blob: 2f1e31b2a730bfe95bb542c32c06acae07fb1a89 [file] [log] [blame]
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001##### Example wpa_supplicant configuration file ###############################
2#
3# This file describes configuration file format and lists all available option.
4# Please also take a look at simpler configuration examples in 'examples'
5# subdirectory.
6#
7# Empty lines and lines starting with # are ignored
8
9# NOTE! This file may contain password information and should probably be made
10# readable only by root user on multiuser systems.
11
12# Note: All file paths in this configuration file should use full (absolute,
13# not relative to working directory) path in order to allow working directory
14# to be changed. This can happen if wpa_supplicant is run in the background.
15
16# Whether to allow wpa_supplicant to update (overwrite) configuration
17#
18# This option can be used to allow wpa_supplicant to overwrite configuration
19# file whenever configuration is changed (e.g., new network block is added with
20# wpa_cli or wpa_gui, or a password is changed). This is required for
21# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
22# Please note that overwriting configuration file will remove the comments from
23# it.
24#update_config=1
25
26# global configuration (shared by all network blocks)
27#
28# Parameters for the control interface. If this is specified, wpa_supplicant
29# will open a control interface that is available for external programs to
30# manage wpa_supplicant. The meaning of this string depends on which control
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -080031# interface mechanism is used. For all cases, the existence of this parameter
Dmitry Shmidt30f94812012-02-21 17:02:48 -080032# in configuration is used to determine whether the control interface is
33# enabled.
34#
35# For UNIX domain sockets (default on Linux and BSD): This is a directory that
36# will be created for UNIX domain sockets for listening to requests from
37# external programs (CLI/GUI, etc.) for status information and configuration.
38# The socket file will be named based on the interface name, so multiple
39# wpa_supplicant processes can be run at the same time if more than one
40# interface is used.
41# /var/run/wpa_supplicant is the recommended directory for sockets and by
42# default, wpa_cli will use it when trying to connect with wpa_supplicant.
43#
44# Access control for the control interface can be configured by setting the
45# directory to allow only members of a group to use sockets. This way, it is
46# possible to run wpa_supplicant as root (since it needs to change network
47# configuration and open raw sockets) and still allow GUI/CLI components to be
48# run as non-root users. However, since the control interface can be used to
49# change the network configuration, this access needs to be protected in many
50# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
51# want to allow non-root users to use the control interface, add a new group
52# and change this value to match with that group. Add users that should have
53# control interface access to this group. If this variable is commented out or
54# not included in the configuration file, group will not be changed from the
55# value it got by default when the directory or socket was created.
56#
57# When configuring both the directory and group, use following format:
58# DIR=/var/run/wpa_supplicant GROUP=wheel
59# DIR=/var/run/wpa_supplicant GROUP=0
60# (group can be either group name or gid)
61#
62# For UDP connections (default on Windows): The value will be ignored. This
63# variable is just used to select that the control interface is to be created.
64# The value can be set to, e.g., udp (ctrl_interface=udp)
65#
66# For Windows Named Pipe: This value can be used to set the security descriptor
67# for controlling access to the control interface. Security descriptor can be
68# set using Security Descriptor String Format (see http://msdn.microsoft.com/
69# library/default.asp?url=/library/en-us/secauthz/security/
70# security_descriptor_string_format.asp). The descriptor string needs to be
71# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
72# DACL (which will reject all connections). See README-Windows.txt for more
73# information about SDDL string format.
74#
75ctrl_interface=/var/run/wpa_supplicant
76
77# IEEE 802.1X/EAPOL version
78# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
79# EAPOL version 2. However, there are many APs that do not handle the new
80# version number correctly (they seem to drop the frames completely). In order
81# to make wpa_supplicant interoperate with these APs, the version number is set
82# to 1 by default. This configuration value can be used to set it to the new
83# version (2).
Dmitry Shmidt5a1480c2014-05-12 09:46:02 -070084# Note: When using MACsec, eapol_version shall be set to 3, which is
85# defined in IEEE Std 802.1X-2010.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -070086eapol_version=1
Dmitry Shmidt30f94812012-02-21 17:02:48 -080087
88# AP scanning/selection
89# By default, wpa_supplicant requests driver to perform AP scanning and then
90# uses the scan results to select a suitable AP. Another alternative is to
91# allow the driver to take care of AP scanning and selection and use
92# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
93# information from the driver.
94# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
95# the currently enabled networks are found, a new network (IBSS or AP mode
96# operation) may be initialized (if configured) (default)
Hai Shalomfdcde762020-04-02 11:19:20 -070097# 0: This mode must only be used when using wired Ethernet drivers
98# (including MACsec).
Dmitry Shmidt30f94812012-02-21 17:02:48 -080099# 2: like 0, but associate with APs using security policy and SSID (but not
100# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
101# enable operation with hidden SSIDs and optimized roaming; in this mode,
102# the network blocks in the configuration file are tried one by one until
103# the driver reports successful association; each network block should have
104# explicit security policy (i.e., only one option in the lists) for
105# key_mgmt, pairwise, group, proto variables
Hai Shalomfdcde762020-04-02 11:19:20 -0700106# Note: ap_scan=0/2 should not be used with the nl80211 driver interface (the
107# current Linux interface). ap_scan=1 is the only option working with nl80211.
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800108# For finding networks using hidden SSID, scan_ssid=1 in the network block can
109# be used with nl80211.
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800110# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
111# created immediately regardless of scan results. ap_scan=1 mode will first try
112# to scan for existing networks and only if no matches with the enabled
113# networks are found, a new IBSS or AP mode network is created.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700114ap_scan=1
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800115
Dmitry Shmidtb70d0bb2015-11-16 10:43:06 -0800116# Whether to force passive scan for network connection
117#
118# By default, scans will send out Probe Request frames on channels that allow
119# active scanning. This advertise the local station to the world. Normally this
120# is fine, but users may wish to do passive scanning where the radio should only
121# listen quietly for Beacon frames and not send any Probe Request frames. Actual
122# functionality may be driver dependent.
123#
124# This parameter can be used to force only passive scanning to be used
125# for network connection cases. It should be noted that this will slow
126# down scan operations and reduce likelihood of finding the AP. In
127# addition, some use cases will override this due to functional
128# requirements, e.g., for finding an AP that uses hidden SSID
129# (scan_ssid=1) or P2P device discovery.
130#
131# 0: Do normal scans (allow active scans) (default)
132# 1: Do passive scans.
133#passive_scan=0
134
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -0800135# MPM residency
136# By default, wpa_supplicant implements the mesh peering manager (MPM) for an
137# open mesh. However, if the driver can implement the MPM, you may set this to
138# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is
139# always used.
140# 0: MPM lives in the driver
141# 1: wpa_supplicant provides an MPM which handles peering (default)
142#user_mpm=1
143
144# Maximum number of peer links (0-255; default: 99)
145# Maximum number of mesh peering currently maintained by the STA.
146#max_peer_links=99
147
Dmitry Shmidt2f74e362015-01-21 13:19:05 -0800148# Timeout in seconds to detect STA inactivity (default: 300 seconds)
149#
150# This timeout value is used in mesh STA to clean up inactive stations.
151#mesh_max_inactivity=300
152
153# cert_in_cb - Whether to include a peer certificate dump in events
154# This controls whether peer certificates for authentication server and
155# its certificate chain are included in EAP peer certificate events. This is
156# enabled by default.
157#cert_in_cb=1
158
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800159# EAP fast re-authentication
160# By default, fast re-authentication is enabled for all EAP methods that
161# support it. This variable can be used to disable fast re-authentication.
162# Normally, there is no need to disable this.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700163fast_reauth=1
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800164
165# OpenSSL Engine support
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700166# These options can be used to load OpenSSL engines in special or legacy
167# modes.
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800168# The two engines that are supported currently are shown below:
169# They are both from the opensc project (http://www.opensc.org/)
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700170# By default the PKCS#11 engine is loaded if the client_cert or
171# private_key option appear to be a PKCS#11 URI, and these options
172# should not need to be used explicitly.
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800173# make the opensc engine available
174#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
175# make the pkcs11 engine available
176#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
177# configure the path to the pkcs11 module required by the pkcs11 engine
178#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
179
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -0800180# OpenSSL cipher string
181#
182# This is an OpenSSL specific configuration option for configuring the default
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700183# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
184# by default) is used.
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -0800185# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
186# on cipher suite configuration. This is applicable only if wpa_supplicant is
187# built to use OpenSSL.
188#openssl_ciphers=DEFAULT:!EXP:!LOW
189
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800190# Dynamic EAP methods
191# If EAP methods were built dynamically as shared object files, they need to be
192# loaded here before being used in the network blocks. By default, EAP methods
193# are included statically in the build, so these lines are not needed
194#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
195#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
196
197# Driver interface parameters
Dmitry Shmidtaca489e2016-09-28 15:44:14 -0700198# This field can be used to configure arbitrary driver interface parameters. The
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800199# format is specific to the selected driver interface. This field is not used
200# in most cases.
201#driver_param="field=value"
202
203# Country code
204# The ISO/IEC alpha2 country code for the country in which this device is
205# currently operating.
206#country=US
207
208# Maximum lifetime for PMKSA in seconds; default 43200
209#dot11RSNAConfigPMKLifetime=43200
210# Threshold for reauthentication (percentage of PMK lifetime); default 70
211#dot11RSNAConfigPMKReauthThreshold=70
212# Timeout for security association negotiation in seconds; default 60
213#dot11RSNAConfigSATimeout=60
214
215# Wi-Fi Protected Setup (WPS) parameters
216
217# Universally Unique IDentifier (UUID; see RFC 4122) of the device
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700218# If not configured, UUID will be generated based on the mechanism selected with
219# the auto_uuid parameter.
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800220#uuid=12345678-9abc-def0-1234-56789abcdef0
221
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700222# Automatic UUID behavior
223# 0 = generate static value based on the local MAC address (default)
224# 1 = generate a random UUID every time wpa_supplicant starts
225#auto_uuid=0
226
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800227# Device Name
228# User-friendly description of device; up to 32 octets encoded in UTF-8
229#device_name=Wireless Client
230
231# Manufacturer
232# The manufacturer of the device (up to 64 ASCII characters)
233#manufacturer=Company
234
235# Model Name
236# Model of the device (up to 32 ASCII characters)
237#model_name=cmodel
238
239# Model Number
240# Additional device description (up to 32 ASCII characters)
241#model_number=123
242
243# Serial Number
244# Serial number of the device (up to 32 characters)
245#serial_number=12345
246
247# Primary Device Type
248# Used format: <categ>-<OUI>-<subcateg>
249# categ = Category as an integer value
250# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
251# default WPS OUI
252# subcateg = OUI-specific Sub Category as an integer value
253# Examples:
254# 1-0050F204-1 (Computer / PC)
255# 1-0050F204-2 (Computer / Server)
256# 5-0050F204-1 (Storage / NAS)
257# 6-0050F204-1 (Network Infrastructure / AP)
258#device_type=1-0050F204-1
259
260# OS Version
261# 4-octet operating system version number (hex string)
262#os_version=01020300
263
264# Config Methods
265# List of the supported configuration methods
266# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
267# nfc_interface push_button keypad virtual_display physical_display
268# virtual_push_button physical_push_button
269# For WSC 1.0:
270#config_methods=label display push_button keypad
271# For WSC 2.0:
272#config_methods=label virtual_display virtual_push_button keypad
273
274# Credential processing
275# 0 = process received credentials internally (default)
276# 1 = do not process received credentials; just pass them over ctrl_iface to
277# external program(s)
278# 2 = process received credentials internally and pass them over ctrl_iface
279# to external program(s)
280#wps_cred_processing=0
281
Hai Shalom021b0b52019-04-10 11:17:58 -0700282# Whether to enable SAE (WPA3-Personal transition mode) automatically for
283# WPA2-PSK credentials received using WPS.
