139beb93cSSam Leffler##### Example wpa_supplicant configuration file ###############################
239beb93cSSam Leffler#
# This file describes the configuration file format and lists all available options.
439beb93cSSam Leffler# Please also take a look at simpler configuration examples in 'examples'
539beb93cSSam Leffler# subdirectory.
639beb93cSSam Leffler#
739beb93cSSam Leffler# Empty lines and lines starting with # are ignored
839beb93cSSam Leffler
# NOTE! This file may contain secrets (WPA passphrases/PSKs, EAP passwords and
# private key passphrases, WPS/NFC device passwords and DH private keys) and
# should be readable only by the root user (e.g., mode 0600, owned by root) on
# multiuser systems. Apply the same restrictions to any backup copies of it.
1139beb93cSSam Leffler
1239beb93cSSam Leffler# Note: All file paths in this configuration file should use full (absolute,
1339beb93cSSam Leffler# not relative to working directory) path in order to allow working directory
1439beb93cSSam Leffler# to be changed. This can happen if wpa_supplicant is run in the background.
1539beb93cSSam Leffler
# Whether to allow wpa_supplicant to update (overwrite) configuration
#
# This option can be used to allow wpa_supplicant to overwrite configuration
# file whenever configuration is changed (e.g., new network block is added with
# wpa_cli or wpa_gui, or a password is changed). This is required for
# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
# Please note that overwriting the configuration file will remove the comments
# from it, and that the rewritten file still contains all credentials in
# plaintext, so its file permissions need to stay as restrictive as before.
2439beb93cSSam Leffler#update_config=1
2539beb93cSSam Leffler
2639beb93cSSam Leffler# global configuration (shared by all network blocks)
2739beb93cSSam Leffler#
2839beb93cSSam Leffler# Parameters for the control interface. If this is specified, wpa_supplicant
2939beb93cSSam Leffler# will open a control interface that is available for external programs to
3039beb93cSSam Leffler# manage wpa_supplicant. The meaning of this string depends on which control
31f05cddf9SRui Paulo# interface mechanism is used. For all cases, the existence of this parameter
3239beb93cSSam Leffler# in configuration is used to determine whether the control interface is
3339beb93cSSam Leffler# enabled.
3439beb93cSSam Leffler#
3539beb93cSSam Leffler# For UNIX domain sockets (default on Linux and BSD): This is a directory that
3639beb93cSSam Leffler# will be created for UNIX domain sockets for listening to requests from
3739beb93cSSam Leffler# external programs (CLI/GUI, etc.) for status information and configuration.
3839beb93cSSam Leffler# The socket file will be named based on the interface name, so multiple
3939beb93cSSam Leffler# wpa_supplicant processes can be run at the same time if more than one
4039beb93cSSam Leffler# interface is used.
4139beb93cSSam Leffler# /var/run/wpa_supplicant is the recommended directory for sockets and by
4239beb93cSSam Leffler# default, wpa_cli will use it when trying to connect with wpa_supplicant.
4339beb93cSSam Leffler#
# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run wpa_supplicant as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration (including adding network blocks and
# changing their credentials), access to it is effectively control over the
# device's network connectivity and needs to be protected in most cases. By
# default, wpa_supplicant is configured to use gid 0 (root). If you want to
# allow non-root users to use the control interface, add a new dedicated group
# and change this value to match that group. Add only the users that should
# have control interface access to this group. If this variable is commented
# out or not included in the configuration file, the group will not be changed
# from the value it got by default when the directory or socket was created.
5639beb93cSSam Leffler#
5739beb93cSSam Leffler# When configuring both the directory and group, use following format:
5839beb93cSSam Leffler# DIR=/var/run/wpa_supplicant GROUP=wheel
5939beb93cSSam Leffler# DIR=/var/run/wpa_supplicant GROUP=0
6039beb93cSSam Leffler# (group can be either group name or gid)
6139beb93cSSam Leffler#
62c1d255d3SCy Schubert# For UDP connections (default on Windows): The value will be ignored. This
63c1d255d3SCy Schubert# variable is just used to select that the control interface is to be created.
64c1d255d3SCy Schubert# The value can be set to, e.g., udp (ctrl_interface=udp)
65c1d255d3SCy Schubert#
66c1d255d3SCy Schubert# For Windows Named Pipe: This value can be used to set the security descriptor
67c1d255d3SCy Schubert# for controlling access to the control interface. Security descriptor can be
68c1d255d3SCy Schubert# set using Security Descriptor String Format (see http://msdn.microsoft.com/
69c1d255d3SCy Schubert# library/default.asp?url=/library/en-us/secauthz/security/
70c1d255d3SCy Schubert# security_descriptor_string_format.asp). The descriptor string needs to be
71c1d255d3SCy Schubert# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
72c1d255d3SCy Schubert# DACL (which will reject all connections). See README-Windows.txt for more
73c1d255d3SCy Schubert# information about SDDL string format.
74c1d255d3SCy Schubert#
7539beb93cSSam Lefflerctrl_interface=/var/run/wpa_supplicant
7639beb93cSSam Leffler
7739beb93cSSam Leffler# IEEE 802.1X/EAPOL version
7839beb93cSSam Leffler# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
7939beb93cSSam Leffler# EAPOL version 2. However, there are many APs that do not handle the new
8039beb93cSSam Leffler# version number correctly (they seem to drop the frames completely). In order
8139beb93cSSam Leffler# to make wpa_supplicant interoperate with these APs, the version number is set
8239beb93cSSam Leffler# to 1 by default. This configuration value can be used to set it to the new
8339beb93cSSam Leffler# version (2).
845b9c547cSRui Paulo# Note: When using MACsec, eapol_version shall be set to 3, which is
855b9c547cSRui Paulo# defined in IEEE Std 802.1X-2010.
8639beb93cSSam Lefflereapol_version=1
8739beb93cSSam Leffler
8839beb93cSSam Leffler# AP scanning/selection
8939beb93cSSam Leffler# By default, wpa_supplicant requests driver to perform AP scanning and then
9039beb93cSSam Leffler# uses the scan results to select a suitable AP. Another alternative is to
9139beb93cSSam Leffler# allow the driver to take care of AP scanning and selection and use
9239beb93cSSam Leffler# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
9339beb93cSSam Leffler# information from the driver.
94e28a4053SRui Paulo# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
95e28a4053SRui Paulo#    the currently enabled networks are found, a new network (IBSS or AP mode
96e28a4053SRui Paulo#    operation) may be initialized (if configured) (default)
97c1d255d3SCy Schubert# 0: This mode must only be used when using wired Ethernet drivers
98c1d255d3SCy Schubert#    (including MACsec).
9939beb93cSSam Leffler# 2: like 0, but associate with APs using security policy and SSID (but not
10039beb93cSSam Leffler#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
10139beb93cSSam Leffler#    enable operation with hidden SSIDs and optimized roaming; in this mode,
10239beb93cSSam Leffler#    the network blocks in the configuration file are tried one by one until
10339beb93cSSam Leffler#    the driver reports successful association; each network block should have
10439beb93cSSam Leffler#    explicit security policy (i.e., only one option in the lists) for
10539beb93cSSam Leffler#    key_mgmt, pairwise, group, proto variables
106c1d255d3SCy Schubert# Note: ap_scan=0/2 should not be used with the nl80211 driver interface (the
107c1d255d3SCy Schubert# current Linux interface). ap_scan=1 is the only option working with nl80211.
108c1d255d3SCy Schubert# For finding networks using hidden SSID, scan_ssid=1 in the network block can
109c1d255d3SCy Schubert# be used with nl80211.
110e28a4053SRui Paulo# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
111e28a4053SRui Paulo# created immediately regardless of scan results. ap_scan=1 mode will first try
112e28a4053SRui Paulo# to scan for existing networks and only if no matches with the enabled
113e28a4053SRui Paulo# networks are found, a new IBSS or AP mode network is created.
11439beb93cSSam Lefflerap_scan=1
11539beb93cSSam Leffler
116780fb4a2SCy Schubert# Whether to force passive scan for network connection
117780fb4a2SCy Schubert#
# By default, scans will send out Probe Request frames on channels that allow
# active scanning. This advertises the local station (and its MAC address) to
# anyone listening within radio range. Normally this is fine, but users may
# wish to do passive scanning where the radio should only listen quietly for
# Beacon frames and not send any Probe Request frames. Actual functionality
# may be driver dependent.
123780fb4a2SCy Schubert#
124780fb4a2SCy Schubert# This parameter can be used to force only passive scanning to be used
125780fb4a2SCy Schubert# for network connection cases. It should be noted that this will slow
126780fb4a2SCy Schubert# down scan operations and reduce likelihood of finding the AP. In
127780fb4a2SCy Schubert# addition, some use cases will override this due to functional
128780fb4a2SCy Schubert# requirements, e.g., for finding an AP that uses hidden SSID
129780fb4a2SCy Schubert# (scan_ssid=1) or P2P device discovery.
130780fb4a2SCy Schubert#
131780fb4a2SCy Schubert# 0:  Do normal scans (allow active scans) (default)
132780fb4a2SCy Schubert# 1:  Do passive scans.
133780fb4a2SCy Schubert#passive_scan=0
134780fb4a2SCy Schubert
1355b9c547cSRui Paulo# MPM residency
1365b9c547cSRui Paulo# By default, wpa_supplicant implements the mesh peering manager (MPM) for an
1375b9c547cSRui Paulo# open mesh. However, if the driver can implement the MPM, you may set this to
1385b9c547cSRui Paulo# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is
1395b9c547cSRui Paulo# always used.
1405b9c547cSRui Paulo# 0: MPM lives in the driver
1415b9c547cSRui Paulo# 1: wpa_supplicant provides an MPM which handles peering (default)
1425b9c547cSRui Paulo#user_mpm=1
1435b9c547cSRui Paulo
# Maximum number of peer links (0-255; default: 99)
# Maximum number of mesh peerings maintained by the STA at any one time.
1465b9c547cSRui Paulo#max_peer_links=99
1475b9c547cSRui Paulo
1485b9c547cSRui Paulo# Timeout in seconds to detect STA inactivity (default: 300 seconds)
1495b9c547cSRui Paulo#
1505b9c547cSRui Paulo# This timeout value is used in mesh STA to clean up inactive stations.
1515b9c547cSRui Paulo#mesh_max_inactivity=300
1525b9c547cSRui Paulo
15332a95656SCy Schubert# Enable 802.11s layer-2 routing and forwarding (dot11MeshForwarding)
15432a95656SCy Schubert#mesh_fwding=1
15532a95656SCy Schubert
1565b9c547cSRui Paulo# cert_in_cb - Whether to include a peer certificate dump in events
1575b9c547cSRui Paulo# This controls whether peer certificates for authentication server and
1585b9c547cSRui Paulo# its certificate chain are included in EAP peer certificate events. This is
1595b9c547cSRui Paulo# enabled by default.
1605b9c547cSRui Paulo#cert_in_cb=1
1615b9c547cSRui Paulo
16239beb93cSSam Leffler# EAP fast re-authentication
16339beb93cSSam Leffler# By default, fast re-authentication is enabled for all EAP methods that
16439beb93cSSam Leffler# support it. This variable can be used to disable fast re-authentication.
16539beb93cSSam Leffler# Normally, there is no need to disable this.
16639beb93cSSam Lefflerfast_reauth=1
16739beb93cSSam Leffler
# OpenSSL Engine support
# These options can be used to load OpenSSL engines in special or legacy
# modes.
# The two engines that are supported currently are shown below:
# They are both from the opensc project (http://www.opensc.org/)
# By default the PKCS#11 engine is loaded if the client_cert or
# private_key option appear to be a PKCS#11 URI, and these options
# should not need to be used explicitly.
# Note: the engine and module shared objects named here are loaded into the
# wpa_supplicant process (which normally runs as root), so they must be
# absolute paths to files that only root can modify.
17639beb93cSSam Leffler# make the opensc engine available
17739beb93cSSam Leffler#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
17839beb93cSSam Leffler# make the pkcs11 engine available
17939beb93cSSam Leffler#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
18039beb93cSSam Leffler# configure the path to the pkcs11 module required by the pkcs11 engine
18139beb93cSSam Leffler#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
18239beb93cSSam Leffler
1835b9c547cSRui Paulo# OpenSSL cipher string
1845b9c547cSRui Paulo#
1855b9c547cSRui Paulo# This is an OpenSSL specific configuration option for configuring the default
18685732ac8SCy Schubert# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
18785732ac8SCy Schubert# by default) is used.
1885b9c547cSRui Paulo# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
1895b9c547cSRui Paulo# on cipher suite configuration. This is applicable only if wpa_supplicant is
1905b9c547cSRui Paulo# built to use OpenSSL.
1915b9c547cSRui Paulo#openssl_ciphers=DEFAULT:!EXP:!LOW
1925b9c547cSRui Paulo
# Dynamic EAP methods
# If EAP methods were built dynamically as shared object files, they need to be
# loaded here before being used in the network blocks. By default, EAP methods
# are included statically in the build, so these lines are not needed. As with
# the OpenSSL engine paths above, these objects are loaded into the (typically
# root) wpa_supplicant process, so use absolute paths to root-owned files only.
19739beb93cSSam Leffler#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
19839beb93cSSam Leffler#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
19939beb93cSSam Leffler
20039beb93cSSam Leffler# Driver interface parameters
201780fb4a2SCy Schubert# This field can be used to configure arbitrary driver interface parameters. The
20239beb93cSSam Leffler# format is specific to the selected driver interface. This field is not used
20339beb93cSSam Leffler# in most cases.
20439beb93cSSam Leffler#driver_param="field=value"
20539beb93cSSam Leffler
20639beb93cSSam Leffler# Country code
20739beb93cSSam Leffler# The ISO/IEC alpha2 country code for the country in which this device is
20839beb93cSSam Leffler# currently operating.
20939beb93cSSam Leffler#country=US
21039beb93cSSam Leffler
21139beb93cSSam Leffler# Maximum lifetime for PMKSA in seconds; default 43200
21239beb93cSSam Leffler#dot11RSNAConfigPMKLifetime=43200
21339beb93cSSam Leffler# Threshold for reauthentication (percentage of PMK lifetime); default 70
21439beb93cSSam Leffler#dot11RSNAConfigPMKReauthThreshold=70
21539beb93cSSam Leffler# Timeout for security association negotiation in seconds; default 60
21639beb93cSSam Leffler#dot11RSNAConfigSATimeout=60
21739beb93cSSam Leffler
21839beb93cSSam Leffler# Wi-Fi Protected Setup (WPS) parameters
21939beb93cSSam Leffler
22039beb93cSSam Leffler# Universally Unique IDentifier (UUID; see RFC 4122) of the device
22185732ac8SCy Schubert# If not configured, UUID will be generated based on the mechanism selected with
22285732ac8SCy Schubert# the auto_uuid parameter.
22339beb93cSSam Leffler#uuid=12345678-9abc-def0-1234-56789abcdef0
22439beb93cSSam Leffler
# Automatic UUID behavior
# 0 = generate static value based on the local MAC address (default)
# 1 = generate a random UUID every time wpa_supplicant starts
# Note: option 0 yields the same UUID on every start, i.e., a persistent device
# identifier; use 1 if that is not desired (e.g., together with a random MAC
# address policy, see mac_addr below).
#auto_uuid=0
22985732ac8SCy Schubert
23039beb93cSSam Leffler# Device Name
23139beb93cSSam Leffler# User-friendly description of device; up to 32 octets encoded in UTF-8
23239beb93cSSam Leffler#device_name=Wireless Client
23339beb93cSSam Leffler
23439beb93cSSam Leffler# Manufacturer
23539beb93cSSam Leffler# The manufacturer of the device (up to 64 ASCII characters)
23639beb93cSSam Leffler#manufacturer=Company
23739beb93cSSam Leffler
23839beb93cSSam Leffler# Model Name
23939beb93cSSam Leffler# Model of the device (up to 32 ASCII characters)
24039beb93cSSam Leffler#model_name=cmodel
24139beb93cSSam Leffler
24239beb93cSSam Leffler# Model Number
24339beb93cSSam Leffler# Additional device description (up to 32 ASCII characters)
24439beb93cSSam Leffler#model_number=123
24539beb93cSSam Leffler
24639beb93cSSam Leffler# Serial Number
24739beb93cSSam Leffler# Serial number of the device (up to 32 characters)
24839beb93cSSam Leffler#serial_number=12345
24939beb93cSSam Leffler
25039beb93cSSam Leffler# Primary Device Type
25139beb93cSSam Leffler# Used format: <categ>-<OUI>-<subcateg>
25239beb93cSSam Leffler# categ = Category as an integer value
25339beb93cSSam Leffler# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
25439beb93cSSam Leffler#       default WPS OUI
25539beb93cSSam Leffler# subcateg = OUI-specific Sub Category as an integer value
25639beb93cSSam Leffler# Examples:
25739beb93cSSam Leffler#   1-0050F204-1 (Computer / PC)
25839beb93cSSam Leffler#   1-0050F204-2 (Computer / Server)
25939beb93cSSam Leffler#   5-0050F204-1 (Storage / NAS)
26039beb93cSSam Leffler#   6-0050F204-1 (Network Infrastructure / AP)
26139beb93cSSam Leffler#device_type=1-0050F204-1
26239beb93cSSam Leffler
26339beb93cSSam Leffler# OS Version
26439beb93cSSam Leffler# 4-octet operating system version number (hex string)
26539beb93cSSam Leffler#os_version=01020300
26639beb93cSSam Leffler
267e28a4053SRui Paulo# Config Methods
268e28a4053SRui Paulo# List of the supported configuration methods
269e28a4053SRui Paulo# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
270f05cddf9SRui Paulo#	nfc_interface push_button keypad virtual_display physical_display
271f05cddf9SRui Paulo#	virtual_push_button physical_push_button
272f05cddf9SRui Paulo# For WSC 1.0:
273e28a4053SRui Paulo#config_methods=label display push_button keypad
274f05cddf9SRui Paulo# For WSC 2.0:
275f05cddf9SRui Paulo#config_methods=label virtual_display virtual_push_button keypad
276e28a4053SRui Paulo
27739beb93cSSam Leffler# Credential processing
27839beb93cSSam Leffler#   0 = process received credentials internally (default)
27939beb93cSSam Leffler#   1 = do not process received credentials; just pass them over ctrl_iface to
28039beb93cSSam Leffler#	external program(s)
28139beb93cSSam Leffler#   2 = process received credentials internally and pass them over ctrl_iface
28239beb93cSSam Leffler#	to external program(s)
28339beb93cSSam Leffler#wps_cred_processing=0
28439beb93cSSam Leffler
2854bc52338SCy Schubert# Whether to enable SAE (WPA3-Personal transition mode) automatically for
2864bc52338SCy Schubert# WPA2-PSK credentials received using WPS.
