xref: /freebsd/contrib/wpa/wpa_supplicant/README-WPS (revision b64c5a0ace59af62eff52bfe110a521dc73c937b) 
1wpa_supplicant and Wi-Fi Protected Setup (WPS)
2==============================================
3
4This document describes how the WPS implementation in wpa_supplicant
5can be configured and how an external component on the client (e.g.,
6management GUI) is used to enable WPS enrollment and registrar
7registration.
8
9
10Introduction to WPS
11-------------------
12
13Wi-Fi Protected Setup (WPS) is a mechanism for easy configuration of a
14wireless network. It allows automated generation of random keys (WPA
15passphrase/PSK) and configuration of an access point and client
16devices. WPS includes number of methods for setting up connections
17with PIN method and push-button configuration (PBC) being the most
18commonly deployed options.
19
20While WPS can enable more home networks to use encryption in the
21wireless network, it should be noted that the use of the PIN and
22especially PBC mechanisms for authenticating the initial key setup is
23not very secure. As such, use of WPS may not be suitable for
24environments that require secure network access without chance for
25allowing outsiders to gain access during the setup phase.
26
27WPS uses the following terms to describe the entities participating
28in the network setup:
29- access point: the WLAN access point
30- Registrar: a device that control a network and can authorize
31  addition of new devices); this may be either in the AP ("internal
32  Registrar") or in an external device, e.g., a laptop, ("external
33  Registrar")
34- Enrollee: a device that is being authorized to use the network
35
36It should also be noted that the AP and a client device may change
37roles (i.e., AP acts as an Enrollee and client device as a Registrar)
38when WPS is used to configure the access point.
39
40
41More information about WPS is available from Wi-Fi Alliance:
42http://www.wi-fi.org/wifi-protected-setup
43
44
45wpa_supplicant implementation
46-----------------------------
47
48wpa_supplicant includes an optional WPS component that can be used as
49an Enrollee to enroll new network credential or as a Registrar to
50configure an AP.
51
52
53wpa_supplicant configuration
54----------------------------
55
56WPS is an optional component that needs to be enabled in
57wpa_supplicant build configuration (.config). Here is an example
58configuration that includes WPS support and Linux nl80211-based
59driver interface:
60
61CONFIG_DRIVER_NL80211=y
62CONFIG_WPS=y
63
64If you want to enable WPS external registrar (ER) functionality, you
65will also need to add the following line:
66
67CONFIG_WPS_ER=y
68
69The following parameter can be used to enable support for NFC config
70method:
71
72CONFIG_WPS_NFC=y
73
74WPS needs the Universally Unique IDentifier (UUID; see RFC 4122) for
75the device. This is configured in the runtime configuration for
76wpa_supplicant (if not set, UUID will be generated based on local MAC
77address):
78
79# example UUID for WPS
80uuid=12345678-9abc-def0-1234-56789abcdef0
81
82The network configuration blocks needed for WPS are added
83automatically based on control interface commands, so they do not need
84to be added explicitly in the configuration file.
85
86WPS registration will generate new network blocks for the acquired
87credentials. If these are to be stored for future use (after
88restarting wpa_supplicant), wpa_supplicant will need to be configured
89to allow configuration file updates:
90
91update_config=1
92
93
94External operations
95-------------------
96
97WPS requires either a device PIN code (usually, 8-digit number) or a
98pushbutton event (for PBC) to allow a new WPS Enrollee to join the
99network. wpa_supplicant uses the control interface as an input channel
100for these events.
101
102The PIN value used in the commands must be processed by an UI to
103remove non-digit characters and potentially, to verify the checksum
104digit. "wpa_cli wps_check_pin <PIN>" can be used to do such processing.
105It returns FAIL if the PIN is invalid, or FAIL-CHECKSUM if the checksum
106digit is incorrect, or the processed PIN (non-digit characters removed)
107if the PIN is valid.
108
109If the client device has a display, a random PIN has to be generated
110for each WPS registration session. wpa_supplicant can do this with a
111control interface request, e.g., by calling wpa_cli:
112
113wpa_cli wps_pin any
114
115This will return the generated 8-digit PIN which will then need to be
116entered at the Registrar to complete WPS registration. At that point,
117the client will be enrolled with credentials needed to connect to the
118AP to access the network.