284# 0 = only add the explicitly listed WPA2-PSK configuration (default)
285# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the
286# station gets configured in WPA3-Personal transition mode (supports both
287# WPA2-Personal (PSK) and WPA3-Personal (SAE) APs).
288#wps_cred_add_sae=0
289
Dmitry Shmidt04949592012-07-19 12:16:46 -0700290# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
291# The vendor attribute contents to be added in M1 (hex string)
292#wps_vendor_ext_m1=000137100100020001
293
294# NFC password token for WPS
295# These parameters can be used to configure a fixed NFC password token for the
296# station. This can be generated, e.g., with nfc_pw_token. When these
297# parameters are used, the station is assumed to be deployed with a NFC tag
298# that includes the matching NFC password token (e.g., written based on the
299# NDEF record from nfc_pw_token).
300#
301#wps_nfc_dev_pw_id: Device Password ID (16..65535)
302#wps_nfc_dh_pubkey: Hexdump of DH Public Key
303#wps_nfc_dh_privkey: Hexdump of DH Private Key
304#wps_nfc_dev_pw: Hexdump of Device Password
305
Dmitry Shmidt7a53dbb2015-06-11 13:13:53 -0700306# Priority for the networks added through WPS
307# This priority value will be set to each network profile that is added
308# by executing the WPS protocol.
309#wps_priority=0
310
Hai Shalomc3565922019-10-28 11:58:20 -0700311# Device Provisioning Protocol (DPP) parameters
312#
313# How to process DPP configuration
314# 0 = report received configuration to an external program for
315# processing; do not generate any network profile internally (default)
316# 1 = report received configuration to an external program and generate
317# a network profile internally, but do not automatically connect
318# to the created (disabled) profile; the network profile id is
319# reported to external programs
320# 2 = report received configuration to an external program, generate
321# a network profile internally, try to connect to the created
322# profile automatically
323#dpp_config_processing=0
324#
325# Name for Enrollee's DPP Configuration Request
326#dpp_name=Test
327#
328# MUD URL for Enrollee's DPP Configuration Request (optional)
329#dpp_mud_url=https://example.com/mud
330
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800331# Maximum number of BSS entries to keep in memory
332# Default: 200
333# This can be used to limit memory use on the BSS entries (cached scan
334# results). A larger value may be needed in environments that have huge number
335# of APs when using ap_scan=1 mode.
336#bss_max_count=200
337
Hai Shalom5f92bc92019-04-18 11:54:11 -0700338# BSS expiration age in seconds. A BSS will be removed from the local cache
339# if it is not in use and has not been seen for this time. Default is 180.
340#bss_expiration_age=180
341
342# BSS expiration after number of scans. A BSS will be removed from the local
343# cache if it is not seen in this number of scans.
344# Default is 2.
345#bss_expiration_scan_count=2
346
Dmitry Shmidt04949592012-07-19 12:16:46 -0700347# Automatic scan
348# This is an optional set of parameters for automatic scanning
349# within an interface in following format:
350#autoscan=<autoscan module name>:<module parameters>
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800351# autoscan is like bgscan but on disconnected or inactive state.
352# For instance, on exponential module parameters would be <base>:<limit>
Dmitry Shmidt04949592012-07-19 12:16:46 -0700353#autoscan=exponential:3:300
354# Which means a delay between scans on a base exponential of 3,
Dmitry Shmidtcce06662013-11-04 18:44:24 -0800355# up to the limit of 300 seconds (3, 9, 27 ... 300)
356# For periodic module, parameters would be <fixed interval>
Dmitry Shmidt04949592012-07-19 12:16:46 -0700357#autoscan=periodic:30
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800358# So a delay of 30 seconds will be applied between each scan.
359# Note: If sched_scan_plans are configured and supported by the driver,
360# autoscan is ignored.
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800361
362# filter_ssids - SSID-based scan result filtering
363# 0 = do not filter scan results (default)
364# 1 = only include configured SSIDs in scan results/BSS table
365#filter_ssids=0
366
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700367# Password (and passphrase, etc.) backend for external storage
368# format: <backend name>[:<optional backend parameters>]
369#ext_password_backend=test:pw1=password|pw2=testing
370
Dmitry Shmidt1d755d02015-04-28 10:34:29 -0700371
372# Disable P2P functionality
373# p2p_disabled=1
374
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700375# Timeout in seconds to detect STA inactivity (default: 300 seconds)
376#
377# This timeout value is used in P2P GO mode to clean up
378# inactive stations.
379#p2p_go_max_inactivity=300
380
Dmitry Shmidt2271d3f2014-06-23 12:16:31 -0700381# Passphrase length (8..63) for P2P GO
382#
383# This parameter controls the length of the random passphrase that is
384# generated at the GO. Default: 8.
385#p2p_passphrase_len=8
386
Dmitry Shmidt09f57ba2014-06-10 16:07:13 -0700387# Extra delay between concurrent P2P search iterations
388#
389# This value adds extra delay in milliseconds between concurrent search
390# iterations to make p2p_find friendlier to concurrent operations by avoiding
391# it from taking 100% of radio resources. The default value is 500 ms.
392#p2p_search_delay=500
393
Dmitry Shmidtd5e49232012-12-03 15:08:10 -0800394# Opportunistic Key Caching (also known as Proactive Key Caching) default
395# This parameter can be used to set the default behavior for the
396# proactive_key_caching parameter. By default, OKC is disabled unless enabled
397# with the global okc=1 parameter or with the per-network
398# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
399# can be disabled with per-network proactive_key_caching=0 parameter.
400#okc=0
401
402# Protected Management Frames default
403# This parameter can be used to set the default behavior for the ieee80211w
Dmitry Shmidt849734c2016-05-27 09:59:01 -0700404# parameter for RSN networks. By default, PMF is disabled unless enabled with
405# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter.
406# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the
407# per-network ieee80211w parameter. This global default value does not apply
408# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using
409# RSN.
Dmitry Shmidtd5e49232012-12-03 15:08:10 -0800410#pmf=0
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800411
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800412# Enabled SAE finite cyclic groups in preference order
413# By default (if this parameter is not set), the mandatory group 19 (ECC group
Hai Shalom021b0b52019-04-10 11:17:58 -0700414# defined over a 256-bit prime order field, NIST P-256) is preferred and groups
415# 20 (NIST P-384) and 21 (NIST P-521) are also enabled. If this parameter is
416# set, the groups will be tried in the indicated order.
417# The group values are listed in the IANA registry:
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800418# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
Hai Shalom021b0b52019-04-10 11:17:58 -0700419# Note that groups 1, 2, 5, 22, 23, and 24 should not be used in production
420# purposes due limited security (see RFC 8247). Groups that are not as strong as
421# group 19 (ECC, NIST P-256) are unlikely to be useful for production use cases
422# since all implementations are required to support group 19.
423#sae_groups=19 20 21
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800424
Hai Shalomc3565922019-10-28 11:58:20 -0700425# SAE mechanism for PWE derivation
Hai Shalomfdcde762020-04-02 11:19:20 -0700426# 0 = hunting-and-pecking loop only (default without password identifier)
427# 1 = hash-to-element only (default with password identifier)
Hai Shalomc3565922019-10-28 11:58:20 -0700428# 2 = both hunting-and-pecking loop and hash-to-element enabled
429# Note: The default value is likely to change from 0 to 2 once the new
430# hash-to-element mechanism has received more interoperability testing.
Hai Shalomfdcde762020-04-02 11:19:20 -0700431# When using SAE password identifier, the hash-to-element mechanism is used
432# regardless of the sae_pwe parameter value.
Hai Shalomc3565922019-10-28 11:58:20 -0700433#sae_pwe=0
434
Dmitry Shmidt7a5e50a2013-03-05 12:37:16 -0800435# Default value for DTIM period (if not overridden in network block)
436#dtim_period=2
437
438# Default value for Beacon interval (if not overridden in network block)
439#beacon_int=100
440
Dmitry Shmidt0ccb66e2013-03-29 16:41:28 -0700441# Additional vendor specific elements for Beacon and Probe Response frames
442# This parameter can be used to add additional vendor specific element(s) into
443# the end of the Beacon and Probe Response frames. The format for these
444# element(s) is a hexdump of the raw information elements (id+len+payload for
445# one or more elements). This is used in AP and P2P GO modes.
446#ap_vendor_elements=dd0411223301
447
Dmitry Shmidt444d5672013-04-01 13:08:44 -0700448# Ignore scan results older than request
449#
450# The driver may have a cache of scan results that makes it return
451# information that is older than our scan trigger. This parameter can
452# be used to configure such old information to be ignored instead of
453# allowing it to update the internal BSS table.
454#ignore_old_scan_res=0
455
Dmitry Shmidtea69e842013-05-13 14:52:28 -0700456# scan_cur_freq: Whether to scan only the current frequency
457# 0: Scan all available frequencies. (Default)
458# 1: Scan current operating frequency if another VIF on the same radio
459# is already associated.
Dmitry Shmidt444d5672013-04-01 13:08:44 -0700460
Dmitry Shmidt661b4f72014-09-29 14:58:27 -0700461# MAC address policy default
462# 0 = use permanent MAC address
463# 1 = use random MAC address for each ESS connection
464# 2 = like 1, but maintain OUI (with local admin bit set)
465#
466# By default, permanent MAC address is used unless policy is changed by
467# the per-network mac_addr parameter. Global mac_addr=1 can be used to
468# change this default behavior.
469#mac_addr=0
470
471# Lifetime of random MAC address in seconds (default: 60)
472#rand_addr_lifetime=60
473
474# MAC address policy for pre-association operations (scanning, ANQP)
475# 0 = use permanent MAC address
476# 1 = use random MAC address
477# 2 = like 1, but maintain OUI (with local admin bit set)
478#preassoc_mac_addr=0
479
Dmitry Shmidtebd93af2017-02-21 13:40:44 -0800480# MAC address policy for GAS operations
481# 0 = use permanent MAC address
482# 1 = use random MAC address
483# 2 = like 1, but maintain OUI (with local admin bit set)
Hai Shalomb755a2a2020-04-23 21:49:02 -0700484# Note that this setting is ignored when a specific MAC address is needed for
485# a full protocol exchange that includes GAS, e.g., when going through a DPP
486# exchange that exposes the configured interface address as part of the DP
487# Public Action frame exchanges before using GAS. That same address is then used
488# during the GAS exchange as well to avoid breaking the protocol expectations.
