xref: /freebsd/contrib/wpa/wpa_supplicant/wpa_supplicant.conf (revision c1cdf6a42f0d951ba720688dfc6ce07608b02f6e) 
1##### Example wpa_supplicant configuration file ###############################
2#
3# ***** Please check wpa_supplicant.conf(5) for details on these options *****
4#
5# This file describes configuration file format and lists all available option.
6# Please also take a look at simpler configuration examples in 'examples'
7# subdirectory.
8#
9# Empty lines and lines starting with # are ignored
10
11# NOTE! This file may contain password information and should probably be made
12# readable only by root user on multiuser systems.
13
14# Note: All file paths in this configuration file should use full (absolute,
15# not relative to working directory) path in order to allow working directory
16# to be changed. This can happen if wpa_supplicant is run in the background.
17
18# Whether to allow wpa_supplicant to update (overwrite) configuration
19#
20# This option can be used to allow wpa_supplicant to overwrite configuration
21# file whenever configuration is changed (e.g., new network block is added with
22# wpa_cli or wpa_gui, or a password is changed). This is required for
23# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
24# Please note that overwriting configuration file will remove the comments from
25# it.
26#update_config=1
27
28# global configuration (shared by all network blocks)
29#
30# Parameters for the control interface. If this is specified, wpa_supplicant
31# will open a control interface that is available for external programs to
32# manage wpa_supplicant. The meaning of this string depends on which control
33# interface mechanism is used. For all cases, the existence of this parameter
34# in configuration is used to determine whether the control interface is
35# enabled.
36#
37# For UNIX domain sockets (default on Linux and BSD): This is a directory that
38# will be created for UNIX domain sockets for listening to requests from
39# external programs (CLI/GUI, etc.) for status information and configuration.
40# The socket file will be named based on the interface name, so multiple
41# wpa_supplicant processes can be run at the same time if more than one
42# interface is used.
43# /var/run/wpa_supplicant is the recommended directory for sockets and by
44# default, wpa_cli will use it when trying to connect with wpa_supplicant.
45#
46# Access control for the control interface can be configured by setting the
47# directory to allow only members of a group to use sockets. This way, it is
48# possible to run wpa_supplicant as root (since it needs to change network
49# configuration and open raw sockets) and still allow GUI/CLI components to be
50# run as non-root users. However, since the control interface can be used to
51# change the network configuration, this access needs to be protected in many
52# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
53# want to allow non-root users to use the control interface, add a new group
54# and change this value to match with that group. Add users that should have
55# control interface access to this group. If this variable is commented out or
56# not included in the configuration file, group will not be changed from the
57# value it got by default when the directory or socket was created.
58#
59# When configuring both the directory and group, use following format:
60# DIR=/var/run/wpa_supplicant GROUP=wheel
61# DIR=/var/run/wpa_supplicant GROUP=0
62# (group can be either group name or gid)
63#
64ctrl_interface=/var/run/wpa_supplicant
65
66# IEEE 802.1X/EAPOL version
67# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
68# EAPOL version 2. However, there are many APs that do not handle the new
69# version number correctly (they seem to drop the frames completely). In order
70# to make wpa_supplicant interoperate with these APs, the version number is set
71# to 1 by default. This configuration value can be used to set it to the new
72# version (2).
73# Note: When using MACsec, eapol_version shall be set to 3, which is
74# defined in IEEE Std 802.1X-2010.
75eapol_version=1
76
77# AP scanning/selection
78# By default, wpa_supplicant requests driver to perform AP scanning and then
79# uses the scan results to select a suitable AP. Another alternative is to
80# allow the driver to take care of AP scanning and selection and use
81# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
82# information from the driver.
83# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
84#    the currently enabled networks are found, a new network (IBSS or AP mode
85#    operation) may be initialized (if configured) (default)
86# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
87#    parameters (e.g., WPA IE generation); this mode can also be used with
88#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
89#    APs (i.e., external program needs to control association). This mode must
90#    also be used when using wired Ethernet drivers.
91#    Note: macsec_qca driver is one type of Ethernet driver which implements
92#    macsec feature.
93# 2: like 0, but associate with APs using security policy and SSID (but not
94#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
95#    enable operation with hidden SSIDs and optimized roaming; in this mode,
96#    the network blocks in the configuration file are tried one by one until
97#    the driver reports successful association; each network block should have
98#    explicit security policy (i.e., only one option in the lists) for
99#    key_mgmt, pairwise, group, proto variables
100#
101# For use in FreeBSD with the wlan module ap_scan must be set to 1.
102#
103# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
104# created immediately regardless of scan results. ap_scan=1 mode will first try
105# to scan for existing networks and only if no matches with the enabled
106# networks are found, a new IBSS or AP mode network is created.
107ap_scan=1
108
109# Whether to force passive scan for network connection
110#
111# By default, scans will send out Probe Request frames on channels that allow
112# active scanning. This advertise the local station to the world. Normally this
113# is fine, but users may wish to do passive scanning where the radio should only
114# listen quietly for Beacon frames and not send any Probe Request frames. Actual
115# functionality may be driver dependent.
116#
117# This parameter can be used to force only passive scanning to be used
118# for network connection cases. It should be noted that this will slow
119# down scan operations and reduce likelihood of finding the AP. In
120# addition, some use cases will override this due to functional
121# requirements, e.g., for finding an AP that uses hidden SSID
122# (scan_ssid=1) or P2P device discovery.
123#
124# 0:  Do normal scans (allow active scans) (default)
125# 1:  Do passive scans.
126#passive_scan=0
127
128# MPM residency
129# By default, wpa_supplicant implements the mesh peering manager (MPM) for an
130# open mesh. However, if the driver can implement the MPM, you may set this to
131# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is
132# always used.
133# 0: MPM lives in the driver
134# 1: wpa_supplicant provides an MPM which handles peering (default)
135#user_mpm=1
136
137# Maximum number of peer links (0-255; default: 99)
138# Maximum number of mesh peering currently maintained by the STA.
139#max_peer_links=99
140
141# Timeout in seconds to detect STA inactivity (default: 300 seconds)
142#
143# This timeout value is used in mesh STA to clean up inactive stations.
144#mesh_max_inactivity=300
145
146# cert_in_cb - Whether to include a peer certificate dump in events
147# This controls whether peer certificates for authentication server and
148# its certificate chain are included in EAP peer certificate events. This is
149# enabled by default.
150#cert_in_cb=1
151
152# EAP fast re-authentication
153# By default, fast re-authentication is enabled for all EAP methods that
154# support it. This variable can be used to disable fast re-authentication.
155# Normally, there is no need to disable this.
156fast_reauth=1
157
158# OpenSSL Engine support
159# These options can be used to load OpenSSL engines in special or legacy
160# modes.
161# The two engines that are supported currently are shown below:
162# They are both from the opensc project (http://www.opensc.org/)
163# By default the PKCS#11 engine is loaded if the client_cert or
164# private_key option appear to be a PKCS#11 URI, and these options
165# should not need to be used explicitly.
166# make the opensc engine available
167#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
168# make the pkcs11 engine available
169#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
170# configure the path to the pkcs11 module required by the pkcs11 engine
171#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
172
173# OpenSSL cipher string
174#
175# This is an OpenSSL specific configuration option for configuring the default
176# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
177# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
178# on cipher suite configuration. This is applicable only if wpa_supplicant is
179# built to use OpenSSL.
180#openssl_ciphers=DEFAULT:!EXP:!LOW
181
182
183# Dynamic EAP methods
184# If EAP methods were built dynamically as shared object files, they need to be
185# loaded here before being used in the network blocks. By default, EAP methods
186# are included statically in the build, so these lines are not needed
187#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
188#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
189
190# Driver interface parameters
191# This field can be used to configure arbitrary driver interface parameters. The
192# format is specific to the selected driver interface. This field is not used
193# in most cases.