2874bc52338SCy Schubert# 0 = only add the explicitly listed WPA2-PSK configuration (default)
2884bc52338SCy Schubert# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the
2894bc52338SCy Schubert#     station gets configured in WPA3-Personal transition mode (supports both
2904bc52338SCy Schubert#     WPA2-Personal (PSK) and WPA3-Personal (SAE) APs).
2914bc52338SCy Schubert#wps_cred_add_sae=0
2924bc52338SCy Schubert
293f05cddf9SRui Paulo# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
294f05cddf9SRui Paulo# The vendor attribute contents to be added in M1 (hex string)
295f05cddf9SRui Paulo#wps_vendor_ext_m1=000137100100020001
296f05cddf9SRui Paulo
# NFC password token for WPS
# These parameters can be used to configure a fixed NFC password token for the
# station. This can be generated, e.g., with nfc_pw_token. When these
# parameters are used, the station is assumed to be deployed with a NFC tag
# that includes the matching NFC password token (e.g., written based on the
# NDEF record from nfc_pw_token). Note that wps_nfc_dh_privkey and
# wps_nfc_dev_pw are secrets and must be protected like any other password
# (see the note about file permissions at the top of this file).
303f05cddf9SRui Paulo#
304f05cddf9SRui Paulo#wps_nfc_dev_pw_id: Device Password ID (16..65535)
305f05cddf9SRui Paulo#wps_nfc_dh_pubkey: Hexdump of DH Public Key
306f05cddf9SRui Paulo#wps_nfc_dh_privkey: Hexdump of DH Private Key
307f05cddf9SRui Paulo#wps_nfc_dev_pw: Hexdump of Device Password
308f05cddf9SRui Paulo
309325151a3SRui Paulo# Priority for the networks added through WPS
310325151a3SRui Paulo# This priority value will be set to each network profile that is added
311325151a3SRui Paulo# by executing the WPS protocol.
312325151a3SRui Paulo#wps_priority=0
313325151a3SRui Paulo
314c1d255d3SCy Schubert# Device Provisioning Protocol (DPP) parameters
315c1d255d3SCy Schubert#
316c1d255d3SCy Schubert# How to process DPP configuration
317c1d255d3SCy Schubert# 0 = report received configuration to an external program for
318c1d255d3SCy Schubert#     processing; do not generate any network profile internally (default)
319c1d255d3SCy Schubert# 1 = report received configuration to an external program and generate
320c1d255d3SCy Schubert#     a network profile internally, but do not automatically connect
321c1d255d3SCy Schubert#     to the created (disabled) profile; the network profile id is
322c1d255d3SCy Schubert#     reported to external programs
323c1d255d3SCy Schubert# 2 = report received configuration to an external program, generate
324c1d255d3SCy Schubert#     a network profile internally, try to connect to the created
325c1d255d3SCy Schubert#     profile automatically
326c1d255d3SCy Schubert#dpp_config_processing=0
327c1d255d3SCy Schubert#
328c1d255d3SCy Schubert# Name for Enrollee's DPP Configuration Request
329c1d255d3SCy Schubert#dpp_name=Test
330c1d255d3SCy Schubert#
331c1d255d3SCy Schubert# MUD URL for Enrollee's DPP Configuration Request (optional)
332c1d255d3SCy Schubert#dpp_mud_url=https://example.com/mud
333c1d255d3SCy Schubert
334e28a4053SRui Paulo# Maximum number of BSS entries to keep in memory
335e28a4053SRui Paulo# Default: 200
336e28a4053SRui Paulo# This can be used to limit memory use on the BSS entries (cached scan
337e28a4053SRui Paulo# results). A larger value may be needed in environments that have huge number
338e28a4053SRui Paulo# of APs when using ap_scan=1 mode.
339e28a4053SRui Paulo#bss_max_count=200
340e28a4053SRui Paulo
3414bc52338SCy Schubert# BSS expiration age in seconds. A BSS will be removed from the local cache
3424bc52338SCy Schubert# if it is not in use and has not been seen for this time. Default is 180.
3434bc52338SCy Schubert#bss_expiration_age=180
3444bc52338SCy Schubert
3454bc52338SCy Schubert# BSS expiration after number of scans. A BSS will be removed from the local
3464bc52338SCy Schubert# cache if it is not seen in this number of scans.
3474bc52338SCy Schubert# Default is 2.
3484bc52338SCy Schubert#bss_expiration_scan_count=2
3494bc52338SCy Schubert
350f05cddf9SRui Paulo# Automatic scan
351f05cddf9SRui Paulo# This is an optional set of parameters for automatic scanning
352f05cddf9SRui Paulo# within an interface in following format:
353f05cddf9SRui Paulo#autoscan=<autoscan module name>:<module parameters>
# autoscan is like bgscan but for the disconnected or inactive state.
3555b9c547cSRui Paulo# For instance, on exponential module parameters would be <base>:<limit>
356f05cddf9SRui Paulo#autoscan=exponential:3:300
357f05cddf9SRui Paulo# Which means a delay between scans on a base exponential of 3,
3585b9c547cSRui Paulo# up to the limit of 300 seconds (3, 9, 27 ... 300)
3595b9c547cSRui Paulo# For periodic module, parameters would be <fixed interval>
360f05cddf9SRui Paulo#autoscan=periodic:30
361780fb4a2SCy Schubert# So a delay of 30 seconds will be applied between each scan.
362780fb4a2SCy Schubert# Note: If sched_scan_plans are configured and supported by the driver,
363780fb4a2SCy Schubert# autoscan is ignored.
364e28a4053SRui Paulo
365e28a4053SRui Paulo# filter_ssids - SSID-based scan result filtering
366e28a4053SRui Paulo# 0 = do not filter scan results (default)
367e28a4053SRui Paulo# 1 = only include configured SSIDs in scan results/BSS table
368e28a4053SRui Paulo#filter_ssids=0
369e28a4053SRui Paulo
370f05cddf9SRui Paulo# Password (and passphrase, etc.) backend for external storage
371f05cddf9SRui Paulo# format: <backend name>[:<optional backend parameters>]
372c1d255d3SCy Schubert# Test backend which stores passwords in memory. Should only be used for
373c1d255d3SCy Schubert# development purposes.
374f05cddf9SRui Paulo#ext_password_backend=test:pw1=password|pw2=testing
# File-based backend which reads passwords from a file. The parameter
# identifies the file to read passwords from. The password file follows the
# format of wpa_supplicant.conf and accepts simple `key=passphrase` formatted
# passwords. The password file holds the secrets in plaintext, so it needs the
# same restrictive permissions (readable by root only) as this configuration
# file, and the path should be absolute.
379c1d255d3SCy Schubert#ext_password_backend=file:/path/to/passwords.conf
380f05cddf9SRui Paulo
381325151a3SRui Paulo
382325151a3SRui Paulo# Disable P2P functionality
383325151a3SRui Paulo# p2p_disabled=1
384325151a3SRui Paulo
385f05cddf9SRui Paulo# Timeout in seconds to detect STA inactivity (default: 300 seconds)
386f05cddf9SRui Paulo#
387f05cddf9SRui Paulo# This timeout value is used in P2P GO mode to clean up
388f05cddf9SRui Paulo# inactive stations.
389f05cddf9SRui Paulo#p2p_go_max_inactivity=300
390f05cddf9SRui Paulo
# Passphrase length (8..63) for P2P GO
#
# This parameter controls the length of the random passphrase that is
# generated at the GO. Default: 8 (the minimum). A longer random passphrase
# makes offline guessing of the group's credentials harder.
3955b9c547cSRui Paulo#p2p_passphrase_len=8
3965b9c547cSRui Paulo
3975b9c547cSRui Paulo# Extra delay between concurrent P2P search iterations
3985b9c547cSRui Paulo#
# This value adds extra delay in milliseconds between concurrent search
# iterations to make p2p_find friendlier to concurrent operations by
# preventing it from taking 100% of the radio resources. The default value is
# 500 ms.
4025b9c547cSRui Paulo#p2p_search_delay=500
4035b9c547cSRui Paulo
404f05cddf9SRui Paulo# Opportunistic Key Caching (also known as Proactive Key Caching) default
405f05cddf9SRui Paulo# This parameter can be used to set the default behavior for the
406f05cddf9SRui Paulo# proactive_key_caching parameter. By default, OKC is disabled unless enabled
407f05cddf9SRui Paulo# with the global okc=1 parameter or with the per-network
408f05cddf9SRui Paulo# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
409f05cddf9SRui Paulo# can be disabled with per-network proactive_key_caching=0 parameter.
410f05cddf9SRui Paulo#okc=0
411f05cddf9SRui Paulo
# Protected Management Frames default
# This parameter can be used to set the default behavior for the ieee80211w
# parameter for RSN networks. By default, PMF is disabled unless enabled with
# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter.
# With pmf=1 PMF is enabled (used when the AP supports it) and with pmf=2 it is
# required by default, but this can be overridden with the per-network
# ieee80211w parameter. This global default value does not apply for non-RSN
# networks (key_mgmt=NONE) since PMF is available only when using RSN.
# Note: without PMF, Deauthentication/Disassociation frames are not
# authenticated and can be spoofed to disconnect the station, and WPA3-Personal
# (SAE) requires PMF to be negotiated (see sae_check_mfp below).
420f05cddf9SRui Paulo#pmf=0
421f05cddf9SRui Paulo
# sae_check_mfp: Require PMF support to select SAE key_mgmt
# 0 = Do not check PMF for SAE (default)
# 1 = Limit SAE when PMF is not enabled
#
# When enabled, SAE will not be selected if PMF will not be used
# for the connection.
# Scenarios where this check will limit SAE:
#  1) ieee80211w=0 is set for the network
#  2) The AP does not have PMF enabled.
#  3) ieee80211w is unset, pmf=1 is enabled globally, and
#     the device does not support the BIP cipher.
# Consider the configuration of global parameters sae_check_mfp=1, pmf=1 and a
# network configured with ieee80211w unset and key_mgmt=SAE WPA-PSK.
# In the example WPA-PSK will be used if the device does not support
# the BIP cipher or the AP has PMF disabled.
# Limiting SAE with this check can avoid failing to associate to an AP
# that is configured with sae_requires_mfp=1 if the device does
# not support PMF due to lack of the BIP cipher.
#
# Enabling this check helps with compliance of the WPA3
# specification for WPA3-Personal transition mode.
# The WPA3 specification section 2.3 "WPA3-Personal transition mode" item 8
# states "A STA shall negotiate PMF when associating to an AP using SAE".
# With this check, WPA3 capable devices connecting to transition mode APs
# that do not advertise PMF support will not use SAE and instead fall back
# to PSK.
# Note that this fallback is a downgrade to WPA2-Personal security, and it is
# only available when WPA-PSK is also listed in the network's key_mgmt. For a
# network that must always use WPA3-Personal, configure key_mgmt=SAE (without
# WPA-PSK) and ieee80211w=2 instead of relying on this check.
448*a90b9d01SCy Schubert#sae_check_mfp=0
449*a90b9d01SCy Schubert
4505b9c547cSRui Paulo# Enabled SAE finite cyclic groups in preference order
4515b9c547cSRui Paulo# By default (if this parameter is not set), the mandatory group 19 (ECC group
4524bc52338SCy Schubert# defined over a 256-bit prime order field, NIST P-256) is preferred and groups
4534bc52338SCy Schubert# 20 (NIST P-384) and 21 (NIST P-521) are also enabled. If this parameter is
4544bc52338SCy Schubert# set, the groups will be tried in the indicated order.
4554bc52338SCy Schubert# The group values are listed in the IANA registry:
4565b9c547cSRui Paulo# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
# Note that groups 1, 2, 5, 22, 23, and 24 should not be used for production
# purposes due to limited security (see RFC 8247). Groups that are not as strong
# as group 19 (ECC, NIST P-256) are unlikely to be useful for production use
# cases since all implementations are required to support group 19.
4614bc52338SCy Schubert#sae_groups=19 20 21
4625b9c547cSRui Paulo
# SAE mechanism for PWE derivation
# 0 = hunting-and-pecking loop only (default without password identifier)
# 1 = hash-to-element only (default with password identifier)
# 2 = both hunting-and-pecking loop and hash-to-element enabled
# Note: The default value is likely to change from 0 to 2 once the new
# hash-to-element mechanism has received more interoperability testing.
# The hash-to-element mechanism was introduced as a side-channel-resistant
# alternative to the hunting-and-pecking loop; prefer sae_pwe=1, or 2 when
# older APs that only support hunting-and-pecking must remain reachable.
# When using SAE password identifier, the hash-to-element mechanism is used
# regardless of the sae_pwe parameter value.
471c1d255d3SCy Schubert#sae_pwe=0
472c1d255d3SCy Schubert
4735b9c547cSRui Paulo# Default value for DTIM period (if not overridden in network block)
4745b9c547cSRui Paulo#dtim_period=2
4755b9c547cSRui Paulo
4765b9c547cSRui Paulo# Default value for Beacon interval (if not overridden in network block)
4775b9c547cSRui Paulo#beacon_int=100
4785b9c547cSRui Paulo
4795b9c547cSRui Paulo# Additional vendor specific elements for Beacon and Probe Response frames
4805b9c547cSRui Paulo# This parameter can be used to add additional vendor specific element(s) into
4815b9c547cSRui Paulo# the end of the Beacon and Probe Response frames. The format for these
4825b9c547cSRui Paulo# element(s) is a hexdump of the raw information elements (id+len+payload for
4835b9c547cSRui Paulo# one or more elements). This is used in AP and P2P GO modes.
4845b9c547cSRui Paulo#ap_vendor_elements=dd0411223301
4855b9c547cSRui Paulo
4865b9c547cSRui Paulo# Ignore scan results older than request
4875b9c547cSRui Paulo#
4885b9c547cSRui Paulo# The driver may have a cache of scan results that makes it return
4895b9c547cSRui Paulo# information that is older than our scan trigger. This parameter can
4905b9c547cSRui Paulo# be used to configure such old information to be ignored instead of
4915b9c547cSRui Paulo# allowing it to update the internal BSS table.
4925b9c547cSRui Paulo#ignore_old_scan_res=0
4935b9c547cSRui Paulo
4945b9c547cSRui Paulo# scan_cur_freq: Whether to scan only the current frequency
4955b9c547cSRui Paulo# 0:  Scan all available frequencies. (Default)
4965b9c547cSRui Paulo# 1:  Scan current operating frequency if another VIF on the same radio
4975b9c547cSRui Paulo#     is already associated.
4985b9c547cSRui Paulo
499c1d255d3SCy Schubert# Seconds to consider old scan results valid for association (default: 5)
500c1d255d3SCy Schubert#scan_res_valid_for_connect=5
501c1d255d3SCy Schubert
5025b9c547cSRui Paulo# MAC address policy default
5035b9c547cSRui Paulo# 0 = use permanent MAC address
5045b9c547cSRui Paulo# 1 = use random MAC address for each ESS connection
5055b9c547cSRui Paulo# 2 = like 1, but maintain OUI (with local admin bit set)
506*a90b9d01SCy Schubert# 3 = use dedicated/pregenerated MAC address (see mac_value)
5075b9c547cSRui Paulo#
5085b9c547cSRui Paulo# By default, permanent MAC address is used unless policy is changed by
5095b9c547cSRui Paulo# the per-network mac_addr parameter. Global mac_addr=1 can be used to
5105b9c547cSRui Paulo# change this default behavior.
5115b9c547cSRui Paulo#mac_addr=0
5125b9c547cSRui Paulo
513*a90b9d01SCy Schubert# Local MAC address to use whenever connecting with this network profile
514*a90b9d01SCy Schubert# This is used with mac_addr=3.
515*a90b9d01SCy Schubert#mac_value=02:12:34:56:78:9a
516*a90b9d01SCy Schubert
5175b9c547cSRui Paulo# Lifetime of random MAC address in seconds (default: 60)
5185b9c547cSRui Paulo#rand_addr_lifetime=60
5195b9c547cSRui Paulo
5205b9c547cSRui Paulo# MAC address policy for pre-association operations (scanning, ANQP)
5215b9c547cSRui Paulo# 0 = use permanent MAC address
5225b9c547cSRui Paulo# 1 = use random MAC address
5235b9c547cSRui Paulo# 2 = like 1, but maintain OUI (with local admin bit set)
5245b9c547cSRui Paulo#preassoc_mac_addr=0
5255b9c547cSRui Paulo
52685732ac8SCy Schubert# MAC address policy for GAS operations
52785732ac8SCy Schubert# 0 = use permanent MAC address
52885732ac8SCy Schubert# 1 = use random MAC address
52985732ac8SCy Schubert# 2 = like 1, but maintain OUI (with local admin bit set)
530c1d255d3SCy Schubert# Note that this setting is ignored when a specific MAC address is needed for
531c1d255d3SCy Schubert# a full protocol exchange that includes GAS, e.g., when going through a DPP
532c1d255d3SCy Schubert# exchange that exposes the configured interface address as part of the DPP
533c1d255d3SCy Schubert# Public Action frame exchanges before using GAS. That same address is then used
534c1d255d3SCy Schubert# during the GAS exchange as well to avoid breaking the protocol expectations.
