wok-current annotate wpa_supplicant/stuff/etc/wpa_supplicant.conf @ rev 8053

Up: cherokee to 1.0.18.
author Christopher Rogers <slaxemulator@gmail.com>
date Thu Jan 20 16:12:21 2011 +0000 (2011-01-20)
parents
children 01ad1e61b761
jozee@3445 1 ##### Example wpa_supplicant configuration file ###############################
jozee@3445 2 #
jozee@3445 3 # This file describes the configuration file format and lists all available options.
jozee@3445 4 # Please also take a look at simpler configuration examples in 'examples'
jozee@3445 5 # subdirectory.
jozee@3445 6 #
jozee@3445 7 # Empty lines and lines starting with # are ignored
jozee@3445 8
jozee@3445 9 # NOTE! This file may contain password information and should probably be made
jozee@3445 10 # readable only by root user on multiuser systems.
jozee@3445 11
jozee@3445 12 # Note: All file paths in this configuration file should use full (absolute,
jozee@3445 13 # not relative to working directory) path in order to allow working directory
jozee@3445 14 # to be changed. This can happen if wpa_supplicant is run in the background.
jozee@3445 15
jozee@3445 16 # Whether to allow wpa_supplicant to update (overwrite) configuration
jozee@3445 17 #
jozee@3445 18 # This option can be used to allow wpa_supplicant to overwrite configuration
jozee@3445 19 # file whenever configuration is changed (e.g., new network block is added with
jozee@3445 20 # wpa_cli or wpa_gui, or a password is changed). This is required for
jozee@3445 21 # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
jozee@3445 22 # Please note that overwriting configuration file will remove the comments from
jozee@3445 23 # it.
jozee@3445 24 #update_config=1
jozee@3445 25
jozee@3445 26 # global configuration (shared by all network blocks)
jozee@3445 27 #
jozee@3445 28 # Parameters for the control interface. If this is specified, wpa_supplicant
jozee@3445 29 # will open a control interface that is available for external programs to
jozee@3445 30 # manage wpa_supplicant. The meaning of this string depends on which control
jozee@3445 31 # interface mechanism is used. For all cases, the existence of this parameter
jozee@3445 32 # in configuration is used to determine whether the control interface is
jozee@3445 33 # enabled.
jozee@3445 34 #
jozee@3445 35 # For UNIX domain sockets (default on Linux and BSD): This is a directory that
jozee@3445 36 # will be created for UNIX domain sockets for listening to requests from
jozee@3445 37 # external programs (CLI/GUI, etc.) for status information and configuration.
jozee@3445 38 # The socket file will be named based on the interface name, so multiple
jozee@3445 39 # wpa_supplicant processes can be run at the same time if more than one
jozee@3445 40 # interface is used.
jozee@3445 41 # /var/run/wpa_supplicant is the recommended directory for sockets and by
jozee@3445 42 # default, wpa_cli will use it when trying to connect with wpa_supplicant.
jozee@3445 43 #
jozee@3445 44 # Access control for the control interface can be configured by setting the
jozee@3445 45 # directory to allow only members of a group to use sockets. This way, it is
jozee@3445 46 # possible to run wpa_supplicant as root (since it needs to change network
jozee@3445 47 # configuration and open raw sockets) and still allow GUI/CLI components to be
jozee@3445 48 # run as non-root users. However, since the control interface can be used to
jozee@3445 49 # change the network configuration, this access needs to be protected in many
jozee@3445 50 # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
jozee@3445 51 # want to allow non-root users to use the control interface, add a new group
jozee@3445 52 # and change this value to match with that group. Add users that should have
jozee@3445 53 # control interface access to this group. If this variable is commented out or
jozee@3445 54 # not included in the configuration file, group will not be changed from the
jozee@3445 55 # value it got by default when the directory or socket was created.
jozee@3445 56 #
jozee@3445 57 # When configuring both the directory and group, use following format:
jozee@3445 58 # DIR=/var/run/wpa_supplicant GROUP=wheel
jozee@3445 59 # DIR=/var/run/wpa_supplicant GROUP=0
jozee@3445 60 # (group can be either group name or gid)
jozee@3445 61 #
jozee@3445 62 # For UDP connections (default on Windows): The value will be ignored. This
jozee@3445 63 # variable is just used to select that the control interface is to be created.
jozee@3445 64 # The value can be set to, e.g., udp (ctrl_interface=udp)
jozee@3445 65 #
jozee@3445 66 # For Windows Named Pipe: This value can be used to set the security descriptor
jozee@3445 67 # for controlling access to the control interface. Security descriptor can be
jozee@3445 68 # set using Security Descriptor String Format (see http://msdn.microsoft.com/
jozee@3445 69 # library/default.asp?url=/library/en-us/secauthz/security/
jozee@3445 70 # security_descriptor_string_format.asp). The descriptor string needs to be
jozee@3445 71 # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
jozee@3445 72 # DACL (which will reject all connections). See README-Windows.txt for more
jozee@3445 73 # information about SDDL string format.