194#driver_param="field=value"
195
196# Country code
197# The ISO/IEC alpha2 country code for the country in which this device is
198# currently operating.
199#country=US
200
201# Maximum lifetime for PMKSA in seconds; default 43200
202#dot11RSNAConfigPMKLifetime=43200
203# Threshold for reauthentication (percentage of PMK lifetime); default 70
204#dot11RSNAConfigPMKReauthThreshold=70
205# Timeout for security association negotiation in seconds; default 60
206#dot11RSNAConfigSATimeout=60
207
208# Wi-Fi Protected Setup (WPS) parameters
209
210# Universally Unique IDentifier (UUID; see RFC 4122) of the device
211# If not configured, UUID will be generated based on the local MAC address.
212#uuid=12345678-9abc-def0-1234-56789abcdef0
213
214# Device Name
215# User-friendly description of device; up to 32 octets encoded in UTF-8
216#device_name=Wireless Client
217
218# Manufacturer
219# The manufacturer of the device (up to 64 ASCII characters)
220#manufacturer=Company
221
222# Model Name
223# Model of the device (up to 32 ASCII characters)
224#model_name=cmodel
225
226# Model Number
227# Additional device description (up to 32 ASCII characters)
228#model_number=123
229
230# Serial Number
231# Serial number of the device (up to 32 characters)
232#serial_number=12345
233
234# Primary Device Type
235# Used format: <categ>-<OUI>-<subcateg>
236# categ = Category as an integer value
237# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
238#       default WPS OUI
239# subcateg = OUI-specific Sub Category as an integer value
240# Examples:
241#   1-0050F204-1 (Computer / PC)
242#   1-0050F204-2 (Computer / Server)
243#   5-0050F204-1 (Storage / NAS)
244#   6-0050F204-1 (Network Infrastructure / AP)
245#device_type=1-0050F204-1
246
247# OS Version
248# 4-octet operating system version number (hex string)
249#os_version=01020300
250
251# Config Methods
252# List of the supported configuration methods
253# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
254#	nfc_interface push_button keypad virtual_display physical_display
255#	virtual_push_button physical_push_button
256# For WSC 1.0:
257#config_methods=label display push_button keypad
258# For WSC 2.0:
259#config_methods=label virtual_display virtual_push_button keypad
260
261# Credential processing
262#   0 = process received credentials internally (default)
263#   1 = do not process received credentials; just pass them over ctrl_iface to
264#	external program(s)
265#   2 = process received credentials internally and pass them over ctrl_iface
266#	to external program(s)
267#wps_cred_processing=0
268
269# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
270# The vendor attribute contents to be added in M1 (hex string)
271#wps_vendor_ext_m1=000137100100020001
272
273# NFC password token for WPS
274# These parameters can be used to configure a fixed NFC password token for the
275# station. This can be generated, e.g., with nfc_pw_token. When these
276# parameters are used, the station is assumed to be deployed with a NFC tag
277# that includes the matching NFC password token (e.g., written based on the
278# NDEF record from nfc_pw_token).
279#
280#wps_nfc_dev_pw_id: Device Password ID (16..65535)
281#wps_nfc_dh_pubkey: Hexdump of DH Public Key
282#wps_nfc_dh_privkey: Hexdump of DH Private Key
283#wps_nfc_dev_pw: Hexdump of Device Password
284
285# Priority for the networks added through WPS
286# This priority value will be set to each network profile that is added
287# by executing the WPS protocol.
288#wps_priority=0
289
290# Maximum number of BSS entries to keep in memory
291# Default: 200
292# This can be used to limit memory use on the BSS entries (cached scan
293# results). A larger value may be needed in environments that have huge number
294# of APs when using ap_scan=1 mode.
295#bss_max_count=200
296
297# Automatic scan
298# This is an optional set of parameters for automatic scanning
299# within an interface in following format:
300#autoscan=<autoscan module name>:<module parameters>
301# autoscan is like bgscan but on disconnected or inactive state.
302# For instance, on exponential module parameters would be <base>:<limit>
303#autoscan=exponential:3:300
304# Which means a delay between scans on a base exponential of 3,
305# up to the limit of 300 seconds (3, 9, 27 ... 300)
306# For periodic module, parameters would be <fixed interval>
307#autoscan=periodic:30
308# So a delay of 30 seconds will be applied between each scan.
309# Note: If sched_scan_plans are configured and supported by the driver,
310# autoscan is ignored.
311
312# filter_ssids - SSID-based scan result filtering
313# 0 = do not filter scan results (default)
314# 1 = only include configured SSIDs in scan results/BSS table
315#filter_ssids=0
316
317# Password (and passphrase, etc.) backend for external storage
318# format: <backend name>[:<optional backend parameters>]
319#ext_password_backend=test:pw1=password|pw2=testing
320
321
322# Disable P2P functionality
323# p2p_disabled=1
324
325# Timeout in seconds to detect STA inactivity (default: 300 seconds)
326#
327# This timeout value is used in P2P GO mode to clean up
328# inactive stations.
329#p2p_go_max_inactivity=300
330
331# Passphrase length (8..63) for P2P GO
332#
333# This parameter controls the length of the random passphrase that is
334# generated at the GO. Default: 8.
335#p2p_passphrase_len=8
336
337# Extra delay between concurrent P2P search iterations
338#
339# This value adds extra delay in milliseconds between concurrent search
340# iterations to make p2p_find friendlier to concurrent operations by avoiding
341# it from taking 100% of radio resources. The default value is 500 ms.
342#p2p_search_delay=500
343
344# Opportunistic Key Caching (also known as Proactive Key Caching) default
345# This parameter can be used to set the default behavior for the
346# proactive_key_caching parameter. By default, OKC is disabled unless enabled
347# with the global okc=1 parameter or with the per-network
348# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
349# can be disabled with per-network proactive_key_caching=0 parameter.
350#okc=0
351
352# Protected Management Frames default
353# This parameter can be used to set the default behavior for the ieee80211w
354# parameter for RSN networks. By default, PMF is disabled unless enabled with
355# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter.
356# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the
357# per-network ieee80211w parameter. This global default value does not apply
358# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using
359# RSN.
360#pmf=0
361
362# Enabled SAE finite cyclic groups in preference order
363# By default (if this parameter is not set), the mandatory group 19 (ECC group
364# defined over a 256-bit prime order field) is preferred, but other groups are
365# also enabled. If this parameter is set, the groups will be tried in the
366# indicated order. The group values are listed in the IANA registry:
367# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
368#sae_groups=21 20 19 26 25
369
370# Default value for DTIM period (if not overridden in network block)
371#dtim_period=2
372
373# Default value for Beacon interval (if not overridden in network block)
374#beacon_int=100
375
376# Additional vendor specific elements for Beacon and Probe Response frames
377# This parameter can be used to add additional vendor specific element(s) into
378# the end of the Beacon and Probe Response frames. The format for these
379# element(s) is a hexdump of the raw information elements (id+len+payload for
380# one or more elements). This is used in AP and P2P GO modes.
381#ap_vendor_elements=dd0411223301
382
383# Ignore scan results older than request
384#
385# The driver may have a cache of scan results that makes it return
386# information that is older than our scan trigger. This parameter can
387# be used to configure such old information to be ignored instead of
388# allowing it to update the internal BSS table.
389#ignore_old_scan_res=0
390
391# scan_cur_freq: Whether to scan only the current frequency
392# 0:  Scan all available frequencies. (Default)
393# 1:  Scan current operating frequency if another VIF on the same radio
394#     is already associated.
395
396# MAC address policy default
397# 0 = use permanent MAC address
398# 1 = use random MAC address for each ESS connection
399# 2 = like 1, but maintain OUI (with local admin bit set)
400#
401# By default, permanent MAC address is used unless policy is changed by
402# the per-network mac_addr parameter. Global mac_addr=1 can be used to
403# change this default behavior.
