139beb93cSSam Lefflerhostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP 239beb93cSSam Leffler Authenticator and RADIUS authentication server 339beb93cSSam Leffler================================================================ 439beb93cSSam Leffler 5*a90b9d01SCy SchubertCopyright (c) 2002-2024, Jouni Malinen <j@w1.fi> and contributors 639beb93cSSam LefflerAll Rights Reserved. 739beb93cSSam Leffler 8f05cddf9SRui PauloThis program is licensed under the BSD license (the one with 9f05cddf9SRui Pauloadvertisement clause removed). 10f05cddf9SRui Paulo 11f05cddf9SRui PauloIf you are submitting changes to the project, please see CONTRIBUTIONS 12f05cddf9SRui Paulofile for more instructions. 1339beb93cSSam Leffler 1439beb93cSSam Leffler 1539beb93cSSam Leffler 1639beb93cSSam LefflerLicense 1739beb93cSSam Leffler------- 1839beb93cSSam Leffler 19f05cddf9SRui PauloThis software may be distributed, used, and modified under the terms of 20f05cddf9SRui PauloBSD license: 2139beb93cSSam Leffler 2239beb93cSSam LefflerRedistribution and use in source and binary forms, with or without 2339beb93cSSam Lefflermodification, are permitted provided that the following conditions are 2439beb93cSSam Lefflermet: 2539beb93cSSam Leffler 2639beb93cSSam Leffler1. Redistributions of source code must retain the above copyright 2739beb93cSSam Leffler notice, this list of conditions and the following disclaimer. 2839beb93cSSam Leffler 2939beb93cSSam Leffler2. Redistributions in binary form must reproduce the above copyright 3039beb93cSSam Leffler notice, this list of conditions and the following disclaimer in the 3139beb93cSSam Leffler documentation and/or other materials provided with the distribution. 3239beb93cSSam Leffler 3339beb93cSSam Leffler3. Neither the name(s) of the above-listed copyright holder(s) nor the 3439beb93cSSam Leffler names of its contributors may be used to endorse or promote products 3539beb93cSSam Leffler derived from this software without specific prior written permission. 3639beb93cSSam Leffler 3739beb93cSSam LefflerTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 3839beb93cSSam Leffler"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 3939beb93cSSam LefflerLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 4039beb93cSSam LefflerA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 4139beb93cSSam LefflerOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 4239beb93cSSam LefflerSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 4339beb93cSSam LefflerLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 4439beb93cSSam LefflerDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 4539beb93cSSam LefflerTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 4639beb93cSSam Leffler(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 4739beb93cSSam LefflerOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 4839beb93cSSam Leffler 4939beb93cSSam Leffler 5039beb93cSSam Leffler 5139beb93cSSam LefflerIntroduction 5239beb93cSSam Leffler============ 5339beb93cSSam Leffler 5439beb93cSSam LefflerOriginally, hostapd was an optional user space component for Host AP 5539beb93cSSam Lefflerdriver. It adds more features to the basic IEEE 802.11 management 5639beb93cSSam Lefflerincluded in the kernel driver: using external RADIUS authentication 5739beb93cSSam Lefflerserver for MAC address based access control, IEEE 802.1X Authenticator 5839beb93cSSam Lefflerand dynamic WEP keying, RADIUS accounting, WPA/WPA2 (IEEE 802.11i/RSN) 5939beb93cSSam LefflerAuthenticator and dynamic TKIP/CCMP keying. 6039beb93cSSam Leffler 6139beb93cSSam LefflerThe current version includes support for other drivers, an integrated 6239beb93cSSam LefflerEAP server (i.e., allow full authentication without requiring 6339beb93cSSam Leffleran external RADIUS authentication server), and RADIUS authentication 6439beb93cSSam Lefflerserver for EAP authentication. 