53585732ac8SCy Schubert#gas_rand_mac_addr=0
53685732ac8SCy Schubert
53785732ac8SCy Schubert# Lifetime of GAS random MAC address in seconds (default: 60)
53885732ac8SCy Schubert#gas_rand_addr_lifetime=60
53985732ac8SCy Schubert
540f05cddf9SRui Paulo# Interworking (IEEE 802.11u)
541f05cddf9SRui Paulo
542f05cddf9SRui Paulo# Enable Interworking
543f05cddf9SRui Paulo# interworking=1
544f05cddf9SRui Paulo
54585732ac8SCy Schubert# Enable P2P GO advertisement of Interworking
54685732ac8SCy Schubert# go_interworking=1
54785732ac8SCy Schubert
54885732ac8SCy Schubert# P2P GO Interworking: Access Network Type
54985732ac8SCy Schubert# 0 = Private network
55085732ac8SCy Schubert# 1 = Private network with guest access
55185732ac8SCy Schubert# 2 = Chargeable public network
55285732ac8SCy Schubert# 3 = Free public network
55385732ac8SCy Schubert# 4 = Personal device network
55485732ac8SCy Schubert# 5 = Emergency services only network
55585732ac8SCy Schubert# 14 = Test or experimental
55685732ac8SCy Schubert# 15 = Wildcard
55785732ac8SCy Schubert#go_access_network_type=0
55885732ac8SCy Schubert
55985732ac8SCy Schubert# P2P GO Interworking: Whether the network provides connectivity to the Internet
56085732ac8SCy Schubert# 0 = Unspecified
56185732ac8SCy Schubert# 1 = Network provides connectivity to the Internet
56285732ac8SCy Schubert#go_internet=1
56385732ac8SCy Schubert
56485732ac8SCy Schubert# P2P GO Interworking: Group Venue Info (optional)
56585732ac8SCy Schubert# The available values are defined in IEEE Std 802.11-2016, 9.4.1.35.
56685732ac8SCy Schubert# Example values (group,type):
56785732ac8SCy Schubert# 0,0 = Unspecified
56885732ac8SCy Schubert# 1,7 = Convention Center
56985732ac8SCy Schubert# 1,13 = Coffee Shop
57085732ac8SCy Schubert# 2,0 = Unspecified Business
57185732ac8SCy Schubert# 7,1 = Private Residence
57285732ac8SCy Schubert#go_venue_group=7
57385732ac8SCy Schubert#go_venue_type=1
57485732ac8SCy Schubert
575c1d255d3SCy Schubert# Homogeneous ESS identifier
576f05cddf9SRui Paulo# If this is set, scans will be used to request response only from BSSes
577f05cddf9SRui Paulo# belonging to the specified Homogeneous ESS. This is used only if interworking
578f05cddf9SRui Paulo# is enabled.
579f05cddf9SRui Paulo# hessid=00:11:22:33:44:55
580f05cddf9SRui Paulo
581f05cddf9SRui Paulo# Automatic network selection behavior
582f05cddf9SRui Paulo# 0 = do not automatically go through Interworking network selection
583f05cddf9SRui Paulo#     (i.e., require explicit interworking_select command for this; default)
584f05cddf9SRui Paulo# 1 = perform Interworking network selection if one or more
585f05cddf9SRui Paulo#     credentials have been configured and scan did not find a
586f05cddf9SRui Paulo#     matching network block
587f05cddf9SRui Paulo#auto_interworking=0
588f05cddf9SRui Paulo
589780fb4a2SCy Schubert# GAS Address3 field behavior
590780fb4a2SCy Schubert# 0 = P2P specification (Address3 = AP BSSID); default
591780fb4a2SCy Schubert# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when
592780fb4a2SCy Schubert#     sent to not-associated AP; if associated, AP BSSID)
593780fb4a2SCy Schubert#gas_address3=0
594780fb4a2SCy Schubert
595780fb4a2SCy Schubert# Publish fine timing measurement (FTM) responder functionality in
596780fb4a2SCy Schubert# the Extended Capabilities element bit 70.
597780fb4a2SCy Schubert# Controls whether FTM responder functionality will be published by AP/STA.
598780fb4a2SCy Schubert# Note that actual FTM responder operation is managed outside wpa_supplicant.
599780fb4a2SCy Schubert# 0 = Do not publish; default
600780fb4a2SCy Schubert# 1 = Publish
601780fb4a2SCy Schubert#ftm_responder=0
602780fb4a2SCy Schubert
603780fb4a2SCy Schubert# Publish fine timing measurement (FTM) initiator functionality in
604780fb4a2SCy Schubert# the Extended Capabilities element bit 71.
605780fb4a2SCy Schubert# Controls whether FTM initiator functionality will be published by AP/STA.
606780fb4a2SCy Schubert# Note that actual FTM initiator operation is managed outside wpa_supplicant.
607780fb4a2SCy Schubert# 0 = Do not publish; default
608780fb4a2SCy Schubert# 1 = Publish
609780fb4a2SCy Schubert#ftm_initiator=0
610780fb4a2SCy Schubert
611f05cddf9SRui Paulo# credential block
612f05cddf9SRui Paulo#
613f05cddf9SRui Paulo# Each credential used for automatic network selection is configured as a set
614f05cddf9SRui Paulo# of parameters that are compared to the information advertised by the APs when
615f05cddf9SRui Paulo# interworking_select and interworking_connect commands are used.
616f05cddf9SRui Paulo#
617f05cddf9SRui Paulo# credential fields:
618f05cddf9SRui Paulo#
6195b9c547cSRui Paulo# temporary: Whether this credential is temporary and not to be saved
6205b9c547cSRui Paulo#
621f05cddf9SRui Paulo# priority: Priority group
622f05cddf9SRui Paulo#	By default, all networks and credentials get the same priority group
623f05cddf9SRui Paulo#	(0). This field can be used to give higher priority for credentials
624f05cddf9SRui Paulo#	(and similarly in struct wpa_ssid for network blocks) to change the
625f05cddf9SRui Paulo#	Interworking automatic networking selection behavior. The matching
626f05cddf9SRui Paulo#	network (based on either an enabled network block or a credential)
627f05cddf9SRui Paulo#	with the highest priority value will be selected.
628f05cddf9SRui Paulo#
629f05cddf9SRui Paulo# pcsc: Use PC/SC and SIM/USIM card
630f05cddf9SRui Paulo#
631f05cddf9SRui Paulo# realm: Home Realm for Interworking
632f05cddf9SRui Paulo#
633f05cddf9SRui Paulo# username: Username for Interworking network selection
634f05cddf9SRui Paulo#
635f05cddf9SRui Paulo# password: Password for Interworking network selection
636f05cddf9SRui Paulo#
637f05cddf9SRui Paulo# ca_cert: CA certificate for Interworking network selection
638f05cddf9SRui Paulo#
639f05cddf9SRui Paulo# client_cert: File path to client certificate file (PEM/DER)
640f05cddf9SRui Paulo#	This field is used with Interworking networking selection for a case
641f05cddf9SRui Paulo#	where client certificate/private key is used for authentication
642f05cddf9SRui Paulo#	(EAP-TLS). Full path to the file should be used since working
643f05cddf9SRui Paulo#	directory may change when wpa_supplicant is run in the background.
644f05cddf9SRui Paulo#
645780fb4a2SCy Schubert#	Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
646780fb4a2SCy Schubert#
647780fb4a2SCy Schubert#	For example: client_cert="pkcs11:manufacturer=piv_II;id=%01"
648780fb4a2SCy Schubert#
649f05cddf9SRui Paulo#	Alternatively, a named configuration blob can be used by setting
650f05cddf9SRui Paulo#	this to blob://blob_name.
651f05cddf9SRui Paulo#
652f05cddf9SRui Paulo# private_key: File path to client private key file (PEM/DER/PFX)
653f05cddf9SRui Paulo#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
654f05cddf9SRui Paulo#	commented out. Both the private key and certificate will be read
655f05cddf9SRui Paulo#	from the PKCS#12 file in this case. Full path to the file should be
656f05cddf9SRui Paulo#	used since working directory may change when wpa_supplicant is run
657f05cddf9SRui Paulo#	in the background.
658f05cddf9SRui Paulo#
659780fb4a2SCy Schubert#	Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
660780fb4a2SCy Schubert#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
661780fb4a2SCy Schubert#
662f05cddf9SRui Paulo#	Windows certificate store can be used by leaving client_cert out and
663f05cddf9SRui Paulo#	configuring private_key in one of the following formats:
664f05cddf9SRui Paulo#
665f05cddf9SRui Paulo#	cert://substring_to_match
666f05cddf9SRui Paulo#
667f05cddf9SRui Paulo#	hash://certificate_thumbprint_in_hex
668f05cddf9SRui Paulo#
669f05cddf9SRui Paulo#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
670f05cddf9SRui Paulo#
671f05cddf9SRui Paulo#	Note that when running wpa_supplicant as an application, the user
672f05cddf9SRui Paulo#	certificate store (My user account) is used, whereas computer store
673f05cddf9SRui Paulo#	(Computer account) is used when running wpasvc as a service.
674f05cddf9SRui Paulo#
675f05cddf9SRui Paulo#	Alternatively, a named configuration blob can be used by setting
676f05cddf9SRui Paulo#	this to blob://blob_name.
677f05cddf9SRui Paulo#
678f05cddf9SRui Paulo# private_key_passwd: Password for private key file
679f05cddf9SRui Paulo#
680f05cddf9SRui Paulo# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
681f05cddf9SRui Paulo#
682f05cddf9SRui Paulo# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
683f05cddf9SRui Paulo#	format
684f05cddf9SRui Paulo#
6855b9c547cSRui Paulo# domain: Home service provider FQDN(s)
686f05cddf9SRui Paulo#	This is used to compare against the Domain Name List to figure out
6875b9c547cSRui Paulo#	whether the AP is operated by the Home SP. Multiple domain entries can
6885b9c547cSRui Paulo#	be used to configure alternative FQDNs that will be considered home
6895b9c547cSRui Paulo#	networks.
690f05cddf9SRui Paulo#
691*a90b9d01SCy Schubert# home_ois: Home OI(s)
692*a90b9d01SCy Schubert#	This string field contains one or more comma delimited OIs (hexdump)
693*a90b9d01SCy Schubert#	identifying the access points that support authentication
694*a90b9d01SCy Schubert#	with this credential. These are an alternative to the use of the realm
695*a90b9d01SCy Schubert#	parameter. When using Home OIs to match the network, the EAP parameters
696*a90b9d01SCy Schubert#	need to be pre-configured with the credentials since the NAI Realm
697*a90b9d01SCy Schubert#	information may not be available or fetched.
698*a90b9d01SCy Schubert#	A successful authentication with the access point is possible as soon
699*a90b9d01SCy Schubert#	as at least one Home OI from the list matches an OI in the Roaming
700*a90b9d01SCy Schubert#	Consortium advertised by the access point.
701*a90b9d01SCy Schubert#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOI)
702*a90b9d01SCy Schubert#
703*a90b9d01SCy Schubert# required_home_ois: Required Home OI(s)
704*a90b9d01SCy Schubert#	This string field contains the set of Home OI(s) (hexdump) that are
705*a90b9d01SCy Schubert#	required to be advertised by the AP for the credential to be considered
706*a90b9d01SCy Schubert#	matching.
707*a90b9d01SCy Schubert#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/HomeOIList/<X+>/HomeOIRequired)
708*a90b9d01SCy Schubert#
709f05cddf9SRui Paulo# roaming_consortium: Roaming Consortium OI
710*a90b9d01SCy Schubert#	Deprecated: use home_ois instead.
711f05cddf9SRui Paulo#	If roaming_consortium_len is non-zero, this field contains the
712f05cddf9SRui Paulo#	Roaming Consortium OI that can be used to determine which access
713f05cddf9SRui Paulo#	points support authentication with this credential. This is an
714f05cddf9SRui Paulo#	alternative to the use of the realm parameter. When using Roaming
715f05cddf9SRui Paulo#	Consortium to match the network, the EAP parameters need to be
716f05cddf9SRui Paulo#	pre-configured with the credential since the NAI Realm information
717f05cddf9SRui Paulo#	may not be available or fetched.
718f05cddf9SRui Paulo#
71985732ac8SCy Schubert# required_roaming_consortium: Required Roaming Consortium OI
720*a90b9d01SCy Schubert#	Deprecated: use required_home_ois instead.
72185732ac8SCy Schubert#	If required_roaming_consortium_len is non-zero, this field contains the
72285732ac8SCy Schubert#	Roaming Consortium OI that is required to be advertised by the AP for
72385732ac8SCy Schubert#	the credential to be considered matching.
72485732ac8SCy Schubert#
72585732ac8SCy Schubert# roaming_consortiums: Roaming Consortium OI(s) memberships
72685732ac8SCy Schubert#	This string field contains one or more comma delimited OIs (hexdump)
72785732ac8SCy Schubert#	identifying the roaming consortiums of which the provider is a member.
72885732ac8SCy Schubert#	The list is sorted from the most preferred one to the least preferred
72985732ac8SCy Schubert#	one. A match between the Roaming Consortium OIs advertised by an AP and
73085732ac8SCy Schubert#	the OIs in this list indicates that successful authentication is
73185732ac8SCy Schubert#	possible.
73285732ac8SCy Schubert#	(Hotspot 2.0 PerProviderSubscription/<X+>/HomeSP/RoamingConsortiumOI)
73385732ac8SCy Schubert#
734f05cddf9SRui Paulo# eap: Pre-configured EAP method
735f05cddf9SRui Paulo#	This optional field can be used to specify which EAP method will be
736f05cddf9SRui Paulo#	used with this credential. If not set, the EAP method is selected
737f05cddf9SRui Paulo#	automatically based on ANQP information (e.g., NAI Realm).
738f05cddf9SRui Paulo#
739f05cddf9SRui Paulo# phase1: Pre-configure Phase 1 (outer authentication) parameters
740f05cddf9SRui Paulo#	This optional field is used like the 'eap' parameter.
741f05cddf9SRui Paulo#
742f05cddf9SRui Paulo# phase2: Pre-configure Phase 2 (inner authentication) parameters
743f05cddf9SRui Paulo#	This optional field is used like the 'eap' parameter.
744f05cddf9SRui Paulo#
745f05cddf9SRui Paulo# excluded_ssid: Excluded SSID
746f05cddf9SRui Paulo#	This optional field can be used to exclude specific SSID(s) from
747f05cddf9SRui Paulo#	matching with the network. Multiple entries can be used to specify more
748f05cddf9SRui Paulo#	than one SSID.
749f05cddf9SRui Paulo#
7505b9c547cSRui Paulo# roaming_partner: Roaming partner information
7515b9c547cSRui Paulo#	This optional field can be used to configure preferences between roaming
7525b9c547cSRui Paulo#	partners. The field is a string in following format:
7535b9c547cSRui Paulo#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>
7545b9c547cSRui Paulo#	(non-exact match means any subdomain matches the entry; priority is in
7555b9c547cSRui Paulo#	0..255 range with 0 being the highest priority)
7565b9c547cSRui Paulo#
7575b9c547cSRui Paulo# update_identifier: PPS MO ID
7585b9c547cSRui Paulo#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
7595b9c547cSRui Paulo#
7605b9c547cSRui Paulo# provisioning_sp: FQDN of the SP that provisioned the credential
7615b9c547cSRui Paulo#	This optional field can be used to keep track of the SP that provisioned
7625b9c547cSRui Paulo#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
7635b9c547cSRui Paulo#
7645b9c547cSRui Paulo# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhaulThreshold/*)
7655b9c547cSRui Paulo#	These fields can be used to specify minimum download/upload backhaul
7665b9c547cSRui Paulo#	bandwidth that is preferred for the credential. This constraint is
7675b9c547cSRui Paulo#	ignored if the AP does not advertise WAN Metrics information or if the
7685b9c547cSRui Paulo#	limit would prevent any connection. Values are in kilobits per second.
7695b9c547cSRui Paulo# min_dl_bandwidth_home
7705b9c547cSRui Paulo# min_ul_bandwidth_home
7715b9c547cSRui Paulo# min_dl_bandwidth_roaming
7725b9c547cSRui Paulo# min_ul_bandwidth_roaming
7735b9c547cSRui Paulo#
7745b9c547cSRui Paulo# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
7755b9c547cSRui Paulo#	(PPS/<X+>/Policy/MaximumBSSLoadValue)
7765b9c547cSRui Paulo#	This value is used as the maximum channel utilization for network
7775b9c547cSRui Paulo#	selection purposes for home networks. If the AP does not advertise
7785b9c547cSRui Paulo#	BSS Load or if the limit would prevent any connection, this constraint
7795b9c547cSRui Paulo#	will be ignored.
7805b9c547cSRui Paulo#
7815b9c547cSRui Paulo# req_conn_capab: Required connection capability
7825b9c547cSRui Paulo#	(PPS/<X+>/Policy/RequiredProtoPortTuple)
7835b9c547cSRui Paulo#	This value is used to configure set of required protocol/port pairs that
7845b9c547cSRui Paulo#	a roaming network shall support (include explicitly in Connection
7855b9c547cSRui Paulo#	Capability ANQP element). This constraint is ignored if the AP does not
7865b9c547cSRui Paulo#	advertise Connection Capability or if this constraint would prevent any
7875b9c547cSRui Paulo#	network connection. This policy is not used in home networks.
7885b9c547cSRui Paulo#	Format: <protocol>[:<comma-separated list of ports>]
7895b9c547cSRui Paulo#	Multiple entries can be used to list multiple requirements.