119
120If the client device does not have a display that could show the
121random PIN, a hardcoded PIN that is printed on a label can be
122used. wpa_supplicant is notified this with a control interface
123request, e.g., by calling wpa_cli:
124
125wpa_cli wps_pin any 12345670
126
127This starts the WPS negotiation in the same way as above with the
128generated PIN.
129
130When the wps_pin command is issued for an AP (including P2P GO) mode
131interface, an optional timeout parameter can be used to specify
132expiration timeout for the PIN in seconds. For example:
133
134wpa_cli wps_pin any 12345670 300
135
136If a random PIN is needed for a user interface, "wpa_cli wps_pin get"
137can be used to generate a new PIN without starting WPS negotiation.
138This random PIN can then be passed as an argument to another wps_pin
139call when the actual operation should be started.
140
141If the client design wants to support optional WPS PBC mode, this can
142be enabled by either a physical button in the client device or a
143virtual button in the user interface. The PBC operation requires that
144a button is also pressed at the AP/Registrar at about the same time (2
145minute window). wpa_supplicant is notified of the local button event
146over the control interface, e.g., by calling wpa_cli:
147
148wpa_cli wps_pbc
149
150At this point, the AP/Registrar has two minutes to complete WPS
151negotiation which will generate a new WPA PSK in the same way as the
152PIN method described above.
153
154If the client wants to operate in the Registrar role to learn the
155current AP configuration and optionally, to configure an AP,
156wpa_supplicant is notified over the control interface, e.g., with
157wpa_cli:
158
159wpa_cli wps_reg <AP BSSID> <AP PIN>
160(example: wpa_cli wps_reg 02:34:56:78:9a:bc 12345670)
161
162This is used to fetch the current AP settings instead of actually
163changing them. The main difference with the wps_pin command is that
164wps_reg uses the AP PIN (e.g., from a label on the AP) instead of a
165PIN generated at the client.
166
167In order to change the AP configuration, the new configuration
168parameters are given to the wps_reg command:
169
170wpa_cli wps_reg <AP BSSID> <AP PIN> <new SSID> <auth> <encr> <new key>
171examples:
172  wpa_cli wps_reg 02:34:56:78:9a:bc 12345670 testing WPA2PSK CCMP 12345678
173  wpa_cli wps_reg 02:34:56:78:9a:bc 12345670 clear OPEN NONE ""
174
175<auth> must be one of the following: OPEN WPAPSK WPA2PSK
176<encr> must be one of the following: NONE WEP TKIP CCMP
177
178
179Scanning
180--------
181
182Scan results ('wpa_cli scan_results' or 'wpa_cli bss <idx>') include a
183flags field that is used to indicate whether the BSS support WPS. If
184the AP support WPS, but has not recently activated a Registrar, [WPS]
185flag will be included. If PIN method has been recently selected,
186[WPS-PIN] is shown instead. Similarly, [WPS-PBC] is shown if PBC mode
187is in progress. GUI programs can use these as triggers for suggesting
188a guided WPS configuration to the user. In addition, control interface
189monitor events WPS-AP-AVAILABLE{,-PBC,-PIN} can be used to find out if
190there are WPS enabled APs in scan results without having to go through
191all the details in the GUI. These notification could be used, e.g., to
192suggest possible WPS connection to the user.
193
194
195wpa_gui
196-------
197
198wpa_gui-qt4 directory contains a sample GUI that shows an example of
199how WPS support can be integrated into the GUI. Its main window has a
200WPS tab that guides user through WPS registration with automatic AP
201selection. In addition, it shows how WPS can be started manually by
202selecting an AP from scan results.
203
204
205Credential processing
206---------------------
207
208By default, wpa_supplicant processes received credentials and updates
209its configuration internally. However, it is possible to
210control these operations from external programs, if desired.
211
212This internal processing can be disabled with wps_cred_processing=1
213option. When this is used, an external program is responsible for
214processing the credential attributes and updating wpa_supplicant
215configuration based on them.
