1##### Example wpa_supplicant configuration file ############################### 2# 3# ***** Please check wpa_supplicant.conf(5) for details on these options ***** 4# 5# This file describes configuration file format and lists all available option. 6# Please also take a look at simpler configuration examples in 'examples' 7# subdirectory. 8# 9# Empty lines and lines starting with # are ignored 10 11# NOTE! This file may contain password information and should probably be made 12# readable only by root user on multiuser systems. 13 14# Note: All file paths in this configuration file should use full (absolute, 15# not relative to working directory) path in order to allow working directory 16# to be changed. This can happen if wpa_supplicant is run in the background. 17 18# Whether to allow wpa_supplicant to update (overwrite) configuration 19# 20# This option can be used to allow wpa_supplicant to overwrite configuration 21# file whenever configuration is changed (e.g., new network block is added with 22# wpa_cli or wpa_gui, or a password is changed). This is required for 23# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 24# Please note that overwriting configuration file will remove the comments from 25# it. 26#update_config=1 27 28# global configuration (shared by all network blocks) 29# 30# Parameters for the control interface. If this is specified, wpa_supplicant 31# will open a control interface that is available for external programs to 32# manage wpa_supplicant. The meaning of this string depends on which control 33# interface mechanism is used. For all cases, the existence of this parameter 34# in configuration is used to determine whether the control interface is 35# enabled. 36# 37# For UNIX domain sockets (default on Linux and BSD): This is a directory that 38# will be created for UNIX domain sockets for listening to requests from 39# external programs (CLI/GUI, etc.) for status information and configuration. 
40# The socket file will be named based on the interface name, so multiple 41# wpa_supplicant processes can be run at the same time if more than one 42# interface is used. 43# /var/run/wpa_supplicant is the recommended directory for sockets and by 44# default, wpa_cli will use it when trying to connect with wpa_supplicant. 45# 46# Access control for the control interface can be configured by setting the 47# directory to allow only members of a group to use sockets. This way, it is 48# possible to run wpa_supplicant as root (since it needs to change network 49# configuration and open raw sockets) and still allow GUI/CLI components to be 50# run as non-root users. However, since the control interface can be used to 51# change the network configuration, this access needs to be protected in many 52# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 53# want to allow non-root users to use the control interface, add a new group 54# and change this value to match with that group. Add users that should have 55# control interface access to this group. If this variable is commented out or 56# not included in the configuration file, group will not be changed from the 57# value it got by default when the directory or socket was created. 58# 59# When configuring both the directory and group, use following format: 60# DIR=/var/run/wpa_supplicant GROUP=wheel 61# DIR=/var/run/wpa_supplicant GROUP=0 62# (group can be either group name or gid) 63# 64ctrl_interface=/var/run/wpa_supplicant 65 66# IEEE 802.1X/EAPOL version 67# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 68# EAPOL version 2. However, there are many APs that do not handle the new 69# version number correctly (they seem to drop the frames completely). In order 70# to make wpa_supplicant interoperate with these APs, the version number is set 71# to 1 by default. This configuration value can be used to set it to the new 72# version (2). 
73# Note: When using MACsec, eapol_version shall be set to 3, which is 74# defined in IEEE Std 802.1X-2010. 75eapol_version=1 76 77# AP scanning/selection 78# By default, wpa_supplicant requests driver to perform AP scanning and then 79# uses the scan results to select a suitable AP. Another alternative is to 80# allow the driver to take care of AP scanning and selection and use 81# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 82# information from the driver. 83# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to 84# the currently enabled networks are found, a new network (IBSS or AP mode 85# operation) may be initialized (if configured) (default) 86# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 87# parameters (e.g., WPA IE generation); this mode can also be used with 88# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 89# APs (i.e., external program needs to control association). This mode must 90# also be used when using wired Ethernet drivers. 91# Note: macsec_qca driver is one type of Ethernet driver which implements 92# macsec feature. 93# 2: like 0, but associate with APs using security policy and SSID (but not 94# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 95# enable operation with hidden SSIDs and optimized roaming; in this mode, 96# the network blocks in the configuration file are tried one by one until 97# the driver reports successful association; each network block should have 98# explicit security policy (i.e., only one option in the lists) for 99# key_mgmt, pairwise, group, proto variables 100# 101# For use in FreeBSD with the wlan module ap_scan must be set to 1. 102# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be 103# created immediately regardless of scan results. 
ap_scan=1 mode will first try 104# to scan for existing networks and only if no matches with the enabled 105# networks are found, a new IBSS or AP mode network is created. 106ap_scan=1 107 108# MPM residency 109# By default, wpa_supplicant implements the mesh peering manager (MPM) for an 110# open mesh. However, if the driver can implement the MPM, you may set this to 111# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is 112# always used. 113# 0: MPM lives in the driver 114# 1: wpa_supplicant provides an MPM which handles peering (default) 115#user_mpm=1 116 117# Maximum number of peer links (0-255; default: 99) 118# Maximum number of mesh peering currently maintained by the STA. 119#max_peer_links=99 120 121# Timeout in seconds to detect STA inactivity (default: 300 seconds) 122# 123# This timeout value is used in mesh STA to clean up inactive stations. 124#mesh_max_inactivity=300 125 126# cert_in_cb - Whether to include a peer certificate dump in events 127# This controls whether peer certificates for authentication server and 128# its certificate chain are included in EAP peer certificate events. This is 129# enabled by default. 130#cert_in_cb=1 131 132# EAP fast re-authentication 133# By default, fast re-authentication is enabled for all EAP methods that 134# support it. This variable can be used to disable fast re-authentication. 135# Normally, there is no need to disable this. 136fast_reauth=1 137 138# OpenSSL Engine support 139# These options can be used to load OpenSSL engines. 140# The two engines that are supported currently are shown below: 141# They are both from the opensc project (http://www.opensc.org/) 142# By default no engines are loaded. 
143# make the opensc engine available 144#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 145# make the pkcs11 engine available 146#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 147# configure the path to the pkcs11 module required by the pkcs11 engine 148#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 149 150# OpenSSL cipher string 151# 152# This is an OpenSSL specific configuration option for configuring the default 153# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. 154# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation 155# on cipher suite configuration. This is applicable only if wpa_supplicant is 156# built to use OpenSSL. 157#openssl_ciphers=DEFAULT:!EXP:!LOW 158 159 160# Dynamic EAP methods 161# If EAP methods were built dynamically as shared object files, they need to be 162# loaded here before being used in the network blocks. By default, EAP methods 163# are included statically in the build, so these lines are not needed 164#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 165#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 166 167# Driver interface parameters 168# This field can be used to configure arbitrary driver interace parameters. The 169# format is specific to the selected driver interface. This field is not used 170# in most cases. 171#driver_param="field=value" 172 173# Country code 174# The ISO/IEC alpha2 country code for the country in which this device is 175# currently operating. 
176#country=US 177 178# Maximum lifetime for PMKSA in seconds; default 43200 179#dot11RSNAConfigPMKLifetime=43200 180# Threshold for reauthentication (percentage of PMK lifetime); default 70 181#dot11RSNAConfigPMKReauthThreshold=70 182# Timeout for security association negotiation in seconds; default 60 183#dot11RSNAConfigSATimeout=60 184 185# Wi-Fi Protected Setup (WPS) parameters 186 187# Universally Unique IDentifier (UUID; see RFC 4122) of the device 188# If not configured, UUID will be generated based on the local MAC address. 189#uuid=12345678-9abc-def0-1234-56789abcdef0 190 191# Device Name 192# User-friendly description of device; up to 32 octets encoded in UTF-8 193#device_name=Wireless Client 194 195# Manufacturer 196# The manufacturer of the device (up to 64 ASCII characters) 197#manufacturer=Company 198 199# Model Name 200# Model of the device (up to 32 ASCII characters) 201#model_name=cmodel 202 203# Model Number 204# Additional device description (up to 32 ASCII characters) 205#model_number=123 206 207# Serial Number 208# Serial number of the device (up to 32 characters) 209#serial_number=12345 210 211# Primary Device Type 212# Used format: <categ>-<OUI>-<subcateg> 213# categ = Category as an integer value 214# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 215# default WPS OUI 216# subcateg = OUI-specific Sub Category as an integer value 217# Examples: 218# 1-0050F204-1 (Computer / PC) 219# 1-0050F204-2 (Computer / Server) 220# 5-0050F204-1 (Storage / NAS) 221# 6-0050F204-1 (Network Infrastructure / AP) 222#device_type=1-0050F204-1 223 224# OS Version 225# 4-octet operating system version number (hex string) 226#os_version=01020300 227 228# Config Methods 229# List of the supported configuration methods 230# Available methods: usba ethernet label display ext_nfc_token int_nfc_token 231# nfc_interface push_button keypad virtual_display physical_display 232# virtual_push_button physical_push_button 233# For WSC 1.0: 
234#config_methods=label display push_button keypad 235# For WSC 2.0: 236#config_methods=label virtual_display virtual_push_button keypad 237 238# Credential processing 239# 0 = process received credentials internally (default) 240# 1 = do not process received credentials; just pass them over ctrl_iface to 241# external program(s) 242# 2 = process received credentials internally and pass them over ctrl_iface 243# to external program(s) 244#wps_cred_processing=0 245 246# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing 247# The vendor attribute contents to be added in M1 (hex string) 248#wps_vendor_ext_m1=000137100100020001 249 250# NFC password token for WPS 251# These parameters can be used to configure a fixed NFC password token for the 252# station. This can be generated, e.g., with nfc_pw_token. When these 253# parameters are used, the station is assumed to be deployed with a NFC tag 254# that includes the matching NFC password token (e.g., written based on the 255# NDEF record from nfc_pw_token). 256# 257#wps_nfc_dev_pw_id: Device Password ID (16..65535) 258#wps_nfc_dh_pubkey: Hexdump of DH Public Key 259#wps_nfc_dh_privkey: Hexdump of DH Private Key 260#wps_nfc_dev_pw: Hexdump of Device Password 261 262# Maximum number of BSS entries to keep in memory 263# Default: 200 264# This can be used to limit memory use on the BSS entries (cached scan 265# results). A larger value may be needed in environments that have huge number 266# of APs when using ap_scan=1 mode. 267#bss_max_count=200 268 269# Automatic scan 270# This is an optional set of parameters for automatic scanning 271# within an interface in following format: 272#autoscan=<autoscan module name>:<module parameters> 273# autoscan is like bgscan but on disconnected or inactive state. 
274# For instance, on exponential module parameters would be <base>:<limit> 275#autoscan=exponential:3:300 276# Which means a delay between scans on a base exponential of 3, 277# up to the limit of 300 seconds (3, 9, 27 ... 300) 278# For periodic module, parameters would be <fixed interval> 279#autoscan=periodic:30 280# So a delay of 30 seconds will be applied between each scan 281 282# filter_ssids - SSID-based scan result filtering 283# 0 = do not filter scan results (default) 284# 1 = only include configured SSIDs in scan results/BSS table 285#filter_ssids=0 286 287# Password (and passphrase, etc.) backend for external storage 288# format: <backend name>[:<optional backend parameters>] 289#ext_password_backend=test:pw1=password|pw2=testing 290 291# Timeout in seconds to detect STA inactivity (default: 300 seconds) 292# 293# This timeout value is used in P2P GO mode to clean up 294# inactive stations. 295#p2p_go_max_inactivity=300 296 297# Passphrase length (8..63) for P2P GO 298# 299# This parameter controls the length of the random passphrase that is 300# generated at the GO. Default: 8. 301#p2p_passphrase_len=8 302 303# Extra delay between concurrent P2P search iterations 304# 305# This value adds extra delay in milliseconds between concurrent search 306# iterations to make p2p_find friendlier to concurrent operations by avoiding 307# it from taking 100% of radio resources. The default value is 500 ms. 308#p2p_search_delay=500 309 310# Opportunistic Key Caching (also known as Proactive Key Caching) default 311# This parameter can be used to set the default behavior for the 312# proactive_key_caching parameter. By default, OKC is disabled unless enabled 313# with the global okc=1 parameter or with the per-network 314# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but 315# can be disabled with per-network proactive_key_caching=0 parameter. 
316#okc=0 317 318# Protected Management Frames default 319# This parameter can be used to set the default behavior for the ieee80211w 320# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 321# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF 322# is enabled/required by default, but can be disabled with the per-network 323# ieee80211w parameter. 324#pmf=0 325 326# Enabled SAE finite cyclic groups in preference order 327# By default (if this parameter is not set), the mandatory group 19 (ECC group 328# defined over a 256-bit prime order field) is preferred, but other groups are 329# also enabled. If this parameter is set, the groups will be tried in the 330# indicated order. The group values are listed in the IANA registry: 331# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 332#sae_groups=21 20 19 26 25 333 334# Default value for DTIM period (if not overridden in network block) 335#dtim_period=2 336 337# Default value for Beacon interval (if not overridden in network block) 338#beacon_int=100 339 340# Additional vendor specific elements for Beacon and Probe Response frames 341# This parameter can be used to add additional vendor specific element(s) into 342# the end of the Beacon and Probe Response frames. The format for these 343# element(s) is a hexdump of the raw information elements (id+len+payload for 344# one or more elements). This is used in AP and P2P GO modes. 345#ap_vendor_elements=dd0411223301 346 347# Ignore scan results older than request 348# 349# The driver may have a cache of scan results that makes it return 350# information that is older than our scan trigger. This parameter can 351# be used to configure such old information to be ignored instead of 352# allowing it to update the internal BSS table. 353#ignore_old_scan_res=0 354 355# scan_cur_freq: Whether to scan only the current frequency 356# 0: Scan all available frequencies. 
(Default) 357# 1: Scan current operating frequency if another VIF on the same radio 358# is already associated. 359 360# MAC address policy default 361# 0 = use permanent MAC address 362# 1 = use random MAC address for each ESS connection 363# 2 = like 1, but maintain OUI (with local admin bit set) 364# 365# By default, permanent MAC address is used unless policy is changed by 366# the per-network mac_addr parameter. Global mac_addr=1 can be used to 367# change this default behavior. 368#mac_addr=0 369 370# Lifetime of random MAC address in seconds (default: 60) 371#rand_addr_lifetime=60 372 373# MAC address policy for pre-association operations (scanning, ANQP) 374# 0 = use permanent MAC address 375# 1 = use random MAC address 376# 2 = like 1, but maintain OUI (with local admin bit set) 377#preassoc_mac_addr=0 378 379# Interworking (IEEE 802.11u) 380 381# Enable Interworking 382# interworking=1 383 384# Homogenous ESS identifier 385# If this is set, scans will be used to request response only from BSSes 386# belonging to the specified Homogeneous ESS. This is used only if interworking 387# is enabled. 388# hessid=00:11:22:33:44:55 389 390# Automatic network selection behavior 391# 0 = do not automatically go through Interworking network selection 392# (i.e., require explicit interworking_select command for this; default) 393# 1 = perform Interworking network selection if one or more 394# credentials have been configured and scan did not find a 395# matching network block 396#auto_interworking=0 397 398# credential block 399# 400# Each credential used for automatic network selection is configured as a set 401# of parameters that are compared to the information advertised by the APs when 402# interworking_select and interworking_connect commands are used. 
403# 404# credential fields: 405# 406# temporary: Whether this credential is temporary and not to be saved 407# 408# priority: Priority group 409# By default, all networks and credentials get the same priority group 410# (0). This field can be used to give higher priority for credentials 411# (and similarly in struct wpa_ssid for network blocks) to change the 412# Interworking automatic networking selection behavior. The matching 413# network (based on either an enabled network block or a credential) 414# with the highest priority value will be selected. 415# 416# pcsc: Use PC/SC and SIM/USIM card 417# 418# realm: Home Realm for Interworking 419# 420# username: Username for Interworking network selection 421# 422# password: Password for Interworking network selection 423# 424# ca_cert: CA certificate for Interworking network selection 425# 426# client_cert: File path to client certificate file (PEM/DER) 427# This field is used with Interworking networking selection for a case 428# where client certificate/private key is used for authentication 429# (EAP-TLS). Full path to the file should be used since working 430# directory may change when wpa_supplicant is run in the background. 431# 432# Alternatively, a named configuration blob can be used by setting 433# this to blob://blob_name. 434# 435# private_key: File path to client private key file (PEM/DER/PFX) 436# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 437# commented out. Both the private key and certificate will be read 438# from the PKCS#12 file in this case. Full path to the file should be 439# used since working directory may change when wpa_supplicant is run 440# in the background. 
441# 442# Windows certificate store can be used by leaving client_cert out and 443# configuring private_key in one of the following formats: 444# 445# cert://substring_to_match 446# 447# hash://certificate_thumbprint_in_hex 448# 449# For example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 450# 451# Note that when running wpa_supplicant as an application, the user 452# certificate store (My user account) is used, whereas computer store 453# (Computer account) is used when running wpasvc as a service. 454# 455# Alternatively, a named configuration blob can be used by setting 456# this to blob://blob_name. 457# 458# private_key_passwd: Password for private key file 459# 460# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format 461# 462# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN> 463# format 464# 465# domain: Home service provider FQDN(s) 466# This is used to compare against the Domain Name List to figure out 467# whether the AP is operated by the Home SP. Multiple domain entries can 468# be used to configure alternative FQDNs that will be considered home 469# networks. 470# 471# roaming_consortium: Roaming Consortium OI 472# If roaming_consortium_len is non-zero, this field contains the 473# Roaming Consortium OI that can be used to determine which access 474# points support authentication with this credential. This is an 475# alternative to the use of the realm parameter. When using Roaming 476# Consortium to match the network, the EAP parameters need to be 477# pre-configured with the credential since the NAI Realm information 478# may not be available or fetched. 479# 480# eap: Pre-configured EAP method 481# This optional field can be used to specify which EAP method will be 482# used with this credential. If not set, the EAP method is selected 483# automatically based on ANQP information (e.g., NAI Realm). 
484# 485# phase1: Pre-configure Phase 1 (outer authentication) parameters 486# This optional field is used with like the 'eap' parameter. 487# 488# phase2: Pre-configure Phase 2 (inner authentication) parameters 489# This optional field is used with like the 'eap' parameter. 490# 491# excluded_ssid: Excluded SSID 492# This optional field can be used to excluded specific SSID(s) from 493# matching with the network. Multiple entries can be used to specify more 494# than one SSID. 495# 496# roaming_partner: Roaming partner information 497# This optional field can be used to configure preferences between roaming 498# partners. The field is a string in following format: 499# <FQDN>,<0/1 exact match>,<priority>,<* or country code> 500# (non-exact match means any subdomain matches the entry; priority is in 501# 0..255 range with 0 being the highest priority) 502# 503# update_identifier: PPS MO ID 504# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) 505# 506# provisioning_sp: FQDN of the SP that provisioned the credential 507# This optional field can be used to keep track of the SP that provisioned 508# the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>). 509# 510# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*) 511# These fields can be used to specify minimum download/upload backhaul 512# bandwidth that is preferred for the credential. This constraint is 513# ignored if the AP does not advertise WAN Metrics information or if the 514# limit would prevent any connection. Values are in kilobits per second. 515# min_dl_bandwidth_home 516# min_ul_bandwidth_home 517# min_dl_bandwidth_roaming 518# min_ul_bandwidth_roaming 519# 520# max_bss_load: Maximum BSS Load Channel Utilization (1..255) 521# (PPS/<X+>/Policy/MaximumBSSLoadValue) 522# This value is used as the maximum channel utilization for network 523# selection purposes for home networks. 
If the AP does not advertise 524# BSS Load or if the limit would prevent any connection, this constraint 525# will be ignored. 526# 527# req_conn_capab: Required connection capability 528# (PPS/<X+>/Policy/RequiredProtoPortTuple) 529# This value is used to configure set of required protocol/port pairs that 530# a roaming network shall support (include explicitly in Connection 531# Capability ANQP element). This constraint is ignored if the AP does not 532# advertise Connection Capability or if this constraint would prevent any 533# network connection. This policy is not used in home networks. 534# Format: <protocol>[:<comma-separated list of ports] 535# Multiple entries can be used to list multiple requirements. 536# For example, number of common TCP protocols: 537# req_conn_capab=6,22,80,443 538# For example, IPSec/IKE: 539# req_conn_capab=17:500 540# req_conn_capab=50 541# 542# ocsp: Whether to use/require OCSP to check server certificate 543# 0 = do not use OCSP stapling (TLS certificate status extension) 544# 1 = try to use OCSP stapling, but not require response 545# 2 = require valid OCSP stapling response 546# 547# sim_num: Identifier for which SIM to use in multi-SIM devices 548# 549# for example: 550# 551#cred={ 552# realm="example.com" 553# username="user@example.com" 554# password="password" 555# ca_cert="/etc/wpa_supplicant/ca.pem" 556# domain="example.com" 557#} 558# 559#cred={ 560# imsi="310026-000000000" 561# milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82" 562#} 563# 564#cred={ 565# realm="example.com" 566# username="user" 567# password="password" 568# ca_cert="/etc/wpa_supplicant/ca.pem" 569# domain="example.com" 570# roaming_consortium=223344 571# eap=TTLS 572# phase2="auth=MSCHAPV2" 573#} 574 575# Hotspot 2.0 576# hs20=1 577 578# network block 579# 580# Each network (usually AP's sharing the same SSID) is configured as a separate 581# block in this configuration file. 
The network blocks are in preference order 582# (the first match is used). 583# 584# network block fields: 585# 586# disabled: 587# 0 = this network can be used (default) 588# 1 = this network block is disabled (can be enabled through ctrl_iface, 589# e.g., with wpa_cli or wpa_gui) 590# 591# id_str: Network identifier string for external scripts. This value is passed 592# to external action script through wpa_cli as WPA_ID_STR environment 593# variable to make it easier to do network specific configuration. 594# 595# ssid: SSID (mandatory); network name in one of the optional formats: 596# - an ASCII string with double quotation 597# - a hex string (two characters per octet of SSID) 598# - a printf-escaped ASCII string P"<escaped string>" 599# 600# scan_ssid: 601# 0 = do not scan this SSID with specific Probe Request frames (default) 602# 1 = scan with SSID-specific Probe Request frames (this can be used to 603# find APs that hide (do not broadcast) SSID or use multiple SSIDs; 604# this will add latency to scanning, so enable this only when needed) 605# 606# bssid: BSSID (optional); if set, this network block is used only when 607# associating with the AP using the configured BSSID 608# 609# priority: priority group (integer) 610# By default, all networks will get same priority group (0). If some of the 611# networks are more desirable, this field can be used to change the order in 612# which wpa_supplicant goes through the networks when selecting a BSS. The 613# priority groups will be iterated in decreasing priority (i.e., the larger the 614# priority value, the sooner the network is matched against the scan results). 615# Within each priority group, networks will be selected based on security 616# policy, signal strength, etc. 617# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 618# using this priority to select the order for scanning. Instead, they try the 619# networks in the order that they are listed in the configuration file. 
620# 621# mode: IEEE 802.11 operation mode 622# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 623# 1 = IBSS (ad-hoc, peer-to-peer) 624# 2 = AP (access point) 625# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and 626# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key 627# TKIP/CCMP) is available for backwards compatibility, but its use is 628# deprecated. WPA-None requires following network block options: 629# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 630# both), and psk must also be set. 631# 632# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 633# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 634# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 635# In addition, this value is only used by the station that creates the IBSS. If 636# an IBSS network with the configured SSID is already present, the frequency of 637# the network will be used instead of this configured value. 638# 639# scan_freq: List of frequencies to scan 640# Space-separated list of frequencies in MHz to scan when searching for this 641# BSS. If the subset of channels used by the network is known, this option can 642# be used to optimize scanning to not occur on channels that the network does 643# not use. Example: scan_freq=2412 2437 2462 644# 645# freq_list: Array of allowed frequencies 646# Space-separated list of frequencies in MHz to allow for selecting the BSS. If 647# set, scan results that do not match any of the specified frequencies are not 648# considered when selecting a BSS. 649# 650# This can also be set on the outside of the network block. In this case, 651# it limits the frequencies that will be scanned. 652# 653# bgscan: Background scanning 654# wpa_supplicant behavior for background scanning can be specified by 655# configuring a bgscan module. 
These modules are responsible for requesting 656# background scans for the purpose of roaming within an ESS (i.e., within a 657# single network block with all the APs using the same SSID). The bgscan 658# parameter uses following format: "<bgscan module name>:<module parameters>" 659# Following bgscan modules are available: 660# simple - Periodic background scans based on signal strength 661# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>: 662# <long interval>" 663# bgscan="simple:30:-45:300" 664# learn - Learn channels used by the network and try to avoid bgscans on other 665# channels (experimental) 666# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>: 667# <long interval>[:<database file name>]" 668# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" 669# Explicitly disable bgscan by setting 670# bgscan="" 671# 672# This option can also be set outside of all network blocks for the bgscan 673# parameter to apply for all the networks that have no specific bgscan 674# parameter. 
675# 676# proto: list of accepted protocols 677# WPA = WPA/IEEE 802.11i/D3.0 678# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 679# If not set, this defaults to: WPA RSN 680# 681# key_mgmt: list of accepted authenticated key management protocols 682# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 683# WPA-EAP = WPA using EAP authentication 684# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 685# generated WEP keys 686# NONE = WPA is not used; plaintext or static WEP could be used 687# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 688# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 689# If not set, this defaults to: WPA-PSK WPA-EAP 690# 691# ieee80211w: whether management frame protection is enabled 692# 0 = disabled (default unless changed with the global pmf parameter) 693# 1 = optional 694# 2 = required 695# The most common configuration options for this based on the PMF (protected 696# management frames) certification program are: 697# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256 698# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 699# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) 700# 701# auth_alg: list of allowed IEEE 802.11 authentication algorithms 702# OPEN = Open System authentication (required for WPA/WPA2) 703# SHARED = Shared Key authentication (requires static WEP keys) 704# LEAP = LEAP/Network EAP (only used with LEAP) 705# If not set, automatic selection is used (Open System with LEAP enabled if 706# LEAP is allowed as one of the EAP methods). 
#
# pairwise: list of accepted pairwise (unicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# NONE = Use only Group Keys (deprecated, should not be included if APs support
#	pairwise keys)
# If not set, this defaults to: CCMP TKIP
#
# group: list of accepted group (broadcast/multicast) ciphers for WPA
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
# If not set, this defaults to: CCMP TKIP WEP104 WEP40
#
# psk: WPA preshared key; 256-bit pre-shared key
# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
# generated using the passphrase and SSID). ASCII passphrase must be between
# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
# be used to indicate that the PSK/passphrase is stored in external storage.
# This field is not needed if WPA-EAP is used.
# Note: A separate tool, wpa_passphrase, can be used to generate 256-bit keys
# from an ASCII passphrase. This process uses a lot of CPU, so wpa_supplicant
# startup and reconfiguration time can be optimized by generating the PSK
# only when the passphrase or SSID has actually changed.
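The passphrase-to-PSK step described above, as an added example (this is not code from wpa_supplicant or from this file): the PSK that wpa_passphrase writes into a network block is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output, which is the IEEE 802.11i definition. The `network_block` helper and the `is_valid_psk_field` check are this example's own names; the 8..63 character limit is the one stated above.

```python
"""Derive the 256-bit WPA-PSK from an ASCII passphrase and SSID, the way
wpa_passphrase does, and emit it in the 64-hex-digit psk= form.

Added example; not wpa_supplicant code. Assumes the standard IEEE 802.11i
derivation: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
"""
import hashlib


def passphrase_to_psk(passphrase: str, ssid: bytes) -> bytes:
    """Return the 32-byte PSK; enforces the 8..63 character passphrase limit."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters (inclusive)")
    # 4096 HMAC-SHA1 rounds per derivation: this is the CPU cost the comment
    # above refers to, and why caching the hex PSK instead of the passphrase
    # speeds up startup and reconfiguration.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def is_valid_psk_field(value: str) -> bool:
    """Validate a psk= value as written in wpa_supplicant.conf: either a
    double-quoted passphrase of 8..63 characters or exactly 64 hex digits."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return 8 <= len(value) - 2 <= 63
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)


def network_block(ssid: str, passphrase: str) -> str:
    """Emit a network block with the precomputed PSK (wpa_passphrase layout:
    the passphrase is kept as a comment, the derived key is the active line)."""
    psk = passphrase_to_psk(passphrase, ssid.encode("utf-8")).hex()
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        f'\t#psk="{passphrase}"',
        f"\tpsk={psk}",
        "}",
    ])


if __name__ == "__main__":
    # IEEE 802.11i Annex H.4 test vector: passphrase "password", SSID "IEEE"
    print(network_block("IEEE", "password"))
```

The printed block can be pasted into this file as-is; because the derivation binds the SSID, the same passphrase yields a different psk= line for every network, so a hex PSK copied between networks with different SSIDs will not authenticate.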
#
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
# Dynamic WEP key required for non-WPA mode
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
# 	(3 = require both keys; default)
# Note: When using wired authentication (including macsec_qca driver),
# eapol_flags must be set to 0 for the authentication to be completed
# successfully.
#
# macsec_policy: IEEE 802.1X/MACsec options
# This determines how sessions are secured with MACsec. It is currently
# applicable only when using the macsec_qca driver interface.
# 0: MACsec not in use (default)
# 1: MACsec enabled - Should secure, accept key server's advice to
#    determine whether to use a secure session or not.
#
# mixed_cell: This option can be used to configure whether so-called mixed
# cells, i.e., networks that use both plaintext and encryption in the same
# SSID, are allowed when selecting a BSS from scan results.
# 0 = disabled (default)
# 1 = enabled
#
# proactive_key_caching:
# Enable/disable opportunistic PMKSA caching for WPA2.
# 0 = disabled (default unless changed with the global okc parameter)
# 1 = enabled
#
# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
# hex without quotation, e.g., 0102030405)
# wep_tx_keyidx: Default WEP key index (TX) (0..3)
#
# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
# allowed. This is only used with RSN/WPA2.
# 0 = disabled (default)
# 1 = enabled
#peerkey=1
#
# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
#
# The following fields are only used with the internal EAP implementation.
# eap: space-separated list of accepted EAP methods
#	MD5 = EAP-MD5 (insecure and does not generate keying material ->
#			cannot be used with WPA; to be used as a Phase 2 method
#			with EAP-PEAP or EAP-TTLS)
#	MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#	OTP = EAP-OTP (cannot be used separately with WPA; to be used
#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#	GTC = EAP-GTC (cannot be used separately with WPA; to be used
#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
#	TLS = EAP-TLS (client and server certificate)
#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
#			 authentication)
#	If not set, all compiled-in methods are allowed.
#
# identity: Identity string for EAP
#	This field is also used to configure user NAI for
#	EAP-PSK/PAX/SAKE/GPSK.
# anonymous_identity: Anonymous identity string for EAP (to be used as the
#	unencrypted identity with EAP types that support different tunnelled
#	identity, e.g., EAP-TTLS). This field can also be used with
#	EAP-SIM/AKA/AKA' to store the pseudonym identity.
# password: Password string for EAP. This field can include either the
#	plaintext password (using ASCII or hex string) or a NtPasswordHash
#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.
#	NtPasswordHash can only be used when the password is for MSCHAPv2 or
#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
#	PSK) are also configured using this field. For EAP-GPSK, this is a
#	variable length PSK. ext:<name of external password field> format can
#	be used to indicate that the password is stored in external storage.
# ca_cert: File path to CA certificate file (PEM/DER).
This file can have one
#	or more trusted CA certificates. If ca_cert and ca_path are not
#	included, server certificate will not be verified. This is insecure and
#	a trusted CA certificate should always be configured when using
#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
#	change when wpa_supplicant is run in the background.
#
#	Alternatively, this can be used to only perform matching of the server
#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In
#	this case, the possible CA certificates in the server certificate chain
#	are ignored and only the server certificate is verified. This is
#	configured with the following format:
#	hash://server/sha256/cert_hash_in_hex
#	For example: "hash://server/sha256/
#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
#
#	On Windows, trusted CA certificates can be loaded from the system
#	certificate store by setting this to cert_store://<name>, e.g.,
#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
#	Note that when running wpa_supplicant as an application, the user
#	certificate store (My user account) is used, whereas computer store
#	(Computer account) is used when running wpasvc as a service.
# ca_path: Directory path for CA certificate files (PEM). This path may
#	contain multiple CA certificates in OpenSSL format. Common use for this
#	is to point to system trusted CA list which is often installed into
#	directory like /etc/ssl/certs. If configured, these certificates are
#	added to the list of trusted CAs. ca_cert may also be included in that
#	case, but it is not required.
# client_cert: File path to client certificate file (PEM/DER)
#	Full path should be used since working directory may change when
#	wpa_supplicant is run in the background.
#	Alternatively, a named configuration blob can be used by setting this
#	to blob://<blob name>.
# private_key: File path to client private key file (PEM/DER/PFX)
#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#	commented out. Both the private key and certificate will be read from
#	the PKCS#12 file in this case. Full path should be used since working
#	directory may change when wpa_supplicant is run in the background.
#	Windows certificate store can be used by leaving client_cert out and
#	configuring private_key in one of the following formats:
#	cert://substring_to_match
#	hash://certificate_thumbprint_in_hex
#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
#	Note that when running wpa_supplicant as an application, the user
#	certificate store (My user account) is used, whereas computer store
#	(Computer account) is used when running wpasvc as a service.
#	Alternatively, a named configuration blob can be used by setting this
#	to blob://<blob name>.
# private_key_passwd: Password for private key file (if left out, this will be
#	asked through control interface)
# dh_file: File path to DH/DSA parameters file (in PEM format)
#	This is an optional configuration file for setting parameters for an
#	ephemeral DH key exchange. In most cases, the default RSA
#	authentication does not use this configuration. However, it is possible
#	to set up RSA to use ephemeral DH key exchange. In addition, ciphers with
#	DSA keys always use ephemeral DH keys. This can be used to achieve
#	forward secrecy. If the file is in DSA parameters format, it will be
#	automatically converted into DH params.
# subject_match: Substring to be matched against the subject of the
#	authentication server certificate. If this string is set, the server
#	certificate is only accepted if it contains this string in the subject.
#	The subject string is in the following format:
#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
#	Note: Since this is a substring match, this cannot be used securely to
#	do a suffix match against a possible domain name in the CN entry. For
#	such a use case, domain_suffix_match or domain_match should be used
#	instead.
# altsubject_match: Semicolon separated string of entries to be matched against
#	the alternative subject name of the authentication server certificate.
#	If this string is set, the server certificate is only accepted if it
#	contains one of the entries in an alternative subject name extension.
#	altSubjectName string is in the following format: TYPE:VALUE
#	Example: EMAIL:server@example.com
#	Example: DNS:server.example.com;DNS:server2.example.com
#	The following types are supported: EMAIL, DNS, URI
# domain_suffix_match: Constraint for server domain name. If set, this FQDN is
#	used as a suffix match requirement for the AAA server certificate in
#	SubjectAltName dNSName element(s). If a matching dNSName is found, this
#	constraint is met. If no dNSName values are present, this constraint is
#	matched against SubjectName CN using the same suffix match comparison.
#
#	Suffix match here means that the host/domain name is compared one label
#	at a time starting from the top-level domain and all the labels in
#	domain_suffix_match shall be included in the certificate. The
#	certificate may include additional sub-level labels in addition to the
#	required labels.
#
#	For example, domain_suffix_match=example.com would match
#	test.example.com but would not match test-example.com.
# domain_match: Constraint for server domain name
#	If set, this FQDN is used as a full match requirement for the
#	server certificate in SubjectAltName dNSName element(s). If a
#	matching dNSName is found, this constraint is met.
If no dNSName
#	values are present, this constraint is matched against SubjectName CN
#	using the same full match comparison. This behavior is similar to
#	domain_suffix_match, but has the requirement of a full match, i.e.,
#	no subdomains or wildcard matches are allowed. Case-insensitive
#	comparison is used, so "Example.com" matches "example.com", but would
#	not match "test.Example.com".
# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
#	(string with field-value pairs, e.g., "peapver=0" or
#	"peapver=1 peaplabel=1")
#	'peapver' can be used to force which PEAP version (0 or 1) is used.
#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
#	to be used during key derivation when PEAPv1 or newer. Most existing
#	PEAPv1 implementations seem to be using the old label, "client EAP
#	encryption", and wpa_supplicant is now using that as the default value.
#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
#	interoperate with PEAPv1; see eap_testing.txt for more details.
#	'peap_outer_success=0' can be used to terminate PEAP authentication on
#	tunneled EAP-Success. This is required with some RADIUS servers that
#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
#	include_tls_length=1 can be used to force wpa_supplicant to include
#	TLS Message Length field in all TLS messages even if they are not
#	fragmented.
#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
#	challenges (by default, it accepts 2 or 3)
#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
#	protected result indication.
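The three server-name checks described above (subject_match, domain_suffix_match and domain_match) differ in exactly the way that decides whether a rogue RADIUS server with a look-alike certificate is accepted. The following added example re-implements the documented rules so the difference can be tested directly; it is not wpa_supplicant's own matching code, and `check_server_cert` and the list-of-dNSName/CN call shape are this example's assumptions about how a certificate's names would be handed in.

```python
"""Server-certificate name constraints as documented for subject_match,
domain_suffix_match and domain_match. Added example, not wpa_supplicant code.
Names are plain strings; wildcard entries get no special treatment here."""


def labels(name: str) -> list:
    """Split a host name into labels, lower-cased, top-level domain first."""
    return [part for part in name.lower().rstrip(".").split(".") if part][::-1]


def suffix_match(cert_name: str, constraint: str) -> bool:
    """domain_suffix_match rule: compare one label at a time starting from the
    TLD; every constraint label must be present, and the certificate name may
    carry additional sub-level labels in front of them."""
    want, have = labels(constraint), labels(cert_name)
    return len(have) >= len(want) and have[:len(want)] == want


def full_match(cert_name: str, constraint: str) -> bool:
    """domain_match rule: case-insensitive equality of the whole name, so no
    subdomains and no wildcard matches."""
    return labels(cert_name) == labels(constraint)


def subject_match(subject: str, needle: str) -> bool:
    """subject_match rule: a plain substring test on the subject string such as
    '/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com'."""
    return needle in subject


def check_server_cert(dns_names: list, subject_cn: str, constraint: str,
                      mode: str = "suffix") -> bool:
    """Apply the constraint to the SubjectAltName dNSName values; the
    SubjectName CN is consulted only when no dNSName is present."""
    match = suffix_match if mode == "suffix" else full_match
    candidates = dns_names if dns_names else [subject_cn]
    return any(match(name, constraint) for name in candidates)


if __name__ == "__main__":
    # constructed sample: a legitimate name and a look-alike that a substring
    # match would wrongly accept
    for name in ("radius.example.com", "bad-example.com", "example.com.evil.test"):
        print(f"{name:24} suffix={suffix_match(name, 'example.com')!s:5} "
              f"substring={subject_match('/CN=' + name, 'example.com')}")
```

The constructed names show why the comment above says subject_match cannot be used securely as a suffix check: "example.com" is a substring of "/CN=bad-example.com" and of "/CN=example.com.evil.test", but neither passes the label-wise suffix rule that domain_suffix_match applies.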
#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
#	behavior:
#	 * 0 = do not use cryptobinding (default)
#	 * 1 = use cryptobinding if server supports it
#	 * 2 = require cryptobinding
#	EAP-WSC (WPS) uses the following options: pin=<Device Password> or
#	pbc=1.
#
#	For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
#	used to configure a mode that allows EAP-Success (and EAP-Failure)
#	without going through authentication step. Some switches use such
#	sequence when forcing the port to be authorized/unauthorized or as a
#	fallback option if the authentication server is unreachable. By default,
#	wpa_supplicant discards such frames to protect against potential attacks
#	by rogue devices, but this option can be used to disable that protection
#	for cases where the server/authenticator does not need to be
#	authenticated.
# phase2: Phase2 (inner authentication with TLS tunnel) parameters
#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
#	used to disable MSCHAPv2 password retry in authentication failure cases.
#
# TLS-based methods can use the following parameters to control TLS behavior
# (these are normally in the phase1 parameter, but can be used also in the
# phase2 parameter when EAP-TLS is used within the inner tunnel):
# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
#	TLS library, these may be disabled by default to enforce stronger
#	security)
# tls_disable_time_checks=1 - ignore certificate validity time (this requests
#	the TLS library to accept certificates even if they are not currently
#	valid, i.e., have expired or have not yet become valid; this should be
#	used only for testing purposes)
# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
#	as a workaround for broken authentication server implementations unless
#	EAP workarounds are disabled with eap_workaround=0.
#	For EAP-FAST, this must be set to 0 (or left unconfigured for the
#	default value to be used automatically).
# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
#	that have issues interoperating with updated TLS version)
# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
#	that have issues interoperating with updated TLS version)
#
# The following certificate/private key fields are used in inner Phase2
# authentication when using EAP-TTLS or EAP-PEAP.
# ca_cert2: File path to CA certificate file. This file can have one or more
#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,
#	server certificate will not be verified. This is insecure and a trusted
#	CA certificate should always be configured.
# ca_path2: Directory path for CA certificate files (PEM)
# client_cert2: File path to client certificate file
# private_key2: File path to client private key file
# private_key2_passwd: Password for private key file
# dh_file2: File path to DH/DSA parameters file (in PEM format)
# subject_match2: Substring to be matched against the subject of the
#	authentication server certificate. See subject_match for more details.
# altsubject_match2: Semicolon separated string of entries to be matched
#	against the alternative subject name of the authentication server
#	certificate. See altsubject_match documentation for more details.
# domain_suffix_match2: Constraint for server domain name. See
#	domain_suffix_match for more details.
#
# fragment_size: Maximum EAP fragment size in bytes (default 1398).
#	This value limits the fragment size for EAP methods that support
#	fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
#	small enough to make the EAP messages fit in MTU of the network
#	interface used for EAPOL. The default value is suitable for most
#	cases.
#
# ocsp: Whether to use/require OCSP to check server certificate
# 0 = do not use OCSP stapling (TLS certificate status extension)
# 1 = try to use OCSP stapling, but not require response
# 2 = require valid OCSP stapling response
#
# openssl_ciphers: OpenSSL specific cipher configuration
#	This can be used to override the global openssl_ciphers configuration
#	parameter (see above).
#
# erp: Whether EAP Re-authentication Protocol (ERP) is enabled
#
# EAP-FAST variables:
# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
#	to create this file and write updates to it when PAC is being
#	provisioned or refreshed. Full path to the file should be used since
#	working directory may change when wpa_supplicant is run in the
#	background.
Alternatively, a named configuration blob can be used by
#	setting this to blob://<blob name>
# phase1: fast_provisioning option can be used to enable in-line provisioning
#	of EAP-FAST credentials (PAC):
#	0 = disabled,
#	1 = allow unauthenticated provisioning,
#	2 = allow authenticated provisioning,
#	3 = allow both unauthenticated and authenticated provisioning
#	fast_max_pac_list_len=<num> option can be used to set the maximum
#		number of PAC entries to store in a PAC list (default: 10)
#	fast_pac_format=binary option can be used to select binary format for
#		storing PAC entries in order to save some space (the default
#		text format uses about 2.5 times the size of minimal binary
#		format)
#
# wpa_supplicant supports a number of "EAP workarounds" to work around
# interoperability issues with incorrectly behaving authentication servers.
# These are enabled by default because some of the issues are present in a
# large number of authentication servers. Strict EAP conformance mode can be
# configured by disabling workarounds with eap_workaround=0.

# Station inactivity limit
#
# If a station does not send anything in ap_max_inactivity seconds, an
# empty data frame is sent to it in order to verify whether it is
# still in range. If this frame is not ACKed, the station will be
# disassociated and then deauthenticated. This feature is used to
# clear station table of old entries when the STAs move out of the
# range.
#
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300

# DTIM period in Beacon intervals for AP mode (default: 2)
#dtim_period=2

# Beacon interval (default: 100 TU)
#beacon_int=100

# MAC address policy
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
#mac_addr=0

# disable_ht: Whether HT (802.11n) should be disabled.
# 0 = HT enabled (if AP supports it)
# 1 = HT disabled
#
# disable_ht40: Whether HT-40 (802.11n) should be disabled.
# 0 = HT-40 enabled (if AP supports it)
# 1 = HT-40 disabled
#
# disable_sgi: Whether SGI (short guard interval) should be disabled.
# 0 = SGI enabled (if AP supports it)
# 1 = SGI disabled
#
# disable_ldpc: Whether LDPC should be disabled.
# 0 = LDPC enabled (if AP supports it)
# 1 = LDPC disabled
#
# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
# 0 = 40 MHz tolerant (default)
# 1 = 40 MHz intolerant
#
# ht_mcs: Configure allowed MCS rates.
#  Parsed as an array of bytes, in base-16 (ascii-hex)
# ht_mcs=""                                   // Use all available (default)
# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "   // Use MCS 0-7 only
# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "   // Use MCS 0-15 only
#
# disable_max_amsdu: Whether MAX_AMSDU should be disabled.
# -1 = Do not make any changes.
# 0  = Enable MAX-AMSDU if hardware supports it.
# 1  = Disable AMSDU
#
# ampdu_factor: Maximum A-MPDU Length Exponent
# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
#
# ampdu_density: Allow overriding AMPDU density configuration.
#  Treated as hint by the kernel.
# -1 = Do not make any changes.
# 0-3 = Set AMPDU density (aka factor) to specified value.

# disable_vht: Whether VHT should be disabled.
# 0 = VHT enabled (if AP supports it)
# 1 = VHT disabled
#
# vht_capa: VHT capabilities to set in the override
# vht_capa_mask: mask of VHT capabilities
#
# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
#  0: MCS 0-7
#  1: MCS 0-8
#  2: MCS 0-9
#  3: not supported

# Example blocks:

# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
network={
	ssid="simple"
	psk="very secret passphrase"
	priority=5
}

# Same as previous, but request SSID-specific scanning (for APs that reject
# broadcast SSID)
network={
	ssid="second ssid"
	scan_ssid=1
	psk="very secret passphrase"
	priority=2
}

# Only WPA-PSK is used. Any valid cipher combination is accepted.
network={
	ssid="example"
	proto=WPA
	key_mgmt=WPA-PSK
	pairwise=CCMP TKIP
	group=CCMP TKIP WEP104 WEP40
	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
	priority=2
}

# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
network={
	ssid="example"
	proto=WPA
	key_mgmt=WPA-PSK
	pairwise=TKIP
	group=TKIP
	psk="not so secure passphrase"
	wpa_ptk_rekey=600
}

# Only WPA-EAP is used. Both CCMP and TKIP are accepted. An AP that used WEP104
# or WEP40 as the group cipher will not be accepted.
network={
	ssid="example"
	proto=RSN
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	priority=1
}

# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
# (e.g., Radiator)
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase1="peaplabel=1"
	phase2="auth=MSCHAPV2"
	priority=10
}

# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	priority=2
}

# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
# use. Real identity is sent only within an encrypted TLS tunnel.
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase2="auth=MSCHAPV2"
}

# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
# authentication.
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	# Phase1 / outer authentication
	anonymous_identity="anonymous@example.com"
	ca_cert="/etc/cert/ca.pem"
	# Phase 2 / inner authentication
	phase2="autheap=TLS"
	ca_cert2="/etc/cert/ca2.pem"
	client_cert2="/etc/cer/user.pem"
	private_key2="/etc/cer/user.prv"
	private_key2_passwd="password"
	priority=2
}

# Both WPA-PSK and WPA-EAP are accepted. Only CCMP is accepted as pairwise and
# group cipher.
network={
	ssid="example"
	bssid=00:11:22:33:44:55
	proto=WPA RSN
	key_mgmt=WPA-PSK WPA-EAP
	pairwise=CCMP
	group=CCMP
	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
}

# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
# and all valid ciphers.
network={
	ssid=00010203
	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
}


# EAP-SIM with a GSM SIM or USIM
network={
	ssid="eap-sim-test"
	key_mgmt=WPA-EAP
	eap=SIM
	pin="1234"
	pcsc=""
}


# EAP-PSK
network={
	ssid="eap-psk-test"
	key_mgmt=WPA-EAP
	eap=PSK
	anonymous_identity="eap_psk_user"
	password=06b4be19da289f475aa46a33cb793029
	identity="eap_psk_user@example.com"
}


# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
# EAP-TLS for authentication and key generation; require both unicast and
# broadcast WEP keys.
network={
	ssid="1x-test"
	key_mgmt=IEEE8021X
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	eapol_flags=3
}


# LEAP with dynamic WEP keys
network={
	ssid="leap-example"
	key_mgmt=IEEE8021X
	eap=LEAP
	identity="user"
	password="foobar"
}

# EAP-IKEv2 using shared secrets for both server and peer authentication
network={
	ssid="ikev2-example"
	key_mgmt=WPA-EAP
	eap=IKEV2
	identity="user"
	password="foobar"
}

# EAP-FAST with WPA (WPA or WPA2)
network={
	ssid="eap-fast-test"
	key_mgmt=WPA-EAP
	eap=FAST
	anonymous_identity="FAST-000102030405"
	identity="username"
	password="password"
	phase1="fast_provisioning=1"
	pac_file="/etc/wpa_supplicant.eap-fast-pac"
}

network={
	ssid="eap-fast-test"
	key_mgmt=WPA-EAP
	eap=FAST
	anonymous_identity="FAST-000102030405"
	identity="username"
	password="password"
	phase1="fast_provisioning=1"
	pac_file="blob://eap-fast-pac"
}

# Plaintext connection (no WPA, no IEEE 802.1X)
network={
	ssid="plaintext-test"
	key_mgmt=NONE
}


# Shared WEP key connection (no WPA, no IEEE 802.1X)
network={
	ssid="static-wep-test"
	key_mgmt=NONE
	wep_key0="abcde"
	wep_key1=0102030405
	wep_key2="1234567890123"
	wep_tx_keyidx=0
	priority=5
}


# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
# IEEE 802.11 authentication
network={
	ssid="static-wep-test2"
	key_mgmt=NONE
	wep_key0="abcde"
	wep_key1=0102030405
	wep_key2="1234567890123"
	wep_tx_keyidx=0
	priority=5
	auth_alg=SHARED
}


# IBSS/ad-hoc network with RSN
network={
	ssid="ibss-rsn"
	key_mgmt=WPA-PSK
	proto=RSN
	psk="12345678"
	mode=1
	frequency=2412
	pairwise=CCMP
	group=CCMP
}

# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
network={
	ssid="test adhoc"
	mode=1
	frequency=2412
	proto=WPA
	key_mgmt=WPA-NONE
	pairwise=NONE
	group=TKIP
	psk="secret passphrase"
}

# open mesh network
network={
	ssid="test mesh"
	mode=5
	frequency=2437
	key_mgmt=NONE
}

# secure (SAE + AMPE) network
network={
	ssid="secure mesh"
	mode=5
	frequency=2437
	key_mgmt=SAE
	psk="very secret passphrase"
}


# Catch all example that allows more or less all configuration modes
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
	pairwise=CCMP TKIP
	group=CCMP TKIP WEP104 WEP40
	psk="very secret passphrase"
	eap=TTLS PEAP TLS
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	phase1="peaplabel=0"
}

# Example of EAP-TLS with smartcard (openssl engine)
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TLS
	proto=RSN
	pairwise=CCMP TKIP
	group=CCMP TKIP
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"

	engine=1

	# The engine configured here must be available. Look at
	# OpenSSL engine support in the global section.
	# The key available through the engine must be the private key
	# matching the client certificate configured above.

	# use the opensc engine
	#engine_id="opensc"
	#key_id="45"

	# use the pkcs11 engine
	engine_id="pkcs11"
	key_id="id_45"

	# Optional PIN configuration; this can be left out and PIN will be
	# asked through the control interface
	pin="1234"
}

# Example configuration showing how to use an inlined blob as a CA certificate
# data instead of using external file
network={
	ssid="example"
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="blob://exampleblob"
	priority=20
}

blob-base64-exampleblob={
SGVsbG8gV29ybGQhCg==
}


# Wildcard match for SSID (plaintext APs only). This example selects any
# open AP regardless of its SSID.
network={
	key_mgmt=NONE
}

# Example configuration blacklisting two APs - these will be ignored
# for this network.
network={
	ssid="example"
	psk="very secret passphrase"
	bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
}

# Example configuration limiting AP selection to a specific set of APs;
# any other AP not matching the masked address will be ignored.
network={
	ssid="example"
	psk="very secret passphrase"
	bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
}

# Example config file that will only scan on channel 36.
freq_list=5180
network={
	key_mgmt=NONE
}


# Example MACsec configuration
#network={
#	key_mgmt=IEEE8021X
#	eap=TTLS
#	phase2="auth=PAP"
#	anonymous_identity="anonymous@example.com"
#	identity="user@example.com"
#	password="secretr"
#	ca_cert="/etc/cert/ca.pem"
#	eapol_flags=0
#	macsec_policy=1
#}
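Several of the example blocks above deliberately show settings that the field descriptions call insecure or deprecated (TLS-based EAP without ca_cert/ca_path, TKIP or WEP ciphers, key_mgmt=NONE, tls_disable_time_checks=1). The following added example is a small lint for wpa_supplicant.conf that reports exactly those conditions; it is not part of wpa_supplicant, its parser covers only the syntax used in this file (key=value lines, network={ ... } and blob-base64-<name>={ ... } blocks, whole-line # comments), and the sample configuration it runs on is constructed here from the blocks above. The documented defaults (key_mgmt "WPA-PSK WPA-EAP", pairwise "CCMP TKIP", group "CCMP TKIP WEP104 WEP40") are applied when a field is absent, so a block that omits pairwise/group is reported as allowing TKIP/WEP by default.

```python
"""Lint wpa_supplicant.conf network blocks for the settings the field
descriptions above call insecure or deprecated. Added example, not
wpa_supplicant code; parses only the subset of the syntax used in this file."""

EAP_KEY_MGMT = {"WPA-EAP", "WPA-EAP-SHA256", "IEEE8021X"}
TLS_EAP = {"TLS", "TTLS", "PEAP"}   # "a trusted CA certificate should always be configured"
WEAK_CIPHERS = {"TKIP", "WEP104", "WEP40", "NONE"}


def unquote(value: str) -> str:
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_conf(text: str):
    """Return (global_settings, list of network dicts). Blob bodies are skipped."""
    globals_, networks, current, in_blob = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only whole-line comments exist
            continue
        if in_blob:
            in_blob = line != "}"
            continue
        if line.startswith("blob-base64-") and line.endswith("={"):
            in_blob = True
        elif line == "network={":
            current = {}
        elif line == "}":
            networks.append(current)
            current = None
        else:
            key, _, value = line.partition("=")
            (globals_ if current is None else current)[key.strip()] = value.strip()
    return globals_, networks


def lint_network(net: dict) -> list:
    """Return (code, message) findings for one network block."""
    findings = []
    key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())  # documented default
    eap = set(net.get("eap", "").split())                            # empty = all methods
    # With the default key_mgmt a block that only carries a psk is a PSK network.
    uses_eap = bool(key_mgmt & EAP_KEY_MGMT) and (bool(eap) or "psk" not in net)
    if uses_eap and (not eap or eap & TLS_EAP):
        if not ("ca_cert" in net or "ca_path" in net):
            findings.append(("no-ca", "ca_cert/ca_path missing: server certificate is not verified"))
        if "autheap=TLS" in net.get("phase2", "") and not ("ca_cert2" in net or "ca_path2" in net):
            findings.append(("no-ca2", "inner EAP-TLS without ca_cert2/ca_path2"))
    for field in ("phase1", "phase2"):
        if "tls_disable_time_checks=1" in net.get(field, ""):
            findings.append(("time-checks", f"{field} ignores certificate validity time (testing only)"))
    if "NONE" in key_mgmt:
        findings.append(("plaintext", "key_mgmt allows NONE: plaintext or static WEP"))
    if key_mgmt - {"NONE"}:   # some WPA/RSN variant is allowed, so the cipher lists matter
        for field, default in (("pairwise", "CCMP TKIP"), ("group", "CCMP TKIP WEP104 WEP40")):
            weak = set(net.get(field, default).split()) & WEAK_CIPHERS
            if weak:
                origin = "explicit" if field in net else "default"
                findings.append((f"weak-{field}", f"{field} ({origin}) allows {' '.join(sorted(weak))}"))
    return findings


def lint_conf(text: str) -> dict:
    """Map each block's SSID (or <wildcard>) to its findings."""
    return {unquote(n.get("ssid", "<wildcard>")): lint_network(n) for n in parse_conf(text)[1]}


# Constructed sample modelled on the example blocks above.
SAMPLE_CONF = """ctrl_interface=/var/run/wpa_supplicant

network={
	ssid="good-peap"
	key_mgmt=WPA-EAP
	eap=PEAP
	ca_cert="/etc/cert/ca.pem"
	pairwise=CCMP
	group=CCMP
	phase2="auth=MSCHAPV2"
}

network={
	ssid="no-ca-ttls"
	key_mgmt=WPA-EAP
	eap=TTLS
	phase1="tls_disable_time_checks=1"
	pairwise=CCMP
	group=CCMP
}

network={
	ssid="tkip-psk"
	proto=WPA
	key_mgmt=WPA-PSK
	pairwise=TKIP
	group=TKIP
	psk="not so secure passphrase"
}

network={
	ssid="plaintext-test"
	key_mgmt=NONE
}

blob-base64-exampleblob={
SGVsbG8gV29ybGQhCg==
}
"""

if __name__ == "__main__":
    for ssid, findings in lint_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "; ".join(msg for _, msg in findings))
```

Run against the sample, the block with a CA certificate and CCMP-only ciphers is clean, the TTLS block is reported both for the missing CA and for disabled time checks, the TKIP block for its explicit weak ciphers, and the plaintext block for key_mgmt=NONE.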