Dmitry Shmidtebd93af2017-02-21 13:40:44 -0800489#gas_rand_mac_addr=0
490
491# Lifetime of GAS random MAC address in seconds (default: 60)
492#gas_rand_addr_lifetime=60
493
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800494# Interworking (IEEE 802.11u)
495
496# Enable Interworking
497# interworking=1
498
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700499# Enable P2P GO advertisement of Interworking
500# go_interworking=1
501
502# P2P GO Interworking: Access Network Type
503# 0 = Private network
504# 1 = Private network with guest access
505# 2 = Chargeable public network
506# 3 = Free public network
507# 4 = Personal device network
508# 5 = Emergency services only network
509# 14 = Test or experimental
510# 15 = Wildcard
511#go_access_network_type=0
512
513# P2P GO Interworking: Whether the network provides connectivity to the Internet
514# 0 = Unspecified
515# 1 = Network provides connectivity to the Internet
516#go_internet=1
517
518# P2P GO Interworking: Group Venue Info (optional)
519# The available values are defined in IEEE Std 802.11-2016, 9.4.1.35.
520# Example values (group,type):
521# 0,0 = Unspecified
522# 1,7 = Convention Center
523# 1,13 = Coffee Shop
524# 2,0 = Unspecified Business
525# 7,1 Private Residence
526#go_venue_group=7
527#go_venue_type=1
528
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800529# Homogenous ESS identifier
530# If this is set, scans will be used to request response only from BSSes
531# belonging to the specified Homogeneous ESS. This is used only if interworking
532# is enabled.
533# hessid=00:11:22:33:44:55
534
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700535# Automatic network selection behavior
536# 0 = do not automatically go through Interworking network selection
537# (i.e., require explicit interworking_select command for this; default)
538# 1 = perform Interworking network selection if one or more
539# credentials have been configured and scan did not find a
540# matching network block
541#auto_interworking=0
542
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700543# GAS Address3 field behavior
544# 0 = P2P specification (Address3 = AP BSSID); default
545# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when
546# sent to not-associated AP; if associated, AP BSSID)
547#gas_address3=0
548
Dmitry Shmidt7d175302016-09-06 13:11:34 -0700549# Publish fine timing measurement (FTM) responder functionality in
550# the Extended Capabilities element bit 70.
551# Controls whether FTM responder functionality will be published by AP/STA.
552# Note that actual FTM responder operation is managed outside wpa_supplicant.
553# 0 = Do not publish; default
554# 1 = Publish
555#ftm_responder=0
556
557# Publish fine timing measurement (FTM) initiator functionality in
558# the Extended Capabilities element bit 71.
559# Controls whether FTM initiator functionality will be published by AP/STA.
560# Note that actual FTM initiator operation is managed outside wpa_supplicant.
561# 0 = Do not publish; default
562# 1 = Publish
563#ftm_initiator=0
564
Dmitry Shmidt04949592012-07-19 12:16:46 -0700565# credential block
566#
567# Each credential used for automatic network selection is configured as a set
568# of parameters that are compared to the information advertised by the APs when
569# interworking_select and interworking_connect commands are used.
570#
571# credential fields:
572#
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800573# temporary: Whether this credential is temporary and not to be saved
574#
Dmitry Shmidt04949592012-07-19 12:16:46 -0700575# priority: Priority group
576# By default, all networks and credentials get the same priority group
577# (0). This field can be used to give higher priority for credentials
578# (and similarly in struct wpa_ssid for network blocks) to change the
579# Interworking automatic networking selection behavior. The matching
580# network (based on either an enabled network block or a credential)
581# with the highest priority value will be selected.
582#
583# pcsc: Use PC/SC and SIM/USIM card
584#
585# realm: Home Realm for Interworking
586#
587# username: Username for Interworking network selection
588#
589# password: Password for Interworking network selection
590#
591# ca_cert: CA certificate for Interworking network selection
592#
593# client_cert: File path to client certificate file (PEM/DER)
594# This field is used with Interworking networking selection for a case
595# where client certificate/private key is used for authentication
596# (EAP-TLS). Full path to the file should be used since working
597# directory may change when wpa_supplicant is run in the background.
598#
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700599# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
600#
601# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
602#
Dmitry Shmidt04949592012-07-19 12:16:46 -0700603# Alternatively, a named configuration blob can be used by setting
604# this to blob://blob_name.
605#
606# private_key: File path to client private key file (PEM/DER/PFX)
607# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
608# commented out. Both the private key and certificate will be read
609# from the PKCS#12 file in this case. Full path to the file should be
610# used since working directory may change when wpa_supplicant is run
611# in the background.
612#
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -0700613# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
614# For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
615#
Dmitry Shmidt04949592012-07-19 12:16:46 -0700616# Windows certificate store can be used by leaving client_cert out and
617# configuring private_key in one of the following formats:
618#
619# cert://substring_to_match
620#
621# hash://certificate_thumbprint_in_hex
622#
623# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
624#
625# Note that when running wpa_supplicant as an application, the user
626# certificate store (My user account) is used, whereas computer store
627# (Computer account) is used when running wpasvc as a service.
628#
629# Alternatively, a named configuration blob can be used by setting
630# this to blob://blob_name.
631#
632# private_key_passwd: Password for private key file
633#
634# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
635#
636# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
637# format
638#
Dmitry Shmidt051af732013-10-22 13:52:46 -0700639# domain: Home service provider FQDN(s)
Dmitry Shmidt04949592012-07-19 12:16:46 -0700640# This is used to compare against the Domain Name List to figure out
Dmitry Shmidt051af732013-10-22 13:52:46 -0700641# whether the AP is operated by the Home SP. Multiple domain entries can
642# be used to configure alternative FQDNs that will be considered home
643# networks.
Dmitry Shmidt04949592012-07-19 12:16:46 -0700644#
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700645# roaming_consortium: Roaming Consortium OI
646# If roaming_consortium_len is non-zero, this field contains the
647# Roaming Consortium OI that can be used to determine which access
648# points support authentication with this credential. This is an
649# alternative to the use of the realm parameter. When using Roaming
650# Consortium to match the network, the EAP parameters need to be
651# pre-configured with the credential since the NAI Realm information
652# may not be available or fetched.
653#
Roshan Pius3a1667e2018-07-03 15:17:14 -0700654# required_roaming_consortium: Required Roaming Consortium OI
655# If required_roaming_consortium_len is non-zero, this field contains the
656# Roaming Consortium OI that is required to be advertised by the AP for
657# the credential to be considered matching.
658#
659# roaming_consortiums: Roaming Consortium OI(s) memberships
660# This string field contains one or more comma delimited OIs (hexdump)
661# identifying the roaming consortiums of which the provider is a member.
662# The list is sorted from the most preferred one to the least preferred
663# one. A match between the Roaming Consortium OIs advertised by an AP and
664# the OIs in this list indicates that successful authentication is
665# possible.
666# (Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI)
667#
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700668# eap: Pre-configured EAP method
669# This optional field can be used to specify which EAP method will be
670# used with this credential. If not set, the EAP method is selected
671# automatically based on ANQP information (e.g., NAI Realm).
672#
673# phase1: Pre-configure Phase 1 (outer authentication) parameters
674# This optional field is used with like the 'eap' parameter.
675#
676# phase2: Pre-configure Phase 2 (inner authentication) parameters
677# This optional field is used with like the 'eap' parameter.
678#
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800679# excluded_ssid: Excluded SSID
680# This optional field can be used to excluded specific SSID(s) from
681# matching with the network. Multiple entries can be used to specify more
682# than one SSID.
683#
Dmitry Shmidtf21452a2014-02-26 10:55:25 -0800684# roaming_partner: Roaming partner information
685# This optional field can be used to configure preferences between roaming
686# partners. The field is a string in following format:
687# <FQDN>,<0/1 exact match>,<priority>,<* or country code>
688# (non-exact match means any subdomain matches the entry; priority is in
689# 0..255 range with 0 being the highest priority)
690#
691# update_identifier: PPS MO ID
692# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
693#
694# provisioning_sp: FQDN of the SP that provisioned the credential
695# This optional field can be used to keep track of the SP that provisioned
696# the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
697#
698# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)
699# These fields can be used to specify minimum download/upload backhaul
700# bandwidth that is preferred for the credential. This constraint is
701# ignored if the AP does not advertise WAN Metrics information or if the
702# limit would prevent any connection. Values are in kilobits per second.
703# min_dl_bandwidth_home
704# min_ul_bandwidth_home
705# min_dl_bandwidth_roaming
706# min_ul_bandwidth_roaming
707#
708# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
709# (PPS/<X+>/Policy/MaximumBSSLoadValue)
710# This value is used as the maximum channel utilization for network
711# selection purposes for home networks. If the AP does not advertise
712# BSS Load or if the limit would prevent any connection, this constraint
713# will be ignored.
714#
715# req_conn_capab: Required connection capability
716# (PPS/<X+>/Policy/RequiredProtoPortTuple)
717# This value is used to configure set of required protocol/port pairs that
718# a roaming network shall support (include explicitly in Connection
719# Capability ANQP element). This constraint is ignored if the AP does not
720# advertise Connection Capability or if this constraint would prevent any
721# network connection. This policy is not used in home networks.
722# Format: <protocol>[:<comma-separated list of ports]
723# Multiple entries can be used to list multiple requirements.
724# For example, number of common TCP protocols:
725# req_conn_capab=6,22,80,443
726# For example, IPSec/IKE:
727# req_conn_capab=17:500
728# req_conn_capab=50
729#
730# ocsp: Whether to use/require OCSP to check server certificate
731# 0 = do not use OCSP stapling (TLS certificate status extension)
732# 1 = try to use OCSP stapling, but not require response
733# 2 = require valid OCSP stapling response
Dmitry Shmidt014a3ff2015-12-28 13:27:49 -0800734# 3 = require valid OCSP stapling response for all not-trusted
735# certificates in the server certificate chain
Dmitry Shmidtf21452a2014-02-26 10:55:25 -0800736#
Dmitry Shmidtf9bdef92014-04-25 10:46:36 -0700737# sim_num: Identifier for which SIM to use in multi-SIM devices
738#
Dmitry Shmidt04949592012-07-19 12:16:46 -0700739# for example:
740#
741#cred={
742# realm="example.com"
743# username="user@example.com"
744# password="password"
745# ca_cert="/etc/wpa_supplicant/ca.pem"
746# domain="example.com"
747#}
748#
749#cred={
750# imsi="310026-000000000"
751# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
752#}
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700753#
754#cred={
755# realm="example.com"
756# username="user"
757# password="password"
758# ca_cert="/etc/wpa_supplicant/ca.pem"
759# domain="example.com"
760# roaming_consortium=223344
761# eap=TTLS
762# phase2="auth=MSCHAPV2"
763#}
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800764
Dmitry Shmidt04949592012-07-19 12:16:46 -0700765# Hotspot 2.0
766# hs20=1
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800767
Dmitry Shmidtd7ff03d2015-12-04 14:49:35 -0800768# Scheduled scan plans
769#
770# A space delimited list of scan plans. Each scan plan specifies the scan
771# interval and number of iterations, delimited by a colon. The last scan plan
772# will run infinitely and thus must specify only the interval and not the number
773# of iterations.
774#
775# The driver advertises the maximum number of scan plans supported. If more scan
776# plans than supported are configured, only the first ones are set (up to the
777# maximum supported). The last scan plan that specifies only the interval is
778# always set as the last plan.
779#
780# If the scan interval or the number of iterations for a scan plan exceeds the
781# maximum supported, it will be set to the maximum supported value.
782#
783# Format:
784# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
785#
786# Example:
787# sched_scan_plans=10:100 20:200 30
788
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800789# Multi Band Operation (MBO) non-preferred channels
790# A space delimited list of non-preferred channels where each channel is a colon
Dmitry Shmidtaca489e2016-09-28 15:44:14 -0700791# delimited list of values.
