xref: /freebsd/contrib/wpa/hostapd/README (revision a90b9d0159070121c221b966469c3e36d912bf82)
hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP
	  Authenticator and RADIUS authentication server
================================================================

Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi> and contributors
All Rights Reserved.

This program is licensed under the BSD license (the one with
advertisement clause removed).

If you are submitting changes to the project, please see CONTRIBUTIONS
file for more instructions.



License
-------

This software may be distributed, used, and modified under the terms of
BSD license:

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:

1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

3. Neither the name(s) of the above-listed copyright holder(s) nor the
   names of its contributors may be used to endorse or promote products
   derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.



Introduction
============
Originally, hostapd was an optional user space component for the Host AP
driver. It adds more features to the basic IEEE 802.11 management
included in the kernel driver: using an external RADIUS authentication
server for MAC address based access control, IEEE 802.1X Authenticator
and dynamic WEP keying, RADIUS accounting, WPA/WPA2 (IEEE 802.11i/RSN)
Authenticator and dynamic TKIP/CCMP keying.

The current version includes support for other drivers, an integrated
EAP server (i.e., allowing full authentication without requiring
an external RADIUS authentication server), and a RADIUS authentication
server for EAP authentication.


Requirements
------------

Current hardware/software requirements:
- drivers:
	Host AP driver for Prism2/2.5/3.
	(http://w1.fi/hostap-driver.html)
	Please note that the station firmware version needs to be 1.7.0 or newer
	to work in WPA mode.

	mac80211-based drivers that support AP mode (with driver=nl80211).
	This includes drivers for Atheros (ath9k) and Broadcom (b43)
	chipsets.

	Any wired Ethernet driver for wired IEEE 802.1X authentication
	(experimental code)

	FreeBSD -current
	BSD net80211 layer (e.g., Atheros driver)


Build configuration
-------------------

In order to be able to build hostapd, you will need to create a build
time configuration file, .config, that selects which optional
components are included. See the defconfig file for an example configuration
and a list of available options.


IEEE 802.1X
===========

IEEE Std 802.1X-2001 is a standard for port-based network access
control. In the case of IEEE 802.11 networks, a "virtual port" is used
between each associated station and the AP. IEEE 802.11 specifies a
minimal authentication mechanism for stations, whereas IEEE 802.1X
introduces an extensible mechanism for authenticating and authorizing
users.

IEEE 802.1X uses elements called Supplicant, Authenticator, Port
Access Entity, and Authentication Server. The Supplicant is a component in
a station and it performs the authentication with the Authentication
Server. An access point includes an Authenticator that relays the packets
between a Supplicant and an Authentication Server. In addition, it has a
Port Access Entity (PAE) with Authenticator functionality for
controlling the virtual port authorization, i.e., whether to accept
packets from or to the station.

IEEE 802.1X uses the Extensible Authentication Protocol (EAP). The frames
between a Supplicant and an Authenticator are sent using EAP over LAN
(EAPOL) and the Authenticator relays these frames to the Authentication
Server (and similarly, relays the messages from the Authentication
Server to the Supplicant). The Authentication Server can be co-located with the
Authenticator, in which case there is no need for an additional protocol
for EAP frame transmission. However, a more common configuration is to
use an external Authentication Server and encapsulate the EAP frames in the
frames used by that server. RADIUS is suitable for this, but IEEE
802.1X would also allow other mechanisms.

The Host AP driver includes PAE functionality in the kernel driver. It
is a relatively simple mechanism for denying normal frames going to
or coming from an unauthorized port. PAE allows IEEE 802.1X related
frames to be passed between the Supplicant and the Authenticator even
on an unauthorized port.

The user space daemon, hostapd, includes Authenticator functionality. It
receives 802.1X (EAPOL) frames from the Supplicant using the wlan#ap
device that is also used with IEEE 802.11 management frames. The
frames to the Supplicant are sent using the same device.

The normal configuration of the Authenticator would use an external
Authentication Server. hostapd supports RADIUS encapsulation of EAP
packets, so the Authentication Server should be a RADIUS server, like
FreeRADIUS (http://www.freeradius.org/). The Authenticator in hostapd
relays the frames between the Supplicant and the Authentication
Server. It also controls the PAE functionality in the kernel driver by
controlling virtual port authorization, i.e., the station-AP
connection, based on the IEEE 802.1X state.

When a station would like to use the services of an access point, it
will first perform IEEE 802.11 authentication. This is normally done
with open system authentication, so there is no security. After
this, IEEE 802.11 association is performed. If IEEE 802.1X is
configured to be used, the virtual port for the station is set in the
Unauthorized state and only IEEE 802.1X frames are accepted at this
point. The Authenticator will then ask the Supplicant to authenticate
with the Authentication Server. After this is completed successfully,
the virtual port is set to the Authorized state and frames from and to the
station are accepted.
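The port-authorization sequence just described, as an added toy model (not hostapd code): a per-station virtual port that passes EAPOL (EtherType 0x888E) in either state, passes other traffic only once Authorized, and flips state on the relayed EAP result, an EAPOL-Logoff, or disassociation. MAC addresses and frames are constructed; real hostapd drives the port from its 802.1X state machine rather than by inspecting relayed frames.

```python
from dataclasses import dataclass
from enum import Enum

ETHERTYPE_EAPOL = 0x888E               # EAP over LAN: the only traffic an Unauthorized port passes
EAPOL_EAP_PACKET, EAPOL_LOGOFF = 0, 2  # EAPOL packet types (IEEE 802.1X-2001)
EAP_SUCCESS, EAP_FAILURE = 3, 4        # EAP codes that end an authentication


class PortState(Enum):
    UNAUTHORIZED = "Unauthorized"
    AUTHORIZED = "Authorized"


@dataclass
class StationPort:
    """Per-station virtual port: a toy model of the Authenticator PAE controlled port."""
    sta: bytes                                  # station MAC address (6 bytes)
    state: PortState = PortState.UNAUTHORIZED   # state right after IEEE 802.11 association

    def accept(self, frame: bytes) -> bool:
        """Decide whether an Ethernet frame from or to this station may pass the port."""
        if len(frame) < 14:                     # dst(6) + src(6) + ethertype(2)
            return False
        ethertype = int.from_bytes(frame[12:14], "big")
        if ethertype == ETHERTYPE_EAPOL:
            self._handle_eapol(frame[14:])
            return True                         # 802.1X frames pass regardless of port state
        return self.state is PortState.AUTHORIZED

    def _handle_eapol(self, eapol: bytes) -> None:
        """EAPOL header: version(1) type(1) length(2) body; EAP header: code(1) id(1) length(2)."""
        if len(eapol) < 4:
            return
        pkt_type, body_len = eapol[1], int.from_bytes(eapol[2:4], "big")
        body = eapol[4:4 + body_len]
        if pkt_type == EAPOL_LOGOFF:            # Supplicant leaving: close the port again
            self.state = PortState.UNAUTHORIZED
        elif pkt_type == EAPOL_EAP_PACKET and len(body) >= 4:
            self.on_eap_result(body[0])         # toy shortcut: react to the relayed EAP code

    def on_eap_result(self, eap_code: int) -> None:
        """The result relayed from the Authentication Server decides the controlled port state."""
        if eap_code == EAP_SUCCESS:
            self.state = PortState.AUTHORIZED
        elif eap_code == EAP_FAILURE:
            self.state = PortState.UNAUTHORIZED

    def on_disassociate(self) -> None:
        self.state = PortState.UNAUTHORIZED


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + ethertype.to_bytes(2, "big") + payload


def eapol_eap(code: int, identifier: int = 1) -> bytes:
    """Constructed EAPOL-EAP-Packet carrying a bare EAP Success/Failure (4-byte EAP header)."""
    eap = bytes([code, identifier]) + (4).to_bytes(2, "big")
    return bytes([1, EAPOL_EAP_PACKET]) + len(eap).to_bytes(2, "big") + eap


def station_lifecycle() -> list:
    """Replay the sequence from the text on constructed frames; returns (event, accepted) pairs."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    port = StationPort(sta)                     # 802.11 open system auth + association done
    data = ethernet(ap, sta, 0x0800, b"ip payload")
    start = ethernet(ap, sta, ETHERTYPE_EAPOL, bytes([1, 1, 0, 0]))         # EAPOL-Start (type 1)
    logoff = ethernet(ap, sta, ETHERTYPE_EAPOL, bytes([1, EAPOL_LOGOFF, 0, 0]))
    return [
        ("data before authentication", port.accept(data)),
        ("EAPOL-Start from station", port.accept(start)),
        ("EAP-Success relayed to station", port.accept(ethernet(sta, ap, ETHERTYPE_EAPOL, eapol_eap(EAP_SUCCESS)))),
        ("data after authentication", port.accept(data)),
        ("EAPOL-Logoff from station", port.accept(logoff)),
        ("data after logoff", port.accept(data)),
    ]
```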
15839beb93cSSam Leffler
Host AP configuration for IEEE 802.1X
-------------------------------------

The user space daemon has its own configuration file that can be used to
define AP options. The distribution package contains an example
configuration file (hostapd/hostapd.conf) that can be used as a basis
for configuration. It includes examples of all supported configuration
options and a short description of each option. hostapd should be started
with the full path to the configuration file as the command line argument,
e.g., './hostapd /etc/hostapd.conf'. If you have more than one wireless
LAN card, you can use one hostapd process for multiple interfaces by
giving a list of configuration files (one per interface) on the command
line.

hostapd includes a minimal co-located IEEE 802.1X server which can be
used to test IEEE 802.1X authentication. However, it should not be
used in normal use since it does not provide any security. This can be
configured by setting the ieee8021x and minimal_eap options in the
configuration file.

An external Authentication Server (RADIUS) is configured with the
auth_server_{addr,port,shared_secret} options. In addition,
ieee8021x and own_ip_addr must be set for this mode. With such a
configuration, the co-located Authentication Server is not used and EAP
frames will be relayed using EAPOL between the Supplicant and the
Authenticator and RADIUS encapsulation between the Authenticator and
the Authentication Server. Other than this, the functionality is similar
to the case with the co-located Authentication Server.

Authentication Server
---------------------

Any RADIUS server supporting EAP should be usable as an IEEE 802.1X
Authentication Server with the hostapd Authenticator. FreeRADIUS
(http://www.freeradius.org/) has been successfully tested with the hostapd
Authenticator.

Automatic WEP key configuration
-------------------------------

EAP/TLS generates a session key that can be used to send WEP keys from
an AP to authenticated stations. The Authenticator in hostapd can be
configured to automatically select a random default/broadcast key
(shared by all authenticated stations) with the wep_key_len_broadcast
option (5 for 40-bit WEP or 13 for 104-bit WEP). In addition, the
wep_key_len_unicast option can be used to configure individual unicast
keys for stations. This requires support for individual keys in the
station driver.

WEP keys can be automatically updated by configuring rekeying. This
will improve the security of the network since the same WEP key will only be
used for a limited period of time. The wep_rekey_period option sets the
interval for rekeying in seconds.

21339beb93cSSam Leffler
WPA/WPA2
========

Features
--------

Supported WPA/IEEE 802.11i features:
- WPA-PSK ("WPA-Personal")
- WPA with EAP (e.g., with a RADIUS authentication server) ("WPA-Enterprise")
- key management for CCMP, TKIP, WEP104, WEP40
- RSN/WPA2 (IEEE 802.11i), including PMKSA caching and pre-authentication

WPA
---

The original security mechanism of the IEEE 802.11 standard was not
designed to be strong and has proved to be insufficient for most
networks that require some kind of security. Task group I (Security)
of the IEEE 802.11 working group (http://www.ieee802.org/11/) has worked
to address the flaws of the base standard and has in practice
completed its work in May 2004. The IEEE 802.11i amendment to the IEEE
802.11 standard was approved in June 2004 and this amendment was
published in July 2004.

The Wi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the
IEEE 802.11i work (draft 3.0) to define a subset of the security
enhancements that can be implemented with existing wlan hardware. This
is called Wi-Fi Protected Access<TM> (WPA). This has now become a
mandatory component of the interoperability testing and certification done
by the Wi-Fi Alliance.

The IEEE 802.11 standard defined the wired equivalent privacy (WEP) algorithm
for protecting wireless networks. WEP uses RC4 with 40-bit keys, a
24-bit initialization vector (IV), and CRC32 to protect against packet
forgery. All these choices have proven to be insufficient: the key space is
too small against current attacks, RC4 key scheduling is insufficient
(the beginning of the pseudorandom stream should be skipped), the IV space is
too small and IV reuse makes attacks easier, there is no replay
protection, and the non-keyed authentication does not protect against bit
flipping of packet data.

WPA is an intermediate solution for the security issues. It uses the
Temporal Key Integrity Protocol (TKIP) to replace WEP. TKIP is a
compromise between strong security and the possibility of using existing
hardware. It still uses RC4 for the encryption like WEP, but with
per-packet RC4 keys. In addition, it implements replay protection and a
keyed packet authentication mechanism (Michael MIC).

Keys can be managed using two different mechanisms. WPA can either use
an external authentication server (e.g., RADIUS) and EAP just like
IEEE 802.1X does, or pre-shared keys without the need for additional
servers. Wi-Fi calls these "WPA-Enterprise" and "WPA-Personal",
respectively. Both mechanisms will generate a master session key for
the Authenticator (AP) and Supplicant (client station).

WPA implements a new key handshake (4-Way Handshake and Group Key
Handshake) for generating and exchanging data encryption keys between
the Authenticator and Supplicant. This handshake is also used to
verify that both the Authenticator and Supplicant know the master session
key. These handshakes are identical regardless of the selected key
management mechanism (only the method for generating the master session
key changes).


IEEE 802.11i / WPA2
-------------------

The design for the parts of IEEE 802.11i that were not included in WPA has
been finished (May 2004) and this amendment to IEEE 802.11 was approved in
June 2004. The Wi-Fi Alliance is using the final IEEE 802.11i as a new
version of WPA called WPA2. This includes, e.g., support for a more
robust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC)
to replace TKIP and optimizations for handoff (reduced number of
messages in the initial key handshake, pre-authentication, and PMKSA caching).

Some wireless LAN vendors are already providing support for CCMP in
their WPA products. There is no "official" interoperability
certification for CCMP and/or mixed modes using both TKIP and CCMP, so
some interoperability issues can be expected even though many
combinations seem to be working with equipment from different vendors.
Testing for WPA2 is likely to start during the second half of 2004.

hostapd configuration for WPA/WPA2
----------------------------------

TODO

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# RADIUS authentication server must be configured, and WPA-EAP must be included
# in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2)
#wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to PSK. This conversion uses SSID
# so the PSK changes when ASCII passphrase is used and the SSID is changed.
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#wpa_passphrase=secret passphrase
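Added example (not hostapd code) covering two passages: the wpa_passphrase-to-PSK conversion described just above, and the 4-Way Handshake's role in proving that both sides hold the master session key. It derives the PSK with PBKDF2-HMAC-SHA1 using the SSID as salt, expands it into the PTK with the IEEE 802.11i PRF, and lets the Authenticator verify a message-2 Key MIC. MAC addresses, nonces and the EAPOL-Key body are constructed placeholders.

```python
import hashlib
import hmac


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """wpa_passphrase -> 256-bit PSK (IEEE 802.11i Annex H): PBKDF2-HMAC-SHA1 with the
    SSID as salt and 4096 iterations, so a new SSID yields a new PSK for the same passphrase."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def parse_wpa_psk(value: str) -> bytes:
    """wpa_psk is the PSK entered directly as 64 hex digits (256 bits)."""
    if len(value) != 64:
        raise ValueError("wpa_psk must be exactly 64 hex digits")
    return bytes.fromhex(value)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || i), truncated."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """4-Way Handshake key expansion: PTK = PRF-X(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)),
    X = 384 for CCMP (128-bit TK) and 512 for TKIP (256-bit TK incl. Michael keys)."""
    nbits = 512 if cipher == "TKIP" else 384
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_key_mic(kck: bytes, eapol_key: bytes, cipher: str = "CCMP") -> bytes:
    """Key MIC over the EAPOL-Key frame (MIC field zeroed): HMAC-MD5 for key descriptor
    version 1 (TKIP), HMAC-SHA1 truncated to 128 bits for version 2 (CCMP)."""
    digest = hashlib.md5 if cipher == "TKIP" else hashlib.sha1
    return hmac.new(kck, eapol_key, digest).digest()[:16]


def authenticator_checks_msg2(pmk, aa, spa, anonce, snonce, frame, mic) -> bool:
    """Authenticator side of message 2: a matching MIC proves the Supplicant derived the
    same KCK, hence holds the same PMK, without the PMK ever being sent over the air."""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["KCK"]
    return hmac.compare_digest(eapol_key_mic(kck, frame), mic)


def demo() -> bool:
    """Both sides start from the same passphrase/SSID; the Supplicant signs a constructed
    message 2 and the Authenticator verifies it."""
    pmk = passphrase_to_psk("password", "IEEE")                              # Annex H test vector input
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")   # constructed MAC addresses
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                  # constructed nonces
    supplicant_kck = derive_ptk(pmk, spa, aa, snonce, anonce)["KCK"]          # order irrelevant (Min/Max)
    frame = b"constructed EAPOL-Key msg 2 with MIC field zeroed" + snonce
    mic = eapol_key_mic(supplicant_kck, frame)
    return authenticator_checks_msg2(pmk, aa, spa, anonce, snonce, frame, mic)
```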
# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
#wpa_key_mgmt=WPA-PSK WPA-EAP

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
#wpa_pairwise=TKIP CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds.
#wpa_group_rekey=600

# Time interval for rekeying GMK (master key used internally to generate GTKs)
# in seconds.
#wpa_gmk_rekey=86400

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming by pre-authenticating the IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'). This list should include all
# interfaces that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0
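The rules spelled out in the comments above (wpa bit field, WPA-PSK needing wpa_psk or wpa_passphrase, WPA-EAP needing ieee8021x and a RADIUS server without dynamic WEP keys, group cipher following wpa_pairwise) as an added configuration checker; this is example code, not part of hostapd, and the sample configuration and the "TKIP CCMP" default assumed for an unset wpa_pairwise are constructed assumptions.

```python
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")
# Settings the text says an external RADIUS Authentication Server needs (own_ip_addr included).
RADIUS_KEYS = ("auth_server_addr", "auth_server_port", "auth_server_shared_secret", "own_ip_addr")
WEP_KEYS = ("wep_key_len_broadcast", "wep_key_len_unicast")

# Constructed sample; it deliberately carries several of the mistakes the checker reports.
SAMPLE_CONF = """\
interface=wlan0
ssid=constructed-example
#wpa=2
wpa=1
wpa_key_mgmt=WPA-PSK WPA-EAP
wpa_passphrase=short
wpa_pairwise=TKIP CCMP
ieee8021x=1
wep_key_len_broadcast=13
"""


def parse_hostapd_conf(text: str) -> dict:
    """key=value lines; a '#' line is a comment, so '#wpa=2' above sets nothing."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def group_cipher(pairwise: set) -> str:
    """Rule from the text: CCMP only when CCMP is the sole pairwise cipher, otherwise TKIP."""
    return "CCMP" if pairwise == {"CCMP"} else "TKIP"


def check_wpa_config(conf: dict) -> list:
    """Return (severity, message) findings for the wpa* settings described in the text."""
    findings = []
    wpa = int(conf.get("wpa", "0"))             # bit0 = WPA, bit1 = IEEE 802.11i/RSN (WPA2)
    if wpa == 0:
        return [("error", "wpa is unset or 0: neither WPA nor WPA2 is enabled")]
    if wpa & 1 and not wpa & 2:
        findings.append(("warning", "only WPA (bit0) enabled; set bit1 as well for RSN/WPA2 and CCMP"))
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    if not key_mgmt or not key_mgmt <= {"WPA-PSK", "WPA-EAP"}:
        findings.append(("error", "wpa_key_mgmt must list WPA-PSK and/or WPA-EAP"))
    if "WPA-PSK" in key_mgmt:
        psk, passphrase = conf.get("wpa_psk"), conf.get("wpa_passphrase")
        if psk is None and passphrase is None:
            findings.append(("error", "WPA-PSK needs wpa_psk or wpa_passphrase"))
        if psk is not None and not HEX64.match(psk):
            findings.append(("error", "wpa_psk must be exactly 64 hex digits"))
        if passphrase is not None and not 8 <= len(passphrase) <= 63:
            findings.append(("error", "wpa_passphrase must be 8..63 characters"))
    if "WPA-EAP" in key_mgmt:
        if conf.get("ieee8021x") != "1":
            findings.append(("error", "WPA-EAP requires ieee8021x=1"))
        findings += [("error", f"WPA-EAP requires RADIUS setting {k}") for k in RADIUS_KEYS if k not in conf]
        findings += [("error", f"{k}: dynamic WEP keys must not be combined with WPA-EAP") for k in WEP_KEYS if k in conf]
    pairwise = set(conf.get("wpa_pairwise", "TKIP CCMP").split())   # assumed default when unset
    if not pairwise <= {"TKIP", "CCMP"}:
        findings.append(("error", "wpa_pairwise may contain only TKIP and CCMP"))
    elif "TKIP" in pairwise:
        findings.append(("warning", f"TKIP (RC4-based) allowed for pairwise keys; group cipher becomes {group_cipher(pairwise)}"))
    return findings
```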