600
  676. }
  677. # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
  678. # or WEP40 as the group cipher will not be accepted.
  679. network={
  680. ssid="example"
  681. proto=RSN
  682. key_mgmt=WPA-EAP
  683. pairwise=CCMP TKIP
  684. group=CCMP TKIP
  685. eap=TLS
  686. identity="user@example.com"
  687. ca_cert="/etc/cert/ca.pem"
  688. client_cert="/etc/cert/user.pem"
  689. private_key="/etc/cert/user.prv"
  690. private_key_passwd="password"
  691. priority=1
  692. }
  693. # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
  694. # (e.g., Radiator)
  695. network={
  696. ssid="example"
  697. key_mgmt=WPA-EAP
  698. eap=PEAP
  699. identity="user@example.com"
  700. password="foobar"
  701. ca_cert="/etc/cert/ca.pem"
  702. phase1="peaplabel=1"
  703. phase2="auth=MSCHAPV2"
  704. priority=10
  705. }
  706. # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
  707. # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
  708. network={
  709. ssid="example"
  710. key_mgmt=WPA-EAP
  711. eap=TTLS
  712. identity="user@example.com"
  713. anonymous_identity="anonymous@example.com"
  714. password="foobar"
  715. ca_cert="/etc/cert/ca.pem"
  716. priority=2
  717. }
  718. # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
  719. # use. Real identity is sent only within an encrypted TLS tunnel.
  720. network={
  721. ssid="example"
  722. key_mgmt=WPA-EAP
  723. eap=TTLS
  724. identity="user@example.com"
  725. anonymous_identity="anonymous@example.com"
  726. password="foobar"
  727. ca_cert="/etc/cert/ca.pem"
  728. phase2="auth=MSCHAPV2"
  729. }
  730. # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
  731. # authentication.
  732. network={
  733. ssid="example"
  734. key_mgmt=WPA-EAP
  735. eap=TTLS
  736. # Phase1 / outer authentication
  737. anonymous_identity="anonymous@example.com"
  738. ca_cert="/etc/cert/ca.pem"
  739. # Phase 2 / inner authentication
  740. phase2="autheap=TLS"
  741. ca_cert2="/etc/cert/ca2.pem"
  742. client_cert2="/etc/cer/user.pem"
  743. private_key2="/etc/cer/user.prv"
  744. private_key2_passwd="password"
  745. priority=2
  746. }
  747. # Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
  748. # group cipher.
  749. network={
  750. ssid="example"
  751. bssid=00:11:22:33:44:55
  752. proto=WPA RSN
  753. key_mgmt=WPA-PSK WPA-EAP
  754. pairwise=CCMP
  755. group=CCMP
  756. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  757. }
  758. # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
  759. # and all valid ciphers.
  760. network={
  761. ssid=00010203
  762. psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  763. }
  764. # EAP-SIM with a GSM SIM or USIM
  765. network={
  766. ssid="eap-sim-test"
  767. key_mgmt=WPA-EAP
  768. eap=SIM
  769. pin="1234"
  770. pcsc=""
  771. }
  772. # EAP-PSK
  773. network={
  774. ssid="eap-psk-test"
  775. key_mgmt=WPA-EAP
  776. eap=PSK
  777. anonymous_identity="eap_psk_user"
  778. password=06b4be19da289f475aa46a33cb793029
  779. identity="eap_psk_user@example.com"
  780. }
  781. # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
  782. # EAP-TLS for authentication and key generation; require both unicast and
  783. # broadcast WEP keys.