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800792# Format:
Dmitry Shmidtaca489e2016-09-28 15:44:14 -0700793# non_pref_chan=<oper_class>:<chan>:<preference>:<reason>
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800794# Example:
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700795# non_pref_chan=81:5:10:2 81:1:0:2 81:9:0:2
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800796
797# MBO Cellular Data Capabilities
798# 1 = Cellular data connection available
799# 2 = Cellular data connection not available
800# 3 = Not cellular capable (default)
801#mbo_cell_capa=3
802
Dmitry Shmidtd2986c22017-10-23 14:22:09 -0700803# Optimized Connectivity Experience (OCE)
804# oce: Enable OCE features (bitmap)
805# Set BIT(0) to Enable OCE in non-AP STA mode (default; disabled if the driver
806# does not indicate support for OCE in STA mode)
807# Set BIT(1) to Enable OCE in STA-CFON mode
808#oce=1
809
Hai Shalomfdcde762020-04-02 11:19:20 -0700810# Extended Key ID support for Individually Addressed frames
811# 0 = force off: Do not use Extended Key ID (default)
812# 1 = auto: Activate Extended Key ID support if the driver supports it
813#extended_key_id=0
814
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800815# network block
816#
817# Each network (usually AP's sharing the same SSID) is configured as a separate
818# block in this configuration file. The network blocks are in preference order
819# (the first match is used).
820#
821# network block fields:
822#
823# disabled:
824# 0 = this network can be used (default)
825# 1 = this network block is disabled (can be enabled through ctrl_iface,
826# e.g., with wpa_cli or wpa_gui)
827#
828# id_str: Network identifier string for external scripts. This value is passed
829# to external action script through wpa_cli as WPA_ID_STR environment
830# variable to make it easier to do network specific configuration.
831#
Dmitry Shmidt61d9df32012-08-29 16:22:06 -0700832# ssid: SSID (mandatory); network name in one of the optional formats:
833# - an ASCII string with double quotation
834# - a hex string (two characters per octet of SSID)
835# - a printf-escaped ASCII string P"<escaped string>"
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800836#
837# scan_ssid:
838# 0 = do not scan this SSID with specific Probe Request frames (default)
839# 1 = scan with SSID-specific Probe Request frames (this can be used to
840# find APs that do not accept broadcast SSID or use multiple SSIDs;
841# this will add latency to scanning, so enable this only when needed)
842#
843# bssid: BSSID (optional); if set, this network block is used only when
844# associating with the AP using the configured BSSID
845#
Hai Shalom899fcc72020-10-19 14:38:18 -0700846# ignore_broadcast_ssid: SSID broadcast behavior
847# Send empty SSID in beacons and ignore probe request frames that do not
848# specify full SSID, i.e., require stations to know SSID.
849# default: disabled (0)
850# 1 = send empty (length=0) SSID in beacon and ignore probe request for
851# broadcast SSID
852# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
853# with some clients that do not support empty SSID) and ignore probe
854# requests for broadcast SSID
855#
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800856# priority: priority group (integer)
857# By default, all networks will get same priority group (0). If some of the
858# networks are more desirable, this field can be used to change the order in
859# which wpa_supplicant goes through the networks when selecting a BSS. The
860# priority groups will be iterated in decreasing priority (i.e., the larger the
861# priority value, the sooner the network is matched against the scan results).
862# Within each priority group, networks will be selected based on security
863# policy, signal strength, etc.
864# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
865# using this priority to select the order for scanning. Instead, they try the
866# networks in the order that used in the configuration file.
867#
868# mode: IEEE 802.11 operation mode
869# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
870# 1 = IBSS (ad-hoc, peer-to-peer)
871# 2 = AP (access point)
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -0800872# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
873# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
874# TKIP/CCMP) is available for backwards compatibility, but its use is
875# deprecated. WPA-None requires following network block options:
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800876# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
877# both), and psk must also be set.
878#
879# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
880# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
881# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
882# In addition, this value is only used by the station that creates the IBSS. If
883# an IBSS network with the configured SSID is already present, the frequency of
884# the network will be used instead of this configured value.
885#
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800886# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
Dmitry Shmidt849734c2016-05-27 09:59:01 -0700887# 0 = do not use PBSS
888# 1 = use PBSS
889# 2 = don't care (not allowed in AP mode)
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800890# Used together with mode configuration. When mode is AP, it means to start a
891# PCP instead of a regular AP. When mode is infrastructure it means connect
Dmitry Shmidt849734c2016-05-27 09:59:01 -0700892# to a PCP instead of AP. In this mode you can also specify 2 (don't care)
893# which means connect to either PCP or AP.
894# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.
Dmitry Shmidt57c2d392016-02-23 13:40:19 -0800895# For more details, see IEEE Std 802.11ad-2012.
896#
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800897# scan_freq: List of frequencies to scan
898# Space-separated list of frequencies in MHz to scan when searching for this
899# BSS. If the subset of channels used by the network is known, this option can
900# be used to optimize scanning to not occur on channels that the network does
901# not use. Example: scan_freq=2412 2437 2462
902#
903# freq_list: Array of allowed frequencies
904# Space-separated list of frequencies in MHz to allow for selecting the BSS. If
905# set, scan results that do not match any of the specified frequencies are not
906# considered when selecting a BSS.
907#
Dmitry Shmidt51b6ea82013-05-08 10:42:09 -0700908# This can also be set on the outside of the network block. In this case,
909# it limits the frequencies that will be scanned.
910#
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800911# bgscan: Background scanning
912# wpa_supplicant behavior for background scanning can be specified by
913# configuring a bgscan module. These modules are responsible for requesting
914# background scans for the purpose of roaming within an ESS (i.e., within a
915# single network block with all the APs using the same SSID). The bgscan
916# parameter uses following format: "<bgscan module name>:<module parameters>"
917# Following bgscan modules are available:
918# simple - Periodic background scans based on signal strength
919# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
920# <long interval>"
921# bgscan="simple:30:-45:300"
922# learn - Learn channels used by the network and try to avoid bgscans on other
923# channels (experimental)
924# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
925# <long interval>[:<database file name>]"
926# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
Dmitry Shmidta38abf92014-03-06 13:38:44 -0800927# Explicitly disable bgscan by setting
928# bgscan=""
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -0800929#
Dmitry Shmidtb96dad42013-11-05 10:07:29 -0800930# This option can also be set outside of all network blocks for the bgscan
931# parameter to apply for all the networks that have no specific bgscan
932# parameter.
933#
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800934# proto: list of accepted protocols
935# WPA = WPA/IEEE 802.11i/D3.0
936# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
Hai Shalomce48b4a2018-09-05 11:41:35 -0700937# Note that RSN is used also for WPA3.
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800938# If not set, this defaults to: WPA RSN
939#
940# key_mgmt: list of accepted authenticated key management protocols
941# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
942# WPA-EAP = WPA using EAP authentication
943# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
944# generated WEP keys
945# NONE = WPA is not used; plaintext or static WEP could be used
Dmitry Shmidt014a3ff2015-12-28 13:27:49 -0800946# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
947# instead)
948# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
949# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
Roshan Pius3a1667e2018-07-03 15:17:14 -0700950# FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
951# and using SHA384
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800952# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
953# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
Dmitry Shmidt014a3ff2015-12-28 13:27:49 -0800954# SAE = Simultaneous authentication of equals; pre-shared key/password -based
955# authentication with stronger security than WPA-PSK especially when using
Hai Shalomce48b4a2018-09-05 11:41:35 -0700956# not that strong password; a.k.a. WPA3-Personal
Dmitry Shmidt014a3ff2015-12-28 13:27:49 -0800957# FT-SAE = SAE with FT
958# WPA-EAP-SUITE-B = Suite B 128-bit level
959# WPA-EAP-SUITE-B-192 = Suite B 192-bit level
Dmitry Shmidtde47be72016-01-07 12:52:55 -0800960# OSEN = Hotspot 2.0 Rel 2 online signup connection
Dmitry Shmidt9839ecd2016-11-07 11:05:47 -0800961# FILS-SHA256 = Fast Initial Link Setup with SHA256
962# FILS-SHA384 = Fast Initial Link Setup with SHA384
963# FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
964# FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
Hai Shalomce48b4a2018-09-05 11:41:35 -0700965# OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
966# DPP = Device Provisioning Protocol
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800967# If not set, this defaults to: WPA-PSK WPA-EAP
968#
Dmitry Shmidt04949592012-07-19 12:16:46 -0700969# ieee80211w: whether management frame protection is enabled
Dmitry Shmidtd5e49232012-12-03 15:08:10 -0800970# 0 = disabled (default unless changed with the global pmf parameter)
Dmitry Shmidt04949592012-07-19 12:16:46 -0700971# 1 = optional
972# 2 = required
973# The most common configuration options for this based on the PMF (protected
974# management frames) certification program are:
975# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
976# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
Ahmed ElArabawy0ff61c52019-12-26 12:38:39 -0800977# (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
978# WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
Dmitry Shmidt04949592012-07-19 12:16:46 -0700979#
Hai Shalom74f70d42019-02-11 14:42:39 -0800980# ocv: whether operating channel validation is enabled
981# This is a countermeasure against multi-channel man-in-the-middle attacks.
982# Enabling this automatically also enables ieee80211w, if not yet enabled.
983# 0 = disabled (default)
984# 1 = enabled
985#ocv=1
986#
Dmitry Shmidt30f94812012-02-21 17:02:48 -0800987# auth_alg: list of allowed IEEE 802.11 authentication algorithms
988# OPEN = Open System authentication (required for WPA/WPA2)
989# SHARED = Shared Key authentication (requires static WEP keys)
990# LEAP = LEAP/Network EAP (only used with LEAP)
991# If not set, automatic selection is used (Open System with LEAP enabled if
992# LEAP is allowed as one of the EAP methods).
993#
994# pairwise: list of accepted pairwise (unicast) ciphers for WPA
995# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
996# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
997# NONE = Use only Group Keys (deprecated, should not be included if APs support
998# pairwise keys)
999# If not set, this defaults to: CCMP TKIP
1000#
1001# group: list of accepted group (broadcast/multicast) ciphers for WPA
1002# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
1003# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
1004# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
1005# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
1006# If not set, this defaults to: CCMP TKIP WEP104 WEP40
1007#
Dmitry Shmidtd2986c22017-10-23 14:22:09 -07001008# group_mgmt: list of accepted group management ciphers for RSN (PMF)
1009# AES-128-CMAC = BIP-CMAC-128
1010# BIP-GMAC-128
1011# BIP-GMAC-256
1012# BIP-CMAC-256
1013# If not set, no constraint on the cipher, i.e., accept whichever cipher the AP
1014# indicates.
1015#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001016# psk: WPA preshared key; 256-bit pre-shared key
1017# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
1018# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
1019# generated using the passphrase and SSID). ASCII passphrase must be between
Dmitry Shmidt61d9df32012-08-29 16:22:06 -07001020# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
1021# be used to indicate that the PSK/passphrase is stored in external storage.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001022# This field is not needed, if WPA-EAP is used.
1023# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
1024# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
1025# startup and reconfiguration time can be optimized by generating the PSK only
1026# only when the passphrase or SSID has actually changed.