jozee@3445 74 #
jozee@3445 75 ctrl_interface=/var/run/wpa_supplicant
jozee@3445 76
jozee@3445 77 # Ensure that only root can use the control interface to read or change the WPA configuration
jozee@3445 78 ctrl_interface_group=0
jozee@3445 79
jozee@3445 80
jozee@3445 81 # IEEE 802.1X/EAPOL version
jozee@3445 82 # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
jozee@3445 83 # EAPOL version 2. However, there are many APs that do not handle the new
jozee@3445 84 # version number correctly (they seem to drop the frames completely). In order
jozee@3445 85 # to make wpa_supplicant interoperate with these APs, the version number is set
jozee@3445 86 # to 1 by default. This configuration value can be used to set it to the new
jozee@3445 87 # version (2).
jozee@3445 88 eapol_version=1
jozee@3445 89
jozee@3445 90 # AP scanning/selection
jozee@3445 91 # By default, wpa_supplicant requests driver to perform AP scanning and then
jozee@3445 92 # uses the scan results to select a suitable AP. Another alternative is to
jozee@3445 93 # allow the driver to take care of AP scanning and selection and use
jozee@3445 94 # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
jozee@3445 95 # information from the driver.
jozee@3445 96 # 1: wpa_supplicant initiates scanning and AP selection
jozee@3445 97 # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
jozee@3445 98 # parameters (e.g., WPA IE generation); this mode can also be used with
jozee@3445 99 # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
jozee@3445 100 # APs (i.e., external program needs to control association). This mode must
jozee@3445 101 # also be used when using wired Ethernet drivers.
jozee@3445 102 # 2: like 0, but associate with APs using security policy and SSID (but not
jozee@3445 103 # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
jozee@3445 104 # enable operation with hidden SSIDs and optimized roaming; in this mode,
jozee@3445 105 # the network blocks in the configuration file are tried one by one until
jozee@3445 106 # the driver reports successful association; each network block should have
jozee@3445 107 # explicit security policy (i.e., only one option in the lists) for
jozee@3445 108 # key_mgmt, pairwise, group, proto variables
jozee@3445 109 ap_scan=1
jozee@3445 110
jozee@3445 111 # EAP fast re-authentication
jozee@3445 112 # By default, fast re-authentication is enabled for all EAP methods that
jozee@3445 113 # support it. This variable can be used to disable fast re-authentication.
jozee@3445 114 # Normally, there is no need to disable this.
jozee@3445 115 fast_reauth=1
jozee@3445 116
jozee@3445 117 # OpenSSL Engine support
jozee@3445 118 # These options can be used to load OpenSSL engines.
jozee@3445 119 # The two engines that are supported currently are shown below:
jozee@3445 120 # They are both from the opensc project (http://www.opensc.org/)
jozee@3445 121 # By default no engines are loaded.
jozee@3445 122 # make the opensc engine available
jozee@3445 123 #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
jozee@3445 124 # make the pkcs11 engine available
jozee@3445 125 #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
jozee@3445 126 # configure the path to the pkcs11 module required by the pkcs11 engine
jozee@3445 127 #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
jozee@3445 128
jozee@3445 129 # Dynamic EAP methods
jozee@3445 130 # If EAP methods were built dynamically as shared object files, they need to be
jozee@3445 131 # loaded here before being used in the network blocks. By default, EAP methods
jozee@3445 132 # are included statically in the build, so these lines are not needed
jozee@3445 133 #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
jozee@3445 134 #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
jozee@3445 135
jozee@3445 136 # Driver interface parameters
jozee@3445 137 # This field can be used to configure arbitrary driver interface parameters. The
jozee@3445 138 # format is specific to the selected driver interface. This field is not used
jozee@3445 139 # in most cases.
jozee@3445 140 #driver_param="field=value"
jozee@3445 141
jozee@3445 142 # Maximum lifetime for PMKSA in seconds; default 43200
jozee@3445 143 #dot11RSNAConfigPMKLifetime=43200
jozee@3445 144 # Threshold for reauthentication (percentage of PMK lifetime); default 70
jozee@3445 145 #dot11RSNAConfigPMKReauthThreshold=70
jozee@3445 146 # Timeout for security association negotiation in seconds; default 60
jozee@3445 147 #dot11RSNAConfigSATimeout=60
jozee@3445 148
jozee@3445 149 # network block
jozee@3445 150 #
jozee@3445 151 # Each network (usually APs sharing the same SSID) is configured as a separate
jozee@3445 152 # block in this configuration file. The network blocks are in preference order
jozee@3445 153 # (the first match is used).
jozee@3445 154 #
jozee@3445 155 # network block fields:
jozee@3445 156 #
jozee@3445 157 # disabled:
jozee@3445 158 # 0 = this network can be used (default)
jozee@3445 159 # 1 = this network block is disabled (can be enabled through ctrl_iface,
jozee@3445 160 # e.g., with wpa_cli or wpa_gui)
jozee@3445 161 #
jozee@3445 162 # id_str: Network identifier string for external scripts. This value is passed
jozee@3445 163 # to external action script through wpa_cli as WPA_ID_STR environment
jozee@3445 164 # variable to make it easier to do network specific configuration.