216
217The following control interface messages are sent out for external
218programs:
219
220WPS-CRED-RECEIVED  <hexdump of Credential attribute(s)>
221For example:
222<2>WPS-CRED-RECEIVED 100e006f10260001011045000c6a6b6d2d7770732d74657374100300020020100f000200081027004030653462303435366332363666653064333961643135353461316634626637313234333761636664623766333939653534663166316230323061643434386235102000060266a0ee1727
223
224
225wpa_supplicant as WPS External Registrar (ER)
226---------------------------------------------
227
228wpa_supplicant can be used as a WPS ER to configure an AP or enroll
229new Enrollee to join the network. This functionality uses UPnP and
230requires that a working IP connectivity is available with the AP (this
231can be either over a wired or wireless connection).
232
233Separate wpa_supplicant process can be started for WPS ER
234operations. A special "none" driver can be used in such a case to
235indicate that no local network interface is actually controlled. For
236example, the following command could be used to start the ER:
237
238wpa_supplicant -Dnone -c er.conf -ieth0
239
240Sample er.conf:
241
242ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=admin
243device_name=WPS External Registrar
244
245wpa_cli commands for ER functionality:
246
247wps_er_start [IP address]
248- start WPS ER functionality
249- the optional IP address parameter can be used to filter operations only
250  to include a single AP
251- if run again while ER is active, the stored information (discovered APs
252  and Enrollees) are shown again
253
254wps_er_stop
255- stop WPS ER functionality
256
257wps_er_learn <UUID|BSSID> <AP PIN>
258- learn AP configuration
259
260wps_er_set_config <UUID|BSSID> <network id>
261- use AP configuration from a locally configured network (e.g., from
262  wps_reg command); this does not change the AP's configuration, but
263  only prepares a configuration to be used when enrolling a new device
264  to the AP
265
266wps_er_config <UUID|BSSID> <AP PIN> <new SSID> <auth> <encr> <new key>
267- examples:
268  wps_er_config 87654321-9abc-def0-1234-56789abc0002 12345670 testing WPA2PSK CCMP 12345678
269  wpa_er_config 87654321-9abc-def0-1234-56789abc0002 12345670 clear OPEN NONE ""
270
271<auth> must be one of the following: OPEN WPAPSK WPA2PSK
272<encr> must be one of the following: NONE WEP TKIP CCMP
273
274wps_er_pbc <Enrollee UUID|MAC address>
275- accept an Enrollee PBC using External Registrar
276
277wps_er_pin <Enrollee UUID|"any"|MAC address> <PIN> [Enrollee MAC address]
278- add an Enrollee PIN to External Registrar
279- if Enrollee UUID is not known, "any" can be used to add a wildcard PIN
280- if the MAC address of the enrollee is known, it should be configured
281  to allow the AP to advertise list of authorized enrollees
282
283WPS ER events:
284
285WPS_EVENT_ER_AP_ADD
286- WPS ER discovered an AP
287
288WPS-ER-AP-ADD 87654321-9abc-def0-1234-56789abc0002 02:11:22:33:44:55 pri_dev_type=6-0050F204-1 wps_state=1 |Very friendly name|Company|Long description of the model|WAP|http://w1.fi/|http://w1.fi/hostapd/
289
290WPS_EVENT_ER_AP_REMOVE
291- WPS ER removed an AP entry
292
293WPS-ER-AP-REMOVE 87654321-9abc-def0-1234-56789abc0002
294
295WPS_EVENT_ER_ENROLLEE_ADD
296- WPS ER discovered a new Enrollee
297
298WPS-ER-ENROLLEE-ADD 2b7093f1-d6fb-5108-adbb-bea66bb87333 02:66:a0:ee:17:27 M1=1 config_methods=0x14d dev_passwd_id=0 pri_dev_type=1-0050F204-1 |Wireless Client|Company|cmodel|123|12345|
299
300WPS_EVENT_ER_ENROLLEE_REMOVE
301- WPS ER removed an Enrollee entry
302
303WPS-ER-ENROLLEE-REMOVE 2b7093f1-d6fb-5108-adbb-bea66bb87333 02:66:a0:ee:17:27
304
305WPS-ER-AP-SETTINGS
306- WPS ER learned AP settings
307
308WPS-ER-AP-SETTINGS uuid=fd91b4ec-e3fa-5891-a57d-8c59efeed1d2 ssid=test-wps auth_type=0x0020 encr_type=0x0008 key=12345678
309
310
311WPS with NFC
312------------
313
314WPS can be used with NFC-based configuration method. An NFC tag
315containing a password token from the Enrollee can be used to
316authenticate the connection instead of the PIN. In addition, an NFC tag
317with a configuration token can be used to transfer AP settings without
318going through the WPS protocol.