  784. network={
  785. ssid="1x-test"
  786. key_mgmt=IEEE8021X
  787. eap=TLS
  788. identity="user@example.com"
  789. ca_cert="/etc/cert/ca.pem"
  790. client_cert="/etc/cert/user.pem"
  791. private_key="/etc/cert/user.prv"
  792. private_key_passwd="password"
  793. eapol_flags=3
  794. }
  795. # LEAP with dynamic WEP keys
  796. network={
  797. ssid="leap-example"
  798. key_mgmt=IEEE8021X
  799. eap=LEAP
  800. identity="user"
  801. password="foobar"
  802. }
  803. # EAP-IKEv2 using shared secrets for both server and peer authentication
  804. network={
  805. ssid="ikev2-example"
  806. key_mgmt=WPA-EAP
  807. eap=IKEV2
  808. identity="user"
  809. password="foobar"
  810. }
  811. # EAP-FAST with WPA (WPA or WPA2)
  812. network={
  813. ssid="eap-fast-test"
  814. key_mgmt=WPA-EAP
  815. eap=FAST
  816. anonymous_identity="FAST-000102030405"
  817. identity="username"
  818. password="password"
  819. phase1="fast_provisioning=1"
  820. pac_file="/etc/wpa_supplicant.eap-fast-pac"
  821. }
  822. network={
  823. ssid="eap-fast-test"
  824. key_mgmt=WPA-EAP
  825. eap=FAST
  826. anonymous_identity="FAST-000102030405"
  827. identity="username"
  828. password="password"
  829. phase1="fast_provisioning=1"
  830. pac_file="blob://eap-fast-pac"
  831. }
  832. # Plaintext connection (no WPA, no IEEE 802.1X)
  833. network={
  834. ssid="plaintext-test"
  835. key_mgmt=NONE
  836. }
  837. # Shared WEP key connection (no WPA, no IEEE 802.1X)
  838. network={
  839. ssid="static-wep-test"
  840. key_mgmt=NONE
  841. wep_key0="abcde"
  842. wep_key1=0102030405
  843. wep_key2="1234567890123"
  844. wep_tx_keyidx=0
  845. priority=5
  846. }
  847. # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
  848. # IEEE 802.11 authentication
  849. network={
  850. ssid="static-wep-test2"
  851. key_mgmt=NONE
  852. wep_key0="abcde"
  853. wep_key1=0102030405
  854. wep_key2="1234567890123"
  855. wep_tx_keyidx=0
  856. priority=5
  857. auth_alg=SHARED
  858. }
  859. # IBSS/ad-hoc network with WPA-None/TKIP.
  860. network={
  861. ssid="test adhoc"
  862. mode=1
  863. frequency=2412
  864. proto=WPA
  865. key_mgmt=WPA-NONE
  866. pairwise=NONE
  867. group=TKIP
  868. psk="secret passphrase"
  869. }
  870. # Catch all example that allows more or less all configuration modes
  871. network={
  872. ssid="example"
  873. scan_ssid=1
  874. key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
  875. pairwise=CCMP TKIP
  876. group=CCMP TKIP WEP104 WEP40
  877. psk="very secret passphrase"
  878. eap=TTLS PEAP TLS
  879. identity="user@example.com"
  880. password="foobar"
  881. ca_cert="/etc/cert/ca.pem"
  882. client_cert="/etc/cert/user.pem"
  883. private_key="/etc/cert/user.prv"
  884. private_key_passwd="password"
  885. phase1="peaplabel=0"
  886. }
  887. # Example of EAP-TLS with smartcard (openssl engine)
  888. network={
  889. ssid="example"
  890. key_mgmt=WPA-EAP
  891. eap=TLS
  892. proto=RSN
  893. pairwise=CCMP TKIP
  894. group=CCMP TKIP
  895. identity="user@example.com"
  896. ca_cert="/etc/cert/ca.pem"
  897. client_cert="/etc/cert/user.pem"
  898. engine=1
  899. # The engine configured here must be available. Look at
  900. # OpenSSL engine support in the global section.
  901. # The key available through the engine must be the private key
  902. # matching the client certificate configured above.
  903. # use the opensc engine
  904. #engine_id="opensc"
  905. #key_id="45"
  906. # use the pkcs11 engine
  907. engine_id="pkcs11"
  908. key_id="id_45"
  909. # Optional PIN configuration; this can be left out and PIN will be
  910. # asked through the control interface
  911. pin="1234"
  912. }
  913. # Example configuration showing how to use an inlined blob as a CA certificate
  914. # data instead of using external file
  915. network={
  916. ssid="example"
  917. key_mgmt=WPA-EAP
  918. eap=TTLS
  919. identity="user@example.com"
  920. anonymous_identity="anonymous@example.com"
  921. password="foobar"
  922. ca_cert="blob://exampleblob"
  923. priority=20
  924. }
  925. blob-base64-exampleblob={
  926. SGVsbG8gV29ybGQhCg==
  927. }
  928. # Wildcard match for SSID (plaintext APs only). This example select any
  929. # open AP regardless of its SSID.
  930. network={
  931. key_mgmt=NONE
  932. }