xref: /freebsd/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd July 8, 2007
28.Dt WPA_SUPPLICANT.CONF 5
29.Os
30.Sh NAME
31.Nm wpa_supplicant.conf
32.Nd configuration file for
33.Xr wpa_supplicant 8
34.Sh DESCRIPTION
35The
36.Xr wpa_supplicant 8
37utility is an implementation of the WPA Supplicant component,
38i.e., the part that runs in the client stations.
39It implements WPA key negotiation with a WPA Authenticator
40and EAP authentication with Authentication Server using
41configuration information stored in a text file.
42.Pp
43The configuration file consists of optional global parameter
44settings and one or more network blocks, e.g.\&
45one for each used SSID.
46The
47.Xr wpa_supplicant 8
48utility
49will automatically select the best network based on the order of
50the network blocks in the configuration file, network security level
51(WPA/WPA2 is preferred), and signal strength.
52Comments are indicated with the
53.Ql #
54character; all text to the
55end of the line will be ignored.
56.Sh GLOBAL PARAMETERS
57Default parameters used by
58.Xr wpa_supplicant 8
59may be overridden by specifying
60.Pp
61.Dl parameter=value
62.Pp
63in the configuration file (note no spaces are allowed).
64Values with embedded spaces must be enclosed in quote marks.
65.Pp
66The following parameters are recognized:
67.Bl -tag -width indent
68.It Va ctrl_interface
69The pathname of the directory in which
70.Xr wpa_supplicant 8
71creates
72.Ux
73domain socket files for communication
74with frontend programs such as
75.Xr wpa_cli 8 .
76.It Va ctrl_interface_group
77A group name or group ID to use in setting protection on the
78control interface file.
79This can be set to allow non-root users to access the
80control interface files.
81If no group is specified, the group ID of the control interface
82is not modified and will, typically, be the
83group ID of the directory in which the socket is created.
84.It Va eapol_version
85The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2.
86The
87.Xr wpa_supplicant 8
88utility
89is implemented according to IEEE 802-1X-REV-d8 which defines
90EAPOL version to be 2.
91However, some access points do not work when presented with
92this version so by default
93.Xr wpa_supplicant 8
94will announce that it is using EAPOL version 1.
95If version 2 must be announced for correct operation with an
96access point, this value may be set to 2.
97.It Va ap_scan
98Access point scanning and selection control; one of 0, 1 (default), or 2.
99Only setting 1 should be used with the
100.Xr wlan 4
101module; the other settings are for use on other operating systems.
102.It Va fast_reauth
103EAP fast re-authentication; either 1 (default) or 0.
104Control fast re-authentication support in EAP methods that support it.
105.El
106.Sh NETWORK BLOCKS
107Each potential network/access point should have a
108.Dq "network block"
109that describes how to identify it and how to set up security.
110When multiple network blocks are listed in a configuration file,
111the highest priority one is selected for use or, if multiple networks
112with the same priority are identified, the first one listed in the
113configuration file is used.
114.Pp
115A network block description is of the form:
116.Bd -literal -offset indent
117network={
118	parameter=value
119	...
120}
121.Ed
122.Pp
123(note the leading
124.Qq Li "network={"
125may have no spaces).
126The block specification contains one or more parameters
127from the following list:
128.Bl -tag -width indent
129.It Va ssid No (required)
130Network name (as announced by the access point).
131An
132.Tn ASCII
133or hex string enclosed in quotation marks.
134.It Va scan_ssid
135SSID scan technique; 0 (default) or 1.
136Technique 0 scans for the SSID using a broadcast Probe Request
137frame while 1 uses a directed Probe Request frame.
138Access points that cloak themselves by not broadcasting their SSID
139require technique 1, but beware that this scheme can cause scanning
140to take longer to complete.
141.It Va bssid
142Network BSSID (typically the MAC address of the access point).
143.It Va priority
144The priority of a network when selecting among multiple networks;
145a higher value means a network is more desirable.
146By default networks have priority 0.
147When multiple networks with the same priority are considered
148for selection, other information such as security policy and
149signal strength are used to select one.
150.It Va mode
151IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS).
152Note that IBSS (adhoc) mode can only be used with
153.Va key_mgmt
154set to
155.Li NONE
156(plaintext and static WEP).
157.It Va proto
158List of acceptable protocols; one or more of:
159.Li WPA
160(IEEE 802.11i/D3.0)
161and
162.Li RSN
163(IEEE 802.11i).
164.Li WPA2
165is another name for
166.Li RSN .
167If not set this defaults to
168.Qq Li "WPA RSN" .