319
320When the station acts as an Enrollee, a local NFC tag with a password
321token can be used by touching the NFC interface of a Registrar.
322
323"wps_nfc [BSSID]" command starts WPS protocol run with the local end as
324the Enrollee using the NFC password token that is either pre-configured
325in the configuration file (wps_nfc_dev_pw_id, wps_nfc_dh_pubkey,
326wps_nfc_dh_privkey, wps_nfc_dev_pw) or generated dynamically with
327"wps_nfc_token <WPS|NDEF>" command. The included nfc_pw_token tool
328(build with "make nfc_pw_token") can be used to generate NFC password
329tokens during manufacturing (each station needs to have its own random
330keys).
331
332The "wps_nfc_config_token <WPS/NDEF>" command can be used to build an
333NFC configuration token when wpa_supplicant is controlling an AP
334interface (AP or P2P GO). The output value from this command is a
335hexdump of the current AP configuration (WPS parameter requests this to
336include only the WPS attributes; NDEF parameter requests additional NDEF
337encapsulation to be included). This data needs to be written to an NFC
338tag with an external program. Once written, the NFC configuration token
339can be used to touch an NFC interface on a station to provision the
340credentials needed to access the network.
341
342The "wps_nfc_config_token <WPS/NDEF> <network id>" command can be used
343to build an NFC configuration token based on a locally configured
344network.
345
346If the station includes NFC interface and reads an NFC tag with a MIME
347media type "application/vnd.wfa.wsc", the NDEF message payload (with or
348without NDEF encapsulation) can be delivered to wpa_supplicant using the
349following wpa_cli command:
350
351wps_nfc_tag_read <hexdump of payload>
352
353If the NFC tag contains a configuration token, the network is added to
354wpa_supplicant configuration. If the NFC tag contains a password token,
355the token is added to the WPS Registrar component. This information can
356then be used with wps_reg command (when the NFC password token was from
357an AP) using a special value "nfc-pw" in place of the PIN parameter. If
358the ER functionality has been started (wps_er_start), the NFC password
359token is used to enable enrollment of a new station (that was the source
360of the NFC password token).
361
362"nfc_get_handover_req <NDEF> <WPS-CR>" command can be used to build the
363WPS carrier record for a Handover Request Message for connection
364handover. The first argument selects the format of the output data and
365the second argument selects which type of connection handover is
366requested (WPS-CR = Wi-Fi handover as specified in WSC 2.0).
367
368"nfc_get_handover_sel <NDEF> <WPS> [UUID|BSSID]" command can be used to
369build the contents of a Handover Select Message for connection handover
370when this does not depend on the contents of the Handover Request
371Message. The first argument selects the format of the output data and
372the second argument selects which type of connection handover is
373requested (WPS = Wi-Fi handover as specified in WSC 2.0). If the options
374UUID|BSSID argument is included, this is a request to build the handover
375message for the specified AP when wpa_supplicant is operating as a WPS
376ER.
377
378"nfc_report_handover <INIT/RESP> WPS <carrier from handover request>
379<carrier from handover select>" can be used as an alternative way for
380reporting completed NFC connection handover. The first parameter
381indicates whether the local device initiated or responded to the
382connection handover and the carrier records are the selected carrier
383from the handover request and select messages as a hexdump.
384
385The "wps_er_nfc_config_token <WPS/NDEF> <UUID|BSSID>" command can be
386used to build an NFC configuration token for the specified AP when
387wpa_supplicant is operating as a WPS ER. The output value from this
388command is a hexdump of the selected AP configuration (WPS parameter
389requests this to include only the WPS attributes; NDEF parameter
390requests additional NDEF encapsulation to be included). This data needs
391to be written to an NFC tag with an external program. Once written, the
392NFC configuration token can be used to touch an NFC interface on a
393station to provision the credentials needed to access the network.
394