6539beb93cSSam Leffler 6639beb93cSSam Leffler 6739beb93cSSam LefflerRequirements 6839beb93cSSam Leffler------------ 6939beb93cSSam Leffler 7039beb93cSSam LefflerCurrent hardware/software requirements: 7139beb93cSSam Leffler- drivers: 7239beb93cSSam Leffler Host AP driver for Prism2/2.5/3. 7385732ac8SCy Schubert (http://w1.fi/hostap-driver.html) 7439beb93cSSam Leffler Please note that station firmware version needs to be 1.7.0 or newer 7539beb93cSSam Leffler to work in WPA mode. 7639beb93cSSam Leffler 7739beb93cSSam Leffler mac80211-based drivers that support AP mode (with driver=nl80211). 7839beb93cSSam Leffler This includes drivers for Atheros (ath9k) and Broadcom (b43) 7939beb93cSSam Leffler chipsets. 8039beb93cSSam Leffler 8139beb93cSSam Leffler Any wired Ethernet driver for wired IEEE 802.1X authentication 8239beb93cSSam Leffler (experimental code) 8339beb93cSSam Leffler 8485732ac8SCy Schubert FreeBSD -current 8539beb93cSSam Leffler BSD net80211 layer (e.g., Atheros driver) 8639beb93cSSam Leffler 8739beb93cSSam Leffler 8839beb93cSSam LefflerBuild configuration 8939beb93cSSam Leffler------------------- 9039beb93cSSam Leffler 9139beb93cSSam LefflerIn order to be able to build hostapd, you will need to create a build 9239beb93cSSam Lefflertime configuration file, .config that selects which optional 9339beb93cSSam Lefflercomponents are included. See defconfig file for example configuration 9439beb93cSSam Lefflerand list of available options. 9539beb93cSSam Leffler 9639beb93cSSam Leffler 9739beb93cSSam Leffler 9839beb93cSSam LefflerIEEE 802.1X 9939beb93cSSam Leffler=========== 10039beb93cSSam Leffler 10139beb93cSSam LefflerIEEE Std 802.1X-2001 is a standard for port-based network access 10239beb93cSSam Lefflercontrol. In case of IEEE 802.11 networks, a "virtual port" is used 10339beb93cSSam Lefflerbetween each associated station and the AP. IEEE 802.11 specifies 10439beb93cSSam Lefflerminimal authentication mechanism for stations, whereas IEEE 802.1X 10539beb93cSSam Lefflerintroduces a extensible mechanism for authenticating and authorizing 10639beb93cSSam Lefflerusers. 10739beb93cSSam Leffler 10839beb93cSSam LefflerIEEE 802.1X uses elements called Supplicant, Authenticator, Port 10939beb93cSSam LefflerAccess Entity, and Authentication Server. Supplicant is a component in 11039beb93cSSam Lefflera station and it performs the authentication with the Authentication 11139beb93cSSam LefflerServer. An access point includes an Authenticator that relays the packets 11239beb93cSSam Lefflerbetween a Supplicant and an Authentication Server. In addition, it has a 11339beb93cSSam LefflerPort Access Entity (PAE) with Authenticator functionality for 11439beb93cSSam Lefflercontrolling the virtual port authorization, i.e., whether to accept 11539beb93cSSam Lefflerpackets from or to the station. 11639beb93cSSam Leffler 11739beb93cSSam LefflerIEEE 802.1X uses Extensible Authentication Protocol (EAP). The frames 11839beb93cSSam Lefflerbetween a Supplicant and an Authenticator are sent using EAP over LAN 11939beb93cSSam Leffler(EAPOL) and the Authenticator relays these frames to the Authentication 12039beb93cSSam LefflerServer (and similarly, relays the messages from the Authentication 12139beb93cSSam LefflerServer to the Supplicant). The Authentication Server can be colocated with the 12239beb93cSSam LefflerAuthenticator, in which case there is no need for additional protocol 12339beb93cSSam Lefflerfor EAP frame transmission. However, a more common configuration is to 12439beb93cSSam Leffleruse an external Authentication Server and encapsulate EAP frame in the 12539beb93cSSam Lefflerframes used by that server. RADIUS is suitable for this, but IEEE 12639beb93cSSam Leffler802.1X would also allow other mechanisms. 