404#mac_addr=0
405
406# Lifetime of random MAC address in seconds (default: 60)
407#rand_addr_lifetime=60
408
409# MAC address policy for pre-association operations (scanning, ANQP)
410# 0 = use permanent MAC address
411# 1 = use random MAC address
412# 2 = like 1, but maintain OUI (with local admin bit set)
413#preassoc_mac_addr=0
414
415# Interworking (IEEE 802.11u)
416
417# Enable Interworking
418# interworking=1
419
420# Homogenous ESS identifier
421# If this is set, scans will be used to request response only from BSSes
422# belonging to the specified Homogeneous ESS. This is used only if interworking
423# is enabled.
424# hessid=00:11:22:33:44:55
425
426# Automatic network selection behavior
427# 0 = do not automatically go through Interworking network selection
428#     (i.e., require explicit interworking_select command for this; default)
429# 1 = perform Interworking network selection if one or more
430#     credentials have been configured and scan did not find a
431#     matching network block
432#auto_interworking=0
433
434# GAS Address3 field behavior
435# 0 = P2P specification (Address3 = AP BSSID); default
436# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when
437#     sent to not-associated AP; if associated, AP BSSID)
438#gas_address3=0
439
440# Publish fine timing measurement (FTM) responder functionality in
441# the Extended Capabilities element bit 70.
442# Controls whether FTM responder functionality will be published by AP/STA.
443# Note that actual FTM responder operation is managed outside wpa_supplicant.
444# 0 = Do not publish; default
445# 1 = Publish
446#ftm_responder=0
447
448# Publish fine timing measurement (FTM) initiator functionality in
449# the Extended Capabilities element bit 71.
450# Controls whether FTM initiator functionality will be published by AP/STA.
451# Note that actual FTM initiator operation is managed outside wpa_supplicant.
452# 0 = Do not publish; default
453# 1 = Publish
454#ftm_initiator=0
455
456# credential block
457#
458# Each credential used for automatic network selection is configured as a set
459# of parameters that are compared to the information advertised by the APs when
460# interworking_select and interworking_connect commands are used.
461#
462# credential fields:
463#
464# temporary: Whether this credential is temporary and not to be saved
465#
466# priority: Priority group
467#	By default, all networks and credentials get the same priority group
468#	(0). This field can be used to give higher priority for credentials
469#	(and similarly in struct wpa_ssid for network blocks) to change the
470#	Interworking automatic networking selection behavior. The matching
471#	network (based on either an enabled network block or a credential)
472#	with the highest priority value will be selected.
473#
474# pcsc: Use PC/SC and SIM/USIM card
475#
476# realm: Home Realm for Interworking
477#
478# username: Username for Interworking network selection
479#
480# password: Password for Interworking network selection
481#
482# ca_cert: CA certificate for Interworking network selection
483#
484# client_cert: File path to client certificate file (PEM/DER)
485#	This field is used with Interworking networking selection for a case
486#	where client certificate/private key is used for authentication
487#	(EAP-TLS). Full path to the file should be used since working
488#	directory may change when wpa_supplicant is run in the background.
489#
490#	Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
491#
492#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
493#
494#	Alternatively, a named configuration blob can be used by setting
495#	this to blob://blob_name.
496#
497# private_key: File path to client private key file (PEM/DER/PFX)
498#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
499#	commented out. Both the private key and certificate will be read
500#	from the PKCS#12 file in this case. Full path to the file should be
501#	used since working directory may change when wpa_supplicant is run
502#	in the background.
503#
504#	Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
505#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
506#
507#	Windows certificate store can be used by leaving client_cert out and
508#	configuring private_key in one of the following formats:
509#
510#	cert://substring_to_match
511#
512#	hash://certificate_thumbprint_in_hex
513#
514#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
515#
516#	Note that when running wpa_supplicant as an application, the user
517#	certificate store (My user account) is used, whereas computer store
518#	(Computer account) is used when running wpasvc as a service.
519#
520#	Alternatively, a named configuration blob can be used by setting
521#	this to blob://blob_name.
522#
523# private_key_passwd: Password for private key file
524#
525# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
526#
527# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
528#	format
529#
530# domain: Home service provider FQDN(s)
531#	This is used to compare against the Domain Name List to figure out
532#	whether the AP is operated by the Home SP. Multiple domain entries can
533#	be used to configure alternative FQDNs that will be considered home
534#	networks.
535#
536# roaming_consortium: Roaming Consortium OI
537#	If roaming_consortium_len is non-zero, this field contains the
538#	Roaming Consortium OI that can be used to determine which access
539#	points support authentication with this credential. This is an
540#	alternative to the use of the realm parameter. When using Roaming
541#	Consortium to match the network, the EAP parameters need to be
542#	pre-configured with the credential since the NAI Realm information
543#	may not be available or fetched.
544#
545# eap: Pre-configured EAP method
546#	This optional field can be used to specify which EAP method will be
547#	used with this credential. If not set, the EAP method is selected
548#	automatically based on ANQP information (e.g., NAI Realm).
549#
550# phase1: Pre-configure Phase 1 (outer authentication) parameters
551#	This optional field is used with like the 'eap' parameter.
552#
553# phase2: Pre-configure Phase 2 (inner authentication) parameters
554#	This optional field is used with like the 'eap' parameter.
555#
556# excluded_ssid: Excluded SSID
557#	This optional field can be used to excluded specific SSID(s) from
558#	matching with the network. Multiple entries can be used to specify more
559#	than one SSID.
560#
561# roaming_partner: Roaming partner information
562#	This optional field can be used to configure preferences between roaming
563#	partners. The field is a string in following format:
564#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>
565#	(non-exact match means any subdomain matches the entry; priority is in
566#	0..255 range with 0 being the highest priority)
567#
568# update_identifier: PPS MO ID
569#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
570#
571# provisioning_sp: FQDN of the SP that provisioned the credential
572#	This optional field can be used to keep track of the SP that provisioned
573#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
574#
575# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)
576#	These fields can be used to specify minimum download/upload backhaul
577#	bandwidth that is preferred for the credential. This constraint is
578#	ignored if the AP does not advertise WAN Metrics information or if the
579#	limit would prevent any connection. Values are in kilobits per second.
580# min_dl_bandwidth_home
581# min_ul_bandwidth_home
582# min_dl_bandwidth_roaming
583# min_ul_bandwidth_roaming
584#
585# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
586#	(PPS/<X+>/Policy/MaximumBSSLoadValue)
587#	This value is used as the maximum channel utilization for network
588#	selection purposes for home networks. If the AP does not advertise
589#	BSS Load or if the limit would prevent any connection, this constraint
590#	will be ignored.
591#
592# req_conn_capab: Required connection capability
593#	(PPS/<X+>/Policy/RequiredProtoPortTuple)
594#	This value is used to configure set of required protocol/port pairs that
595#	a roaming network shall support (include explicitly in Connection
596#	Capability ANQP element). This constraint is ignored if the AP does not
597#	advertise Connection Capability or if this constraint would prevent any
598#	network connection. This policy is not used in home networks.
599#	Format: <protocol>[:<comma-separated list of ports]
600#	Multiple entries can be used to list multiple requirements.
