139beb93cSSam Leffler##### Example wpa_supplicant configuration file ############################### 239beb93cSSam Leffler# 339beb93cSSam Leffler# This file describes configuration file format and lists all available option. 439beb93cSSam Leffler# Please also take a look at simpler configuration examples in 'examples' 539beb93cSSam Leffler# subdirectory. 639beb93cSSam Leffler# 739beb93cSSam Leffler# Empty lines and lines starting with # are ignored 839beb93cSSam Leffler 939beb93cSSam Leffler# NOTE! This file may contain password information and should probably be made 1039beb93cSSam Leffler# readable only by root user on multiuser systems. 1139beb93cSSam Leffler 1239beb93cSSam Leffler# Note: All file paths in this configuration file should use full (absolute, 1339beb93cSSam Leffler# not relative to working directory) path in order to allow working directory 1439beb93cSSam Leffler# to be changed. This can happen if wpa_supplicant is run in the background. 1539beb93cSSam Leffler 1639beb93cSSam Leffler# Whether to allow wpa_supplicant to update (overwrite) configuration 1739beb93cSSam Leffler# 1839beb93cSSam Leffler# This option can be used to allow wpa_supplicant to overwrite configuration 1939beb93cSSam Leffler# file whenever configuration is changed (e.g., new network block is added with 2039beb93cSSam Leffler# wpa_cli or wpa_gui, or a password is changed). This is required for 2139beb93cSSam Leffler# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 2239beb93cSSam Leffler# Please note that overwriting configuration file will remove the comments from 2339beb93cSSam Leffler# it. 2439beb93cSSam Leffler#update_config=1 2539beb93cSSam Leffler 2639beb93cSSam Leffler# global configuration (shared by all network blocks) 2739beb93cSSam Leffler# 2839beb93cSSam Leffler# Parameters for the control interface. 
If this is specified, wpa_supplicant 2939beb93cSSam Leffler# will open a control interface that is available for external programs to 3039beb93cSSam Leffler# manage wpa_supplicant. The meaning of this string depends on which control 31f05cddf9SRui Paulo# interface mechanism is used. For all cases, the existence of this parameter 3239beb93cSSam Leffler# in configuration is used to determine whether the control interface is 3339beb93cSSam Leffler# enabled. 3439beb93cSSam Leffler# 3539beb93cSSam Leffler# For UNIX domain sockets (default on Linux and BSD): This is a directory that 3639beb93cSSam Leffler# will be created for UNIX domain sockets for listening to requests from 3739beb93cSSam Leffler# external programs (CLI/GUI, etc.) for status information and configuration. 3839beb93cSSam Leffler# The socket file will be named based on the interface name, so multiple 3939beb93cSSam Leffler# wpa_supplicant processes can be run at the same time if more than one 4039beb93cSSam Leffler# interface is used. 4139beb93cSSam Leffler# /var/run/wpa_supplicant is the recommended directory for sockets and by 4239beb93cSSam Leffler# default, wpa_cli will use it when trying to connect with wpa_supplicant. 4339beb93cSSam Leffler# 4439beb93cSSam Leffler# Access control for the control interface can be configured by setting the 4539beb93cSSam Leffler# directory to allow only members of a group to use sockets. This way, it is 4639beb93cSSam Leffler# possible to run wpa_supplicant as root (since it needs to change network 4739beb93cSSam Leffler# configuration and open raw sockets) and still allow GUI/CLI components to be 4839beb93cSSam Leffler# run as non-root users. However, since the control interface can be used to 4939beb93cSSam Leffler# change the network configuration, this access needs to be protected in many 5039beb93cSSam Leffler# cases. By default, wpa_supplicant is configured to use gid 0 (root). 
If you 5139beb93cSSam Leffler# want to allow non-root users to use the control interface, add a new group 5239beb93cSSam Leffler# and change this value to match with that group. Add users that should have 5339beb93cSSam Leffler# control interface access to this group. If this variable is commented out or 5439beb93cSSam Leffler# not included in the configuration file, group will not be changed from the 5539beb93cSSam Leffler# value it got by default when the directory or socket was created. 5639beb93cSSam Leffler# 5739beb93cSSam Leffler# When configuring both the directory and group, use following format: 5839beb93cSSam Leffler# DIR=/var/run/wpa_supplicant GROUP=wheel 5939beb93cSSam Leffler# DIR=/var/run/wpa_supplicant GROUP=0 6039beb93cSSam Leffler# (group can be either group name or gid) 6139beb93cSSam Leffler# 62c1d255d3SCy Schubert# For UDP connections (default on Windows): The value will be ignored. This 63c1d255d3SCy Schubert# variable is just used to select that the control interface is to be created. 64c1d255d3SCy Schubert# The value can be set to, e.g., udp (ctrl_interface=udp) 65c1d255d3SCy Schubert# 66c1d255d3SCy Schubert# For Windows Named Pipe: This value can be used to set the security descriptor 67c1d255d3SCy Schubert# for controlling access to the control interface. Security descriptor can be 68c1d255d3SCy Schubert# set using Security Descriptor String Format (see http://msdn.microsoft.com/ 69c1d255d3SCy Schubert# library/default.asp?url=/library/en-us/secauthz/security/ 70c1d255d3SCy Schubert# security_descriptor_string_format.asp). The descriptor string needs to be 71c1d255d3SCy Schubert# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty 72c1d255d3SCy Schubert# DACL (which will reject all connections). See README-Windows.txt for more 73c1d255d3SCy Schubert# information about SDDL string format. 
74c1d255d3SCy Schubert# 7539beb93cSSam Lefflerctrl_interface=/var/run/wpa_supplicant 7639beb93cSSam Leffler 7739beb93cSSam Leffler# IEEE 802.1X/EAPOL version 7839beb93cSSam Leffler# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 7939beb93cSSam Leffler# EAPOL version 2. However, there are many APs that do not handle the new 8039beb93cSSam Leffler# version number correctly (they seem to drop the frames completely). In order 8139beb93cSSam Leffler# to make wpa_supplicant interoperate with these APs, the version number is set 8239beb93cSSam Leffler# to 1 by default. This configuration value can be used to set it to the new 8339beb93cSSam Leffler# version (2). 845b9c547cSRui Paulo# Note: When using MACsec, eapol_version shall be set to 3, which is 855b9c547cSRui Paulo# defined in IEEE Std 802.1X-2010. 8639beb93cSSam Lefflereapol_version=1 8739beb93cSSam Leffler 8839beb93cSSam Leffler# AP scanning/selection 8939beb93cSSam Leffler# By default, wpa_supplicant requests driver to perform AP scanning and then 9039beb93cSSam Leffler# uses the scan results to select a suitable AP. Another alternative is to 9139beb93cSSam Leffler# allow the driver to take care of AP scanning and selection and use 9239beb93cSSam Leffler# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 9339beb93cSSam Leffler# information from the driver. 94e28a4053SRui Paulo# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 95e28a4053SRui Paulo# the currently enabled networks are found, a new network (IBSS or AP mode 96e28a4053SRui Paulo# operation) may be initialized (if configured) (default) 97c1d255d3SCy Schubert# 0: This mode must only be used when using wired Ethernet drivers 98c1d255d3SCy Schubert# (including MACsec). 
9939beb93cSSam Leffler# 2: like 0, but associate with APs using security policy and SSID (but not 10039beb93cSSam Leffler# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 10139beb93cSSam Leffler# enable operation with hidden SSIDs and optimized roaming; in this mode, 10239beb93cSSam Leffler# the network blocks in the configuration file are tried one by one until 10339beb93cSSam Leffler# the driver reports successful association; each network block should have 10439beb93cSSam Leffler# explicit security policy (i.e., only one option in the lists) for 10539beb93cSSam Leffler# key_mgmt, pairwise, group, proto variables 106c1d255d3SCy Schubert# Note: ap_scan=0/2 should not be used with the nl80211 driver interface (the 107c1d255d3SCy Schubert# current Linux interface). ap_scan=1 is the only option working with nl80211. 108c1d255d3SCy Schubert# For finding networks using hidden SSID, scan_ssid=1 in the network block can 109c1d255d3SCy Schubert# be used with nl80211. 110e28a4053SRui Paulo# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 111e28a4053SRui Paulo# created immediately regardless of scan results. ap_scan=1 mode will first try 112e28a4053SRui Paulo# to scan for existing networks and only if no matches with the enabled 113e28a4053SRui Paulo# networks are found, a new IBSS or AP mode network is created. 11439beb93cSSam Lefflerap_scan=1 11539beb93cSSam Leffler 116780fb4a2SCy Schubert# Whether to force passive scan for network connection 117780fb4a2SCy Schubert# 118780fb4a2SCy Schubert# By default, scans will send out Probe Request frames on channels that allow 119780fb4a2SCy Schubert# active scanning. This advertise the local station to the world. Normally this 120780fb4a2SCy Schubert# is fine, but users may wish to do passive scanning where the radio should only 121780fb4a2SCy Schubert# listen quietly for Beacon frames and not send any Probe Request frames. 
Actual 122780fb4a2SCy Schubert# functionality may be driver dependent. 123780fb4a2SCy Schubert# 124780fb4a2SCy Schubert# This parameter can be used to force only passive scanning to be used 125780fb4a2SCy Schubert# for network connection cases. It should be noted that this will slow 126780fb4a2SCy Schubert# down scan operations and reduce likelihood of finding the AP. In 127780fb4a2SCy Schubert# addition, some use cases will override this due to functional 128780fb4a2SCy Schubert# requirements, e.g., for finding an AP that uses hidden SSID 129780fb4a2SCy Schubert# (scan_ssid=1) or P2P device discovery. 130780fb4a2SCy Schubert# 131780fb4a2SCy Schubert# 0: Do normal scans (allow active scans) (default) 132780fb4a2SCy Schubert# 1: Do passive scans. 133780fb4a2SCy Schubert#passive_scan=0 134780fb4a2SCy Schubert 1355b9c547cSRui Paulo# MPM residency 1365b9c547cSRui Paulo# By default, wpa_supplicant implements the mesh peering manager (MPM) for an 1375b9c547cSRui Paulo# open mesh. However, if the driver can implement the MPM, you may set this to 1385b9c547cSRui Paulo# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is 1395b9c547cSRui Paulo# always used. 1405b9c547cSRui Paulo# 0: MPM lives in the driver 1415b9c547cSRui Paulo# 1: wpa_supplicant provides an MPM which handles peering (default) 1425b9c547cSRui Paulo#user_mpm=1 1435b9c547cSRui Paulo 1445b9c547cSRui Paulo# Maximum number of peer links (0-255; default: 99) 1455b9c547cSRui Paulo# Maximum number of mesh peering currently maintained by the STA. 1465b9c547cSRui Paulo#max_peer_links=99 1475b9c547cSRui Paulo 1485b9c547cSRui Paulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 1495b9c547cSRui Paulo# 1505b9c547cSRui Paulo# This timeout value is used in mesh STA to clean up inactive stations. 
1515b9c547cSRui Paulo#mesh_max_inactivity=300 1525b9c547cSRui Paulo 15332a95656SCy Schubert# Enable 802.11s layer-2 routing and forwarding (dot11MeshForwarding) 15432a95656SCy Schubert#mesh_fwding=1 15532a95656SCy Schubert 1565b9c547cSRui Paulo# cert_in_cb - Whether to include a peer certificate dump in events 1575b9c547cSRui Paulo# This controls whether peer certificates for authentication server and 1585b9c547cSRui Paulo# its certificate chain are included in EAP peer certificate events. This is 1595b9c547cSRui Paulo# enabled by default. 1605b9c547cSRui Paulo#cert_in_cb=1 1615b9c547cSRui Paulo 16239beb93cSSam Leffler# EAP fast re-authentication 16339beb93cSSam Leffler# By default, fast re-authentication is enabled for all EAP methods that 16439beb93cSSam Leffler# support it. This variable can be used to disable fast re-authentication. 16539beb93cSSam Leffler# Normally, there is no need to disable this. 16639beb93cSSam Lefflerfast_reauth=1 16739beb93cSSam Leffler 16839beb93cSSam Leffler# OpenSSL Engine support 169780fb4a2SCy Schubert# These options can be used to load OpenSSL engines in special or legacy 170780fb4a2SCy Schubert# modes. 17139beb93cSSam Leffler# The two engines that are supported currently are shown below: 17239beb93cSSam Leffler# They are both from the opensc project (http://www.opensc.org/) 173780fb4a2SCy Schubert# By default the PKCS#11 engine is loaded if the client_cert or 174780fb4a2SCy Schubert# private_key option appear to be a PKCS#11 URI, and these options 175780fb4a2SCy Schubert# should not need to be used explicitly. 
17639beb93cSSam Leffler# make the opensc engine available 17739beb93cSSam Leffler#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 17839beb93cSSam Leffler# make the pkcs11 engine available 17939beb93cSSam Leffler#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 18039beb93cSSam Leffler# configure the path to the pkcs11 module required by the pkcs11 engine 18139beb93cSSam Leffler#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 18239beb93cSSam Leffler 1835b9c547cSRui Paulo# OpenSSL cipher string 1845b9c547cSRui Paulo# 1855b9c547cSRui Paulo# This is an OpenSSL specific configuration option for configuring the default 18685732ac8SCy Schubert# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW" 18785732ac8SCy Schubert# by default) is used. 1885b9c547cSRui Paulo# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation 1895b9c547cSRui Paulo# on cipher suite configuration. This is applicable only if wpa_supplicant is 1905b9c547cSRui Paulo# built to use OpenSSL. 1915b9c547cSRui Paulo#openssl_ciphers=DEFAULT:!EXP:!LOW 1925b9c547cSRui Paulo 19339beb93cSSam Leffler# Dynamic EAP methods 19439beb93cSSam Leffler# If EAP methods were built dynamically as shared object files, they need to be 19539beb93cSSam Leffler# loaded here before being used in the network blocks. By default, EAP methods 19639beb93cSSam Leffler# are included statically in the build, so these lines are not needed 19739beb93cSSam Leffler#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 19839beb93cSSam Leffler#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 19939beb93cSSam Leffler 20039beb93cSSam Leffler# Driver interface parameters 201780fb4a2SCy Schubert# This field can be used to configure arbitrary driver interface parameters. The 20239beb93cSSam Leffler# format is specific to the selected driver interface. This field is not used 20339beb93cSSam Leffler# in most cases. 
20439beb93cSSam Leffler#driver_param="field=value" 20539beb93cSSam Leffler 20639beb93cSSam Leffler# Country code 20739beb93cSSam Leffler# The ISO/IEC alpha2 country code for the country in which this device is 20839beb93cSSam Leffler# currently operating. 20939beb93cSSam Leffler#country=US 21039beb93cSSam Leffler 21139beb93cSSam Leffler# Maximum lifetime for PMKSA in seconds; default 43200 21239beb93cSSam Leffler#dot11RSNAConfigPMKLifetime=43200 21339beb93cSSam Leffler# Threshold for reauthentication (percentage of PMK lifetime); default 70 21439beb93cSSam Leffler#dot11RSNAConfigPMKReauthThreshold=70 21539beb93cSSam Leffler# Timeout for security association negotiation in seconds; default 60 21639beb93cSSam Leffler#dot11RSNAConfigSATimeout=60 21739beb93cSSam Leffler 21839beb93cSSam Leffler# Wi-Fi Protected Setup (WPS) parameters 21939beb93cSSam Leffler 22039beb93cSSam Leffler# Universally Unique IDentifier (UUID; see RFC 4122) of the device 22185732ac8SCy Schubert# If not configured, UUID will be generated based on the mechanism selected with 22285732ac8SCy Schubert# the auto_uuid parameter. 
22339beb93cSSam Leffler#uuid=12345678-9abc-def0-1234-56789abcdef0 22439beb93cSSam Leffler 22585732ac8SCy Schubert# Automatic UUID behavior 22685732ac8SCy Schubert# 0 = generate static value based on the local MAC address (default) 22785732ac8SCy Schubert# 1 = generate a random UUID every time wpa_supplicant starts 22885732ac8SCy Schubert#auto_uuid=0 22985732ac8SCy Schubert 23039beb93cSSam Leffler# Device Name 23139beb93cSSam Leffler# User-friendly description of device; up to 32 octets encoded in UTF-8 23239beb93cSSam Leffler#device_name=Wireless Client 23339beb93cSSam Leffler 23439beb93cSSam Leffler# Manufacturer 23539beb93cSSam Leffler# The manufacturer of the device (up to 64 ASCII characters) 23639beb93cSSam Leffler#manufacturer=Company 23739beb93cSSam Leffler 23839beb93cSSam Leffler# Model Name 23939beb93cSSam Leffler# Model of the device (up to 32 ASCII characters) 24039beb93cSSam Leffler#model_name=cmodel 24139beb93cSSam Leffler 24239beb93cSSam Leffler# Model Number 24339beb93cSSam Leffler# Additional device description (up to 32 ASCII characters) 24439beb93cSSam Leffler#model_number=123 24539beb93cSSam Leffler 24639beb93cSSam Leffler# Serial Number 24739beb93cSSam Leffler# Serial number of the device (up to 32 characters) 24839beb93cSSam Leffler#serial_number=12345 24939beb93cSSam Leffler 25039beb93cSSam Leffler# Primary Device Type 25139beb93cSSam Leffler# Used format: <categ>-<OUI>-<subcateg> 25239beb93cSSam Leffler# categ = Category as an integer value 25339beb93cSSam Leffler# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 25439beb93cSSam Leffler# default WPS OUI 25539beb93cSSam Leffler# subcateg = OUI-specific Sub Category as an integer value 25639beb93cSSam Leffler# Examples: 25739beb93cSSam Leffler# 1-0050F204-1 (Computer / PC) 25839beb93cSSam Leffler# 1-0050F204-2 (Computer / Server) 25939beb93cSSam Leffler# 5-0050F204-1 (Storage / NAS) 26039beb93cSSam Leffler# 6-0050F204-1 (Network Infrastructure / AP) 26139beb93cSSam 
Leffler#device_type=1-0050F204-1 26239beb93cSSam Leffler 26339beb93cSSam Leffler# OS Version 26439beb93cSSam Leffler# 4-octet operating system version number (hex string) 26539beb93cSSam Leffler#os_version=01020300 26639beb93cSSam Leffler 267e28a4053SRui Paulo# Config Methods 268e28a4053SRui Paulo# List of the supported configuration methods 269e28a4053SRui Paulo# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 270f05cddf9SRui Paulo# nfc_interface push_button keypad virtual_display physical_display 271f05cddf9SRui Paulo# virtual_push_button physical_push_button 272f05cddf9SRui Paulo# For WSC 1.0: 273e28a4053SRui Paulo#config_methods=label display push_button keypad 274f05cddf9SRui Paulo# For WSC 2.0: 275f05cddf9SRui Paulo#config_methods=label virtual_display virtual_push_button keypad 276e28a4053SRui Paulo 27739beb93cSSam Leffler# Credential processing 27839beb93cSSam Leffler# 0 = process received credentials internally (default) 27939beb93cSSam Leffler# 1 = do not process received credentials; just pass them over ctrl_iface to 28039beb93cSSam Leffler# external program(s) 28139beb93cSSam Leffler# 2 = process received credentials internally and pass them over ctrl_iface 28239beb93cSSam Leffler# to external program(s) 28339beb93cSSam Leffler#wps_cred_processing=0 28439beb93cSSam Leffler 2854bc52338SCy Schubert# Whether to enable SAE (WPA3-Personal transition mode) automatically for 2864bc52338SCy Schubert# WPA2-PSK credentials received using WPS. 2874bc52338SCy Schubert# 0 = only add the explicitly listed WPA2-PSK configuration (default) 2884bc52338SCy Schubert# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the 2894bc52338SCy Schubert# station gets configured in WPA3-Personal transition mode (supports both 2904bc52338SCy Schubert# WPA2-Personal (PSK) and WPA3-Personal (SAE) APs). 
2914bc52338SCy Schubert#wps_cred_add_sae=0 2924bc52338SCy Schubert 293f05cddf9SRui Paulo# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 294f05cddf9SRui Paulo# The vendor attribute contents to be added in M1 (hex string) 295f05cddf9SRui Paulo#wps_vendor_ext_m1=000137100100020001 296f05cddf9SRui Paulo 297f05cddf9SRui Paulo# NFC password token for WPS 298f05cddf9SRui Paulo# These parameters can be used to configure a fixed NFC password token for the 299f05cddf9SRui Paulo# station. This can be generated, e.g., with nfc_pw_token. When these 300f05cddf9SRui Paulo# parameters are used, the station is assumed to be deployed with a NFC tag 301f05cddf9SRui Paulo# that includes the matching NFC password token (e.g., written based on the 302f05cddf9SRui Paulo# NDEF record from nfc_pw_token). 303f05cddf9SRui Paulo# 304f05cddf9SRui Paulo#wps_nfc_dev_pw_id: Device Password ID (16..65535) 305f05cddf9SRui Paulo#wps_nfc_dh_pubkey: Hexdump of DH Public Key 306f05cddf9SRui Paulo#wps_nfc_dh_privkey: Hexdump of DH Private Key 307f05cddf9SRui Paulo#wps_nfc_dev_pw: Hexdump of Device Password 308f05cddf9SRui Paulo 309325151a3SRui Paulo# Priority for the networks added through WPS 310325151a3SRui Paulo# This priority value will be set to each network profile that is added 311325151a3SRui Paulo# by executing the WPS protocol. 
312325151a3SRui Paulo#wps_priority=0 313325151a3SRui Paulo 314c1d255d3SCy Schubert# Device Provisioning Protocol (DPP) parameters 315c1d255d3SCy Schubert# 316c1d255d3SCy Schubert# How to process DPP configuration 317c1d255d3SCy Schubert# 0 = report received configuration to an external program for 318c1d255d3SCy Schubert# processing; do not generate any network profile internally (default) 319c1d255d3SCy Schubert# 1 = report received configuration to an external program and generate 320c1d255d3SCy Schubert# a network profile internally, but do not automatically connect 321c1d255d3SCy Schubert# to the created (disabled) profile; the network profile id is 322c1d255d3SCy Schubert# reported to external programs 323c1d255d3SCy Schubert# 2 = report received configuration to an external program, generate 324c1d255d3SCy Schubert# a network profile internally, try to connect to the created 325c1d255d3SCy Schubert# profile automatically 326c1d255d3SCy Schubert#dpp_config_processing=0 327c1d255d3SCy Schubert# 328c1d255d3SCy Schubert# Name for Enrollee's DPP Configuration Request 329c1d255d3SCy Schubert#dpp_name=Test 330c1d255d3SCy Schubert# 331c1d255d3SCy Schubert# MUD URL for Enrollee's DPP Configuration Request (optional) 332c1d255d3SCy Schubert#dpp_mud_url=https://example.com/mud 333c1d255d3SCy Schubert 334e28a4053SRui Paulo# Maximum number of BSS entries to keep in memory 335e28a4053SRui Paulo# Default: 200 336e28a4053SRui Paulo# This can be used to limit memory use on the BSS entries (cached scan 337e28a4053SRui Paulo# results). A larger value may be needed in environments that have huge number 338e28a4053SRui Paulo# of APs when using ap_scan=1 mode. 339e28a4053SRui Paulo#bss_max_count=200 340e28a4053SRui Paulo 3414bc52338SCy Schubert# BSS expiration age in seconds. A BSS will be removed from the local cache 3424bc52338SCy Schubert# if it is not in use and has not been seen for this time. Default is 180. 
3434bc52338SCy Schubert#bss_expiration_age=180 3444bc52338SCy Schubert 3454bc52338SCy Schubert# BSS expiration after number of scans. A BSS will be removed from the local 3464bc52338SCy Schubert# cache if it is not seen in this number of scans. 3474bc52338SCy Schubert# Default is 2. 3484bc52338SCy Schubert#bss_expiration_scan_count=2 3494bc52338SCy Schubert 350f05cddf9SRui Paulo# Automatic scan 351f05cddf9SRui Paulo# This is an optional set of parameters for automatic scanning 352f05cddf9SRui Paulo# within an interface in following format: 353f05cddf9SRui Paulo#autoscan=<autoscan module name>:<module parameters> 3545b9c547cSRui Paulo# autoscan is like bgscan but on disconnected or inactive state. 3555b9c547cSRui Paulo# For instance, on exponential module parameters would be <base>:<limit> 356f05cddf9SRui Paulo#autoscan=exponential:3:300 357f05cddf9SRui Paulo# Which means a delay between scans on a base exponential of 3, 3585b9c547cSRui Paulo# up to the limit of 300 seconds (3, 9, 27 ... 300) 3595b9c547cSRui Paulo# For periodic module, parameters would be <fixed interval> 360f05cddf9SRui Paulo#autoscan=periodic:30 361780fb4a2SCy Schubert# So a delay of 30 seconds will be applied between each scan. 362780fb4a2SCy Schubert# Note: If sched_scan_plans are configured and supported by the driver, 363780fb4a2SCy Schubert# autoscan is ignored. 364e28a4053SRui Paulo 365e28a4053SRui Paulo# filter_ssids - SSID-based scan result filtering 366e28a4053SRui Paulo# 0 = do not filter scan results (default) 367e28a4053SRui Paulo# 1 = only include configured SSIDs in scan results/BSS table 368e28a4053SRui Paulo#filter_ssids=0 369e28a4053SRui Paulo 370f05cddf9SRui Paulo# Password (and passphrase, etc.) backend for external storage 371f05cddf9SRui Paulo# format: <backend name>[:<optional backend parameters>] 372c1d255d3SCy Schubert# Test backend which stores passwords in memory. Should only be used for 373c1d255d3SCy Schubert# development purposes. 
374f05cddf9SRui Paulo#ext_password_backend=test:pw1=password|pw2=testing 375c1d255d3SCy Schubert# File-based backend which reads passwords from a file. The parameter 376c1d255d3SCy Schubert# identifies the file to read passwords from. The password file follows the 377c1d255d3SCy Schubert# format of wpa_supplicant.conf and accepts simple `key=passphrase` formatted 378c1d255d3SCy Schubert# passwords. 379c1d255d3SCy Schubert#ext_password_backend=file:/path/to/passwords.conf 380f05cddf9SRui Paulo 381325151a3SRui Paulo 382325151a3SRui Paulo# Disable P2P functionality 383325151a3SRui Paulo# p2p_disabled=1 384325151a3SRui Paulo 385f05cddf9SRui Paulo# Timeout in seconds to detect STA inactivity (default: 300 seconds) 386f05cddf9SRui Paulo# 387f05cddf9SRui Paulo# This timeout value is used in P2P GO mode to clean up 388f05cddf9SRui Paulo# inactive stations. 389f05cddf9SRui Paulo#p2p_go_max_inactivity=300 390f05cddf9SRui Paulo 3915b9c547cSRui Paulo# Passphrase length (8..63) for P2P GO 3925b9c547cSRui Paulo# 3935b9c547cSRui Paulo# This parameter controls the length of the random passphrase that is 3945b9c547cSRui Paulo# generated at the GO. Default: 8. 3955b9c547cSRui Paulo#p2p_passphrase_len=8 3965b9c547cSRui Paulo 3975b9c547cSRui Paulo# Extra delay between concurrent P2P search iterations 3985b9c547cSRui Paulo# 3995b9c547cSRui Paulo# This value adds extra delay in milliseconds between concurrent search 4005b9c547cSRui Paulo# iterations to make p2p_find friendlier to concurrent operations by avoiding 4015b9c547cSRui Paulo# it from taking 100% of radio resources. The default value is 500 ms. 4025b9c547cSRui Paulo#p2p_search_delay=500 4035b9c547cSRui Paulo 404f05cddf9SRui Paulo# Opportunistic Key Caching (also known as Proactive Key Caching) default 405f05cddf9SRui Paulo# This parameter can be used to set the default behavior for the 406f05cddf9SRui Paulo# proactive_key_caching parameter. 
By default, OKC is disabled unless enabled 407f05cddf9SRui Paulo# with the global okc=1 parameter or with the per-network 408f05cddf9SRui Paulo# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 409f05cddf9SRui Paulo# can be disabled with per-network proactive_key_caching=0 parameter. 410f05cddf9SRui Paulo#okc=0 411f05cddf9SRui Paulo 412f05cddf9SRui Paulo# Protected Management Frames default 413f05cddf9SRui Paulo# This parameter can be used to set the default behavior for the ieee80211w 414780fb4a2SCy Schubert# parameter for RSN networks. By default, PMF is disabled unless enabled with 415780fb4a2SCy Schubert# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter. 416780fb4a2SCy Schubert# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the 417780fb4a2SCy Schubert# per-network ieee80211w parameter. This global default value does not apply 418780fb4a2SCy Schubert# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using 419780fb4a2SCy Schubert# RSN. 420f05cddf9SRui Paulo#pmf=0 421f05cddf9SRui Paulo 422*a90b9d01SCy Schubert# sae_check_mfp: Require PMF support to select SAE key_mgmt 423*a90b9d01SCy Schubert# 0 = Do not check PMF for SAE (default) 424*a90b9d01SCy Schubert# 1 = Limit SAE when PMF is not enabled 425*a90b9d01SCy Schubert# 426*a90b9d01SCy Schubert# When enabled SAE will not be selected if PMF will not be used 427*a90b9d01SCy Schubert# for the connection. 428*a90b9d01SCy Schubert# Scenarios where this check will limit SAE: 429*a90b9d01SCy Schubert# 1) ieee80211w=0 is set for the network 430*a90b9d01SCy Schubert# 2) The AP does not have PMF enabled. 431*a90b9d01SCy Schubert# 3) ieee80211w is unset, pmf=1 is enabled globally, and 432*a90b9d01SCy Schubert# the device does not support the BIP cipher. 
433*a90b9d01SCy Schubert# Consider the configuration of global parameterss sae_check_mfp=1, pmf=1 and a 434*a90b9d01SCy Schubert# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK. 435*a90b9d01SCy Schubert# In the example WPA-PSK will be used if the device does not support 436*a90b9d01SCy Schubert# the BIP cipher or the AP has PMF disabled. 437*a90b9d01SCy Schubert# Limiting SAE with this check can avoid failing to associate to an AP 438*a90b9d01SCy Schubert# that is configured with sae_requires_mfp=1 if the device does 439*a90b9d01SCy Schubert# not support PMF due to lack of the BIP cipher. 440*a90b9d01SCy Schubert# 441*a90b9d01SCy Schubert# Enabling this check helps with compliance of the WPA3 442*a90b9d01SCy Schubert# specification for WPA3-Personal transition mode. 443*a90b9d01SCy Schubert# The WPA3 specification section 2.3 "WPA3-Personal transition mode" item 8 444*a90b9d01SCy Schubert# states "A STA shall negotiate PMF when associating to an AP using SAE". 445*a90b9d01SCy Schubert# With this check WPA3 capable devices when connecting 446*a90b9d01SCy Schubert# to transition mode APs that do not advertise PMF support 447*a90b9d01SCy Schubert# will not use SAE and instead fallback to PSK. 448*a90b9d01SCy Schubert#sae_check_mfp=0 449*a90b9d01SCy Schubert 4505b9c547cSRui Paulo# Enabled SAE finite cyclic groups in preference order 4515b9c547cSRui Paulo# By default (if this parameter is not set), the mandatory group 19 (ECC group 4524bc52338SCy Schubert# defined over a 256-bit prime order field, NIST P-256) is preferred and groups 4534bc52338SCy Schubert# 20 (NIST P-384) and 21 (NIST P-521) are also enabled. If this parameter is 4544bc52338SCy Schubert# set, the groups will be tried in the indicated order. 
# The group values are listed in the IANA registry:
# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
# Note that groups 1, 2, 5, 22, 23, and 24 should not be used for production
# purposes due to limited security (see RFC 8247). Groups that are not as strong
# as group 19 (ECC, NIST P-256) are unlikely to be useful for production use
# cases since all implementations are required to support group 19.
#sae_groups=19 20 21

# SAE mechanism for PWE derivation
# 0 = hunting-and-pecking loop only (default without password identifier)
# 1 = hash-to-element only (default with password identifier)
# 2 = both hunting-and-pecking loop and hash-to-element enabled
# Note: The default value is likely to change from 0 to 2 once the new
# hash-to-element mechanism has received more interoperability testing.
# Hash-to-element also avoids the password-dependent timing of the
# hunting-and-pecking loop, so it is the preferable mechanism wherever the AP
# supports it.
# When using SAE password identifier, the hash-to-element mechanism is used
# regardless of the sae_pwe parameter value.
#sae_pwe=0

# Default value for DTIM period (if not overridden in network block)
#dtim_period=2

# Default value for Beacon interval (if not overridden in network block)
#beacon_int=100

# Additional vendor specific elements for Beacon and Probe Response frames
# This parameter can be used to add additional vendor specific element(s) into
# the end of the Beacon and Probe Response frames. The format for these
# element(s) is a hexdump of the raw information elements (id+len+payload for
# one or more elements). This is used in AP and P2P GO modes.
#ap_vendor_elements=dd0411223301

# Ignore scan results older than request
#
# The driver may have a cache of scan results that makes it return
# information that is older than our scan trigger. This parameter can
# be used to configure such old information to be ignored instead of
# allowing it to update the internal BSS table.
#ignore_old_scan_res=0

# scan_cur_freq: Whether to scan only the current frequency
# 0:  Scan all available frequencies. (Default)
# 1:  Scan current operating frequency if another VIF on the same radio
#     is already associated.

# Seconds to consider old scan results valid for association (default: 5)
#scan_res_valid_for_connect=5

# MAC address policy default
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
# 3 = use dedicated/pregenerated MAC address (see mac_value)
#
# By default, permanent MAC address is used unless policy is changed by
# the per-network mac_addr parameter. Global mac_addr=1 can be used to
# change this default behavior.
#mac_addr=0

# Local MAC address to use whenever connecting with this network profile
# This is used with mac_addr=3.
#mac_value=02:12:34:56:78:9a

# Lifetime of random MAC address in seconds (default: 60)
#rand_addr_lifetime=60

# MAC address policy for pre-association operations (scanning, ANQP)
# 0 = use permanent MAC address
# 1 = use random MAC address
# 2 = like 1, but maintain OUI (with local admin bit set)
#preassoc_mac_addr=0

# MAC address policy for GAS operations
# 0 = use permanent MAC address
# 1 = use random MAC address
# 2 = like 1, but maintain OUI (with local admin bit set)
# Note that this setting is ignored when a specific MAC address is needed for
# a full protocol exchange that includes GAS, e.g., when going through a DPP
# exchange that exposes the configured interface address as part of the DPP
# Public Action frame exchanges before using GAS. That same address is then used
# during the GAS exchange as well to avoid breaking the protocol expectations.
#gas_rand_mac_addr=0

# Lifetime of GAS random MAC address in seconds (default: 60)
#gas_rand_addr_lifetime=60

# Interworking (IEEE 802.11u)

# Enable Interworking
# interworking=1

# Enable P2P GO advertisement of Interworking
# go_interworking=1

# P2P GO Interworking: Access Network Type
# 0 = Private network
# 1 = Private network with guest access
# 2 = Chargeable public network
# 3 = Free public network
# 4 = Personal device network
# 5 = Emergency services only network
# 14 = Test or experimental
# 15 = Wildcard
#go_access_network_type=0

# P2P GO Interworking: Whether the network provides connectivity to the Internet
# 0 = Unspecified
# 1 = Network provides connectivity to the Internet
#go_internet=1

# P2P GO Interworking: Group Venue Info (optional)
# The available values are defined in IEEE Std 802.11-2016, 9.4.1.35.
# Example values (group,type):
# 0,0 = Unspecified
# 1,7 = Convention Center
# 1,13 = Coffee Shop
# 2,0 = Unspecified Business
# 7,1 = Private Residence
#go_venue_group=7
#go_venue_type=1

# Homogeneous ESS identifier
# If this is set, scans will be used to request response only from BSSes
# belonging to the specified Homogeneous ESS. This is used only if interworking
# is enabled.
# hessid=00:11:22:33:44:55

# Automatic network selection behavior
# 0 = do not automatically go through Interworking network selection
#     (i.e., require explicit interworking_select command for this; default)
# 1 = perform Interworking network selection if one or more
#     credentials have been configured and scan did not find a
#     matching network block
#auto_interworking=0

# GAS Address3 field behavior
# 0 = P2P specification (Address3 = AP BSSID); default
# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when
#     sent to not-associated AP; if associated, AP BSSID)
#gas_address3=0

# Publish fine timing measurement (FTM) responder functionality in
# the Extended Capabilities element bit 70.
# Controls whether FTM responder functionality will be published by AP/STA.
# Note that actual FTM responder operation is managed outside wpa_supplicant.
# 0 = Do not publish; default
# 1 = Publish
#ftm_responder=0

# Publish fine timing measurement (FTM) initiator functionality in
# the Extended Capabilities element bit 71.
# Controls whether FTM initiator functionality will be published by AP/STA.
# Note that actual FTM initiator operation is managed outside wpa_supplicant.
# 0 = Do not publish; default
# 1 = Publish
#ftm_initiator=0

# credential block
#
# Each credential used for automatic network selection is configured as a set
# of parameters that are compared to the information advertised by the APs when
# interworking_select and interworking_connect commands are used.
#
# credential fields:
#
# temporary: Whether this credential is temporary and not to be saved
#
# priority: Priority group
#	By default, all networks and credentials get the same priority group
#	(0). This field can be used to give higher priority for credentials
#	(and similarly in struct wpa_ssid for network blocks) to change the
#	Interworking automatic networking selection behavior. The matching
#	network (based on either an enabled network block or a credential)
#	with the highest priority value will be selected.
#
# pcsc: Use PC/SC and SIM/USIM card
#
# realm: Home Realm for Interworking
#
# username: Username for Interworking network selection
#
# password: Password for Interworking network selection
#
# ca_cert: CA certificate for Interworking network selection
#	If this is not set, the authentication server's certificate is not
#	verified at all, so a trusted CA certificate should always be
#	configured for EAP-TLS/TTLS/PEAP credentials.
#
# client_cert: File path to client certificate file (PEM/DER)
#	This field is used with Interworking networking selection for a case
#	where client certificate/private key is used for authentication
#	(EAP-TLS). Full path to the file should be used since working
#	directory may change when wpa_supplicant is run in the background.
#
#	Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
#
#	For example: client_cert="pkcs11:manufacturer=piv_II;id=%01"
#
#	Alternatively, a named configuration blob can be used by setting
#	this to blob://blob_name.
#
# private_key: File path to client private key file (PEM/DER/PFX)
#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#	commented out. Both the private key and certificate will be read
#	from the PKCS#12 file in this case. Full path to the file should be
#	used since working directory may change when wpa_supplicant is run
#	in the background.
#
#	Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
#
#	Windows certificate store can be used by leaving client_cert out and
#	configuring private_key in one of the following formats:
#
#	cert://substring_to_match
#
#	hash://certificate_thumbprint_in_hex
#
#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
#
#	Note that when running wpa_supplicant as an application, the user
#	certificate store (My user account) is used, whereas computer store
#	(Computer account) is used when running wpasvc as a service.
#
#	Alternatively, a named configuration blob can be used by setting
#	this to blob://blob_name.
#
# private_key_passwd: Password for private key file
#
# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
#
# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
#	format
#
# domain: Home service provider FQDN(s)
#	This is used to compare against the Domain Name List to figure out
#	whether the AP is operated by the Home SP. Multiple domain entries can
#	be used to configure alternative FQDNs that will be considered home
#	networks.
#
# home_ois: Home OI(s)
#	This string field contains one or more comma delimited OIs (hexdump)
#	identifying the access points that support authentication with this
#	credential. These are an alternative to the use of the realm
#	parameter. When using Home OIs to match the network, the EAP parameters
#	need to be pre-configured with the credential since the NAI Realm
#	information may not be available or fetched.
#	A successful authentication with the access point is possible as soon
#	as at least one Home OI from the list matches an OI in the Roaming
#	Consortium advertised by the access point.
#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOI)
#
# required_home_ois: Required Home OI(s)
#	This string field contains the set of Home OI(s) (hexdump) that are
#	required to be advertised by the AP for the credential to be considered
#	matching.
#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOIRequired)
#
# roaming_consortium: Roaming Consortium OI
#	Deprecated: use home_ois instead.
#	If roaming_consortium_len is non-zero, this field contains the
#	Roaming Consortium OI that can be used to determine which access
#	points support authentication with this credential. This is an
#	alternative to the use of the realm parameter. When using Roaming
#	Consortium to match the network, the EAP parameters need to be
#	pre-configured with the credential since the NAI Realm information
#	may not be available or fetched.
#
# required_roaming_consortium: Required Roaming Consortium OI
#	Deprecated: use required_home_ois instead.
#	If required_roaming_consortium_len is non-zero, this field contains the
#	Roaming Consortium OI that is required to be advertised by the AP for
#	the credential to be considered matching.
#
# roaming_consortiums: Roaming Consortium OI(s) memberships
#	This string field contains one or more comma delimited OIs (hexdump)
#	identifying the roaming consortiums of which the provider is a member.
#	The list is sorted from the most preferred one to the least preferred
#	one. A match between the Roaming Consortium OIs advertised by an AP and
#	the OIs in this list indicates that successful authentication is
#	possible.
#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI)
#
# eap: Pre-configured EAP method
#	This optional field can be used to specify which EAP method will be
#	used with this credential. If not set, the EAP method is selected
#	automatically based on ANQP information (e.g., NAI Realm).
#
# phase1: Pre-configure Phase 1 (outer authentication) parameters
#	This optional field is used like the 'eap' parameter.
#
# phase2: Pre-configure Phase 2 (inner authentication) parameters
#	This optional field is used like the 'eap' parameter.
#
# excluded_ssid: Excluded SSID
#	This optional field can be used to exclude specific SSID(s) from
#	matching with the network. Multiple entries can be used to specify more
#	than one SSID.
#
# roaming_partner: Roaming partner information
#	This optional field can be used to configure preferences between roaming
#	partners. The field is a string in the following format:
#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>
#	(non-exact match means any subdomain matches the entry; priority is in
#	0..255 range with 0 being the highest priority)
#
# update_identifier: PPS MO ID
#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
#
# provisioning_sp: FQDN of the SP that provisioned the credential
#	This optional field can be used to keep track of the SP that provisioned
#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
#
# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhaulThreshold/*)
#	These fields can be used to specify minimum download/upload backhaul
#	bandwidth that is preferred for the credential. This constraint is
#	ignored if the AP does not advertise WAN Metrics information or if the
#	limit would prevent any connection. Values are in kilobits per second.
#	min_dl_bandwidth_home
#	min_ul_bandwidth_home
#	min_dl_bandwidth_roaming
#	min_ul_bandwidth_roaming
#
# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
#	(PPS/<X+>/Policy/MaximumBSSLoadValue)
#	This value is used as the maximum channel utilization for network
#	selection purposes for home networks. If the AP does not advertise
#	BSS Load or if the limit would prevent any connection, this constraint
#	will be ignored.
#
# req_conn_capab: Required connection capability
#	(PPS/<X+>/Policy/RequiredProtoPortTuple)
#	This value is used to configure the set of required protocol/port pairs
#	that a roaming network shall support (include explicitly in Connection
#	Capability ANQP element). This constraint is ignored if the AP does not
#	advertise Connection Capability or if this constraint would prevent any
#	network connection. This policy is not used in home networks.
#	Format: <protocol>[:<comma-separated list of ports>]
#	Multiple entries can be used to list multiple requirements.
#	For example, a number of common TCP ports (protocol 6):
#	req_conn_capab=6:22,80,443
#	For example, IPsec/IKE (IKE on UDP port 500 and ESP, protocol 50):
#	req_conn_capab=17:500
#	req_conn_capab=50
#
# ocsp: Whether to use/require OCSP to check server certificate
#	0 = do not use OCSP stapling (TLS certificate status extension)
#	1 = try to use OCSP stapling, but not require response
#	2 = require valid OCSP stapling response
#	3 = require valid OCSP stapling response for all not-trusted
#	    certificates in the server certificate chain
#
# sim_num: Identifier for which SIM to use in multi-SIM devices
#
# for example:
#
#cred={
#	realm="example.com"
#	username="user@example.com"
#	password="password"
#	ca_cert="/etc/wpa_supplicant/ca.pem"
#	domain="example.com"
#}
#
#cred={
#	imsi="310026-000000000"
#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
#}
#
#cred={
#	realm="example.com"
#	username="user"
#	password="password"
#	ca_cert="/etc/wpa_supplicant/ca.pem"
#	domain="example.com"
#	home_ois="223344"
#	eap=TTLS
#	phase2="auth=MSCHAPV2"
#}

# Hotspot 2.0
# hs20=1

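An added Passpoint example (not part of the original file, and not the project's own sample) that ties the credential fields above together: Interworking and Hotspot 2.0 enabled globally, and one EAP-TLS credential that matches on Home OIs, verifies the server against a configured CA with a required OCSP staple, and carries roaming-partner, connection-capability and backhaul policy. The realm, OIs, FQDNs, PKCS#11 URI, PIN, file path and SSID are placeholders.

```conf
# Added example, not part of the original wpa_supplicant.conf. Realm, OIs,
# FQDNs, the PKCS#11 URI, PIN, file path and SSID are placeholders.

# Global: enable IEEE 802.11u Interworking and Hotspot 2.0, and let
# wpa_supplicant run Interworking network selection on its own when no
# network block matches the scan results.
interworking=1
hs20=1
auto_interworking=1

cred={
	priority=10
	realm="example.com"
	username="user@example.com"
	domain="example.com"

	# Match by Home OI as well as by realm; the OI in required_home_ois
	# must be present in the AP's Roaming Consortium for this credential
	# to be considered at all.
	home_ois="223344,aabbcc"
	required_home_ois="223344"
	roaming_consortiums="223344,aabbcc,ddeeff"

	# EAP parameters are pre-configured because, when matching on OIs, the
	# NAI Realm ANQP information may never be fetched.
	eap=TLS
	ca_cert="/etc/wpa_supplicant/example-ca.pem"
	client_cert="pkcs11:manufacturer=piv_II;id=%01"
	private_key="pkcs11:manufacturer=piv_II;id=%01"
	private_key_passwd="123456"

	# Require a valid OCSP staple for the server certificate. Without the
	# ca_cert above the server would not be verified at all.
	ocsp=2

	# Prefer the home SP's own partner (exact FQDN match, priority 0 is the
	# highest) over any subdomain of a second partner, in any country.
	roaming_partner="roaming.example.net,1,0,*"
	roaming_partner="partner.example.org,0,127,*"

	# Only roaming networks whose Connection Capability ANQP element
	# explicitly allows these protocol/port tuples are acceptable:
	# SSH and HTTPS over TCP, IKE/NAT-T over UDP, and ESP.
	req_conn_capab=6:22,443
	req_conn_capab=17:500,4500
	req_conn_capab=50

	# Skip overloaded home APs and hotspots with poor backhaul (kbit/s).
	max_bss_load=200
	min_dl_bandwidth_home=10000
	min_ul_bandwidth_home=2000
	min_dl_bandwidth_roaming=2000
	min_ul_bandwidth_roaming=500

	# Never match the captive-portal SSID the same venue broadcasts.
	excluded_ssid="Venue-Guest"
}
```

Each policy constraint (max_bss_load, the bandwidth minimums, req_conn_capab) is advisory in the sense documented above: it is dropped when the AP does not advertise the corresponding ANQP data or when honouring it would leave no usable network, so the CA pinning and ocsp=2 are the only settings here that can actually prevent a connection.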
# Scheduled scan plans
#
# A space delimited list of scan plans. Each scan plan specifies the scan
# interval and number of iterations, delimited by a colon. The last scan plan
# will run infinitely and thus must specify only the interval and not the number
# of iterations.
#
# The driver advertises the maximum number of scan plans supported. If more scan
# plans than supported are configured, only the first ones are set (up to the
# maximum supported). The last scan plan that specifies only the interval is
# always set as the last plan.
#
# If the scan interval or the number of iterations for a scan plan exceeds the
# maximum supported, it will be set to the maximum supported value.
#
# Format:
# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
#
# Example:
# sched_scan_plans=10:100 20:200 30

# Multi Band Operation (MBO) non-preferred channels
# A space delimited list of non-preferred channels where each channel is a colon
# delimited list of values.
# Format:
# non_pref_chan=<oper_class>:<chan>:<preference>:<reason>
# Example:
# non_pref_chan=81:5:10:2 81:1:0:2 81:9:0:2

# MBO Cellular Data Capabilities
# 1 = Cellular data connection available
# 2 = Cellular data connection not available
# 3 = Not cellular capable (default)
#mbo_cell_capa=3

# Optimized Connectivity Experience (OCE)
# oce: Enable OCE features (bitmap)
# Set BIT(0) to Enable OCE in non-AP STA mode (default; disabled if the driver
# does not indicate support for OCE in STA mode)
# Set BIT(1) to Enable OCE in STA-CFON mode
#oce=1

# Extended Key ID support for Individually Addressed frames
# 0 = force off: Do not use Extended Key ID (default)
# 1 = auto: Activate Extended Key ID support if the driver supports it
#extended_key_id=0

# network block
#
# Each network (usually APs sharing the same SSID) is configured as a separate
# block in this configuration file. The network blocks are in preference order
# (the first match is used).
#
# network block fields:
#
# disabled:
#	0 = this network can be used (default)
#	1 = this network block is disabled (can be enabled through ctrl_iface,
#	    e.g., with wpa_cli or wpa_gui)
#
# id_str: Network identifier string for external scripts. This value is passed
#	to external action script through wpa_cli as WPA_ID_STR environment
#	variable to make it easier to do network specific configuration.
#
# ssid: SSID (mandatory); network name in one of the optional formats:
#	- an ASCII string with double quotation
#	- a hex string (two characters per octet of SSID)
#	- a printf-escaped ASCII string P"<escaped string>"
#
# scan_ssid:
#	0 = do not scan this SSID with specific Probe Request frames (default)
#	1 = scan with SSID-specific Probe Request frames (this can be used to
#	    find APs that do not accept broadcast SSID or use multiple SSIDs;
#	    this will add latency to scanning, so enable this only when needed)
#	Note that with scan_ssid=1 the station transmits the SSID in its Probe
#	Request frames wherever it is, which reveals the network name to any
#	passive listener.
#
# bssid: BSSID (optional); if set, this network block is used only when
#	associating with the AP using the configured BSSID
#
# ignore_broadcast_ssid: SSID broadcast behavior
#	Send empty SSID in beacons and ignore probe request frames that do not
#	specify full SSID, i.e., require stations to know SSID.
#	default: disabled (0)
#	1 = send empty (length=0) SSID in beacon and ignore probe request for
#	    broadcast SSID
#	2 = clear SSID (ASCII 0), but keep the original length (this may be
#	    required with some clients that do not support empty SSID) and
#	    ignore probe requests for broadcast SSID
#	Note that this only removes the SSID from Beacon frames; it is still
#	sent in Probe Request/Response and Association frames, so hiding it is
#	not an access control and does not replace proper key management.
#
# priority: priority group (integer)
# By default, all networks will get the same priority group (0). If some of the
# networks are more desirable, this field can be used to change the order in
# which wpa_supplicant goes through the networks when selecting a BSS. The
# priority groups will be iterated in decreasing priority (i.e., the larger the
# priority value, the sooner the network is matched against the scan results).
# Within each priority group, networks will be selected based on security
# policy, signal strength, etc.
# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode do not use
# this priority to select the order for scanning. Instead, they try the
# networks in the order in which they appear in the configuration file.
#
# mode: IEEE 802.11 operation mode
# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
# 1 = IBSS (ad-hoc, peer-to-peer)
# 2 = AP (access point)
# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
# TKIP/CCMP) is available for backwards compatibility, but its use is
# deprecated. WPA-None requires the following network block options:
# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
# both), and psk must also be set.
#
# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
# In addition, this value is only used by the station that creates the IBSS. If
# an IBSS network with the configured SSID is already present, the frequency of
# the network will be used instead of this configured value.
#
# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
# 0 = do not use PBSS
# 1 = use PBSS
# 2 = don't care (not allowed in AP mode)
# Used together with mode configuration. When mode is AP, it means to start a
# PCP instead of a regular AP. When mode is infrastructure it means connect
# to a PCP instead of AP. In this mode you can also specify 2 (don't care)
# which means connect to either PCP or AP.
# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.
# For more details, see IEEE Std 802.11ad-2012.
#
# scan_freq: List of frequencies to scan
# Space-separated list of frequencies in MHz to scan when searching for this
# BSS. If the subset of channels used by the network is known, this option can
# be used to optimize scanning to not occur on channels that the network does
# not use. Example: scan_freq=2412 2437 2462
#
# freq_list: Array of allowed frequencies
# Space-separated list of frequencies in MHz to allow for selecting the BSS. If
# set, scan results that do not match any of the specified frequencies are not
# considered when selecting a BSS.
#
# This can also be set outside of the network block. In this case,
# it limits the frequencies that will be scanned.
#
# bgscan: Background scanning
# wpa_supplicant behavior for background scanning can be specified by
# configuring a bgscan module. These modules are responsible for requesting
# background scans for the purpose of roaming within an ESS (i.e., within a
# single network block with all the APs using the same SSID). The bgscan
# parameter uses the following format: "<bgscan module name>:<module parameters>"
# The following bgscan modules are available:
# simple - Periodic background scans based on signal strength
#	send_btm_query > 0 means do this many BTM queries before attempting a
#	scan.
# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
# <long interval>[:<send_btm_query>]"
# bgscan="simple:30:-45:300"
# bgscan="simple:30:-45:300:3"
# learn - Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
# <long interval>[:<database file name>]"
# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
# Explicitly disable bgscan by setting
# bgscan=""
#
# This option can also be set outside of all network blocks for the bgscan
# parameter to apply for all the networks that have no specific bgscan
# parameter.
#
# proto: list of accepted protocols
# WPA = WPA/IEEE 802.11i/D3.0
# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
# Note that RSN is used also for WPA3.
# If not set, this defaults to: WPA RSN
#
# key_mgmt: list of accepted authenticated key management protocols
# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
# WPA-EAP = WPA using EAP authentication
# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
#	generated WEP keys
# NONE = WPA is not used; plaintext or static WEP could be used
# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
#	instead)
# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
# FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
#	and using SHA384
# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
# SAE = Simultaneous authentication of equals; pre-shared key/password -based
#	authentication with stronger security than WPA-PSK especially when using
#	not that strong password; a.k.a. WPA3-Personal
# FT-SAE = SAE with FT
# WPA-EAP-SUITE-B = Suite B 128-bit level
# WPA-EAP-SUITE-B-192 = Suite B 192-bit level
# OSEN = Hotspot 2.0 Rel 2 online signup connection
# FILS-SHA256 = Fast Initial Link Setup with SHA256
# FILS-SHA384 = Fast Initial Link Setup with SHA384
# FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
# FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
# OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
# DPP = Device Provisioning Protocol
# If not set, this defaults to: WPA-PSK WPA-EAP
#
# ieee80211w: whether management frame protection is enabled
# 0 = disabled (default unless changed with the global pmf parameter)
# 1 = optional
# 2 = required
# The most common configuration options for this based on the PMF (protected
# management frames) certification program are:
# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
# (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
# WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
#
# ocv: whether operating channel validation is enabled
# This is a countermeasure against multi-channel on-path attacks.
# Enabling this automatically also enables ieee80211w, if not yet enabled.
# 0 = disabled (default)
# 1 = enabled if wpa_supplicant's SME is in use. Otherwise enabled only when the
#	driver indicates support for operating channel validation.
#ocv=1
#
# auth_alg: list of allowed IEEE 802.11 authentication algorithms
# OPEN = Open System authentication (required for WPA/WPA2)
# SHARED = Shared Key authentication (requires static WEP keys)
# LEAP = LEAP/Network EAP (only used with LEAP)
# If not set, automatic selection is used (Open System with LEAP enabled if
# LEAP is allowed as one of the EAP methods).
#
# pairwise: list of accepted pairwise (unicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# NONE = Use only Group Keys (deprecated, should not be included if APs support
#	pairwise keys)
# If not set, this defaults to: CCMP TKIP
#
# group: list of accepted group (broadcast/multicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
# If not set, this defaults to: CCMP TKIP WEP104 WEP40
#
# group_mgmt: list of accepted group management ciphers for RSN (PMF)
# AES-128-CMAC = BIP-CMAC-128
# BIP-GMAC-128
# BIP-GMAC-256
# BIP-CMAC-256
# If not set, no constraint on the cipher, i.e., accept whichever cipher the AP
# indicates.
#
# psk: WPA preshared key; 256-bit pre-shared key
# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
# generated using the passphrase and SSID). ASCII passphrase must be between
# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
# be used to indicate that the PSK/passphrase is stored in external storage.
# This field is not needed, if WPA-EAP is used.
# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
# from ASCII passphrase. This process uses a lot of CPU and wpa_supplicant
# startup and reconfiguration time can be optimized by generating the PSK
# only when the passphrase or SSID has actually changed.
#
# mem_only_psk: Whether to keep PSK/passphrase only in memory
# 0 = allow psk/passphrase to be stored to the configuration file
# 1 = do not store psk/passphrase to the configuration file
#mem_only_psk=0
#
# sae_password: SAE password
# This parameter can be used to set a password for SAE. By default, the
# passphrase from the psk parameter is used if this separate parameter is not
# used, but psk follows the WPA-PSK constraints (8..63 characters) even though
# SAE passwords do not have such constraints.
#
# sae_password_id: SAE password identifier
# This parameter can be used to set an identifier for the SAE password. By
# default, no such identifier is used. If set, the specified identifier value
# is used by the other peer to select which password to use for authentication.
#
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
# Dynamic WEP key required for non-WPA mode
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
# (3 = require both keys; default)
# Note: When using wired authentication (including MACsec drivers),
# eapol_flags must be set to 0 for the authentication to be completed
# successfully.
#
# macsec_policy: IEEE 802.1X/MACsec options
# This determines how sessions are secured with MACsec (only for MACsec
# drivers).
# 0: MACsec not in use (default)
# 1: MACsec enabled - Should secure, accept key server's advice to
#	determine whether to use a secure session or not.
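# Added example for the psk and sae_password notes above; it is not code from
# wpa_supplicant or its documentation. It shows how a psk= value is interpreted
# (64 hex digits, a quoted 8..63 character passphrase, or ext:<name>) and how a
# passphrase is expanded into the 256-bit PSK the way wpa_passphrase does it:
# PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations,
# 32-byte output (IEEE 802.11i). Standard library only.

```python
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from an 8..63 character ASCII passphrase.

    The 4096 HMAC-SHA1 iterations are the CPU cost the psk comment refers
    to, and the reason it suggests regenerating the PSK only when the
    passphrase or SSID actually changes.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8..63 characters")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("WPA-PSK passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def parse_psk_option(value: str, ssid: str):
    """Interpret the right-hand side of a psk= line.

    Returns (psk_bytes, source). source is "hex" for a 64-hex-digit raw
    key, "passphrase" for a double-quoted passphrase (derived together with
    the SSID), or "ext" for ext:<name>, where the secret lives in external
    storage and no key material is available from the file itself.
    """
    value = value.strip()
    if value.startswith("ext:"):
        if len(value) == len("ext:"):
            raise ValueError("ext: needs the name of the external PSK field")
        return None, "ext"
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return passphrase_to_psk(value[1:-1], ssid), "passphrase"
    if HEX64.match(value):
        return bytes.fromhex(value), "hex"
    raise ValueError(
        "psk must be 64 hex digits, a double-quoted passphrase, or ext:<name>")


def psk_hex_line(passphrase: str, ssid: str) -> str:
    """The psk= line wpa_passphrase would emit: the derived key as 64 hex
    digits, so the file no longer carries the passphrase and start-up skips
    the PBKDF2 work (SAE, by contrast, uses the password directly)."""
    return "psk=" + passphrase_to_psk(passphrase, ssid).hex()


if __name__ == "__main__":
    # Test vector from IEEE Std 802.11: passphrase "password", SSID "IEEE".
    print(psk_hex_line("password", "IEEE"))
    for raw in ['"password"', "f42c6fc5" * 8, "ext:psk_store"]:
        key, source = parse_psk_option(raw, "IEEE")
        print(source, key.hex() if key else "-")
```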
#
# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
# This setting applies only when MACsec is in use, i.e.,
#  - macsec_policy is enabled
#  - the key server has decided to enable MACsec
# 0: Encrypt traffic (default)
# 1: Integrity only
#
# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
# This setting applies only when MACsec is in use, i.e.,
#  - macsec_policy is enabled
#  - the key server has decided to enable MACsec
# 0: Replay protection disabled (default)
# 1: Replay protection enabled
#
# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
# This determines a window in which replay is tolerated, to allow receipt
# of frames that have been misordered by the network.
# This setting applies only when MACsec replay protection is active, i.e.,
#  - macsec_replay_protect is enabled
#  - the key server has decided to enable MACsec
# 0: No replay window, strict check (default)
# 1..2^32-1: number of packets that could be misordered
#
# macsec_offload - Enable MACsec hardware offload
#
# This setting applies only when MACsec is in use, i.e.,
#  - the key server has decided to enable MACsec
#
# 0 = MACSEC_OFFLOAD_OFF (default)
# 1 = MACSEC_OFFLOAD_PHY
# 2 = MACSEC_OFFLOAD_MAC
#
# macsec_port: IEEE 802.1X/MACsec port
# Port component of the SCI
# Range: 1-65534 (default: 1)
#
# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
# This allows configuring MACsec with a pre-shared key using a (CAK,CKN) pair.
# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
# with lower priority will become the key server and start distributing SAKs.
# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
# (2..64 hex-digits)
# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
# default priority
#
# mixed_cell: This option can be used to configure whether so-called mixed
# cells, i.e., networks that use both plaintext and encryption in the same
# SSID, are allowed when selecting a BSS from scan results.
# 0 = disabled (default)
# 1 = enabled
#
# proactive_key_caching:
# Enable/disable opportunistic PMKSA caching for WPA2.
# 0 = disabled (default unless changed with the global okc parameter)
# 1 = enabled
#
# ft_eap_pmksa_caching:
# Whether FT-EAP PMKSA caching is allowed
# 0 = do not try to use PMKSA caching with FT-EAP (default)
# 1 = try to use PMKSA caching with FT-EAP
# This controls whether to try to use PMKSA caching with FT-EAP for the
# FT initial mobility domain association.
#ft_eap_pmksa_caching=0
#
# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
# hex without quotation, e.g., 0102030405)
# wep_tx_keyidx: Default WEP key index (TX) (0..3)
#
# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
#
# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
# security and stability with some cards.
# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
# EAP reauthentications) with fast reconnects.
#
# Available options:
# 0 = always rekey when configured/instructed (default)
# 1 = only rekey when the local driver is explicitly indicating it can perform
#	this operation without issues
# 2 = never allow problematic PTK0 rekeys
#
# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
# as the dot11RSNAConfigGroupRekeyTime parameter when operating in
# Authenticator role in IBSS, or in AP and mesh modes.
#
# Following fields are only used with internal EAP implementation.
# eap: space-separated list of accepted EAP methods
#	MD5 = EAP-MD5 (insecure and does not generate keying material ->
#		cannot be used with WPA; to be used as a Phase 2 method
#		with EAP-PEAP or EAP-TTLS)
#	MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#	OTP = EAP-OTP (cannot be used separately with WPA; to be used
#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#	GTC = EAP-GTC (cannot be used separately with WPA; to be used
#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#	TLS = EAP-TLS (client and server certificate)
#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
#		authentication)
#	If not set, all compiled in methods are allowed.
#
# identity: Identity string for EAP
#	This field is also used to configure user NAI for
#	EAP-PSK/PAX/SAKE/GPSK.
# anonymous_identity: Anonymous identity string for EAP (to be used as the
#	unencrypted identity with EAP types that support different tunnelled
#	identity, e.g., EAP-TTLS). This field can also be used with
#	EAP-SIM/AKA/AKA' to store the pseudonym identity.
# password: Password string for EAP. This field can include either the
#	plaintext password (using ASCII or hex string) or a NtPasswordHash
#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.
#	NtPasswordHash can only be used when the password is for MSCHAPv2 or
#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
#	PSK) are also configured using this field. For EAP-GPSK, this is a
#	variable length PSK. ext:<name of external password field> format can
#	be used to indicate that the password is stored in external storage.
# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
#	or more trusted CA certificates. If ca_cert and ca_path are not
#	included, server certificate will not be verified. This is insecure and
#	a trusted CA certificate should always be configured when using
#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
#	change when wpa_supplicant is run in the background.
#
#	Alternatively, this can be used to only perform matching of the server
#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In
#	this case, the possible CA certificates in the server certificate chain
#	are ignored and only the server certificate is verified. This is
#	configured with the following format:
#	hash://server/sha256/cert_hash_in_hex
#	For example: "hash://server/sha256/
#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
#
#	On Windows, trusted CA certificates can be loaded from the system
#	certificate store by setting this to cert_store://<name>, e.g.,
#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
#	Note that when running wpa_supplicant as an application, the user
#	certificate store (My user account) is used, whereas computer store
#	(Computer account) is used when running wpasvc as a service.
# ca_path: Directory path for CA certificate files (PEM). This path may
#	contain multiple CA certificates in OpenSSL format. Common use for this
#	is to point to system trusted CA list which is often installed into
#	directory like /etc/ssl/certs. If configured, these certificates are
#	added to the list of trusted CAs. ca_cert may also be included in that
#	case, but it is not required.
# client_cert: File path to client certificate file (PEM/DER)
#	Full path should be used since working directory may change when
#	wpa_supplicant is run in the background.
#	Alternatively, a named configuration blob can be used by setting this
#	to blob://<blob name>.
# private_key: File path to client private key file (PEM/DER/PFX)
#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#	commented out. Both the private key and certificate will be read from
#	the PKCS#12 file in this case. Full path should be used since working
#	directory may change when wpa_supplicant is run in the background.
#	Windows certificate store can be used by leaving client_cert out and
#	configuring private_key in one of the following formats:
#	cert://substring_to_match
#	hash://certificate_thumbprint_in_hex
#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
#	Note that when running wpa_supplicant as an application, the user
#	certificate store (My user account) is used, whereas computer store
#	(Computer account) is used when running wpasvc as a service.
#	Alternatively, a named configuration blob can be used by setting this
#	to blob://<blob name>.
# private_key_passwd: Password for private key file (if left out, this will be
#	asked through control interface)
# subject_match: Substring to be matched against the subject of the
#	authentication server certificate. If this string is set, the server
#	certificate is only accepted if it contains this string in the subject.
#	The subject string is in following format:
#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
#	Note: Since this is a substring match, this cannot be used securely to
#	do a suffix match against a possible domain name in the CN entry. For
#	such a use case, domain_suffix_match or domain_match should be used
#	instead.
# altsubject_match: Semicolon separated string of entries to be matched against
#	the alternative subject name of the authentication server certificate.
#	If this string is set, the server certificate is only accepted if it
#	contains one of the entries in an alternative subject name extension.
#	altSubjectName string is in following format: TYPE:VALUE
#	Example: EMAIL:server@example.com
#	Example: DNS:server.example.com;DNS:server2.example.com
#	Following types are supported: EMAIL, DNS, URI
# domain_suffix_match: Constraint for server domain name. If set, this FQDN is
#	used as a suffix match requirement for the AAA server certificate in
#	SubjectAltName dNSName element(s). If a matching dNSName is found, this
#	constraint is met. If no dNSName values are present, this constraint is
#	matched against SubjectName CN using same suffix match comparison.
#
#	Suffix match here means that the host/domain name is compared one label
#	at a time starting from the top-level domain and all the labels in
#	domain_suffix_match shall be included in the certificate. The
#	certificate may include additional sub-level labels in addition to the
#	required labels.
#
#	More than one match string can be provided by using semicolons to
#	separate the strings (e.g., example.org;example.com). When multiple
#	strings are specified, a match with any one of the values is considered
#	a sufficient match for the certificate, i.e., the conditions are ORed
#	together.
#
#	For example, domain_suffix_match=example.com would match
#	test.example.com but would not match test-example.com.
# domain_match: Constraint for server domain name
#	If set, this FQDN is used as a full match requirement for the
#	server certificate in SubjectAltName dNSName element(s). If a
#	matching dNSName is found, this constraint is met. If no dNSName
#	values are present, this constraint is matched against SubjectName CN
#	using same full match comparison. This behavior is similar to
#	domain_suffix_match, but has the requirement of a full match, i.e.,
#	no subdomains or wildcard matches are allowed. Case-insensitive
#	comparison is used, so "Example.com" matches "example.com", but would
#	not match "test.Example.com".
#
#	More than one match string can be provided by using semicolons to
#	separate the strings (e.g., example.org;example.com). When multiple
#	strings are specified, a match with any one of the values is considered
#	a sufficient match for the certificate, i.e., the conditions are ORed
#	together.
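# Added example covering the ca_cert=hash://server/sha256/<hex> form described
# above and the domain_suffix_match / domain_match rules just described; it is
# not code from wpa_supplicant. It applies the three checks to a constructed
# certificate record: the DER bytes, SubjectAltName dNSName list and Subject CN
# are supplied by hand here, where a real check would take them from the TLS
# library.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class ServerCert:
    der: bytes                           # bytes that hash://server/sha256/ is computed over
    dns_names: List[str] = field(default_factory=list)  # SubjectAltName dNSName entries
    subject_cn: Optional[str] = None     # SubjectName CN, consulted only without dNSName


HASH_PREFIX = "hash://server/sha256/"


def check_cert_hash(ca_cert_value: str, cert: ServerCert) -> bool:
    """Pin the server certificate itself; in this mode the CA chain is ignored."""
    if not ca_cert_value.startswith(HASH_PREFIX):
        raise ValueError("not a hash://server/sha256/ value")
    expected = ca_cert_value[len(HASH_PREFIX):].lower()
    if len(expected) != 64 or expected.strip("0123456789abcdef"):
        raise ValueError("certificate hash must be 64 hex digits")
    actual = hashlib.sha256(cert.der).hexdigest()
    return hmac.compare_digest(actual, expected)


def _labels(name: str) -> List[str]:
    # Case-insensitive, ignore a trailing dot, compare label by label.
    return name.lower().rstrip(".").split(".")


def suffix_match(name: str, pattern: str) -> bool:
    """domain_suffix_match semantics: from the top-level domain down, every
    label of pattern must be present; extra sub-level labels in name are fine.
    example.com matches test.example.com but not test-example.com."""
    n, p = _labels(name), _labels(pattern)
    return len(n) >= len(p) and n[-len(p):] == p


def full_match(name: str, pattern: str) -> bool:
    """domain_match semantics: whole name, case-insensitive, no subdomains."""
    return _labels(name) == _labels(pattern)


def _names_to_check(cert: ServerCert) -> List[str]:
    # dNSName entries take precedence; CN is a fallback only when none exist.
    if cert.dns_names:
        return cert.dns_names
    return [cert.subject_cn] if cert.subject_cn else []


def domain_constraint_ok(value: str, cert: ServerCert,
                         matcher: Callable[[str, str], bool]) -> bool:
    """Apply domain_suffix_match (matcher=suffix_match) or domain_match
    (matcher=full_match). Semicolon-separated alternatives are ORed; an
    empty value imposes no constraint."""
    patterns = [p.strip() for p in value.split(";") if p.strip()]
    if not patterns:
        return True
    return any(matcher(n, p) for n in _names_to_check(cert) for p in patterns)


# Constructed sample: the DER bytes are a placeholder, not a real certificate.
SAMPLE_CERT = ServerCert(der=b"constructed placeholder, not real DER",
                         dns_names=["radius1.example.com", "radius2.example.org"],
                         subject_cn="Test AS")
SAMPLE_PIN = HASH_PREFIX + hashlib.sha256(SAMPLE_CERT.der).hexdigest()


def evaluate(cert: ServerCert, ca_cert: str, suffix: str, full: str) -> dict:
    """Run all three checks the way a network block would configure them."""
    return {
        "ca_cert": check_cert_hash(ca_cert, cert),
        "domain_suffix_match": domain_constraint_ok(suffix, cert, suffix_match),
        "domain_match": domain_constraint_ok(full, cert, full_match),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, SAMPLE_PIN, "example.com", "RADIUS1.Example.com"))
    print(evaluate(SAMPLE_CERT, SAMPLE_PIN, "test-example.com", "example.com"))
```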
# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
#	(string with field-value pairs, e.g., "peapver=0" or
#	"peapver=1 peaplabel=1")
#	'peapver' can be used to force which PEAP version (0 or 1) is used.
#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
#	to be used during key derivation when PEAPv1 or newer. Most existing
#	PEAPv1 implementations seem to be using the old label, "client EAP
#	encryption", and wpa_supplicant is now using that as the default value.
#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
#	interoperate with PEAPv1; see eap_testing.txt for more details.
#	'peap_outer_success=0' can be used to terminate PEAP authentication on
#	tunneled EAP-Success. This is required with some RADIUS servers that
#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
#	include_tls_length=1 can be used to force wpa_supplicant to include
#	TLS Message Length field in all TLS messages even if they are not
#	fragmented.
#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
#	challenges (by default, it accepts 2 or 3)
#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
#	protected result indication.
#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
#	behavior:
#	 * 0 = do not use cryptobinding (default)
#	 * 1 = use cryptobinding if server supports it
#	 * 2 = require cryptobinding
#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
#	tunnel) behavior for PEAP:
#	 * 0 = do not require Phase 2 authentication
#	 * 1 = require Phase 2 authentication when client certificate
#	   (private_key/client_cert) is not used and TLS session resumption was
#	   not used (default)
#	 * 2 = require Phase 2 authentication in all cases
#	EAP-WSC (WPS) uses following options: pin=<Device Password> or
#	pbc=1.
#
#	For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
#	used to configure a mode that allows EAP-Success (and EAP-Failure)
#	without going through authentication step. Some switches use such
#	sequence when forcing the port to be authorized/unauthorized or as a
#	fallback option if the authentication server is unreachable. By default,
#	wpa_supplicant discards such frames to protect against potential attacks
#	by rogue devices, but this option can be used to disable that protection
#	for cases where the server/authenticator does not need to be
#	authenticated.
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
#	used to disable MSCHAPv2 password retry in authentication failure cases.
#
# TLS-based methods can use the following parameters to control TLS behavior
# (these are normally in the phase1 parameter, but can be used also in the
# phase2 parameter when EAP-TLS is used within the inner tunnel):
# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
#	TLS library, these may be disabled by default to enforce stronger
#	security)
# tls_disable_time_checks=1 - ignore certificate validity time (this requests
#	the TLS library to accept certificates even if they are not currently
#	valid, i.e., have expired or have not yet become valid; this should be
#	used only for testing purposes)
# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
#	as a workaround for broken authentication server implementations unless
#	EAP workarounds are disabled with eap_workaround=0.
#	For EAP-FAST, this must be set to 0 (or left unconfigured for the
#	default value to be used automatically).
1421325151a3SRui Paulo# tls_disable_tlsv1_0=1 - disable use of TLSv1.0 14224bc52338SCy Schubert# tls_disable_tlsv1_0=0 - explicitly enable use of TLSv1.0 (this allows 14234bc52338SCy Schubert# systemwide TLS policies to be overridden) 14245b9c547cSRui Paulo# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers 14255b9c547cSRui Paulo# that have issues interoperating with updated TLS version) 14264bc52338SCy Schubert# tls_disable_tlsv1_1=0 - explicitly enable use of TLSv1.1 (this allows 14274bc52338SCy Schubert# systemwide TLS policies to be overridden) 14285b9c547cSRui Paulo# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers 14295b9c547cSRui Paulo# that have issues interoperating with updated TLS version) 14304bc52338SCy Schubert# tls_disable_tlsv1_2=0 - explicitly enable use of TLSv1.2 (this allows 14314bc52338SCy Schubert# systemwide TLS policies to be overridden) 143285732ac8SCy Schubert# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers 143385732ac8SCy Schubert# that have issues interoperating with updated TLS version) 14344bc52338SCy Schubert# tls_disable_tlsv1_3=0 - enable TLSv1.3 (experimental - disabled by default) 1435780fb4a2SCy Schubert# tls_ext_cert_check=0 - No external server certificate validation (default) 1436780fb4a2SCy Schubert# tls_ext_cert_check=1 - External server certificate validation enabled; this 1437780fb4a2SCy Schubert# requires an external program doing validation of server certificate 1438780fb4a2SCy Schubert# chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control 1439780fb4a2SCy Schubert# interface and report the result of the validation with 1440780fb4a2SCy Schubert# CTRL-RSP_EXT_CERT_CHECK. 
144185732ac8SCy Schubert# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default) 144285732ac8SCy Schubert# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in 144385732ac8SCy Schubert# particular when using Suite B with RSA keys of >= 3K (3072) bits 1444*a90b9d01SCy Schubert# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does 1445*a90b9d01SCy Schubert# not support safe renegotiation (RFC 5746); please note that this 1446*a90b9d01SCy Schubert# workaround should be only when having to authenticate with an old 1447*a90b9d01SCy Schubert# authentication server that cannot be updated to use secure TLS 1448*a90b9d01SCy Schubert# implementation. 1449f05cddf9SRui Paulo# 145039beb93cSSam Leffler# Following certificate/private key fields are used in inner Phase2 145139beb93cSSam Leffler# authentication when using EAP-TTLS or EAP-PEAP. 145239beb93cSSam Leffler# ca_cert2: File path to CA certificate file. This file can have one or more 145339beb93cSSam Leffler# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 145439beb93cSSam Leffler# server certificate will not be verified. This is insecure and a trusted 145539beb93cSSam Leffler# CA certificate should always be configured. 145639beb93cSSam Leffler# ca_path2: Directory path for CA certificate files (PEM) 145739beb93cSSam Leffler# client_cert2: File path to client certificate file 145839beb93cSSam Leffler# private_key2: File path to client private key file 145939beb93cSSam Leffler# private_key2_passwd: Password for private key file 146039beb93cSSam Leffler# dh_file2: File path to DH/DSA parameters file (in PEM format) 146139beb93cSSam Leffler# subject_match2: Substring to be matched against the subject of the 14625b9c547cSRui Paulo# authentication server certificate. See subject_match for more details. 
14635b9c547cSRui Paulo# altsubject_match2: Semicolon separated string of entries to be matched 14645b9c547cSRui Paulo# against the alternative subject name of the authentication server 14655b9c547cSRui Paulo# certificate. See altsubject_match documentation for more details. 14665b9c547cSRui Paulo# domain_suffix_match2: Constraint for server domain name. See 14675b9c547cSRui Paulo# domain_suffix_match for more details. 1468c1d255d3SCy Schubert# ocsp2: See ocsp for more details. 1469c1d255d3SCy Schubert# 1470c1d255d3SCy Schubert# Separate machine credentials can be configured for EAP-TEAP Phase 2 with 1471c1d255d3SCy Schubert# "machine_" prefix (e.g., "machine_identity") in the configuration parameters. 1472c1d255d3SCy Schubert# See the parameters without that prefix for more details on the meaning and 1473c1d255d3SCy Schubert# format of each such parameter. 147439beb93cSSam Leffler# 147539beb93cSSam Leffler# fragment_size: Maximum EAP fragment size in bytes (default 1398). 147639beb93cSSam Leffler# This value limits the fragment size for EAP methods that support 147739beb93cSSam Leffler# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 147839beb93cSSam Leffler# small enough to make the EAP messages fit in MTU of the network 147939beb93cSSam Leffler# interface used for EAPOL. The default value is suitable for most 148039beb93cSSam Leffler# cases. 
148139beb93cSSam Leffler# 14825b9c547cSRui Paulo# ocsp: Whether to use/require OCSP to check server certificate 14835b9c547cSRui Paulo# 0 = do not use OCSP stapling (TLS certificate status extension) 14845b9c547cSRui Paulo# 1 = try to use OCSP stapling, but not require response 14855b9c547cSRui Paulo# 2 = require valid OCSP stapling response 1486780fb4a2SCy Schubert# 3 = require valid OCSP stapling response for all not-trusted 1487780fb4a2SCy Schubert# certificates in the server certificate chain 14885b9c547cSRui Paulo# 14895b9c547cSRui Paulo# openssl_ciphers: OpenSSL specific cipher configuration 14905b9c547cSRui Paulo# This can be used to override the global openssl_ciphers configuration 14915b9c547cSRui Paulo# parameter (see above). 14925b9c547cSRui Paulo# 14935b9c547cSRui Paulo# erp: Whether EAP Re-authentication Protocol (ERP) is enabled 14945b9c547cSRui Paulo# 149539beb93cSSam Leffler# EAP-FAST variables: 149639beb93cSSam Leffler# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 149739beb93cSSam Leffler# to create this file and write updates to it when PAC is being 149839beb93cSSam Leffler# provisioned or refreshed. Full path to the file should be used since 149939beb93cSSam Leffler# working directory may change when wpa_supplicant is run in the 150039beb93cSSam Leffler# background. 
Alternatively, a named configuration blob can be used by 150139beb93cSSam Leffler# setting this to blob://<blob name> 150239beb93cSSam Leffler# phase1: fast_provisioning option can be used to enable in-line provisioning 150339beb93cSSam Leffler# of EAP-FAST credentials (PAC): 150439beb93cSSam Leffler# 0 = disabled, 150539beb93cSSam Leffler# 1 = allow unauthenticated provisioning, 150639beb93cSSam Leffler# 2 = allow authenticated provisioning, 150739beb93cSSam Leffler# 3 = allow both unauthenticated and authenticated provisioning 150839beb93cSSam Leffler# fast_max_pac_list_len=<num> option can be used to set the maximum 150939beb93cSSam Leffler# number of PAC entries to store in a PAC list (default: 10) 151039beb93cSSam Leffler# fast_pac_format=binary option can be used to select binary format for 151139beb93cSSam Leffler# storing PAC entries in order to save some space (the default 151239beb93cSSam Leffler# text format uses about 2.5 times the size of minimal binary 151339beb93cSSam Leffler# format) 151439beb93cSSam Leffler# 151539beb93cSSam Leffler# wpa_supplicant supports number of "EAP workarounds" to work around 151639beb93cSSam Leffler# interoperability issues with incorrectly behaving authentication servers. 151739beb93cSSam Leffler# These are enabled by default because some of the issues are present in large 151839beb93cSSam Leffler# number of authentication servers. Strict EAP conformance mode can be 151939beb93cSSam Leffler# configured by disabling workarounds with eap_workaround=0. 152039beb93cSSam Leffler 1521780fb4a2SCy Schubert# update_identifier: PPS MO ID 1522780fb4a2SCy Schubert# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 152385732ac8SCy Schubert# 152485732ac8SCy Schubert# roaming_consortium_selection: Roaming Consortium Selection 152585732ac8SCy Schubert# The matching Roaming Consortium OI that was used to generate this 152685732ac8SCy Schubert# network profile. 
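# The following is an added example and not part of wpa_supplicant: a Python
# audit that parses network blocks and flags the settings documented above as
# insecure or testing-only (missing ca_cert/ca_cert2, no server name constraint,
# ocsp below 2, PEAP without crypto_binding=2, tls_disable_time_checks=1,
# allow_unsafe_renegotiation=1, WEP/TKIP group ciphers). Its two network blocks
# are constructed for the demonstration.

```python
"""Audit wpa_supplicant network blocks for the EAP/TLS settings this file
documents as insecure or testing-only.  Added example, not part of wpa_supplicant;
the sample configuration and finding texts are constructed for this demonstration."""
from typing import Dict, List, Tuple

# Constructed sample: a profile using the protections described above, and one
# that leans on the workarounds the documentation warns about.
SAMPLE_CONF = """
network={
    ssid="corp-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    ca_cert="/etc/cert/ca.pem"
    domain_suffix_match="radius.example.com"
    ocsp=2
    phase1="peaplabel=0 crypto_binding=2 phase2_auth=2 tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1"
    phase2="auth=MSCHAPV2 mschapv2_retry=0"
}

network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"
    group=CCMP TKIP WEP104
    phase1="tls_disable_time_checks=1 allow_unsafe_renegotiation=1"
    phase2="autheap=TLS"
    client_cert2="/etc/cert/user.pem"
    private_key2="/etc/cert/user.prv"
}
"""

# phase1/phase2 flags whose value 1 switches off a TLS protection (see above).
WORKAROUNDS = {
    "tls_disable_time_checks": "certificate validity period ignored (testing only)",
    "tls_allow_md5": "MD5-signed certificates accepted",
    "allow_unsafe_renegotiation": "server without RFC 5746 secure renegotiation accepted",
    "tls_disable_tlsv1_2": "TLSv1.2 disabled",
}


def parse_networks(text: str) -> List[Dict[str, str]]:
    """One dict per network={...} block; quotes stripped, comments and globals ignored."""
    networks: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def parse_phase(value: str) -> Dict[str, str]:
    """Split a phase1/phase2 string ("field=value ...") into a dict; a repeated field keeps its last value."""
    return dict(item.split("=", 1) for item in value.split() if "=" in item)


def audit_network(net: Dict[str, str]) -> List[str]:
    """Return findings for one network block, in a fixed order."""
    findings: List[str] = []
    key_mgmt = net.get("key_mgmt", "").split()
    uses_eap = "eap" in net or any(k in ("WPA-EAP", "IEEE8021X") for k in key_mgmt)
    phase1 = parse_phase(net.get("phase1", ""))
    phase2 = parse_phase(net.get("phase2", ""))
    if uses_eap:
        if "ca_cert" not in net and "ca_path" not in net:
            findings.append("no ca_cert/ca_path: server certificate is not verified")
        if not any(k in net for k in ("domain_suffix_match", "subject_match", "altsubject_match")):
            findings.append("no server name constraint (domain_suffix_match/subject_match/altsubject_match)")
        if net.get("ocsp", "0") not in ("2", "3"):
            findings.append("ocsp below 2: a valid OCSP stapling response is not required")
        if net.get("eap") == "PEAP" and phase1.get("crypto_binding", "0") != "2":
            findings.append("PEAP without crypto_binding=2: cryptobinding not required")
        if phase2.get("autheap") == "TLS" and "ca_cert2" not in net and "ca_path2" not in net:
            findings.append("inner EAP-TLS without ca_cert2/ca_path2: inner server certificate is not verified")
    tls_opts = {**phase1, **phase2}  # TLS workarounds may sit in either phase string
    for opt, reason in WORKAROUNDS.items():
        if tls_opts.get(opt) == "1":
            findings.append(f"{opt}=1: {reason}")
    weak = [c for c in net.get("group", "").split() if c.startswith("WEP") or c == "TKIP"]
    if weak or any(k.startswith("wep_key") for k in net):
        findings.append("WEP/TKIP allowed: ciphers Transition Disable expects stations to drop")
    return findings


def audit_config(text: str) -> List[Tuple[str, List[str]]]:
    """Audit every network block; results are (ssid, findings) in file order."""
    return [(net.get("ssid", "<no ssid>"), audit_network(net)) for net in parse_networks(text)]


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF):
        print(ssid + ":", "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```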

# Station inactivity limit
#
# If a station does not send anything in ap_max_inactivity seconds, an
# empty data frame is sent to it in order to verify whether it is
# still in range. If this frame is not ACKed, the station will be
# disassociated and then deauthenticated. This feature is used to
# clear station table of old entries when the STAs move out of the
# range.
#
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300

# DTIM period in Beacon intervals for AP mode (default: 2)
#dtim_period=2

# Beacon interval (default: 100 TU)
#beacon_int=100

# WPS in AP mode
# 0 = WPS enabled and configured (default)
# 1 = WPS disabled
#wps_disabled=0

# FILS DH Group
# 0 = PFS disabled with FILS shared key authentication (default)
# 1-65535 = DH Group to use for FILS PFS
#fils_dh_group=0

# DPP PFS
# 0: allow PFS to be used or not used (default)
# 1: require PFS to be used (note: not compatible with DPP R1)
# 2: do not allow PFS to be used
#dpp_pfs=0

# DPP Network introduction type
# 0: unprotected variant from DPP R1 (default)
# 1: privacy protecting (station Connector encrypted) variant from
#    DPP R3
#dpp_connector_privacy=0

# Whether beacon protection is enabled
# This depends on management frame protection (ieee80211w) being enabled and
# beacon protection support indication from the driver.
# 0 = disabled (default)
# 1 = enabled
#beacon_prot=0

# OWE DH Group
# 0: use default (19) first and then try all supported groups one by one if AP
#    rejects the selected group
# 1-65535: DH Group to use for OWE
# Groups 19 (NIST P-256), 20 (NIST P-384), and 21 (NIST P-521) are
# currently supported.
#owe_group=0

# OWE-only mode (disable transition mode)
# 0: enable transition mode (allow connection to either OWE or open BSS)
# 1: disable transition mode (allow connection only with OWE)
#owe_only=0

# OWE PTK derivation workaround
# Initial OWE implementation used SHA256 when deriving the PTK for all
# OWE groups. This was supposed to change to SHA384 for group 20 and
# SHA512 for group 21. This parameter can be used to enable older
# behavior mainly for testing purposes. There is no impact to group 19
# behavior, but if enabled, this will make group 20 and 21 cases use
# SHA256-based PTK derivation which will not work with the updated
# OWE implementation on the AP side.
#owe_ptk_workaround=0

# Transition Disable indication
# The AP can notify authenticated stations to disable transition mode
# in their network profiles when the network has completed transition
# steps, i.e., once a sufficiently large number of APs in the ESS have
# been updated to support the more secure alternative. When this
# indication is used, the stations are expected to automatically
# disable transition mode and less secure security options. This
# includes use of WEP, TKIP (including use of TKIP as the group
# cipher), and connections without PMF.
# Bitmap bits:
# bit 0 (0x01): WPA3-Personal (i.e., disable WPA2-Personal = WPA-PSK
#	and only allow SAE to be used)
# bit 1 (0x02): SAE-PK (disable SAE without use of SAE-PK)
# bit 2 (0x04): WPA3-Enterprise (move to requiring PMF)
# bit 3 (0x08): Enhanced Open (disable use of open network; require
#	OWE)

# SAE-PK mode
# 0: automatic SAE/SAE-PK selection based on password; enable
#    transition mode (allow SAE authentication without SAE-PK)
# 1: SAE-PK only (disable transition mode; allow SAE authentication
#    only with SAE-PK)
# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
#sae_pk=0

# MAC address policy
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
#mac_addr=0

# disable_ht: Whether HT (802.11n) should be disabled.
# 0 = HT enabled (if AP supports it)
# 1 = HT disabled
#
# disable_ht40: Whether HT-40 (802.11n) should be disabled.
# 0 = HT-40 enabled (if AP supports it)
# 1 = HT-40 disabled
#
# disable_sgi: Whether SGI (short guard interval) should be disabled.
# 0 = SGI enabled (if AP supports it)
# 1 = SGI disabled
#
# disable_ldpc: Whether LDPC should be disabled.
# 0 = LDPC enabled (if AP supports it)
# 1 = LDPC disabled
#
# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
# 0 = 40 MHz tolerant (default)
# 1 = 40 MHz intolerant
#
# ht_mcs: Configure allowed MCS rates.
#  Parsed as an array of bytes, in base-16 (ascii-hex)
# ht_mcs=""                                  // Use all available (default)
# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "  // Use MCS 0-7 only
# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "  // Use MCS 0-15 only
#
# disable_max_amsdu: Whether MAX_AMSDU should be disabled.
# -1 = Do not make any changes.
# 0  = Enable MAX-AMSDU if hardware supports it.
# 1  = Disable AMSDU
#
# ampdu_factor: Maximum A-MPDU Length Exponent
# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
#
# ampdu_density: Allow overriding AMPDU density configuration.
#  Treated as hint by the kernel.
# -1 = Do not make any changes.
# 0-3 = Set AMPDU density (aka factor) to specified value.
#
# tx_stbc: Allow overriding STBC support for TX streams
# Value: 0-1, see IEEE Std 802.11-2016, 9.4.2.56.2.
# -1 = Do not make any changes (default)
# 0 = Set if not supported
# 1 = Set if supported
#
# rx_stbc: Allow overriding STBC support for RX streams
# Value: 0-3, see IEEE Std 802.11-2016, 9.4.2.56.2.
# -1 = Do not make any changes (default)
# 0 = Set if not supported
# 1 = Set for support of one spatial stream
# 2 = Set for support of one and two spatial streams
# 3 = Set for support of one, two and three spatial streams

# disable_vht: Whether VHT should be disabled.
# 0 = VHT enabled (if AP supports it)
# 1 = VHT disabled
#
# vht_capa: VHT capabilities to set in the override
# vht_capa_mask: mask of VHT capabilities
#
# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
#  0: MCS 0-7
#  1: MCS 0-8
#  2: MCS 0-9
#  3: not supported

# disable_eht: Whether EHT should be disabled.
# 0 = EHT enabled (if supported) (default)
# 1 = EHT disabled

# multi_ap_backhaul_sta: Multi-AP backhaul STA functionality
# 0 = normal STA (default)
# 1 = backhaul STA
# A backhaul STA sends the Multi-AP IE, fails to associate if the AP does not
# support Multi-AP, and sets 4-address mode if it does. Thus, the netdev can be
# added to a bridge to allow forwarding frames over this backhaul link.

# Multi-AP Profile
# Indicate the supported Multi-AP profile
# 1 = Supports Multi-AP profile 1 as defined in Wi-Fi EasyMesh specification
# 2 = Supports Multi-AP profile 2 as defined in Wi-Fi EasyMesh specification
#multi_ap_profile=2

##### Fast Session Transfer (FST) support #####################################
#
# The options in this section are only available when the build configuration
# option CONFIG_FST is set while compiling wpa_supplicant. They allow this
# interface to be a part of FST setup.
#
# FST is the transfer of a session from a channel to another channel, in the
# same or different frequency bands.
#
# For details, see IEEE Std 802.11ad-2012.

# Identifier of an FST Group the interface belongs to.
#fst_group_id=bond0

# Interface priority within the FST Group.
# Announcing a higher priority for an interface means declaring it more
# preferable for FST switch.
# fst_priority is in 1..255 range with 1 being the lowest priority.
#fst_priority=100

# Default LLT value for this interface in milliseconds. The value used in case
# no value is provided during session setup. Default is 50 msec.
# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
# Transitioning between states).
#fst_llt=100

# BSS Transition Management
# disable_btm - Disable BSS transition management in STA
# Set to 0 to enable BSS transition management (default behavior)
# Set to 1 to disable BSS transition management
#disable_btm=0

# Enable EDMG capability in STA/AP mode, default value is false
#enable_edmg=1

# This value is used to configure the channel bonding feature.
# Default value is 0.
# Relevant only if enable_edmg is true
# In AP mode it defines the EDMG channel to use for AP operation.
# In STA mode it defines the EDMG channel for connection (if supported by AP).
#edmg_channel=9

# BSS max idle period to request
# If nonzero, request the specified number of 1000 TU (i.e., 1.024 s)
# as the maximum idle period for the STA during association.
#max_idle=600

# Example blocks:

# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
network={
	ssid="simple"
	psk="very secret passphrase"
	priority=5
}

# Same as previous, but request SSID-specific scanning (for APs that reject
# broadcast SSID)
network={
	ssid="second ssid"
	scan_ssid=1
	psk="very secret passphrase"
	priority=2
}

# Only WPA-PSK is used. Any valid cipher combination is accepted.
network={
	ssid="example"
	proto=WPA
	key_mgmt=WPA-PSK
	pairwise=CCMP TKIP
	group=CCMP TKIP WEP104 WEP40
	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
	priority=2
}

# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
network={
	ssid="example"
	proto=WPA
	key_mgmt=WPA-PSK
	pairwise=TKIP
	group=TKIP
	psk="not so secure passphrase"
	wpa_ptk_rekey=600
}

# Only WPA-EAP is used. Both CCMP and TKIP are accepted. An AP that used WEP104
# or WEP40 as the group cipher will not be accepted.
network={
	ssid="example"
	proto=RSN
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	priority=1
}

# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
# (e.g., Radiator)
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase1="peaplabel=1"
	phase2="auth=MSCHAPV2"
	priority=10
}

# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	priority=2
}

# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
# use. Real identity is sent only within an encrypted TLS tunnel.
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase2="auth=MSCHAPV2"
}

# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
# authentication.
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	# Phase1 / outer authentication
	anonymous_identity="anonymous@example.com"
	ca_cert="/etc/cert/ca.pem"
	# Phase 2 / inner authentication
	phase2="autheap=TLS"
	ca_cert2="/etc/cert/ca2.pem"
	client_cert2="/etc/cer/user.pem"
	private_key2="/etc/cer/user.prv"
	private_key2_passwd="password"
	priority=2
}

# Both WPA-PSK and WPA-EAP are accepted. Only CCMP is accepted as pairwise and
# group cipher.
network={
	ssid="example"
	bssid=00:11:22:33:44:55
	proto=WPA RSN
	key_mgmt=WPA-PSK WPA-EAP
	pairwise=CCMP
	group=CCMP
	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
}

# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
# and all valid ciphers.
network={
	ssid=00010203
	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
}


# EAP-SIM with a GSM SIM or USIM
network={
	ssid="eap-sim-test"
	key_mgmt=WPA-EAP
	eap=SIM
	pin="1234"
	pcsc=""
}


# EAP-PSK
network={
	ssid="eap-psk-test"
	key_mgmt=WPA-EAP
	eap=PSK
	anonymous_identity="eap_psk_user"
	password=06b4be19da289f475aa46a33cb793029
	identity="eap_psk_user@example.com"
}


# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
# EAP-TLS for authentication and key generation; require both unicast and
# broadcast WEP keys.
network={
	ssid="1x-test"
	key_mgmt=IEEE8021X
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	eapol_flags=3
}


# LEAP with dynamic WEP keys
network={
	ssid="leap-example"
	key_mgmt=IEEE8021X
	eap=LEAP
	identity="user"
	password="foobar"
}

# EAP-IKEv2 using shared secrets for both server and peer authentication
network={
	ssid="ikev2-example"
	key_mgmt=WPA-EAP
	eap=IKEV2
	identity="user"
	password="foobar"
}

# EAP-FAST with WPA (WPA or WPA2)
network={
	ssid="eap-fast-test"
	key_mgmt=WPA-EAP
	eap=FAST
	anonymous_identity="FAST-000102030405"
	identity="username"
	password="password"
	phase1="fast_provisioning=1"
	pac_file="/etc/wpa_supplicant.eap-fast-pac"
}

network={
	ssid="eap-fast-test"
	key_mgmt=WPA-EAP
	eap=FAST
	anonymous_identity="FAST-000102030405"
	identity="username"
	password="password"
	phase1="fast_provisioning=1"
	pac_file="blob://eap-fast-pac"
}

# Plaintext connection (no WPA, no IEEE 802.1X)
network={
	ssid="plaintext-test"
	key_mgmt=NONE
}


# Shared WEP key connection (no WPA, no IEEE 802.1X)
network={
	ssid="static-wep-test"
	key_mgmt=NONE
	wep_key0="abcde"
	wep_key1=0102030405
	wep_key2="1234567890123"
	wep_tx_keyidx=0
	priority=5
}


# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
# IEEE 802.11 authentication
network={
	ssid="static-wep-test2"
	key_mgmt=NONE
	wep_key0="abcde"
	wep_key1=0102030405
	wep_key2="1234567890123"
	wep_tx_keyidx=0
	priority=5
	auth_alg=SHARED
}


# IBSS/ad-hoc network with RSN
network={
	ssid="ibss-rsn"
	key_mgmt=WPA-PSK
	proto=RSN
	psk="12345678"
	mode=1
	frequency=2412
	pairwise=CCMP
20205b9c547cSRui Paulo group=CCMP 20215b9c547cSRui Paulo} 20225b9c547cSRui Paulo 20235b9c547cSRui Paulo# IBSS/ad-hoc network with WPA-None/TKIP (deprecated) 202439beb93cSSam Lefflernetwork={ 202539beb93cSSam Leffler ssid="test adhoc" 202639beb93cSSam Leffler mode=1 202739beb93cSSam Leffler frequency=2412 202839beb93cSSam Leffler proto=WPA 202939beb93cSSam Leffler key_mgmt=WPA-NONE 203039beb93cSSam Leffler pairwise=NONE 203139beb93cSSam Leffler group=TKIP 203239beb93cSSam Leffler psk="secret passphrase" 203339beb93cSSam Leffler} 203439beb93cSSam Leffler 20355b9c547cSRui Paulo# open mesh network 20365b9c547cSRui Paulonetwork={ 20375b9c547cSRui Paulo ssid="test mesh" 20385b9c547cSRui Paulo mode=5 20395b9c547cSRui Paulo frequency=2437 20405b9c547cSRui Paulo key_mgmt=NONE 20415b9c547cSRui Paulo} 20425b9c547cSRui Paulo 20435b9c547cSRui Paulo# secure (SAE + AMPE) network 20445b9c547cSRui Paulonetwork={ 20455b9c547cSRui Paulo ssid="secure mesh" 20465b9c547cSRui Paulo mode=5 20475b9c547cSRui Paulo frequency=2437 20485b9c547cSRui Paulo key_mgmt=SAE 20495b9c547cSRui Paulo psk="very secret passphrase" 20505b9c547cSRui Paulo} 20515b9c547cSRui Paulo 205239beb93cSSam Leffler 205339beb93cSSam Leffler# Catch all example that allows more or less all configuration modes 205439beb93cSSam Lefflernetwork={ 205539beb93cSSam Leffler ssid="example" 205639beb93cSSam Leffler scan_ssid=1 205739beb93cSSam Leffler key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 205839beb93cSSam Leffler pairwise=CCMP TKIP 205939beb93cSSam Leffler group=CCMP TKIP WEP104 WEP40 206039beb93cSSam Leffler psk="very secret passphrase" 206139beb93cSSam Leffler eap=TTLS PEAP TLS 206239beb93cSSam Leffler identity="user@example.com" 206339beb93cSSam Leffler password="foobar" 206439beb93cSSam Leffler ca_cert="/etc/cert/ca.pem" 206539beb93cSSam Leffler client_cert="/etc/cert/user.pem" 206639beb93cSSam Leffler private_key="/etc/cert/user.prv" 206739beb93cSSam Leffler private_key_passwd="password" 206839beb93cSSam Leffler 
phase1="peaplabel=0" 206939beb93cSSam Leffler} 207039beb93cSSam Leffler 207139beb93cSSam Leffler# Example of EAP-TLS with smartcard (openssl engine) 207239beb93cSSam Lefflernetwork={ 207339beb93cSSam Leffler ssid="example" 207439beb93cSSam Leffler key_mgmt=WPA-EAP 207539beb93cSSam Leffler eap=TLS 207639beb93cSSam Leffler proto=RSN 207739beb93cSSam Leffler pairwise=CCMP TKIP 207839beb93cSSam Leffler group=CCMP TKIP 207939beb93cSSam Leffler identity="user@example.com" 208039beb93cSSam Leffler ca_cert="/etc/cert/ca.pem" 208139beb93cSSam Leffler 2082780fb4a2SCy Schubert # Certificate and/or key identified by PKCS#11 URI (RFC7512) 2083780fb4a2SCy Schubert client_cert="pkcs11:manufacturer=piv_II;id=%01" 2084780fb4a2SCy Schubert private_key="pkcs11:manufacturer=piv_II;id=%01" 208539beb93cSSam Leffler 208639beb93cSSam Leffler # Optional PIN configuration; this can be left out and PIN will be 208739beb93cSSam Leffler # asked through the control interface 208839beb93cSSam Leffler pin="1234" 208939beb93cSSam Leffler} 209039beb93cSSam Leffler 209139beb93cSSam Leffler# Example configuration showing how to use an inlined blob as a CA certificate 209239beb93cSSam Leffler# data instead of using external file 209339beb93cSSam Lefflernetwork={ 209439beb93cSSam Leffler ssid="example" 209539beb93cSSam Leffler key_mgmt=WPA-EAP 209639beb93cSSam Leffler eap=TTLS 209739beb93cSSam Leffler identity="user@example.com" 209839beb93cSSam Leffler anonymous_identity="anonymous@example.com" 209939beb93cSSam Leffler password="foobar" 210039beb93cSSam Leffler ca_cert="blob://exampleblob" 210139beb93cSSam Leffler priority=20 210239beb93cSSam Leffler} 210339beb93cSSam Leffler 210439beb93cSSam Lefflerblob-base64-exampleblob={ 210539beb93cSSam LefflerSGVsbG8gV29ybGQhCg== 210639beb93cSSam Leffler} 210739beb93cSSam Leffler 210839beb93cSSam Leffler 210939beb93cSSam Leffler# Wildcard match for SSID (plaintext APs only). This example select any 211039beb93cSSam Leffler# open AP regardless of its SSID. 
211139beb93cSSam Lefflernetwork={ 211239beb93cSSam Leffler key_mgmt=NONE 211339beb93cSSam Leffler} 21145b9c547cSRui Paulo 2115c1d255d3SCy Schubert# Example configuration ignoring two APs - these will be ignored 21165b9c547cSRui Paulo# for this network. 21175b9c547cSRui Paulonetwork={ 21185b9c547cSRui Paulo ssid="example" 21195b9c547cSRui Paulo psk="very secret passphrase" 2120c1d255d3SCy Schubert bssid_ignore=02:11:22:33:44:55 02:22:aa:44:55:66 21215b9c547cSRui Paulo} 21225b9c547cSRui Paulo 21235b9c547cSRui Paulo# Example configuration limiting AP selection to a specific set of APs; 21245b9c547cSRui Paulo# any other AP not matching the masked address will be ignored. 21255b9c547cSRui Paulonetwork={ 21265b9c547cSRui Paulo ssid="example" 21275b9c547cSRui Paulo psk="very secret passphrase" 2128c1d255d3SCy Schubert bssid_accept=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff 21295b9c547cSRui Paulo} 21305b9c547cSRui Paulo 21315b9c547cSRui Paulo# Example config file that will only scan on channel 36. 
21325b9c547cSRui Paulofreq_list=5180 21335b9c547cSRui Paulonetwork={ 21345b9c547cSRui Paulo key_mgmt=NONE 21355b9c547cSRui Paulo} 21365b9c547cSRui Paulo 21375b9c547cSRui Paulo 213885732ac8SCy Schubert# Example configuration using EAP-TTLS for authentication and key 213985732ac8SCy Schubert# generation for MACsec 214085732ac8SCy Schubertnetwork={ 214185732ac8SCy Schubert key_mgmt=IEEE8021X 214285732ac8SCy Schubert eap=TTLS 214385732ac8SCy Schubert phase2="auth=PAP" 214485732ac8SCy Schubert anonymous_identity="anonymous@example.com" 214585732ac8SCy Schubert identity="user@example.com" 214685732ac8SCy Schubert password="secretr" 214785732ac8SCy Schubert ca_cert="/etc/cert/ca.pem" 214885732ac8SCy Schubert eapol_flags=0 214985732ac8SCy Schubert macsec_policy=1 215085732ac8SCy Schubert} 215185732ac8SCy Schubert 215285732ac8SCy Schubert# Example configuration for MACsec with preshared key 215385732ac8SCy Schubertnetwork={ 215485732ac8SCy Schubert key_mgmt=NONE 215585732ac8SCy Schubert eapol_flags=0 215685732ac8SCy Schubert macsec_policy=1 215785732ac8SCy Schubert mka_cak=0123456789ABCDEF0123456789ABCDEF 215885732ac8SCy Schubert mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435 215985732ac8SCy Schubert mka_priority=128 216085732ac8SCy Schubert} 2161
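# The examples above mix strong settings (RSN/CCMP, SAE, EAP with ca_cert, MKA) with
# ones the file itself labels plaintext, WEP or deprecated. The following audit script
# is an added illustration, not part of wpa_supplicant: it parses network={...} blocks
# in this file's format, flags open/WEP/TKIP/WPA-None blocks, and checks that
# mka_cak/mka_ckn are hex of the lengths MKA allows (CAK 128 or 256 bits, CKN 1-32
# octets). The sample configuration inside it is constructed for the demo.

```python
import re

# Constructed sample in the network={...} format this page documents (not the page's file).
SAMPLE_CONF = """
network={
	ssid="static-wep-test"
	key_mgmt=NONE
	wep_key0="abcde"
}
network={
	ssid="ibss-rsn"
	key_mgmt=WPA-PSK
	psk="12345678"
	pairwise=CCMP
}
network={
	key_mgmt=NONE
	macsec_policy=1
	mka_cak=0123456789ABCDEF0123456789ABCDEF
	mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
}
"""
HEX = re.compile(r"[0-9a-fA-F]+")

def parse_networks(text):
    """One dict per network={...} block; values keep their quotes, # lines are skipped."""
    nets = []
    for body in re.findall(r"^network=\{(.*?)^\}", text, re.S | re.M):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip() for k, v in pairs})
    return nets

def audit(net):
    """Findings for one block, based on what the page's own examples mark as weak."""
    issues = []
    km = net.get("key_mgmt", "WPA-PSK WPA-EAP").split()   # wpa_supplicant's default
    ciphers = (net.get("pairwise", "") + " " + net.get("group", "")).split()
    if any(k.startswith("wep_key") for k in net):
        issues.append("static WEP keys")
    elif km == ["NONE"] and "macsec_policy" not in net:
        issues.append("open network, no link encryption")
    if "WPA-NONE" in km or set(ciphers) & {"TKIP", "WEP40", "WEP104"}:
        issues.append("deprecated or weak cipher suite allowed")
    if "mka_cak" in net:   # MKA: CAK is 128 or 256 bits, CKN 1..32 octets, both hex
        cak, ckn = net["mka_cak"], net.get("mka_ckn", "")
        if not (HEX.fullmatch(cak) and len(cak) in (32, 64)):
            issues.append("mka_cak must be 32 or 64 hex digits")
        if not (HEX.fullmatch(ckn) and len(ckn) % 2 == 0 and 2 <= len(ckn) <= 64):
            issues.append("mka_ckn must be 1-32 octets in hex")
    return issues
```

# Run it over a real wpa_supplicant.conf with
# `for n in parse_networks(open(path).read()): print(n.get("ssid"), audit(n))`;
# a key_mgmt=NONE block that carries macsec_policy is not reported as open, since
# MKA, not Wi-Fi key management, protects that link.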