Lines Matching +full:enforce +full:- +full:video +full:- +full:mode

6 # Note: This attribute can be overridden by the values supplied with the '-i'
19 # has been started to change the interface mode). If needed, the bridge
37 # Module bitfield (ORed bitfield of modules that will be logged; -1 = all
53 logger_syslog=-1
55 logger_stdout=-1
72 # run as non-root users. However, since the control interface can be used to
75 # want to allow non-root users to use the control interface, add a new group
89 # (double quoted string, hexdump, printf-escaped string)
94 # UTF-8 SSID: Whether the SSID is to be interpreted using UTF-8 encoding
97 # Country code (ISO/IEC 3166-1). Used to set regulatory domain.
116 # Annex E, Table E-4 (Global operating classes)
146 # Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
167 # Global operating class (IEEE 802.11, Annex E, Table E-4)
173 # ACS tuning - Automatic Channel Selection
178 # acs_num_scans requirement is 1..100 - number of scans to be performed that
186 # acs_chan_bias is a space-separated list of <channel>:<bias> pairs. It can be
202 # Channel list can be provided as range using hyphen ('-') or individual
206 #chanlist=1 6 11-13
210 # Frequency list can be provided as range using hyphen ('-') or individual
214 #freqlist=2437,5985-6105
225 # Default behavior is to include all PSC and non-PSC channels.
256 # RTS/CTS threshold; -1 = disabled (default); range -1..65535
259 rts_threshold=-1
261 # Fragmentation threshold; -1 = disabled (default); range -1, 256..2346
265 fragm_threshold=-1
305 # This applies only to IEEE 802.11b-compatible networks and this should only be
313 # Station MAC address -based authentication
379 # Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
388 # Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
395 # Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
397 # High priority / AC_VI = video
402 # Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
409 # Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
416 # 2 - AC_BK Background
419 # 4 CL AC_VI Video
420 # 5 VI AC_VI Video
425 # PS-Poll frames: AC_BE
427 # Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
433 # note - txop_limit is in units of 32microseconds
434 # note - acm is admission control mandatory flag. 0 = admission control not
436 # note - Here cwMin and cmMax are in exponent form. The actual cw value used
437 # will be (2^n)-1 where n is the value given here. The allowed range for these
442 # WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
443 # Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
452 # Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
460 # Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
462 # High priority / AC_VI = video
468 # Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
476 # Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
478 # Enable Multi-AP functionality
494 # digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
495 # 128-bit (152-bit) WEP is used.
530 # period and require STAs to use protected keep-alive frames)
554 # WDS (4-address frame) mode with per-station virtual interfaces
556 # This mode allows associated stations to use 4-address frames to allow layer 2
563 #wds_bridge=wds-br0
568 # Client isolation can be used to prevent low-level bridging of frames between
590 # Request that the AP will do multicast-to-unicast conversion for ARP, IPv4, and
627 # Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
631 # Note: There are limits on which channels can be used with HT40- and
633 # HT40- and HT40+ use per IEEE 802.11n Annex J:
634 # freq HT40- HT40+
635 # 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
643 # HT-greenfield: [GF] (disabled if not set)
644 # Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
645 # Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
646 # Tx STBC: [TX-STBC] (disabled if not set)
647 # Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
648 # streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
650 # HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
651 # Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
653 # DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
654 # 40 MHz intolerant [40-INTOLERANT] (not advertised if not set)
655 # L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
656 #ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
661 # If set non-zero, require stations to perform scans of overlapping
664 # to non-zero allows 2.4 GHz band AP to move dynamically to a 40 MHz channel if
665 # no co-existence issues with neighboring devices are found.