601#	For example, number of common TCP protocols:
602#	req_conn_capab=6,22,80,443
603#	For example, IPSec/IKE:
604#	req_conn_capab=17:500
605#	req_conn_capab=50
606#
607# ocsp: Whether to use/require OCSP to check server certificate
608#	0 = do not use OCSP stapling (TLS certificate status extension)
609#	1 = try to use OCSP stapling, but not require response
610#	2 = require valid OCSP stapling response
611#	3 = require valid OCSP stapling response for all not-trusted
612#	    certificates in the server certificate chain
613#
614# sim_num: Identifier for which SIM to use in multi-SIM devices
615#
616# for example:
617#
618#cred={
619#	realm="example.com"
620#	username="user@example.com"
621#	password="password"
622#	ca_cert="/etc/wpa_supplicant/ca.pem"
623#	domain="example.com"
624#}
625#
626#cred={
627#	imsi="310026-000000000"
628#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
629#}
630#
631#cred={
632#	realm="example.com"
633#	username="user"
634#	password="password"
635#	ca_cert="/etc/wpa_supplicant/ca.pem"
636#	domain="example.com"
637#	roaming_consortium=223344
638#	eap=TTLS
639#	phase2="auth=MSCHAPV2"
640#}
641
642# Hotspot 2.0
643# hs20=1
644
645# Scheduled scan plans
646#
647# A space delimited list of scan plans. Each scan plan specifies the scan
648# interval and number of iterations, delimited by a colon. The last scan plan
649# will run infinitely and thus must specify only the interval and not the number
650# of iterations.
651#
652# The driver advertises the maximum number of scan plans supported. If more scan
653# plans than supported are configured, only the first ones are set (up to the
654# maximum supported). The last scan plan that specifies only the interval is
655# always set as the last plan.
656#
657# If the scan interval or the number of iterations for a scan plan exceeds the
658# maximum supported, it will be set to the maximum supported value.
659#
660# Format:
661# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
662#
663# Example:
664# sched_scan_plans=10:100 20:200 30
665
666# Multi Band Operation (MBO) non-preferred channels
667# A space delimited list of non-preferred channels where each channel is a colon
668# delimited list of values.
669# Format:
670# non_pref_chan=<oper_class>:<chan>:<preference>:<reason>
671# Example:
672# non_pref_chan="81:5:10:2 81:1:0:2 81:9:0:2"
673
674# MBO Cellular Data Capabilities
675# 1 = Cellular data connection available
676# 2 = Cellular data connection not available
677# 3 = Not cellular capable (default)
678#mbo_cell_capa=3
679
680# network block
681#
682# Each network (usually AP's sharing the same SSID) is configured as a separate
683# block in this configuration file. The network blocks are in preference order
684# (the first match is used).
685#
686# network block fields:
687#
688# disabled:
689#	0 = this network can be used (default)
690#	1 = this network block is disabled (can be enabled through ctrl_iface,
691#	    e.g., with wpa_cli or wpa_gui)
692#
693# id_str: Network identifier string for external scripts. This value is passed
694#	to external action script through wpa_cli as WPA_ID_STR environment
695#	variable to make it easier to do network specific configuration.
696#
697# ssid: SSID (mandatory); network name in one of the optional formats:
698#	- an ASCII string with double quotation
699#	- a hex string (two characters per octet of SSID)
700#	- a printf-escaped ASCII string P"<escaped string>"
701#
702# scan_ssid:
703#	0 = do not scan this SSID with specific Probe Request frames (default)
704#	1 = scan with SSID-specific Probe Request frames (this can be used to
705#	    find APs that hide (do not broadcast) SSID or use multiple SSIDs;
706#	    this will add latency to scanning, so enable this only when needed)
707#
708# bssid: BSSID (optional); if set, this network block is used only when
709#	associating with the AP using the configured BSSID
710#
711# priority: priority group (integer)
712# By default, all networks will get same priority group (0). If some of the
713# networks are more desirable, this field can be used to change the order in
714# which wpa_supplicant goes through the networks when selecting a BSS. The
715# priority groups will be iterated in decreasing priority (i.e., the larger the
716# priority value, the sooner the network is matched against the scan results).
717# Within each priority group, networks will be selected based on security
718# policy, signal strength, etc.
719# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
720# using this priority to select the order for scanning. Instead, they try the
721# networks in the order that they are listed in the configuration file.
722#
723# mode: IEEE 802.11 operation mode
724# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
725# 1 = IBSS (ad-hoc, peer-to-peer)
726# 2 = AP (access point)
727# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
728# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
729# TKIP/CCMP) is available for backwards compatibility, but its use is
730# deprecated. WPA-None requires following network block options:
731# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
732# both), and psk must also be set.
733#
734# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
735# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
736# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
737# In addition, this value is only used by the station that creates the IBSS. If
738# an IBSS network with the configured SSID is already present, the frequency of
739# the network will be used instead of this configured value.
740#
741# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
742# 0 = do not use PBSS
743# 1 = use PBSS
744# 2 = don't care (not allowed in AP mode)
745# Used together with mode configuration. When mode is AP, it means to start a
746# PCP instead of a regular AP. When mode is infrastructure it means connect
747# to a PCP instead of AP. In this mode you can also specify 2 (don't care)
748# which means connect to either PCP or AP.
749# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.
750# For more details, see IEEE Std 802.11ad-2012.
751#
752# scan_freq: List of frequencies to scan
753# Space-separated list of frequencies in MHz to scan when searching for this
754# BSS. If the subset of channels used by the network is known, this option can
755# be used to optimize scanning to not occur on channels that the network does
756# not use. Example: scan_freq=2412 2437 2462
757#
758# freq_list: Array of allowed frequencies
759# Space-separated list of frequencies in MHz to allow for selecting the BSS. If
760# set, scan results that do not match any of the specified frequencies are not
761# considered when selecting a BSS.
762#
763# This can also be set on the outside of the network block. In this case,
764# it limits the frequencies that will be scanned.
765#
766# bgscan: Background scanning
767# wpa_supplicant behavior for background scanning can be specified by
768# configuring a bgscan module. These modules are responsible for requesting
769# background scans for the purpose of roaming within an ESS (i.e., within a
770# single network block with all the APs using the same SSID). The bgscan
771# parameter uses following format: "<bgscan module name>:<module parameters>"
772# Following bgscan modules are available:
773# simple - Periodic background scans based on signal strength
774# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
775# <long interval>"
776# bgscan="simple:30:-45:300"
777# learn - Learn channels used by the network and try to avoid bgscans on other
778# channels (experimental)
779# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
780# <long interval>[:<database file name>]"
781# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
782# Explicitly disable bgscan by setting
783# bgscan=""
784#
785# This option can also be set outside of all network blocks for the bgscan
786# parameter to apply for all the networks that have no specific bgscan
787# parameter.
788#
789# proto: list of accepted protocols
790# WPA = WPA/IEEE 802.11i/D3.0
791# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
792# If not set, this defaults to: WPA RSN
793#
794# key_mgmt: list of accepted authenticated key management protocols
795# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
796# WPA-EAP = WPA using EAP authentication
797# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
798#	generated WEP keys
799# NONE = WPA is not used; plaintext or static WEP could be used
800# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
801#	instead)
802# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
803# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
804# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
805# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
806# SAE = Simultaneous authentication of equals; pre-shared key/password -based
807#	authentication with stronger security than WPA-PSK especially when using
808#	not that strong password
809# FT-SAE = SAE with FT
810# WPA-EAP-SUITE-B = Suite B 128-bit level
811# WPA-EAP-SUITE-B-192 = Suite B 192-bit level
812# OSEN = Hotspot 2.0 Rel 2 online signup connection
813# If not set, this defaults to: WPA-PSK WPA-EAP
814#
815# ieee80211w: whether management frame protection is enabled
816# 0 = disabled (default unless changed with the global pmf parameter)
817# 1 = optional
818# 2 = required
819# The most common configuration options for this based on the PMF (protected
820# management frames) certification program are:
821# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
822# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
823# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
824#
825# auth_alg: list of allowed IEEE 802.11 authentication algorithms
826# OPEN = Open System authentication (required for WPA/WPA2)
827# SHARED = Shared Key authentication (requires static WEP keys)
828# LEAP = LEAP/Network EAP (only used with LEAP)
829# If not set, automatic selection is used (Open System with LEAP enabled if
830# LEAP is allowed as one of the EAP methods).