1027#
Dmitry Shmidt912c6ec2015-03-30 13:16:51 -07001028# mem_only_psk: Whether to keep PSK/passphrase only in memory
1029# 0 = allow psk/passphrase to be stored to the configuration file
1030# 1 = do not store psk/passphrase to the configuration file
1031#mem_only_psk=0
1032#
Dmitry Shmidtd2986c22017-10-23 14:22:09 -07001033# sae_password: SAE password
1034# This parameter can be used to set a password for SAE. By default, the
Roshan Pius3a1667e2018-07-03 15:17:14 -07001035# passphrase from the psk parameter is used if this separate parameter is not
1036# used, but psk follows the WPA-PSK constraints (8..63 characters) even though
1037# SAE passwords do not have such constraints.
1038#
1039# sae_password_id: SAE password identifier
1040# This parameter can be used to set an identifier for the SAE password. By
1041# default, no such identifier is used. If set, the specified identifier value
1042# is used by the other peer to select which password to use for authentication.
Dmitry Shmidtd2986c22017-10-23 14:22:09 -07001043#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001044# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
1045# Dynamic WEP key required for non-WPA mode
1046# bit0 (1): require dynamically generated unicast WEP key
1047# bit1 (2): require dynamically generated broadcast WEP key
1048# (3 = require both keys; default)
Dmitry Shmidtabb90a32016-12-05 15:34:39 -08001049# Note: When using wired authentication (including MACsec drivers),
Dmitry Shmidt5a1480c2014-05-12 09:46:02 -07001050# eapol_flags must be set to 0 for the authentication to be completed
1051# successfully.
1052#
1053# macsec_policy: IEEE 802.1X/MACsec options
Dmitry Shmidtabb90a32016-12-05 15:34:39 -08001054# This determines how sessions are secured with MACsec (only for MACsec
1055# drivers).
Dmitry Shmidt5a1480c2014-05-12 09:46:02 -07001056# 0: MACsec not in use (default)
1057# 1: MACsec enabled - Should secure, accept key server's advice to
1058# determine whether to use a secure session or not.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001059#
Dmitry Shmidtabb90a32016-12-05 15:34:39 -08001060# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
1061# This setting applies only when MACsec is in use, i.e.,
1062# - macsec_policy is enabled
1063# - the key server has decided to enable MACsec
1064# 0: Encrypt traffic (default)
1065# 1: Integrity only
1066#
Hai Shalom74f70d42019-02-11 14:42:39 -08001067# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
1068# This setting applies only when MACsec is in use, i.e.,
1069# - macsec_policy is enabled
1070# - the key server has decided to enable MACsec
1071# 0: Replay protection disabled (default)
1072# 1: Replay protection enabled
1073#
1074# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
1075# This determines a window in which replay is tolerated, to allow receipt
1076# of frames that have been misordered by the network.
1077# This setting applies only when MACsec replay protection active, i.e.,
1078# - macsec_replay_protect is enabled
1079# - the key server has decided to enable MACsec
1080# 0: No replay window, strict check (default)
1081# 1..2^32-1: number of packets that could be misordered
1082#
Dmitry Shmidtabb90a32016-12-05 15:34:39 -08001083# macsec_port: IEEE 802.1X/MACsec port
1084# Port component of the SCI
1085# Range: 1-65534 (default: 1)
1086#
Dmitry Shmidt29333592017-01-09 12:27:11 -08001087# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
Dmitry Shmidtabb90a32016-12-05 15:34:39 -08001088# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
Dmitry Shmidt29333592017-01-09 12:27:11 -08001089# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
1090# with lower priority will become the key server and start distributing SAKs.
Hai Shalom74f70d42019-02-11 14:42:39 -08001091# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
1092# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
1093# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
1094# (2..64 hex-digits)
Dmitry Shmidt29333592017-01-09 12:27:11 -08001095# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
1096# default priority
Dmitry Shmidtabb90a32016-12-05 15:34:39 -08001097#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001098# mixed_cell: This option can be used to configure whether so called mixed
1099# cells, i.e., networks that use both plaintext and encryption in the same
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -08001100# SSID, are allowed when selecting a BSS from scan results.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001101# 0 = disabled (default)
1102# 1 = enabled
1103#
1104# proactive_key_caching:
1105# Enable/disable opportunistic PMKSA caching for WPA2.
Dmitry Shmidtd5e49232012-12-03 15:08:10 -08001106# 0 = disabled (default unless changed with the global okc parameter)
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001107# 1 = enabled
1108#
Hai Shalom81f62d82019-07-22 12:10:00 -07001109# ft_eap_pmksa_caching:
1110# Whether FT-EAP PMKSA caching is allowed
1111# 0 = do not try to use PMKSA caching with FT-EAP (default)
1112# 1 = try to use PMKSA caching with FT-EAP
1113# This controls whether to try to use PMKSA caching with FT-EAP for the
1114# FT initial mobility domain association.
1115#ft_eap_pmksa_caching=0
1116#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001117# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
1118# hex without quotation, e.g., 0102030405)
1119# wep_tx_keyidx: Default WEP key index (TX) (0..3)
1120#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001121# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
1122# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
1123#
Hai Shalomfdcde762020-04-02 11:19:20 -07001124# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
1125# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
1126# security and stability with some cards.
1127# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
1128# EAP reauthentications) with fast reconnects.
1129#
1130# Available options:
1131# 0 = always rekey when configured/instructed (default)
1132# 1 = only rekey when the local driver is explicitly indicating it can perform
1133# this operation without issues
1134# 2 = never allow problematic PTK0 rekeys
1135#
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -07001136# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
1137# as the dot11RSNAConfigGroupRekeyTime parameter when operating in
Paul Stewart092955c2017-02-06 09:13:09 -08001138# Authenticator role in IBSS, or in AP and mesh modes.
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -07001139#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001140# Following fields are only used with internal EAP implementation.
1141# eap: space-separated list of accepted EAP methods
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001142# MD5 = EAP-MD5 (insecure and does not generate keying material ->
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001143# cannot be used with WPA; to be used as a Phase 2 method
1144# with EAP-PEAP or EAP-TTLS)
1145# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
1146# as a Phase 2 method with EAP-PEAP or EAP-TTLS)
1147# OTP = EAP-OTP (cannot be used separately with WPA; to be used
1148# as a Phase 2 method with EAP-PEAP or EAP-TTLS)
1149# GTC = EAP-GTC (cannot be used separately with WPA; to be used
1150# as a Phase 2 method with EAP-PEAP or EAP-TTLS)
1151# TLS = EAP-TLS (client and server certificate)
1152# PEAP = EAP-PEAP (with tunnelled EAP authentication)
1153# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
1154# authentication)
1155# If not set, all compiled in methods are allowed.
1156#
1157# identity: Identity string for EAP
1158# This field is also used to configure user NAI for
1159# EAP-PSK/PAX/SAKE/GPSK.
1160# anonymous_identity: Anonymous identity string for EAP (to be used as the
1161# unencrypted identity with EAP types that support different tunnelled
Dmitry Shmidt4530cfd2012-09-09 15:20:40 -07001162# identity, e.g., EAP-TTLS). This field can also be used with
1163# EAP-SIM/AKA/AKA' to store the pseudonym identity.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001164# password: Password string for EAP. This field can include either the
1165# plaintext password (using ASCII or hex string) or a NtPasswordHash
1166# (16-byte MD4 hash of password) in hash:<32 hex digits> format.
1167# NtPasswordHash can only be used when the password is for MSCHAPv2 or
1168# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
1169# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
1170# PSK) is also configured using this field. For EAP-GPSK, this is a
Dmitry Shmidt61d9df32012-08-29 16:22:06 -07001171# variable length PSK. ext:<name of external password field> format can
1172# be used to indicate that the password is stored in external storage.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001173# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
1174# or more trusted CA certificates. If ca_cert and ca_path are not
1175# included, server certificate will not be verified. This is insecure and
1176# a trusted CA certificate should always be configured when using
1177# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
1178# change when wpa_supplicant is run in the background.
1179#
1180# Alternatively, this can be used to only perform matching of the server
1181# certificate (SHA-256 hash of the DER encoded X.509 certificate). In
1182# this case, the possible CA certificates in the server certificate chain
1183# are ignored and only the server certificate is verified. This is
1184# configured with the following format:
1185# hash:://server/sha256/cert_hash_in_hex
1186# For example: "hash://server/sha256/
1187# 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
1188#
1189# On Windows, trusted CA certificates can be loaded from the system
1190# certificate store by setting this to cert_store://<name>, e.g.,
1191# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
1192# Note that when running wpa_supplicant as an application, the user
1193# certificate store (My user account) is used, whereas computer store
1194# (Computer account) is used when running wpasvc as a service.
1195# ca_path: Directory path for CA certificate files (PEM). This path may
1196# contain multiple CA certificates in OpenSSL format. Common use for this
1197# is to point to system trusted CA list which is often installed into
1198# directory like /etc/ssl/certs. If configured, these certificates are
1199# added to the list of trusted CAs. ca_cert may also be included in that
1200# case, but it is not required.
1201# client_cert: File path to client certificate file (PEM/DER)
1202# Full path should be used since working directory may change when
1203# wpa_supplicant is run in the background.
1204# Alternatively, a named configuration blob can be used by setting this
1205# to blob://<blob name>.
1206# private_key: File path to client private key file (PEM/DER/PFX)
1207# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
1208# commented out. Both the private key and certificate will be read from
1209# the PKCS#12 file in this case. Full path should be used since working
1210# directory may change when wpa_supplicant is run in the background.
1211# Windows certificate store can be used by leaving client_cert out and
1212# configuring private_key in one of the following formats:
1213# cert://substring_to_match
1214# hash://certificate_thumbprint_in_hex
1215# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
1216# Note that when running wpa_supplicant as an application, the user
1217# certificate store (My user account) is used, whereas computer store
1218# (Computer account) is used when running wpasvc as a service.
1219# Alternatively, a named configuration blob can be used by setting this
1220# to blob://<blob name>.
1221# private_key_passwd: Password for private key file (if left out, this will be
1222# asked through control interface)
1223# dh_file: File path to DH/DSA parameters file (in PEM format)
1224# This is an optional configuration file for setting parameters for an
1225# ephemeral DH key exchange. In most cases, the default RSA
1226# authentication does not use this configuration. However, it is possible
1227# setup RSA to use ephemeral DH key exchange. In addition, ciphers with
1228# DSA keys always use ephemeral DH keys. This can be used to achieve
1229# forward secrecy. If the file is in DSA parameters format, it will be
1230# automatically converted into DH params.
1231# subject_match: Substring to be matched against the subject of the
1232# authentication server certificate. If this string is set, the server
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001233# certificate is only accepted if it contains this string in the subject.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001234# The subject string is in following format:
1235# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001236# Note: Since this is a substring match, this cannot be used securely to
Dmitry Shmidtff787d52015-01-12 13:01:47 -08001237# do a suffix match against a possible domain name in the CN entry. For
Dmitry Shmidt2f74e362015-01-21 13:19:05 -08001238# such a use case, domain_suffix_match or domain_match should be used
1239# instead.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001240# altsubject_match: Semicolon separated string of entries to be matched against
1241# the alternative subject name of the authentication server certificate.
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001242# If this string is set, the server certificate is only accepted if it
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001243# contains one of the entries in an alternative subject name extension.