169.It Va key_mgmt
170List of acceptable key management protocols; one or more of:
171.Li WPA-PSK
172(WPA pre-shared key),
173.Li WPA-EAP
174(WPA using EAP authentication),
175.Li IEEE8021X
176(IEEE 802.1x using EAP authentication and,
177optionally, dynamically generated WEP keys),
178.Li NONE
179(plaintext or static WEP keys).
180If not set this defaults to
181.Qq Li "WPA-PSK WPA-EAP" .
182.It Va auth_alg
183List of allowed IEEE 802.11 authentication algorithms; one or more of:
184.Li OPEN
185(Open System authentication, required for WPA/WPA2),
186.Li SHARED
187(Shared Key authentication),
188.Li LEAP
189(LEAP/Network EAP).
190If not set automatic selection is used (Open System with LEAP
191enabled if LEAP is allowed as one of the EAP methods).
192.It Va pairwise
193List of acceptable pairwise (unicast) ciphers for WPA; one or more of:
194.Li CCMP
195(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
196.Li TKIP
197(Temporal Key Integrity Protocol, IEEE 802.11i/D7.0),
198.Li NONE
199(deprecated).
200If not set this defaults to
201.Qq Li "CCMP TKIP" .
202.It Va group
203List of acceptable group (multicast) ciphers for WPA; one or more of:
204.Li CCMP
205(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
206.Li TKIP
207(Temporal Key Integrity Protocol, IEEE 802.11i/D7.0),
208.Li WEP104
209(WEP with 104-bit key),
210.Li WEP40
211(WEP with 40-bit key).
212If not set this defaults to
213.Qq Li "CCMP TKIP WEP104 WEP40" .
214.It Va psk
215WPA preshared key used in WPA-PSK mode.
216The key is specified as 64 hex digits or as
217an 8-63 character
218.Tn ASCII
219passphrase.
220.Tn ASCII
221passphrases are dynamically converted to a 256-bit key at runtime
222using the network SSID, or they can be statically converted at
223configuration time using
224the
225.Xr wpa_passphrase 8
226utility.
227.It Va eapol_flags
228Dynamic WEP key usage for non-WPA mode, specified as a bit field.
229Bit 0 (1) forces dynamically generated unicast WEP keys to be used.
230Bit 1 (2) forces dynamically generated broadcast WEP keys to be used.
231By default this is set to 3 (use both).
232.It Va eap
233List of acceptable EAP methods; one or more of:
234.Li MD5
235(EAP-MD5, cannot be used with WPA,
236used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
237.Li MSCHAPV2
238(EAP-MSCHAPV2, cannot be used with WPA;
239used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
240.Li OTP
241(EAP-OTP, cannot be used with WPA;
242used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
243.Li GTC
244(EAP-GTC, cannot be used with WPA;
245used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
246.Li TLS
247(EAP-TLS, client and server certificate),
248.Li PEAP
249(EAP-PEAP, with tunneled EAP authentication),
250.Li TTLS
251(EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication).
252If not set this defaults to all available methods compiled in to
253.Xr wpa_supplicant 8 .
254Note that by default
255.Xr wpa_supplicant 8
256is compiled with EAP support; see
257.Xr make.conf 5
258for the
259.Va NO_WPA_SUPPLICANT_EAPOL
260configuration variable that can be used to disable EAP support.
261.It Va identity
262Identity string for EAP.
263.It Va anonymous_identity
264Anonymous identity string for EAP (to be used as the unencrypted identity
265with EAP types that support different tunneled identities; e.g.\& EAP-TTLS).
266.It Va mixed_cell
267Configure whether networks that allow both plaintext and encryption
268are allowed when selecting a BSS from the scan results.
269By default this is set to 0 (disabled).
270.It Va password
271Password string for EAP.
272.It Va ca_cert
273Pathname to CA certificate file.
274This file can have one or more trusted CA certificates.
275If
276.Va ca_cert
277is not included, server certificates will not be verified (not recommended).
278.It Va client_cert
279Pathname to client certificate file (PEM/DER).
280.It Va private_key
281Pathname to a client private key file (PEM/DER/PFX).
282When a PKCS#12/PFX file is used, then
283.Va client_cert
284should not be specified as both the private key and certificate will be
285read from PKCS#12 file.
286.It Va private_key_passwd
287Password for any private key file.
288.It Va dh_file
289Pathname to a file holding DH/DSA parameters (in PEM format).
290This file holds parameters for an ephemeral DH key exchange.
291In most cases, the default RSA authentication does not use this configuration.
292However, it is possible to set up RSA to use an ephemeral DH key exchange.
293In addition, ciphers with
294DSA keys always use ephemeral DH keys.