jozee@3445 165 #
jozee@3445 166 # ssid: SSID (mandatory); either as an ASCII string with double quotation or
jozee@3445 167 # as hex string; network name
jozee@3445 168 #
jozee@3445 169 # scan_ssid:
jozee@3445 170 # 0 = do not scan this SSID with specific Probe Request frames (default)
jozee@3445 171 # 1 = scan with SSID-specific Probe Request frames (this can be used to
jozee@3445 172 # find APs that do not accept broadcast SSID or use multiple SSIDs;
jozee@3445 173 # this will add latency to scanning, so enable this only when needed)
jozee@3445 174 #
jozee@3445 175 # bssid: BSSID (optional); if set, this network block is used only when
jozee@3445 176 # associating with the AP using the configured BSSID
jozee@3445 177 #
jozee@3445 178 # priority: priority group (integer)
jozee@3445 179 # By default, all networks will get same priority group (0). If some of the
jozee@3445 180 # networks are more desirable, this field can be used to change the order in
jozee@3445 181 # which wpa_supplicant goes through the networks when selecting a BSS. The
jozee@3445 182 # priority groups will be iterated in decreasing priority (i.e., the larger the
jozee@3445 183 # priority value, the sooner the network is matched against the scan results).
jozee@3445 184 # Within each priority group, networks will be selected based on security
jozee@3445 185 # policy, signal strength, etc.
jozee@3445 186 # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
jozee@3445 187 # using this priority to select the order for scanning. Instead, they try the
jozee@3445 188 # networks in the order in which they appear in the configuration file.
jozee@3445 189 #
jozee@3445 190 # mode: IEEE 802.11 operation mode
jozee@3445 191 # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
jozee@3445 192 # 1 = IBSS (ad-hoc, peer-to-peer)
jozee@3445 193 # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
jozee@3445 194 # and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has
jozee@3445 195 # to be set to 2 for IBSS. WPA-NONE requires the following network block options:
jozee@3445 196 # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
jozee@3445 197 # both), and psk must also be set.
jozee@3445 198 #
jozee@3445 199 # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
jozee@3445 200 # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
jozee@3445 201 # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
jozee@3445 202 # In addition, this value is only used by the station that creates the IBSS. If
jozee@3445 203 # an IBSS network with the configured SSID is already present, the frequency of
jozee@3445 204 # the network will be used instead of this configured value.
jozee@3445 205 #
jozee@3445 206 # proto: list of accepted protocols
jozee@3445 207 # WPA = WPA/IEEE 802.11i/D3.0
jozee@3445 208 # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
jozee@3445 209 # If not set, this defaults to: WPA RSN
jozee@3445 210 #
jozee@3445 211 # key_mgmt: list of accepted authenticated key management protocols
jozee@3445 212 # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
jozee@3445 213 # WPA-EAP = WPA using EAP authentication (this can use an external
jozee@3445 214 # program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication)
jozee@3445 215 # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
jozee@3445 216 # generated WEP keys
jozee@3445 217 # NONE = WPA is not used; plaintext or static WEP could be used
jozee@3445 218 # If not set, this defaults to: WPA-PSK WPA-EAP
jozee@3445 219 #
jozee@3445 220 # auth_alg: list of allowed IEEE 802.11 authentication algorithms
jozee@3445 221 # OPEN = Open System authentication (required for WPA/WPA2)
jozee@3445 222 # SHARED = Shared Key authentication (requires static WEP keys)
jozee@3445 223 # LEAP = LEAP/Network EAP (only used with LEAP)
jozee@3445 224 # If not set, automatic selection is used (Open System with LEAP enabled if
jozee@3445 225 # LEAP is allowed as one of the EAP methods).
jozee@3445 226 #
jozee@3445 227 # pairwise: list of accepted pairwise (unicast) ciphers for WPA
jozee@3445 228 # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
jozee@3445 229 # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
jozee@3445 230 # NONE = Use only Group Keys (deprecated, should not be included if APs support
jozee@3445 231 # pairwise keys)
jozee@3445 232 # If not set, this defaults to: CCMP TKIP
jozee@3445 233 #
jozee@3445 234 # group: list of accepted group (broadcast/multicast) ciphers for WPA
jozee@3445 235 # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
jozee@3445 236 # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
jozee@3445 237 # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
jozee@3445 238 # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
jozee@3445 239 # If not set, this defaults to: CCMP TKIP WEP104 WEP40
jozee@3445 240 #
jozee@3445 241 # psk: WPA preshared key; 256-bit pre-shared key
jozee@3445 242 # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
jozee@3445 243 # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
jozee@3445 244 # generated using the passphrase and SSID). ASCII passphrase must be between
jozee@3445 245 # 8 and 63 characters (inclusive).
jozee@3445 246 # This field is not needed, if WPA-EAP is used.
jozee@3445 247 # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
jozee@3445 248 # from ASCII passphrase. This process uses a lot of CPU and wpa_supplicant
jozee@3445 249 # startup and reconfiguration time can be optimized by generating the PSK
jozee@3445 250 # only when the passphrase or SSID has actually changed.
jozee@3445 251 #
jozee@3445 252 # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
jozee@3445 253 # Dynamic WEP key required for non-WPA mode
jozee@3445 254 # bit0 (1): require dynamically generated unicast WEP key
jozee@3445 255 # bit1 (2): require dynamically generated broadcast WEP key
jozee@3445 256 # (3 = require both keys; default)
jozee@3445 257 # Note: When using wired authentication, eapol_flags must be set to 0 for the
jozee@3445 258 # authentication to be completed successfully.