1244# altSubjectName string is in following format: TYPE:VALUE
1245# Example: EMAIL:server@example.com
1246# Example: DNS:server.example.com;DNS:server2.example.com
1247# Following types are supported: EMAIL, DNS, URI
Dmitry Shmidtff787d52015-01-12 13:01:47 -08001248# domain_suffix_match: Constraint for server domain name. If set, this FQDN is
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001249# used as a suffix match requirement for the AAA server certificate in
Dmitry Shmidtff787d52015-01-12 13:01:47 -08001250# SubjectAltName dNSName element(s). If a matching dNSName is found, this
1251# constraint is met. If no dNSName values are present, this constraint is
1252# matched against SubjectName CN using same suffix match comparison.
1253#
1254# Suffix match here means that the host/domain name is compared one label
1255# at a time starting from the top-level domain and all the labels in
1256# domain_suffix_match shall be included in the certificate. The
1257# certificate may include additional sub-level labels in addition to the
1258# required labels.
1259#
Hai Shalom021b0b52019-04-10 11:17:58 -07001260# More than one match string can be provided by using semicolons to
1261# separate the strings (e.g., example.org;example.com). When multiple
1262# strings are specified, a match with any one of the values is considered
1263# a sufficient match for the certificate, i.e., the conditions are ORed
1264# together.
1265#
Dmitry Shmidtff787d52015-01-12 13:01:47 -08001266# For example, domain_suffix_match=example.com would match
1267# test.example.com but would not match test-example.com.
Dmitry Shmidt2f74e362015-01-21 13:19:05 -08001268# domain_match: Constraint for server domain name
1269# If set, this FQDN is used as a full match requirement for the
1270# server certificate in SubjectAltName dNSName element(s). If a
1271# matching dNSName is found, this constraint is met. If no dNSName
1272# values are present, this constraint is matched against SubjectName CN
1273# using same full match comparison. This behavior is similar to
1274# domain_suffix_match, but has the requirement of a full match, i.e.,
1275# no subdomains or wildcard matches are allowed. Case-insensitive
1276# comparison is used, so "Example.com" matches "example.com", but would
1277# not match "test.Example.com".
Hai Shalom021b0b52019-04-10 11:17:58 -07001278#
1279# More than one match string can be provided by using semicolons to
1280# separate the strings (e.g., example.org;example.com). When multiple
1281# strings are specified, a match with any one of the values is considered
1282# a sufficient match for the certificate, i.e., the conditions are ORed
1283# together.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001284# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
1285# (string with field-value pairs, e.g., "peapver=0" or
1286# "peapver=1 peaplabel=1")
1287# 'peapver' can be used to force which PEAP version (0 or 1) is used.
1288# 'peaplabel=1' can be used to force new label, "client PEAP encryption",
1289# to be used during key derivation when PEAPv1 or newer. Most existing
1290# PEAPv1 implementation seem to be using the old label, "client EAP
1291# encryption", and wpa_supplicant is now using that as the default value.
1292# Some servers, e.g., Radiator, may require peaplabel=1 configuration to
1293# interoperate with PEAPv1; see eap_testing.txt for more details.
1294# 'peap_outer_success=0' can be used to terminate PEAP authentication on
1295# tunneled EAP-Success. This is required with some RADIUS servers that
1296# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
1297# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
1298# include_tls_length=1 can be used to force wpa_supplicant to include
1299# TLS Message Length field in all TLS messages even if they are not
1300# fragmented.
1301# sim_min_num_chal=3 can be used to configure EAP-SIM to require three
1302# challenges (by default, it accepts 2 or 3)
1303# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
1304# protected result indication.
1305# 'crypto_binding' option can be used to control PEAPv0 cryptobinding
1306# behavior:
1307# * 0 = do not use cryptobinding (default)
1308# * 1 = use cryptobinding if server supports it
1309# * 2 = require cryptobinding
1310# EAP-WSC (WPS) uses following options: pin=<Device Password> or
1311# pbc=1.
Dmitry Shmidt216983b2015-02-06 10:50:36 -08001312#
1313# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
1314# used to configure a mode that allows EAP-Success (and EAP-Failure)
1315# without going through authentication step. Some switches use such
1316# sequence when forcing the port to be authorized/unauthorized or as a
1317# fallback option if the authentication server is unreachable. By default,
1318# wpa_supplicant discards such frames to protect against potential attacks
1319# by rogue devices, but this option can be used to disable that protection
1320# for cases where the server/authenticator does not need to be
1321# authenticated.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001322# phase2: Phase2 (inner authentication with TLS tunnel) parameters
1323# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
Dmitry Shmidt216983b2015-02-06 10:50:36 -08001324# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
1325# used to disable MSCHAPv2 password retry in authentication failure cases.
Dmitry Shmidt61d9df32012-08-29 16:22:06 -07001326#
1327# TLS-based methods can use the following parameters to control TLS behavior
1328# (these are normally in the phase1 parameter, but can be used also in the
1329# phase2 parameter when EAP-TLS is used within the inner tunnel):
1330# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
1331# TLS library, these may be disabled by default to enforce stronger
1332# security)
1333# tls_disable_time_checks=1 - ignore certificate validity time (this requests
1334# the TLS library to accept certificates even if they are not currently
1335# valid, i.e., have expired or have not yet become valid; this should be
1336# used only for testing purposes)
1337# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
1338# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
1339# Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
1340# as a workaround for broken authentication server implementations unless
Dmitry Shmidtaf9da312015-04-03 10:03:11 -07001341# EAP workarounds are disabled with eap_workaround=0.
Dmitry Shmidt61d9df32012-08-29 16:22:06 -07001342# For EAP-FAST, this must be set to 0 (or left unconfigured for the
1343# default value to be used automatically).
Dmitry Shmidtd80a4012015-11-05 16:35:40 -08001344# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
Hai Shalom74f70d42019-02-11 14:42:39 -08001345# tls_disable_tlsv1_0=0 - explicitly enable use of TLSv1.0 (this allows
1346# systemwide TLS policies to be overridden)
Dmitry Shmidt13ca8d82014-02-20 10:18:40 -08001347# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
1348# that have issues interoperating with updated TLS version)
Hai Shalom74f70d42019-02-11 14:42:39 -08001349# tls_disable_tlsv1_1=0 - explicitly enable use of TLSv1.1 (this allows
1350# systemwide TLS policies to be overridden)
Dmitry Shmidt13ca8d82014-02-20 10:18:40 -08001351# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
1352# that have issues interoperating with updated TLS version)
Hai Shalom74f70d42019-02-11 14:42:39 -08001353# tls_disable_tlsv1_2=0 - explicitly enable use of TLSv1.2 (this allows
1354# systemwide TLS policies to be overridden)
Roshan Pius3a1667e2018-07-03 15:17:14 -07001355# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers
1356# that have issues interoperating with updated TLS version)
Hai Shalom74f70d42019-02-11 14:42:39 -08001357# tls_disable_tlsv1_3=0 - enable TLSv1.3 (experimental - disabled by default)
Dmitry Shmidt55840ad2015-12-14 12:45:46 -08001358# tls_ext_cert_check=0 - No external server certificate validation (default)
1359# tls_ext_cert_check=1 - External server certificate validation enabled; this
1360# requires an external program doing validation of server certificate
1361# chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
1362# interface and report the result of the validation with
1363# CTRL-RSP_EXT_CERT_CHECK.
Dmitry Shmidtd2986c22017-10-23 14:22:09 -07001364# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
1365# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
1366# particular when using Suite B with RSA keys of >= 3K (3072) bits
Dmitry Shmidt61d9df32012-08-29 16:22:06 -07001367#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001368# Following certificate/private key fields are used in inner Phase2
1369# authentication when using EAP-TTLS or EAP-PEAP.
1370# ca_cert2: File path to CA certificate file. This file can have one or more
1371# trusted CA certificates. If ca_cert2 and ca_path2 are not included,
1372# server certificate will not be verified. This is insecure and a trusted
1373# CA certificate should always be configured.
1374# ca_path2: Directory path for CA certificate files (PEM)
1375# client_cert2: File path to client certificate file
1376# private_key2: File path to client private key file
1377# private_key2_passwd: Password for private key file
1378# dh_file2: File path to DH/DSA parameters file (in PEM format)
1379# subject_match2: Substring to be matched against the subject of the
Dmitry Shmidtff787d52015-01-12 13:01:47 -08001380# authentication server certificate. See subject_match for more details.
1381# altsubject_match2: Semicolon separated string of entries to be matched
1382# against the alternative subject name of the authentication server
1383# certificate. See altsubject_match documentation for more details.
1384# domain_suffix_match2: Constraint for server domain name. See
1385# domain_suffix_match for more details.
Hai Shalomc3565922019-10-28 11:58:20 -07001386# ocsp2: See ocsp for more details.
1387#
1388# Separate machine credentials can be configured for EAP-TEAP Phase 2 with
1389# "machine_" prefix (e.g., "machine_identity") in the configuration parameters.
1390# See the parameters without that prefix for more details on the meaning and
1391# format of each such parameter.
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001392#
1393# fragment_size: Maximum EAP fragment size in bytes (default 1398).
1394# This value limits the fragment size for EAP methods that support
1395# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
1396# small enough to make the EAP messages fit in MTU of the network
1397# interface used for EAPOL. The default value is suitable for most
1398# cases.
1399#
Dmitry Shmidt34af3062013-07-11 10:46:32 -07001400# ocsp: Whether to use/require OCSP to check server certificate
1401# 0 = do not use OCSP stapling (TLS certificate status extension)
1402# 1 = try to use OCSP stapling, but not require response
1403# 2 = require valid OCSP stapling response
Dmitry Shmidt014a3ff2015-12-28 13:27:49 -08001404# 3 = require valid OCSP stapling response for all not-trusted
1405# certificates in the server certificate chain
Dmitry Shmidt34af3062013-07-11 10:46:32 -07001406#
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -08001407# openssl_ciphers: OpenSSL specific cipher configuration
1408# This can be used to override the global openssl_ciphers configuration
1409# parameter (see above).
1410#
1411# erp: Whether EAP Re-authentication Protocol (ERP) is enabled
1412#
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001413# EAP-FAST variables:
1414# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
1415# to create this file and write updates to it when PAC is being
1416# provisioned or refreshed. Full path to the file should be used since
1417# working directory may change when wpa_supplicant is run in the
1418# background. Alternatively, a named configuration blob can be used by
1419# setting this to blob://<blob name>
1420# phase1: fast_provisioning option can be used to enable in-line provisioning
1421# of EAP-FAST credentials (PAC):
1422# 0 = disabled,
1423# 1 = allow unauthenticated provisioning,
1424# 2 = allow authenticated provisioning,
1425# 3 = allow both unauthenticated and authenticated provisioning
1426# fast_max_pac_list_len=<num> option can be used to set the maximum
1427# number of PAC entries to store in a PAC list (default: 10)
1428# fast_pac_format=binary option can be used to select binary format for
1429# storing PAC entries in order to save some space (the default
1430# text format uses about 2.5 times the size of minimal binary
1431# format)
1432#
1433# wpa_supplicant supports number of "EAP workarounds" to work around
1434# interoperability issues with incorrectly behaving authentication servers.
1435# These are enabled by default because some of the issues are present in large
1436# number of authentication servers. Strict EAP conformance mode can be
1437# configured by disabling workarounds with eap_workaround=0.
