wok annotate wpa_supplicant/stuff/etc/wpa/wpa_supplicant.conf @ rev 20070

busybox/udhcpc6: update script (again)
author Pascal Bellard <pascal.bellard@slitaz.org>
date Sat Sep 23 17:56:48 2017 +0200 (2017-09-23)
pankso@15914 1 ##### Example wpa_supplicant configuration file ###############################
pankso@15914 2 #
pankso@15914 3 # This file describes the configuration file format and lists all available options.
pankso@15914 4 # Please also take a look at simpler configuration examples in 'examples'
pankso@15914 5 # subdirectory.
pankso@15914 6 #
pankso@15914 7 # Empty lines and lines starting with # are ignored
pankso@15914 8
pankso@15914 9 # NOTE! This file may contain password information (e.g., psk, password,
pankso@15914 10 # private_key_passwd) and should probably be made readable only by the root user on multiuser systems.
pankso@15914 11
pankso@15914 12 # Note: All file paths in this configuration file should use full (absolute,
pankso@15914 13 # not relative to working directory) path in order to allow working directory
pankso@15914 14 # to be changed. This can happen if wpa_supplicant is run in the background.
pankso@15914 15
pankso@15914 16 # Whether to allow wpa_supplicant to update (overwrite) configuration
pankso@15914 17 #
pankso@15914 18 # This option can be used to allow wpa_supplicant to overwrite configuration
pankso@15914 19 # file whenever configuration is changed (e.g., new network block is added with
pankso@15914 20 # wpa_cli or wpa_gui, or a password is changed). This is required for
pankso@15914 21 # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
pankso@15914 22 # Please note that overwriting configuration file will remove the comments from
pankso@15914 23 # it.
pankso@15914 24 #update_config=1
pankso@15914 25
pankso@15914 26 # global configuration (shared by all network blocks)
pankso@15914 27 #
pankso@15914 28 # Parameters for the control interface. If this is specified, wpa_supplicant
pankso@15914 29 # will open a control interface that is available for external programs to
pankso@15914 30 # manage wpa_supplicant. The meaning of this string depends on which control
pankso@15914 31 # interface mechanism is used. For all cases, the existence of this parameter
pankso@15914 32 # in configuration is used to determine whether the control interface is
pankso@15914 33 # enabled.
pankso@15914 34 #
pankso@15914 35 # For UNIX domain sockets (default on Linux and BSD): This is a directory that
pankso@15914 36 # will be created for UNIX domain sockets for listening to requests from
pankso@15914 37 # external programs (CLI/GUI, etc.) for status information and configuration.
pankso@15914 38 # The socket file will be named based on the interface name, so multiple
pankso@15914 39 # wpa_supplicant processes can be run at the same time if more than one
pankso@15914 40 # interface is used.
pankso@15914 41 # /var/run/wpa_supplicant is the recommended directory for sockets and by
pankso@15914 42 # default, wpa_cli will use it when trying to connect with wpa_supplicant.
pankso@15914 43 #
pankso@15914 44 # Access control for the control interface can be configured by setting the
pankso@15914 45 # directory to allow only members of a group to use sockets. This way, it is
pankso@15914 46 # possible to run wpa_supplicant as root (since it needs to change network
pankso@15914 47 # configuration and open raw sockets) and still allow GUI/CLI components to be
pankso@15914 48 # run as non-root users. However, since the control interface can be used to
pankso@15914 49 # change the network configuration, this access needs to be protected in many
pankso@15914 50 # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
pankso@15914 51 # want to allow non-root users to use the control interface, add a new group
pankso@15914 52 # and change this value to match with that group. Add users that should have
pankso@15914 53 # control interface access to this group. If this variable is commented out or
pankso@15914 54 # not included in the configuration file, group will not be changed from the
pankso@15914 55 # value it got by default when the directory or socket was created.
pankso@15914 56 #
pankso@15914 57 # When configuring both the directory and group, use following format:
pankso@15914 58 # DIR=/var/run/wpa_supplicant GROUP=wheel
pankso@15914 59 # DIR=/var/run/wpa_supplicant GROUP=0
pankso@15914 60 # (group can be either group name or gid)
pankso@15914 61 #
pankso@15914 62 # For UDP connections (default on Windows): The value will be ignored. This
pankso@15914 63 # variable is just used to select that the control interface is to be created.
pankso@15914 64 # The value can be set to, e.g., udp (ctrl_interface=udp)
pankso@15914 65 #
pankso@15914 66 # For Windows Named Pipe: This value can be used to set the security descriptor
pankso@15914 67 # for controlling access to the control interface. Security descriptor can be
pankso@15914 68 # set using Security Descriptor String Format (see http://msdn.microsoft.com/
pankso@15914 69 # library/default.asp?url=/library/en-us/secauthz/security/
pankso@15914 70 # security_descriptor_string_format.asp). The descriptor string needs to be
pankso@15914 71 # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
pankso@15914 72 # DACL (which will reject all connections). See README-Windows.txt for more
pankso@15914 73 # information about SDDL string format.
pankso@15914 74 #
pankso@15914 75 ctrl_interface=/var/run/wpa_supplicant
pankso@15914 76
pankso@15914 77 # IEEE 802.1X/EAPOL version
pankso@15914 78 # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
pankso@15914 79 # EAPOL version 2. However, there are many APs that do not handle the new
pankso@15914 80 # version number correctly (they seem to drop the frames completely). In order
pankso@15914 81 # to make wpa_supplicant interoperate with these APs, the version number is set
pankso@15914 82 # to 1 by default. This configuration value can be used to set it to the new
pankso@15914 83 # version (2).
pankso@15914 84 eapol_version=1
pankso@15914 85
pankso@15914 86 # AP scanning/selection
pankso@15914 87 # By default, wpa_supplicant requests driver to perform AP scanning and then
pankso@15914 88 # uses the scan results to select a suitable AP. Another alternative is to
pankso@15914 89 # allow the driver to take care of AP scanning and selection and use
pankso@15914 90 # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
pankso@15914 91 # information from the driver.
pankso@15914 92 # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
pankso@15914 93 # the currently enabled networks are found, a new network (IBSS or AP mode
pankso@15914 94 # operation) may be initialized (if configured) (default)
pankso@15914 95 # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
pankso@15914 96 # parameters (e.g., WPA IE generation); this mode can also be used with
pankso@15914 97 # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
pankso@15914 98 # APs (i.e., external program needs to control association). This mode must
pankso@15914 99 # also be used when using wired Ethernet drivers.
pankso@15914 100 # 2: like 0, but associate with APs using security policy and SSID (but not
pankso@15914 101 # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
pankso@15914 102 # enable operation with hidden SSIDs and optimized roaming; in this mode,
pankso@15914 103 # the network blocks in the configuration file are tried one by one until
pankso@15914 104 # the driver reports successful association; each network block should have
pankso@15914 105 # explicit security policy (i.e., only one option in the lists) for
pankso@15914 106 # key_mgmt, pairwise, group, proto variables
pankso@15914 107 # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
pankso@15914 108 # created immediately regardless of scan results. ap_scan=1 mode will first try
pankso@15914 109 # to scan for existing networks and only if no matches with the enabled
pankso@15914 110 # networks are found, a new IBSS or AP mode network is created.
pankso@15914 111 ap_scan=1
pankso@15914 112
pankso@15914 113 # EAP fast re-authentication
pankso@15914 114 # By default, fast re-authentication is enabled for all EAP methods that
pankso@15914 115 # support it. This variable can be used to disable fast re-authentication.
pankso@15914 116 # Normally, there is no need to disable this.
pankso@15914 117 fast_reauth=1
pankso@15914 118
pankso@15914 119 # OpenSSL Engine support
pankso@15914 120 # These options can be used to load OpenSSL engines.
pankso@15914 121 # The two engines that are supported currently are shown below:
pankso@15914 122 # They are both from the opensc project (http://www.opensc.org/)
pankso@15914 123 # By default no engines are loaded.
pankso@15914 124 # make the opensc engine available
pankso@15914 125 #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
pankso@15914 126 # make the pkcs11 engine available
pankso@15914 127 #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
pankso@15914 128 # configure the path to the pkcs11 module required by the pkcs11 engine
pankso@15914 129 #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
pankso@15914 130
pankso@15914 131 # Dynamic EAP methods
pankso@15914 132 # If EAP methods were built dynamically as shared object files, they need to be
pankso@15914 133 # loaded here before being used in the network blocks. By default, EAP methods
pankso@15914 134 # are included statically in the build, so these lines are not needed
pankso@15914 135 #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
pankso@15914 136 #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
pankso@15914 137
pankso@15914 138 # Driver interface parameters
pankso@15914 139 # This field can be used to configure arbitrary driver interface parameters. The
pankso@15914 140 # format is specific to the selected driver interface. This field is not used
pankso@15914 141 # in most cases.
pankso@15914 142 #driver_param="field=value"
pankso@15914 143
pankso@15914 144 # Country code
pankso@15914 145 # The ISO/IEC alpha2 country code for the country in which this device is
pankso@15914 146 # currently operating.
pankso@15914 147 #country=US
pankso@15914 148
pankso@15914 149 # Maximum lifetime for PMKSA in seconds; default 43200
pankso@15914 150 #dot11RSNAConfigPMKLifetime=43200
pankso@15914 151 # Threshold for reauthentication (percentage of PMK lifetime); default 70
pankso@15914 152 #dot11RSNAConfigPMKReauthThreshold=70
pankso@15914 153 # Timeout for security association negotiation in seconds; default 60
pankso@15914 154 #dot11RSNAConfigSATimeout=60
pankso@15914 155
pankso@15914 156 # Wi-Fi Protected Setup (WPS) parameters
pankso@15914 157
pankso@15914 158 # Universally Unique IDentifier (UUID; see RFC 4122) of the device
pankso@15914 159 # If not configured, UUID will be generated based on the local MAC address.
pankso@15914 160 #uuid=12345678-9abc-def0-1234-56789abcdef0
pankso@15914 161
pankso@15914 162 # Device Name
pankso@15914 163 # User-friendly description of device; up to 32 octets encoded in UTF-8
pankso@15914 164 #device_name=Wireless Client
pankso@15914 165
pankso@15914 166 # Manufacturer
pankso@15914 167 # The manufacturer of the device (up to 64 ASCII characters)
pankso@15914 168 #manufacturer=Company
pankso@15914 169
pankso@15914 170 # Model Name
pankso@15914 171 # Model of the device (up to 32 ASCII characters)
pankso@15914 172 #model_name=cmodel
pankso@15914 173
pankso@15914 174 # Model Number
pankso@15914 175 # Additional device description (up to 32 ASCII characters)
pankso@15914 176 #model_number=123
pankso@15914 177
pankso@15914 178 # Serial Number
pankso@15914 179 # Serial number of the device (up to 32 characters)
pankso@15914 180 #serial_number=12345
pankso@15914 181
pankso@15914 182 # Primary Device Type
pankso@15914 183 # Used format: <categ>-<OUI>-<subcateg>
pankso@15914 184 # categ = Category as an integer value
pankso@15914 185 # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
pankso@15914 186 # default WPS OUI
pankso@15914 187 # subcateg = OUI-specific Sub Category as an integer value
pankso@15914 188 # Examples:
pankso@15914 189 # 1-0050F204-1 (Computer / PC)
pankso@15914 190 # 1-0050F204-2 (Computer / Server)
pankso@15914 191 # 5-0050F204-1 (Storage / NAS)
pankso@15914 192 # 6-0050F204-1 (Network Infrastructure / AP)
pankso@15914 193 #device_type=1-0050F204-1
pankso@15914 194
pankso@15914 195 # OS Version
pankso@15914 196 # 4-octet operating system version number (hex string)
pankso@15914 197 #os_version=01020300
pankso@15914 198
pankso@15914 199 # Config Methods
pankso@15914 200 # List of the supported configuration methods
pankso@15914 201 # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
pankso@15914 202 # nfc_interface push_button keypad virtual_display physical_display
pankso@15914 203 # virtual_push_button physical_push_button
pankso@15914 204 # For WSC 1.0:
pankso@15914 205 #config_methods=label display push_button keypad
pankso@15914 206 # For WSC 2.0:
pankso@15914 207 #config_methods=label virtual_display virtual_push_button keypad
pankso@15914 208
pankso@15914 209 # Credential processing
pankso@15914 210 # 0 = process received credentials internally (default)
pankso@15914 211 # 1 = do not process received credentials; just pass them over ctrl_iface to
pankso@15914 212 # external program(s)
pankso@15914 213 # 2 = process received credentials internally and pass them over ctrl_iface
pankso@15914 214 # to external program(s)
pankso@15914 215 #wps_cred_processing=0
pankso@15914 216
pankso@15914 217 # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
pankso@15914 218 # The vendor attribute contents to be added in M1 (hex string)
pankso@15914 219 #wps_vendor_ext_m1=000137100100020001
pankso@15914 220
pankso@15914 221 # NFC password token for WPS
pankso@15914 222 # These parameters can be used to configure a fixed NFC password token for the
pankso@15914 223 # station. This can be generated, e.g., with nfc_pw_token. When these
pankso@15914 224 # parameters are used, the station is assumed to be deployed with a NFC tag
pankso@15914 225 # that includes the matching NFC password token (e.g., written based on the
pankso@15914 226 # NDEF record from nfc_pw_token).
pankso@15914 227 #
pankso@15914 228 #wps_nfc_dev_pw_id: Device Password ID (16..65535)
pankso@15914 229 #wps_nfc_dh_pubkey: Hexdump of DH Public Key
pankso@15914 230 #wps_nfc_dh_privkey: Hexdump of DH Private Key
pankso@15914 231 #wps_nfc_dev_pw: Hexdump of Device Password
pankso@15914 232
pankso@15914 233 # Maximum number of BSS entries to keep in memory
pankso@15914 234 # Default: 200
pankso@15914 235 # This can be used to limit memory use on the BSS entries (cached scan
pankso@15914 236 # results). A larger value may be needed in environments that have huge number
pankso@15914 237 # of APs when using ap_scan=1 mode.
pankso@15914 238 #bss_max_count=200
pankso@15914 239
pankso@15914 240 # Automatic scan
pankso@15914 241 # This is an optional set of parameters for automatic scanning
pankso@15914 242 # within an interface in following format:
pankso@15914 243 #autoscan=<autoscan module name>:<module parameters>
pankso@15914 244 # autoscan is like bgscan but on disconnected or inactive state.
pankso@15914 245 # For instance, for the exponential module, parameters would be <base>:<limit>
pankso@15914 246 #autoscan=exponential:3:300
pankso@15914 247 # Which means a delay between scans on a base exponential of 3,
pankso@15914 248 # up to the limit of 300 seconds (3, 9, 27 ... 300)
pankso@15914 249 # For periodic module, parameters would be <fixed interval>
pankso@15914 250 #autoscan=periodic:30
pankso@15914 251 # So a delay of 30 seconds will be applied between each scan
pankso@15914 252
pankso@15914 253 # filter_ssids - SSID-based scan result filtering
pankso@15914 254 # 0 = do not filter scan results (default)
pankso@15914 255 # 1 = only include configured SSIDs in scan results/BSS table
pankso@15914 256 #filter_ssids=0
pankso@15914 257
pankso@15914 258 # Password (and passphrase, etc.) backend for external storage
pankso@15914 259 # format: <backend name>[:<optional backend parameters>]
pankso@15914 260 #ext_password_backend=test:pw1=password|pw2=testing
pankso@15914 261
pankso@15914 262 # Timeout in seconds to detect STA inactivity (default: 300 seconds)
pankso@15914 263 #
pankso@15914 264 # This timeout value is used in P2P GO mode to clean up
pankso@15914 265 # inactive stations.
pankso@15914 266 #p2p_go_max_inactivity=300
pankso@15914 267
pankso@15914 268 # Opportunistic Key Caching (also known as Proactive Key Caching) default
pankso@15914 269 # This parameter can be used to set the default behavior for the
pankso@15914 270 # proactive_key_caching parameter. By default, OKC is disabled unless enabled
pankso@15914 271 # with the global okc=1 parameter or with the per-network
pankso@15914 272 # proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
pankso@15914 273 # can be disabled with per-network proactive_key_caching=0 parameter.
pankso@15914 274 #okc=0
pankso@15914 275
pankso@15914 276 # Protected Management Frames default
pankso@15914 277 # This parameter can be used to set the default behavior for the ieee80211w
pankso@15914 278 # parameter. By default, PMF is disabled unless enabled with the global pmf=1/2
pankso@15914 279 # parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF
pankso@15914 280 # is enabled/required by default, but can be disabled with the per-network
pankso@15914 281 # ieee80211w parameter.
pankso@15914 282 #pmf=0
pankso@15914 283
pankso@15914 284 # Enabled SAE finite cyclic groups in preference order
pankso@15914 285 # By default (if this parameter is not set), the mandatory group 19 (ECC group
pankso@15914 286 # defined over a 256-bit prime order field) is preferred, but other groups are
pankso@15914 287 # also enabled. If this parameter is set, the groups will be tried in the
pankso@15914 288 # indicated order. The group values are listed in the IANA registry:
pankso@15914 289 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
pankso@15914 290 #sae_groups=21 20 19 26 25
pankso@15914 291
pankso@15914 292 # Default value for DTIM period (if not overridden in network block)
pankso@15914 293 #dtim_period=2
pankso@15914 294
pankso@15914 295 # Default value for Beacon interval (if not overridden in network block)
pankso@15914 296 #beacon_int=100
pankso@15914 297
pankso@15914 298 # Additional vendor specific elements for Beacon and Probe Response frames
pankso@15914 299 # This parameter can be used to add additional vendor specific element(s) into
pankso@15914 300 # the end of the Beacon and Probe Response frames. The format for these
pankso@15914 301 # element(s) is a hexdump of the raw information elements (id+len+payload for
pankso@15914 302 # one or more elements). This is used in AP and P2P GO modes.
pankso@15914 303 #ap_vendor_elements=dd0411223301
pankso@15914 304
pankso@15914 305 # Ignore scan results older than request
pankso@15914 306 #
pankso@15914 307 # The driver may have a cache of scan results that makes it return
pankso@15914 308 # information that is older than our scan trigger. This parameter can
pankso@15914 309 # be used to configure such old information to be ignored instead of
pankso@15914 310 # allowing it to update the internal BSS table.
pankso@15914 311 #ignore_old_scan_res=0
pankso@15914 312
pankso@15914 313 # scan_cur_freq: Whether to scan only the current frequency
pankso@15914 314 # 0: Scan all available frequencies. (Default)
pankso@15914 315 # 1: Scan current operating frequency if another VIF on the same radio
pankso@15914 316 # is already associated.
pankso@15914 317
pankso@15914 318 # Interworking (IEEE 802.11u)
pankso@15914 319
pankso@15914 320 # Enable Interworking
pankso@15914 321 # interworking=1
pankso@15914 322
pankso@15914 323 # Homogeneous ESS identifier
pankso@15914 324 # If this is set, scans will be used to request response only from BSSes
pankso@15914 325 # belonging to the specified Homogeneous ESS. This is used only if interworking
pankso@15914 326 # is enabled.
pankso@15914 327 # hessid=00:11:22:33:44:55
pankso@15914 328
pankso@15914 329 # Automatic network selection behavior
pankso@15914 330 # 0 = do not automatically go through Interworking network selection
pankso@15914 331 # (i.e., require explicit interworking_select command for this; default)
pankso@15914 332 # 1 = perform Interworking network selection if one or more
pankso@15914 333 # credentials have been configured and scan did not find a
pankso@15914 334 # matching network block
pankso@15914 335 #auto_interworking=0
pankso@15914 336
pankso@15914 337 # credential block
pankso@15914 338 #
pankso@15914 339 # Each credential used for automatic network selection is configured as a set
pankso@15914 340 # of parameters that are compared to the information advertised by the APs when
pankso@15914 341 # interworking_select and interworking_connect commands are used.
pankso@15914 342 #
pankso@15914 343 # credential fields:
pankso@15914 344 #
pankso@15914 345 # temporary: Whether this credential is temporary and not to be saved
pankso@15914 346 #
pankso@15914 347 # priority: Priority group
pankso@15914 348 # By default, all networks and credentials get the same priority group
pankso@15914 349 # (0). This field can be used to give higher priority for credentials
pankso@15914 350 # (and similarly in struct wpa_ssid for network blocks) to change the
pankso@15914 351 # Interworking automatic networking selection behavior. The matching
pankso@15914 352 # network (based on either an enabled network block or a credential)
pankso@15914 353 # with the highest priority value will be selected.
pankso@15914 354 #
pankso@15914 355 # pcsc: Use PC/SC and SIM/USIM card
pankso@15914 356 #
pankso@15914 357 # realm: Home Realm for Interworking
pankso@15914 358 #
pankso@15914 359 # username: Username for Interworking network selection
pankso@15914 360 #
pankso@15914 361 # password: Password for Interworking network selection
pankso@15914 362 #
pankso@15914 363 # ca_cert: CA certificate for Interworking network selection
pankso@15914 364 #
pankso@15914 365 # client_cert: File path to client certificate file (PEM/DER)
pankso@15914 366 # This field is used with Interworking networking selection for a case
pankso@15914 367 # where client certificate/private key is used for authentication
pankso@15914 368 # (EAP-TLS). Full path to the file should be used since working
pankso@15914 369 # directory may change when wpa_supplicant is run in the background.
pankso@15914 370 #
pankso@15914 371 # Alternatively, a named configuration blob can be used by setting
pankso@15914 372 # this to blob://blob_name.
pankso@15914 373 #
pankso@15914 374 # private_key: File path to client private key file (PEM/DER/PFX)
pankso@15914 375 # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
pankso@15914 376 # commented out. Both the private key and certificate will be read
pankso@15914 377 # from the PKCS#12 file in this case. Full path to the file should be
pankso@15914 378 # used since working directory may change when wpa_supplicant is run
pankso@15914 379 # in the background.
pankso@15914 380 #
pankso@15914 381 # Windows certificate store can be used by leaving client_cert out and
pankso@15914 382 # configuring private_key in one of the following formats:
pankso@15914 383 #
pankso@15914 384 # cert://substring_to_match
pankso@15914 385 #
pankso@15914 386 # hash://certificate_thumbprint_in_hex
pankso@15914 387 #
pankso@15914 388 # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
pankso@15914 389 #
pankso@15914 390 # Note that when running wpa_supplicant as an application, the user
pankso@15914 391 # certificate store (My user account) is used, whereas computer store
pankso@15914 392 # (Computer account) is used when running wpasvc as a service.
pankso@15914 393 #
pankso@15914 394 # Alternatively, a named configuration blob can be used by setting
pankso@15914 395 # this to blob://blob_name.
pankso@15914 396 #
pankso@15914 397 # private_key_passwd: Password for private key file
pankso@15914 398 #
pankso@15914 399 # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
pankso@15914 400 #
pankso@15914 401 # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
pankso@15914 402 # format
pankso@15914 403 #
pankso@15914 404 # domain: Home service provider FQDN(s)
pankso@15914 405 # This is used to compare against the Domain Name List to figure out
pankso@15914 406 # whether the AP is operated by the Home SP. Multiple domain entries can
pankso@15914 407 # be used to configure alternative FQDNs that will be considered home
pankso@15914 408 # networks.
pankso@15914 409 #
pankso@15914 410 # roaming_consortium: Roaming Consortium OI
pankso@15914 411 # If roaming_consortium_len is non-zero, this field contains the
pankso@15914 412 # Roaming Consortium OI that can be used to determine which access
pankso@15914 413 # points support authentication with this credential. This is an
pankso@15914 414 # alternative to the use of the realm parameter. When using Roaming
pankso@15914 415 # Consortium to match the network, the EAP parameters need to be
pankso@15914 416 # pre-configured with the credential since the NAI Realm information
pankso@15914 417 # may not be available or fetched.
pankso@15914 418 #
pankso@15914 419 # eap: Pre-configured EAP method
pankso@15914 420 # This optional field can be used to specify which EAP method will be
pankso@15914 421 # used with this credential. If not set, the EAP method is selected
pankso@15914 422 # automatically based on ANQP information (e.g., NAI Realm).
pankso@15914 423 #
pankso@15914 424 # phase1: Pre-configure Phase 1 (outer authentication) parameters
pankso@15914 425 # This optional field is used like the 'eap' parameter.
pankso@15914 426 #
pankso@15914 427 # phase2: Pre-configure Phase 2 (inner authentication) parameters
pankso@15914 428 # This optional field is used like the 'eap' parameter.
pankso@15914 429 #
pankso@15914 430 # excluded_ssid: Excluded SSID
pankso@15914 431 # This optional field can be used to exclude specific SSID(s) from
pankso@15914 432 # matching with the network. Multiple entries can be used to specify more
pankso@15914 433 # than one SSID.
pankso@15914 434 #
pankso@15914 435 # for example:
pankso@15914 436 #
pankso@15914 437 #cred={
pankso@15914 438 # realm="example.com"
pankso@15914 439 # username="user@example.com"
pankso@15914 440 # password="password"
pankso@15914 441 # ca_cert="/etc/wpa_supplicant/ca.pem"
pankso@15914 442 # domain="example.com"
pankso@15914 443 #}
pankso@15914 444 #
pankso@15914 445 #cred={
pankso@15914 446 # imsi="310026-000000000"
pankso@15914 447 # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
pankso@15914 448 #}
pankso@15914 449 #
pankso@15914 450 #cred={
pankso@15914 451 # realm="example.com"
pankso@15914 452 # username="user"
pankso@15914 453 # password="password"
pankso@15914 454 # ca_cert="/etc/wpa_supplicant/ca.pem"
pankso@15914 455 # domain="example.com"
pankso@15914 456 # roaming_consortium=223344
pankso@15914 457 # eap=TTLS
pankso@15914 458 # phase2="auth=MSCHAPV2"
pankso@15914 459 #}
pankso@15914 460
pankso@15914 461 # Hotspot 2.0
pankso@15914 462 # hs20=1
pankso@15914 463
pankso@15914 464 # network block
pankso@15914 465 #
pankso@15914 466 # Each network (usually APs sharing the same SSID) is configured as a separate
pankso@15914 467 # block in this configuration file. The network blocks are in preference order
pankso@15914 468 # (the first match is used).
pankso@15914 469 #
pankso@15914 470 # network block fields:
pankso@15914 471 #
pankso@15914 472 # disabled:
pankso@15914 473 # 0 = this network can be used (default)
pankso@15914 474 # 1 = this network block is disabled (can be enabled through ctrl_iface,
pankso@15914 475 # e.g., with wpa_cli or wpa_gui)
pankso@15914 476 #
pankso@15914 477 # id_str: Network identifier string for external scripts. This value is passed
pankso@15914 478 # to external action script through wpa_cli as WPA_ID_STR environment
pankso@15914 479 # variable to make it easier to do network specific configuration.
pankso@15914 480 #
pankso@15914 481 # ssid: SSID (mandatory); network name in one of the optional formats:
pankso@15914 482 # - an ASCII string with double quotation
pankso@15914 483 # - a hex string (two characters per octet of SSID)
pankso@15914 484 # - a printf-escaped ASCII string P"<escaped string>"
pankso@15914 485 #
pankso@15914 486 # scan_ssid:
pankso@15914 487 # 0 = do not scan this SSID with specific Probe Request frames (default)
pankso@15914 488 # 1 = scan with SSID-specific Probe Request frames (this can be used to
pankso@15914 489 # find APs that do not accept broadcast SSID or use multiple SSIDs;
pankso@15914 490 # this will add latency to scanning, so enable this only when needed)
pankso@15914 491 #
pankso@15914 492 # bssid: BSSID (optional); if set, this network block is used only when
pankso@15914 493 # associating with the AP using the configured BSSID
pankso@15914 494 #
pankso@15914 495 # priority: priority group (integer)
pankso@15914 496 # By default, all networks will get same priority group (0). If some of the
pankso@15914 497 # networks are more desirable, this field can be used to change the order in
pankso@15914 498 # which wpa_supplicant goes through the networks when selecting a BSS. The
pankso@15914 499 # priority groups will be iterated in decreasing priority (i.e., the larger the
pankso@15914 500 # priority value, the sooner the network is matched against the scan results).
pankso@15914 501 # Within each priority group, networks will be selected based on security
pankso@15914 502 # policy, signal strength, etc.
pankso@15914 503 # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
pankso@15914 504 # using this priority to select the order for scanning. Instead, they try the
pankso@15914 505 # networks in the order in which they appear in the configuration file.
pankso@15914 506 #
pankso@15914 507 # mode: IEEE 802.11 operation mode
pankso@15914 508 # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
pankso@15914 509 # 1 = IBSS (ad-hoc, peer-to-peer)
pankso@15914 510 # 2 = AP (access point)
pankso@15914 511 # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
pankso@15914 512 # WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
pankso@15914 513 # TKIP/CCMP) is available for backwards compatibility, but its use is
pankso@15914 514 # deprecated. WPA-None requires following network block options:
pankso@15914 515 # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
pankso@15914 516 # both), and psk must also be set.
pankso@15914 517 #
pankso@15914 518 # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
pankso@15914 519 # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
pankso@15914 520 # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
pankso@15914 521 # In addition, this value is only used by the station that creates the IBSS. If
pankso@15914 522 # an IBSS network with the configured SSID is already present, the frequency of
pankso@15914 523 # the network will be used instead of this configured value.
pankso@15914 524 #
pankso@15914 525 # scan_freq: List of frequencies to scan
pankso@15914 526 # Space-separated list of frequencies in MHz to scan when searching for this
pankso@15914 527 # BSS. If the subset of channels used by the network is known, this option can
pankso@15914 528 # be used to optimize scanning to not occur on channels that the network does
pankso@15914 529 # not use. Example: scan_freq=2412 2437 2462
pankso@15914 530 #
pankso@15914 531 # freq_list: Array of allowed frequencies
pankso@15914 532 # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
pankso@15914 533 # set, scan results that do not match any of the specified frequencies are not
pankso@15914 534 # considered when selecting a BSS.
pankso@15914 535 #
pankso@15914 536 # This can also be set on the outside of the network block. In this case,
pankso@15914 537 # it limits the frequencies that will be scanned.
pankso@15914 538 #
pankso@15914 539 # bgscan: Background scanning
pankso@15914 540 # wpa_supplicant behavior for background scanning can be specified by
pankso@15914 541 # configuring a bgscan module. These modules are responsible for requesting
pankso@15914 542 # background scans for the purpose of roaming within an ESS (i.e., within a
pankso@15914 543 # single network block with all the APs using the same SSID). The bgscan
pankso@15914 544 # parameter uses following format: "<bgscan module name>:<module parameters>"
pankso@15914 545 # Following bgscan modules are available:
pankso@15914 546 # simple - Periodic background scans based on signal strength
pankso@15914 547 # bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
pankso@15914 548 # <long interval>"
pankso@15914 549 # bgscan="simple:30:-45:300"
pankso@15914 550 # learn - Learn channels used by the network and try to avoid bgscans on other
pankso@15914 551 # channels (experimental)
pankso@15914 552 # bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
pankso@15914 553 # <long interval>[:<database file name>]"
pankso@15914 554 # bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
pankso@15914 555 #
pankso@15914 556 # This option can also be set outside of all network blocks for the bgscan
pankso@15914 557 # parameter to apply for all the networks that have no specific bgscan
pankso@15914 558 # parameter.
pankso@15914 559 #
pankso@15914 560 # proto: list of accepted protocols
pankso@15914 561 # WPA = WPA/IEEE 802.11i/D3.0
pankso@15914 562 # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
pankso@15914 563 # If not set, this defaults to: WPA RSN
pankso@15914 564 #
pankso@15914 565 # key_mgmt: list of accepted authenticated key management protocols
pankso@15914 566 # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
pankso@15914 567 # WPA-EAP = WPA using EAP authentication
pankso@15914 568 # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
pankso@15914 569 # generated WEP keys
pankso@15914 570 # NONE = WPA is not used; plaintext or static WEP could be used
pankso@15914 571 # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
pankso@15914 572 # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
pankso@15914 573 # If not set, this defaults to: WPA-PSK WPA-EAP
pankso@15914 574 #
pankso@15914 575 # ieee80211w: whether management frame protection is enabled
pankso@15914 576 # 0 = disabled (default unless changed with the global pmf parameter)
pankso@15914 577 # 1 = optional
pankso@15914 578 # 2 = required
pankso@15914 579 # The most common configuration options for this based on the PMF (protected
pankso@15914 580 # management frames) certification program are:
pankso@15914 581 # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
pankso@15914 582 # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
pankso@15914 583 # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
pankso@15914 584 #
pankso@15914 585 # auth_alg: list of allowed IEEE 802.11 authentication algorithms
pankso@15914 586 # OPEN = Open System authentication (required for WPA/WPA2)
pankso@15914 587 # SHARED = Shared Key authentication (requires static WEP keys)
pankso@15914 588 # LEAP = LEAP/Network EAP (only used with LEAP)
pankso@15914 589 # If not set, automatic selection is used (Open System with LEAP enabled if
pankso@15914 590 # LEAP is allowed as one of the EAP methods).
pankso@15914 591 #
pankso@15914 592 # pairwise: list of accepted pairwise (unicast) ciphers for WPA
pankso@15914 593 # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
pankso@15914 594 # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
pankso@15914 595 # NONE = Use only Group Keys (deprecated, should not be included if APs support
pankso@15914 596 # pairwise keys)
pankso@15914 597 # If not set, this defaults to: CCMP TKIP
pankso@15914 598 #
pankso@15914 599 # group: list of accepted group (broadcast/multicast) ciphers for WPA
pankso@15914 600 # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
pankso@15914 601 # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
pankso@15914 602 # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
pankso@15914 603 # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
pankso@15914 604 # If not set, this defaults to: CCMP TKIP WEP104 WEP40
pankso@15914 605 #
pankso@15914 606 # psk: WPA preshared key; 256-bit pre-shared key
pankso@15914 607 # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
pankso@15914 608 # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
pankso@15914 609 # generated using the passphrase and SSID). ASCII passphrase must be between
pankso@15914 610 # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
pankso@15914 611 # be used to indicate that the PSK/passphrase is stored in external storage.
pankso@15914 612 # This field is not needed, if WPA-EAP is used.
pankso@15914 613 # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
pankso@15914 614 # from ASCII passphrase. This process uses a lot of CPU, and wpa_supplicant
pankso@15914 615 # startup and reconfiguration time can be optimized by generating the PSK
pankso@15914 616 # only when the passphrase or SSID has actually changed.
pankso@15914 617 #
pankso@15914 618 # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
pankso@15914 619 # Dynamic WEP key required for non-WPA mode
pankso@15914 620 # bit0 (1): require dynamically generated unicast WEP key
pankso@15914 621 # bit1 (2): require dynamically generated broadcast WEP key
pankso@15914 622 # (3 = require both keys; default)
pankso@15914 623 # Note: When using wired authentication, eapol_flags must be set to 0 for the
pankso@15914 624 # authentication to be completed successfully.
pankso@15914 625 #
pankso@15914 626 # mixed_cell: This option can be used to configure whether so called mixed
pankso@15914 627 # cells, i.e., networks that use both plaintext and encryption in the same
pankso@15914 628 # SSID, are allowed when selecting a BSS from scan results.
pankso@15914 629 # 0 = disabled (default)
pankso@15914 630 # 1 = enabled
pankso@15914 631 #
pankso@15914 632 # proactive_key_caching:
pankso@15914 633 # Enable/disable opportunistic PMKSA caching for WPA2.
pankso@15914 634 # 0 = disabled (default unless changed with the global okc parameter)
pankso@15914 635 # 1 = enabled
pankso@15914 636 #
pankso@15914 637 # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
pankso@15914 638 # hex without quotation, e.g., 0102030405)
pankso@15914 639 # wep_tx_keyidx: Default WEP key index (TX) (0..3)
pankso@15914 640 #
pankso@15914 641 # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
pankso@15914 642 # allowed. This is only used with RSN/WPA2.
pankso@15914 643 # 0 = disabled (default)
pankso@15914 644 # 1 = enabled
pankso@15914 645 #peerkey=1
pankso@15914 646 #
pankso@15914 647 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
pankso@15914 648 # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
pankso@15914 649 #
pankso@15914 650 # Following fields are only used with internal EAP implementation.
pankso@15914 651 # eap: space-separated list of accepted EAP methods
pankso@15914 652 # MD5 = EAP-MD5 (insecure and does not generate keying material ->
pankso@15914 653 # cannot be used with WPA; to be used as a Phase 2 method
pankso@15914 654 # with EAP-PEAP or EAP-TTLS)
pankso@15914 655 # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
pankso@15914 656 # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
pankso@15914 657 # OTP = EAP-OTP (cannot be used separately with WPA; to be used
pankso@15914 658 # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
pankso@15914 659 # GTC = EAP-GTC (cannot be used separately with WPA; to be used
pankso@15914 660 # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
pankso@15914 661 # TLS = EAP-TLS (client and server certificate)
pankso@15914 662 # PEAP = EAP-PEAP (with tunnelled EAP authentication)
pankso@15914 663 # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
pankso@15914 664 # authentication)
pankso@15914 665 # If not set, all compiled in methods are allowed.
pankso@15914 666 #
pankso@15914 667 # identity: Identity string for EAP
pankso@15914 668 # This field is also used to configure user NAI for
pankso@15914 669 # EAP-PSK/PAX/SAKE/GPSK.
pankso@15914 670 # anonymous_identity: Anonymous identity string for EAP (to be used as the
pankso@15914 671 # unencrypted identity with EAP types that support different tunnelled
pankso@15914 672 # identity, e.g., EAP-TTLS). This field can also be used with
pankso@15914 673 # EAP-SIM/AKA/AKA' to store the pseudonym identity.
pankso@15914 674 # password: Password string for EAP. This field can include either the
pankso@15914 675 # plaintext password (using ASCII or hex string) or a NtPasswordHash
pankso@15914 676 # (16-byte MD4 hash of password) in hash:<32 hex digits> format.
pankso@15914 677 # NtPasswordHash can only be used when the password is for MSCHAPv2 or
pankso@15914 678 # MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
pankso@15914 679 # EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
pankso@15914 680 # PSK) is also configured using this field. For EAP-GPSK, this is a
pankso@15914 681 # variable length PSK. ext:<name of external password field> format can
pankso@15914 682 # be used to indicate that the password is stored in external storage.
pankso@15914 683 # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
pankso@15914 684 # or more trusted CA certificates. If ca_cert and ca_path are not
pankso@15914 685 # included, server certificate will not be verified. This is insecure and
pankso@15914 686 # a trusted CA certificate should always be configured when using
pankso@15914 687 # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
pankso@15914 688 # change when wpa_supplicant is run in the background.
pankso@15914 689 #
pankso@15914 690 # Alternatively, this can be used to only perform matching of the server
pankso@15914 691 # certificate (SHA-256 hash of the DER encoded X.509 certificate). In
pankso@15914 692 # this case, the possible CA certificates in the server certificate chain
pankso@15914 693 # are ignored and only the server certificate is verified. This is
pankso@15914 694 # configured with the following format:
pankso@15914 695 # hash://server/sha256/cert_hash_in_hex
pankso@15914 696 # For example: "hash://server/sha256/
pankso@15914 697 # 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
pankso@15914 698 #
pankso@15914 699 # On Windows, trusted CA certificates can be loaded from the system
pankso@15914 700 # certificate store by setting this to cert_store://<name>, e.g.,
pankso@15914 701 # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
pankso@15914 702 # Note that when running wpa_supplicant as an application, the user
pankso@15914 703 # certificate store (My user account) is used, whereas computer store
pankso@15914 704 # (Computer account) is used when running wpasvc as a service.
pankso@15914 705 # ca_path: Directory path for CA certificate files (PEM). This path may
pankso@15914 706 # contain multiple CA certificates in OpenSSL format. Common use for this
pankso@15914 707 # is to point to system trusted CA list which is often installed into
pankso@15914 708 # directory like /etc/ssl/certs. If configured, these certificates are
pankso@15914 709 # added to the list of trusted CAs. ca_cert may also be included in that
pankso@15914 710 # case, but it is not required.
pankso@15914 711 # client_cert: File path to client certificate file (PEM/DER)
pankso@15914 712 # Full path should be used since working directory may change when
pankso@15914 713 # wpa_supplicant is run in the background.
pankso@15914 714 # Alternatively, a named configuration blob can be used by setting this
pankso@15914 715 # to blob://<blob name>.
pankso@15914 716 # private_key: File path to client private key file (PEM/DER/PFX)
pankso@15914 717 # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
pankso@15914 718 # commented out. Both the private key and certificate will be read from
pankso@15914 719 # the PKCS#12 file in this case. Full path should be used since working
pankso@15914 720 # directory may change when wpa_supplicant is run in the background.
pankso@15914 721 # Windows certificate store can be used by leaving client_cert out and
pankso@15914 722 # configuring private_key in one of the following formats:
pankso@15914 723 # cert://substring_to_match
pankso@15914 724 # hash://certificate_thumbprint_in_hex
pankso@15914 725 # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
pankso@15914 726 # Note that when running wpa_supplicant as an application, the user
pankso@15914 727 # certificate store (My user account) is used, whereas computer store
pankso@15914 728 # (Computer account) is used when running wpasvc as a service.
pankso@15914 729 # Alternatively, a named configuration blob can be used by setting this
pankso@15914 730 # to blob://<blob name>.
pankso@15914 731 # private_key_passwd: Password for private key file (if left out, this will be
pankso@15914 732 # asked through control interface)
pankso@15914 733 # dh_file: File path to DH/DSA parameters file (in PEM format)
pankso@15914 734 # This is an optional configuration file for setting parameters for an
pankso@15914 735 # ephemeral DH key exchange. In most cases, the default RSA
pankso@15914 736 # authentication does not use this configuration. However, it is possible
pankso@15914 737 # to set up RSA to use ephemeral DH key exchange. In addition, ciphers with
pankso@15914 738 # DSA keys always use ephemeral DH keys. This can be used to achieve
pankso@15914 739 # forward secrecy. If the file is in DSA parameters format, it will be
pankso@15914 740 # automatically converted into DH params.
pankso@15914 741 # subject_match: Substring to be matched against the subject of the
pankso@15914 742 # authentication server certificate. If this string is set, the server
pankso@15914 743 # certificate is only accepted if it contains this string in the subject.
pankso@15914 744 # The subject string is in following format:
pankso@15914 745 # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
pankso@15914 746 # altsubject_match: Semicolon separated string of entries to be matched against
pankso@15914 747 # the alternative subject name of the authentication server certificate.
pankso@15914 748 # If this string is set, the server certificate is only accepted if it
pankso@15914 749 # contains one of the entries in an alternative subject name extension.
pankso@15914 750 # altSubjectName string is in following format: TYPE:VALUE
pankso@15914 751 # Example: EMAIL:server@example.com
pankso@15914 752 # Example: DNS:server.example.com;DNS:server2.example.com
pankso@15914 753 # Following types are supported: EMAIL, DNS, URI
pankso@15914 754 # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
pankso@15914 755 # (string with field-value pairs, e.g., "peapver=0" or
pankso@15914 756 # "peapver=1 peaplabel=1")
pankso@15914 757 # 'peapver' can be used to force which PEAP version (0 or 1) is used.
pankso@15914 758 # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
pankso@15914 759 # to be used during key derivation when PEAPv1 or newer. Most existing
pankso@15914 760 # PEAPv1 implementation seem to be using the old label, "client EAP
pankso@15914 761 # encryption", and wpa_supplicant is now using that as the default value.
pankso@15914 762 # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
pankso@15914 763 # interoperate with PEAPv1; see eap_testing.txt for more details.
pankso@15914 764 # 'peap_outer_success=0' can be used to terminate PEAP authentication on
pankso@15914 765 # tunneled EAP-Success. This is required with some RADIUS servers that
pankso@15914 766 # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
pankso@15914 767 # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
pankso@15914 768 # include_tls_length=1 can be used to force wpa_supplicant to include
pankso@15914 769 # TLS Message Length field in all TLS messages even if they are not
pankso@15914 770 # fragmented.
pankso@15914 771 # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
pankso@15914 772 # challenges (by default, it accepts 2 or 3)
pankso@15914 773 # result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
pankso@15914 774 # protected result indication.
pankso@15914 775 # 'crypto_binding' option can be used to control PEAPv0 cryptobinding
pankso@15914 776 # behavior:
pankso@15914 777 # * 0 = do not use cryptobinding (default)
pankso@15914 778 # * 1 = use cryptobinding if server supports it
pankso@15914 779 # * 2 = require cryptobinding
pankso@15914 780 # EAP-WSC (WPS) uses following options: pin=<Device Password> or
pankso@15914 781 # pbc=1.
pankso@15914 782 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
pankso@15914 783 # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
pankso@15914 784 # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
pankso@15914 785 #
pankso@15914 786 # TLS-based methods can use the following parameters to control TLS behavior
pankso@15914 787 # (these are normally in the phase1 parameter, but can be used also in the
pankso@15914 788 # phase2 parameter when EAP-TLS is used within the inner tunnel):
pankso@15914 789 # tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
pankso@15914 790 # TLS library, these may be disabled by default to enforce stronger
pankso@15914 791 # security)
pankso@15914 792 # tls_disable_time_checks=1 - ignore certificate validity time (this requests
pankso@15914 793 # the TLS library to accept certificates even if they are not currently
pankso@15914 794 # valid, i.e., have expired or have not yet become valid; this should be
pankso@15914 795 # used only for testing purposes)
pankso@15914 796 # tls_disable_session_ticket=1 - disable TLS Session Ticket extension
pankso@15914 797 # tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
pankso@15914 798 # Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
pankso@15914 799 # as a workaround for broken authentication server implementations unless
pankso@15914 800 # EAP workarounds are disabled with eap_workaround=0.
pankso@15914 801 # For EAP-FAST, this must be set to 0 (or left unconfigured for the
pankso@15914 802 # default value to be used automatically).
pankso@15914 803 #
pankso@15914 804 # Following certificate/private key fields are used in inner Phase2
pankso@15914 805 # authentication when using EAP-TTLS or EAP-PEAP.
pankso@15914 806 # ca_cert2: File path to CA certificate file. This file can have one or more
pankso@15914 807 # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
pankso@15914 808 # server certificate will not be verified. This is insecure and a trusted
pankso@15914 809 # CA certificate should always be configured.
pankso@15914 810 # ca_path2: Directory path for CA certificate files (PEM)
pankso@15914 811 # client_cert2: File path to client certificate file
pankso@15914 812 # private_key2: File path to client private key file
pankso@15914 813 # private_key2_passwd: Password for private key file
pankso@15914 814 # dh_file2: File path to DH/DSA parameters file (in PEM format)
pankso@15914 815 # subject_match2: Substring to be matched against the subject of the
pankso@15914 816 # authentication server certificate.
pankso@15914 817 # altsubject_match2: Substring to be matched against the alternative subject
pankso@15914 818 # name of the authentication server certificate.
pankso@15914 819 #
pankso@15914 820 # fragment_size: Maximum EAP fragment size in bytes (default 1398).
pankso@15914 821 # This value limits the fragment size for EAP methods that support
pankso@15914 822 # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
pankso@15914 823 # small enough to make the EAP messages fit in MTU of the network
pankso@15914 824 # interface used for EAPOL. The default value is suitable for most
pankso@15914 825 # cases.
pankso@15914 826 #
pankso@15914 827 # ocsp: Whether to use/require OCSP to check server certificate
pankso@15914 828 # 0 = do not use OCSP stapling (TLS certificate status extension)
pankso@15914 829 # 1 = try to use OCSP stapling, but not require response
pankso@15914 830 # 2 = require valid OCSP stapling response
pankso@15914 831 #
pankso@15914 832 # EAP-FAST variables:
pankso@15914 833 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
pankso@15914 834 # to create this file and write updates to it when PAC is being
pankso@15914 835 # provisioned or refreshed. Full path to the file should be used since
pankso@15914 836 # working directory may change when wpa_supplicant is run in the
pankso@15914 837 # background. Alternatively, a named configuration blob can be used by
pankso@15914 838 # setting this to blob://<blob name>
pankso@15914 839 # phase1: fast_provisioning option can be used to enable in-line provisioning
pankso@15914 840 # of EAP-FAST credentials (PAC):
pankso@15914 841 # 0 = disabled,
pankso@15914 842 # 1 = allow unauthenticated provisioning,
pankso@15914 843 # 2 = allow authenticated provisioning,
pankso@15914 844 # 3 = allow both unauthenticated and authenticated provisioning
pankso@15914 845 # fast_max_pac_list_len=<num> option can be used to set the maximum
pankso@15914 846 # number of PAC entries to store in a PAC list (default: 10)
pankso@15914 847 # fast_pac_format=binary option can be used to select binary format for
pankso@15914 848 # storing PAC entries in order to save some space (the default
pankso@15914 849 # text format uses about 2.5 times the size of minimal binary
pankso@15914 850 # format)
pankso@15914 851 #
pankso@15914 852 # wpa_supplicant supports a number of "EAP workarounds" to work around
pankso@15914 853 # interoperability issues with incorrectly behaving authentication servers.
pankso@15914 854 # These are enabled by default because some of the issues are present in large
pankso@15914 855 # number of authentication servers. Strict EAP conformance mode can be
pankso@15914 856 # configured by disabling workarounds with eap_workaround=0.
pankso@15914 857
pankso@15914 858 # Station inactivity limit
pankso@15914 859 #
pankso@15914 860 # If a station does not send anything in ap_max_inactivity seconds, an
pankso@15914 861 # empty data frame is sent to it in order to verify whether it is
pankso@15914 862 # still in range. If this frame is not ACKed, the station will be
pankso@15914 863 # disassociated and then deauthenticated. This feature is used to
pankso@15914 864 # clear station table of old entries when the STAs move out of the
pankso@15914 865 # range.
pankso@15914 866 #
pankso@15914 867 # The station can associate again with the AP if it is still in range;
pankso@15914 868 # this inactivity poll is just used as a nicer way of verifying
pankso@15914 869 # inactivity; i.e., client will not report broken connection because
pankso@15914 870 # disassociation frame is not sent immediately without first polling
pankso@15914 871 # the STA with a data frame.
pankso@15914 872 # default: 300 (i.e., 5 minutes)
pankso@15914 873 #ap_max_inactivity=300
pankso@15914 874
pankso@15914 875 # DTIM period in Beacon intervals for AP mode (default: 2)
pankso@15914 876 #dtim_period=2
pankso@15914 877
pankso@15914 878 # Beacon interval (default: 100 TU)
pankso@15914 879 #beacon_int=100
pankso@15914 880
pankso@15914 881 # disable_ht: Whether HT (802.11n) should be disabled.
pankso@15914 882 # 0 = HT enabled (if AP supports it)
pankso@15914 883 # 1 = HT disabled
pankso@15914 884 #
pankso@15914 885 # disable_ht40: Whether HT-40 (802.11n) should be disabled.
pankso@15914 886 # 0 = HT-40 enabled (if AP supports it)
pankso@15914 887 # 1 = HT-40 disabled
pankso@15914 888 #
pankso@15914 889 # disable_sgi: Whether SGI (short guard interval) should be disabled.
pankso@15914 890 # 0 = SGI enabled (if AP supports it)
pankso@15914 891 # 1 = SGI disabled
pankso@15914 892 #
pankso@15914 893 # ht_mcs: Configure allowed MCS rates.
pankso@15914 894 # Parsed as an array of bytes, in base-16 (ascii-hex)
pankso@15914 895 # ht_mcs="" // Use all available (default)
pankso@15914 896 # ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only
pankso@15914 897 # ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only
pankso@15914 898 #
pankso@15914 899 # disable_max_amsdu: Whether MAX_AMSDU should be disabled.
pankso@15914 900 # -1 = Do not make any changes.
pankso@15914 901 # 0 = Enable MAX-AMSDU if hardware supports it.
pankso@15914 902 # 1 = Disable AMSDU
pankso@15914 903 #
pankso@15914 904 # ampdu_density: Allow overriding AMPDU density configuration.
pankso@15914 905 # Treated as hint by the kernel.
pankso@15914 906 # -1 = Do not make any changes.
pankso@15914 907 # 0-3 = Set AMPDU density (aka factor) to specified value.
pankso@15914 908
pankso@15914 909 # disable_vht: Whether VHT should be disabled.
pankso@15914 910 # 0 = VHT enabled (if AP supports it)
pankso@15914 911 # 1 = VHT disabled
pankso@15914 912 #
pankso@15914 913 # vht_capa: VHT capabilities to set in the override
pankso@15914 914 # vht_capa_mask: mask of VHT capabilities
pankso@15914 915 #
pankso@15914 916 # vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
pankso@15914 917 # vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
pankso@15914 918 # 0: MCS 0-7
pankso@15914 919 # 1: MCS 0-8
pankso@15914 920 # 2: MCS 0-9
pankso@15914 921 # 3: not supported
pankso@15914 922
pankso@15914 923 # Example blocks:
pankso@15914 924
pankso@15914 925 # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
pankso@15914 926 network={
# With proto, pairwise and group unset, the defaults listed in this file apply
# (proto=WPA RSN, pairwise=CCMP TKIP, group=CCMP TKIP WEP104 WEP40), so this
# block also accepts APs that use TKIP or a WEP group cipher. Where the AP
# supports it, set proto=RSN, pairwise=CCMP and group=CCMP explicitly.
pankso@15914 927 ssid="simple"
# ASCII passphrase (8..63 characters) stored in cleartext: keep this file
# readable by root only, or use the ext:<name> form to keep the secret in
# external storage.
pankso@15914 928 psk="very secret passphrase"
pankso@15914 929 priority=5
pankso@15914 930 }
pankso@15914 931
pankso@15914 932 # Same as previous, but request SSID-specific scanning (for APs that reject
pankso@15914 933 # broadcast SSID)
pankso@15914 934 network={
pankso@15914 935 ssid="second ssid"
# scan_ssid=1 requests SSID-specific scanning, i.e. the client names this SSID
# in its probe requests. That discloses the network name wherever the client
# scans, so enable it only for APs that really do not answer broadcast probes.
pankso@15914 936 scan_ssid=1
# Cleartext passphrase; restrict read access to this file.
pankso@15914 937 psk="very secret passphrase"
pankso@15914 938 priority=2
pankso@15914 939 }
pankso@15914 940
pankso@15914 941 # Only WPA-PSK is used. Any valid cipher combination is accepted.
pankso@15914 942 network={
pankso@15914 943 ssid="example"
# proto=WPA restricts this block to WPA/IEEE 802.11i/D3.0; RSN (WPA2) APs are
# not accepted.
pankso@15914 944 proto=WPA
pankso@15914 945 key_mgmt=WPA-PSK
pankso@15914 946 pairwise=CCMP TKIP
# The group list still admits WEP104/WEP40 for broadcast/multicast traffic;
# remove them unless a legacy AP requires a WEP group cipher.
pankso@15914 947 group=CCMP TKIP WEP104 WEP40
# 64 hex digits = the raw 256-bit PSK. This is the sample value from the
# example file: generate your own (e.g. with wpa_passphrase) and never deploy
# the sample.
pankso@15914 948 psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
pankso@15914 949 priority=2
pankso@15914 950 }
pankso@15914 951
pankso@15914 952 # WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
pankso@15914 953 network={
# Legacy profile: WPA with TKIP for both pairwise and group traffic.
pankso@15914 954 ssid="example"
pankso@15914 955 proto=WPA
pankso@15914 956 key_mgmt=WPA-PSK
pankso@15914 957 pairwise=TKIP
pankso@15914 958 group=TKIP
pankso@15914 959 psk="not so secure passphrase"
# Caps the PTK lifetime at 600 seconds. Forced rekeying only mitigates some
# attacks against TKIP deficiencies; it does not remove them, so prefer
# proto=RSN with CCMP whenever the AP allows it.
pankso@15914 960 wpa_ptk_rekey=600
pankso@15914 961 }
pankso@15914 962
pankso@15914 963 # Only WPA-EAP is used. Both CCMP and TKIP are accepted. An AP that uses WEP104
pankso@15914 964 # or WEP40 as the group cipher will not be accepted.
pankso@15914 965 network={
pankso@15914 966 ssid="example"
pankso@15914 967 proto=RSN
pankso@15914 968 key_mgmt=WPA-EAP
pankso@15914 969 pairwise=CCMP TKIP
pankso@15914 970 group=CCMP TKIP
pankso@15914 971 eap=TLS
pankso@15914 972 identity="user@example.com"
# ca_cert is set, so the server certificate is verified against this CA.
# Neither subject_match nor altsubject_match is set, so the certificate name is
# not checked: add one of them to bind the profile to the expected
# authentication server rather than to every certificate this CA has issued.
pankso@15914 973 ca_cert="/etc/cert/ca.pem"
pankso@15914 974 client_cert="/etc/cert/user.pem"
pankso@15914 975 private_key="/etc/cert/user.prv"
# Stored in cleartext next to the key path. If private_key_passwd is left out,
# the password is asked through the control interface instead.
pankso@15914 976 private_key_passwd="password"
pankso@15914 977 priority=1
pankso@15914 978 }
pankso@15914 979
pankso@15914 980 # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
pankso@15914 981 # (e.g., Radiator)
pankso@15914 982 network={
pankso@15914 983 ssid="example"
pankso@15914 984 key_mgmt=WPA-EAP
pankso@15914 985 eap=PEAP
pankso@15914 986 identity="user@example.com"
# Cleartext password. The hash:<32 hex digits> NtPasswordHash form avoids
# storing the password itself, but the hash is all MSCHAPv2 needs to
# authenticate, so it must be protected just as carefully.
pankso@15914 987 password="foobar"
# Required for server verification: without ca_cert/ca_path the server
# certificate is not verified. subject_match/altsubject_match are not set here;
# add one to restrict which server certificate is accepted.
pankso@15914 988 ca_cert="/etc/cert/ca.pem"
# crypto_binding is not given, so its default (0 = do not use PEAPv0
# cryptobinding) applies; "crypto_binding=2" in phase1 would require it.
pankso@15914 989 phase1="peaplabel=1"
pankso@15914 990 phase2="auth=MSCHAPV2"
pankso@15914 991 priority=10
pankso@15914 992 }
pankso@15914 993
pankso@15914 994 # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
pankso@15914 995 # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
pankso@15914 996 network={
pankso@15914 997 ssid="example"
pankso@15914 998 key_mgmt=WPA-EAP
pankso@15914 999 eap=TTLS
# identity and password are the inner (tunnelled) credentials; the value of
# anonymous_identity is what is sent unencrypted.
pankso@15914 1000 identity="user@example.com"
pankso@15914 1001 anonymous_identity="anonymous@example.com"
pankso@15914 1002 password="foobar"
# EAP-MD5 is insecure on its own and generates no keying material, so all of
# its protection here comes from the TLS tunnel. That tunnel is only
# trustworthy because ca_cert is set; never drop it from this profile.
pankso@15914 1003 ca_cert="/etc/cert/ca.pem"
pankso@15914 1004 priority=2
pankso@15914 1005 }
pankso@15914 1006
pankso@15914 1007 # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
pankso@15914 1008 # use. Real identity is sent only within an encrypted TLS tunnel.
pankso@15914 1009 network={
pankso@15914 1010 ssid="example"
pankso@15914 1011 key_mgmt=WPA-EAP
pankso@15914 1012 eap=TTLS
pankso@15914 1013 identity="user@example.com"
# Outer identity sent before the tunnel exists; keep it free of the real user
# name.
pankso@15914 1014 anonymous_identity="anonymous@example.com"
# Cleartext password; restrict read access to this file.
pankso@15914 1015 password="foobar"
# Server certificate is verified against this CA. Add subject_match or
# altsubject_match to accept only the expected authentication server.
pankso@15914 1016 ca_cert="/etc/cert/ca.pem"
pankso@15914 1017 phase2="auth=MSCHAPV2"
pankso@15914 1018 }
pankso@15914 1019
pankso@15914 1020 # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
pankso@15914 1021 # authentication.
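pankso@15914 1022 network={
pankso@15914 1023 ssid="example"
pankso@15914 1024 key_mgmt=WPA-EAP
pankso@15914 1025 eap=TTLS
pankso@15914 1026 # Phase1 / outer authentication
pankso@15914 1027 anonymous_identity="anonymous@example.com"
# Verifies the TTLS server certificate (outer tunnel).
pankso@15914 1028 ca_cert="/etc/cert/ca.pem"
pankso@15914 1029 # Phase 2 / inner authentication
pankso@15914 1030 phase2="autheap=TLS"
# Verifies the server certificate of the inner EAP-TLS exchange. If ca_cert2
# and ca_path2 are both left out, that certificate is not verified.
pankso@15914 1031 ca_cert2="/etc/cert/ca2.pem"
# Paths use /etc/cert/ like the CA files in this block (the original example
# had /etc/cer/, which looks like a typo).
pankso@15914 1032 client_cert2="/etc/cert/user.pem"
pankso@15914 1033 private_key2="/etc/cert/user.prv"
# Cleartext key password; restrict read access to this file.
pankso@15914 1034 private_key2_passwd="password"
pankso@15914 1035 priority=2
pankso@15914 1036 }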
pankso@15914 1037
pankso@15914 1038 # Both WPA-PSK and WPA-EAP are accepted. Only CCMP is accepted as pairwise and
pankso@15914 1039 # group cipher.
pankso@15914 1040 network={
pankso@15914 1041 ssid="example"
# bssid narrows selection to one AP address. It is a selection filter only;
# the AP is still authenticated through the PSK or EAP exchange.
pankso@15914 1042 bssid=00:11:22:33:44:55
pankso@15914 1043 proto=WPA RSN
pankso@15914 1044 key_mgmt=WPA-PSK WPA-EAP
# CCMP only: APs offering just TKIP or WEP ciphers are not accepted.
pankso@15914 1045 pairwise=CCMP
pankso@15914 1046 group=CCMP
# Sample 256-bit PSK from the example file; replace it before use.
pankso@15914 1047 psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
pankso@15914 1048 }
pankso@15914 1049
pankso@15914 1050 # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
pankso@15914 1051 # and all valid ciphers.
pankso@15914 1052 network={
# Unquoted value = hex string, used because the SSID has special characters.
# proto, key_mgmt, pairwise and group are unset, so the defaults apply,
# including TKIP and the WEP group ciphers.
pankso@15914 1053 ssid=00010203
# Sequential sample bytes, a placeholder only; a real PSK must be generated
# from a strong passphrase or random data.
pankso@15914 1054 psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
pankso@15914 1055 }
pankso@15914 1056
pankso@15914 1057
pankso@15914 1058 # EAP-SIM with a GSM SIM or USIM
pankso@15914 1059 network={
pankso@15914 1060 ssid="eap-sim-test"
pankso@15914 1061 key_mgmt=WPA-EAP
pankso@15914 1062 eap=SIM
pankso@15914 1063 pin="1234"
pankso@15914 1064 pcsc=""
pankso@15914 1065 }
pankso@15914 1066
pankso@15914 1067
pankso@15914 1068 # EAP-PSK
pankso@15914 1069 network={
pankso@15914 1070 ssid="eap-psk-test"
pankso@15914 1071 key_mgmt=WPA-EAP
pankso@15914 1072 eap=PSK
pankso@15914 1073 anonymous_identity="eap_psk_user"
pankso@15914 1074 password=06b4be19da289f475aa46a33cb793029
pankso@15914 1075 identity="eap_psk_user@example.com"
pankso@15914 1076 }
pankso@15914 1077
pankso@15914 1078
pankso@15914 1079 # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
pankso@15914 1080 # EAP-TLS for authentication and key generation; require both unicast and
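pankso@15914 1081 # broadcast WEP keys. Dynamic keys shorten the lifetime of each WEP key but the cipher itself remains weak; prefer WPA2/RSN with CCMP where the network supports it.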
pankso@15914 1082 network={
pankso@15914 1083 ssid="1x-test"
pankso@15914 1084 key_mgmt=IEEE8021X
pankso@15914 1085 eap=TLS
pankso@15914 1086 identity="user@example.com"
pankso@15914 1087 ca_cert="/etc/cert/ca.pem"
pankso@15914 1088 client_cert="/etc/cert/user.pem"
pankso@15914 1089 private_key="/etc/cert/user.prv"
pankso@15914 1090 private_key_passwd="password"
pankso@15914 1091 eapol_flags=3
pankso@15914 1092 }
pankso@15914 1093
pankso@15914 1094
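pankso@15914 1095 # LEAP with dynamic WEP keys (legacy interoperability only: LEAP's MS-CHAP-based exchange is open to offline dictionary attacks and WEP is a weak cipher)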
pankso@15914 1096 network={
pankso@15914 1097 ssid="leap-example"
pankso@15914 1098 key_mgmt=IEEE8021X
pankso@15914 1099 eap=LEAP
pankso@15914 1100 identity="user"
pankso@15914 1101 password="foobar"
pankso@15914 1102 }
pankso@15914 1103
pankso@15914 1104 # EAP-IKEv2 using shared secrets for both server and peer authentication
pankso@15914 1105 network={
pankso@15914 1106 ssid="ikev2-example"
pankso@15914 1107 key_mgmt=WPA-EAP
pankso@15914 1108 eap=IKEV2
pankso@15914 1109 identity="user"
pankso@15914 1110 password="foobar"
pankso@15914 1111 }
pankso@15914 1112
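pankso@15914 1113 # EAP-FAST with WPA (WPA or WPA2). Note that fast_provisioning=1 allows unauthenticated PAC provisioning, i.e. the server is not verified during that step.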
pankso@15914 1114 network={
pankso@15914 1115 ssid="eap-fast-test"
pankso@15914 1116 key_mgmt=WPA-EAP
pankso@15914 1117 eap=FAST
pankso@15914 1118 anonymous_identity="FAST-000102030405"
pankso@15914 1119 identity="username"
pankso@15914 1120 password="password"
pankso@15914 1121 phase1="fast_provisioning=1"
pankso@15914 1122 pac_file="/etc/wpa_supplicant.eap-fast-pac"
pankso@15914 1123 }
pankso@15914 1124
pankso@15914 1125 network={
pankso@15914 1126 ssid="eap-fast-test"
pankso@15914 1127 key_mgmt=WPA-EAP
pankso@15914 1128 eap=FAST
pankso@15914 1129 anonymous_identity="FAST-000102030405"
pankso@15914 1130 identity="username"
pankso@15914 1131 password="password"
pankso@15914 1132 phase1="fast_provisioning=1"
pankso@15914 1133 pac_file="blob://eap-fast-pac"
pankso@15914 1134 }
pankso@15914 1135
pankso@15914 1136 # Plaintext connection (no WPA, no IEEE 802.1X)
pankso@15914 1137 network={
pankso@15914 1138 ssid="plaintext-test"
pankso@15914 1139 key_mgmt=NONE
pankso@15914 1140 }
pankso@15914 1141
pankso@15914 1142
pankso@15914 1143 # Shared WEP key connection (no WPA, no IEEE 802.1X); static WEP keys can be recovered from captured traffic, so use this only for legacy equipment
pankso@15914 1144 network={
pankso@15914 1145 ssid="static-wep-test"
pankso@15914 1146 key_mgmt=NONE
pankso@15914 1147 wep_key0="abcde"
pankso@15914 1148 wep_key1=0102030405
pankso@15914 1149 wep_key2="1234567890123"
pankso@15914 1150 wep_tx_keyidx=0
pankso@15914 1151 priority=5
pankso@15914 1152 }
pankso@15914 1153
pankso@15914 1154
pankso@15914 1155 # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
pankso@15914 1156 # IEEE 802.11 authentication (this adds no protection over open authentication with WEP)
pankso@15914 1157 network={
pankso@15914 1158 ssid="static-wep-test2"
pankso@15914 1159 key_mgmt=NONE
pankso@15914 1160 wep_key0="abcde"
pankso@15914 1161 wep_key1=0102030405
pankso@15914 1162 wep_key2="1234567890123"
pankso@15914 1163 wep_tx_keyidx=0
pankso@15914 1164 priority=5
pankso@15914 1165 auth_alg=SHARED
pankso@15914 1166 }
pankso@15914 1167
pankso@15914 1168
pankso@15914 1169 # IBSS/ad-hoc network with RSN
pankso@15914 1170 network={
pankso@15914 1171 ssid="ibss-rsn"
pankso@15914 1172 key_mgmt=WPA-PSK
pankso@15914 1173 proto=RSN
pankso@15914 1174 psk="12345678"
pankso@15914 1175 mode=1
pankso@15914 1176 frequency=2412
pankso@15914 1177 pairwise=CCMP
pankso@15914 1178 group=CCMP
pankso@15914 1179 }
pankso@15914 1180
pankso@15914 1181 # IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
pankso@15914 1182 network={
pankso@15914 1183 ssid="test adhoc"
pankso@15914 1184 mode=1
pankso@15914 1185 frequency=2412
pankso@15914 1186 proto=WPA
pankso@15914 1187 key_mgmt=WPA-NONE
pankso@15914 1188 pairwise=NONE
pankso@15914 1189 group=TKIP
pankso@15914 1190 psk="secret passphrase"
pankso@15914 1191 }
pankso@15914 1192
pankso@15914 1193
pankso@15914 1194 # Catch-all example that allows more or less all configuration modes; because NONE, WEP and TKIP are accepted, an unprotected AP using this SSID is also a valid match
pankso@15914 1195 network={
pankso@15914 1196 ssid="example"
pankso@15914 1197 scan_ssid=1
pankso@15914 1198 key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
pankso@15914 1199 pairwise=CCMP TKIP
pankso@15914 1200 group=CCMP TKIP WEP104 WEP40
pankso@15914 1201 psk="very secret passphrase"
pankso@15914 1202 eap=TTLS PEAP TLS
pankso@15914 1203 identity="user@example.com"
pankso@15914 1204 password="foobar"
pankso@15914 1205 ca_cert="/etc/cert/ca.pem"
pankso@15914 1206 client_cert="/etc/cert/user.pem"
pankso@15914 1207 private_key="/etc/cert/user.prv"
pankso@15914 1208 private_key_passwd="password"
pankso@15914 1209 phase1="peaplabel=0"
pankso@15914 1210 }
pankso@15914 1211
pankso@15914 1212 # Example of EAP-TLS with smartcard (openssl engine)
pankso@15914 1213 network={
pankso@15914 1214 ssid="example"
pankso@15914 1215 key_mgmt=WPA-EAP
pankso@15914 1216 eap=TLS
pankso@15914 1217 proto=RSN
pankso@15914 1218 pairwise=CCMP TKIP
pankso@15914 1219 group=CCMP TKIP
pankso@15914 1220 identity="user@example.com"
pankso@15914 1221 ca_cert="/etc/cert/ca.pem"
pankso@15914 1222 client_cert="/etc/cert/user.pem"
pankso@15914 1223
pankso@15914 1224 engine=1
pankso@15914 1225
pankso@15914 1226 # The engine configured here must be available. Look at
pankso@15914 1227 # OpenSSL engine support in the global section.
pankso@15914 1228 # The key available through the engine must be the private key
pankso@15914 1229 # matching the client certificate configured above.
pankso@15914 1230
pankso@15914 1231 # use the opensc engine
pankso@15914 1232 #engine_id="opensc"
pankso@15914 1233 #key_id="45"
pankso@15914 1234
pankso@15914 1235 # use the pkcs11 engine
pankso@15914 1236 engine_id="pkcs11"
pankso@15914 1237 key_id="id_45"
pankso@15914 1238
pankso@15914 1239 # Optional PIN configuration; this can be left out and the PIN will be
pankso@15914 1240 # asked through the control interface, which avoids storing it in this file
pankso@15914 1241 pin="1234"
pankso@15914 1242 }
pankso@15914 1243
pankso@15914 1244 # Example configuration showing how to use an inlined blob as CA certificate
pankso@15914 1245 # data instead of using an external file
pankso@15914 1246 network={
pankso@15914 1247 ssid="example"
pankso@15914 1248 key_mgmt=WPA-EAP
pankso@15914 1249 eap=TTLS
pankso@15914 1250 identity="user@example.com"
pankso@15914 1251 anonymous_identity="anonymous@example.com"
pankso@15914 1252 password="foobar"
pankso@15914 1253 ca_cert="blob://exampleblob"
pankso@15914 1254 priority=20
pankso@15914 1255 }
pankso@15914 1256
pankso@15914 1257 blob-base64-exampleblob={
pankso@15914 1258 SGVsbG8gV29ybGQhCg==
pankso@15914 1259 }
pankso@15914 1260
pankso@15914 1261
pankso@15914 1262 # Wildcard match for SSID (plaintext APs only). This example selects any
pankso@15914 1263 # open AP regardless of its SSID, so the client will join unauthenticated, unencrypted networks automatically.
pankso@15914 1264 network={
pankso@15914 1265 key_mgmt=NONE
pankso@15914 1266 }
pankso@15914 1267
pankso@15914 1268
pankso@15914 1269 # Example config file that will only scan on channel 36.
pankso@15914 1270 freq_list=5180
pankso@15914 1271 network={
pankso@15914 1272 key_mgmt=NONE
pankso@15914 1273 }