12739beb93cSSam Leffler 12839beb93cSSam LefflerHost AP driver includes PAE functionality in the kernel driver. It 12939beb93cSSam Leffleris a relatively simple mechanism for denying normal frames going to 13039beb93cSSam Leffleror coming from an unauthorized port. PAE allows IEEE 802.1X related 13139beb93cSSam Lefflerframes to be passed between the Supplicant and the Authenticator even 13239beb93cSSam Leffleron an unauthorized port. 13339beb93cSSam Leffler 13439beb93cSSam LefflerUser space daemon, hostapd, includes Authenticator functionality. It 13539beb93cSSam Lefflerreceives 802.1X (EAPOL) frames from the Supplicant using the wlan#ap 13639beb93cSSam Lefflerdevice that is also used with IEEE 802.11 management frames. The 13739beb93cSSam Lefflerframes to the Supplicant are sent using the same device. 13839beb93cSSam Leffler 13939beb93cSSam LefflerThe normal configuration of the Authenticator would use an external 14039beb93cSSam LefflerAuthentication Server. hostapd supports RADIUS encapsulation of EAP 14139beb93cSSam Lefflerpackets, so the Authentication Server should be a RADIUS server, like 14239beb93cSSam LefflerFreeRADIUS (http://www.freeradius.org/). The Authenticator in hostapd 14339beb93cSSam Lefflerrelays the frames between the Supplicant and the Authentication 14439beb93cSSam LefflerServer. It also controls the PAE functionality in the kernel driver by 14539beb93cSSam Lefflercontrolling virtual port authorization, i.e., station-AP 14639beb93cSSam Lefflerconnection, based on the IEEE 802.1X state. 14739beb93cSSam Leffler 14839beb93cSSam LefflerWhen a station would like to use the services of an access point, it 14939beb93cSSam Lefflerwill first perform IEEE 802.11 authentication. This is normally done 15039beb93cSSam Lefflerwith open systems authentication, so there is no security. After 15139beb93cSSam Lefflerthis, IEEE 802.11 association is performed. If IEEE 802.1X is 15239beb93cSSam Lefflerconfigured to be used, the virtual port for the station is set in 15339beb93cSSam LefflerUnauthorized state and only IEEE 802.1X frames are accepted at this 15439beb93cSSam Lefflerpoint. The Authenticator will then ask the Supplicant to authenticate 15539beb93cSSam Lefflerwith the Authentication Server. After this is completed successfully, 15639beb93cSSam Lefflerthe virtual port is set to Authorized state and frames from and to the 15739beb93cSSam Lefflerstation are accepted. 15839beb93cSSam Leffler 15939beb93cSSam LefflerHost AP configuration for IEEE 802.1X 16039beb93cSSam Leffler------------------------------------- 16139beb93cSSam Leffler 16239beb93cSSam LefflerThe user space daemon has its own configuration file that can be used to 16339beb93cSSam Lefflerdefine AP options. Distribution package contains an example 16439beb93cSSam Lefflerconfiguration file (hostapd/hostapd.conf) that can be used as a basis 16539beb93cSSam Lefflerfor configuration. It includes examples of all supported configuration 16639beb93cSSam Leffleroptions and short description of each option. hostapd should be started 16739beb93cSSam Lefflerwith full path to the configuration file as the command line argument, 16839beb93cSSam Lefflere.g., './hostapd /etc/hostapd.conf'. If you have more that one wireless 16939beb93cSSam LefflerLAN card, you can use one hostapd process for multiple interfaces by 17039beb93cSSam Lefflergiving a list of configuration files (one per interface) in the command 17139beb93cSSam Lefflerline. 17239beb93cSSam Leffler 17339beb93cSSam Lefflerhostapd includes a minimal co-located IEEE 802.1X server which can be 17439beb93cSSam Lefflerused to test IEEE 802.1X authentication. However, it should not be 17539beb93cSSam Lefflerused in normal use since it does not provide any security. This can be 17639beb93cSSam Lefflerconfigured by setting ieee8021x and minimal_eap options in the 17739beb93cSSam Lefflerconfiguration file. 17839beb93cSSam Leffler 17939beb93cSSam LefflerAn external Authentication Server (RADIUS) is configured with 18039beb93cSSam Lefflerauth_server_{addr,port,shared_secret} options. In addition, 18139beb93cSSam Lefflerieee8021x and own_ip_addr must be set for this mode. With such 18239beb93cSSam Lefflerconfiguration, the co-located Authentication Server is not used and EAP 18339beb93cSSam Lefflerframes will be relayed using EAPOL between the Supplicant and the 18439beb93cSSam LefflerAuthenticator and RADIUS encapsulation between the Authenticator and 18539beb93cSSam Lefflerthe Authentication Server. Other than this, the functionality is similar 18639beb93cSSam Lefflerto the case with the co-located Authentication Server. 