xref: /freebsd/usr.sbin/wpa/hostapd/hostapd.conf.5 (revision 63a938566d524836885917d95bd491aa4400b181) 
1.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
2.\" Copyright (c) 2006 Rui Paulo
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.\" $FreeBSD$
27.\"
28.Dd September 2, 2006
29.Dt HOSTAPD.CONF 5
30.Os
31.Sh NAME
32.Nm hostapd.conf
33.Nd configuration file for
34.Xr hostapd 8
35utility
36.Sh DESCRIPTION
37The
38.Xr hostapd 8
39utility
40is an authenticator for IEEE 802.11 networks.
41It provides full support for WPA/IEEE 802.11i and
42can also act as an IEEE 802.1X Authenticator with a suitable
43backend Authentication Server (typically
44.Tn FreeRADIUS ) .
45.Pp
46The configuration file consists of global parameters and domain
47specific configuration:
48.Bl -bullet -offset indent -compact
49.It
50IEEE 802.1X-2004
51.\" XXX not yet
52.\" .It
53.\" Integrated EAP server
54.\" .It
55.\" IEEE 802.11f - Inter-Access Point Protocol (IAPP)
56.It
57RADIUS client
58.It
59RADIUS authentication server
60.It
61WPA/IEEE 802.11i
62.El
63.Sh GLOBAL PARAMETERS
64The following parameters are recognized:
65.Bl -tag -width indent
66.It Va interface
67Interface name.
68Should be set in
69.Dq hostap
70mode.  Make certain that there are no spaces after the interface name,
71or hostapd will complain that the interface does not exist.
72.It Va debug
73Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
74excessive.
75.It Va dump_file
76Dump file for state information (on
77.Dv SIGUSR1 ) .
78.It Va ctrl_interface
79The pathname of the directory in which
80.Xr hostapd 8
81creates
82.Ux
83domain socket files for communication
84with frontend programs such as
85.Xr hostapd_cli 8 .
86.It Va ctrl_interface_group
87A group name or group ID to use in setting protection on the
88control interface file.
89This can be set to allow non-root users to access the
90control interface files.
91If no group is specified, the group ID of the control interface
92is not modified and will, typically, be the
93group ID of the directory in which the socket is created.
94.El
95.Sh IEEE 802.1X-2004 PARAMETERS
96The following parameters are recognized:
97.Bl -tag -width indent
98.It Va ieee8021x
99Require IEEE 802.1X authorization.
100.It Va eap_message
101Optional displayable message sent with EAP Request-Identity.
102.It Va wep_key_len_broadcast
103Key lengths for broadcast keys.
104.It Va wep_key_len_unicast
105Key lengths for unicast keys.
106.It Va wep_rekey_period
107Rekeying period in seconds.
108.It Va eapol_key_index_workaround
109EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
110.It Va eap_reauth_period
111EAP reauthentication period in seconds.
112To disable reauthentication,
113use
114.Dq 0 .
115.\" XXX not yet
116.\" .It Va use_pae_group_addr
117.El
118.\" XXX not yet
119.\" .Sh IEEE 802.11f - IAPP PARAMETERS
120.\" The following parameters are recognized:
121.\" .Bl -tag -width indent
122.\" .It Va iapp_interface
123.\" Interface to be used for IAPP broadcast packets
124.\" .El
125.Sh RADIUS CLIENT PARAMETERS
126The following parameters are recognized:
127.Bl -tag -width indent
128.It Va own_ip_addr
129The own IP address of the access point (used as NAS-IP-Address).
130.It Va nas_identifier
131Optional NAS-Identifier string for RADIUS messages.
132.It Va auth_server_addr , auth_server_port , auth_server_shared_secret
133RADIUS authentication server parameters.
134Can be defined twice for secondary servers to be used if primary one
135does not reply to RADIUS packets.
136.It Va acct_server_addr , acct_server_port , acct_server_shared_secret
137RADIUS accounting server parameters.
138Can be defined twice for secondary servers to be used if primary one
139does not reply to RADIUS packets.
140.It Va radius_retry_primary_interval
141Retry interval for trying to return to the primary RADIUS server (in
142seconds).
143.It Va radius_acct_interim_interval
144Interim accounting update interval.
145If this is set (larger than 0) and acct_server is configured,
146.Xr hostapd 8
147will send interim accounting updates every N seconds.
148.El
149.Sh RADIUS AUTHENTICATION SERVER PARAMETERS
150The following parameters are recognized:
151.Bl -tag -width indent
152.It Va radius_server_clients
153File name of the RADIUS clients configuration for the RADIUS server.
154If this is commented out, RADIUS server is disabled.
155.It Va radius_server_auth_port
156The UDP port number for the RADIUS authentication server.
157.It Va radius_server_ipv6
158Use IPv6 with RADIUS server.
159.El
160.Sh WPA/IEEE 802.11i PARAMETERS
161The following parameters are recognized:
162.Bl -tag -width indent
163.It Va wpa
164Enable WPA.
165Setting this variable configures the AP to require WPA (either
166WPA-PSK or WPA-RADIUS/EAP based on other configuration).
167.It Va wpa_psk , wpa_passphrase
168WPA pre-shared keys for WPA-PSK.
169This can be either entered as a 256-bit secret in hex format (64 hex
170digits), wpa_psk, or as an ASCII passphrase (8..63 characters) that
171will be converted to PSK.
172This conversion uses SSID so the PSK changes when ASCII passphrase is
173used and the SSID is changed.
174.It Va wpa_psk_file
175Optionally, WPA PSKs can be read from a separate text file containing a
176list of PSK and MAC address pairs.
177.It Va wpa_key_mgmt
178Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both).
179.It Va wpa_pairwise
180Set of accepted cipher suites (encryption algorithms) for pairwise keys
181(unicast packets).
182See the example file for more information.
183.It Va wpa_group_rekey
184Time interval for rekeying GTK (broadcast/multicast encryption keys) in
185seconds.
186.It Va wpa_strict_rekey
187Rekey GTK when any STA that possesses the current GTK is leaving the
188BSS.
189.It Va wpa_gmk_rekey
190Time interval for rekeying GMK (master key used internally to generate GTKs),
191in seconds.
192.El
193.Sh SEE ALSO
194.Xr hostapd 8 ,
195.Xr hostapd_cli 8
196.Sh HISTORY
197The
198.Nm
199manual page and
200.Xr hostapd 8
201functionality first appeared in
202.Fx 6.0 .
203.Sh AUTHORS
204This manual page is derived from the
205.Pa README
206and
207.Pa hostapd.conf
208files in the
209.Nm hostapd
210distribution provided by
211.An Jouni Malinen Aq Mt j@w1.fi .
212