wok-current rev 15914
Update wpa_supplicant (2.1) And use /etc/wpa
author | Christophe Lincoln <pankso@slitaz.org> |
---|---|
date | Sat Feb 15 19:55:40 2014 +0100 (2014-02-15) |
parents | f2f0afdddde7 |
children | 0677483d2636 |
files | wpa_supplicant/receipt wpa_supplicant/stuff/etc/wpa/wpa_empty.conf wpa_supplicant/stuff/etc/wpa/wpa_supplicant.conf wpa_supplicant/stuff/etc/wpa_supplicant.conf |
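--- a/wpa_supplicant/receipt
+++ b/wpa_supplicant/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="wpa_supplicant"
-VERSION="1.1"
+VERSION="2.1"
 CATEGORY="utilities"
 SHORT_DESC="WPA Supplicant with support for WPA and WPA2"
 MAINTAINER="0dddba11@googlemail.com"
@@ -57,20 +57,22 @@
 $src/wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
 $fs/etc/dbus-1/system.d/wpa_supplicant.conf
 
- # Startup script and cleaned up wpa_supplicant.conf
- cp -a stuff/etc $fs
- # dont copy the original
- # cp -a $src/$PACKAGE/wpa_supplicant.conf $fs/etc
+ # Startup script and cleaned up wpa_empty.conf
+ cp -a $stuff/etc $fs
+ cp -a $src/$PACKAGE/wpa_supplicant.conf $fs/etc/wpa
 }
 
 # Pre and post install commands for Tazpkg.
 post_install()
 {
- grep -qs ^WPA_OPTIONS= $1/etc/daemons.conf || cat >> $1/etc/daemons.conf <<EOT
+ grep -qs ^WPA_OPTIONS= $1/etc/daemons.conf || cat >> $1/etc/daemons.conf << EOT
+
 # wpa_supplicant daemon options
-WPA_OPTIONS="-B -u -P /var/run/wpa_supplicant.pid -c /etc/wpa_supplicant.conf -i \$(. /etc/network.conf ; echo \$WIFI_INTERFACE)"
+WPA_OPTIONS="-B -u -P /var/run/wpa_supplicant.pid -c /etc/wpa/wpa.conf -i \$(. /etc/network.conf ; echo \$WIFI_INTERFACE)"
 
 EOT
+ # We use /etc/wpa/wpa.conf from SliTaz 5.0
+ sed -i s'#/etc/wpa_supplicant.conf#/etc/wpa/wpa.conf#'/ $1/etc/daemons.conf 2> /dev/null
 # 'w' option dont exist anymore with < 0.6.9
 sed -i s/'-Bw'/'-B'/ $1/etc/daemons.conf 2> /dev/null
 sed -i s/'-B -w'/'-B'/g $1/etc/init.d/network.sh 2> /dev/null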
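Review bot: The migration line added to post_install has a stray `/` after the closing quote (`s'#…#…#'/`), so sed receives `/` as a substitution flag and should reject the expression, and `2> /dev/null` hides that failure. On an upgrade, where `WPA_OPTIONS=` already exists and the here-doc is skipped, daemons.conf would keep pointing at /etc/wpa_supplicant.conf. I would write `sed -i 's#/etc/wpa_supplicant\.conf#/etc/wpa/wpa.conf#' "$1/etc/daemons.conf"` and not discard stderr. The hunk installs only wpa_empty.conf and the upstream example, so confirm that whatever creates /etc/wpa/wpa.conf (presumably network.sh) gives it mode 0600, since it will hold PSKs. post_install continues past the end of the hunk.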
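--- /dev/null
+++ b/wpa_supplicant/stuff/etc/wpa/wpa_empty.conf
@@ -0,0 +1,37 @@
+# /etc/wpa/wpa.conf: wpa_supplicant configuration file.
+#
+
+# Whether to allow wpa_supplicant to update (overwrite) configuration
+#update_config=1
+
+#
+# global configuration (shared by all network blocks)
+#
+
+# Parameters for the control interface
+ctrl_interface=/var/run/wpa_supplicant
+
+# Ensure that only root can read the WPA configuration
+ctrl_interface_group=0
+
+# IEEE 802.1X/EAPOL version: 1 or 2
+eapol_version=2
+
+# AP scanning/selection
+ap_scan=1
+
+# EAP fast re-authentication
+fast_reauth=1
+
+# Network configuration example.
+#network={
+ #ssid=""
+ #psk=""
+ #scan_ssid=1
+ #proto=WPA RSN
+ #key_mgmt=WPA-PSK WPA-EAP
+#}
+
+# Network configuration added by /etc/init.d/network.sh using
+# setting from /etc/network.conf
+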
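Review bot: The comment above `ctrl_interface_group=0` says it ensures only root can read the WPA configuration, but that option only sets the group allowed to use the control interface socket under /var/run/wpa_supplicant; it does not change who can read this file. The closing comment says network.sh appends network settings here (presumably including `psk=`), so the file needs its own protection: ship it mode 0600 root:root and make sure the copy to /etc/wpa/wpa.conf keeps that mode. I would reword the comment to `# Restrict the control interface socket to gid 0 (root)`. Separately, `eapol_version=2` departs from the upstream default of 1, which the example file in this same commit explains is kept for APs that drop version 2 frames; a one-line comment on why 2 was chosen would help.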
3.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000 3.2 +++ b/wpa_supplicant/stuff/etc/wpa/wpa_supplicant.conf Sat Feb 15 19:55:40 2014 +0100 3.3 
@@ -0,0 +1,1273 @@ 3.4 +##### Example wpa_supplicant configuration file ############################### 3.5 +# 3.6 +# This file describes configuration file format and lists all available option. 3.7 +# Please also take a look at simpler configuration examples in 'examples' 3.8 +# subdirectory. 3.9 +# 3.10 +# Empty lines and lines starting with # are ignored 3.11 + 3.12 +# NOTE! This file may contain password information and should probably be made 3.13 +# readable only by root user on multiuser systems. 3.14 + 3.15 +# Note: All file paths in this configuration file should use full (absolute, 3.16 +# not relative to working directory) path in order to allow working directory 3.17 +# to be changed. This can happen if wpa_supplicant is run in the background. 3.18 + 3.19 +# Whether to allow wpa_supplicant to update (overwrite) configuration 3.20 +# 3.21 +# This option can be used to allow wpa_supplicant to overwrite configuration 3.22 +# file whenever configuration is changed (e.g., new network block is added with 3.23 +# wpa_cli or wpa_gui, or a password is changed). This is required for 3.24 +# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 3.25 +# Please note that overwriting configuration file will remove the comments from 3.26 +# it. 3.27 +#update_config=1 3.28 + 3.29 +# global configuration (shared by all network blocks) 3.30 +# 3.31 +# Parameters for the control interface. If this is specified, wpa_supplicant 3.32 +# will open a control interface that is available for external programs to 3.33 +# manage wpa_supplicant. The meaning of this string depends on which control 3.34 +# interface mechanism is used. For all cases, the existence of this parameter 3.35 +# in configuration is used to determine whether the control interface is 3.36 +# enabled. 
3.37 +# 3.38 +# For UNIX domain sockets (default on Linux and BSD): This is a directory that 3.39 +# will be created for UNIX domain sockets for listening to requests from 3.40 +# external programs (CLI/GUI, etc.) for status information and configuration. 3.41 +# The socket file will be named based on the interface name, so multiple 3.42 +# wpa_supplicant processes can be run at the same time if more than one 3.43 +# interface is used. 3.44 +# /var/run/wpa_supplicant is the recommended directory for sockets and by 3.45 +# default, wpa_cli will use it when trying to connect with wpa_supplicant. 3.46 +# 3.47 +# Access control for the control interface can be configured by setting the 3.48 +# directory to allow only members of a group to use sockets. This way, it is 3.49 +# possible to run wpa_supplicant as root (since it needs to change network 3.50 +# configuration and open raw sockets) and still allow GUI/CLI components to be 3.51 +# run as non-root users. However, since the control interface can be used to 3.52 +# change the network configuration, this access needs to be protected in many 3.53 +# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 3.54 +# want to allow non-root users to use the control interface, add a new group 3.55 +# and change this value to match with that group. Add users that should have 3.56 +# control interface access to this group. If this variable is commented out or 3.57 +# not included in the configuration file, group will not be changed from the 3.58 +# value it got by default when the directory or socket was created. 3.59 +# 3.60 +# When configuring both the directory and group, use following format: 3.61 +# DIR=/var/run/wpa_supplicant GROUP=wheel 3.62 +# DIR=/var/run/wpa_supplicant GROUP=0 3.63 +# (group can be either group name or gid) 3.64 +# 3.65 +# For UDP connections (default on Windows): The value will be ignored. This 3.66 +# variable is just used to select that the control interface is to be created. 
3.67 +# The value can be set to, e.g., udp (ctrl_interface=udp) 3.68 +# 3.69 +# For Windows Named Pipe: This value can be used to set the security descriptor 3.70 +# for controlling access to the control interface. Security descriptor can be 3.71 +# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 3.72 +# library/default.asp?url=/library/en-us/secauthz/security/ 3.73 +# security_descriptor_string_format.asp). The descriptor string needs to be 3.74 +# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 3.75 +# DACL (which will reject all connections). See README-Windows.txt for more 3.76 +# information about SDDL string format. 3.77 +# 3.78 +ctrl_interface=/var/run/wpa_supplicant 3.79 + 3.80 +# IEEE 802.1X/EAPOL version 3.81 +# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 3.82 +# EAPOL version 2. However, there are many APs that do not handle the new 3.83 +# version number correctly (they seem to drop the frames completely). In order 3.84 +# to make wpa_supplicant interoperate with these APs, the version number is set 3.85 +# to 1 by default. This configuration value can be used to set it to the new 3.86 +# version (2). 3.87 +eapol_version=1 3.88 + 3.89 +# AP scanning/selection 3.90 +# By default, wpa_supplicant requests driver to perform AP scanning and then 3.91 +# uses the scan results to select a suitable AP. Another alternative is to 3.92 +# allow the driver to take care of AP scanning and selection and use 3.93 +# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 3.94 +# information from the driver. 
3.95 +# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 3.96 +# the currently enabled networks are found, a new network (IBSS or AP mode 3.97 +# operation) may be initialized (if configured) (default) 3.98 +# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 3.99 +# parameters (e.g., WPA IE generation); this mode can also be used with 3.100 +# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 3.101 +# APs (i.e., external program needs to control association). This mode must 3.102 +# also be used when using wired Ethernet drivers. 3.103 +# 2: like 0, but associate with APs using security policy and SSID (but not 3.104 +# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 3.105 +# enable operation with hidden SSIDs and optimized roaming; in this mode, 3.106 +# the network blocks in the configuration file are tried one by one until 3.107 +# the driver reports successful association; each network block should have 3.108 +# explicit security policy (i.e., only one option in the lists) for 3.109 +# key_mgmt, pairwise, group, proto variables 3.110 +# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 3.111 +# created immediately regardless of scan results. ap_scan=1 mode will first try 3.112 +# to scan for existing networks and only if no matches with the enabled 3.113 +# networks are found, a new IBSS or AP mode network is created. 3.114 +ap_scan=1 3.115 + 3.116 +# EAP fast re-authentication 3.117 +# By default, fast re-authentication is enabled for all EAP methods that 3.118 +# support it. This variable can be used to disable fast re-authentication. 3.119 +# Normally, there is no need to disable this. 3.120 +fast_reauth=1 3.121 + 3.122 +# OpenSSL Engine support 3.123 +# These options can be used to load OpenSSL engines. 
3.124 +# The two engines that are supported currently are shown below: 3.125 +# They are both from the opensc project (http://www.opensc.org/) 3.126 +# By default no engines are loaded. 3.127 +# make the opensc engine available 3.128 +#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 3.129 +# make the pkcs11 engine available 3.130 +#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 3.131 +# configure the path to the pkcs11 module required by the pkcs11 engine 3.132 +#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 3.133 + 3.134 +# Dynamic EAP methods 3.135 +# If EAP methods were built dynamically as shared object files, they need to be 3.136 +# loaded here before being used in the network blocks. By default, EAP methods 3.137 +# are included statically in the build, so these lines are not needed 3.138 +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 3.139 +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 3.140 + 3.141 +# Driver interface parameters 3.142 +# This field can be used to configure arbitrary driver interace parameters. The 3.143 +# format is specific to the selected driver interface. This field is not used 3.144 +# in most cases. 3.145 +#driver_param="field=value" 3.146 + 3.147 +# Country code 3.148 +# The ISO/IEC alpha2 country code for the country in which this device is 3.149 +# currently operating. 3.150 +#country=US 3.151 + 3.152 +# Maximum lifetime for PMKSA in seconds; default 43200 3.153 +#dot11RSNAConfigPMKLifetime=43200 3.154 +# Threshold for reauthentication (percentage of PMK lifetime); default 70 3.155 +#dot11RSNAConfigPMKReauthThreshold=70 3.156 +# Timeout for security association negotiation in seconds; default 60 3.157 +#dot11RSNAConfigSATimeout=60 3.158 + 3.159 +# Wi-Fi Protected Setup (WPS) parameters 3.160 + 3.161 +# Universally Unique IDentifier (UUID; see RFC 4122) of the device 3.162 +# If not configured, UUID will be generated based on the local MAC address. 
3.163 +#uuid=12345678-9abc-def0-1234-56789abcdef0 3.164 + 3.165 +# Device Name 3.166 +# User-friendly description of device; up to 32 octets encoded in UTF-8 3.167 +#device_name=Wireless Client 3.168 + 3.169 +# Manufacturer 3.170 +# The manufacturer of the device (up to 64 ASCII characters) 3.171 +#manufacturer=Company 3.172 + 3.173 +# Model Name 3.174 +# Model of the device (up to 32 ASCII characters) 3.175 +#model_name=cmodel 3.176 + 3.177 +# Model Number 3.178 +# Additional device description (up to 32 ASCII characters) 3.179 +#model_number=123 3.180 + 3.181 +# Serial Number 3.182 +# Serial number of the device (up to 32 characters) 3.183 +#serial_number=12345 3.184 + 3.185 +# Primary Device Type 3.186 +# Used format: <categ>-<OUI>-<subcateg> 3.187 +# categ = Category as an integer value 3.188 +# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 3.189 +# default WPS OUI 3.190 +# subcateg = OUI-specific Sub Category as an integer value 3.191 +# Examples: 3.192 +# 1-0050F204-1 (Computer / PC) 3.193 +# 1-0050F204-2 (Computer / Server) 3.194 +# 5-0050F204-1 (Storage / NAS) 3.195 +# 6-0050F204-1 (Network Infrastructure / AP) 3.196 +#device_type=1-0050F204-1 3.197 + 3.198 +# OS Version 3.199 +# 4-octet operating system version number (hex string) 3.200 +#os_version=01020300 3.201 + 3.202 +# Config Methods 3.203 +# List of the supported configuration methods 3.204 +# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 3.205 +# nfc_interface push_button keypad virtual_display physical_display 3.206 +# virtual_push_button physical_push_button 3.207 +# For WSC 1.0: 3.208 +#config_methods=label display push_button keypad 3.209 +# For WSC 2.0: 3.210 +#config_methods=label virtual_display virtual_push_button keypad 3.211 + 3.212 +# Credential processing 3.213 +# 0 = process received credentials internally (default) 3.214 +# 1 = do not process received credentials; just pass them over ctrl_iface to 3.215 +# external program(s) 3.216 
+# 2 = process received credentials internally and pass them over ctrl_iface 3.217 +# to external program(s) 3.218 +#wps_cred_processing=0 3.219 + 3.220 +# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 3.221 +# The vendor attribute contents to be added in M1 (hex string) 3.222 +#wps_vendor_ext_m1=000137100100020001 3.223 + 3.224 +# NFC password token for WPS 3.225 +# These parameters can be used to configure a fixed NFC password token for the 3.226 +# station. This can be generated, e.g., with nfc_pw_token. When these 3.227 +# parameters are used, the station is assumed to be deployed with a NFC tag 3.228 +# that includes the matching NFC password token (e.g., written based on the 3.229 +# NDEF record from nfc_pw_token). 3.230 +# 3.231 +#wps_nfc_dev_pw_id: Device Password ID (16..65535) 3.232 +#wps_nfc_dh_pubkey: Hexdump of DH Public Key 3.233 +#wps_nfc_dh_privkey: Hexdump of DH Private Key 3.234 +#wps_nfc_dev_pw: Hexdump of Device Password 3.235 + 3.236 +# Maximum number of BSS entries to keep in memory 3.237 +# Default: 200 3.238 +# This can be used to limit memory use on the BSS entries (cached scan 3.239 +# results). A larger value may be needed in environments that have huge number 3.240 +# of APs when using ap_scan=1 mode. 3.241 +#bss_max_count=200 3.242 + 3.243 +# Automatic scan 3.244 +# This is an optional set of parameters for automatic scanning 3.245 +# within an interface in following format: 3.246 +#autoscan=<autoscan module name>:<module parameters> 3.247 +# autoscan is like bgscan but on disconnected or inactive state. 3.248 +# For instance, on exponential module parameters would be <base>:<limit> 3.249 +#autoscan=exponential:3:300 3.250 +# Which means a delay between scans on a base exponential of 3, 3.251 +# up to the limit of 300 seconds (3, 9, 27 ... 
300) 3.252 +# For periodic module, parameters would be <fixed interval> 3.253 +#autoscan=periodic:30 3.254 +# So a delay of 30 seconds will be applied between each scan 3.255 + 3.256 +# filter_ssids - SSID-based scan result filtering 3.257 +# 0 = do not filter scan results (default) 3.258 +# 1 = only include configured SSIDs in scan results/BSS table 3.259 +#filter_ssids=0 3.260 + 3.261 +# Password (and passphrase, etc.) backend for external storage 3.262 +# format: <backend name>[:<optional backend parameters>] 3.263 +#ext_password_backend=test:pw1=password|pw2=testing 3.264 + 3.265 +# Timeout in seconds to detect STA inactivity (default: 300 seconds) 3.266 +# 3.267 +# This timeout value is used in P2P GO mode to clean up 3.268 +# inactive stations. 3.269 +#p2p_go_max_inactivity=300 3.270 + 3.271 +# Opportunistic Key Caching (also known as Proactive Key Caching) default 3.272 +# This parameter can be used to set the default behavior for the 3.273 +# proactive_key_caching parameter. By default, OKC is disabled unless enabled 3.274 +# with the global okc=1 parameter or with the per-network 3.275 +# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 3.276 +# can be disabled with per-network proactive_key_caching=0 parameter. 3.277 +#okc=0 3.278 + 3.279 +# Protected Management Frames default 3.280 +# This parameter can be used to set the default behavior for the ieee80211w 3.281 +# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 3.282 +# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF 3.283 +# is enabled/required by default, but can be disabled with the per-network 3.284 +# ieee80211w parameter. 3.285 +#pmf=0 3.286 + 3.287 +# Enabled SAE finite cyclic groups in preference order 3.288 +# By default (if this parameter is not set), the mandatory group 19 (ECC group 3.289 +# defined over a 256-bit prime order field) is preferred, but other groups are 3.290 +# also enabled. 
If this parameter is set, the groups will be tried in the 3.291 +# indicated order. The group values are listed in the IANA registry: 3.292 +# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 3.293 +#sae_groups=21 20 19 26 25 3.294 + 3.295 +# Default value for DTIM period (if not overridden in network block) 3.296 +#dtim_period=2 3.297 + 3.298 +# Default value for Beacon interval (if not overridden in network block) 3.299 +#beacon_int=100 3.300 + 3.301 +# Additional vendor specific elements for Beacon and Probe Response frames 3.302 +# This parameter can be used to add additional vendor specific element(s) into 3.303 +# the end of the Beacon and Probe Response frames. The format for these 3.304 +# element(s) is a hexdump of the raw information elements (id+len+payload for 3.305 +# one or more elements). This is used in AP and P2P GO modes. 3.306 +#ap_vendor_elements=dd0411223301 3.307 + 3.308 +# Ignore scan results older than request 3.309 +# 3.310 +# The driver may have a cache of scan results that makes it return 3.311 +# information that is older than our scan trigger. This parameter can 3.312 +# be used to configure such old information to be ignored instead of 3.313 +# allowing it to update the internal BSS table. 3.314 +#ignore_old_scan_res=0 3.315 + 3.316 +# scan_cur_freq: Whether to scan only the current frequency 3.317 +# 0: Scan all available frequencies. (Default) 3.318 +# 1: Scan current operating frequency if another VIF on the same radio 3.319 +# is already associated. 3.320 + 3.321 +# Interworking (IEEE 802.11u) 3.322 + 3.323 +# Enable Interworking 3.324 +# interworking=1 3.325 + 3.326 +# Homogenous ESS identifier 3.327 +# If this is set, scans will be used to request response only from BSSes 3.328 +# belonging to the specified Homogeneous ESS. This is used only if interworking 3.329 +# is enabled. 
3.330 +# hessid=00:11:22:33:44:55 3.331 + 3.332 +# Automatic network selection behavior 3.333 +# 0 = do not automatically go through Interworking network selection 3.334 +# (i.e., require explicit interworking_select command for this; default) 3.335 +# 1 = perform Interworking network selection if one or more 3.336 +# credentials have been configured and scan did not find a 3.337 +# matching network block 3.338 +#auto_interworking=0 3.339 + 3.340 +# credential block 3.341 +# 3.342 +# Each credential used for automatic network selection is configured as a set 3.343 +# of parameters that are compared to the information advertised by the APs when 3.344 +# interworking_select and interworking_connect commands are used. 3.345 +# 3.346 +# credential fields: 3.347 +# 3.348 +# temporary: Whether this credential is temporary and not to be saved 3.349 +# 3.350 +# priority: Priority group 3.351 +# By default, all networks and credentials get the same priority group 3.352 +# (0). This field can be used to give higher priority for credentials 3.353 +# (and similarly in struct wpa_ssid for network blocks) to change the 3.354 +# Interworking automatic networking selection behavior. The matching 3.355 +# network (based on either an enabled network block or a credential) 3.356 +# with the highest priority value will be selected. 3.357 +# 3.358 +# pcsc: Use PC/SC and SIM/USIM card 3.359 +# 3.360 +# realm: Home Realm for Interworking 3.361 +# 3.362 +# username: Username for Interworking network selection 3.363 +# 3.364 +# password: Password for Interworking network selection 3.365 +# 3.366 +# ca_cert: CA certificate for Interworking network selection 3.367 +# 3.368 +# client_cert: File path to client certificate file (PEM/DER) 3.369 +# This field is used with Interworking networking selection for a case 3.370 +# where client certificate/private key is used for authentication 3.371 +# (EAP-TLS). 
Full path to the file should be used since working 3.372 +# directory may change when wpa_supplicant is run in the background. 3.373 +# 3.374 +# Alternatively, a named configuration blob can be used by setting 3.375 +# this to blob://blob_name. 3.376 +# 3.377 +# private_key: File path to client private key file (PEM/DER/PFX) 3.378 +# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 3.379 +# commented out. Both the private key and certificate will be read 3.380 +# from the PKCS#12 file in this case. Full path to the file should be 3.381 +# used since working directory may change when wpa_supplicant is run 3.382 +# in the background. 3.383 +# 3.384 +# Windows certificate store can be used by leaving client_cert out and 3.385 +# configuring private_key in one of the following formats: 3.386 +# 3.387 +# cert://substring_to_match 3.388 +# 3.389 +# hash://certificate_thumbprint_in_hex 3.390 +# 3.391 +# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 3.392 +# 3.393 +# Note that when running wpa_supplicant as an application, the user 3.394 +# certificate store (My user account) is used, whereas computer store 3.395 +# (Computer account) is used when running wpasvc as a service. 3.396 +# 3.397 +# Alternatively, a named configuration blob can be used by setting 3.398 +# this to blob://blob_name. 3.399 +# 3.400 +# private_key_passwd: Password for private key file 3.401 +# 3.402 +# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 3.403 +# 3.404 +# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 3.405 +# format 3.406 +# 3.407 +# domain: Home service provider FQDN(s) 3.408 +# This is used to compare against the Domain Name List to figure out 3.409 +# whether the AP is operated by the Home SP. Multiple domain entries can 3.410 +# be used to configure alternative FQDNs that will be considered home 3.411 +# networks. 
3.412 +# 3.413 +# roaming_consortium: Roaming Consortium OI 3.414 +# If roaming_consortium_len is non-zero, this field contains the 3.415 +# Roaming Consortium OI that can be used to determine which access 3.416 +# points support authentication with this credential. This is an 3.417 +# alternative to the use of the realm parameter. When using Roaming 3.418 +# Consortium to match the network, the EAP parameters need to be 3.419 +# pre-configured with the credential since the NAI Realm information 3.420 +# may not be available or fetched. 3.421 +# 3.422 +# eap: Pre-configured EAP method 3.423 +# This optional field can be used to specify which EAP method will be 3.424 +# used with this credential. If not set, the EAP method is selected 3.425 +# automatically based on ANQP information (e.g., NAI Realm). 3.426 +# 3.427 +# phase1: Pre-configure Phase 1 (outer authentication) parameters 3.428 +# This optional field is used with like the 'eap' parameter. 3.429 +# 3.430 +# phase2: Pre-configure Phase 2 (inner authentication) parameters 3.431 +# This optional field is used with like the 'eap' parameter. 3.432 +# 3.433 +# excluded_ssid: Excluded SSID 3.434 +# This optional field can be used to excluded specific SSID(s) from 3.435 +# matching with the network. Multiple entries can be used to specify more 3.436 +# than one SSID. 
3.437 +# 3.438 +# for example: 3.439 +# 3.440 +#cred={ 3.441 +# realm="example.com" 3.442 +# username="user@example.com" 3.443 +# password="password" 3.444 +# ca_cert="/etc/wpa_supplicant/ca.pem" 3.445 +# domain="example.com" 3.446 +#} 3.447 +# 3.448 +#cred={ 3.449 +# imsi="310026-000000000" 3.450 +# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 3.451 +#} 3.452 +# 3.453 +#cred={ 3.454 +# realm="example.com" 3.455 +# username="user" 3.456 +# password="password" 3.457 +# ca_cert="/etc/wpa_supplicant/ca.pem" 3.458 +# domain="example.com" 3.459 +# roaming_consortium=223344 3.460 +# eap=TTLS 3.461 +# phase2="auth=MSCHAPV2" 3.462 +#} 3.463 + 3.464 +# Hotspot 2.0 3.465 +# hs20=1 3.466 + 3.467 +# network block 3.468 +# 3.469 +# Each network (usually AP's sharing the same SSID) is configured as a separate 3.470 +# block in this configuration file. The network blocks are in preference order 3.471 +# (the first match is used). 3.472 +# 3.473 +# network block fields: 3.474 +# 3.475 +# disabled: 3.476 +# 0 = this network can be used (default) 3.477 +# 1 = this network block is disabled (can be enabled through ctrl_iface, 3.478 +# e.g., with wpa_cli or wpa_gui) 3.479 +# 3.480 +# id_str: Network identifier string for external scripts. This value is passed 3.481 +# to external action script through wpa_cli as WPA_ID_STR environment 3.482 +# variable to make it easier to do network specific configuration. 
3.483 +# 3.484 +# ssid: SSID (mandatory); network name in one of the optional formats: 3.485 +# - an ASCII string with double quotation 3.486 +# - a hex string (two characters per octet of SSID) 3.487 +# - a printf-escaped ASCII string P"<escaped string>" 3.488 +# 3.489 +# scan_ssid: 3.490 +# 0 = do not scan this SSID with specific Probe Request frames (default) 3.491 +# 1 = scan with SSID-specific Probe Request frames (this can be used to 3.492 +# find APs that do not accept broadcast SSID or use multiple SSIDs; 3.493 +# this will add latency to scanning, so enable this only when needed) 3.494 +# 3.495 +# bssid: BSSID (optional); if set, this network block is used only when 3.496 +# associating with the AP using the configured BSSID 3.497 +# 3.498 +# priority: priority group (integer) 3.499 +# By default, all networks will get same priority group (0). If some of the 3.500 +# networks are more desirable, this field can be used to change the order in 3.501 +# which wpa_supplicant goes through the networks when selecting a BSS. The 3.502 +# priority groups will be iterated in decreasing priority (i.e., the larger the 3.503 +# priority value, the sooner the network is matched against the scan results). 3.504 +# Within each priority group, networks will be selected based on security 3.505 +# policy, signal strength, etc. 3.506 +# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 3.507 +# using this priority to select the order for scanning. Instead, they try the 3.508 +# networks in the order that used in the configuration file. 3.509 +# 3.510 +# mode: IEEE 802.11 operation mode 3.511 +# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 3.512 +# 1 = IBSS (ad-hoc, peer-to-peer) 3.513 +# 2 = AP (access point) 3.514 +# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and 3.515 +# WPA-PSK (with proto=RSN). 
In addition, key_mgmt=WPA-NONE (fixed group key 3.516 +# TKIP/CCMP) is available for backwards compatibility, but its use is 3.517 +# deprecated. WPA-None requires following network block options: 3.518 +# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 3.519 +# both), and psk must also be set. 3.520 +# 3.521 +# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 3.522 +# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 3.523 +# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 3.524 +# In addition, this value is only used by the station that creates the IBSS. If 3.525 +# an IBSS network with the configured SSID is already present, the frequency of 3.526 +# the network will be used instead of this configured value. 3.527 +# 3.528 +# scan_freq: List of frequencies to scan 3.529 +# Space-separated list of frequencies in MHz to scan when searching for this 3.530 +# BSS. If the subset of channels used by the network is known, this option can 3.531 +# be used to optimize scanning to not occur on channels that the network does 3.532 +# not use. Example: scan_freq=2412 2437 2462 3.533 +# 3.534 +# freq_list: Array of allowed frequencies 3.535 +# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 3.536 +# set, scan results that do not match any of the specified frequencies are not 3.537 +# considered when selecting a BSS. 3.538 +# 3.539 +# This can also be set on the outside of the network block. In this case, 3.540 +# it limits the frequencies that will be scanned. 3.541 +# 3.542 +# bgscan: Background scanning 3.543 +# wpa_supplicant behavior for background scanning can be specified by 3.544 +# configuring a bgscan module. These modules are responsible for requesting 3.545 +# background scans for the purpose of roaming within an ESS (i.e., within a 3.546 +# single network block with all the APs using the same SSID). 
The bgscan 3.547 +# parameter uses following format: "<bgscan module name>:<module parameters>" 3.548 +# Following bgscan modules are available: 3.549 +# simple - Periodic background scans based on signal strength 3.550 +# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 3.551 +# <long interval>" 3.552 +# bgscan="simple:30:-45:300" 3.553 +# learn - Learn channels used by the network and try to avoid bgscans on other 3.554 +# channels (experimental) 3.555 +# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 3.556 +# <long interval>[:<database file name>]" 3.557 +# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 3.558 +# 3.559 +# This option can also be set outside of all network blocks for the bgscan 3.560 +# parameter to apply for all the networks that have no specific bgscan 3.561 +# parameter. 3.562 +# 3.563 +# proto: list of accepted protocols 3.564 +# WPA = WPA/IEEE 802.11i/D3.0 3.565 +# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 3.566 +# If not set, this defaults to: WPA RSN 3.567 +# 3.568 +# key_mgmt: list of accepted authenticated key management protocols 3.569 +# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 3.570 +# WPA-EAP = WPA using EAP authentication 3.571 +# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 3.572 +# generated WEP keys 3.573 +# NONE = WPA is not used; plaintext or static WEP could be used 3.574 +# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 3.575 +# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 3.576 +# If not set, this defaults to: WPA-PSK WPA-EAP 3.577 +# 3.578 +# ieee80211w: whether management frame protection is enabled 3.579 +# 0 = disabled (default unless changed with the global pmf parameter) 3.580 +# 1 = optional 3.581 +# 2 = required 3.582 +# The most common configuration options for this based on the PMF (protected 3.583 +# management 
frames) certification program are:
3.584 +# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
3.585 +# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
3.586 +# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
3.587 +#
3.588 +# auth_alg: list of allowed IEEE 802.11 authentication algorithms
3.589 +# OPEN = Open System authentication (required for WPA/WPA2)
3.590 +# SHARED = Shared Key authentication (requires static WEP keys)
3.591 +# LEAP = LEAP/Network EAP (only used with LEAP)
3.592 +# If not set, automatic selection is used (Open System with LEAP enabled if
3.593 +# LEAP is allowed as one of the EAP methods).
3.594 +#
3.595 +# pairwise: list of accepted pairwise (unicast) ciphers for WPA
3.596 +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
3.597 +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
3.598 +# NONE = Use only Group Keys (deprecated, should not be included if APs support
3.599 +# pairwise keys)
3.600 +# If not set, this defaults to: CCMP TKIP
3.601 +#
3.602 +# group: list of accepted group (broadcast/multicast) ciphers for WPA
3.603 +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
3.604 +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
3.605 +# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
3.606 +# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
3.607 +# If not set, this defaults to: CCMP TKIP WEP104 WEP40
3.608 +#
3.609 +# psk: WPA preshared key; 256-bit pre-shared key
3.610 +# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
3.611 +# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
3.612 +# generated using the passphrase and SSID). ASCII passphrase must be between
3.613 +# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
3.614 +# be used to indicate that the PSK/passphrase is stored in external storage.
3.615 +# This field is not needed, if WPA-EAP is used.
3.616 +# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
3.617 +# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
3.618 +# startup and reconfiguration time can be optimized by generating the PSK only
3.619 +# only when the passphrase or SSID has actually changed.
3.620 +#
3.621 +# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
3.622 +# Dynamic WEP key required for non-WPA mode
3.623 +# bit0 (1): require dynamically generated unicast WEP key
3.624 +# bit1 (2): require dynamically generated broadcast WEP key
3.625 +# (3 = require both keys; default)
3.626 +# Note: When using wired authentication, eapol_flags must be set to 0 for the
3.627 +# authentication to be completed successfully.
3.628 +#
3.629 +# mixed_cell: This option can be used to configure whether so called mixed
3.630 +# cells, i.e., networks that use both plaintext and encryption in the same
3.631 +# SSID, are allowed when selecting a BSS from scan results.
3.632 +# 0 = disabled (default)
3.633 +# 1 = enabled
3.634 +#
3.635 +# proactive_key_caching:
3.636 +# Enable/disable opportunistic PMKSA caching for WPA2.
3.637 +# 0 = disabled (default unless changed with the global okc parameter)
3.638 +# 1 = enabled
3.639 +#
3.640 +# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
3.641 +# hex without quotation, e.g., 0102030405)
3.642 +# wep_tx_keyidx: Default WEP key index (TX) (0..3)
3.643 +#
3.644 +# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
3.645 +# allowed. This is only used with RSN/WPA2.
3.646 +# 0 = disabled (default)
3.647 +# 1 = enabled
3.648 +#peerkey=1
3.649 +#
3.650 +# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
3.651 +# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
3.652 +#
3.653 +# Following fields are only used with internal EAP implementation.
3.654 +# eap: space-separated list of accepted EAP methods
3.655 +# MD5 = EAP-MD5 (unsecure and does not generate keying material ->
3.656 +# cannot be used with WPA; to be used as a Phase 2 method
3.657 +# with EAP-PEAP or EAP-TTLS)
3.658 +# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
3.659 +# as a Phase 2 method with EAP-PEAP or EAP-TTLS)
3.660 +# OTP = EAP-OTP (cannot be used separately with WPA; to be used
3.661 +# as a Phase 2 method with EAP-PEAP or EAP-TTLS)
3.662 +# GTC = EAP-GTC (cannot be used separately with WPA; to be used
3.663 +# as a Phase 2 method with EAP-PEAP or EAP-TTLS)
3.664 +# TLS = EAP-TLS (client and server certificate)
3.665 +# PEAP = EAP-PEAP (with tunnelled EAP authentication)
3.666 +# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
3.667 +# authentication)
3.668 +# If not set, all compiled in methods are allowed.
3.669 +#
3.670 +# identity: Identity string for EAP
3.671 +# This field is also used to configure user NAI for
3.672 +# EAP-PSK/PAX/SAKE/GPSK.
3.673 +# anonymous_identity: Anonymous identity string for EAP (to be used as the
3.674 +# unencrypted identity with EAP types that support different tunnelled
3.675 +# identity, e.g., EAP-TTLS). This field can also be used with
3.676 +# EAP-SIM/AKA/AKA' to store the pseudonym identity.
3.677 +# password: Password string for EAP. This field can include either the
3.678 +# plaintext password (using ASCII or hex string) or a NtPasswordHash
3.679 +# (16-byte MD4 hash of password) in hash:<32 hex digits> format.
3.680 +# NtPasswordHash can only be used when the password is for MSCHAPv2 or
3.681 +# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
3.682 +# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
3.683 +# PSK) is also configured using this field. For EAP-GPSK, this is a
3.684 +# variable length PSK.
ext:<name of external password field> format can
3.685 +# be used to indicate that the password is stored in external storage.
3.686 +# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
3.687 +# or more trusted CA certificates. If ca_cert and ca_path are not
3.688 +# included, server certificate will not be verified. This is insecure and
3.689 +# a trusted CA certificate should always be configured when using
3.690 +# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
3.691 +# change when wpa_supplicant is run in the background.
3.692 +#
3.693 +# Alternatively, this can be used to only perform matching of the server
3.694 +# certificate (SHA-256 hash of the DER encoded X.509 certificate). In
3.695 +# this case, the possible CA certificates in the server certificate chain
3.696 +# are ignored and only the server certificate is verified. This is
3.697 +# configured with the following format:
3.698 +# hash:://server/sha256/cert_hash_in_hex
3.699 +# For example: "hash://server/sha256/
3.700 +# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
3.701 +#
3.702 +# On Windows, trusted CA certificates can be loaded from the system
3.703 +# certificate store by setting this to cert_store://<name>, e.g.,
3.704 +# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
3.705 +# Note that when running wpa_supplicant as an application, the user
3.706 +# certificate store (My user account) is used, whereas computer store
3.707 +# (Computer account) is used when running wpasvc as a service.
3.708 +# ca_path: Directory path for CA certificate files (PEM). This path may
3.709 +# contain multiple CA certificates in OpenSSL format. Common use for this
3.710 +# is to point to system trusted CA list which is often installed into
3.711 +# directory like /etc/ssl/certs. If configured, these certificates are
3.712 +# added to the list of trusted CAs. ca_cert may also be included in that
3.713 +# case, but it is not required.
3.714 +# client_cert: File path to client certificate file (PEM/DER)
3.715 +# Full path should be used since working directory may change when
3.716 +# wpa_supplicant is run in the background.
3.717 +# Alternatively, a named configuration blob can be used by setting this
3.718 +# to blob://<blob name>.
3.719 +# private_key: File path to client private key file (PEM/DER/PFX)
3.720 +# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
3.721 +# commented out. Both the private key and certificate will be read from
3.722 +# the PKCS#12 file in this case. Full path should be used since working
3.723 +# directory may change when wpa_supplicant is run in the background.
3.724 +# Windows certificate store can be used by leaving client_cert out and
3.725 +# configuring private_key in one of the following formats:
3.726 +# cert://substring_to_match
3.727 +# hash://certificate_thumbprint_in_hex
3.728 +# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
3.729 +# Note that when running wpa_supplicant as an application, the user
3.730 +# certificate store (My user account) is used, whereas computer store
3.731 +# (Computer account) is used when running wpasvc as a service.
3.732 +# Alternatively, a named configuration blob can be used by setting this
3.733 +# to blob://<blob name>.
3.734 +# private_key_passwd: Password for private key file (if left out, this will be
3.735 +# asked through control interface)
3.736 +# dh_file: File path to DH/DSA parameters file (in PEM format)
3.737 +# This is an optional configuration file for setting parameters for an
3.738 +# ephemeral DH key exchange. In most cases, the default RSA
3.739 +# authentication does not use this configuration. However, it is possible
3.740 +# setup RSA to use ephemeral DH key exchange. In addition, ciphers with
3.741 +# DSA keys always use ephemeral DH keys. This can be used to achieve
3.742 +# forward secrecy.
If the file is in DSA parameters format, it will be
3.743 +# automatically converted into DH params.
3.744 +# subject_match: Substring to be matched against the subject of the
3.745 +# authentication server certificate. If this string is set, the server
3.746 +# sertificate is only accepted if it contains this string in the subject.
3.747 +# The subject string is in following format:
3.748 +# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
3.749 +# altsubject_match: Semicolon separated string of entries to be matched against
3.750 +# the alternative subject name of the authentication server certificate.
3.751 +# If this string is set, the server sertificate is only accepted if it
3.752 +# contains one of the entries in an alternative subject name extension.
3.753 +# altSubjectName string is in following format: TYPE:VALUE
3.754 +# Example: EMAIL:server@example.com
3.755 +# Example: DNS:server.example.com;DNS:server2.example.com
3.756 +# Following types are supported: EMAIL, DNS, URI
3.757 +# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
3.758 +# (string with field-value pairs, e.g., "peapver=0" or
3.759 +# "peapver=1 peaplabel=1")
3.760 +# 'peapver' can be used to force which PEAP version (0 or 1) is used.
3.761 +# 'peaplabel=1' can be used to force new label, "client PEAP encryption",
3.762 +# to be used during key derivation when PEAPv1 or newer. Most existing
3.763 +# PEAPv1 implementation seem to be using the old label, "client EAP
3.764 +# encryption", and wpa_supplicant is now using that as the default value.
3.765 +# Some servers, e.g., Radiator, may require peaplabel=1 configuration to
3.766 +# interoperate with PEAPv1; see eap_testing.txt for more details.
3.767 +# 'peap_outer_success=0' can be used to terminate PEAP authentication on
3.768 +# tunneled EAP-Success.
This is required with some RADIUS servers that
3.769 +# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
3.770 +# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
3.771 +# include_tls_length=1 can be used to force wpa_supplicant to include
3.772 +# TLS Message Length field in all TLS messages even if they are not
3.773 +# fragmented.
3.774 +# sim_min_num_chal=3 can be used to configure EAP-SIM to require three
3.775 +# challenges (by default, it accepts 2 or 3)
3.776 +# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
3.777 +# protected result indication.
3.778 +# 'crypto_binding' option can be used to control PEAPv0 cryptobinding
3.779 +# behavior:
3.780 +# * 0 = do not use cryptobinding (default)
3.781 +# * 1 = use cryptobinding if server supports it
3.782 +# * 2 = require cryptobinding
3.783 +# EAP-WSC (WPS) uses following options: pin=<Device Password> or
3.784 +# pbc=1.
3.785 +# phase2: Phase2 (inner authentication with TLS tunnel) parameters
3.786 +# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
3.787 +# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
3.788 +#
3.789 +# TLS-based methods can use the following parameters to control TLS behavior
3.790 +# (these are normally in the phase1 parameter, but can be used also in the
3.791 +# phase2 parameter when EAP-TLS is used within the inner tunnel):
3.792 +# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
3.793 +# TLS library, these may be disabled by default to enforce stronger
3.794 +# security)
3.795 +# tls_disable_time_checks=1 - ignore certificate validity time (this requests
3.796 +# the TLS library to accept certificates even if they are not currently
3.797 +# valid, i.e., have expired or have not yet become valid; this should be
3.798 +# used only for testing purposes)
3.799 +# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
3.800 +# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be
used
3.801 +# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
3.802 +# as a workaround for broken authentication server implementations unless
3.803 +# EAP workarounds are disabled with eap_workarounds=0.
3.804 +# For EAP-FAST, this must be set to 0 (or left unconfigured for the
3.805 +# default value to be used automatically).
3.806 +#
3.807 +# Following certificate/private key fields are used in inner Phase2
3.808 +# authentication when using EAP-TTLS or EAP-PEAP.
3.809 +# ca_cert2: File path to CA certificate file. This file can have one or more
3.810 +# trusted CA certificates. If ca_cert2 and ca_path2 are not included,
3.811 +# server certificate will not be verified. This is insecure and a trusted
3.812 +# CA certificate should always be configured.
3.813 +# ca_path2: Directory path for CA certificate files (PEM)
3.814 +# client_cert2: File path to client certificate file
3.815 +# private_key2: File path to client private key file
3.816 +# private_key2_passwd: Password for private key file
3.817 +# dh_file2: File path to DH/DSA parameters file (in PEM format)
3.818 +# subject_match2: Substring to be matched against the subject of the
3.819 +# authentication server certificate.
3.820 +# altsubject_match2: Substring to be matched against the alternative subject
3.821 +# name of the authentication server certificate.
3.822 +#
3.823 +# fragment_size: Maximum EAP fragment size in bytes (default 1398).
3.824 +# This value limits the fragment size for EAP methods that support
3.825 +# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
3.826 +# small enough to make the EAP messages fit in MTU of the network
3.827 +# interface used for EAPOL. The default value is suitable for most
3.828 +# cases.
3.829 +#
3.830 +# ocsp: Whether to use/require OCSP to check server certificate
3.831 +# 0 = do not use OCSP stapling (TLS certificate status extension)
3.832 +# 1 = try to use OCSP stapling, but not require response
3.833 +# 2 = require valid OCSP stapling response
3.834 +#
3.835 +# EAP-FAST variables:
3.836 +# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
3.837 +# to create this file and write updates to it when PAC is being
3.838 +# provisioned or refreshed. Full path to the file should be used since
3.839 +# working directory may change when wpa_supplicant is run in the
3.840 +# background. Alternatively, a named configuration blob can be used by
3.841 +# setting this to blob://<blob name>
3.842 +# phase1: fast_provisioning option can be used to enable in-line provisioning
3.843 +# of EAP-FAST credentials (PAC):
3.844 +# 0 = disabled,
3.845 +# 1 = allow unauthenticated provisioning,
3.846 +# 2 = allow authenticated provisioning,
3.847 +# 3 = allow both unauthenticated and authenticated provisioning
3.848 +# fast_max_pac_list_len=<num> option can be used to set the maximum
3.849 +# number of PAC entries to store in a PAC list (default: 10)
3.850 +# fast_pac_format=binary option can be used to select binary format for
3.851 +# storing PAC entries in order to save some space (the default
3.852 +# text format uses about 2.5 times the size of minimal binary
3.853 +# format)
3.854 +#
3.855 +# wpa_supplicant supports number of "EAP workarounds" to work around
3.856 +# interoperability issues with incorrectly behaving authentication servers.
3.857 +# These are enabled by default because some of the issues are present in large
3.858 +# number of authentication servers. Strict EAP conformance mode can be
3.859 +# configured by disabling workarounds with eap_workaround=0.
3.860 +
3.861 +# Station inactivity limit
3.862 +#
3.863 +# If a station does not send anything in ap_max_inactivity seconds, an
3.864 +# empty data frame is sent to it in order to verify whether it is
3.865 +# still in range. If this frame is not ACKed, the station will be
3.866 +# disassociated and then deauthenticated. This feature is used to
3.867 +# clear station table of old entries when the STAs move out of the
3.868 +# range.
3.869 +#
3.870 +# The station can associate again with the AP if it is still in range;
3.871 +# this inactivity poll is just used as a nicer way of verifying
3.872 +# inactivity; i.e., client will not report broken connection because
3.873 +# disassociation frame is not sent immediately without first polling
3.874 +# the STA with a data frame.
3.875 +# default: 300 (i.e., 5 minutes)
3.876 +#ap_max_inactivity=300
3.877 +
3.878 +# DTIM period in Beacon intervals for AP mode (default: 2)
3.879 +#dtim_period=2
3.880 +
3.881 +# Beacon interval (default: 100 TU)
3.882 +#beacon_int=100
3.883 +
3.884 +# disable_ht: Whether HT (802.11n) should be disabled.
3.885 +# 0 = HT enabled (if AP supports it)
3.886 +# 1 = HT disabled
3.887 +#
3.888 +# disable_ht40: Whether HT-40 (802.11n) should be disabled.
3.889 +# 0 = HT-40 enabled (if AP supports it)
3.890 +# 1 = HT-40 disabled
3.891 +#
3.892 +# disable_sgi: Whether SGI (short guard interval) should be disabled.
3.893 +# 0 = SGI enabled (if AP supports it)
3.894 +# 1 = SGI disabled
3.895 +#
3.896 +# ht_mcs: Configure allowed MCS rates.
3.897 +# Parsed as an array of bytes, in base-16 (ascii-hex)
3.898 +# ht_mcs="" // Use all available (default)
3.899 +# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only
3.900 +# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only
3.901 +#
3.902 +# disable_max_amsdu: Whether MAX_AMSDU should be disabled.
3.903 +# -1 = Do not make any changes.
3.904 +# 0 = Enable MAX-AMSDU if hardware supports it.
3.905 +# 1 = Disable AMSDU
3.906 +#
3.907 +# ampdu_density: Allow overriding AMPDU density configuration.
3.908 +# Treated as hint by the kernel.
3.909 +# -1 = Do not make any changes.
3.910 +# 0-3 = Set AMPDU density (aka factor) to specified value.
3.911 +
3.912 +# disable_vht: Whether VHT should be disabled.
3.913 +# 0 = VHT enabled (if AP supports it)
3.914 +# 1 = VHT disabled
3.915 +#
3.916 +# vht_capa: VHT capabilities to set in the override
3.917 +# vht_capa_mask: mask of VHT capabilities
3.918 +#
3.919 +# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
3.920 +# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
3.921 +# 0: MCS 0-7
3.922 +# 1: MCS 0-8
3.923 +# 2: MCS 0-9
3.924 +# 3: not supported
3.925 +
3.926 +# Example blocks:
3.927 +
3.928 +# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
3.929 +network={
3.930 + ssid="simple"
3.931 + psk="very secret passphrase"
3.932 + priority=5
3.933 +}
3.934 +
3.935 +# Same as previous, but request SSID-specific scanning (for APs that reject
3.936 +# broadcast SSID)
3.937 +network={
3.938 + ssid="second ssid"
3.939 + scan_ssid=1
3.940 + psk="very secret passphrase"
3.941 + priority=2
3.942 +}
3.943 +
3.944 +# Only WPA-PSK is used. Any valid cipher combination is accepted.
3.945 +network={
3.946 + ssid="example"
3.947 + proto=WPA
3.948 + key_mgmt=WPA-PSK
3.949 + pairwise=CCMP TKIP
3.950 + group=CCMP TKIP WEP104 WEP40
3.951 + psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
3.952 + priority=2
3.953 +}
3.954 +
3.955 +# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
3.956 +network={
3.957 + ssid="example"
3.958 + proto=WPA
3.959 + key_mgmt=WPA-PSK
3.960 + pairwise=TKIP
3.961 + group=TKIP
3.962 + psk="not so secure passphrase"
3.963 + wpa_ptk_rekey=600
3.964 +}
3.965 +
3.966 +# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
3.967 +# or WEP40 as the group cipher will not be accepted.
3.968 +network={
3.969 + ssid="example"
3.970 + proto=RSN
3.971 + key_mgmt=WPA-EAP
3.972 + pairwise=CCMP TKIP
3.973 + group=CCMP TKIP
3.974 + eap=TLS
3.975 + identity="user@example.com"
3.976 + ca_cert="/etc/cert/ca.pem"
3.977 + client_cert="/etc/cert/user.pem"
3.978 + private_key="/etc/cert/user.prv"
3.979 + private_key_passwd="password"
3.980 + priority=1
3.981 +}
3.982 +
3.983 +# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
3.984 +# (e.g., Radiator)
3.985 +network={
3.986 + ssid="example"
3.987 + key_mgmt=WPA-EAP
3.988 + eap=PEAP
3.989 + identity="user@example.com"
3.990 + password="foobar"
3.991 + ca_cert="/etc/cert/ca.pem"
3.992 + phase1="peaplabel=1"
3.993 + phase2="auth=MSCHAPV2"
3.994 + priority=10
3.995 +}
3.996 +
3.997 +# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
3.998 +# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
3.999 +network={
3.1000 + ssid="example"
3.1001 + key_mgmt=WPA-EAP
3.1002 + eap=TTLS
3.1003 + identity="user@example.com"
3.1004 + anonymous_identity="anonymous@example.com"
3.1005 + password="foobar"
3.1006 + ca_cert="/etc/cert/ca.pem"
3.1007 + priority=2
3.1008 +}
3.1009 +
3.1010 +# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
3.1011 +# use. Real identity is sent only within an encrypted TLS tunnel.
3.1012 +network={
3.1013 + ssid="example"
3.1014 + key_mgmt=WPA-EAP
3.1015 + eap=TTLS
3.1016 + identity="user@example.com"
3.1017 + anonymous_identity="anonymous@example.com"
3.1018 + password="foobar"
3.1019 + ca_cert="/etc/cert/ca.pem"
3.1020 + phase2="auth=MSCHAPV2"
3.1021 +}
3.1022 +
3.1023 +# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
3.1024 +# authentication.
3.1025 +network={
3.1026 + ssid="example"
3.1027 + key_mgmt=WPA-EAP
3.1028 + eap=TTLS
3.1029 + # Phase1 / outer authentication
3.1030 + anonymous_identity="anonymous@example.com"
3.1031 + ca_cert="/etc/cert/ca.pem"
3.1032 + # Phase 2 / inner authentication
3.1033 + phase2="autheap=TLS"
3.1034 + ca_cert2="/etc/cert/ca2.pem"
3.1035 + client_cert2="/etc/cer/user.pem"
3.1036 + private_key2="/etc/cer/user.prv"
3.1037 + private_key2_passwd="password"
3.1038 + priority=2
3.1039 +}
3.1040 +
3.1041 +# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
3.1042 +# group cipher.
3.1043 +network={
3.1044 + ssid="example"
3.1045 + bssid=00:11:22:33:44:55
3.1046 + proto=WPA RSN
3.1047 + key_mgmt=WPA-PSK WPA-EAP
3.1048 + pairwise=CCMP
3.1049 + group=CCMP
3.1050 + psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
3.1051 +}
3.1052 +
3.1053 +# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
3.1054 +# and all valid ciphers.
3.1055 +network={
3.1056 + ssid=00010203
3.1057 + psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
3.1058 +}
3.1059 +
3.1060 +
3.1061 +# EAP-SIM with a GSM SIM or USIM
3.1062 +network={
3.1063 + ssid="eap-sim-test"
3.1064 + key_mgmt=WPA-EAP
3.1065 + eap=SIM
3.1066 + pin="1234"
3.1067 + pcsc=""
3.1068 +}
3.1069 +
3.1070 +
3.1071 +# EAP-PSK
3.1072 +network={
3.1073 + ssid="eap-psk-test"
3.1074 + key_mgmt=WPA-EAP
3.1075 + eap=PSK
3.1076 + anonymous_identity="eap_psk_user"
3.1077 + password=06b4be19da289f475aa46a33cb793029
3.1078 + identity="eap_psk_user@example.com"
3.1079 +}
3.1080 +
3.1081 +
3.1082 +# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
3.1083 +# EAP-TLS for authentication and key generation; require both unicast and
3.1084 +# broadcast WEP keys.
3.1085 +network={
3.1086 + ssid="1x-test"
3.1087 + key_mgmt=IEEE8021X
3.1088 + eap=TLS
3.1089 + identity="user@example.com"
3.1090 + ca_cert="/etc/cert/ca.pem"
3.1091 + client_cert="/etc/cert/user.pem"
3.1092 + private_key="/etc/cert/user.prv"
3.1093 + private_key_passwd="password"
3.1094 + eapol_flags=3
3.1095 +}
3.1096 +
3.1097 +
3.1098 +# LEAP with dynamic WEP keys
3.1099 +network={
3.1100 + ssid="leap-example"
3.1101 + key_mgmt=IEEE8021X
3.1102 + eap=LEAP
3.1103 + identity="user"
3.1104 + password="foobar"
3.1105 +}
3.1106 +
3.1107 +# EAP-IKEv2 using shared secrets for both server and peer authentication
3.1108 +network={
3.1109 + ssid="ikev2-example"
3.1110 + key_mgmt=WPA-EAP
3.1111 + eap=IKEV2
3.1112 + identity="user"
3.1113 + password="foobar"
3.1114 +}
3.1115 +
3.1116 +# EAP-FAST with WPA (WPA or WPA2)
3.1117 +network={
3.1118 + ssid="eap-fast-test"
3.1119 + key_mgmt=WPA-EAP
3.1120 + eap=FAST
3.1121 + anonymous_identity="FAST-000102030405"
3.1122 + identity="username"
3.1123 + password="password"
3.1124 + phase1="fast_provisioning=1"
3.1125 + pac_file="/etc/wpa_supplicant.eap-fast-pac"
3.1126 +}
3.1127 +
3.1128 +network={
3.1129 + ssid="eap-fast-test"
3.1130 + key_mgmt=WPA-EAP
3.1131 + eap=FAST
3.1132 + anonymous_identity="FAST-000102030405"
3.1133 + identity="username"
3.1134 + password="password"
3.1135 + phase1="fast_provisioning=1"
3.1136 + pac_file="blob://eap-fast-pac"
3.1137 +}
3.1138 +
3.1139 +# Plaintext connection (no WPA, no IEEE 802.1X)
3.1140 +network={
3.1141 + ssid="plaintext-test"
3.1142 + key_mgmt=NONE
3.1143 +}
3.1144 +
3.1145 +
3.1146 +# Shared WEP key connection (no WPA, no IEEE 802.1X)
3.1147 +network={
3.1148 + ssid="static-wep-test"
3.1149 + key_mgmt=NONE
3.1150 + wep_key0="abcde"
3.1151 + wep_key1=0102030405
3.1152 + wep_key2="1234567890123"
3.1153 + wep_tx_keyidx=0
3.1154 + priority=5
3.1155 +}
3.1156 +
3.1157 +
3.1158 +# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
3.1159 +# IEEE 802.11 authentication
3.1160
+network={
3.1161 + ssid="static-wep-test2"
3.1162 + key_mgmt=NONE
3.1163 + wep_key0="abcde"
3.1164 + wep_key1=0102030405
3.1165 + wep_key2="1234567890123"
3.1166 + wep_tx_keyidx=0
3.1167 + priority=5
3.1168 + auth_alg=SHARED
3.1169 +}
3.1170 +
3.1171 +
3.1172 +# IBSS/ad-hoc network with RSN
3.1173 +network={
3.1174 + ssid="ibss-rsn"
3.1175 + key_mgmt=WPA-PSK
3.1176 + proto=RSN
3.1177 + psk="12345678"
3.1178 + mode=1
3.1179 + frequency=2412
3.1180 + pairwise=CCMP
3.1181 + group=CCMP
3.1182 +}
3.1183 +
3.1184 +# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
3.1185 +network={
3.1186 + ssid="test adhoc"
3.1187 + mode=1
3.1188 + frequency=2412
3.1189 + proto=WPA
3.1190 + key_mgmt=WPA-NONE
3.1191 + pairwise=NONE
3.1192 + group=TKIP
3.1193 + psk="secret passphrase"
3.1194 +}
3.1195 +
3.1196 +
3.1197 +# Catch all example that allows more or less all configuration modes
3.1198 +network={
3.1199 + ssid="example"
3.1200 + scan_ssid=1
3.1201 + key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
3.1202 + pairwise=CCMP TKIP
3.1203 + group=CCMP TKIP WEP104 WEP40
3.1204 + psk="very secret passphrase"
3.1205 + eap=TTLS PEAP TLS
3.1206 + identity="user@example.com"
3.1207 + password="foobar"
3.1208 + ca_cert="/etc/cert/ca.pem"
3.1209 + client_cert="/etc/cert/user.pem"
3.1210 + private_key="/etc/cert/user.prv"
3.1211 + private_key_passwd="password"
3.1212 + phase1="peaplabel=0"
3.1213 +}
3.1214 +
3.1215 +# Example of EAP-TLS with smartcard (openssl engine)
3.1216 +network={
3.1217 + ssid="example"
3.1218 + key_mgmt=WPA-EAP
3.1219 + eap=TLS
3.1220 + proto=RSN
3.1221 + pairwise=CCMP TKIP
3.1222 + group=CCMP TKIP
3.1223 + identity="user@example.com"
3.1224 + ca_cert="/etc/cert/ca.pem"
3.1225 + client_cert="/etc/cert/user.pem"
3.1226 +
3.1227 + engine=1
3.1228 +
3.1229 + # The engine configured here must be available. Look at
3.1230 + # OpenSSL engine support in the global section.
3.1231 + # The key available through the engine must be the private key
3.1232 + # matching the client certificate configured above.
3.1233 +
3.1234 + # use the opensc engine
3.1235 + #engine_id="opensc"
3.1236 + #key_id="45"
3.1237 +
3.1238 + # use the pkcs11 engine
3.1239 + engine_id="pkcs11"
3.1240 + key_id="id_45"
3.1241 +
3.1242 + # Optional PIN configuration; this can be left out and PIN will be
3.1243 + # asked through the control interface
3.1244 + pin="1234"
3.1245 +}
3.1246 +
3.1247 +# Example configuration showing how to use an inlined blob as a CA certificate
3.1248 +# data instead of using external file
3.1249 +network={
3.1250 + ssid="example"
3.1251 + key_mgmt=WPA-EAP
3.1252 + eap=TTLS
3.1253 + identity="user@example.com"
3.1254 + anonymous_identity="anonymous@example.com"
3.1255 + password="foobar"
3.1256 + ca_cert="blob://exampleblob"
3.1257 + priority=20
3.1258 +}
3.1259 +
3.1260 +blob-base64-exampleblob={
3.1261 +SGVsbG8gV29ybGQhCg==
3.1262 +}
3.1263 +
3.1264 +
3.1265 +# Wildcard match for SSID (plaintext APs only). This example select any
3.1266 +# open AP regardless of its SSID.
3.1267 +network={
3.1268 + key_mgmt=NONE
3.1269 +}
3.1270 +
3.1271 +
3.1272 +# Example config file that will only scan on channel 36.
3.1273 +freq_list=5180
3.1274 +network={
3.1275 + key_mgmt=NONE
3.1276 +}
4.1 --- a/wpa_supplicant/stuff/etc/wpa_supplicant.conf Sat Feb 15 15:38:27 2014 +0100
4.2 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000
4.3
@@ -1,754 +0,0 @@ 4.4 -##### Example wpa_supplicant configuration file ############################### 4.5 -# 4.6 -# This file describes configuration file format and lists all available option. 4.7 -# Please also take a look at simpler configuration examples in 'examples' 4.8 -# subdirectory. 4.9 -# 4.10 -# Empty lines and lines starting with # are ignored 4.11 - 4.12 -# NOTE! This file may contain password information and should probably be made 4.13 -# readable only by root user on multiuser systems. 4.14 - 4.15 -# Note: All file paths in this configuration file should use full (absolute, 4.16 -# not relative to working directory) path in order to allow working directory 4.17 -# to be changed. This can happen if wpa_supplicant is run in the background. 4.18 - 4.19 -# Whether to allow wpa_supplicant to update (overwrite) configuration 4.20 -# 4.21 -# This option can be used to allow wpa_supplicant to overwrite configuration 4.22 -# file whenever configuration is changed (e.g., new network block is added with 4.23 -# wpa_cli or wpa_gui, or a password is changed). This is required for 4.24 -# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 4.25 -# Please note that overwriting configuration file will remove the comments from 4.26 -# it. 4.27 -#update_config=1 4.28 - 4.29 -# global configuration (shared by all network blocks) 4.30 -# 4.31 -# Parameters for the control interface. If this is specified, wpa_supplicant 4.32 -# will open a control interface that is available for external programs to 4.33 -# manage wpa_supplicant. The meaning of this string depends on which control 4.34 -# interface mechanism is used. For all cases, the existance of this parameter 4.35 -# in configuration is used to determine whether the control interface is 4.36 -# enabled. 
4.37 -# 4.38 -# For UNIX domain sockets (default on Linux and BSD): This is a directory that 4.39 -# will be created for UNIX domain sockets for listening to requests from 4.40 -# external programs (CLI/GUI, etc.) for status information and configuration. 4.41 -# The socket file will be named based on the interface name, so multiple 4.42 -# wpa_supplicant processes can be run at the same time if more than one 4.43 -# interface is used. 4.44 -# /var/run/wpa_supplicant is the recommended directory for sockets and by 4.45 -# default, wpa_cli will use it when trying to connect with wpa_supplicant. 4.46 -# 4.47 -# Access control for the control interface can be configured by setting the 4.48 -# directory to allow only members of a group to use sockets. This way, it is 4.49 -# possible to run wpa_supplicant as root (since it needs to change network 4.50 -# configuration and open raw sockets) and still allow GUI/CLI components to be 4.51 -# run as non-root users. However, since the control interface can be used to 4.52 -# change the network configuration, this access needs to be protected in many 4.53 -# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 4.54 -# want to allow non-root users to use the control interface, add a new group 4.55 -# and change this value to match with that group. Add users that should have 4.56 -# control interface access to this group. If this variable is commented out or 4.57 -# not included in the configuration file, group will not be changed from the 4.58 -# value it got by default when the directory or socket was created. 4.59 -# 4.60 -# When configuring both the directory and group, use following format: 4.61 -# DIR=/var/run/wpa_supplicant GROUP=wheel 4.62 -# DIR=/var/run/wpa_supplicant GROUP=0 4.63 -# (group can be either group name or gid) 4.64 -# 4.65 -# For UDP connections (default on Windows): The value will be ignored. This 4.66 -# variable is just used to select that the control interface is to be created. 
4.67 -# The value can be set to, e.g., udp (ctrl_interface=udp) 4.68 -# 4.69 -# For Windows Named Pipe: This value can be used to set the security descriptor 4.70 -# for controlling access to the control interface. Security descriptor can be 4.71 -# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 4.72 -# library/default.asp?url=/library/en-us/secauthz/security/ 4.73 -# security_descriptor_string_format.asp). The descriptor string needs to be 4.74 -# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 4.75 -# DACL (which will reject all connections). See README-Windows.txt for more 4.76 -# information about SDDL string format. 4.77 -# 4.78 -ctrl_interface=/var/run/wpa_supplicant 4.79 - 4.80 -# Ensure that only root can read the WPA configuration 4.81 -ctrl_interface_group=0 4.82 - 4.83 - 4.84 -# IEEE 802.1X/EAPOL version 4.85 -# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 4.86 -# EAPOL version 2. However, there are many APs that do not handle the new 4.87 -# version number correctly (they seem to drop the frames completely). In order 4.88 -# to make wpa_supplicant interoperate with these APs, the version number is set 4.89 -# to 1 by default. This configuration value can be used to set it to the new 4.90 -# version (2). 4.91 -eapol_version=1 4.92 - 4.93 -# AP scanning/selection 4.94 -# By default, wpa_supplicant requests driver to perform AP scanning and then 4.95 -# uses the scan results to select a suitable AP. Another alternative is to 4.96 -# allow the driver to take care of AP scanning and selection and use 4.97 -# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 4.98 -# information from the driver. 
4.99 -# 1: wpa_supplicant initiates scanning and AP selection 4.100 -# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 4.101 -# parameters (e.g., WPA IE generation); this mode can also be used with 4.102 -# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 4.103 -# APs (i.e., external program needs to control association). This mode must 4.104 -# also be used when using wired Ethernet drivers. 4.105 -# 2: like 0, but associate with APs using security policy and SSID (but not 4.106 -# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 4.107 -# enable operation with hidden SSIDs and optimized roaming; in this mode, 4.108 -# the network blocks in the configuration file are tried one by one until 4.109 -# the driver reports successful association; each network block should have 4.110 -# explicit security policy (i.e., only one option in the lists) for 4.111 -# key_mgmt, pairwise, group, proto variables 4.112 -ap_scan=0 4.113 - 4.114 -# EAP fast re-authentication 4.115 -# By default, fast re-authentication is enabled for all EAP methods that 4.116 -# support it. This variable can be used to disable fast re-authentication. 4.117 -# Normally, there is no need to disable this. 4.118 -fast_reauth=1 4.119 - 4.120 -# OpenSSL Engine support 4.121 -# These options can be used to load OpenSSL engines. 4.122 -# The two engines that are supported currently are shown below: 4.123 -# They are both from the opensc project (http://www.opensc.org/) 4.124 -# By default no engines are loaded. 
4.125 -# make the opensc engine available 4.126 -#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 4.127 -# make the pkcs11 engine available 4.128 -#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 4.129 -# configure the path to the pkcs11 module required by the pkcs11 engine 4.130 -#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 4.131 - 4.132 -# Dynamic EAP methods 4.133 -# If EAP methods were built dynamically as shared object files, they need to be 4.134 -# loaded here before being used in the network blocks. By default, EAP methods 4.135 -# are included statically in the build, so these lines are not needed 4.136 -#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 4.137 -#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 4.138 - 4.139 -# Driver interface parameters 4.140 -# This field can be used to configure arbitrary driver interace parameters. The 4.141 -# format is specific to the selected driver interface. This field is not used 4.142 -# in most cases. 4.143 -#driver_param="field=value" 4.144 - 4.145 -# Maximum lifetime for PMKSA in seconds; default 43200 4.146 -#dot11RSNAConfigPMKLifetime=43200 4.147 -# Threshold for reauthentication (percentage of PMK lifetime); default 70 4.148 -#dot11RSNAConfigPMKReauthThreshold=70 4.149 -# Timeout for security association negotiation in seconds; default 60 4.150 -#dot11RSNAConfigSATimeout=60 4.151 - 4.152 -# network block 4.153 -# 4.154 -# Each network (usually AP's sharing the same SSID) is configured as a separate 4.155 -# block in this configuration file. The network blocks are in preference order 4.156 -# (the first match is used). 4.157 -# 4.158 -# network block fields: 4.159 -# 4.160 -# disabled: 4.161 -# 0 = this network can be used (default) 4.162 -# 1 = this network block is disabled (can be enabled through ctrl_iface, 4.163 -# e.g., with wpa_cli or wpa_gui) 4.164 -# 4.165 -# id_str: Network identifier string for external scripts. 
This value is passed 4.166 -# to external action script through wpa_cli as WPA_ID_STR environment 4.167 -# variable to make it easier to do network specific configuration. 4.168 -# 4.169 -# ssid: SSID (mandatory); either as an ASCII string with double quotation or 4.170 -# as hex string; network name 4.171 -# 4.172 -# scan_ssid: 4.173 -# 0 = do not scan this SSID with specific Probe Request frames (default) 4.174 -# 1 = scan with SSID-specific Probe Request frames (this can be used to 4.175 -# find APs that do not accept broadcast SSID or use multiple SSIDs; 4.176 -# this will add latency to scanning, so enable this only when needed) 4.177 -# 4.178 -# bssid: BSSID (optional); if set, this network block is used only when 4.179 -# associating with the AP using the configured BSSID 4.180 -# 4.181 -# priority: priority group (integer) 4.182 -# By default, all networks will get same priority group (0). If some of the 4.183 -# networks are more desirable, this field can be used to change the order in 4.184 -# which wpa_supplicant goes through the networks when selecting a BSS. The 4.185 -# priority groups will be iterated in decreasing priority (i.e., the larger the 4.186 -# priority value, the sooner the network is matched against the scan results). 4.187 -# Within each priority group, networks will be selected based on security 4.188 -# policy, signal strength, etc. 4.189 -# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 4.190 -# using this priority to select the order for scanning. Instead, they try the 4.191 -# networks in the order that used in the configuration file. 4.192 -# 4.193 -# mode: IEEE 802.11 operation mode 4.194 -# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 4.195 -# 1 = IBSS (ad-hoc, peer-to-peer) 4.196 -# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 4.197 -# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has 4.198 -# to be set to 2 for IBSS. 
WPA-None requires following network block options: 4.199 -# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 4.200 -# both), and psk must also be set. 4.201 -# 4.202 -# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 4.203 -# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 4.204 -# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 4.205 -# In addition, this value is only used by the station that creates the IBSS. If 4.206 -# an IBSS network with the configured SSID is already present, the frequency of 4.207 -# the network will be used instead of this configured value. 4.208 -# 4.209 -# proto: list of accepted protocols 4.210 -# WPA = WPA/IEEE 802.11i/D3.0 4.211 -# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 4.212 -# If not set, this defaults to: WPA RSN 4.213 -# 4.214 -# key_mgmt: list of accepted authenticated key management protocols 4.215 -# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 4.216 -# WPA-EAP = WPA using EAP authentication (this can use an external 4.217 -# program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication 4.218 -# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 4.219 -# generated WEP keys 4.220 -# NONE = WPA is not used; plaintext or static WEP could be used 4.221 -# If not set, this defaults to: WPA-PSK WPA-EAP 4.222 -# 4.223 -# auth_alg: list of allowed IEEE 802.11 authentication algorithms 4.224 -# OPEN = Open System authentication (required for WPA/WPA2) 4.225 -# SHARED = Shared Key authentication (requires static WEP keys) 4.226 -# LEAP = LEAP/Network EAP (only used with LEAP) 4.227 -# If not set, automatic selection is used (Open System with LEAP enabled if 4.228 -# LEAP is allowed as one of the EAP methods). 
4.229 -# 4.230 -# pairwise: list of accepted pairwise (unicast) ciphers for WPA 4.231 -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 4.232 -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 4.233 -# NONE = Use only Group Keys (deprecated, should not be included if APs support 4.234 -# pairwise keys) 4.235 -# If not set, this defaults to: CCMP TKIP 4.236 -# 4.237 -# group: list of accepted group (broadcast/multicast) ciphers for WPA 4.238 -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 4.239 -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 4.240 -# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 4.241 -# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 4.242 -# If not set, this defaults to: CCMP TKIP WEP104 WEP40 4.243 -# 4.244 -# psk: WPA preshared key; 256-bit pre-shared key 4.245 -# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 4.246 -# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 4.247 -# generated using the passphrase and SSID). ASCII passphrase must be between 4.248 -# 8 and 63 characters (inclusive). 4.249 -# This field is not needed, if WPA-EAP is used. 4.250 -# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 4.251 -# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 4.252 -# startup and reconfiguration time can be optimized by generating the PSK only 4.253 -# only when the passphrase or SSID has actually changed. 4.254 -# 4.255 -# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 4.256 -# Dynamic WEP key required for non-WPA mode 4.257 -# bit0 (1): require dynamically generated unicast WEP key 4.258 -# bit1 (2): require dynamically generated broadcast WEP key 4.259 -# (3 = require both keys; default) 4.260 -# Note: When using wired authentication, eapol_flags must be set to 0 for the 4.261 -# authentication to be completed successfully. 
4.262 -# 4.263 -# mixed_cell: This option can be used to configure whether so called mixed 4.264 -# cells, i.e., networks that use both plaintext and encryption in the same 4.265 -# SSID, are allowed when selecting a BSS form scan results. 4.266 -# 0 = disabled (default) 4.267 -# 1 = enabled 4.268 -# 4.269 -# proactive_key_caching: 4.270 -# Enable/disable opportunistic PMKSA caching for WPA2. 4.271 -# 0 = disabled (default) 4.272 -# 1 = enabled 4.273 -# 4.274 -# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 4.275 -# hex without quotation, e.g., 0102030405) 4.276 -# wep_tx_keyidx: Default WEP key index (TX) (0..3) 4.277 -# 4.278 -# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 4.279 -# allowed. This is only used with RSN/WPA2. 4.280 -# 0 = disabled (default) 4.281 -# 1 = enabled 4.282 -#peerkey=1 4.283 -# 4.284 -# Following fields are only used with internal EAP implementation. 4.285 -# eap: space-separated list of accepted EAP methods 4.286 -# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 4.287 -# cannot be used with WPA; to be used as a Phase 2 method 4.288 -# with EAP-PEAP or EAP-TTLS) 4.289 -# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 4.290 -# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 4.291 -# OTP = EAP-OTP (cannot be used separately with WPA; to be used 4.292 -# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 4.293 -# GTC = EAP-GTC (cannot be used separately with WPA; to be used 4.294 -# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 4.295 -# TLS = EAP-TLS (client and server certificate) 4.296 -# PEAP = EAP-PEAP (with tunnelled EAP authentication) 4.297 -# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 4.298 -# authentication) 4.299 -# If not set, all compiled in methods are allowed. 
4.300 -# 4.301 -# identity: Identity string for EAP 4.302 -# anonymous_identity: Anonymous identity string for EAP (to be used as the 4.303 -# unencrypted identity with EAP types that support different tunnelled 4.304 -# identity, e.g., EAP-TTLS) 4.305 -# password: Password string for EAP 4.306 -# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 4.307 -# or more trusted CA certificates. If ca_cert and ca_path are not 4.308 -# included, server certificate will not be verified. This is insecure and 4.309 -# a trusted CA certificate should always be configured when using 4.310 -# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 4.311 -# change when wpa_supplicant is run in the background. 4.312 -# On Windows, trusted CA certificates can be loaded from the system 4.313 -# certificate store by setting this to cert_store://<name>, e.g., 4.314 -# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 4.315 -# Note that when running wpa_supplicant as an application, the user 4.316 -# certificate store (My user account) is used, whereas computer store 4.317 -# (Computer account) is used when running wpasvc as a service. 4.318 -# ca_path: Directory path for CA certificate files (PEM). This path may 4.319 -# contain multiple CA certificates in OpenSSL format. Common use for this 4.320 -# is to point to system trusted CA list which is often installed into 4.321 -# directory like /etc/ssl/certs. If configured, these certificates are 4.322 -# added to the list of trusted CAs. ca_cert may also be included in that 4.323 -# case, but it is not required. 4.324 -# client_cert: File path to client certificate file (PEM/DER) 4.325 -# Full path should be used since working directory may change when 4.326 -# wpa_supplicant is run in the background. 4.327 -# Alternatively, a named configuration blob can be used by setting this 4.328 -# to blob://<blob name>. 
4.329 -# private_key: File path to client private key file (PEM/DER/PFX) 4.330 -# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 4.331 -# commented out. Both the private key and certificate will be read from 4.332 -# the PKCS#12 file in this case. Full path should be used since working 4.333 -# directory may change when wpa_supplicant is run in the background. 4.334 -# Windows certificate store can be used by leaving client_cert out and 4.335 -# configuring private_key in one of the following formats: 4.336 -# cert://substring_to_match 4.337 -# hash://certificate_thumbprint_in_hex 4.338 -# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 4.339 -# Note that when running wpa_supplicant as an application, the user 4.340 -# certificate store (My user account) is used, whereas computer store 4.341 -# (Computer account) is used when running wpasvc as a service. 4.342 -# Alternatively, a named configuration blob can be used by setting this 4.343 -# to blob://<blob name>. 4.344 -# private_key_passwd: Password for private key file (if left out, this will be 4.345 -# asked through control interface) 4.346 -# dh_file: File path to DH/DSA parameters file (in PEM format) 4.347 -# This is an optional configuration file for setting parameters for an 4.348 -# ephemeral DH key exchange. In most cases, the default RSA 4.349 -# authentication does not use this configuration. However, it is possible 4.350 -# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 4.351 -# DSA keys always use ephemeral DH keys. This can be used to achieve 4.352 -# forward secrecy. If the file is in DSA parameters format, it will be 4.353 -# automatically converted into DH params. 4.354 -# subject_match: Substring to be matched against the subject of the 4.355 -# authentication server certificate. If this string is set, the server 4.356 -# sertificate is only accepted if it contains this string in the subject. 
4.357 -# The subject string is in following format: 4.358 -# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com 4.359 -# altsubject_match: Semicolon separated string of entries to be matched against 4.360 -# the alternative subject name of the authentication server certificate. 4.361 -# If this string is set, the server sertificate is only accepted if it 4.362 -# contains one of the entries in an alternative subject name extension. 4.363 -# altSubjectName string is in following format: TYPE:VALUE 4.364 -# Example: EMAIL:server@example.com 4.365 -# Example: DNS:server.example.com;DNS:server2.example.com 4.366 -# Following types are supported: EMAIL, DNS, URI 4.367 -# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 4.368 -# (string with field-value pairs, e.g., "peapver=0" or 4.369 -# "peapver=1 peaplabel=1") 4.370 -# 'peapver' can be used to force which PEAP version (0 or 1) is used. 4.371 -# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 4.372 -# to be used during key derivation when PEAPv1 or newer. Most existing 4.373 -# PEAPv1 implementation seem to be using the old label, "client EAP 4.374 -# encryption", and wpa_supplicant is now using that as the default value. 4.375 -# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 4.376 -# interoperate with PEAPv1; see eap_testing.txt for more details. 4.377 -# 'peap_outer_success=0' can be used to terminate PEAP authentication on 4.378 -# tunneled EAP-Success. This is required with some RADIUS servers that 4.379 -# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 4.380 -# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 4.381 -# include_tls_length=1 can be used to force wpa_supplicant to include 4.382 -# TLS Message Length field in all TLS messages even if they are not 4.383 -# fragmented. 
4.384 -# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 4.385 -# challenges (by default, it accepts 2 or 3) 4.386 -# phase2: Phase2 (inner authentication with TLS tunnel) parameters 4.387 -# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 4.388 -# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 4.389 -# Following certificate/private key fields are used in inner Phase2 4.390 -# authentication when using EAP-TTLS or EAP-PEAP. 4.391 -# ca_cert2: File path to CA certificate file. This file can have one or more 4.392 -# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 4.393 -# server certificate will not be verified. This is insecure and a trusted 4.394 -# CA certificate should always be configured. 4.395 -# ca_path2: Directory path for CA certificate files (PEM) 4.396 -# client_cert2: File path to client certificate file 4.397 -# private_key2: File path to client private key file 4.398 -# private_key2_passwd: Password for private key file 4.399 -# dh_file2: File path to DH/DSA parameters file (in PEM format) 4.400 -# subject_match2: Substring to be matched against the subject of the 4.401 -# authentication server certificate. 4.402 -# altsubject_match2: Substring to be matched against the alternative subject 4.403 -# name of the authentication server certificate. 4.404 -# 4.405 -# fragment_size: Maximum EAP fragment size in bytes (default 1398). 4.406 -# This value limits the fragment size for EAP methods that support 4.407 -# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 4.408 -# small enough to make the EAP messages fit in MTU of the network 4.409 -# interface used for EAPOL. The default value is suitable for most 4.410 -# cases. 
4.411 -# 4.412 -# EAP-PSK variables: 4.413 -# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format 4.414 -# nai: user NAI 4.415 -# 4.416 -# EAP-PAX variables: 4.417 -# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format 4.418 -# 4.419 -# EAP-SAKE variables: 4.420 -# eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format 4.421 -# (this is concatenation of Root-Secret-A and Root-Secret-B) 4.422 -# nai: user NAI (PEERID) 4.423 -# 4.424 -# EAP-GPSK variables: 4.425 -# eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits) 4.426 -# nai: user NAI (ID_Client) 4.427 -# 4.428 -# EAP-FAST variables: 4.429 -# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 4.430 -# to create this file and write updates to it when PAC is being 4.431 -# provisioned or refreshed. Full path to the file should be used since 4.432 -# working directory may change when wpa_supplicant is run in the 4.433 -# background. Alternatively, a named configuration blob can be used by 4.434 -# setting this to blob://<blob name> 4.435 -# phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST 4.436 -# credentials (PAC) 4.437 -# 4.438 -# wpa_supplicant supports number of "EAP workarounds" to work around 4.439 -# interoperability issues with incorrectly behaving authentication servers. 4.440 -# These are enabled by default because some of the issues are present in large 4.441 -# number of authentication servers. Strict EAP conformance mode can be 4.442 -# configured by disabling workarounds with eap_workaround=0. 
4.443 - 4.444 -# Example blocks: 4.445 - 4.446 -# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 4.447 -#network={ 4.448 -# ssid="simple" 4.449 -# psk="very secret passphrase" 4.450 -# priority=5 4.451 -#} 4.452 - 4.453 -# Same as previous, but request SSID-specific scanning (for APs that reject 4.454 -# broadcast SSID) 4.455 -#network={ 4.456 -# ssid="second ssid" 4.457 -# scan_ssid=1 4.458 -# psk="very secret passphrase" 4.459 -# priority=2 4.460 -#} 4.461 - 4.462 -# Only WPA-PSK is used. Any valid cipher combination is accepted. 4.463 -#network={ 4.464 -# ssid="example" 4.465 -# proto=WPA 4.466 -# key_mgmt=WPA-PSK 4.467 -# pairwise=CCMP TKIP 4.468 -# group=CCMP TKIP WEP104 WEP40 4.469 -# psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 4.470 -# priority=2 4.471 -#} 4.472 - 4.473 -# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 4.474 -# or WEP40 as the group cipher will not be accepted. 4.475 -#network={ 4.476 -# ssid="example" 4.477 -# proto=RSN 4.478 -# key_mgmt=WPA-EAP 4.479 -# pairwise=CCMP TKIP 4.480 -# group=CCMP TKIP 4.481 -# eap=TLS 4.482 -# identity="user@example.com" 4.483 -# ca_cert="/etc/cert/ca.pem" 4.484 -# client_cert="/etc/cert/user.pem" 4.485 -# private_key="/etc/cert/user.prv" 4.486 -# private_key_passwd="password" 4.487 -# priority=1 4.488 -#} 4.489 - 4.490 -# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 4.491 -# (e.g., Radiator) 4.492 -#network={ 4.493 -# ssid="example" 4.494 -# key_mgmt=WPA-EAP 4.495 -# eap=PEAP 4.496 -# identity="user@example.com" 4.497 -# password="foobar" 4.498 -# ca_cert="/etc/cert/ca.pem" 4.499 -# phase1="peaplabel=1" 4.500 -# phase2="auth=MSCHAPV2" 4.501 -# priority=10 4.502 -#} 4.503 - 4.504 -# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 4.505 -# unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 
4.506 -#network={ 4.507 -# ssid="example" 4.508 -# key_mgmt=WPA-EAP 4.509 -# eap=TTLS 4.510 -# identity="user@example.com" 4.511 -# anonymous_identity="anonymous@example.com" 4.512 -# password="foobar" 4.513 -# ca_cert="/etc/cert/ca.pem" 4.514 -# priority=2 4.515 -#} 4.516 - 4.517 -# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 4.518 -# use. Real identity is sent only within an encrypted TLS tunnel. 4.519 -#network={ 4.520 -# ssid="example" 4.521 -# key_mgmt=WPA-EAP 4.522 -# eap=TTLS 4.523 -# identity="user@example.com" 4.524 -# anonymous_identity="anonymous@example.com" 4.525 -# password="foobar" 4.526 -# ca_cert="/etc/cert/ca.pem" 4.527 -# phase2="auth=MSCHAPV2" 4.528 -#} 4.529 - 4.530 -# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 4.531 -# authentication. 4.532 -#network={ 4.533 -# ssid="example" 4.534 -# key_mgmt=WPA-EAP 4.535 -# eap=TTLS 4.536 - # Phase1 / outer authentication 4.537 -# anonymous_identity="anonymous@example.com" 4.538 -# ca_cert="/etc/cert/ca.pem" 4.539 - # Phase 2 / inner authentication 4.540 -# phase2="autheap=TLS" 4.541 -# ca_cert2="/etc/cert/ca2.pem" 4.542 -# client_cert2="/etc/cer/user.pem" 4.543 -# private_key2="/etc/cer/user.prv" 4.544 -# private_key2_passwd="password" 4.545 -# priority=2 4.546 -#} 4.547 - 4.548 -# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 4.549 -# group cipher. 4.550 -#network={ 4.551 -# ssid="example" 4.552 -# bssid=00:11:22:33:44:55 4.553 -# proto=WPA RSN 4.554 -# key_mgmt=WPA-PSK WPA-EAP 4.555 -# pairwise=CCMP 4.556 -# group=CCMP 4.557 -# psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 4.558 -#} 4.559 - 4.560 -# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 4.561 -# and all valid ciphers. 
4.562 -#network={ 4.563 -# ssid=00010203 4.564 -# psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 4.565 -#} 4.566 - 4.567 - 4.568 -# EAP-SIM with a GSM SIM or USIM 4.569 -#network={ 4.570 -# ssid="eap-sim-test" 4.571 -# key_mgmt=WPA-EAP 4.572 -# eap=SIM 4.573 -# pin="1234" 4.574 -# pcsc="" 4.575 -#} 4.576 - 4.577 - 4.578 -# EAP-PSK 4.579 -#network={ 4.580 -# ssid="eap-psk-test" 4.581 -# key_mgmt=WPA-EAP 4.582 -# eap=PSK 4.583 -# identity="eap_psk_user" 4.584 -# eappsk=06b4be19da289f475aa46a33cb793029 4.585 -# nai="eap_psk_user@example.com" 4.586 -#} 4.587 - 4.588 - 4.589 -# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 4.590 -# EAP-TLS for authentication and key generation; require both unicast and 4.591 -# broadcast WEP keys. 4.592 -#network={ 4.593 -# ssid="1x-test" 4.594 -# key_mgmt=IEEE8021X 4.595 -# eap=TLS 4.596 -# identity="user@example.com" 4.597 -# ca_cert="/etc/cert/ca.pem" 4.598 -# client_cert="/etc/cert/user.pem" 4.599 -# private_key="/etc/cert/user.prv" 4.600 -# private_key_passwd="password" 4.601 -# eapol_flags=3 4.602 -#} 4.603 - 4.604 - 4.605 -# LEAP with dynamic WEP keys 4.606 -#network={ 4.607 -# ssid="leap-example" 4.608 -# key_mgmt=IEEE8021X 4.609 -# eap=LEAP 4.610 -# identity="user" 4.611 -# password="foobar" 4.612 -#} 4.613 - 4.614 -# EAP-FAST with WPA (WPA or WPA2) 4.615 -#network={ 4.616 -# ssid="eap-fast-test" 4.617 -# key_mgmt=WPA-EAP 4.618 -# eap=FAST 4.619 -# anonymous_identity="FAST-000102030405" 4.620 -# identity="username" 4.621 -# password="password" 4.622 -# phase1="fast_provisioning=1" 4.623 -# pac_file="/etc/wpa_supplicant.eap-fast-pac" 4.624 -#} 4.625 - 4.626 -#network={ 4.627 -# ssid="eap-fast-test" 4.628 -# key_mgmt=WPA-EAP 4.629 -# eap=FAST 4.630 -# anonymous_identity="FAST-000102030405" 4.631 -# identity="username" 4.632 -# password="password" 4.633 -# phase1="fast_provisioning=1" 4.634 -# pac_file="blob://eap-fast-pac" 4.635 -#} 4.636 - 4.637 -# Plaintext connection (no WPA, 
no IEEE 802.1X) 4.638 -#network={ 4.639 -# ssid="plaintext-test" 4.640 -# key_mgmt=NONE 4.641 -#} 4.642 - 4.643 - 4.644 -# Shared WEP key connection (no WPA, no IEEE 802.1X) 4.645 -#network={ 4.646 -# ssid="static-wep-test" 4.647 -# key_mgmt=NONE 4.648 -# wep_key0="abcde" 4.649 -# wep_key1=0102030405 4.650 -# wep_key2="1234567890123" 4.651 -# wep_tx_keyidx=0 4.652 -# priority=5 4.653 -#} 4.654 - 4.655 - 4.656 -# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 4.657 -# IEEE 802.11 authentication 4.658 -#network={ 4.659 -# ssid="static-wep-test2" 4.660 -# key_mgmt=NONE 4.661 -# wep_key0="abcde" 4.662 -# wep_key1=0102030405 4.663 -# wep_key2="1234567890123" 4.664 -# wep_tx_keyidx=0 4.665 -# priority=5 4.666 -# auth_alg=SHARED 4.667 -#} 4.668 - 4.669 - 4.670 -# IBSS/ad-hoc network with WPA-None/TKIP. 4.671 -#network={ 4.672 -# ssid="test adhoc" 4.673 -# mode=1 4.674 -# frequency=2412 4.675 -# proto=WPA 4.676 -# key_mgmt=WPA-NONE 4.677 -# pairwise=NONE 4.678 -# group=TKIP 4.679 -# psk="secret passphrase" 4.680 -#} 4.681 - 4.682 - 4.683 -# Catch all example that allows more or less all configuration modes 4.684 -#network={ 4.685 -# ssid="example" 4.686 -# scan_ssid=1 4.687 -# key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 4.688 -# pairwise=CCMP TKIP 4.689 -# group=CCMP TKIP WEP104 WEP40 4.690 -# psk="very secret passphrase" 4.691 -# eap=TTLS PEAP TLS 4.692 -# identity="user@example.com" 4.693 -# password="foobar" 4.694 -# ca_cert="/etc/cert/ca.pem" 4.695 -# client_cert="/etc/cert/user.pem" 4.696 -# private_key="/etc/cert/user.prv" 4.697 -# private_key_passwd="password" 4.698 -# phase1="peaplabel=0" 4.699 -#} 4.700 - 4.701 -# Example of EAP-TLS with smartcard (openssl engine) 4.702 -#network={ 4.703 -# ssid="example" 4.704 -# key_mgmt=WPA-EAP 4.705 -# eap=TLS 4.706 -# proto=RSN 4.707 -# pairwise=CCMP TKIP 4.708 -# group=CCMP TKIP 4.709 -# identity="user@example.com" 4.710 -# ca_cert="/etc/cert/ca.pem" 4.711 -# client_cert="/etc/cert/user.pem" 4.712 -# 4.713 
-# engine=1 4.714 - 4.715 - # The engine configured here must be available. Look at 4.716 - # OpenSSL engine support in the global section. 4.717 - # The key available through the engine must be the private key 4.718 - # matching the client certificate configured above. 4.719 - 4.720 - # use the opensc engine 4.721 - #engine_id="opensc" 4.722 - #key_id="45" 4.723 - 4.724 - # use the pkcs11 engine 4.725 -# engine_id="pkcs11" 4.726 -# key_id="id_45" 4.727 -# 4.728 - # Optional PIN configuration; this can be left out and PIN will be 4.729 - # asked through the control interface 4.730 -# pin="1234" 4.731 -#} 4.732 - 4.733 -# Example configuration showing how to use an inlined blob as a CA certificate 4.734 -# data instead of using external file 4.735 -#network={ 4.736 -# ssid="example" 4.737 -# key_mgmt=WPA-EAP 4.738 -# eap=TTLS 4.739 -# identity="user@example.com" 4.740 -# anonymous_identity="anonymous@example.com" 4.741 -# password="foobar" 4.742 -# ca_cert="blob://exampleblob" 4.743 -# priority=20 4.744 -#} 4.745 - 4.746 -#blob-base64-exampleblob={ 4.747 -#SGVsbG8gV29ybGQhCg== 4.748 -#} 4.749 - 4.750 - 4.751 -# Wildcard match for SSID (plaintext APs only). This example select any 4.752 -# open AP regardless of its SSID. 4.753 -network={ 4.754 - key_mgmt=NONE 4.755 -} 4.756 - 4.757 -