688 # vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454]
695 # supported_chan_width: [VHT160] [VHT160-80PLUS80]
707 # Short GI for 80 MHz: [SHORT-GI-80]
713 # Short GI for 160 MHz: [SHORT-GI-160]
719 # Tx STBC: [TX-STBC-2BY1]
724 # Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234]
733 # SU Beamformer Capable: [SU-BEAMFORMER]
738 # SU Beamformee Capable: [SU-BEAMFORMEE]
744 # [BF-ANTENNA-2] [BF-ANTENNA-3] [BF-ANTENNA-4]
752 # [SOUNDING-DIMENSION-2] [SOUNDING-DIMENSION-3] [SOUNDING-DIMENSION-4]
758 # MU Beamformer Capable: [MU-BEAMFORMER]
760 # 0 = Not supported or sent by Non-AP STA (default)
763 # VHT TXOP PS: [VHT-TXOP-PS]
764 # Indicates whether or not the AP supports VHT TXOP Power Save Mode
765 # or whether or not the STA is in VHT TXOP Power Save mode
766 # 0 = VHT AP doesn't support VHT TXOP PS mode (OR) VHT STA not in VHT TXOP PS
767 # mode
768 # 1 = VHT AP supports VHT TXOP PS mode (OR) VHT STA is in VHT TXOP power save
769 # mode
771 # +HTC-VHT Capable: [HTC-VHT]
777 # Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7]
778 # Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv
781 # 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets
783 # VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3]
786 # If +HTC-VHTcapable is 1
792 # Reserved if +HTC-VHTcapable is 0
794 # Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN]
799 # Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN]
803 #vht_capab=[SHORT-GI-80][HTC-VHT]
861 # he_bss_color: BSS color (1-63)
886 #he_er_su_disable: Disable 242-tone HE ER SU PPDU reception by the AP
901 # IEEE P802.11ax/D6.1 Annex E, Table E-4).
907 # 16-bit combination of 2-bit values of Max HE-MCS For 1..8 SS; each 2-bit
909 # 0 = HE-MCS 0-7, 1 = HE-MCS 0-9, 2 = HE-MCS 0-11, 3 = not supported
940 # B1 = Non-SRG OBSS PD SR Disallowed
941 # B2 = Non-SRG Offset Present
946 # Non-SRG OBSS PD Max Offset (included if he_spr_sr_control B2=1)
958 # SRG of which the transmitting STA is a member. The value is in range of 0-63.
977 #he_6ghz_max_ampdu_len_exp: Maximum A-MPDU Length Exponent of HE 6 GHz band
978 # capabilities. Indicates the maximum length of A-MPDU pre-EOF padding that
981 # 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets
1014 # See IEEE P802.11-REVme/D4.0, Table E-12 (Regulatory Info subfield encoding)
1021 #reg_def_cli_eirp_psd=-1
1023 #reg_sub_cli_eirp_psd=-1
1026 # This is for the 6 GHz band only. If the interval is set to a non-zero value,
1028 # transmitted for in-band discovery. Refer to
1063 # Annex E.1 - Country information and operating classes).
1073 # 320 MHz channelization in EHT mode.
1076 # 0 = auto-detect by hostapd
1077 # 1 = 320 MHz-1 (channel center frequency 31, 95, 159)
1078 # 2 = 320 MHz-2 (channel center frequency 63, 127, 191)
1082 # Figure 9-1002c (EHT Operation Information field format). Each bit corresponds
1094 # AP MLD - Whether this AP is a part of an AP MLD
1105 ##### IEEE 802.1X-2004 related configuration ##################################
1111 # hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
1117 # defined in IEEE Std 802.1X-2010.