7905b9c547cSRui Paulo#	For example, number of common TCP protocols:
7915b9c547cSRui Paulo#	req_conn_capab=6,22,80,443
7925b9c547cSRui Paulo#	For example, IPSec/IKE:
7935b9c547cSRui Paulo#	req_conn_capab=17:500
7945b9c547cSRui Paulo#	req_conn_capab=50
7955b9c547cSRui Paulo#
7965b9c547cSRui Paulo# ocsp: Whether to use/require OCSP to check server certificate
7975b9c547cSRui Paulo#	0 = do not use OCSP stapling (TLS certificate status extension)
7985b9c547cSRui Paulo#	1 = try to use OCSP stapling, but not require response
7995b9c547cSRui Paulo#	2 = require valid OCSP stapling response
800780fb4a2SCy Schubert#	3 = require valid OCSP stapling response for all not-trusted
801780fb4a2SCy Schubert#	    certificates in the server certificate chain
8025b9c547cSRui Paulo#
8035b9c547cSRui Paulo# sim_num: Identifier for which SIM to use in multi-SIM devices
8045b9c547cSRui Paulo#
805f05cddf9SRui Paulo# for example:
806f05cddf9SRui Paulo#
807f05cddf9SRui Paulo#cred={
808f05cddf9SRui Paulo#	realm="example.com"
809f05cddf9SRui Paulo#	username="user@example.com"
810f05cddf9SRui Paulo#	password="password"
811f05cddf9SRui Paulo#	ca_cert="/etc/wpa_supplicant/ca.pem"
812f05cddf9SRui Paulo#	domain="example.com"
813f05cddf9SRui Paulo#}
814f05cddf9SRui Paulo#
815f05cddf9SRui Paulo#cred={
816f05cddf9SRui Paulo#	imsi="310026-000000000"
817f05cddf9SRui Paulo#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
818f05cddf9SRui Paulo#}
819f05cddf9SRui Paulo#
820f05cddf9SRui Paulo#cred={
821f05cddf9SRui Paulo#	realm="example.com"
822f05cddf9SRui Paulo#	username="user"
823f05cddf9SRui Paulo#	password="password"
824f05cddf9SRui Paulo#	ca_cert="/etc/wpa_supplicant/ca.pem"
825f05cddf9SRui Paulo#	domain="example.com"
826*a90b9d01SCy Schubert#	home_ois="223344"
827f05cddf9SRui Paulo#	eap=TTLS
828f05cddf9SRui Paulo#	phase2="auth=MSCHAPV2"
829f05cddf9SRui Paulo#}
830f05cddf9SRui Paulo
831f05cddf9SRui Paulo# Hotspot 2.0
832f05cddf9SRui Paulo# hs20=1
833e28a4053SRui Paulo
834780fb4a2SCy Schubert# Scheduled scan plans
835780fb4a2SCy Schubert#
836780fb4a2SCy Schubert# A space delimited list of scan plans. Each scan plan specifies the scan
837780fb4a2SCy Schubert# interval and number of iterations, delimited by a colon. The last scan plan
838780fb4a2SCy Schubert# will run indefinitely and thus must specify only the interval and not the number
839780fb4a2SCy Schubert# of iterations.
840780fb4a2SCy Schubert#
841780fb4a2SCy Schubert# The driver advertises the maximum number of scan plans supported. If more scan
842780fb4a2SCy Schubert# plans than supported are configured, only the first ones are set (up to the
843780fb4a2SCy Schubert# maximum supported). The last scan plan that specifies only the interval is
844780fb4a2SCy Schubert# always set as the last plan.
845780fb4a2SCy Schubert#
846780fb4a2SCy Schubert# If the scan interval or the number of iterations for a scan plan exceeds the
847780fb4a2SCy Schubert# maximum supported, it will be set to the maximum supported value.
848780fb4a2SCy Schubert#
849780fb4a2SCy Schubert# Format:
850780fb4a2SCy Schubert# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
851780fb4a2SCy Schubert#
852780fb4a2SCy Schubert# Example:
853780fb4a2SCy Schubert# sched_scan_plans=10:100 20:200 30
854780fb4a2SCy Schubert
855780fb4a2SCy Schubert# Multi Band Operation (MBO) non-preferred channels
856780fb4a2SCy Schubert# A space delimited list of non-preferred channels where each channel is a colon
857780fb4a2SCy Schubert# delimited list of values.
858780fb4a2SCy Schubert# Format:
859780fb4a2SCy Schubert# non_pref_chan=<oper_class>:<chan>:<preference>:<reason>
860780fb4a2SCy Schubert# Example:
86185732ac8SCy Schubert# non_pref_chan=81:5:10:2 81:1:0:2 81:9:0:2
862780fb4a2SCy Schubert
863780fb4a2SCy Schubert# MBO Cellular Data Capabilities
864780fb4a2SCy Schubert# 1 = Cellular data connection available
865780fb4a2SCy Schubert# 2 = Cellular data connection not available
866780fb4a2SCy Schubert# 3 = Not cellular capable (default)
867780fb4a2SCy Schubert#mbo_cell_capa=3
868780fb4a2SCy Schubert
86985732ac8SCy Schubert# Optimized Connectivity Experience (OCE)
87085732ac8SCy Schubert# oce: Enable OCE features (bitmap)
87185732ac8SCy Schubert# Set BIT(0) to Enable OCE in non-AP STA mode (default; disabled if the driver
87285732ac8SCy Schubert#	does not indicate support for OCE in STA mode)
87385732ac8SCy Schubert# Set BIT(1) to Enable OCE in STA-CFON mode
87485732ac8SCy Schubert#oce=1
87585732ac8SCy Schubert
876c1d255d3SCy Schubert# Extended Key ID support for Individually Addressed frames
877c1d255d3SCy Schubert# 0 = force off: Do not use Extended Key ID (default)
878c1d255d3SCy Schubert# 1 = auto: Activate Extended Key ID support if the driver supports it
879c1d255d3SCy Schubert#extended_key_id=0
880c1d255d3SCy Schubert
88139beb93cSSam Leffler# network block
88239beb93cSSam Leffler#
88339beb93cSSam Leffler# Each network (usually AP's sharing the same SSID) is configured as a separate
88439beb93cSSam Leffler# block in this configuration file. The network blocks are in preference order
88539beb93cSSam Leffler# (the first match is used).
88639beb93cSSam Leffler#
88739beb93cSSam Leffler# network block fields:
88839beb93cSSam Leffler#
88939beb93cSSam Leffler# disabled:
89039beb93cSSam Leffler#	0 = this network can be used (default)
89139beb93cSSam Leffler#	1 = this network block is disabled (can be enabled through ctrl_iface,
89239beb93cSSam Leffler#	    e.g., with wpa_cli or wpa_gui)
89339beb93cSSam Leffler#
89439beb93cSSam Leffler# id_str: Network identifier string for external scripts. This value is passed
89539beb93cSSam Leffler#	to external action script through wpa_cli as WPA_ID_STR environment
89639beb93cSSam Leffler#	variable to make it easier to do network specific configuration.
89739beb93cSSam Leffler#
898f05cddf9SRui Paulo# ssid: SSID (mandatory); network name in one of the optional formats:
899f05cddf9SRui Paulo#	- an ASCII string with double quotation
900f05cddf9SRui Paulo#	- a hex string (two characters per octet of SSID)
901f05cddf9SRui Paulo#	- a printf-escaped ASCII string P"<escaped string>"
90239beb93cSSam Leffler#
90339beb93cSSam Leffler# scan_ssid:
90439beb93cSSam Leffler#	0 = do not scan this SSID with specific Probe Request frames (default)
90539beb93cSSam Leffler#	1 = scan with SSID-specific Probe Request frames (this can be used to
906c1d255d3SCy Schubert#	    find APs that do not accept broadcast SSID or use multiple SSIDs;
90739beb93cSSam Leffler#	    this will add latency to scanning, so enable this only when needed)
90839beb93cSSam Leffler#
90939beb93cSSam Leffler# bssid: BSSID (optional); if set, this network block is used only when
91039beb93cSSam Leffler#	associating with the AP using the configured BSSID
91139beb93cSSam Leffler#
912c1d255d3SCy Schubert# ignore_broadcast_ssid: SSID broadcast behavior
913c1d255d3SCy Schubert# Send empty SSID in beacons and ignore probe request frames that do not
914c1d255d3SCy Schubert# specify full SSID, i.e., require stations to know SSID.
915c1d255d3SCy Schubert# default: disabled (0)
916c1d255d3SCy Schubert# 1 = send empty (length=0) SSID in beacon and ignore probe request for
917c1d255d3SCy Schubert#     broadcast SSID
918c1d255d3SCy Schubert# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
919c1d255d3SCy Schubert#     with some clients that do not support empty SSID) and ignore probe
920c1d255d3SCy Schubert#     requests for broadcast SSID
921c1d255d3SCy Schubert#
92239beb93cSSam Leffler# priority: priority group (integer)
92339beb93cSSam Leffler# By default, all networks will get same priority group (0). If some of the
92439beb93cSSam Leffler# networks are more desirable, this field can be used to change the order in
92539beb93cSSam Leffler# which wpa_supplicant goes through the networks when selecting a BSS. The
92639beb93cSSam Leffler# priority groups will be iterated in decreasing priority (i.e., the larger the
92739beb93cSSam Leffler# priority value, the sooner the network is matched against the scan results).
92839beb93cSSam Leffler# Within each priority group, networks will be selected based on security
92939beb93cSSam Leffler# policy, signal strength, etc.
93039beb93cSSam Leffler# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
93139beb93cSSam Leffler# using this priority to select the order for scanning. Instead, they try the
932c1d255d3SCy Schubert# networks in the order in which they appear in the configuration file.
93339beb93cSSam Leffler#
93439beb93cSSam Leffler# mode: IEEE 802.11 operation mode
93539beb93cSSam Leffler# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
93639beb93cSSam Leffler# 1 = IBSS (ad-hoc, peer-to-peer)
937e28a4053SRui Paulo# 2 = AP (access point)
9385b9c547cSRui Paulo# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
9395b9c547cSRui Paulo# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
9405b9c547cSRui Paulo# TKIP/CCMP) is available for backwards compatibility, but its use is
9415b9c547cSRui Paulo# deprecated. WPA-None requires the following network block options:
94239beb93cSSam Leffler# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
94339beb93cSSam Leffler# both), and psk must also be set.
94439beb93cSSam Leffler#
94539beb93cSSam Leffler# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
94639beb93cSSam Leffler# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
94739beb93cSSam Leffler# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
94839beb93cSSam Leffler# In addition, this value is only used by the station that creates the IBSS. If
94939beb93cSSam Leffler# an IBSS network with the configured SSID is already present, the frequency of
95039beb93cSSam Leffler# the network will be used instead of this configured value.
95139beb93cSSam Leffler#
952780fb4a2SCy Schubert# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
953780fb4a2SCy Schubert# 0 = do not use PBSS
954780fb4a2SCy Schubert# 1 = use PBSS
955780fb4a2SCy Schubert# 2 = don't care (not allowed in AP mode)
956780fb4a2SCy Schubert# Used together with mode configuration. When mode is AP, it means to start a
957780fb4a2SCy Schubert# PCP instead of a regular AP. When mode is infrastructure it means connect
958780fb4a2SCy Schubert# to a PCP instead of AP. In this mode you can also specify 2 (don't care)
959780fb4a2SCy Schubert# which means connect to either PCP or AP.
960780fb4a2SCy Schubert# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.
961780fb4a2SCy Schubert# For more details, see IEEE Std 802.11ad-2012.
962780fb4a2SCy Schubert#
963e28a4053SRui Paulo# scan_freq: List of frequencies to scan
964e28a4053SRui Paulo# Space-separated list of frequencies in MHz to scan when searching for this
965e28a4053SRui Paulo# BSS. If the subset of channels used by the network is known, this option can
966e28a4053SRui Paulo# be used to optimize scanning to not occur on channels that the network does
967e28a4053SRui Paulo# not use. Example: scan_freq=2412 2437 2462
968e28a4053SRui Paulo#
969e28a4053SRui Paulo# freq_list: Array of allowed frequencies
970e28a4053SRui Paulo# Space-separated list of frequencies in MHz to allow for selecting the BSS. If
971e28a4053SRui Paulo# set, scan results that do not match any of the specified frequencies are not
972e28a4053SRui Paulo# considered when selecting a BSS.
973e28a4053SRui Paulo#
9745b9c547cSRui Paulo# This can also be set on the outside of the network block. In this case,
9755b9c547cSRui Paulo# it limits the frequencies that will be scanned.
9765b9c547cSRui Paulo#
977f05cddf9SRui Paulo# bgscan: Background scanning
978f05cddf9SRui Paulo# wpa_supplicant behavior for background scanning can be specified by
979f05cddf9SRui Paulo# configuring a bgscan module. These modules are responsible for requesting
980f05cddf9SRui Paulo# background scans for the purpose of roaming within an ESS (i.e., within a
981f05cddf9SRui Paulo# single network block with all the APs using the same SSID). The bgscan
982f05cddf9SRui Paulo# parameter uses following format: "<bgscan module name>:<module parameters>"
983f05cddf9SRui Paulo# Following bgscan modules are available:
984f05cddf9SRui Paulo# simple - Periodic background scans based on signal strength
985*a90b9d01SCy Schubert# send_btm_query > 0 means do this many BTM queries before attempting a scan.
986f05cddf9SRui Paulo# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
987*a90b9d01SCy Schubert# <long interval>[:<send_btm_query>]"
988f05cddf9SRui Paulo# bgscan="simple:30:-45:300"
989*a90b9d01SCy Schubert# bgscan="simple:30:-45:300:3"
990f05cddf9SRui Paulo# learn - Learn channels used by the network and try to avoid bgscans on other
991f05cddf9SRui Paulo# channels (experimental)
992f05cddf9SRui Paulo# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
993f05cddf9SRui Paulo# <long interval>[:<database file name>]"
994f05cddf9SRui Paulo# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
9955b9c547cSRui Paulo# Explicitly disable bgscan by setting
9965b9c547cSRui Paulo# bgscan=""
9975b9c547cSRui Paulo#
9985b9c547cSRui Paulo# This option can also be set outside of all network blocks for the bgscan
9995b9c547cSRui Paulo# parameter to apply for all the networks that have no specific bgscan
10005b9c547cSRui Paulo# parameter.
1001f05cddf9SRui Paulo#
100239beb93cSSam Leffler# proto: list of accepted protocols
100339beb93cSSam Leffler# WPA = WPA/IEEE 802.11i/D3.0
100439beb93cSSam Leffler# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
100585732ac8SCy Schubert# Note that RSN is used also for WPA3.
100639beb93cSSam Leffler# If not set, this defaults to: WPA RSN
100739beb93cSSam Leffler#
100839beb93cSSam Leffler# key_mgmt: list of accepted authenticated key management protocols
100939beb93cSSam Leffler# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
101039beb93cSSam Leffler# WPA-EAP = WPA using EAP authentication
101139beb93cSSam Leffler# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
101239beb93cSSam Leffler#	generated WEP keys
101339beb93cSSam Leffler# NONE = WPA is not used; plaintext or static WEP could be used
1014780fb4a2SCy Schubert# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
1015780fb4a2SCy Schubert#	instead)
1016780fb4a2SCy Schubert# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
1017780fb4a2SCy Schubert# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
101885732ac8SCy Schubert# FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
101985732ac8SCy Schubert#	and using SHA384
102039beb93cSSam Leffler# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
102139beb93cSSam Leffler# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
1022780fb4a2SCy Schubert# SAE = Simultaneous authentication of equals; pre-shared key/password -based
1023780fb4a2SCy Schubert#	authentication with stronger security than WPA-PSK especially when using
102485732ac8SCy Schubert#	not that strong password; a.k.a. WPA3-Personal
1025780fb4a2SCy Schubert# FT-SAE = SAE with FT
1026780fb4a2SCy Schubert# WPA-EAP-SUITE-B = Suite B 128-bit level
1027780fb4a2SCy Schubert# WPA-EAP-SUITE-B-192 = Suite B 192-bit level
1028780fb4a2SCy Schubert# OSEN = Hotspot 2.0 Rel 2 online signup connection
102985732ac8SCy Schubert# FILS-SHA256 = Fast Initial Link Setup with SHA256
103085732ac8SCy Schubert# FILS-SHA384 = Fast Initial Link Setup with SHA384
103185732ac8SCy Schubert# FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
103285732ac8SCy Schubert# FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
103385732ac8SCy Schubert# OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
103485732ac8SCy Schubert# DPP = Device Provisioning Protocol
103539beb93cSSam Leffler# If not set, this defaults to: WPA-PSK WPA-EAP
103639beb93cSSam Leffler#
1037f05cddf9SRui Paulo# ieee80211w: whether management frame protection is enabled
1038f05cddf9SRui Paulo# 0 = disabled (default unless changed with the global pmf parameter)
1039f05cddf9SRui Paulo# 1 = optional
1040f05cddf9SRui Paulo# 2 = required
1041f05cddf9SRui Paulo# The most common configuration options for this based on the PMF (protected
1042f05cddf9SRui Paulo# management frames) certification program are:
1043f05cddf9SRui Paulo# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
1044f05cddf9SRui Paulo# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
1045c1d255d3SCy Schubert# (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
1046c1d255d3SCy Schubert# WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
1047f05cddf9SRui Paulo#
10484bc52338SCy Schubert# ocv: whether operating channel validation is enabled
10494b72b91aSCy Schubert# This is a countermeasure against multi-channel on-path attacks.
10504bc52338SCy Schubert# Enabling this automatically also enables ieee80211w, if not yet enabled.
10514bc52338SCy Schubert# 0 = disabled (default)
1052c1d255d3SCy Schubert# 1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
1053c1d255d3SCy Schubert#     driver indicates support for operating channel validation.
10544bc52338SCy Schubert#ocv=1
10554bc52338SCy Schubert#
105639beb93cSSam Leffler# auth_alg: list of allowed IEEE 802.11 authentication algorithms
105739beb93cSSam Leffler# OPEN = Open System authentication (required for WPA/WPA2)
105839beb93cSSam Leffler# SHARED = Shared Key authentication (requires static WEP keys)
105939beb93cSSam Leffler# LEAP = LEAP/Network EAP (only used with LEAP)
106039beb93cSSam Leffler# If not set, automatic selection is used (Open System with LEAP enabled if
106139beb93cSSam Leffler# LEAP is allowed as one of the EAP methods).
106239beb93cSSam Leffler#
106339beb93cSSam Leffler# pairwise: list of accepted pairwise (unicast) ciphers for WPA
106439beb93cSSam Leffler# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
106539beb93cSSam Leffler# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
106639beb93cSSam Leffler# NONE = Use only Group Keys (deprecated, should not be included if APs support
106739beb93cSSam Leffler#	pairwise keys)
106839beb93cSSam Leffler# If not set, this defaults to: CCMP TKIP
# Note: TKIP is deprecated. When every AP in the network supports CCMP, set
# pairwise=CCMP explicitly so that a downgrade to TKIP is not accepted.
106939beb93cSSam Leffler#
107039beb93cSSam Leffler# group: list of accepted group (broadcast/multicast) ciphers for WPA
107139beb93cSSam Leffler# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
107239beb93cSSam Leffler# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
107339beb93cSSam Leffler# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
107439beb93cSSam Leffler# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
107539beb93cSSam Leffler# If not set, this defaults to: CCMP TKIP WEP104 WEP40
107639beb93cSSam Leffler#
107785732ac8SCy Schubert# group_mgmt: list of accepted group management ciphers for RSN (PMF)
107885732ac8SCy Schubert# AES-128-CMAC = BIP-CMAC-128
107985732ac8SCy Schubert# BIP-GMAC-128
108085732ac8SCy Schubert# BIP-GMAC-256
108185732ac8SCy Schubert# BIP-CMAC-256
108285732ac8SCy Schubert# If not set, no constraint on the cipher, i.e., accept whichever cipher the AP
108385732ac8SCy Schubert# indicates.
