xref: /freebsd/usr.sbin/wpa/hostapd/hostapd.conf.5 (revision a64729f5077d77e13b9497cb33ecb3c82e606ee8)
1.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
2.\" Copyright (c) 2006 Rui Paulo
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\"
14.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
15.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
16.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
17.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
18.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
19.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
20.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
21.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
22.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
23.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
24.\" SUCH DAMAGE.
25.\"
26.Dd September 2, 2006
27.Dt HOSTAPD.CONF 5
28.Os
29.Sh NAME
30.Nm hostapd.conf
31.Nd configuration file for
32.Xr hostapd 8
33utility
34.Sh DESCRIPTION
35The
36.Xr hostapd 8
37utility
38is an authenticator for IEEE 802.11 networks.
39It provides full support for WPA/IEEE 802.11i and
40can also act as an IEEE 802.1X Authenticator with a suitable
41backend Authentication Server (typically
42.Tn FreeRADIUS ) .
43.Pp
44The configuration file consists of global parameters and domain
45specific configuration:
46.Bl -bullet -offset indent -compact
47.It
48IEEE 802.1X-2004
49.\" XXX not yet
50.\" .It
51.\" Integrated EAP server
52.\" .It
53.\" IEEE 802.11f - Inter-Access Point Protocol (IAPP)
54.It
55RADIUS client
56.It
57RADIUS authentication server
58.It
59WPA/IEEE 802.11i
60.El
61.Sh GLOBAL PARAMETERS
62The following parameters are recognized:
63.Bl -tag -width indent
64.It Va interface
65Interface name.
66Should be set in
67.Dq hostap
68mode.
69Make certain that there are no spaces after the interface name, or hostapd will
70complain that the interface does not exist.
71.It Va debug
72Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
73excessive.
74.It Va dump_file
75Dump file for state information (on
76.Dv SIGUSR1 ) .
77.It Va ctrl_interface
78The pathname of the directory in which
79.Xr hostapd 8
80creates
81.Ux
82domain socket files for communication
83with frontend programs such as
84.Xr hostapd_cli 8 .
85.It Va ctrl_interface_group
86A group name or group ID to use in setting protection on the
87control interface file.
88This can be set to allow non-root users to access the
89control interface files.
90If no group is specified, the group ID of the control interface
91is not modified and will, typically, be the
92group ID of the directory in which the socket is created.
93.El
94.Sh IEEE 802.1X-2004 PARAMETERS
95The following parameters are recognized:
96.Bl -tag -width indent
97.It Va ieee8021x
98Require IEEE 802.1X authorization.
99.It Va eap_message
100Optional displayable message sent with EAP Request-Identity.
101.It Va wep_key_len_broadcast
102Key lengths for broadcast keys.
103.It Va wep_key_len_unicast
104Key lengths for unicast keys.
105.It Va wep_rekey_period
106Rekeying period in seconds.
107.It Va eapol_key_index_workaround
108EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
109.It Va eap_reauth_period
110EAP reauthentication period in seconds.
111To disable reauthentication,
112use
113.Dq 0 .
114.\" XXX not yet
115.\" .It Va use_pae_group_addr
116.El
117.\" XXX not yet
118.\" .Sh IEEE 802.11f - IAPP PARAMETERS
119.\" The following parameters are recognized:
120.\" .Bl -tag -width indent
121.\" .It Va iapp_interface
122.\" Interface to be used for IAPP broadcast packets
123.\" .El
124.Sh RADIUS CLIENT PARAMETERS
125The following parameters are recognized:
126.Bl -tag -width indent
127.It Va own_ip_addr
128The own IP address of the access point (used as NAS-IP-Address).
129.It Va nas_identifier
130Optional NAS-Identifier string for RADIUS messages.
131.It Va auth_server_addr , auth_server_port , auth_server_shared_secret
132RADIUS authentication server parameters.
133Can be defined twice for secondary servers to be used if primary one
134does not reply to RADIUS packets.
135.It Va acct_server_addr , acct_server_port , acct_server_shared_secret
136RADIUS accounting server parameters.
137Can be defined twice for secondary servers to be used if primary one
138does not reply to RADIUS packets.
139.It Va radius_retry_primary_interval
140Retry interval for trying to return to the primary RADIUS server (in
141seconds).
142.It Va radius_acct_interim_interval
143Interim accounting update interval.
144If this is set (larger than 0) and acct_server is configured,
145.Xr hostapd 8
146will send interim accounting updates every N seconds.
147.El
148.Sh RADIUS AUTHENTICATION SERVER PARAMETERS
149The following parameters are recognized:
150.Bl -tag -width indent
151.It Va radius_server_clients
152File name of the RADIUS clients configuration for the RADIUS server.
153If this is commented out, RADIUS server is disabled.
154.It Va radius_server_auth_port
155The UDP port number for the RADIUS authentication server.
156.It Va radius_server_ipv6
157Use IPv6 with RADIUS server.
158.El
159.Sh WPA/IEEE 802.11i PARAMETERS
160The following parameters are recognized:
161.Bl -tag -width indent
162.It Va wpa
163Enable WPA.
164Setting this variable configures the AP to require WPA (either
165WPA-PSK or WPA-RADIUS/EAP based on other configuration).
166.It Va wpa_psk , wpa_passphrase
167WPA pre-shared keys for WPA-PSK.
168This can be either entered as a 256-bit secret in hex format (64 hex
169digits), wpa_psk, or as an ASCII passphrase (8..63 characters) that
170will be converted to PSK.
171This conversion uses SSID so the PSK changes when ASCII passphrase is
172used and the SSID is changed.
173.It Va wpa_psk_file
174Optionally, WPA PSKs can be read from a separate text file containing a
175list of PSK and MAC address pairs.
176.It Va wpa_key_mgmt
177Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both).
178.It Va wpa_pairwise
179Set of accepted cipher suites (encryption algorithms) for pairwise keys
180(unicast packets).
181See the example file for more information.
182.It Va wpa_group_rekey
183Time interval for rekeying GTK (broadcast/multicast encryption keys) in
184seconds.
185.It Va wpa_strict_rekey
186Rekey GTK when any STA that possesses the current GTK is leaving the
187BSS.
188.It Va wpa_gmk_rekey
189Time interval for rekeying GMK (master key used internally to generate GTKs),
190in seconds.
191.El
192.Sh SEE ALSO
193.Xr hostapd 8 ,
194.Xr hostapd_cli 8
195.Sh HISTORY
196The
197.Nm
198manual page and
199.Xr hostapd 8
200functionality first appeared in
201.Fx 6.0 .
202.Sh AUTHORS
203This manual page is derived from the
204.Pa README
205and
206.Pa hostapd.conf
207files in the
208.Nm hostapd
209distribution provided by
210.An Jouni Malinen Aq Mt j@w1.fi .
211