1438
Dmitry Shmidtde47be72016-01-07 12:52:55 -08001439# update_identifier: PPS MO ID
1440# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
Roshan Pius3a1667e2018-07-03 15:17:14 -07001441#
1442# roaming_consortium_selection: Roaming Consortium Selection
1443# The matching Roaming Consortium OI that was used to generate this
1444# network profile.
Dmitry Shmidtde47be72016-01-07 12:52:55 -08001445
Dmitry Shmidt04949592012-07-19 12:16:46 -07001446# Station inactivity limit
1447#
1448# If a station does not send anything in ap_max_inactivity seconds, an
1449# empty data frame is sent to it in order to verify whether it is
1450# still in range. If this frame is not ACKed, the station will be
1451# disassociated and then deauthenticated. This feature is used to
1452# clear station table of old entries when the STAs move out of the
1453# range.
1454#
1455# The station can associate again with the AP if it is still in range;
1456# this inactivity poll is just used as a nicer way of verifying
1457# inactivity; i.e., client will not report broken connection because
1458# disassociation frame is not sent immediately without first polling
1459# the STA with a data frame.
1460# default: 300 (i.e., 5 minutes)
1461#ap_max_inactivity=300
1462
1463# DTIM period in Beacon intervals for AP mode (default: 2)
1464#dtim_period=2
1465
Dmitry Shmidt7a5e50a2013-03-05 12:37:16 -08001466# Beacon interval (default: 100 TU)
1467#beacon_int=100
1468
Dmitry Shmidt849734c2016-05-27 09:59:01 -07001469# WPS in AP mode
1470# 0 = WPS enabled and configured (default)
1471# 1 = WPS disabled
1472#wps_disabled=0
1473
Dmitry Shmidtd2986c22017-10-23 14:22:09 -07001474# FILS DH Group
1475# 0 = PFS disabled with FILS shared key authentication (default)
1476# 1-65535 = DH Group to use for FILS PFS
1477#fils_dh_group=0
1478
Hai Shalomfdcde762020-04-02 11:19:20 -07001479# DPP PFS
1480# 0: allow PFS to be used or not used (default)
1481# 1: require PFS to be used (note: not compatible with DPP R1)
1482# 2: do not allow PFS to be used
1483#dpp_pfs=0
1484
Hai Shalom899fcc72020-10-19 14:38:18 -07001485# Whether Beacon protection is enabled
1486# This depends on management frame protection (ieee80211w) being enabled.
1487#beacon_prot=0
1488
1489# OWE DH Group
1490# 0: use default (19) first and then try all supported groups one by one if AP
1491# rejects the selected group
1492# 1-65535: DH Group to use for OWE
1493# Groups 19 (NIST P-256), 20 (NIST P-384), and 21 (NIST P-521) are
1494# currently supported.
1495#owe_group=0
1496
1497# OWE-only mode (disable transition mode)
1498# 0: enable transition mode (allow connection to either OWE or open BSS)
1499# 1 = disable transition mode (allow connection only with OWE)
1500#owe_only=0
1501
1502# OWE PTK derivation workaround
1503# Initial OWE implementation used SHA256 when deriving the PTK for all
1504# OWE groups. This was supposed to change to SHA384 for group 20 and
1505# SHA512 for group 21. This parameter can be used to enable older
1506# behavior mainly for testing purposes. There is no impact to group 19
1507# behavior, but if enabled, this will make group 20 and 21 cases use
1508# SHA256-based PTK derivation which will not work with the updated
1509# OWE implementation on the AP side.
1510#owe_ptk_workaround=0
1511
1512# Transition Disable indication
1513# The AP can notify authenticated stations to disable transition mode
1514# in their network profiles when the network has completed transition
1515# steps, i.e., once sufficiently large number of APs in the ESS have
1516# been updated to support the more secure alternative. When this
1517# indication is used, the stations are expected to automatically
1518# disable transition mode and less secure security options. This
1519# includes use of WEP, TKIP (including use of TKIP as the group
1520# cipher), and connections without PMF.
1521# Bitmap bits:
1522# bit 0 (0x01): WPA3-Personal (i.e., disable WPA2-Personal = WPA-PSK
1523# and only allow SAE to be used)
1524# bit 1 (0x02): SAE-PK (disable SAE without use of SAE-PK)
1525# bit 2 (0x04): WPA3-Enterprise (move to requiring PMF)
1526# bit 3 (0x08): Enhanced Open (disable use of open network; require
1527# OWE)
1528
1529# SAE-PK mode
1530# 0: automatic SAE/SAE-PK selection based on password; enable
1531# transition mode (allow SAE authentication without SAE-PK)
1532# 1: SAE-PK only (disable transition mode; allow SAE authentication
1533# only with SAE-PK)
1534# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
1535#sae_pk=0
1536
Dmitry Shmidt661b4f72014-09-29 14:58:27 -07001537# MAC address policy
1538# 0 = use permanent MAC address
1539# 1 = use random MAC address for each ESS connection
1540# 2 = like 1, but maintain OUI (with local admin bit set)
1541#mac_addr=0
1542
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -08001543# disable_ht: Whether HT (802.11n) should be disabled.
1544# 0 = HT enabled (if AP supports it)
1545# 1 = HT disabled
1546#
1547# disable_ht40: Whether HT-40 (802.11n) should be disabled.
1548# 0 = HT-40 enabled (if AP supports it)
1549# 1 = HT-40 disabled
1550#
1551# disable_sgi: Whether SGI (short guard interval) should be disabled.
1552# 0 = SGI enabled (if AP supports it)
1553# 1 = SGI disabled
1554#
Dmitry Shmidtdf5a7e42014-04-02 12:59:59 -07001555# disable_ldpc: Whether LDPC should be disabled.
1556# 0 = LDPC enabled (if AP supports it)
1557# 1 = LDPC disabled
1558#
Dmitry Shmidt61593f02014-04-21 16:27:35 -07001559# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
1560# 0 = 40 MHz tolerant (default)
1561# 1 = 40 MHz intolerant
1562#
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -08001563# ht_mcs: Configure allowed MCS rates.
1564# Parsed as an array of bytes, in base-16 (ascii-hex)
1565# ht_mcs="" // Use all available (default)
1566# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only
1567# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only
1568#
1569# disable_max_amsdu: Whether MAX_AMSDU should be disabled.
1570# -1 = Do not make any changes.
1571# 0 = Enable MAX-AMSDU if hardware supports it.
1572# 1 = Disable AMSDU
1573#
Dmitry Shmidt7dba0e52014-04-14 10:49:15 -07001574# ampdu_factor: Maximum A-MPDU Length Exponent
1575# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
1576#
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -08001577# ampdu_density: Allow overriding AMPDU density configuration.
1578# Treated as hint by the kernel.
1579# -1 = Do not make any changes.
1580# 0-3 = Set AMPDU density (aka factor) to specified value.
Hai Shalom74f70d42019-02-11 14:42:39 -08001581#
1582# tx_stbc: Allow overriding STBC support for TX streams
1583# Value: 0-1, see IEEE Std 802.11-2016, 9.4.2.56.2.
1584# -1 = Do not make any changes (default)
1585# 0 = Set if not supported
1586# 1 = Set if supported
1587#
1588# rx_stbc: Allow overriding STBC support for RX streams
1589# Value: 0-3, see IEEE Std 802.11-2016, 9.4.2.56.2.
1590# -1 = Do not make any changes (default)
1591# 0 = Set if not supported
1592# 1 = Set for support of one spatial stream
1593# 2 = Set for support of one and two spatial streams
1594# 3 = Set for support of one, two and three spatial streams
Dmitry Shmidta54fa5f2013-01-15 13:53:35 -08001595
Dmitry Shmidt2f023192013-03-12 12:44:17 -07001596# disable_vht: Whether VHT should be disabled.
1597# 0 = VHT enabled (if AP supports it)
1598# 1 = VHT disabled
1599#
1600# vht_capa: VHT capabilities to set in the override
1601# vht_capa_mask: mask of VHT capabilities
1602#
1603# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
1604# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
1605# 0: MCS 0-7
1606# 1: MCS 0-8
1607# 2: MCS 0-9
1608# 3: not supported
1609
Hai Shalom74f70d42019-02-11 14:42:39 -08001610# multi_ap_backhaul_sta: Multi-AP backhaul STA functionality
1611# 0 = normal STA (default)
1612# 1 = backhaul STA
1613# A backhaul STA sends the Multi-AP IE, fails to associate if the AP does not
1614# support Multi-AP, and sets 4-address mode if it does. Thus, the netdev can be
1615# added to a bridge to allow forwarding frames over this backhaul link.
1616
Dmitry Shmidtd80a4012015-11-05 16:35:40 -08001617##### Fast Session Transfer (FST) support #####################################
1618#
1619# The options in this section are only available when the build configuration
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001620# option CONFIG_FST is set while compiling wpa_supplicant. They allow this
1621# interface to be a part of FST setup.
Dmitry Shmidtd80a4012015-11-05 16:35:40 -08001622#
1623# FST is the transfer of a session from a channel to another channel, in the
1624# same or different frequency bands.
1625#
Dmitry Shmidtaca489e2016-09-28 15:44:14 -07001626# For details, see IEEE Std 802.11ad-2012.
Dmitry Shmidtd80a4012015-11-05 16:35:40 -08001627
1628# Identifier of an FST Group the interface belongs to.
1629#fst_group_id=bond0
1630
1631# Interface priority within the FST Group.
1632# Announcing a higher priority for an interface means declaring it more
1633# preferable for FST switch.
1634# fst_priority is in 1..255 range with 1 being the lowest priority.
1635#fst_priority=100
1636
1637# Default LLT value for this interface in milliseconds. The value used in case
1638# no value provided during session setup. Default is 50 msec.
1639# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
1640# Transitioning between states).
1641#fst_llt=100
1642
Hai Shalom81f62d82019-07-22 12:10:00 -07001643# BSS Transition Management
1644# disable_btm - Disable BSS transition management in STA
1645# Set to 0 to enable BSS transition management (default behavior)
1646# Set to 1 to disable BSS transition management
1647#disable_btm=0
1648
Dennis Jeone2cb56b2020-10-23 21:23:01 +09001649# This value is used to set where to perform roaming logic
1650# Set to 0 to handle roaming logic fully in supplicant
1651# Set to 1 to skip roaming logic in supplicant and handle it in firmware
1652# In supplicant, just parse BTM frame and notify framework
1653#btm_offload=0
1654
Hai Shalomc3565922019-10-28 11:58:20 -07001655# Enable EDMG capability in STA/AP mode, default value is false
1656#enable_edmg=1
1657
1658# This value is used to configure the channel bonding feature.
1659# Default value is 0.
1660# Relevant only if enable_edmg is true
1661# In AP mode it defines the EDMG channel to use for AP operation.
1662# In STA mode it defines the EDMG channel for connection (if supported by AP).
1663#edmg_channel=9
1664
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001665# Example blocks:
1666
1667# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
1668network={
1669 ssid="simple"
1670 psk="very secret passphrase"
1671 priority=5
1672}
1673
1674# Same as previous, but request SSID-specific scanning (for APs that reject
1675# broadcast SSID)
1676network={
1677 ssid="second ssid"
1678 scan_ssid=1
1679 psk="very secret passphrase"
1680 priority=2
1681}
1682
1683# Only WPA-PSK is used. Any valid cipher combination is accepted.