108485732ac8SCy Schubert#
108539beb93cSSam Leffler# psk: WPA preshared key; 256-bit pre-shared key
108639beb93cSSam Leffler# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
108739beb93cSSam Leffler# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
108839beb93cSSam Leffler# generated using the passphrase and SSID). ASCII passphrase must be between
1089f05cddf9SRui Paulo# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
1090f05cddf9SRui Paulo# be used to indicate that the PSK/passphrase is stored in external storage.
109139beb93cSSam Leffler# This field is not needed, if WPA-EAP is used.
109239beb93cSSam Leffler# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
109339beb93cSSam Leffler# from ASCII passphrase. This process uses a lot of CPU and wpa_supplicant
109439beb93cSSam Leffler# startup and reconfiguration time can be optimized by generating the PSK
109539beb93cSSam Leffler# only when the passphrase or SSID has actually changed.
109639beb93cSSam Leffler#
1097325151a3SRui Paulo# mem_only_psk: Whether to keep PSK/passphrase only in memory
1098325151a3SRui Paulo# 0 = allow psk/passphrase to be stored to the configuration file
1099325151a3SRui Paulo# 1 = do not store psk/passphrase to the configuration file
1100325151a3SRui Paulo#mem_only_psk=0
1101325151a3SRui Paulo#
110285732ac8SCy Schubert# sae_password: SAE password
110385732ac8SCy Schubert# This parameter can be used to set a password for SAE. By default, the
110485732ac8SCy Schubert# passphrase from the psk parameter is used if this separate parameter is not
110585732ac8SCy Schubert# used, but psk follows the WPA-PSK constraints (8..63 characters) even though
110685732ac8SCy Schubert# SAE passwords do not have such constraints.
110785732ac8SCy Schubert#
110885732ac8SCy Schubert# sae_password_id: SAE password identifier
110985732ac8SCy Schubert# This parameter can be used to set an identifier for the SAE password. By
111085732ac8SCy Schubert# default, no such identifier is used. If set, the specified identifier value
111185732ac8SCy Schubert# is used by the other peer to select which password to use for authentication.
111285732ac8SCy Schubert#
111339beb93cSSam Leffler# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
111439beb93cSSam Leffler# Dynamic WEP key required for non-WPA mode
111539beb93cSSam Leffler# bit0 (1): require dynamically generated unicast WEP key
111639beb93cSSam Leffler# bit1 (2): require dynamically generated broadcast WEP key
111739beb93cSSam Leffler# 	(3 = require both keys; default)
111885732ac8SCy Schubert# Note: When using wired authentication (including MACsec drivers),
11195b9c547cSRui Paulo# eapol_flags must be set to 0 for the authentication to be completed
11205b9c547cSRui Paulo# successfully.
11215b9c547cSRui Paulo#
11225b9c547cSRui Paulo# macsec_policy: IEEE 802.1X/MACsec options
112385732ac8SCy Schubert# This determines how sessions are secured with MACsec (only for MACsec
112485732ac8SCy Schubert# drivers).
11255b9c547cSRui Paulo# 0: MACsec not in use (default)
11265b9c547cSRui Paulo# 1: MACsec enabled - Should secure, accept key server's advice to
11275b9c547cSRui Paulo#    determine whether to use a secure session or not.
112839beb93cSSam Leffler#
112985732ac8SCy Schubert# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
113085732ac8SCy Schubert# This setting applies only when MACsec is in use, i.e.,
113185732ac8SCy Schubert#  - macsec_policy is enabled
113285732ac8SCy Schubert#  - the key server has decided to enable MACsec
113385732ac8SCy Schubert# 0: Encrypt traffic (default)
113485732ac8SCy Schubert# 1: Integrity only
113585732ac8SCy Schubert#
11364bc52338SCy Schubert# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
11374bc52338SCy Schubert# This setting applies only when MACsec is in use, i.e.,
11384bc52338SCy Schubert#  - macsec_policy is enabled
11394bc52338SCy Schubert#  - the key server has decided to enable MACsec
11404bc52338SCy Schubert# 0: Replay protection disabled (default)
11414bc52338SCy Schubert# 1: Replay protection enabled
11424bc52338SCy Schubert#
11434bc52338SCy Schubert# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
11444bc52338SCy Schubert# This determines a window in which replay is tolerated, to allow receipt
11454bc52338SCy Schubert# of frames that have been misordered by the network.
11464bc52338SCy Schubert# This setting applies only when MACsec replay protection is active, i.e.,
11474bc52338SCy Schubert#  - macsec_replay_protect is enabled
11484bc52338SCy Schubert#  - the key server has decided to enable MACsec
11494bc52338SCy Schubert# 0: No replay window, strict check (default)
11504bc52338SCy Schubert# 1..2^32-1: number of packets that could be misordered
11514bc52338SCy Schubert#
1152*a90b9d01SCy Schubert# macsec_offload - Enable MACsec hardware offload
1153*a90b9d01SCy Schubert#
1154*a90b9d01SCy Schubert# This setting applies only when MACsec is in use, i.e.,
1155*a90b9d01SCy Schubert#  - the key server has decided to enable MACsec
1156*a90b9d01SCy Schubert#
1157*a90b9d01SCy Schubert# 0 = MACSEC_OFFLOAD_OFF (default)
1158*a90b9d01SCy Schubert# 1 = MACSEC_OFFLOAD_PHY
1159*a90b9d01SCy Schubert# 2 = MACSEC_OFFLOAD_MAC
1160*a90b9d01SCy Schubert#
116185732ac8SCy Schubert# macsec_port: IEEE 802.1X/MACsec port
116285732ac8SCy Schubert# Port component of the SCI
116385732ac8SCy Schubert# Range: 1-65534 (default: 1)
116485732ac8SCy Schubert#
116585732ac8SCy Schubert# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
116685732ac8SCy Schubert# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
116785732ac8SCy Schubert# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
116885732ac8SCy Schubert# with the lower priority value will become the key server and start
# distributing SAKs.
11694bc52338SCy Schubert# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
11704bc52338SCy Schubert# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
11714bc52338SCy Schubert# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
11724bc52338SCy Schubert# (2..64 hex-digits)
117385732ac8SCy Schubert# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
117485732ac8SCy Schubert# default priority
117585732ac8SCy Schubert#
117639beb93cSSam Leffler# mixed_cell: This option can be used to configure whether so called mixed
117739beb93cSSam Leffler# cells, i.e., networks that use both plaintext and encryption in the same
1178f05cddf9SRui Paulo# SSID, are allowed when selecting a BSS from scan results.
117939beb93cSSam Leffler# 0 = disabled (default)
118039beb93cSSam Leffler# 1 = enabled
118139beb93cSSam Leffler#
118239beb93cSSam Leffler# proactive_key_caching:
118339beb93cSSam Leffler# Enable/disable opportunistic PMKSA caching for WPA2.
1184f05cddf9SRui Paulo# 0 = disabled (default unless changed with the global okc parameter)
118539beb93cSSam Leffler# 1 = enabled
118639beb93cSSam Leffler#
1187206b73d0SCy Schubert# ft_eap_pmksa_caching:
1188206b73d0SCy Schubert# Whether FT-EAP PMKSA caching is allowed
1189206b73d0SCy Schubert# 0 = do not try to use PMKSA caching with FT-EAP (default)
1190206b73d0SCy Schubert# 1 = try to use PMKSA caching with FT-EAP
1191206b73d0SCy Schubert# This controls whether to try to use PMKSA caching with FT-EAP for the
1192206b73d0SCy Schubert# FT initial mobility domain association.
1193206b73d0SCy Schubert#ft_eap_pmksa_caching=0
1194206b73d0SCy Schubert#
119539beb93cSSam Leffler# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
119639beb93cSSam Leffler# hex without quotation, e.g., 0102030405)
119739beb93cSSam Leffler# wep_tx_keyidx: Default WEP key index (TX) (0..3)
119839beb93cSSam Leffler#
119939beb93cSSam Leffler# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
120039beb93cSSam Leffler# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
120139beb93cSSam Leffler#
1202c1d255d3SCy Schubert# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
1203c1d255d3SCy Schubert# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
1204c1d255d3SCy Schubert# security and stability with some cards.
1205c1d255d3SCy Schubert# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
1206c1d255d3SCy Schubert# EAP reauthentications) with fast reconnects.
1207c1d255d3SCy Schubert#
1208c1d255d3SCy Schubert# Available options:
1209c1d255d3SCy Schubert# 0 = always rekey when configured/instructed (default)
1210c1d255d3SCy Schubert# 1 = only rekey when the local driver is explicitly indicating it can perform
1211c1d255d3SCy Schubert#	this operation without issues
1212c1d255d3SCy Schubert# 2 = never allow problematic PTK0 rekeys
1213c1d255d3SCy Schubert#
1214780fb4a2SCy Schubert# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
1215780fb4a2SCy Schubert# as the dot11RSNAConfigGroupRekeyTime parameter when operating in
121685732ac8SCy Schubert# Authenticator role in IBSS, or in AP and mesh modes.
1217780fb4a2SCy Schubert#
121839beb93cSSam Leffler# Following fields are only used with internal EAP implementation.
121939beb93cSSam Leffler# eap: space-separated list of accepted EAP methods
1220780fb4a2SCy Schubert#	MD5 = EAP-MD5 (insecure and does not generate keying material ->
122139beb93cSSam Leffler#			cannot be used with WPA; to be used as a Phase 2 method
122239beb93cSSam Leffler#			with EAP-PEAP or EAP-TTLS)
122339beb93cSSam Leffler#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
122439beb93cSSam Leffler#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
122539beb93cSSam Leffler#       OTP = EAP-OTP (cannot be used separately with WPA; to be used
122639beb93cSSam Leffler#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
122739beb93cSSam Leffler#       GTC = EAP-GTC (cannot be used separately with WPA; to be used
122839beb93cSSam Leffler#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
122939beb93cSSam Leffler#	TLS = EAP-TLS (client and server certificate)
123039beb93cSSam Leffler#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
123139beb93cSSam Leffler#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
123239beb93cSSam Leffler#			 authentication)
123339beb93cSSam Leffler#	If not set, all compiled in methods are allowed.
123439beb93cSSam Leffler#
123539beb93cSSam Leffler# identity: Identity string for EAP
123639beb93cSSam Leffler#	This field is also used to configure user NAI for
123739beb93cSSam Leffler#	EAP-PSK/PAX/SAKE/GPSK.
123839beb93cSSam Leffler# anonymous_identity: Anonymous identity string for EAP (to be used as the
123939beb93cSSam Leffler#	unencrypted identity with EAP types that support different tunnelled
1240f05cddf9SRui Paulo#	identity, e.g., EAP-TTLS). This field can also be used with
1241f05cddf9SRui Paulo#	EAP-SIM/AKA/AKA' to store the pseudonym identity.
124239beb93cSSam Leffler# password: Password string for EAP. This field can include either the
124339beb93cSSam Leffler#	plaintext password (using ASCII or hex string) or a NtPasswordHash
124439beb93cSSam Leffler#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.
124539beb93cSSam Leffler#	NtPasswordHash can only be used when the password is for MSCHAPv2 or
124639beb93cSSam Leffler#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
124739beb93cSSam Leffler#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
124839beb93cSSam Leffler#	PSK) is also configured using this field. For EAP-GPSK, this is a
1249f05cddf9SRui Paulo#	variable length PSK. ext:<name of external password field> format can
1250f05cddf9SRui Paulo#	be used to indicate that the password is stored in external storage.
125139beb93cSSam Leffler# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
125239beb93cSSam Leffler#	or more trusted CA certificates. If ca_cert and ca_path are not
125339beb93cSSam Leffler#	included, server certificate will not be verified. This is insecure and
125439beb93cSSam Leffler#	a trusted CA certificate should always be configured when using
125539beb93cSSam Leffler#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
125639beb93cSSam Leffler#	change when wpa_supplicant is run in the background.
#	Note: a CA constraint alone accepts any server certificate issued by
#	that CA (including public CAs). Combine it with domain_match or
#	domain_suffix_match to also pin the expected server name.
1257e28a4053SRui Paulo#
1258e28a4053SRui Paulo#	Alternatively, this can be used to only perform matching of the server
1259e28a4053SRui Paulo#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In
1260e28a4053SRui Paulo#	this case, the possible CA certificates in the server certificate chain
1261e28a4053SRui Paulo#	are ignored and only the server certificate is verified. This is
1262e28a4053SRui Paulo#	configured with the following format:
1263e28a4053SRui Paulo#	hash://server/sha256/cert_hash_in_hex
1264e28a4053SRui Paulo#	For example: "hash://server/sha256/
1265e28a4053SRui Paulo#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
1266e28a4053SRui Paulo#
126739beb93cSSam Leffler#	On Windows, trusted CA certificates can be loaded from the system
126839beb93cSSam Leffler#	certificate store by setting this to cert_store://<name>, e.g.,
126939beb93cSSam Leffler#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
127039beb93cSSam Leffler#	Note that when running wpa_supplicant as an application, the user
127139beb93cSSam Leffler#	certificate store (My user account) is used, whereas computer store
127239beb93cSSam Leffler#	(Computer account) is used when running wpasvc as a service.
127339beb93cSSam Leffler# ca_path: Directory path for CA certificate files (PEM). This path may
127439beb93cSSam Leffler#	contain multiple CA certificates in OpenSSL format. Common use for this
127539beb93cSSam Leffler#	is to point to system trusted CA list which is often installed into
127639beb93cSSam Leffler#	directory like /etc/ssl/certs. If configured, these certificates are
127739beb93cSSam Leffler#	added to the list of trusted CAs. ca_cert may also be included in that
127839beb93cSSam Leffler#	case, but it is not required.
127939beb93cSSam Leffler# client_cert: File path to client certificate file (PEM/DER)
128039beb93cSSam Leffler#	Full path should be used since working directory may change when
128139beb93cSSam Leffler#	wpa_supplicant is run in the background.
128239beb93cSSam Leffler#	Alternatively, a named configuration blob can be used by setting this
128339beb93cSSam Leffler#	to blob://<blob name>.
128439beb93cSSam Leffler# private_key: File path to client private key file (PEM/DER/PFX)
128539beb93cSSam Leffler#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
128639beb93cSSam Leffler#	commented out. Both the private key and certificate will be read from
128739beb93cSSam Leffler#	the PKCS#12 file in this case. Full path should be used since working
128839beb93cSSam Leffler#	directory may change when wpa_supplicant is run in the background.
128939beb93cSSam Leffler#	Windows certificate store can be used by leaving client_cert out and
129039beb93cSSam Leffler#	configuring private_key in one of the following formats:
129139beb93cSSam Leffler#	cert://substring_to_match
129239beb93cSSam Leffler#	hash://certificate_thumbprint_in_hex
129339beb93cSSam Leffler#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
129439beb93cSSam Leffler#	Note that when running wpa_supplicant as an application, the user
129539beb93cSSam Leffler#	certificate store (My user account) is used, whereas computer store
129639beb93cSSam Leffler#	(Computer account) is used when running wpasvc as a service.
129739beb93cSSam Leffler#	Alternatively, a named configuration blob can be used by setting this
129839beb93cSSam Leffler#	to blob://<blob name>.
129939beb93cSSam Leffler# private_key_passwd: Password for private key file (if left out, this will be
130039beb93cSSam Leffler#	asked through control interface)
130139beb93cSSam Leffler# subject_match: Substring to be matched against the subject of the
130239beb93cSSam Leffler#	authentication server certificate. If this string is set, the server
1303780fb4a2SCy Schubert#	certificate is only accepted if it contains this string in the subject.
130439beb93cSSam Leffler#	The subject string is in following format:
130539beb93cSSam Leffler#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
1306780fb4a2SCy Schubert#	Note: Since this is a substring match, this cannot be used securely to
13075b9c547cSRui Paulo#	do a suffix match against a possible domain name in the CN entry. For
13085b9c547cSRui Paulo#	such a use case, domain_suffix_match or domain_match should be used
13095b9c547cSRui Paulo#	instead.
131039beb93cSSam Leffler# altsubject_match: Semicolon separated string of entries to be matched against
131139beb93cSSam Leffler#	the alternative subject name of the authentication server certificate.
1312780fb4a2SCy Schubert#	If this string is set, the server certificate is only accepted if it
131339beb93cSSam Leffler#	contains one of the entries in an alternative subject name extension.
131439beb93cSSam Leffler#	altSubjectName string is in following format: TYPE:VALUE
131539beb93cSSam Leffler#	Example: EMAIL:server@example.com
131639beb93cSSam Leffler#	Example: DNS:server.example.com;DNS:server2.example.com
131739beb93cSSam Leffler#	Following types are supported: EMAIL, DNS, URI
13185b9c547cSRui Paulo# domain_suffix_match: Constraint for server domain name. If set, this FQDN is
13195b9c547cSRui Paulo#	used as a suffix match requirement for the AAA server certificate in
13205b9c547cSRui Paulo#	SubjectAltName dNSName element(s). If a matching dNSName is found, this
13215b9c547cSRui Paulo#	constraint is met. If no dNSName values are present, this constraint is
13225b9c547cSRui Paulo#	matched against SubjectName CN using same suffix match comparison.
13235b9c547cSRui Paulo#
13245b9c547cSRui Paulo#	Suffix match here means that the host/domain name is compared one label
13255b9c547cSRui Paulo#	at a time starting from the top-level domain and all the labels in
13265b9c547cSRui Paulo#	domain_suffix_match shall be included in the certificate. The
13275b9c547cSRui Paulo#	certificate may include additional sub-level labels in addition to the
13285b9c547cSRui Paulo#	required labels.