jozee@3445 259 #
jozee@3445 260 # mixed_cell: This option can be used to configure whether so called mixed
jozee@3445 261 # cells, i.e., networks that use both plaintext and encryption in the same
jozee@3445 262 # SSID, are allowed when selecting a BSS from scan results.
jozee@3445 263 # 0 = disabled (default)
jozee@3445 264 # 1 = enabled
jozee@3445 265 #
jozee@3445 266 # proactive_key_caching:
jozee@3445 267 # Enable/disable opportunistic PMKSA caching for WPA2.
jozee@3445 268 # 0 = disabled (default)
jozee@3445 269 # 1 = enabled
jozee@3445 270 #
jozee@3445 271 # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
jozee@3445 272 # hex without quotation, e.g., 0102030405)
jozee@3445 273 # wep_tx_keyidx: Default WEP key index (TX) (0..3)
jozee@3445 274 #
jozee@3445 275 # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
jozee@3445 276 # allowed. This is only used with RSN/WPA2.
jozee@3445 277 # 0 = disabled (default)
jozee@3445 278 # 1 = enabled
jozee@3445 279 #peerkey=1
jozee@3445 280 #
jozee@3445 281 # Following fields are only used with internal EAP implementation.
jozee@3445 282 # eap: space-separated list of accepted EAP methods
jozee@3445 283 # MD5 = EAP-MD5 (insecure and does not generate keying material ->
jozee@3445 284 # cannot be used with WPA; to be used as a Phase 2 method
jozee@3445 285 # with EAP-PEAP or EAP-TTLS)
jozee@3445 286 # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
jozee@3445 287 # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
jozee@3445 288 # OTP = EAP-OTP (cannot be used separately with WPA; to be used
jozee@3445 289 # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
jozee@3445 290 # GTC = EAP-GTC (cannot be used separately with WPA; to be used
jozee@3445 291 # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
jozee@3445 292 # TLS = EAP-TLS (client and server certificate)
jozee@3445 293 # PEAP = EAP-PEAP (with tunnelled EAP authentication)
jozee@3445 294 # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
jozee@3445 295 # authentication)
jozee@3445 296 # If not set, all compiled in methods are allowed.
jozee@3445 297 #
jozee@3445 298 # identity: Identity string for EAP
jozee@3445 299 # anonymous_identity: Anonymous identity string for EAP (to be used as the
jozee@3445 300 # unencrypted identity with EAP types that support different tunnelled
jozee@3445 301 # identity, e.g., EAP-TTLS)
jozee@3445 302 # password: Password string for EAP
jozee@3445 303 # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
jozee@3445 304 # or more trusted CA certificates. If ca_cert and ca_path are not
jozee@3445 305 # included, server certificate will not be verified. This is insecure and
jozee@3445 306 # a trusted CA certificate should always be configured when using
jozee@3445 307 # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
jozee@3445 308 # change when wpa_supplicant is run in the background.
jozee@3445 309 # On Windows, trusted CA certificates can be loaded from the system
jozee@3445 310 # certificate store by setting this to cert_store://<name>, e.g.,
jozee@3445 311 # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
jozee@3445 312 # Note that when running wpa_supplicant as an application, the user
jozee@3445 313 # certificate store (My user account) is used, whereas computer store
jozee@3445 314 # (Computer account) is used when running wpasvc as a service.
jozee@3445 315 # ca_path: Directory path for CA certificate files (PEM). This path may
jozee@3445 316 # contain multiple CA certificates in OpenSSL format. Common use for this
jozee@3445 317 # is to point to system trusted CA list which is often installed into
jozee@3445 318 # directory like /etc/ssl/certs. If configured, these certificates are
jozee@3445 319 # added to the list of trusted CAs. ca_cert may also be included in that
jozee@3445 320 # case, but it is not required.
jozee@3445 321 # client_cert: File path to client certificate file (PEM/DER)
jozee@3445 322 # Full path should be used since working directory may change when
jozee@3445 323 # wpa_supplicant is run in the background.
jozee@3445 324 # Alternatively, a named configuration blob can be used by setting this
jozee@3445 325 # to blob://<blob name>.
jozee@3445 326 # private_key: File path to client private key file (PEM/DER/PFX)
jozee@3445 327 # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
jozee@3445 328 # commented out. Both the private key and certificate will be read from
jozee@3445 329 # the PKCS#12 file in this case. Full path should be used since working
jozee@3445 330 # directory may change when wpa_supplicant is run in the background.
jozee@3445 331 # Windows certificate store can be used by leaving client_cert out and
jozee@3445 332 # configuring private_key in one of the following formats:
jozee@3445 333 # cert://substring_to_match
jozee@3445 334 # hash://certificate_thumbprint_in_hex
jozee@3445 335 # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
jozee@3445 336 # Note that when running wpa_supplicant as an application, the user
jozee@3445 337 # certificate store (My user account) is used, whereas computer store
jozee@3445 338 # (Computer account) is used when running wpasvc as a service.
jozee@3445 339 # Alternatively, a named configuration blob can be used by setting this
jozee@3445 340 # to blob://<blob name>.