1120 # Optional displayable message sent with EAP Request-Identity. The first \0
1121 # in this string will be converted to ASCII-0 (nul). This can be used to
1129 # 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
1130 # 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
1136 # EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
1142 # Note: Reauthentications may enforce a disconnection, check the related
1152 # EAP Re-authentication Protocol (ERP) authenticator (RFC 6696)
1154 # Whether to initiate EAP authentication with EAP-Initiate/Re-auth-Start before
1155 # EAP-Identity/Request
1158 # Domain name for EAP-Initiate/Re-auth-Start. Omitted from the message if not
1169 # 1: MACsec enabled - Should secure, accept key server's advice to
1172 # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
1174 # - macsec_policy is enabled
1175 # - the key server has decided to enable MACsec
1181 # - macsec_policy is enabled
1182 # - the key server has decided to enable MACsec
1190 # - macsec_replay_protect is enabled
1191 # - the key server has decided to enable MACsec
1193 # 1..2^32-1: number of packets that could be misordered
1197 # - macsec_policy is enabled
1198 # - the key server has decided to enable MACsec
1205 # Range: 1-65534 (default: 1)
1211 # 0 = GCM-AES-128 (default)
1212 # 1 = GCM-AES-256 (default)
1214 # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
1215 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
1216 # In this mode, instances of hostapd can act as MACsec peers. The peer
1218 # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
1219 # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
1220 # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
1221 # (2..64 hex-digits)
1240 # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
1243 # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
1246 # Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
1268 #server_cert2=/etc/hostapd.server-ecc.pem
1269 #private_key2=/etc/hostapd.server-ecc.prv
1335 # abbreviated handshake when using EAP-TLS/TTLS/PEAP.
1340 # [ALLOW-SIGN-RSA-MD5] = allow MD5-based certificate signatures (depending on
1341 # the TLS library, these may be disabled by default to enforce stronger
1343 # [DISABLE-TIME-CHECKS] = ignore certificate validity time (this requests
1347 # [DISABLE-TLSv1.0] = disable use of TLSv1.0
1348 # [ENABLE-TLSv1.0] = explicitly enable use of TLSv1.0 (this allows
1350 # [DISABLE-TLSv1.1] = disable use of TLSv1.1
1351 # [ENABLE-TLSv1.1] = explicitly enable use of TLSv1.1 (this allows
1353 # [DISABLE-TLSv1.2] = disable use of TLSv1.2
1354 # [ENABLE-TLSv1.2] = explicitly enable use of TLSv1.2 (this allows
1356 # [DISABLE-TLSv1.3] = disable use of TLSv1.3
1357 # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default)
1372 # -no_nonce \
1373 # -CAfile /etc/hostapd.ca.pem \
1374 # -issuer /etc/hostapd.ca.pem \
1375 # -cert /etc/hostapd.server.pem \
1376 # -url http://ocsp.example.com:8888/ \
1377 # -respout /tmp/ocsp-cache.der
1378 #ocsp_stapling_response=/tmp/ocsp-cache.der
1383 #ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der
1390 # parameter is not set. DH parameters are required if anonymous EAP-FAST is
1393 # "openssl dhparam -out /etc/hostapd.dh.pem 2048"
1409 # curves for EAP-TLS/TTLS/PEAP/FAST server. If not set, automatic curve
1413 # P-521:P-384:P-256). This is applicable only if hostapd is built to use
1417 #openssl_ecdh_curves=P-521:P-384:P-256
1422 # Finite cyclic group for EAP-pwd. Number maps to group of domain parameters
1426 # Configuration data for EAP-SIM database/authentication gateway interface.
1435 # EAP-SIM DB request timeout
1440 # Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret,
1441 # random value. It is configured as a 16-octet value in hex format. It can be
1443 # od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' '
1446 # EAP-FAST authority identity (A-ID)
1447 # A-ID indicates the identity of the authority that issues PACs. The A-ID
1449 # length field, but due to some existing implementations requiring A-ID to be
1455 # EAP-FAST authority identifier information (A-ID-Info)
1456 # This is a user-friendly name for the A-ID. For example, the enterprise name
1457 # and server name in a human-readable format. This field is encoded as UTF-8.