13295b9c547cSRui Paulo#
13304bc52338SCy Schubert#	More than one match string can be provided by using semicolons to
13314bc52338SCy Schubert#	separate the strings (e.g., example.org;example.com). When multiple
13324bc52338SCy Schubert#	strings are specified, a match with any one of the values is considered
13334bc52338SCy Schubert#	a sufficient match for the certificate, i.e., the conditions are ORed
13344bc52338SCy Schubert#	together.
13354bc52338SCy Schubert#
13365b9c547cSRui Paulo#	For example, domain_suffix_match=example.com would match
13375b9c547cSRui Paulo#	test.example.com but would not match test-example.com.
13385b9c547cSRui Paulo# domain_match: Constraint for server domain name
13395b9c547cSRui Paulo#	If set, this FQDN is used as a full match requirement for the
13405b9c547cSRui Paulo#	server certificate in SubjectAltName dNSName element(s). If a
13415b9c547cSRui Paulo#	matching dNSName is found, this constraint is met. If no dNSName
13425b9c547cSRui Paulo#	values are present, this constraint is matched against SubjectName CN
13435b9c547cSRui Paulo#	using same full match comparison. This behavior is similar to
13445b9c547cSRui Paulo#	domain_suffix_match, but has the requirement of a full match, i.e.,
13455b9c547cSRui Paulo#	no subdomains or wildcard matches are allowed. Case-insensitive
13465b9c547cSRui Paulo#	comparison is used, so "Example.com" matches "example.com", but would
13475b9c547cSRui Paulo#	not match "test.Example.com".
13484bc52338SCy Schubert#
13494bc52338SCy Schubert#	More than one match string can be provided by using semicolons to
13504bc52338SCy Schubert#	separate the strings (e.g., example.org;example.com). When multiple
13514bc52338SCy Schubert#	strings are specified, a match with any one of the values is considered
13524bc52338SCy Schubert#	a sufficient match for the certificate, i.e., the conditions are ORed
13534bc52338SCy Schubert#	together.
135439beb93cSSam Leffler# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
135539beb93cSSam Leffler#	(string with field-value pairs, e.g., "peapver=0" or
135639beb93cSSam Leffler#	"peapver=1 peaplabel=1")
135739beb93cSSam Leffler#	'peapver' can be used to force which PEAP version (0 or 1) is used.
135839beb93cSSam Leffler#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
135939beb93cSSam Leffler#	to be used during key derivation when PEAPv1 or newer. Most existing
136039beb93cSSam Leffler#	PEAPv1 implementations seem to be using the old label, "client EAP
136139beb93cSSam Leffler#	encryption", and wpa_supplicant is now using that as the default value.
136239beb93cSSam Leffler#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
136339beb93cSSam Leffler#	interoperate with PEAPv1; see eap_testing.txt for more details.
136439beb93cSSam Leffler#	'peap_outer_success=0' can be used to terminate PEAP authentication on
136539beb93cSSam Leffler#	tunneled EAP-Success. This is required with some RADIUS servers that
136639beb93cSSam Leffler#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
136739beb93cSSam Leffler#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
136839beb93cSSam Leffler#	include_tls_length=1 can be used to force wpa_supplicant to include
136939beb93cSSam Leffler#	TLS Message Length field in all TLS messages even if they are not
137039beb93cSSam Leffler#	fragmented.
137139beb93cSSam Leffler#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
137239beb93cSSam Leffler#	challenges (by default, it accepts 2 or 3)
137339beb93cSSam Leffler#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
137439beb93cSSam Leffler#	protected result indication.
137539beb93cSSam Leffler#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
137639beb93cSSam Leffler#	behavior:
137739beb93cSSam Leffler#	 * 0 = do not use cryptobinding (default)
137839beb93cSSam Leffler#	 * 1 = use cryptobinding if server supports it
137939beb93cSSam Leffler#	 * 2 = require cryptobinding
1380*a90b9d01SCy Schubert#	'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
1381*a90b9d01SCy Schubert#	tunnel) behavior for PEAP:
1382*a90b9d01SCy Schubert#	 * 0 = do not require Phase 2 authentication
1383*a90b9d01SCy Schubert#	 * 1 = require Phase 2 authentication when client certificate
1384*a90b9d01SCy Schubert#	   (private_key/client_cert) is not used and TLS session resumption was
1385*a90b9d01SCy Schubert#	   not used (default)
1386*a90b9d01SCy Schubert#	 * 2 = require Phase 2 authentication in all cases
#	   Note: with 0, a PEAP exchange can complete without the inner
#	   (Phase 2) credential ever being verified, so the connection then
#	   relies entirely on TLS server authentication (ca_cert plus
#	   domain_match/domain_suffix_match). Do not use 0 without those.
138739beb93cSSam Leffler#	EAP-WSC (WPS) uses following options: pin=<Device Password> or
138839beb93cSSam Leffler#	pbc=1.
13895b9c547cSRui Paulo#
13905b9c547cSRui Paulo#	For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
13915b9c547cSRui Paulo#	used to configure a mode that allows EAP-Success (and EAP-Failure)
13925b9c547cSRui Paulo#	without going through authentication step. Some switches use such
13935b9c547cSRui Paulo#	sequence when forcing the port to be authorized/unauthorized or as a
13945b9c547cSRui Paulo#	fallback option if the authentication server is unreachable. By default,
13955b9c547cSRui Paulo#	wpa_supplicant discards such frames to protect against potential attacks
13965b9c547cSRui Paulo#	by rogue devices, but this option can be used to disable that protection
13975b9c547cSRui Paulo#	for cases where the server/authenticator does not need to be
13985b9c547cSRui Paulo#	authenticated.
139939beb93cSSam Leffler# phase2: Phase2 (inner authentication with TLS tunnel) parameters
140039beb93cSSam Leffler#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
14015b9c547cSRui Paulo#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
14025b9c547cSRui Paulo#	used to disable MSCHAPv2 password retry in authentication failure cases.
1403f05cddf9SRui Paulo#
1404f05cddf9SRui Paulo# TLS-based methods can use the following parameters to control TLS behavior
1405f05cddf9SRui Paulo# (these are normally in the phase1 parameter, but can be used also in the
1406f05cddf9SRui Paulo# phase2 parameter when EAP-TLS is used within the inner tunnel):
1407f05cddf9SRui Paulo# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
1408f05cddf9SRui Paulo#	TLS library, these may be disabled by default to enforce stronger
1409f05cddf9SRui Paulo#	security)
1410f05cddf9SRui Paulo# tls_disable_time_checks=1 - ignore certificate validity time (this requests
1411f05cddf9SRui Paulo#	the TLS library to accept certificates even if they are not currently
1412f05cddf9SRui Paulo#	valid, i.e., have expired or have not yet become valid; this should be
1413f05cddf9SRui Paulo#	used only for testing purposes)
1414f05cddf9SRui Paulo# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
1415f05cddf9SRui Paulo# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
1416f05cddf9SRui Paulo#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
1417f05cddf9SRui Paulo#	as a workaround for broken authentication server implementations unless
1418325151a3SRui Paulo#	EAP workarounds are disabled with eap_workaround=0.
1419f05cddf9SRui Paulo#	For EAP-FAST, this must be set to 0 (or left unconfigured for the
1420f05cddf9SRui Paulo#	default value to be used automatically).
1421325151a3SRui Paulo# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
14224bc52338SCy Schubert# tls_disable_tlsv1_0=0 - explicitly enable use of TLSv1.0 (this allows
14234bc52338SCy Schubert#	systemwide TLS policies to be overridden)
14245b9c547cSRui Paulo# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
14255b9c547cSRui Paulo#	that have issues interoperating with updated TLS version)
14264bc52338SCy Schubert# tls_disable_tlsv1_1=0 - explicitly enable use of TLSv1.1 (this allows
14274bc52338SCy Schubert#	systemwide TLS policies to be overridden)
14285b9c547cSRui Paulo# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
14295b9c547cSRui Paulo#	that have issues interoperating with updated TLS version)
14304bc52338SCy Schubert# tls_disable_tlsv1_2=0 - explicitly enable use of TLSv1.2 (this allows
14314bc52338SCy Schubert#	systemwide TLS policies to be overridden)
143285732ac8SCy Schubert# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers
143385732ac8SCy Schubert#	that have issues interoperating with updated TLS version)
14344bc52338SCy Schubert# tls_disable_tlsv1_3=0 - enable TLSv1.3 (experimental - disabled by default)
1435780fb4a2SCy Schubert# tls_ext_cert_check=0 - No external server certificate validation (default)
1436780fb4a2SCy Schubert# tls_ext_cert_check=1 - External server certificate validation enabled; this
1437780fb4a2SCy Schubert#	requires an external program that validates the server certificate
1438780fb4a2SCy Schubert#	chain when receiving the CTRL-RSP-EXT_CERT_CHECK event from the control
1439780fb4a2SCy Schubert#	interface and reports the result of the validation with
1440780fb4a2SCy Schubert#	CTRL-RSP_EXT_CERT_CHECK.
144185732ac8SCy Schubert# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
144285732ac8SCy Schubert# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
144385732ac8SCy Schubert#	particular when using Suite B with RSA keys of >= 3K (3072) bits
1444*a90b9d01SCy Schubert# allow_unsafe_renegotiation=1 - allow connection with a TLS server that does
1445*a90b9d01SCy Schubert#	not support safe renegotiation (RFC 5746); please note that this
1446*a90b9d01SCy Schubert#	workaround should be used only when having to authenticate with an old
1447*a90b9d01SCy Schubert#	authentication server that cannot be updated to use a secure TLS
1448*a90b9d01SCy Schubert#	implementation.
1449f05cddf9SRui Paulo#
145039beb93cSSam Leffler# Following certificate/private key fields are used in inner Phase2
145139beb93cSSam Leffler# authentication when using EAP-TTLS or EAP-PEAP.
145239beb93cSSam Leffler# ca_cert2: File path to CA certificate file. This file can have one or more
145339beb93cSSam Leffler#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,
145439beb93cSSam Leffler#	the server certificate will not be verified. This is insecure and a
145539beb93cSSam Leffler#	trusted CA certificate should always be configured.
145639beb93cSSam Leffler# ca_path2: Directory path for CA certificate files (PEM)
145739beb93cSSam Leffler# client_cert2: File path to client certificate file
145839beb93cSSam Leffler# private_key2: File path to client private key file
145939beb93cSSam Leffler# private_key2_passwd: Password for private key file
146039beb93cSSam Leffler# dh_file2: File path to DH/DSA parameters file (in PEM format)
146139beb93cSSam Leffler# subject_match2: Substring to be matched against the subject of the
14625b9c547cSRui Paulo#	authentication server certificate. See subject_match for more details.
14635b9c547cSRui Paulo# altsubject_match2: Semicolon separated string of entries to be matched
14645b9c547cSRui Paulo#	against the alternative subject name of the authentication server
14655b9c547cSRui Paulo#	certificate. See altsubject_match documentation for more details.
14665b9c547cSRui Paulo# domain_suffix_match2: Constraint for server domain name. See
14675b9c547cSRui Paulo#	domain_suffix_match for more details.
1468c1d255d3SCy Schubert# ocsp2: See ocsp for more details.
1469c1d255d3SCy Schubert#
1470c1d255d3SCy Schubert# Separate machine credentials can be configured for EAP-TEAP Phase 2 with
1471c1d255d3SCy Schubert# "machine_" prefix (e.g., "machine_identity") in the configuration parameters.
1472c1d255d3SCy Schubert# See the parameters without that prefix for more details on the meaning and
1473c1d255d3SCy Schubert# format of each such parameter.
147439beb93cSSam Leffler#
147539beb93cSSam Leffler# fragment_size: Maximum EAP fragment size in bytes (default 1398).
147639beb93cSSam Leffler#	This value limits the fragment size for EAP methods that support
147739beb93cSSam Leffler#	fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
147839beb93cSSam Leffler#	small enough to make the EAP messages fit in the MTU of the network
147939beb93cSSam Leffler#	interface used for EAPOL. The default value is suitable for most
148039beb93cSSam Leffler#	cases.
148139beb93cSSam Leffler#
14825b9c547cSRui Paulo# ocsp: Whether to use/require OCSP to check server certificate
14835b9c547cSRui Paulo#	0 = do not use OCSP stapling (TLS certificate status extension)
14845b9c547cSRui Paulo#	1 = try to use OCSP stapling, but not require response
14855b9c547cSRui Paulo#	2 = require valid OCSP stapling response
1486780fb4a2SCy Schubert#	3 = require valid OCSP stapling response for all not-trusted
1487780fb4a2SCy Schubert#	    certificates in the server certificate chain
14885b9c547cSRui Paulo#
14895b9c547cSRui Paulo# openssl_ciphers: OpenSSL specific cipher configuration
14905b9c547cSRui Paulo#	This can be used to override the global openssl_ciphers configuration
14915b9c547cSRui Paulo#	parameter (see above).
14925b9c547cSRui Paulo#
14935b9c547cSRui Paulo# erp: Whether EAP Re-authentication Protocol (ERP) is enabled
14945b9c547cSRui Paulo#
149539beb93cSSam Leffler# EAP-FAST variables:
149639beb93cSSam Leffler# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
149739beb93cSSam Leffler#	to create this file and write updates to it when PAC is being
149839beb93cSSam Leffler#	provisioned or refreshed. Full path to the file should be used since
149939beb93cSSam Leffler#	working directory may change when wpa_supplicant is run in the
150039beb93cSSam Leffler#	background. Alternatively, a named configuration blob can be used by
150139beb93cSSam Leffler#	setting this to blob://<blob name>
150239beb93cSSam Leffler# phase1: fast_provisioning option can be used to enable in-line provisioning
150339beb93cSSam Leffler#         of EAP-FAST credentials (PAC):
150439beb93cSSam Leffler#         0 = disabled,
150539beb93cSSam Leffler#         1 = allow unauthenticated provisioning,
150639beb93cSSam Leffler#         2 = allow authenticated provisioning,
150739beb93cSSam Leffler#         3 = allow both unauthenticated and authenticated provisioning
150839beb93cSSam Leffler#	fast_max_pac_list_len=<num> option can be used to set the maximum
150939beb93cSSam Leffler#		number of PAC entries to store in a PAC list (default: 10)
151039beb93cSSam Leffler#	fast_pac_format=binary option can be used to select binary format for
151139beb93cSSam Leffler#		storing PAC entries in order to save some space (the default
151239beb93cSSam Leffler#		text format uses about 2.5 times the size of minimal binary
151339beb93cSSam Leffler#		format)
151439beb93cSSam Leffler#
151539beb93cSSam Leffler# wpa_supplicant supports a number of "EAP workarounds" to work around
151639beb93cSSam Leffler# interoperability issues with incorrectly behaving authentication servers.
151739beb93cSSam Leffler# These are enabled by default because some of the issues are present in a
151839beb93cSSam Leffler# large number of authentication servers. Strict EAP conformance mode can be
151939beb93cSSam Leffler# configured by disabling workarounds with eap_workaround=0.
152039beb93cSSam Leffler
1521780fb4a2SCy Schubert# update_identifier: PPS MO ID
1522780fb4a2SCy Schubert#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
152385732ac8SCy Schubert#
152485732ac8SCy Schubert# roaming_consortium_selection: Roaming Consortium Selection
152585732ac8SCy Schubert#	The matching Roaming Consortium OI that was used to generate this
152685732ac8SCy Schubert#	network profile.
1527780fb4a2SCy Schubert
1528f05cddf9SRui Paulo# Station inactivity limit
1529f05cddf9SRui Paulo#
1530f05cddf9SRui Paulo# If a station does not send anything in ap_max_inactivity seconds, an
1531f05cddf9SRui Paulo# empty data frame is sent to it in order to verify whether it is
1532f05cddf9SRui Paulo# still in range. If this frame is not ACKed, the station will be
1533f05cddf9SRui Paulo# disassociated and then deauthenticated. This feature is used to
1534f05cddf9SRui Paulo# clear the station table of old entries when STAs move out of
1535f05cddf9SRui Paulo# range.
1536f05cddf9SRui Paulo#
1537f05cddf9SRui Paulo# The station can associate again with the AP if it is still in range;
1538f05cddf9SRui Paulo# this inactivity poll is just used as a nicer way of verifying
1539f05cddf9SRui Paulo# inactivity; i.e., the client will not report a broken connection,
1540f05cddf9SRui Paulo# because the disassociation frame is not sent immediately but only
1541f05cddf9SRui Paulo# after first polling the STA with a data frame.
1542f05cddf9SRui Paulo# default: 300 (i.e., 5 minutes)
1543f05cddf9SRui Paulo#ap_max_inactivity=300
1544f05cddf9SRui Paulo
1545f05cddf9SRui Paulo# DTIM period in Beacon intervals for AP mode (default: 2)
1546f05cddf9SRui Paulo#dtim_period=2
1547f05cddf9SRui Paulo
15485b9c547cSRui Paulo# Beacon interval (default: 100 TU)
15495b9c547cSRui Paulo#beacon_int=100
15505b9c547cSRui Paulo
1551780fb4a2SCy Schubert# WPS in AP mode
1552780fb4a2SCy Schubert# 0 = WPS enabled and configured (default)
1553780fb4a2SCy Schubert# 1 = WPS disabled
1554780fb4a2SCy Schubert#wps_disabled=0
1555780fb4a2SCy Schubert
155685732ac8SCy Schubert# FILS DH Group
155785732ac8SCy Schubert# 0 = PFS disabled with FILS shared key authentication (default)
155885732ac8SCy Schubert# 1-65535 = DH Group to use for FILS PFS
155985732ac8SCy Schubert#fils_dh_group=0
156085732ac8SCy Schubert
1561c1d255d3SCy Schubert# DPP PFS
1562c1d255d3SCy Schubert# 0: allow PFS to be used or not used (default)
1563c1d255d3SCy Schubert# 1: require PFS to be used (note: not compatible with DPP R1)
1564c1d255d3SCy Schubert# 2: do not allow PFS to be used
1565c1d255d3SCy Schubert#dpp_pfs=0
1566c1d255d3SCy Schubert
1567*a90b9d01SCy Schubert# DPP Network introduction type
1568*a90b9d01SCy Schubert# 0: unprotected variant from DPP R1 (default)
1569*a90b9d01SCy Schubert# 1: privacy protecting (station Connector encrypted) variant from
1570*a90b9d01SCy Schubert#    DPP R3
1571*a90b9d01SCy Schubert#dpp_connector_privacy=0
1572*a90b9d01SCy Schubert
1573c1d255d3SCy Schubert# Whether beacon protection is enabled
1574c1d255d3SCy Schubert# This depends on management frame protection (ieee80211w) being enabled and
1575c1d255d3SCy Schubert# beacon protection support indication from the driver.