18739beb93cSSam Leffler 18885732ac8SCy SchubertAuthentication Server 18985732ac8SCy Schubert--------------------- 19039beb93cSSam Leffler 19139beb93cSSam LefflerAny RADIUS server supporting EAP should be usable as an IEEE 802.1X 19239beb93cSSam LefflerAuthentication Server with hostapd Authenticator. FreeRADIUS 19339beb93cSSam Leffler(http://www.freeradius.org/) has been successfully tested with hostapd 19485732ac8SCy SchubertAuthenticator. 19539beb93cSSam Leffler 19639beb93cSSam LefflerAutomatic WEP key configuration 19739beb93cSSam Leffler------------------------------- 19839beb93cSSam Leffler 19939beb93cSSam LefflerEAP/TLS generates a session key that can be used to send WEP keys from 20039beb93cSSam Leffleran AP to authenticated stations. The Authenticator in hostapd can be 20139beb93cSSam Lefflerconfigured to automatically select a random default/broadcast key 20239beb93cSSam Leffler(shared by all authenticated stations) with wep_key_len_broadcast 20339beb93cSSam Leffleroption (5 for 40-bit WEP or 13 for 104-bit WEP). In addition, 20439beb93cSSam Lefflerwep_key_len_unicast option can be used to configure individual unicast 20539beb93cSSam Lefflerkeys for stations. This requires support for individual keys in the 20639beb93cSSam Lefflerstation driver. 20739beb93cSSam Leffler 20839beb93cSSam LefflerWEP keys can be automatically updated by configuring rekeying. This 20939beb93cSSam Lefflerwill improve security of the network since same WEP key will only be 21039beb93cSSam Lefflerused for a limited period of time. wep_rekey_period option sets the 21139beb93cSSam Lefflerinterval for rekeying in seconds. 21239beb93cSSam Leffler 21339beb93cSSam Leffler 21439beb93cSSam LefflerWPA/WPA2 21539beb93cSSam Leffler======== 21639beb93cSSam Leffler 21739beb93cSSam LefflerFeatures 21839beb93cSSam Leffler-------- 21939beb93cSSam Leffler 22039beb93cSSam LefflerSupported WPA/IEEE 802.11i features: 22139beb93cSSam Leffler- WPA-PSK ("WPA-Personal") 22239beb93cSSam Leffler- WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise") 22339beb93cSSam Leffler- key management for CCMP, TKIP, WEP104, WEP40 22439beb93cSSam Leffler- RSN/WPA2 (IEEE 802.11i), including PMKSA caching and pre-authentication 22539beb93cSSam Leffler 22639beb93cSSam LefflerWPA 22739beb93cSSam Leffler--- 22839beb93cSSam Leffler 22939beb93cSSam LefflerThe original security mechanism of IEEE 802.11 standard was not 23039beb93cSSam Lefflerdesigned to be strong and has proved to be insufficient for most 23139beb93cSSam Lefflernetworks that require some kind of security. Task group I (Security) 23239beb93cSSam Lefflerof IEEE 802.11 working group (http://www.ieee802.org/11/) has worked 23339beb93cSSam Lefflerto address the flaws of the base standard and has in practice 23439beb93cSSam Lefflercompleted its work in May 2004. The IEEE 802.11i amendment to the IEEE 23585732ac8SCy Schubert802.11 standard was approved in June 2004 and this amendment was 23685732ac8SCy Schubertpublished in July 2004. 23739beb93cSSam Leffler 23839beb93cSSam LefflerWi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the 23939beb93cSSam LefflerIEEE 802.11i work (draft 3.0) to define a subset of the security 24039beb93cSSam Lefflerenhancements that can be implemented with existing wlan hardware. This 24139beb93cSSam Leffleris called Wi-Fi Protected Access<TM> (WPA). This has now become a 24239beb93cSSam Lefflermandatory component of interoperability testing and certification done 24385732ac8SCy Schubertby Wi-Fi Alliance. 