1460 # Enable/disable different EAP-FAST provisioning modes:
1467 # EAP-FAST PAC-Key lifetime in seconds (hard limit)
1470 # EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard
1471 # limit). The server will generate a new PAC-Key when this number of seconds
1475 # EAP-TEAP authentication type
1477 # 1 = Basic-Password-Auth
1482 # EAP-TEAP authentication behavior when using PAC
1484 # 1 = skip inner authentication (inner EAP/Basic-Password-Auth)
1487 # EAP-TEAP behavior with Result TLV
1488 # 0 = include with Intermediate-Result TLV (default)
1492 # EAP-TEAP identities
1501 # EAP-TEAP tunneled EAP method behavior
1503 # crypto-binding of the previous one.
1504 # 1 = complete crypto-binding before starting the next EAP method
1507 # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
1511 # EAP-SIM and EAP-AKA identity options
1517 # EAP-Response/Identity to be used without method specific identity exchange
1519 # EAP-Response/Identity to be used without method specific identity exchange
1521 # EAP-Response/Identity to be used without method specific identity exchange
1523 # EAP-Response/Identity to be used without method specific identity exchange
1526 # IMSI privacy key (PEM encoded RSA 2048-bit private key) for decrypting
1527 # permanent identity when using EAP-SIM/AKA/AKA'.
1528 #imsi_privacy_key=imsi-privacy-key.pem
1530 # EAP-SIM and EAP-AKA fast re-authentication limit
1531 # Maximum number of fast re-authentications allowed after each full
1537 # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
1541 # EAP Re-authentication Protocol (ERP) - RFC 6696
1551 # The own IP address of the access point (used as NAS-IP-Address)
1554 # NAS-Identifier string for RADIUS messages. When used, this should be unique
1559 # (Accounting-On/Off messages are interpreted as clearing all ongoing sessions
1561 # NAS-Identifier value is used.) For example, a fully qualified domain name
1623 # Message-Authenticator attribute requirement for non-EAP cases
1624 # hostapd requires Message-Authenticator attribute to be included in all cases
1631 # 0 = Do not require Message-Authenticator in MAC ACL response
1632 # 1 = Require Message-Authenticator in all authentication cases (default)
1638 # possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this
1645 # Request Chargeable-User-Identity (RFC 4372)
1647 # RADIUS server by including Chargeable-User-Identity attribute into
1648 # Access-Request packets.
1651 # Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
1653 # attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
1654 # Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
1657 # Dynamic VLAN mode is also used with VLAN ID assignment based on WPA/WPA2
1664 # Per-Station AP_VLAN interface mode
1666 # This implies per-station group keying and ebtables filtering of inter-STA
1670 # Otherwise, it will be added to the per-VLAN bridge.
1675 # VLAN interface list for dynamic VLAN mode is read from a separate text file.
1682 # to <bss-iface>.<vlan-id> interfaces.
1705 # Arbitrary RADIUS attributes can be added into Access-Request and
1706 # Accounting-Request packets by specifying the contents of the attributes with
1711 # attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific)
1712 # syntax: s = string (UTF-8), d = integer, x = octet string
1717 # Additional Access-Request attributes
1720 # Operator-Name = "Operator"
1722 # Service-Type = Framed (2)
1724 # Connect-Info = "testing" (this overrides the automatically generated value)
1726 # Same Connect-Info value set as a hexdump
1730 # Additional Accounting-Request attributes
1733 # Operator-Name = "Operator"
1740 # id | sta | reqtype | attr : multi-key (sta, reqtype)
1753 # This is disabled by default. Set radius_das_port to non-zero UDP port
1762 # DAS Event-Timestamp time window in seconds
1765 # DAS require Event-Timestamp
1768 # DAS require Message-Authenticator
1796 # WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
1797 # wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
1799 # For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
1800 # RADIUS authentication server must be configured, and WPA-EAP must be included
1808 # wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
1822 # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
1842 # Tunnel-Password
1844 # Tunnel-Password
1845 # 3 = ask RADIUS server during 4-way handshake if there is no locally
1848 # The Tunnel-Password attribute in Access-Accept can contain either the
1853 # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
1854 # entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
1855 # added to enable SHA256-based stronger algorithms.