831#
832# pairwise: list of accepted pairwise (unicast) ciphers for WPA
833# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
834# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
835# NONE = Use only Group Keys (deprecated, should not be included if APs support
836#	pairwise keys)
837# If not set, this defaults to: CCMP TKIP
838#
839# group: list of accepted group (broadcast/multicast) ciphers for WPA
840# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
841# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
842# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
843# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
844# If not set, this defaults to: CCMP TKIP WEP104 WEP40
845#
846# psk: WPA preshared key; 256-bit pre-shared key
847# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
848# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
849# generated using the passphrase and SSID). ASCII passphrase must be between
850# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
851# be used to indicate that the PSK/passphrase is stored in external storage.
852# This field is not needed, if WPA-EAP is used.
853# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
854# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
855# startup and reconfiguration time can be optimized by generating the PSK only
856# only when the passphrase or SSID has actually changed.
857#
858# mem_only_psk: Whether to keep PSK/passphrase only in memory
859# 0 = allow psk/passphrase to be stored to the configuration file
860# 1 = do not store psk/passphrase to the configuration file
861#mem_only_psk=0
862#
863# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
864# Dynamic WEP key required for non-WPA mode
865# bit0 (1): require dynamically generated unicast WEP key
866# bit1 (2): require dynamically generated broadcast WEP key
867# 	(3 = require both keys; default)
868# Note: When using wired authentication (including macsec_qca driver),
869# eapol_flags must be set to 0 for the authentication to be completed
870# successfully.
871#
872# macsec_policy: IEEE 802.1X/MACsec options
873# This determines how sessions are secured with MACsec. It is currently
874# applicable only when using the macsec_qca driver interface.
875# 0: MACsec not in use (default)
876# 1: MACsec enabled - Should secure, accept key server's advice to
877#    determine whether to use a secure session or not.
878#
879# mixed_cell: This option can be used to configure whether so called mixed
880# cells, i.e., networks that use both plaintext and encryption in the same
881# SSID, are allowed when selecting a BSS from scan results.
882# 0 = disabled (default)
883# 1 = enabled
884#
885# proactive_key_caching:
886# Enable/disable opportunistic PMKSA caching for WPA2.
887# 0 = disabled (default unless changed with the global okc parameter)
888# 1 = enabled
889#
890# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
891# hex without quotation, e.g., 0102030405)
892# wep_tx_keyidx: Default WEP key index (TX) (0..3)
893#
894# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
895# allowed. This is only used with RSN/WPA2.
896# 0 = disabled (default)
897# 1 = enabled
898#peerkey=1
899#
900# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
901# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
902#
903# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
904# as the dot11RSNAConfigGroupRekeyTime parameter when operating in
905# Authenticator role in IBSS.
906#
907# Following fields are only used with internal EAP implementation.
908# eap: space-separated list of accepted EAP methods
909#	MD5 = EAP-MD5 (insecure and does not generate keying material ->
910#			cannot be used with WPA; to be used as a Phase 2 method
911#			with EAP-PEAP or EAP-TTLS)
912#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
913#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
914#       OTP = EAP-OTP (cannot be used separately with WPA; to be used
915#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
916#       GTC = EAP-GTC (cannot be used separately with WPA; to be used
917#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
918#	TLS = EAP-TLS (client and server certificate)
919#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
920#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
921#			 authentication)
922#	If not set, all compiled in methods are allowed.
923#
924# identity: Identity string for EAP
925#	This field is also used to configure user NAI for
926#	EAP-PSK/PAX/SAKE/GPSK.
927# anonymous_identity: Anonymous identity string for EAP (to be used as the
928#	unencrypted identity with EAP types that support different tunnelled
929#	identity, e.g., EAP-TTLS). This field can also be used with
930#	EAP-SIM/AKA/AKA' to store the pseudonym identity.
931# password: Password string for EAP. This field can include either the
932#	plaintext password (using ASCII or hex string) or a NtPasswordHash
933#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.
934#	NtPasswordHash can only be used when the password is for MSCHAPv2 or
935#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
936#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
937#	PSK) is also configured using this field. For EAP-GPSK, this is a
938#	variable length PSK. ext:<name of external password field> format can
939#	be used to indicate that the password is stored in external storage.
940# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
941#	or more trusted CA certificates. If ca_cert and ca_path are not
942#	included, server certificate will not be verified. This is insecure and
943#	a trusted CA certificate should always be configured when using
944#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
945#	change when wpa_supplicant is run in the background.
946#
947#	Alternatively, this can be used to only perform matching of the server
948#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In
949#	this case, the possible CA certificates in the server certificate chain
950#	are ignored and only the server certificate is verified. This is
951#	configured with the following format:
952#	hash:://server/sha256/cert_hash_in_hex
953#	For example: "hash://server/sha256/
954#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
955#
956#	On Windows, trusted CA certificates can be loaded from the system
957#	certificate store by setting this to cert_store://<name>, e.g.,
958#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
959#	Note that when running wpa_supplicant as an application, the user
960#	certificate store (My user account) is used, whereas computer store
961#	(Computer account) is used when running wpasvc as a service.
962# ca_path: Directory path for CA certificate files (PEM). This path may
963#	contain multiple CA certificates in OpenSSL format. Common use for this
964#	is to point to system trusted CA list which is often installed into
965#	directory like /etc/ssl/certs. If configured, these certificates are
966#	added to the list of trusted CAs. ca_cert may also be included in that
967#	case, but it is not required.
968# client_cert: File path to client certificate file (PEM/DER)
969#	Full path should be used since working directory may change when
970#	wpa_supplicant is run in the background.
971#	Alternatively, a named configuration blob can be used by setting this
972#	to blob://<blob name>.
973# private_key: File path to client private key file (PEM/DER/PFX)
974#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
975#	commented out. Both the private key and certificate will be read from
976#	the PKCS#12 file in this case. Full path should be used since working
977#	directory may change when wpa_supplicant is run in the background.
978#	Windows certificate store can be used by leaving client_cert out and
979#	configuring private_key in one of the following formats:
980#	cert://substring_to_match
981#	hash://certificate_thumbprint_in_hex
982#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
983#	Note that when running wpa_supplicant as an application, the user
984#	certificate store (My user account) is used, whereas computer store
985#	(Computer account) is used when running wpasvc as a service.
986#	Alternatively, a named configuration blob can be used by setting this
987#	to blob://<blob name>.
988# private_key_passwd: Password for private key file (if left out, this will be
989#	asked through control interface)
990# dh_file: File path to DH/DSA parameters file (in PEM format)
991#	This is an optional configuration file for setting parameters for an
992#	ephemeral DH key exchange. In most cases, the default RSA
993#	authentication does not use this configuration. However, it is possible
994#	setup RSA to use ephemeral DH key exchange. In addition, ciphers with
995#	DSA keys always use ephemeral DH keys. This can be used to achieve
996#	forward secrecy. If the file is in DSA parameters format, it will be
997#	automatically converted into DH params.
998# subject_match: Substring to be matched against the subject of the
999#	authentication server certificate. If this string is set, the server
1000#	certificate is only accepted if it contains this string in the subject.
1001#	The subject string is in following format:
1002#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
1003#	Note: Since this is a substring match, this cannot be used securely to
1004#	do a suffix match against a possible domain name in the CN entry. For
1005#	such a use case, domain_suffix_match or domain_match should be used
1006#	instead.
1007# altsubject_match: Semicolon separated string of entries to be matched against
1008#	the alternative subject name of the authentication server certificate.
1009#	If this string is set, the server certificate is only accepted if it
1010#	contains one of the entries in an alternative subject name extension.