jozee@3445 341 # private_key_passwd: Password for private key file (if left out, this will be
jozee@3445 342 # asked through control interface)
jozee@3445 343 # dh_file: File path to DH/DSA parameters file (in PEM format)
jozee@3445 344 # This is an optional configuration file for setting parameters for an
jozee@3445 345 # ephemeral DH key exchange. In most cases, the default RSA
jozee@3445 346 # authentication does not use this configuration. However, it is possible to
jozee@3445 347 # set up RSA to use ephemeral DH key exchange. In addition, ciphers with
jozee@3445 348 # DSA keys always use ephemeral DH keys. This can be used to achieve
jozee@3445 349 # forward secrecy. If the file is in DSA parameters format, it will be
jozee@3445 350 # automatically converted into DH params.
jozee@3445 351 # subject_match: Substring to be matched against the subject of the
jozee@3445 352 # authentication server certificate. If this string is set, the server
jozee@3445 353 # certificate is only accepted if it contains this string in the subject.
jozee@3445 354 # The subject string is in following format:
jozee@3445 355 # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
jozee@3445 356 # altsubject_match: Semicolon separated string of entries to be matched against
jozee@3445 357 # the alternative subject name of the authentication server certificate.
jozee@3445 358 # If this string is set, the server certificate is only accepted if it
jozee@3445 359 # contains one of the entries in an alternative subject name extension.
jozee@3445 360 # altSubjectName string is in following format: TYPE:VALUE
jozee@3445 361 # Example: EMAIL:server@example.com
jozee@3445 362 # Example: DNS:server.example.com;DNS:server2.example.com
jozee@3445 363 # Following types are supported: EMAIL, DNS, URI
jozee@3445 364 # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
jozee@3445 365 # (string with field-value pairs, e.g., "peapver=0" or
jozee@3445 366 # "peapver=1 peaplabel=1")
jozee@3445 367 # 'peapver' can be used to force which PEAP version (0 or 1) is used.
jozee@3445 368 # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
jozee@3445 369 # to be used during key derivation when PEAPv1 or newer. Most existing
jozee@3445 370 # PEAPv1 implementations seem to be using the old label, "client EAP
jozee@3445 371 # encryption", and wpa_supplicant is now using that as the default value.
jozee@3445 372 # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
jozee@3445 373 # interoperate with PEAPv1; see eap_testing.txt for more details.
jozee@3445 374 # 'peap_outer_success=0' can be used to terminate PEAP authentication on
jozee@3445 375 # tunneled EAP-Success. This is required with some RADIUS servers that
jozee@3445 376 # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
jozee@3445 377 # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
jozee@3445 378 # include_tls_length=1 can be used to force wpa_supplicant to include
jozee@3445 379 # TLS Message Length field in all TLS messages even if they are not
jozee@3445 380 # fragmented.
jozee@3445 381 # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
jozee@3445 382 # challenges (by default, it accepts 2 or 3)
jozee@3445 383 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
jozee@3445 384 # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
jozee@3445 385 # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
jozee@3445 386 # Following certificate/private key fields are used in inner Phase2
jozee@3445 387 # authentication when using EAP-TTLS or EAP-PEAP.
jozee@3445 388 # ca_cert2: File path to CA certificate file. This file can have one or more
jozee@3445 389 # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
jozee@3445 390 # server certificate will not be verified. This is insecure and a trusted
jozee@3445 391 # CA certificate should always be configured.
jozee@3445 392 # ca_path2: Directory path for CA certificate files (PEM)
jozee@3445 393 # client_cert2: File path to client certificate file
jozee@3445 394 # private_key2: File path to client private key file
jozee@3445 395 # private_key2_passwd: Password for private key file
jozee@3445 396 # dh_file2: File path to DH/DSA parameters file (in PEM format)
jozee@3445 397 # subject_match2: Substring to be matched against the subject of the
jozee@3445 398 # authentication server certificate.
jozee@3445 399 # altsubject_match2: Substring to be matched against the alternative subject
jozee@3445 400 # name of the authentication server certificate.
jozee@3445 401 #
jozee@3445 402 # fragment_size: Maximum EAP fragment size in bytes (default 1398).
jozee@3445 403 # This value limits the fragment size for EAP methods that support
jozee@3445 404 # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
jozee@3445 405 # small enough to make the EAP messages fit in MTU of the network
jozee@3445 406 # interface used for EAPOL. The default value is suitable for most
jozee@3445 407 # cases.
jozee@3445 408 #
jozee@3445 409 # EAP-PSK variables:
jozee@3445 410 # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
jozee@3445 411 # nai: user NAI
jozee@3445 412 #
jozee@3445 413 # EAP-PAX variables:
jozee@3445 414 # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
jozee@3445 415 #
jozee@3445 416 # EAP-SAKE variables:
jozee@3445 417 # eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format
jozee@3445 418 # (this is concatenation of Root-Secret-A and Root-Secret-B)
jozee@3445 419 # nai: user NAI (PEERID)
jozee@3445 420 #
jozee@3445 421 # EAP-GPSK variables:
jozee@3445 422 # eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits)
jozee@3445 423 # nai: user NAI (ID_Client)
jozee@3445 424 #
jozee@3445 425 # EAP-FAST variables:
jozee@3445 426 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
jozee@3445 427 # to create this file and write updates to it when PAC is being
jozee@3445 428 # provisioned or refreshed. Full path to the file should be used since
jozee@3445 429 # working directory may change when wpa_supplicant is run in the
jozee@3445 430 # background. Alternatively, a named configuration blob can be used by
jozee@3445 431 # setting this to blob://<blob name>
jozee@3445 432 # phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
jozee@3445 433 # credentials (PAC)
jozee@3445 434 #
jozee@3445 435 # wpa_supplicant supports a number of "EAP workarounds" to work around
jozee@3445 436 # interoperability issues with incorrectly behaving authentication servers.