1856 # WPA-PSK = WPA-Personal / WPA2-Personal
1857 # WPA-PSK-SHA256 = WPA2-Personal using SHA256
1858 # WPA-EAP = WPA-Enterprise / WPA2-Enterprise
1859 # WPA-EAP-SHA256 = WPA2-Enterprise using SHA256
1860 # SAE = SAE (WPA3-Personal)
1861 # WPA-EAP-SUITE-B-192 = WPA3-Enterprise with 192-bit security/CNSA suite
1862 # FT-PSK = FT with passphrase/PSK
1863 # FT-EAP = FT with EAP
1864 # FT-EAP-SHA384 = FT with EAP using SHA384
1865 # FT-SAE = FT with SAE
1866 # FILS-SHA256 = Fast Initial Link Setup with SHA256
1867 # FILS-SHA384 = Fast Initial Link Setup with SHA384
1868 # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
1869 # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
1874 #wpa_key_mgmt=WPA-PSK WPA-EAP
1878 # CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
1880 # CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
1881 # GCMP = Galois/counter mode protocol (GCMP-128)
1882 # GCMP-256 = Galois/counter mode protocol with 256-bit key
1914 # The number of times EAPOL-Key Message 1/2 in the RSN Group Key Handshake is
1927 # Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
1949 # The number of times EAPOL-Key Message 1/4 and Message 3/4 in the RSN 4-Way
1950 # Handshake are retried per 4-Way Handshake attempt.
1957 # This parameter can be used to disable retransmission of EAPOL-Key frames that
1958 # are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This
1963 # EAPOL-Key messages.
1969 # station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
1970 # CVE-2017-13080, and CVE-2017-13081.
1979 # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
1980 # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
1985 # Space separated list of interfaces from which pre-authentication frames are
1990 # pre-authentication is only used with APs other than the currently associated
2001 # PMF enabled: ieee80211w=1 and wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256
2002 # PMF required: ieee80211w=2 and wpa_key_mgmt=WPA-EAP-SHA256
2003 # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
2004 # WPA3-Personal-only mode: ieee80211w=2 and wpa_key_mgmt=SAE
2007 # Default: AES-128-CMAC (BIP)
2009 # BIP-GMAC-128
2010 # BIP-GMAC-256
2011 # BIP-CMAC-256
2013 # selected cipher. The default AES-128-CMAC is the only option that is commonly
2015 #group_mgmt_cipher=AES-128-CMAC
2035 # This is a countermeasure against multi-channel on-path attacks.
2042 # 2 = enabled in workaround mode - Allow STA that claims OCV capability to
2049 # EAPOL-Key msg 2/4/FT Reassociation Request frame/FILS (Re)Association
2051 # with the STA. Enabling this workaround mode reduced OCV protection to
2075 # wpa_passphrase follows the WPA-PSK constraints (8..63 characters) even though
2077 # WPA-PSK and both values are set, SAE uses the sae_password values and WPA-PSK
2093 # If the password identifier (with non-zero length) is included, the entry is
2102 #[|pk=<m:ECPrivateKey-base64>][|id=<identifier>]
2113 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
2115 # same time before the anti-clogging mechanism is taken into use.
2126 # 256-bit prime order field). This configuration parameter can be used to
2130 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
2133 # group 19 (ECC, NIST P-256) are unlikely to be useful for production use cases
2138 # This parameter can be used to enforce negotiation of MFP for all associations
2139 # that negotiate use of SAE. This is used in cases where SAE-capable devices are
2140 # known to be MFP-capable and the BSS is configured with optional MFP
2141 # (ieee80211w=1) for legacy support. The non-SAE stations can connect without
2153 # 0 = hunting-and-pecking loop only (default without password identifier)
2154 # 1 = hash-to-element only (default with password identifier)
2155 # 2 = both hunting-and-pecking loop and hash-to-element enabled
2157 # hash-to-element mechanism has received more interoperability testing.