1011#	altSubjectName string is in following format: TYPE:VALUE
1012#	Example: EMAIL:server@example.com
1013#	Example: DNS:server.example.com;DNS:server2.example.com
1014#	Following types are supported: EMAIL, DNS, URI
1015# domain_suffix_match: Constraint for server domain name. If set, this FQDN is
1016#	used as a suffix match requirement for the AAA server certificate in
1017#	SubjectAltName dNSName element(s). If a matching dNSName is found, this
1018#	constraint is met. If no dNSName values are present, this constraint is
1019#	matched against SubjectName CN using same suffix match comparison.
1020#
1021#	Suffix match here means that the host/domain name is compared one label
1022#	at a time starting from the top-level domain and all the labels in
1023#	domain_suffix_match shall be included in the certificate. The
1024#	certificate may include additional sub-level labels in addition to the
1025#	required labels.
1026#
1027#	For example, domain_suffix_match=example.com would match
1028#	test.example.com but would not match test-example.com.
1029# domain_match: Constraint for server domain name
1030#	If set, this FQDN is used as a full match requirement for the
1031#	server certificate in SubjectAltName dNSName element(s). If a
1032#	matching dNSName is found, this constraint is met. If no dNSName
1033#	values are present, this constraint is matched against SubjectName CN
1034#	using same full match comparison. This behavior is similar to
1035#	domain_suffix_match, but has the requirement of a full match, i.e.,
1036#	no subdomains or wildcard matches are allowed. Case-insensitive
1037#	comparison is used, so "Example.com" matches "example.com", but would
1038#	not match "test.Example.com".
1039# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
1040#	(string with field-value pairs, e.g., "peapver=0" or
1041#	"peapver=1 peaplabel=1")
1042#	'peapver' can be used to force which PEAP version (0 or 1) is used.
1043#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
1044#	to be used during key derivation when PEAPv1 or newer. Most existing
1045#	PEAPv1 implementation seem to be using the old label, "client EAP
1046#	encryption", and wpa_supplicant is now using that as the default value.
1047#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
1048#	interoperate with PEAPv1; see eap_testing.txt for more details.
1049#	'peap_outer_success=0' can be used to terminate PEAP authentication on
1050#	tunneled EAP-Success. This is required with some RADIUS servers that
1051#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
1052#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
1053#	include_tls_length=1 can be used to force wpa_supplicant to include
1054#	TLS Message Length field in all TLS messages even if they are not
1055#	fragmented.
1056#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
1057#	challenges (by default, it accepts 2 or 3)
1058#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
1059#	protected result indication.
1060#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
1061#	behavior:
1062#	 * 0 = do not use cryptobinding (default)
1063#	 * 1 = use cryptobinding if server supports it
1064#	 * 2 = require cryptobinding
1065#	EAP-WSC (WPS) uses following options: pin=<Device Password> or
1066#	pbc=1.
1067#
1068#	For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
1069#	used to configure a mode that allows EAP-Success (and EAP-Failure)
1070#	without going through authentication step. Some switches use such
1071#	sequence when forcing the port to be authorized/unauthorized or as a
1072#	fallback option if the authentication server is unreachable. By default,
1073#	wpa_supplicant discards such frames to protect against potential attacks
1074#	by rogue devices, but this option can be used to disable that protection
1075#	for cases where the server/authenticator does not need to be
1076#	authenticated.
1077# phase2: Phase2 (inner authentication with TLS tunnel) parameters
1078#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
1079#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
1080#	used to disable MSCHAPv2 password retry in authentication failure cases.
1081#
1082# TLS-based methods can use the following parameters to control TLS behavior
1083# (these are normally in the phase1 parameter, but can be used also in the
1084# phase2 parameter when EAP-TLS is used within the inner tunnel):
1085# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
1086#	TLS library, these may be disabled by default to enforce stronger
1087#	security)
1088# tls_disable_time_checks=1 - ignore certificate validity time (this requests
1089#	the TLS library to accept certificates even if they are not currently
1090#	valid, i.e., have expired or have not yet become valid; this should be
1091#	used only for testing purposes)
1092# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
1093# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
1094#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
1095#	as a workaround for broken authentication server implementations unless
1096#	EAP workarounds are disabled with eap_workaround=0.
1097#	For EAP-FAST, this must be set to 0 (or left unconfigured for the
1098#	default value to be used automatically).
1099# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
1100# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
1101#	that have issues interoperating with updated TLS version)
1102# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
1103#	that have issues interoperating with updated TLS version)
1104# tls_ext_cert_check=0 - No external server certificate validation (default)
1105# tls_ext_cert_check=1 - External server certificate validation enabled; this
1106#	requires an external program doing validation of server certificate
1107#	chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
1108#	interface and report the result of the validation with
1109#	CTRL-RSP_EXT_CERT_CHECK.
1110#
1111# Following certificate/private key fields are used in inner Phase2
1112# authentication when using EAP-TTLS or EAP-PEAP.
1113# ca_cert2: File path to CA certificate file. This file can have one or more
1114#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,
1115#	server certificate will not be verified. This is insecure and a trusted
1116#	CA certificate should always be configured.
1117# ca_path2: Directory path for CA certificate files (PEM)
1118# client_cert2: File path to client certificate file
1119# private_key2: File path to client private key file
1120# private_key2_passwd: Password for private key file
1121# dh_file2: File path to DH/DSA parameters file (in PEM format)
1122# subject_match2: Substring to be matched against the subject of the
1123#	authentication server certificate. See subject_match for more details.
1124# altsubject_match2: Semicolon separated string of entries to be matched
1125#	against the alternative subject name of the authentication server
1126#	certificate. See altsubject_match documentation for more details.
1127# domain_suffix_match2: Constraint for server domain name. See
1128#	domain_suffix_match for more details.
1129#
1130# fragment_size: Maximum EAP fragment size in bytes (default 1398).
1131#	This value limits the fragment size for EAP methods that support
1132#	fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
1133#	small enough to make the EAP messages fit in MTU of the network
1134#	interface used for EAPOL. The default value is suitable for most
1135#	cases.
1136#
1137# ocsp: Whether to use/require OCSP to check server certificate
1138#	0 = do not use OCSP stapling (TLS certificate status extension)
1139#	1 = try to use OCSP stapling, but not require response
1140#	2 = require valid OCSP stapling response
1141#	3 = require valid OCSP stapling response for all not-trusted
1142#	    certificates in the server certificate chain
1143#
1144# openssl_ciphers: OpenSSL specific cipher configuration
1145#	This can be used to override the global openssl_ciphers configuration
1146#	parameter (see above).
1147#
1148# erp: Whether EAP Re-authentication Protocol (ERP) is enabled
1149#
1150# EAP-FAST variables:
1151# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
1152#	to create this file and write updates to it when PAC is being
1153#	provisioned or refreshed. Full path to the file should be used since
1154#	working directory may change when wpa_supplicant is run in the
1155#	background. Alternatively, a named configuration blob can be used by
1156#	setting this to blob://<blob name>
1157# phase1: fast_provisioning option can be used to enable in-line provisioning
1158#         of EAP-FAST credentials (PAC):
1159#         0 = disabled,
1160#         1 = allow unauthenticated provisioning,
1161#         2 = allow authenticated provisioning,
1162#         3 = allow both unauthenticated and authenticated provisioning
1163#	fast_max_pac_list_len=<num> option can be used to set the maximum
1164#		number of PAC entries to store in a PAC list (default: 10)
1165#	fast_pac_format=binary option can be used to select binary format for
1166#		storing PAC entries in order to save some space (the default
1167#		text format uses about 2.5 times the size of minimal binary
1168#		format)
1169#
1170# wpa_supplicant supports number of "EAP workarounds" to work around
1171# interoperability issues with incorrectly behaving authentication servers.