jozee@3445 437 # These are enabled by default because some of the issues are present in a large
jozee@3445 438 # number of authentication servers. Strict EAP conformance mode can be
jozee@3445 439 # configured by disabling workarounds with eap_workaround=0.
jozee@3445 440
jozee@3445 441 # Example blocks:
jozee@3445 442
jozee@3445 443 # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
jozee@3445 444 #network={
jozee@3445 445 # ssid="simple"
jozee@3445 446 # psk="very secret passphrase"
jozee@3445 447 # priority=5
jozee@3445 448 #}
jozee@3445 449
jozee@3445 450 # Same as previous, but request SSID-specific scanning (for APs that reject
jozee@3445 451 # broadcast SSID)
jozee@3445 452 #network={
jozee@3445 453 # ssid="second ssid"
jozee@3445 454 # scan_ssid=1
jozee@3445 455 # psk="very secret passphrase"
jozee@3445 456 # priority=2
jozee@3445 457 #}
jozee@3445 458
jozee@3445 459 # Only WPA-PSK is used. Any valid cipher combination is accepted.
jozee@3445 460 #network={
jozee@3445 461 # ssid="example"
jozee@3445 462 # proto=WPA
jozee@3445 463 # key_mgmt=WPA-PSK
jozee@3445 464 # pairwise=CCMP TKIP
jozee@3445 465 # group=CCMP TKIP WEP104 WEP40
jozee@3445 466 # psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
jozee@3445 467 # priority=2
jozee@3445 468 #}
jozee@3445 469
jozee@3445 470 # Only WPA-EAP is used. Both CCMP and TKIP are accepted. An AP that uses WEP104
jozee@3445 471 # or WEP40 as the group cipher will not be accepted.
jozee@3445 472 #network={
jozee@3445 473 # ssid="example"
jozee@3445 474 # proto=RSN
jozee@3445 475 # key_mgmt=WPA-EAP
jozee@3445 476 # pairwise=CCMP TKIP
jozee@3445 477 # group=CCMP TKIP
jozee@3445 478 # eap=TLS
jozee@3445 479 # identity="user@example.com"
jozee@3445 480 # ca_cert="/etc/cert/ca.pem"
jozee@3445 481 # client_cert="/etc/cert/user.pem"
jozee@3445 482 # private_key="/etc/cert/user.prv"
jozee@3445 483 # private_key_passwd="password"
jozee@3445 484 # priority=1
jozee@3445 485 #}
jozee@3445 486
jozee@3445 487 # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
jozee@3445 488 # (e.g., Radiator)
jozee@3445 489 #network={
jozee@3445 490 # ssid="example"
jozee@3445 491 # key_mgmt=WPA-EAP
jozee@3445 492 # eap=PEAP
jozee@3445 493 # identity="user@example.com"
jozee@3445 494 # password="foobar"
jozee@3445 495 # ca_cert="/etc/cert/ca.pem"
jozee@3445 496 # phase1="peaplabel=1"
jozee@3445 497 # phase2="auth=MSCHAPV2"
jozee@3445 498 # priority=10
jozee@3445 499 #}
jozee@3445 500
jozee@3445 501 # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
jozee@3445 502 # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
jozee@3445 503 #network={
jozee@3445 504 # ssid="example"
jozee@3445 505 # key_mgmt=WPA-EAP
jozee@3445 506 # eap=TTLS
jozee@3445 507 # identity="user@example.com"
jozee@3445 508 # anonymous_identity="anonymous@example.com"
jozee@3445 509 # password="foobar"
jozee@3445 510 # ca_cert="/etc/cert/ca.pem"
jozee@3445 511 # priority=2
jozee@3445 512 #}
jozee@3445 513
jozee@3445 514 # EAP-TTLS/MSCHAPv2 configuration with an anonymous identity for the unencrypted
jozee@3445 515 # (outer) exchange. The real identity is sent only within the encrypted TLS tunnel.
jozee@3445 516 #network={
jozee@3445 517 # ssid="example"
jozee@3445 518 # key_mgmt=WPA-EAP
jozee@3445 519 # eap=TTLS
jozee@3445 520 # identity="user@example.com"
jozee@3445 521 # anonymous_identity="anonymous@example.com"
jozee@3445 522 # password="foobar"
jozee@3445 523 # ca_cert="/etc/cert/ca.pem"
jozee@3445 524 # phase2="auth=MSCHAPV2"
jozee@3445 525 #}
jozee@3445 526
jozee@3445 527 # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
jozee@3445 528 # authentication.