2158 # When using SAE password identifier, the hash-to-element mechanism is used
2162 # FILS Cache Identifier (16-bit value in hexdump format)
2167 # of realms is used to define which realms (used in keyName-NAI by the client)
2174 # 1-65535 DH Group to use for FILS PFS
2178 # OWE implementations are required to support group 19 (NIST P-256). All groups
2183 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10
2192 # appropriate hash function is tried first and if that fails, SHA256-based PTK
2199 # OWE transition mode configuration
2204 # Alternatively, OWE transition mode BSSID/SSID can be configured with a
2237 # If fils_discovery_max_interval is non-zero, the AP enables FILS Discovery
2239 # of 0-10000. fils_discovery_min_interval defaults to 20.
2246 # The AP can notify authenticated stations to disable transition mode in their
2250 # expected to automatically disable transition mode and less secure security
2254 # bit 0 (0x01): WPA3-Personal (i.e., disable WPA2-Personal = WPA-PSK and only
2256 # bit 1 (0x02): SAE-PK (disable SAE without use of SAE-PK)
2257 # bit 2 (0x04): WPA3-Enterprise (move to requiring PMF)
2263 # PASN implementations are required to support group 19 (NIST P-256). If this
2267 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10
2282 # SSID protection in 4-way handshake
2283 # The IEEE 802.11i-2004 RSN design did not provide means for protecting the
2285 # 4-way handshake. This capability allows a STA to confirm that the AP has the
2288 # This can be used to mitigate CVE-2023-52424 (a.k.a. the SSID Confusion
2296 # 0 = SSID protection in 4-way handshake disabled (default)
2297 # 1 = SSID protection in 4-way handshake enabled
2306 # 2-octet identifier as a hex string.
2309 # PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
2313 # Default lifetime of the PMK-R0 in seconds; range 60..4294967295
2318 # Maximum lifetime for PMK-R1; applied only if not zero
2319 # PMK-R1 is removed at latest after this limit.
2320 # Removing any PMK-R1 for expiry can be disabled by setting this to -1.
2324 # PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
2325 # 6-octet identifier as a hex string.
2334 # format: <MAC address> <NAS Identifier> <256-bit key as hex string>
2335 # This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
2336 # address when requesting PMK-R1 key from the R0KH that the STA used during the
2338 #r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f000102030405060708090a0b…
2339 #r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff00112233445566778899aabb…
2348 # format: <MAC address> <R1KH-ID> <256-bit key as hex string>
2349 # This list is used to map R1KH-ID to a destination MAC address when sending
2350 # PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
2351 # that can request PMK-R1 keys.
2367 # Special values: 0 -> do not expire
2371 # Timeout (milliseconds) for requesting PMK-R1 from R0KH using PULL request
2377 # Special values: 0 -> do not cache
2381 # Note: The R0KH/R1KH keys used to be 128-bit in length before the message
2384 # 256-bit key is derived from it. For new deployments, configuring the 256-bit
2387 # Whether PMK-R1 push is enabled at R0KH
2388 # 0 = do not push PMK-R1 to all configured R1KHs (default)
2389 # 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
2392 # Whether to enable FT-over-DS
2393 # 0 = FT-over-DS disabled
2394 # 1 = FT-over-DS enabled (default)
2398 # This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks as
2432 # Do not reply to group-addressed Probe Request from a station that was seen on
2438 # frame handling from replying to group-addressed Probe Request frames from a
2460 ##### Wi-Fi Protected Setup (WPS) #############################################
2471 # of interfaces. If this is set to non-zero for an interface, WPS commands
2485 #uuid=12345678-9abc-def0-1234-56789abcdef0
2487 # Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
2490 # per-device PSKs is recommended as the more secure option (i.e., make sure to
2491 # set wpa_psk_file when using WPS with WPA-PSK).