1576c1d255d3SCy Schubert# 0 = disabled (default)
1577c1d255d3SCy Schubert# 1 = enabled
1578c1d255d3SCy Schubert#beacon_prot=0
1579c1d255d3SCy Schubert
1580c1d255d3SCy Schubert# OWE DH Group
1581c1d255d3SCy Schubert# 0: use default (19) first and then try all supported groups one by one if AP
1582c1d255d3SCy Schubert#   rejects the selected group
1583c1d255d3SCy Schubert# 1-65535: DH Group to use for OWE
1584c1d255d3SCy Schubert# Groups 19 (NIST P-256), 20 (NIST P-384), and 21 (NIST P-521) are
1585c1d255d3SCy Schubert# currently supported.
1586c1d255d3SCy Schubert#owe_group=0
1587c1d255d3SCy Schubert
1588c1d255d3SCy Schubert# OWE-only mode (disable transition mode)
1589c1d255d3SCy Schubert# 0: enable transition mode (allow connection to either OWE or open BSS)
1590c1d255d3SCy Schubert# 1: disable transition mode (allow connection only with OWE)
1591c1d255d3SCy Schubert#owe_only=0
1592c1d255d3SCy Schubert
1593c1d255d3SCy Schubert# OWE PTK derivation workaround
1594c1d255d3SCy Schubert# Initial OWE implementation used SHA256 when deriving the PTK for all
1595c1d255d3SCy Schubert# OWE groups. This was supposed to change to SHA384 for group 20 and
1596c1d255d3SCy Schubert# SHA512 for group 21. This parameter can be used to enable older
1597c1d255d3SCy Schubert# behavior mainly for testing purposes. There is no impact on group 19
1598c1d255d3SCy Schubert# behavior, but if enabled, this will make group 20 and 21 cases use
1599c1d255d3SCy Schubert# SHA256-based PTK derivation which will not work with the updated
1600c1d255d3SCy Schubert# OWE implementation on the AP side.
1601c1d255d3SCy Schubert#owe_ptk_workaround=0
1602c1d255d3SCy Schubert
1603c1d255d3SCy Schubert# Transition Disable indication
1604c1d255d3SCy Schubert# The AP can notify authenticated stations to disable transition mode
1605c1d255d3SCy Schubert# in their network profiles when the network has completed transition
1606c1d255d3SCy Schubert# steps, i.e., once a sufficiently large number of APs in the ESS have
1607c1d255d3SCy Schubert# been updated to support the more secure alternative. When this
1608c1d255d3SCy Schubert# indication is used, the stations are expected to automatically
1609c1d255d3SCy Schubert# disable transition mode and less secure security options. This
1610c1d255d3SCy Schubert# includes use of WEP, TKIP (including use of TKIP as the group
1611c1d255d3SCy Schubert# cipher), and connections without PMF.
1612c1d255d3SCy Schubert# Bitmap bits:
1613c1d255d3SCy Schubert# bit 0 (0x01): WPA3-Personal (i.e., disable WPA2-Personal = WPA-PSK
1614c1d255d3SCy Schubert#	and only allow SAE to be used)
1615c1d255d3SCy Schubert# bit 1 (0x02): SAE-PK (disable SAE without use of SAE-PK)
1616c1d255d3SCy Schubert# bit 2 (0x04): WPA3-Enterprise (move to requiring PMF)
1617c1d255d3SCy Schubert# bit 3 (0x08): Enhanced Open (disable use of open network; require
1618c1d255d3SCy Schubert#	OWE)
1619c1d255d3SCy Schubert
1620c1d255d3SCy Schubert# SAE-PK mode
1621c1d255d3SCy Schubert# 0: automatic SAE/SAE-PK selection based on password; enable
1622c1d255d3SCy Schubert#    transition mode (allow SAE authentication without SAE-PK)
1623c1d255d3SCy Schubert# 1: SAE-PK only (disable transition mode; allow SAE authentication
1624c1d255d3SCy Schubert#    only with SAE-PK)
1625c1d255d3SCy Schubert# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
1626c1d255d3SCy Schubert#sae_pk=0
1627c1d255d3SCy Schubert
16285b9c547cSRui Paulo# MAC address policy
16295b9c547cSRui Paulo# 0 = use permanent MAC address
16305b9c547cSRui Paulo# 1 = use random MAC address for each ESS connection
16315b9c547cSRui Paulo# 2 = like 1, but maintain OUI (with local admin bit set)
16325b9c547cSRui Paulo#mac_addr=0
16335b9c547cSRui Paulo
1634f05cddf9SRui Paulo# disable_ht: Whether HT (802.11n) should be disabled.
1635f05cddf9SRui Paulo# 0 = HT enabled (if AP supports it)
1636f05cddf9SRui Paulo# 1 = HT disabled
1637f05cddf9SRui Paulo#
1638f05cddf9SRui Paulo# disable_ht40: Whether HT-40 (802.11n) should be disabled.
1639f05cddf9SRui Paulo# 0 = HT-40 enabled (if AP supports it)
1640f05cddf9SRui Paulo# 1 = HT-40 disabled
1641f05cddf9SRui Paulo#
1642f05cddf9SRui Paulo# disable_sgi: Whether SGI (short guard interval) should be disabled.
1643f05cddf9SRui Paulo# 0 = SGI enabled (if AP supports it)
1644f05cddf9SRui Paulo# 1 = SGI disabled
1645f05cddf9SRui Paulo#
16465b9c547cSRui Paulo# disable_ldpc: Whether LDPC should be disabled.
16475b9c547cSRui Paulo# 0 = LDPC enabled (if AP supports it)
16485b9c547cSRui Paulo# 1 = LDPC disabled
16495b9c547cSRui Paulo#
16505b9c547cSRui Paulo# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
16515b9c547cSRui Paulo# 0 = 40 MHz tolerant (default)
16525b9c547cSRui Paulo# 1 = 40 MHz intolerant
16535b9c547cSRui Paulo#
1654f05cddf9SRui Paulo# ht_mcs:  Configure allowed MCS rates.
1655f05cddf9SRui Paulo#  Parsed as an array of bytes, in base-16 (ascii-hex)
1656f05cddf9SRui Paulo# ht_mcs=""                                   // Use all available (default)
1657f05cddf9SRui Paulo# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "   // Use MCS 0-7 only
1658f05cddf9SRui Paulo# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "   // Use MCS 0-15 only
1659f05cddf9SRui Paulo#
1660f05cddf9SRui Paulo# disable_max_amsdu:  Whether MAX_AMSDU should be disabled.
1661f05cddf9SRui Paulo# -1 = Do not make any changes.
1662f05cddf9SRui Paulo# 0  = Enable MAX-AMSDU if hardware supports it.
1663f05cddf9SRui Paulo# 1  = Disable AMSDU
1664f05cddf9SRui Paulo#
16655b9c547cSRui Paulo# ampdu_factor: Maximum A-MPDU Length Exponent
16665b9c547cSRui Paulo# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
16675b9c547cSRui Paulo#
1668f05cddf9SRui Paulo# ampdu_density:  Allow overriding AMPDU density configuration.
1669f05cddf9SRui Paulo#  Treated as a hint by the kernel.
1670f05cddf9SRui Paulo# -1 = Do not make any changes.
1671f05cddf9SRui Paulo# 0-3 = Set AMPDU density (aka factor) to specified value.
16724bc52338SCy Schubert#
16734bc52338SCy Schubert# tx_stbc: Allow overriding STBC support for TX streams
16744bc52338SCy Schubert# Value: 0-1, see IEEE Std 802.11-2016, 9.4.2.56.2.
16754bc52338SCy Schubert# -1 = Do not make any changes (default)
16764bc52338SCy Schubert# 0 = Set if not supported
16774bc52338SCy Schubert# 1 = Set if supported
16784bc52338SCy Schubert#
16794bc52338SCy Schubert# rx_stbc: Allow overriding STBC support for RX streams
16804bc52338SCy Schubert# Value: 0-3, see IEEE Std 802.11-2016, 9.4.2.56.2.
16814bc52338SCy Schubert# -1 = Do not make any changes (default)
16824bc52338SCy Schubert# 0 = Set if not supported
16834bc52338SCy Schubert# 1 = Set for support of one spatial stream
16844bc52338SCy Schubert# 2 = Set for support of one and two spatial streams
16854bc52338SCy Schubert# 3 = Set for support of one, two and three spatial streams
1686f05cddf9SRui Paulo
16875b9c547cSRui Paulo# disable_vht: Whether VHT should be disabled.
16885b9c547cSRui Paulo# 0 = VHT enabled (if AP supports it)
16895b9c547cSRui Paulo# 1 = VHT disabled
16905b9c547cSRui Paulo#
16915b9c547cSRui Paulo# vht_capa: VHT capabilities to set in the override
16925b9c547cSRui Paulo# vht_capa_mask: mask of VHT capabilities
16935b9c547cSRui Paulo#
16945b9c547cSRui Paulo# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
16955b9c547cSRui Paulo# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
16965b9c547cSRui Paulo#  0: MCS 0-7
16975b9c547cSRui Paulo#  1: MCS 0-8
16985b9c547cSRui Paulo#  2: MCS 0-9
16995b9c547cSRui Paulo#  3: not supported
17005b9c547cSRui Paulo
1701*a90b9d01SCy Schubert# disable_eht: Whether EHT should be disabled.
1702*a90b9d01SCy Schubert# 0 = EHT enabled (if supported) (default)
1703*a90b9d01SCy Schubert# 1 = EHT disabled
1704*a90b9d01SCy Schubert
17054bc52338SCy Schubert# multi_ap_backhaul_sta: Multi-AP backhaul STA functionality
17064bc52338SCy Schubert# 0 = normal STA (default)
17074bc52338SCy Schubert# 1 = backhaul STA
17084bc52338SCy Schubert# A backhaul STA sends the Multi-AP IE, fails to associate if the AP does not
17094bc52338SCy Schubert# support Multi-AP, and sets 4-address mode if it does. Thus, the netdev can be
17104bc52338SCy Schubert# added to a bridge to allow forwarding frames over this backhaul link.
17114bc52338SCy Schubert
1712*a90b9d01SCy Schubert# Multi-AP Profile
1713*a90b9d01SCy Schubert# Indicate the supported Multi-AP profile
1714*a90b9d01SCy Schubert# 1 = Supports Multi-AP profile 1 as defined in Wi-Fi EasyMesh specification
1715*a90b9d01SCy Schubert# 2 = Supports Multi-AP profile 2 as defined in Wi-Fi EasyMesh specification
1716*a90b9d01SCy Schubert#multi_ap_profile=2
1717*a90b9d01SCy Schubert
1718325151a3SRui Paulo##### Fast Session Transfer (FST) support #####################################
1719325151a3SRui Paulo#
1720325151a3SRui Paulo# The options in this section are only available when the build configuration
1721780fb4a2SCy Schubert# option CONFIG_FST is set while compiling wpa_supplicant. They allow this
1722780fb4a2SCy Schubert# interface to be a part of FST setup.
1723325151a3SRui Paulo#
1724325151a3SRui Paulo# FST is the transfer of a session from a channel to another channel, in the
1725325151a3SRui Paulo# same or different frequency bands.
1726325151a3SRui Paulo#
1727780fb4a2SCy Schubert# For details, see IEEE Std 802.11ad-2012.
1728325151a3SRui Paulo
1729325151a3SRui Paulo# Identifier of the FST Group the interface belongs to.
1730325151a3SRui Paulo#fst_group_id=bond0
1731325151a3SRui Paulo
1732325151a3SRui Paulo# Interface priority within the FST Group.
1733325151a3SRui Paulo# Announcing a higher priority for an interface means declaring it more
1734325151a3SRui Paulo# preferable for FST switch.
1735325151a3SRui Paulo# fst_priority is in 1..255 range with 1 being the lowest priority.
1736325151a3SRui Paulo#fst_priority=100
1737325151a3SRui Paulo
1738325151a3SRui Paulo# Default LLT value for this interface in milliseconds. This value is used when
1739325151a3SRui Paulo# no value is provided during session setup. Default is 50 msec.
1740325151a3SRui Paulo# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
1741325151a3SRui Paulo# Transitioning between states).
1742325151a3SRui Paulo#fst_llt=100
1743325151a3SRui Paulo
1744206b73d0SCy Schubert# BSS Transition Management
1745206b73d0SCy Schubert# disable_btm - Disable BSS transition management in STA
1746206b73d0SCy Schubert# Set to 0 to enable BSS transition management (default behavior)
1747206b73d0SCy Schubert# Set to 1 to disable BSS transition management
1748206b73d0SCy Schubert#disable_btm=0
1749206b73d0SCy Schubert
1750c1d255d3SCy Schubert# Enable EDMG capability in STA/AP mode, default value is false
1751c1d255d3SCy Schubert#enable_edmg=1
1752c1d255d3SCy Schubert
1753c1d255d3SCy Schubert# This value is used to configure the channel bonding feature.
1754c1d255d3SCy Schubert# Default value is 0.
1755c1d255d3SCy Schubert# Relevant only if enable_edmg is true
1756c1d255d3SCy Schubert# In AP mode it defines the EDMG channel to use for AP operation.
1757c1d255d3SCy Schubert# In STA mode it defines the EDMG channel for connection (if supported by AP).
1758c1d255d3SCy Schubert#edmg_channel=9
1759c1d255d3SCy Schubert
1760*a90b9d01SCy Schubert# BSS max idle period to request
1761*a90b9d01SCy Schubert# If nonzero, request the specified number of 1000 TU (i.e., 1.024 s) units
1762*a90b9d01SCy Schubert# as the maximum idle period for the STA during association.
1763*a90b9d01SCy Schubert#max_idle=600
1764*a90b9d01SCy Schubert
176539beb93cSSam Leffler# Example blocks:
176639beb93cSSam Leffler
176739beb93cSSam Leffler# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
176839beb93cSSam Lefflernetwork={
176939beb93cSSam Leffler	ssid="simple"
177039beb93cSSam Leffler	psk="very secret passphrase"
177139beb93cSSam Leffler	priority=5
177239beb93cSSam Leffler}
177339beb93cSSam Leffler
177439beb93cSSam Leffler# Same as previous, but request SSID-specific scanning (for APs that reject
177539beb93cSSam Leffler# broadcast SSID)
177639beb93cSSam Lefflernetwork={
177739beb93cSSam Leffler	ssid="second ssid"
177839beb93cSSam Leffler	scan_ssid=1
177939beb93cSSam Leffler	psk="very secret passphrase"
178039beb93cSSam Leffler	priority=2
178139beb93cSSam Leffler}
178239beb93cSSam Leffler
178339beb93cSSam Leffler# Only WPA-PSK is used. Any valid cipher combination is accepted.
178439beb93cSSam Lefflernetwork={
178539beb93cSSam Leffler	ssid="example"
178639beb93cSSam Leffler	proto=WPA
178739beb93cSSam Leffler	key_mgmt=WPA-PSK
178839beb93cSSam Leffler	pairwise=CCMP TKIP
178939beb93cSSam Leffler	group=CCMP TKIP WEP104 WEP40
179039beb93cSSam Leffler	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
179139beb93cSSam Leffler	priority=2
179239beb93cSSam Leffler}
179339beb93cSSam Leffler
179439beb93cSSam Leffler# WPA-Personal (PSK) with TKIP (a less secure, legacy cipher) and enforcement of frequent PTK rekeying
179539beb93cSSam Lefflernetwork={
179639beb93cSSam Leffler	ssid="example"
179739beb93cSSam Leffler	proto=WPA
179839beb93cSSam Leffler	key_mgmt=WPA-PSK
179939beb93cSSam Leffler	pairwise=TKIP
180039beb93cSSam Leffler	group=TKIP
180139beb93cSSam Leffler	psk="not so secure passphrase"
180239beb93cSSam Leffler	wpa_ptk_rekey=600
180339beb93cSSam Leffler}
180439beb93cSSam Leffler
180539beb93cSSam Leffler# Only WPA-EAP is used. Both CCMP and TKIP are accepted. An AP that uses WEP104
180639beb93cSSam Leffler# or WEP40 as the group cipher will not be accepted.
180739beb93cSSam Lefflernetwork={
180839beb93cSSam Leffler	ssid="example"
180939beb93cSSam Leffler	proto=RSN
181039beb93cSSam Leffler	key_mgmt=WPA-EAP
181139beb93cSSam Leffler	pairwise=CCMP TKIP
181239beb93cSSam Leffler	group=CCMP TKIP
181339beb93cSSam Leffler	eap=TLS
181439beb93cSSam Leffler	identity="user@example.com"
181539beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
181639beb93cSSam Leffler	client_cert="/etc/cert/user.pem"
181739beb93cSSam Leffler	private_key="/etc/cert/user.prv"
181839beb93cSSam Leffler	private_key_passwd="password"
181939beb93cSSam Leffler	priority=1
182039beb93cSSam Leffler}
182139beb93cSSam Leffler
182239beb93cSSam Leffler# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
182339beb93cSSam Leffler# (e.g., Radiator)
182439beb93cSSam Lefflernetwork={
182539beb93cSSam Leffler	ssid="example"
182639beb93cSSam Leffler	key_mgmt=WPA-EAP
182739beb93cSSam Leffler	eap=PEAP
182839beb93cSSam Leffler	identity="user@example.com"
182939beb93cSSam Leffler	password="foobar"
183039beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
183139beb93cSSam Leffler	phase1="peaplabel=1"
183239beb93cSSam Leffler	phase2="auth=MSCHAPV2"
183339beb93cSSam Leffler	priority=10
183439beb93cSSam Leffler}
183539beb93cSSam Leffler
183639beb93cSSam Leffler# EAP-TTLS/EAP-MD5-Challenge configuration with an anonymous identity for the
183739beb93cSSam Leffler# unencrypted outer exchange. The real identity is sent only within an encrypted TLS tunnel.