1172# These are enabled by default because some of the issues are present in large
1173# number of authentication servers. Strict EAP conformance mode can be
1174# configured by disabling workarounds with eap_workaround=0.
1175
1176# update_identifier: PPS MO ID
1177#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
1178
1179# Station inactivity limit
1180#
1181# If a station does not send anything in ap_max_inactivity seconds, an
1182# empty data frame is sent to it in order to verify whether it is
1183# still in range. If this frame is not ACKed, the station will be
1184# disassociated and then deauthenticated. This feature is used to
1185# clear station table of old entries when the STAs move out of the
1186# range.
1187#
1188# The station can associate again with the AP if it is still in range;
1189# this inactivity poll is just used as a nicer way of verifying
1190# inactivity; i.e., client will not report broken connection because
1191# disassociation frame is not sent immediately without first polling
1192# the STA with a data frame.
1193# default: 300 (i.e., 5 minutes)
1194#ap_max_inactivity=300
1195
1196# DTIM period in Beacon intervals for AP mode (default: 2)
1197#dtim_period=2
1198
1199# Beacon interval (default: 100 TU)
1200#beacon_int=100
1201
1202# WPS in AP mode
1203# 0 = WPS enabled and configured (default)
1204# 1 = WPS disabled
1205#wps_disabled=0
1206
1207# MAC address policy
1208# 0 = use permanent MAC address
1209# 1 = use random MAC address for each ESS connection
1210# 2 = like 1, but maintain OUI (with local admin bit set)
1211#mac_addr=0
1212
1213# disable_ht: Whether HT (802.11n) should be disabled.
1214# 0 = HT enabled (if AP supports it)
1215# 1 = HT disabled
1216#
1217# disable_ht40: Whether HT-40 (802.11n) should be disabled.
1218# 0 = HT-40 enabled (if AP supports it)
1219# 1 = HT-40 disabled
1220#
1221# disable_sgi: Whether SGI (short guard interval) should be disabled.
1222# 0 = SGI enabled (if AP supports it)
1223# 1 = SGI disabled
1224#
1225# disable_ldpc: Whether LDPC should be disabled.
1226# 0 = LDPC enabled (if AP supports it)
1227# 1 = LDPC disabled
1228#
1229# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
1230# 0 = 40 MHz tolerant (default)
1231# 1 = 40 MHz intolerant
1232#
1233# ht_mcs:  Configure allowed MCS rates.
1234#  Parsed as an array of bytes, in base-16 (ascii-hex)
1235# ht_mcs=""                                   // Use all available (default)
1236# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "   // Use MCS 0-7 only
1237# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "   // Use MCS 0-15 only
1238#
1239# disable_max_amsdu:  Whether MAX_AMSDU should be disabled.
1240# -1 = Do not make any changes.
1241# 0  = Enable MAX-AMSDU if hardware supports it.
1242# 1  = Disable AMSDU
1243#
1244# ampdu_factor: Maximum A-MPDU Length Exponent
1245# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
1246#
1247# ampdu_density:  Allow overriding AMPDU density configuration.
1248#  Treated as hint by the kernel.
1249# -1 = Do not make any changes.
1250# 0-3 = Set AMPDU density (aka factor) to specified value.
1251
1252# disable_vht: Whether VHT should be disabled.
1253# 0 = VHT enabled (if AP supports it)
1254# 1 = VHT disabled
1255#
1256# vht_capa: VHT capabilities to set in the override
1257# vht_capa_mask: mask of VHT capabilities
1258#
1259# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
1260# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
1261#  0: MCS 0-7
1262#  1: MCS 0-8
1263#  2: MCS 0-9
1264#  3: not supported
1265
1266##### Fast Session Transfer (FST) support #####################################
1267#
1268# The options in this section are only available when the build configuration
1269# option CONFIG_FST is set while compiling wpa_supplicant. They allow this
1270# interface to be a part of FST setup.
1271#
1272# FST is the transfer of a session from a channel to another channel, in the
1273# same or different frequency bands.
1274#
1275# For details, see IEEE Std 802.11ad-2012.
1276
1277# Identifier of an FST Group  the interface belongs to.
1278#fst_group_id=bond0
1279
1280# Interface priority within the FST Group.
1281# Announcing a higher priority for an interface means declaring it more
1282# preferable for FST switch.
1283# fst_priority is in 1..255 range with 1 being the lowest priority.
1284#fst_priority=100
1285
1286# Default LLT value for this interface in milliseconds. The value used in case
1287# no value provided during session setup. Default is 50 msec.
1288# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
1289# Transitioning between states).
1290#fst_llt=100
1291
1292# Example blocks:
1293
1294# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
1295network={
1296	ssid="simple"
1297	psk="very secret passphrase"
1298	priority=5
1299}
1300
1301# Same as previous, but request SSID-specific scanning (for APs that reject
1302# broadcast SSID)
1303network={
1304	ssid="second ssid"
1305	scan_ssid=1
1306	psk="very secret passphrase"
1307	priority=2
1308}
1309
1310# Only WPA-PSK is used. Any valid cipher combination is accepted.
1311network={
1312	ssid="example"
1313	proto=WPA
1314	key_mgmt=WPA-PSK
1315	pairwise=CCMP TKIP
1316	group=CCMP TKIP WEP104 WEP40
1317	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
1318	priority=2
1319}
1320
1321# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
1322network={
1323	ssid="example"
1324	proto=WPA
1325	key_mgmt=WPA-PSK
1326	pairwise=TKIP
1327	group=TKIP
1328	psk="not so secure passphrase"
1329	wpa_ptk_rekey=600
1330}
1331
1332# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
1333# or WEP40 as the group cipher will not be accepted.
1334network={
1335	ssid="example"
1336	proto=RSN
1337	key_mgmt=WPA-EAP
1338	pairwise=CCMP TKIP
1339	group=CCMP TKIP
1340	eap=TLS
1341	identity="user@example.com"
1342	ca_cert="/etc/cert/ca.pem"
1343	client_cert="/etc/cert/user.pem"
1344	private_key="/etc/cert/user.prv"
1345	private_key_passwd="password"
1346	priority=1
1347}
1348
1349# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
1350# (e.g., Radiator)
1351network={
1352	ssid="example"
1353	key_mgmt=WPA-EAP
1354	eap=PEAP
1355	identity="user@example.com"
1356	password="foobar"
1357	ca_cert="/etc/cert/ca.pem"
1358	phase1="peaplabel=1"
1359	phase2="auth=MSCHAPV2"
1360	priority=10
1361}
1362
1363# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
1364# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
1365network={
1366	ssid="example"
1367	key_mgmt=WPA-EAP
1368	eap=TTLS
1369	identity="user@example.com"
1370	anonymous_identity="anonymous@example.com"
1371	password="foobar"
1372	ca_cert="/etc/cert/ca.pem"
1373	priority=2
1374}
1375
1376# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
1377# use. Real identity is sent only within an encrypted TLS tunnel.
1378network={
1379	ssid="example"
1380	key_mgmt=WPA-EAP
1381	eap=TTLS
1382	identity="user@example.com"
1383	anonymous_identity="anonymous@example.com"
1384	password="foobar"
1385	ca_cert="/etc/cert/ca.pem"
1386	phase2="auth=MSCHAPV2"
1387}
1388
1389# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
1390# authentication.
1391network={
1392	ssid="example"
1393	key_mgmt=WPA-EAP
1394	eap=TTLS
1395	# Phase1 / outer authentication
1396	anonymous_identity="anonymous@example.com"
1397	ca_cert="/etc/cert/ca.pem"
1398	# Phase 2 / inner authentication
1399	phase2="autheap=TLS"
1400	ca_cert2="/etc/cert/ca2.pem"
1401	client_cert2="/etc/cer/user.pem"
1402	private_key2="/etc/cer/user.prv"
1403	private_key2_passwd="password"
1404	priority=2
1405}
1406
1407# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
1408# group cipher.