1684network={
1685 ssid="example"
1686 proto=WPA
1687 key_mgmt=WPA-PSK
1688 pairwise=CCMP TKIP
1689 group=CCMP TKIP WEP104 WEP40
1690 psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
1691 priority=2
1692}
1693
1694# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
1695network={
1696 ssid="example"
1697 proto=WPA
1698 key_mgmt=WPA-PSK
1699 pairwise=TKIP
1700 group=TKIP
1701 psk="not so secure passphrase"
1702 wpa_ptk_rekey=600
1703}
1704
1705# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
1706# or WEP40 as the group cipher will not be accepted.
1707network={
1708 ssid="example"
1709 proto=RSN
1710 key_mgmt=WPA-EAP
1711 pairwise=CCMP TKIP
1712 group=CCMP TKIP
1713 eap=TLS
1714 identity="user@example.com"
1715 ca_cert="/etc/cert/ca.pem"
1716 client_cert="/etc/cert/user.pem"
1717 private_key="/etc/cert/user.prv"
1718 private_key_passwd="password"
1719 priority=1
1720}
1721
1722# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
1723# (e.g., Radiator)
1724network={
1725 ssid="example"
1726 key_mgmt=WPA-EAP
1727 eap=PEAP
1728 identity="user@example.com"
1729 password="foobar"
1730 ca_cert="/etc/cert/ca.pem"
1731 phase1="peaplabel=1"
1732 phase2="auth=MSCHAPV2"
1733 priority=10
1734}
1735
1736# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
1737# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
1738network={
1739 ssid="example"
1740 key_mgmt=WPA-EAP
1741 eap=TTLS
1742 identity="user@example.com"
1743 anonymous_identity="anonymous@example.com"
1744 password="foobar"
1745 ca_cert="/etc/cert/ca.pem"
1746 priority=2
1747}
1748
1749# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
1750# use. Real identity is sent only within an encrypted TLS tunnel.
1751network={
1752 ssid="example"
1753 key_mgmt=WPA-EAP
1754 eap=TTLS
1755 identity="user@example.com"
1756 anonymous_identity="anonymous@example.com"
1757 password="foobar"
1758 ca_cert="/etc/cert/ca.pem"
1759 phase2="auth=MSCHAPV2"
1760}
1761
1762# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
1763# authentication.
1764network={
1765 ssid="example"
1766 key_mgmt=WPA-EAP
1767 eap=TTLS
1768 # Phase1 / outer authentication
1769 anonymous_identity="anonymous@example.com"
1770 ca_cert="/etc/cert/ca.pem"
1771 # Phase 2 / inner authentication
1772 phase2="autheap=TLS"
1773 ca_cert2="/etc/cert/ca2.pem"
1774 client_cert2="/etc/cer/user.pem"
1775 private_key2="/etc/cer/user.prv"
1776 private_key2_passwd="password"
1777 priority=2
1778}
1779
1780# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
1781# group cipher.
1782network={
1783 ssid="example"
1784 bssid=00:11:22:33:44:55
1785 proto=WPA RSN
1786 key_mgmt=WPA-PSK WPA-EAP
1787 pairwise=CCMP
1788 group=CCMP
1789 psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
1790}
1791
1792# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
1793# and all valid ciphers.
1794network={
1795 ssid=00010203
1796 psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
1797}
1798
1799
1800# EAP-SIM with a GSM SIM or USIM
1801network={
1802 ssid="eap-sim-test"
1803 key_mgmt=WPA-EAP
1804 eap=SIM
1805 pin="1234"
1806 pcsc=""
1807}
1808
1809
1810# EAP-PSK
1811network={
1812 ssid="eap-psk-test"
1813 key_mgmt=WPA-EAP
1814 eap=PSK
1815 anonymous_identity="eap_psk_user"
1816 password=06b4be19da289f475aa46a33cb793029
1817 identity="eap_psk_user@example.com"
1818}
1819
1820
1821# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
1822# EAP-TLS for authentication and key generation; require both unicast and
1823# broadcast WEP keys.
1824network={
1825 ssid="1x-test"
1826 key_mgmt=IEEE8021X
1827 eap=TLS
1828 identity="user@example.com"
1829 ca_cert="/etc/cert/ca.pem"
1830 client_cert="/etc/cert/user.pem"
1831 private_key="/etc/cert/user.prv"
1832 private_key_passwd="password"
1833 eapol_flags=3
1834}
1835
1836
1837# LEAP with dynamic WEP keys
1838network={
1839 ssid="leap-example"
1840 key_mgmt=IEEE8021X
1841 eap=LEAP
1842 identity="user"
1843 password="foobar"
1844}
1845
1846# EAP-IKEv2 using shared secrets for both server and peer authentication
1847network={
1848 ssid="ikev2-example"
1849 key_mgmt=WPA-EAP
1850 eap=IKEV2
1851 identity="user"
1852 password="foobar"
1853}
1854
1855# EAP-FAST with WPA (WPA or WPA2)
1856network={
1857 ssid="eap-fast-test"
1858 key_mgmt=WPA-EAP
1859 eap=FAST
1860 anonymous_identity="FAST-000102030405"
1861 identity="username"
1862 password="password"
1863 phase1="fast_provisioning=1"
1864 pac_file="/etc/wpa_supplicant.eap-fast-pac"
1865}
1866
1867network={
1868 ssid="eap-fast-test"
1869 key_mgmt=WPA-EAP
1870 eap=FAST
1871 anonymous_identity="FAST-000102030405"
1872 identity="username"
1873 password="password"
1874 phase1="fast_provisioning=1"
1875 pac_file="blob://eap-fast-pac"
1876}
1877
1878# Plaintext connection (no WPA, no IEEE 802.1X)
1879network={
1880 ssid="plaintext-test"
1881 key_mgmt=NONE
1882}
1883
1884
1885# Shared WEP key connection (no WPA, no IEEE 802.1X)
1886network={
1887 ssid="static-wep-test"
1888 key_mgmt=NONE
1889 wep_key0="abcde"
1890 wep_key1=0102030405
1891 wep_key2="1234567890123"
1892 wep_tx_keyidx=0
1893 priority=5
1894}
1895
1896
1897# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
1898# IEEE 802.11 authentication
1899network={
1900 ssid="static-wep-test2"
1901 key_mgmt=NONE
1902 wep_key0="abcde"
1903 wep_key1=0102030405
1904 wep_key2="1234567890123"
1905 wep_tx_keyidx=0
1906 priority=5
1907 auth_alg=SHARED
1908}
1909
1910
Dmitry Shmidtfb79edc2014-01-10 10:45:54 -08001911# IBSS/ad-hoc network with RSN
1912network={
1913 ssid="ibss-rsn"
1914 key_mgmt=WPA-PSK
1915 proto=RSN
1916 psk="12345678"
1917 mode=1
1918 frequency=2412
1919 pairwise=CCMP
1920 group=CCMP
1921}
1922
1923# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001924network={
1925 ssid="test adhoc"
1926 mode=1
1927 frequency=2412
1928 proto=WPA
1929 key_mgmt=WPA-NONE
1930 pairwise=NONE
1931 group=TKIP
1932 psk="secret passphrase"
1933}
1934
Dmitry Shmidt6c0da2b2015-01-05 13:08:17 -08001935# open mesh network
1936network={
1937 ssid="test mesh"
1938 mode=5
1939 frequency=2437
1940 key_mgmt=NONE
1941}
1942
1943# secure (SAE + AMPE) network
1944network={
1945 ssid="secure mesh"
1946 mode=5
1947 frequency=2437
1948 key_mgmt=SAE
1949 psk="very secret passphrase"
1950}
1951
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001952
1953# Catch all example that allows more or less all configuration modes
1954network={
1955 ssid="example"
1956 scan_ssid=1
1957 key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
1958 pairwise=CCMP TKIP
1959 group=CCMP TKIP WEP104 WEP40
1960 psk="very secret passphrase"
1961 eap=TTLS PEAP TLS
1962 identity="user@example.com"
1963 password="foobar"
1964 ca_cert="/etc/cert/ca.pem"
1965 client_cert="/etc/cert/user.pem"
1966 private_key="/etc/cert/user.prv"
1967 private_key_passwd="password"
1968 phase1="peaplabel=0"
1969}
1970
1971# Example of EAP-TLS with smartcard (openssl engine)
1972network={
1973 ssid="example"
1974 key_mgmt=WPA-EAP
1975 eap=TLS
1976 proto=RSN
1977 pairwise=CCMP TKIP
1978 group=CCMP TKIP
1979 identity="user@example.com"
1980 ca_cert="/etc/cert/ca.pem"
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001981
Dmitry Shmidtd5ab1b52016-06-21 12:38:41 -07001982 # Certificate and/or key identified by PKCS#11 URI (RFC7512)
1983 client_cert="pkcs11:manufacturer=piv_II;id=%01"
1984 private_key="pkcs11:manufacturer=piv_II;id=%01"
Dmitry Shmidt30f94812012-02-21 17:02:48 -08001985
1986 # Optional PIN configuration; this can be left out and PIN will be
1987 # asked through the control interface
1988 pin="1234"
1989}
1990
1991# Example configuration showing how to use an inlined blob as a CA certificate
1992# data instead of using external file
1993network={
1994 ssid="example"
1995 key_mgmt=WPA-EAP
1996 eap=TTLS
1997 identity="user@example.com"
1998 anonymous_identity="anonymous@example.com"
1999 password="foobar"
2000 ca_cert="blob://exampleblob"
2001 priority=20
2002}
2003
2004blob-base64-exampleblob={
2005SGVsbG8gV29ybGQhCg==
2006}
2007
2008
2009# Wildcard match for SSID (plaintext APs only). This example select any
2010# open AP regardless of its SSID.
2011network={
2012 key_mgmt=NONE
2013}
Dmitry Shmidt51b6ea82013-05-08 10:42:09 -07002014
Dmitry Shmidtff787d52015-01-12 13:01:47 -08002015# Example configuration blacklisting two APs - these will be ignored
2016# for this network.
2017network={
2018 ssid="example"
2019 psk="very secret passphrase"
2020 bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
2021}
2022
2023# Example configuration limiting AP selection to a specific set of APs;
2024# any other AP not matching the masked address will be ignored.
2025network={
2026 ssid="example"
2027 psk="very secret passphrase"
2028 bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
2029}
Dmitry Shmidt51b6ea82013-05-08 10:42:09 -07002030
2031# Example config file that will only scan on channel 36.
2032freq_list=5180
2033network={
2034 key_mgmt=NONE
2035}
Dmitry Shmidt5a1480c2014-05-12 09:46:02 -07002036
2037
Roshan Pius3a1667e2018-07-03 15:17:14 -07002038# Example configuration using EAP-TTLS for authentication and key
2039# generation for MACsec
2040network={
2041 key_mgmt=IEEE8021X
2042 eap=TTLS
2043 phase2="auth=PAP"
2044 anonymous_identity="anonymous@example.com"
2045 identity="user@example.com"
2046 password="secretr"
2047 ca_cert="/etc/cert/ca.pem"
2048 eapol_flags=0
2049 macsec_policy=1
2050}
2051
2052# Example configuration for MACsec with preshared key
2053network={
2054 key_mgmt=NONE
2055 eapol_flags=0
2056 macsec_policy=1
2057 mka_cak=0123456789ABCDEF0123456789ABCDEF
2058 mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
2059 mka_priority=128
2060}