183839beb93cSSam Lefflernetwork={
183939beb93cSSam Leffler	ssid="example"
184039beb93cSSam Leffler	key_mgmt=WPA-EAP
184139beb93cSSam Leffler	eap=TTLS
184239beb93cSSam Leffler	identity="user@example.com"
184339beb93cSSam Leffler	anonymous_identity="anonymous@example.com"
184439beb93cSSam Leffler	password="foobar"
184539beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
184639beb93cSSam Leffler	priority=2
184739beb93cSSam Leffler}
184839beb93cSSam Leffler
184939beb93cSSam Leffler# EAP-TTLS/MSCHAPv2 configuration with an anonymous identity for the unencrypted
185039beb93cSSam Leffler# outer exchange. The real identity is sent only within an encrypted TLS tunnel.
185139beb93cSSam Lefflernetwork={
185239beb93cSSam Leffler	ssid="example"
185339beb93cSSam Leffler	key_mgmt=WPA-EAP
185439beb93cSSam Leffler	eap=TTLS
185539beb93cSSam Leffler	identity="user@example.com"
185639beb93cSSam Leffler	anonymous_identity="anonymous@example.com"
185739beb93cSSam Leffler	password="foobar"
185839beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
185939beb93cSSam Leffler	phase2="auth=MSCHAPV2"
186039beb93cSSam Leffler}
186139beb93cSSam Leffler
186239beb93cSSam Leffler# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
186339beb93cSSam Leffler# authentication.
186439beb93cSSam Lefflernetwork={
186539beb93cSSam Leffler	ssid="example"
186639beb93cSSam Leffler	key_mgmt=WPA-EAP
186739beb93cSSam Leffler	eap=TTLS
186839beb93cSSam Leffler	# Phase1 / outer authentication
186939beb93cSSam Leffler	anonymous_identity="anonymous@example.com"
187039beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
187139beb93cSSam Leffler	# Phase 2 / inner authentication
187239beb93cSSam Leffler	phase2="autheap=TLS"
187339beb93cSSam Leffler	ca_cert2="/etc/cert/ca2.pem"
187439beb93cSSam Leffler	client_cert2="/etc/cert/user.pem"
187539beb93cSSam Leffler	private_key2="/etc/cert/user.prv"
187639beb93cSSam Leffler	private_key2_passwd="password"
187739beb93cSSam Leffler	priority=2
187839beb93cSSam Leffler}
187939beb93cSSam Leffler
188039beb93cSSam Leffler# Both WPA-PSK and WPA-EAP are accepted. Only CCMP is accepted as pairwise and
188139beb93cSSam Leffler# group cipher.
188239beb93cSSam Lefflernetwork={
188339beb93cSSam Leffler	ssid="example"
188439beb93cSSam Leffler	bssid=00:11:22:33:44:55
188539beb93cSSam Leffler	proto=WPA RSN
188639beb93cSSam Leffler	key_mgmt=WPA-PSK WPA-EAP
188739beb93cSSam Leffler	pairwise=CCMP
188839beb93cSSam Leffler	group=CCMP
188939beb93cSSam Leffler	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
189039beb93cSSam Leffler}
189139beb93cSSam Leffler
189239beb93cSSam Leffler# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
189339beb93cSSam Leffler# and all valid ciphers.
189439beb93cSSam Lefflernetwork={
189539beb93cSSam Leffler	ssid=00010203
189639beb93cSSam Leffler	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
189739beb93cSSam Leffler}
189839beb93cSSam Leffler
189939beb93cSSam Leffler
190039beb93cSSam Leffler# EAP-SIM with a GSM SIM or USIM
190139beb93cSSam Lefflernetwork={
190239beb93cSSam Leffler	ssid="eap-sim-test"
190339beb93cSSam Leffler	key_mgmt=WPA-EAP
190439beb93cSSam Leffler	eap=SIM
190539beb93cSSam Leffler	pin="1234"
190639beb93cSSam Leffler	pcsc=""
190739beb93cSSam Leffler}
190839beb93cSSam Leffler
190939beb93cSSam Leffler
191039beb93cSSam Leffler# EAP-PSK
191139beb93cSSam Lefflernetwork={
191239beb93cSSam Leffler	ssid="eap-psk-test"
191339beb93cSSam Leffler	key_mgmt=WPA-EAP
191439beb93cSSam Leffler	eap=PSK
191539beb93cSSam Leffler	anonymous_identity="eap_psk_user"
191639beb93cSSam Leffler	password=06b4be19da289f475aa46a33cb793029
191739beb93cSSam Leffler	identity="eap_psk_user@example.com"
191839beb93cSSam Leffler}
191939beb93cSSam Leffler
192039beb93cSSam Leffler
192139beb93cSSam Leffler# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
192239beb93cSSam Leffler# EAP-TLS for authentication and key generation; require both unicast and
192339beb93cSSam Leffler# broadcast WEP keys.
192439beb93cSSam Lefflernetwork={
192539beb93cSSam Leffler	ssid="1x-test"
192639beb93cSSam Leffler	key_mgmt=IEEE8021X
192739beb93cSSam Leffler	eap=TLS
192839beb93cSSam Leffler	identity="user@example.com"
192939beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
193039beb93cSSam Leffler	client_cert="/etc/cert/user.pem"
193139beb93cSSam Leffler	private_key="/etc/cert/user.prv"
193239beb93cSSam Leffler	private_key_passwd="password"
193339beb93cSSam Leffler	eapol_flags=3
193439beb93cSSam Leffler}
193539beb93cSSam Leffler
193639beb93cSSam Leffler
193739beb93cSSam Leffler# LEAP with dynamic WEP keys
193839beb93cSSam Lefflernetwork={
193939beb93cSSam Leffler	ssid="leap-example"
194039beb93cSSam Leffler	key_mgmt=IEEE8021X
194139beb93cSSam Leffler	eap=LEAP
194239beb93cSSam Leffler	identity="user"
194339beb93cSSam Leffler	password="foobar"
194439beb93cSSam Leffler}
194539beb93cSSam Leffler
194639beb93cSSam Leffler# EAP-IKEv2 using shared secrets for both server and peer authentication
194739beb93cSSam Lefflernetwork={
194839beb93cSSam Leffler	ssid="ikev2-example"
194939beb93cSSam Leffler	key_mgmt=WPA-EAP
195039beb93cSSam Leffler	eap=IKEV2
195139beb93cSSam Leffler	identity="user"
195239beb93cSSam Leffler	password="foobar"
195339beb93cSSam Leffler}
195439beb93cSSam Leffler
195539beb93cSSam Leffler# EAP-FAST with WPA (WPA or WPA2)
195639beb93cSSam Lefflernetwork={
195739beb93cSSam Leffler	ssid="eap-fast-test"
195839beb93cSSam Leffler	key_mgmt=WPA-EAP
195939beb93cSSam Leffler	eap=FAST
196039beb93cSSam Leffler	anonymous_identity="FAST-000102030405"
196139beb93cSSam Leffler	identity="username"
196239beb93cSSam Leffler	password="password"
196339beb93cSSam Leffler	phase1="fast_provisioning=1"
196439beb93cSSam Leffler	pac_file="/etc/wpa_supplicant.eap-fast-pac"
196539beb93cSSam Leffler}
196639beb93cSSam Leffler
196739beb93cSSam Lefflernetwork={
196839beb93cSSam Leffler	ssid="eap-fast-test"
196939beb93cSSam Leffler	key_mgmt=WPA-EAP
197039beb93cSSam Leffler	eap=FAST
197139beb93cSSam Leffler	anonymous_identity="FAST-000102030405"
197239beb93cSSam Leffler	identity="username"
197339beb93cSSam Leffler	password="password"
197439beb93cSSam Leffler	phase1="fast_provisioning=1"
197539beb93cSSam Leffler	pac_file="blob://eap-fast-pac"
197639beb93cSSam Leffler}
197739beb93cSSam Leffler
197839beb93cSSam Leffler# Plaintext connection (no WPA, no IEEE 802.1X)
197939beb93cSSam Lefflernetwork={
198039beb93cSSam Leffler	ssid="plaintext-test"
198139beb93cSSam Leffler	key_mgmt=NONE
198239beb93cSSam Leffler}
198339beb93cSSam Leffler
198439beb93cSSam Leffler
198539beb93cSSam Leffler# Shared (static) WEP key connection (no WPA, no IEEE 802.1X); WEP is a legacy cipher kept here as an example only
198639beb93cSSam Lefflernetwork={
198739beb93cSSam Leffler	ssid="static-wep-test"
198839beb93cSSam Leffler	key_mgmt=NONE
198939beb93cSSam Leffler	wep_key0="abcde"
199039beb93cSSam Leffler	wep_key1=0102030405
199139beb93cSSam Leffler	wep_key2="1234567890123"
199239beb93cSSam Leffler	wep_tx_keyidx=0
199339beb93cSSam Leffler	priority=5
199439beb93cSSam Leffler}
199539beb93cSSam Leffler
199639beb93cSSam Leffler
199739beb93cSSam Leffler# Shared (static) WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
199839beb93cSSam Leffler# IEEE 802.11 authentication (legacy example only)
199939beb93cSSam Lefflernetwork={
200039beb93cSSam Leffler	ssid="static-wep-test2"
200139beb93cSSam Leffler	key_mgmt=NONE
200239beb93cSSam Leffler	wep_key0="abcde"
200339beb93cSSam Leffler	wep_key1=0102030405
200439beb93cSSam Leffler	wep_key2="1234567890123"
200539beb93cSSam Leffler	wep_tx_keyidx=0
200639beb93cSSam Leffler	priority=5
200739beb93cSSam Leffler	auth_alg=SHARED
200839beb93cSSam Leffler}
200939beb93cSSam Leffler
201039beb93cSSam Leffler
20115b9c547cSRui Paulo# IBSS/ad-hoc network with RSN
20125b9c547cSRui Paulonetwork={
20135b9c547cSRui Paulo	ssid="ibss-rsn"
20145b9c547cSRui Paulo	key_mgmt=WPA-PSK
20155b9c547cSRui Paulo	proto=RSN
20165b9c547cSRui Paulo	psk="12345678"
20175b9c547cSRui Paulo	mode=1
20185b9c547cSRui Paulo	frequency=2412
20195b9c547cSRui Paulo	pairwise=CCMP
20205b9c547cSRui Paulo	group=CCMP
20215b9c547cSRui Paulo}
20225b9c547cSRui Paulo
20235b9c547cSRui Paulo# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
202439beb93cSSam Lefflernetwork={
202539beb93cSSam Leffler	ssid="test adhoc"
202639beb93cSSam Leffler	mode=1
202739beb93cSSam Leffler	frequency=2412
202839beb93cSSam Leffler	proto=WPA
202939beb93cSSam Leffler	key_mgmt=WPA-NONE
203039beb93cSSam Leffler	pairwise=NONE
203139beb93cSSam Leffler	group=TKIP
203239beb93cSSam Leffler	psk="secret passphrase"
203339beb93cSSam Leffler}
203439beb93cSSam Leffler
20355b9c547cSRui Paulo# open mesh network
20365b9c547cSRui Paulonetwork={
20375b9c547cSRui Paulo	ssid="test mesh"
20385b9c547cSRui Paulo	mode=5
20395b9c547cSRui Paulo	frequency=2437
20405b9c547cSRui Paulo	key_mgmt=NONE
20415b9c547cSRui Paulo}
20425b9c547cSRui Paulo
20435b9c547cSRui Paulo# secure mesh network (SAE authentication + AMPE)
20445b9c547cSRui Paulonetwork={
20455b9c547cSRui Paulo	ssid="secure mesh"
20465b9c547cSRui Paulo	mode=5
20475b9c547cSRui Paulo	frequency=2437
20485b9c547cSRui Paulo	key_mgmt=SAE
20495b9c547cSRui Paulo	psk="very secret passphrase"
20505b9c547cSRui Paulo}
20515b9c547cSRui Paulo
205239beb93cSSam Leffler
205339beb93cSSam Leffler# Catch-all example that allows more or less all configuration modes
205439beb93cSSam Lefflernetwork={
205539beb93cSSam Leffler	ssid="example"
205639beb93cSSam Leffler	scan_ssid=1
205739beb93cSSam Leffler	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
205839beb93cSSam Leffler	pairwise=CCMP TKIP
205939beb93cSSam Leffler	group=CCMP TKIP WEP104 WEP40
206039beb93cSSam Leffler	psk="very secret passphrase"
206139beb93cSSam Leffler	eap=TTLS PEAP TLS
206239beb93cSSam Leffler	identity="user@example.com"
206339beb93cSSam Leffler	password="foobar"
206439beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
206539beb93cSSam Leffler	client_cert="/etc/cert/user.pem"
206639beb93cSSam Leffler	private_key="/etc/cert/user.prv"
206739beb93cSSam Leffler	private_key_passwd="password"
206839beb93cSSam Leffler	phase1="peaplabel=0"
206939beb93cSSam Leffler}
207039beb93cSSam Leffler
207139beb93cSSam Leffler# Example of EAP-TLS with a smartcard (OpenSSL engine, certificate/key addressed by PKCS#11 URI)
207239beb93cSSam Lefflernetwork={
207339beb93cSSam Leffler	ssid="example"
207439beb93cSSam Leffler	key_mgmt=WPA-EAP
207539beb93cSSam Leffler	eap=TLS
207639beb93cSSam Leffler	proto=RSN
207739beb93cSSam Leffler	pairwise=CCMP TKIP
207839beb93cSSam Leffler	group=CCMP TKIP
207939beb93cSSam Leffler	identity="user@example.com"
208039beb93cSSam Leffler	ca_cert="/etc/cert/ca.pem"
208139beb93cSSam Leffler
2082780fb4a2SCy Schubert	# Certificate and/or key identified by PKCS#11 URI (RFC7512)
2083780fb4a2SCy Schubert	client_cert="pkcs11:manufacturer=piv_II;id=%01"
2084780fb4a2SCy Schubert	private_key="pkcs11:manufacturer=piv_II;id=%01"
208539beb93cSSam Leffler
208639beb93cSSam Leffler	# Optional PIN configuration; this can be left out, in which case the PIN
208739beb93cSSam Leffler	# will be requested through the control interface
208839beb93cSSam Leffler	pin="1234"
208939beb93cSSam Leffler}
209039beb93cSSam Leffler
209139beb93cSSam Leffler# Example configuration showing how to use an inlined blob as the CA certificate
209239beb93cSSam Leffler# data instead of an external file
209339beb93cSSam Lefflernetwork={
209439beb93cSSam Leffler	ssid="example"
209539beb93cSSam Leffler	key_mgmt=WPA-EAP
209639beb93cSSam Leffler	eap=TTLS
209739beb93cSSam Leffler	identity="user@example.com"
209839beb93cSSam Leffler	anonymous_identity="anonymous@example.com"
209939beb93cSSam Leffler	password="foobar"
210039beb93cSSam Leffler	ca_cert="blob://exampleblob"
210139beb93cSSam Leffler	priority=20
210239beb93cSSam Leffler}
210339beb93cSSam Leffler
210439beb93cSSam Lefflerblob-base64-exampleblob={
210539beb93cSSam LefflerSGVsbG8gV29ybGQhCg==
210639beb93cSSam Leffler}
210739beb93cSSam Leffler
210839beb93cSSam Leffler
210939beb93cSSam Leffler# Wildcard match for SSID (plaintext APs only). This example selects any
211039beb93cSSam Leffler# open AP regardless of its SSID.
211139beb93cSSam Lefflernetwork={
211239beb93cSSam Leffler	key_mgmt=NONE
211339beb93cSSam Leffler}
21145b9c547cSRui Paulo
2115c1d255d3SCy Schubert# Example configuration ignoring two APs; the listed BSSIDs will not be
21165b9c547cSRui Paulo# selected for this network.
21175b9c547cSRui Paulonetwork={
21185b9c547cSRui Paulo	ssid="example"
21195b9c547cSRui Paulo	psk="very secret passphrase"
2120c1d255d3SCy Schubert	bssid_ignore=02:11:22:33:44:55 02:22:aa:44:55:66
21215b9c547cSRui Paulo}
21225b9c547cSRui Paulo
21235b9c547cSRui Paulo# Example configuration limiting AP selection to a specific set of APs;
21245b9c547cSRui Paulo# any other AP not matching the masked address will be ignored.
21255b9c547cSRui Paulonetwork={
21265b9c547cSRui Paulo	ssid="example"
21275b9c547cSRui Paulo	psk="very secret passphrase"
2128c1d255d3SCy Schubert	bssid_accept=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
21295b9c547cSRui Paulo}
21305b9c547cSRui Paulo
21315b9c547cSRui Paulo# Example config file that will only scan on channel 36 (freq_list is a global option, set outside the network block).
21325b9c547cSRui Paulofreq_list=5180
21335b9c547cSRui Paulonetwork={
21345b9c547cSRui Paulo	key_mgmt=NONE
21355b9c547cSRui Paulo}
21365b9c547cSRui Paulo
21375b9c547cSRui Paulo
213885732ac8SCy Schubert# Example configuration using EAP-TTLS for authentication and key
213985732ac8SCy Schubert# generation for MACsec
214085732ac8SCy Schubertnetwork={
214185732ac8SCy Schubert	key_mgmt=IEEE8021X
214285732ac8SCy Schubert	eap=TTLS
214385732ac8SCy Schubert	phase2="auth=PAP"
214485732ac8SCy Schubert	anonymous_identity="anonymous@example.com"
214585732ac8SCy Schubert	identity="user@example.com"
214685732ac8SCy Schubert	password="secretr"
214785732ac8SCy Schubert	ca_cert="/etc/cert/ca.pem"
214885732ac8SCy Schubert	eapol_flags=0
214985732ac8SCy Schubert	macsec_policy=1
215085732ac8SCy Schubert}
215185732ac8SCy Schubert
215285732ac8SCy Schubert# Example configuration for MACsec with preshared key
215385732ac8SCy Schubertnetwork={
215485732ac8SCy Schubert	key_mgmt=NONE
215585732ac8SCy Schubert	eapol_flags=0
215685732ac8SCy Schubert	macsec_policy=1
215785732ac8SCy Schubert	mka_cak=0123456789ABCDEF0123456789ABCDEF
215885732ac8SCy Schubert	mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
215985732ac8SCy Schubert	mka_priority=128
216085732ac8SCy Schubert}
2161