1409network={
1410	ssid="example"
1411	bssid=00:11:22:33:44:55
1412	proto=WPA RSN
1413	key_mgmt=WPA-PSK WPA-EAP
1414	pairwise=CCMP
1415	group=CCMP
1416	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
1417}
1418
1419# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
1420# and all valid ciphers.
1421network={
1422	ssid=00010203
1423	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
1424}
1425
1426
1427# EAP-SIM with a GSM SIM or USIM
1428network={
1429	ssid="eap-sim-test"
1430	key_mgmt=WPA-EAP
1431	eap=SIM
1432	pin="1234"
1433	pcsc=""
1434}
1435
1436
1437# EAP-PSK
1438network={
1439	ssid="eap-psk-test"
1440	key_mgmt=WPA-EAP
1441	eap=PSK
1442	anonymous_identity="eap_psk_user"
1443	password=06b4be19da289f475aa46a33cb793029
1444	identity="eap_psk_user@example.com"
1445}
1446
1447
1448# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
1449# EAP-TLS for authentication and key generation; require both unicast and
1450# broadcast WEP keys.
1451network={
1452	ssid="1x-test"
1453	key_mgmt=IEEE8021X
1454	eap=TLS
1455	identity="user@example.com"
1456	ca_cert="/etc/cert/ca.pem"
1457	client_cert="/etc/cert/user.pem"
1458	private_key="/etc/cert/user.prv"
1459	private_key_passwd="password"
1460	eapol_flags=3
1461}
1462
1463
1464# LEAP with dynamic WEP keys
1465network={
1466	ssid="leap-example"
1467	key_mgmt=IEEE8021X
1468	eap=LEAP
1469	identity="user"
1470	password="foobar"
1471}
1472
1473# EAP-IKEv2 using shared secrets for both server and peer authentication
1474network={
1475	ssid="ikev2-example"
1476	key_mgmt=WPA-EAP
1477	eap=IKEV2
1478	identity="user"
1479	password="foobar"
1480}
1481
1482# EAP-FAST with WPA (WPA or WPA2)
1483network={
1484	ssid="eap-fast-test"
1485	key_mgmt=WPA-EAP
1486	eap=FAST
1487	anonymous_identity="FAST-000102030405"
1488	identity="username"
1489	password="password"
1490	phase1="fast_provisioning=1"
1491	pac_file="/etc/wpa_supplicant.eap-fast-pac"
1492}
1493
1494network={
1495	ssid="eap-fast-test"
1496	key_mgmt=WPA-EAP
1497	eap=FAST
1498	anonymous_identity="FAST-000102030405"
1499	identity="username"
1500	password="password"
1501	phase1="fast_provisioning=1"
1502	pac_file="blob://eap-fast-pac"
1503}
1504
1505# Plaintext connection (no WPA, no IEEE 802.1X)
1506network={
1507	ssid="plaintext-test"
1508	key_mgmt=NONE
1509}
1510
1511
1512# Shared WEP key connection (no WPA, no IEEE 802.1X)
1513network={
1514	ssid="static-wep-test"
1515	key_mgmt=NONE
1516	wep_key0="abcde"
1517	wep_key1=0102030405
1518	wep_key2="1234567890123"
1519	wep_tx_keyidx=0
1520	priority=5
1521}
1522
1523
1524# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
1525# IEEE 802.11 authentication
1526network={
1527	ssid="static-wep-test2"
1528	key_mgmt=NONE
1529	wep_key0="abcde"
1530	wep_key1=0102030405
1531	wep_key2="1234567890123"
1532	wep_tx_keyidx=0
1533	priority=5
1534	auth_alg=SHARED
1535}
1536
1537
1538# IBSS/ad-hoc network with RSN
1539network={
1540	ssid="ibss-rsn"
1541	key_mgmt=WPA-PSK
1542	proto=RSN
1543	psk="12345678"
1544	mode=1
1545	frequency=2412
1546	pairwise=CCMP
1547	group=CCMP
1548}
1549
1550# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
1551network={
1552	ssid="test adhoc"
1553	mode=1
1554	frequency=2412
1555	proto=WPA
1556	key_mgmt=WPA-NONE
1557	pairwise=NONE
1558	group=TKIP
1559	psk="secret passphrase"
1560}
1561
1562# open mesh network
1563network={
1564	ssid="test mesh"
1565	mode=5
1566	frequency=2437
1567	key_mgmt=NONE
1568}
1569
1570# secure (SAE + AMPE) network
1571network={
1572	ssid="secure mesh"
1573	mode=5
1574	frequency=2437
1575	key_mgmt=SAE
1576	psk="very secret passphrase"
1577}
1578
1579
1580# Catch all example that allows more or less all configuration modes
1581network={
1582	ssid="example"
1583	scan_ssid=1
1584	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
1585	pairwise=CCMP TKIP
1586	group=CCMP TKIP WEP104 WEP40
1587	psk="very secret passphrase"
1588	eap=TTLS PEAP TLS
1589	identity="user@example.com"
1590	password="foobar"
1591	ca_cert="/etc/cert/ca.pem"
1592	client_cert="/etc/cert/user.pem"
1593	private_key="/etc/cert/user.prv"
1594	private_key_passwd="password"
1595	phase1="peaplabel=0"
1596}
1597
1598# Example of EAP-TLS with smartcard (openssl engine)
1599network={
1600	ssid="example"
1601	key_mgmt=WPA-EAP
1602	eap=TLS
1603	proto=RSN
1604	pairwise=CCMP TKIP
1605	group=CCMP TKIP
1606	identity="user@example.com"
1607	ca_cert="/etc/cert/ca.pem"
1608
1609	# Certificate and/or key identified by PKCS#11 URI (RFC7512)
1610	client_cert="pkcs11:manufacturer=piv_II;id=%01"
1611	private_key="pkcs11:manufacturer=piv_II;id=%01"
1612
1613	# Optional PIN configuration; this can be left out and PIN will be
1614	# asked through the control interface
1615	pin="1234"
1616}
1617
1618# Example configuration showing how to use an inlined blob as a CA certificate
1619# data instead of using external file
1620network={
1621	ssid="example"
1622	key_mgmt=WPA-EAP
1623	eap=TTLS
1624	identity="user@example.com"
1625	anonymous_identity="anonymous@example.com"
1626	password="foobar"
1627	ca_cert="blob://exampleblob"
1628	priority=20
1629}
1630
1631blob-base64-exampleblob={
1632SGVsbG8gV29ybGQhCg==
1633}
1634
1635
1636# Wildcard match for SSID (plaintext APs only). This example select any
1637# open AP regardless of its SSID.
1638network={
1639	key_mgmt=NONE
1640}
1641
1642# Example configuration blacklisting two APs - these will be ignored
1643# for this network.
1644network={
1645	ssid="example"
1646	psk="very secret passphrase"
1647	bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
1648}
1649
1650# Example configuration limiting AP selection to a specific set of APs;
1651# any other AP not matching the masked address will be ignored.
1652network={
1653	ssid="example"
1654	psk="very secret passphrase"
1655	bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
1656}
1657
1658# Example config file that will only scan on channel 36.
1659freq_list=5180
1660network={
1661	key_mgmt=NONE
1662}
1663
1664
1665# Example MACsec configuration
1666#network={
1667#	key_mgmt=IEEE8021X
1668#	eap=TTLS
1669#	phase2="auth=PAP"
1670#	anonymous_identity="anonymous@example.com"
1671#	identity="user@example.com"
1672#	password="secretr"
1673#	ca_cert="/etc/cert/ca.pem"
1674#	eapol_flags=0
1675#	macsec_policy=1
1676#}
1677