24439beb93cSSam Leffler 24539beb93cSSam LefflerIEEE 802.11 standard defined wired equivalent privacy (WEP) algorithm 24639beb93cSSam Lefflerfor protecting wireless networks. WEP uses RC4 with 40-bit keys, 24739beb93cSSam Leffler24-bit initialization vector (IV), and CRC32 to protect against packet 24839beb93cSSam Lefflerforgery. All these choices have proven to be insufficient: key space is 24939beb93cSSam Lefflertoo small against current attacks, RC4 key scheduling is insufficient 25039beb93cSSam Leffler(beginning of the pseudorandom stream should be skipped), IV space is 25139beb93cSSam Lefflertoo small and IV reuse makes attacks easier, there is no replay 25239beb93cSSam Lefflerprotection, and non-keyed authentication does not protect against bit 25339beb93cSSam Lefflerflipping packet data. 25439beb93cSSam Leffler 25539beb93cSSam LefflerWPA is an intermediate solution for the security issues. It uses 25639beb93cSSam LefflerTemporal Key Integrity Protocol (TKIP) to replace WEP. TKIP is a 25739beb93cSSam Lefflercompromise on strong security and possibility to use existing 25839beb93cSSam Lefflerhardware. It still uses RC4 for the encryption like WEP, but with 25939beb93cSSam Lefflerper-packet RC4 keys. In addition, it implements replay protection, 26039beb93cSSam Lefflerkeyed packet authentication mechanism (Michael MIC). 26139beb93cSSam Leffler 26239beb93cSSam LefflerKeys can be managed using two different mechanisms. WPA can either use 26339beb93cSSam Leffleran external authentication server (e.g., RADIUS) and EAP just like 26439beb93cSSam LefflerIEEE 802.1X is using or pre-shared keys without need for additional 26539beb93cSSam Lefflerservers. Wi-Fi calls these "WPA-Enterprise" and "WPA-Personal", 26639beb93cSSam Lefflerrespectively. Both mechanisms will generate a master session key for 26739beb93cSSam Lefflerthe Authenticator (AP) and Supplicant (client station). 26839beb93cSSam Leffler 26939beb93cSSam LefflerWPA implements a new key handshake (4-Way Handshake and Group Key 27039beb93cSSam LefflerHandshake) for generating and exchanging data encryption keys between 27139beb93cSSam Lefflerthe Authenticator and Supplicant. This handshake is also used to 27239beb93cSSam Lefflerverify that both Authenticator and Supplicant know the master session 27339beb93cSSam Lefflerkey. These handshakes are identical regardless of the selected key 27439beb93cSSam Lefflermanagement mechanism (only the method for generating master session 27539beb93cSSam Lefflerkey changes). 27639beb93cSSam Leffler 27739beb93cSSam Leffler 27839beb93cSSam LefflerIEEE 802.11i / WPA2 27939beb93cSSam Leffler------------------- 28039beb93cSSam Leffler 28139beb93cSSam LefflerThe design for parts of IEEE 802.11i that were not included in WPA has 28239beb93cSSam Lefflerfinished (May 2004) and this amendment to IEEE 802.11 was approved in 28339beb93cSSam LefflerJune 2004. Wi-Fi Alliance is using the final IEEE 802.11i as a new 28439beb93cSSam Lefflerversion of WPA called WPA2. This includes, e.g., support for more 28539beb93cSSam Lefflerrobust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC) 28639beb93cSSam Lefflerto replace TKIP and optimizations for handoff (reduced number of 28739beb93cSSam Lefflermessages in initial key handshake, pre-authentication, and PMKSA caching). 28839beb93cSSam Leffler 28939beb93cSSam LefflerSome wireless LAN vendors are already providing support for CCMP in 29039beb93cSSam Lefflertheir WPA products. There is no "official" interoperability 29139beb93cSSam Lefflercertification for CCMP and/or mixed modes using both TKIP and CCMP, so 29239beb93cSSam Lefflersome interoperability issues can be expected even though many 29339beb93cSSam Lefflercombinations seem to be working with equipment from different vendors. 