2502 # User-friendly description of device; up to 32 octets encoded in UTF-8
2522 # Used format: <categ>-<OUI>-<subcateg>
2524 # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
2526 # subcateg = OUI-specific Sub Category as an integer value
2528 # 1-0050F204-1 (Computer / PC)
2529 # 1-0050F204-2 (Computer / Server)
2530 # 5-0050F204-1 (Storage / NAS)
2531 # 6-0050F204-1 (Network Infrastructure / AP)
2532 #device_type=6-0050F204-1
2535 # 4-octet operating system version number (hex string)
2568 # be replaced with pre-configured Credential(s).
2572 # This option can be used to add pre-configured Credential attributes into M8
2595 # Whether to enable SAE (WPA3-Personal transition mode) automatically for
2596 # WPA2-PSK credentials received using WPS.
2597 # 0 = only add the explicitly listed WPA2-PSK configuration (default)
2598 # 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the
2599 # AP gets configured in WPA3-Personal transition mode (supports both
2600 # WPA2-Personal (PSK) and WPA3-Personal (SAE) clients).
2606 # with pre-configured attributes. This is similar to extra_cred file format,
2611 # Multi-AP backhaul BSS config
2614 # if the Enrollee has the Multi-AP subelement set. Backhaul SSID is formatted
2620 # Multi-AP Profile
2621 # Indicate the supported Multi-AP profile (default: 2)
2622 # 1 = Supports Multi-AP profile 1 as defined in Wi-Fi EasyMesh specification
2623 # 2 = Supports Multi-AP profile 2 as defined in Wi-Fi EasyMesh specification
2626 # Multi-AP client disallow
2628 # Bitmap of the disallowed Profile-X profiles
2629 # 1 = Profile-1 Backhaul STA association disallowed
2630 # 2 = Profile-2 Backhaul STA association disallowed
2633 # Multi-AP VLAN ID
2634 # A valid non-zero VLAN ID will be used to update Default IEEE 802.1Q Setting
2656 # 12-digit, all-numeric code that identifies the consumer package.
2679 # contents of this parameter starts with 16-octet (32 hexdump characters) of
2684 ##### Wi-Fi Direct (P2P) ######################################################
2715 # Controller-as-responder cases covered by the dpp_controller parameter.
2729 #### TDLS (IEEE 802.11z-2010) #################################################
2737 ##### IEEE 802.11v-2011 #######################################################
2744 # Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
2748 # WNM-Sleep Mode (extended sleep mode for stations)
2750 # 1 = enabled (allow stations to use WNM-Sleep Mode)
2753 # WNM-Sleep Mode GTK/IGTK workaround
2754 # Normally, WNM-Sleep Mode exit with management frame protection negotiated
2755 # would result in the current GTK/IGTK getting added into the WNM-Sleep Mode
2758 # configuration parameter can be used to disable that behavior and use EAPOL-Key
2761 # with EAPOL-Key. This is related to station side vulnerabilities CVE-2017-13087
2762 # and CVE-2017-13088. To enable this AP-side workaround, set the parameter to 1.
2775 # IPv6 Neighbor Advertisement multicast-to-unicast conversion
2782 ##### IEEE 802.11u-2011 #######################################################
2815 # The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
2843 # code (ISO-639) separated by colon from the venue name string.