jozee@3445 529 #network={
jozee@3445 530 # ssid="example"
jozee@3445 531 # key_mgmt=WPA-EAP
jozee@3445 532 # eap=TTLS
jozee@3445 533 # Phase1 / outer authentication
jozee@3445 534 # anonymous_identity="anonymous@example.com"
jozee@3445 535 # ca_cert="/etc/cert/ca.pem"
jozee@3445 536 # Phase 2 / inner authentication
jozee@3445 537 # phase2="autheap=TLS"
jozee@3445 538 # ca_cert2="/etc/cert/ca2.pem"
jozee@3445 539 # client_cert2="/etc/cert/user.pem"
jozee@3445 540 # private_key2="/etc/cert/user.prv"
jozee@3445 541 # private_key2_passwd="password"
jozee@3445 542 # priority=2
jozee@3445 543 #}
jozee@3445 544
jozee@3445 545 # Both WPA-PSK and WPA-EAP are accepted. Only CCMP is accepted as pairwise and
jozee@3445 546 # group cipher.
jozee@3445 547 #network={
jozee@3445 548 # ssid="example"
jozee@3445 549 # bssid=00:11:22:33:44:55
jozee@3445 550 # proto=WPA RSN
jozee@3445 551 # key_mgmt=WPA-PSK WPA-EAP
jozee@3445 552 # pairwise=CCMP
jozee@3445 553 # group=CCMP
jozee@3445 554 # psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
jozee@3445 555 #}
jozee@3445 556
jozee@3445 557 # The SSID contains special characters, so it is given as a hex string. Defaults to
jozee@3445 558 # WPA-PSK, WPA-EAP and all valid ciphers.
jozee@3445 559 #network={
jozee@3445 560 # ssid=00010203
jozee@3445 561 # psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
jozee@3445 562 #}
jozee@3445 563
jozee@3445 564
jozee@3445 565 # EAP-SIM with a GSM SIM or USIM
jozee@3445 566 #network={
jozee@3445 567 # ssid="eap-sim-test"
jozee@3445 568 # key_mgmt=WPA-EAP
jozee@3445 569 # eap=SIM
jozee@3445 570 # pin="1234"
jozee@3445 571 # pcsc=""
jozee@3445 572 #}
jozee@3445 573
jozee@3445 574
jozee@3445 575 # EAP-PSK
jozee@3445 576 #network={
jozee@3445 577 # ssid="eap-psk-test"
jozee@3445 578 # key_mgmt=WPA-EAP
jozee@3445 579 # eap=PSK
jozee@3445 580 # identity="eap_psk_user"
jozee@3445 581 # eappsk=06b4be19da289f475aa46a33cb793029
jozee@3445 582 # nai="eap_psk_user@example.com"
jozee@3445 583 #}
jozee@3445 584
jozee@3445 585
jozee@3445 586 # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
jozee@3445 587 # EAP-TLS for authentication and key generation; require both unicast and
jozee@3445 588 # broadcast WEP keys.
jozee@3445 589 #network={
jozee@3445 590 # ssid="1x-test"
jozee@3445 591 # key_mgmt=IEEE8021X
jozee@3445 592 # eap=TLS
jozee@3445 593 # identity="user@example.com"
jozee@3445 594 # ca_cert="/etc/cert/ca.pem"
jozee@3445 595 # client_cert="/etc/cert/user.pem"
jozee@3445 596 # private_key="/etc/cert/user.prv"
jozee@3445 597 # private_key_passwd="password"
jozee@3445 598 # eapol_flags=3
jozee@3445 599 #}
jozee@3445 600
jozee@3445 601
jozee@3445 602 # LEAP with dynamic WEP keys
jozee@3445 603 #network={
jozee@3445 604 # ssid="leap-example"
jozee@3445 605 # key_mgmt=IEEE8021X
jozee@3445 606 # eap=LEAP
jozee@3445 607 # identity="user"
jozee@3445 608 # password="foobar"
jozee@3445 609 #}
jozee@3445 610
jozee@3445 611 # EAP-FAST with WPA (WPA or WPA2)
jozee@3445 612 #network={
jozee@3445 613 # ssid="eap-fast-test"
jozee@3445 614 # key_mgmt=WPA-EAP
jozee@3445 615 # eap=FAST
jozee@3445 616 # anonymous_identity="FAST-000102030405"
jozee@3445 617 # identity="username"
jozee@3445 618 # password="password"
jozee@3445 619 # phase1="fast_provisioning=1"
jozee@3445 620 # pac_file="/etc/wpa_supplicant.eap-fast-pac"
jozee@3445 621 #}
jozee@3445 622
jozee@3445 623 #network={
jozee@3445 624 # ssid="eap-fast-test"
jozee@3445 625 # key_mgmt=WPA-EAP
jozee@3445 626 # eap=FAST
jozee@3445 627 # anonymous_identity="FAST-000102030405"
jozee@3445 628 # identity="username"
jozee@3445 629 # password="password"
jozee@3445 630 # phase1="fast_provisioning=1"
jozee@3445 631 # pac_file="blob://eap-fast-pac"
jozee@3445 632 #}
jozee@3445 633
jozee@3445 634 # Plaintext connection (no WPA, no IEEE 802.1X)
jozee@3445 635 #network={
jozee@3445 636 # ssid="plaintext-test"
jozee@3445 637 # key_mgmt=NONE
jozee@3445 638 #}
jozee@3445 639
jozee@3445 640
jozee@3445 641 # Shared WEP key connection (no WPA, no IEEE 802.1X)
jozee@3445 642 #network={
jozee@3445 643 # ssid="static-wep-test"
jozee@3445 644 # key_mgmt=NONE
jozee@3445 645 # wep_key0="abcde"
jozee@3445 646 # wep_key1=0102030405
jozee@3445 647 # wep_key2="1234567890123"
jozee@3445 648 # wep_tx_keyidx=0
jozee@3445 649 # priority=5
jozee@3445 650 #}
jozee@3445 651
jozee@3445 652
jozee@3445 653 # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
jozee@3445 654 # IEEE 802.11 authentication
jozee@3445 655 #network={
jozee@3445 656 # ssid="static-wep-test2"
jozee@3445 657 # key_mgmt=NONE
jozee@3445 658 # wep_key0="abcde"
jozee@3445 659 # wep_key1=0102030405
jozee@3445 660 # wep_key2="1234567890123"
jozee@3445 661 # wep_tx_keyidx=0
jozee@3445 662 # priority=5
jozee@3445 663 # auth_alg=SHARED
jozee@3445 664 #}
jozee@3445 665
jozee@3445 666
jozee@3445 667 # IBSS/ad-hoc network with WPA-None/TKIP.