29439beb93cSSam LefflerTesting for WPA2 is likely to start during the second half of 2004. 29539beb93cSSam Leffler 29639beb93cSSam Lefflerhostapd configuration for WPA/WPA2 29739beb93cSSam Leffler---------------------------------- 29839beb93cSSam Leffler 29939beb93cSSam LefflerTODO 30039beb93cSSam Leffler 30139beb93cSSam Leffler# Enable WPA. Setting this variable configures the AP to require WPA (either 30239beb93cSSam Leffler# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either 30339beb93cSSam Leffler# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. 30439beb93cSSam Leffler# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), 30539beb93cSSam Leffler# RADIUS authentication server must be configured, and WPA-EAP must be included 30639beb93cSSam Leffler# in wpa_key_mgmt. 30739beb93cSSam Leffler# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) 30839beb93cSSam Leffler# and/or WPA2 (full IEEE 802.11i/RSN): 30939beb93cSSam Leffler# bit0 = WPA 31039beb93cSSam Leffler# bit1 = IEEE 802.11i/RSN (WPA2) 31139beb93cSSam Leffler#wpa=1 31239beb93cSSam Leffler 31339beb93cSSam Leffler# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit 31439beb93cSSam Leffler# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase 31539beb93cSSam Leffler# (8..63 characters) that will be converted to PSK. This conversion uses SSID 31639beb93cSSam Leffler# so the PSK changes when ASCII passphrase is used and the SSID is changed. 31739beb93cSSam Leffler#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 31839beb93cSSam Leffler#wpa_passphrase=secret passphrase 31939beb93cSSam Leffler 32039beb93cSSam Leffler# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The 32139beb93cSSam Leffler# entries are separated with a space. 32239beb93cSSam Leffler#wpa_key_mgmt=WPA-PSK WPA-EAP 32339beb93cSSam Leffler 32439beb93cSSam Leffler# Set of accepted cipher suites (encryption algorithms) for pairwise keys 32539beb93cSSam Leffler# (unicast packets). This is a space separated list of algorithms: 32639beb93cSSam Leffler# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i] 32739beb93cSSam Leffler# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i] 32839beb93cSSam Leffler# Group cipher suite (encryption algorithm for broadcast and multicast frames) 32939beb93cSSam Leffler# is automatically selected based on this configuration. If only CCMP is 33039beb93cSSam Leffler# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, 33139beb93cSSam Leffler# TKIP will be used as the group cipher. 33239beb93cSSam Leffler#wpa_pairwise=TKIP CCMP 33339beb93cSSam Leffler 33439beb93cSSam Leffler# Time interval for rekeying GTK (broadcast/multicast encryption keys) in 33539beb93cSSam Leffler# seconds. 33639beb93cSSam Leffler#wpa_group_rekey=600 33739beb93cSSam Leffler 33839beb93cSSam Leffler# Time interval for rekeying GMK (master key used internally to generate GTKs 33939beb93cSSam Leffler# (in seconds). 34039beb93cSSam Leffler#wpa_gmk_rekey=86400 34139beb93cSSam Leffler 34239beb93cSSam Leffler# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up 34339beb93cSSam Leffler# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN 34439beb93cSSam Leffler# authentication and key handshake before actually associating with a new AP. 34539beb93cSSam Leffler#rsn_preauth=1 34639beb93cSSam Leffler# 34739beb93cSSam Leffler# Space separated list of interfaces from which pre-authentication frames are 34839beb93cSSam Leffler# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all 34939beb93cSSam Leffler# interface that are used for connections to other APs. This could include 35039beb93cSSam Leffler# wired interfaces and WDS links. The normal wireless data interface towards 35139beb93cSSam Leffler# associated stations (e.g., wlan0) should not be added, since 35239beb93cSSam Leffler# pre-authentication is only used with APs other than the currently associated 35339beb93cSSam Leffler# one. 35439beb93cSSam Leffler#rsn_preauth_interfaces=eth0 355