2849 # (double quoted string, printf-escaped string)
2858 #venue_url=1:http://www.example.com/info-eng
2859 #venue_url=2:http://www.example.com/info-fin
2864 # format: <network auth type indicator (1-octet hex str)> [redirect URL]
2867 # 01 = On-line enrollment supported
2874 # format: <1-octet encoded value as hex str>
2879 # 2 = Port-restricted IPv4 address available
2882 # 5 = Port-restricted IPv4 address and single NATed IPv4 address available
2883 # 6 = Port-restricted IPv4 address and double NATed IPv4 address available
2892 # format: <variable-octet str>[,<variable-octet str>]
2893 #domain_name=example.com,another.example.com,yet-another.example.com
2907 # 1 = UTF-8 formatted character string that is not formatted in
2909 # NAI Realm(s): Semi-colon delimited NAI Realm(s)
2912 # http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4
2913 # AuthParam (Table 8-188 in IEEE Std 802.11-2012):
2914 # ID 2 = Non-EAP Inner Authentication Type
2922 # EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with
2926 # Arbitrary ANQP-element configuration
2927 # Additional ANQP-elements with arbitrary values can be defined by specifying
2929 # values will override ANQP-element contents that may have been specified in the
2932 # For example, AP Geospatial Location ANQP-element with unknown location:
2934 # For example, AP Civic Location ANQP-element with unknown location:
2941 # 2 = Force non-compliant behavior (Address3 = AP BSSID for all cases)
2947 # (see IEEE Std 802.11-2012, 8.4.2.97)
2966 # Disable Downstream Group-Addressed Forwarding (DGAF)
2967 # This can be used to configure a network where no group-addressed frames are
2968 # allowed. The AP will not forward any group-address frames to the stations and
2973 # OSU Server-Only Authenticated L2 Encryption Network
2995 # Duples. Each entry has a two or three character language code (ISO-639)
3014 # WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity
3029 # classes in Table E-4 of IEEE Std 802.11-2012 Annex E define the values that
3032 # for example, operating classes 81 (2.4 GHz channels 1-13) and 115 (5 GHz
3033 # channels 36-48):
3039 # indicates in RADIUS Access-Request messages.
3040 #hs20_t_c_filename=terms-and-conditions
3043 # indicates in RADIUS Access-Request messages. Usually, this contains the number
3088 # Operator Icon Metadata ANQO-element.
3100 # 0 = Excluded - AP does not want STA to use the cellular data connection
3108 # BIT(0) - Reserved
3109 # Set BIT(1) (= 2) to enable OCE in STA-CFON mode
3110 # Set BIT(2) (= 4) to enable OCE in AP mode
3114 # RSSI-based association rejection
3117 # Allowed range: -60 to -90 dBm; default = 0 (rejection disabled)
3123 #rssi_reject_assoc_rssi=-75
3130 # Allowed range: -60 to -90 dBm; default = 0 (rejection disabled)
3131 #rssi_ignore_probe_request=-75
3142 # For detals, see IEEE Std 802.11ad-2012.
3197 # Set the airtime policy operating mode:
3200 # 2 = per-BSS dynamic config
3201 # 3 = per-BSS limit mode
3214 # Per-BSS airtime weight. In multi-BSS mode, set for each BSS and hostapd will
3215 # configure station weights to enforce the correct ratio between BSS weights
3226 # no more than half the available airtime, but if the non-limited BSS has more
3233 # Enable EDMG capability for AP mode in the 60 GHz band. Default value is false.
3239 # Configure channel bonding for AP mode in the 60 GHz band.
3263 # Corrupt Key MIC in GTK rekey EAPOL-Key frames with the given probability
3270 # Delay EAPOL-Key messages 1/4 and 3/4 by not sending the frame until the last
3284 # Above configuration is using the default interface (wlan#, or multi-SSID VLAN
3299 # - results in a valid MASK that covers it and the dev_addr
3300 # - is not the same as the MAC address of the radio
3301 # - is not the same as any other explicitly specified BSSID
3304 # hostapd to use the driver auto-generated interface address (e.g., to use the
3326 # IEEE Std 802.11ax-2021 added a feature where instead of multiple interfaces
3331 # the non-transmitting profiles and these are advertised inside the Multiple
3337 # not be able to connect to the non-transmitting interfaces.
3340 # When enabled, the non-transmitting interfaces are split into multiple
3342 # non-transmitting profiles is called the profile periodicity.
3344 # Refer to IEEE Std 802.11-2020 for details regarding the procedure and
3354 # the non-transmitting interfaces should be added using the 'bss' option.
3367 #ssid=<SSID-0>
3368 #bridge=br-lan
3372 #bss=wlan2-1
3380 #ssid=<SSID-1>
3381 #bridge=br-lan