jozee@3445 668 #network={
jozee@3445 669 # ssid="test adhoc"
jozee@3445 670 # mode=1
jozee@3445 671 # frequency=2412
jozee@3445 672 # proto=WPA
jozee@3445 673 # key_mgmt=WPA-NONE
jozee@3445 674 # pairwise=NONE
jozee@3445 675 # group=TKIP
jozee@3445 676 # psk="secret passphrase"
jozee@3445 677 #}
jozee@3445 678
jozee@3445 679
jozee@3445 680 # Catch-all example that allows more or less all configuration modes. Note: key_mgmt includes NONE, so an open (unprotected) network with this SSID is also accepted.
jozee@3445 681 #network={
jozee@3445 682 # ssid="example"
jozee@3445 683 # scan_ssid=1
jozee@3445 684 # key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
jozee@3445 685 # pairwise=CCMP TKIP
jozee@3445 686 # group=CCMP TKIP WEP104 WEP40
jozee@3445 687 # psk="very secret passphrase"
jozee@3445 688 # eap=TTLS PEAP TLS
jozee@3445 689 # identity="user@example.com"
jozee@3445 690 # password="foobar"
jozee@3445 691 # ca_cert="/etc/cert/ca.pem"
jozee@3445 692 # client_cert="/etc/cert/user.pem"
jozee@3445 693 # private_key="/etc/cert/user.prv"
jozee@3445 694 # private_key_passwd="password"
jozee@3445 695 # phase1="peaplabel=0"
jozee@3445 696 #}
jozee@3445 697
jozee@3445 698 # Example of EAP-TLS with smartcard (openssl engine)
jozee@3445 699 #network={
jozee@3445 700 # ssid="example"
jozee@3445 701 # key_mgmt=WPA-EAP
jozee@3445 702 # eap=TLS
jozee@3445 703 # proto=RSN
jozee@3445 704 # pairwise=CCMP TKIP
jozee@3445 705 # group=CCMP TKIP
jozee@3445 706 # identity="user@example.com"
jozee@3445 707 # ca_cert="/etc/cert/ca.pem"
jozee@3445 708 # client_cert="/etc/cert/user.pem"
jozee@3445 709 #
jozee@3445 710 # engine=1
jozee@3445 711
jozee@3445 712 # The engine configured here must be available. Look at
jozee@3445 713 # OpenSSL engine support in the global section.
jozee@3445 714 # The key available through the engine must be the private key
jozee@3445 715 # matching the client certificate configured above.
jozee@3445 716
jozee@3445 717 # use the opensc engine
jozee@3445 718 #engine_id="opensc"
jozee@3445 719 #key_id="45"
jozee@3445 720
jozee@3445 721 # use the pkcs11 engine
jozee@3445 722 # engine_id="pkcs11"
jozee@3445 723 # key_id="id_45"
jozee@3445 724 #
jozee@3445 725 # Optional PIN configuration; this can be left out, in which case the PIN will be
jozee@3445 726 # requested through the control interface
jozee@3445 727 # pin="1234"
jozee@3445 728 #}
jozee@3445 729
jozee@3445 730 # Example configuration showing how to use an inlined blob as CA certificate
jozee@3445 731 # data instead of an external file
jozee@3445 732 #network={
jozee@3445 733 # ssid="example"
jozee@3445 734 # key_mgmt=WPA-EAP
jozee@3445 735 # eap=TTLS
jozee@3445 736 # identity="user@example.com"
jozee@3445 737 # anonymous_identity="anonymous@example.com"
jozee@3445 738 # password="foobar"
jozee@3445 739 # ca_cert="blob://exampleblob"
jozee@3445 740 # priority=20
jozee@3445 741 #}
jozee@3445 742
jozee@3445 743 #blob-base64-exampleblob={
jozee@3445 744 #SGVsbG8gV29ybGQhCg==
jozee@3445 745 #}
jozee@3445 746
jozee@3445 747
jozee@3445 748 # Wildcard match for SSID (plaintext APs only). This example selects any open AP regardless of its SSID.
jozee@3445 749 # Unlike the examples above, this block is not commented out, so as shipped it is active and will join any open network in range; comment it out if that is not intended.
jozee@3445 750 network={
jozee@3445 751 key_mgmt=NONE
jozee@3445 752 }
jozee@3445 753
jozee@3445 754