295This can be used to achieve forward secrecy.
296If the
297.Va dh_file
298is in DSA parameters format, it will be automatically converted
299into DH params.
300.It Va subject_match
301Substring to be matched against the subject of the
302authentication server certificate.
303If this string is set, the server
304certificate is only accepted if it contains this string in the subject.
305The subject string is in following format:
306.Pp
307.Dl "/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
308.It Va phase1
309Phase1 (outer authentication, i.e., TLS tunnel) parameters
310(string with field-value pairs, e.g.,
311.Qq Li peapver=0
312or
313.Qq Li "peapver=1 peaplabel=1" ) .
314.Bl -inset
315.It Li peapver
316can be used to force which PEAP version (0 or 1) is used.
317.It Li peaplabel=1
318can be used to force new label,
319.Dq "client PEAP encryption" ,
320to be used during key derivation when PEAPv1 or newer.
321Most existing PEAPv1 implementations seem to be using the old label,
322.Dq Li "client EAP encryption" ,
323and
324.Xr wpa_supplicant 8
325is now using that as the
326default value.
327Some servers, e.g.,
328.Tn Radiator ,
329may require
330.Li peaplabel=1
331configuration to interoperate with PEAPv1; see
332.Pa eap_testing.txt
333for more details.
334.It Li peap_outer_success=0
335can be used to terminate PEAP authentication on
336tunneled EAP-Success.
337This is required with some RADIUS servers that
338implement
339.Pa draft-josefsson-pppext-eap-tls-eap-05.txt
340(e.g.,
341.Tn Lucent NavisRadius v4.4.0
342with PEAP in
343.Dq "IETF Draft 5"
344mode).
345.It Li include_tls_length=1
346can be used to force
347.Xr wpa_supplicant 8
348to include
349TLS Message Length field in all TLS messages even if they are not
350fragmented.
351.It Li sim_min_num_chal=3
352can be used to configure EAP-SIM to require three
353challenges (by default, it accepts 2 or 3)
354.It Li fast_provisioning=1
355option enables in-line provisioning of EAP-FAST
356credentials (PAC).
357.El
358.It Va phase2
359phase2: Phase2 (inner authentication with TLS tunnel) parameters
360(string with field-value pairs, e.g.,
361.Qq Li "auth=MSCHAPV2"
362for EAP-PEAP or
363.Qq Li "autheap=MSCHAPV2 autheap=MD5"
364for EAP-TTLS).
365.It Va ca_cert2
366Like
367.Va ca_cert
368but for EAP inner Phase 2.
369.It Va client_cert2
370Like
371.Va client_cert
372but for EAP inner Phase 2.
373.It Va private_key2
374Like
375.Va private_key
376but for EAP inner Phase 2.
377.It Va private_key2_passwd
378Like
379.Va private_key_passwd
380but for EAP inner Phase 2.
381.It Va dh_file2
382Like
383.Va dh_file
384but for EAP inner Phase 2.
385.It Va subject_match2
386Like
387.Va subject_match
388but for EAP inner Phase 2.
389.It Va eappsk
39016-byte pre-shared key in hex format for use with EAP-PSK.
391.It Va nai
392User NAI for use with EAP-PSK.
393.It Va server_nai
394Authentication Server NAI for use with EAP-PSK.
395.It Va pac_file
396Pathname to the file to use for PAC entries with EAP-FAST.
397The
398.Xr wpa_supplicant 8
399utility
400must be able to create this file and write updates to it when
401PAC is being provisioned or refreshed.
402.It Va eap_workaround
403Enable/disable EAP workarounds for various interoperability issues
404with misbehaving authentication servers.
405By default these workarounds are enabled.
406String EAP conformance can be configured by setting this to 0.
407.El
408.Sh CERTIFICATES
409Some EAP authentication methods require use of certificates.
410EAP-TLS uses both server- and client-side certificates,
411whereas EAP-PEAP and EAP-TTLS only require a server-side certificate.
412When a client certificate is used, a matching private key file must
413also be included in configuration.
414If the private key uses a passphrase, this
415has to be configured in the
416.Nm
417file as
418.Va private_key_passwd .
419.Pp
420The
421.Xr wpa_supplicant 8
422utility
423supports X.509 certificates in PEM and DER formats.
424User certificate and private key can be included in the same file.
425.Pp
426If the user certificate and private key is received in PKCS#12/PFX
427format, they need to be converted to a suitable PEM/DER format for
428use by
429.Xr wpa_supplicant 8 .
430This can be done using the
431.Xr openssl 1
432program, e.g.\& with the following commands:
433.Bd -literal
434# convert client certificate and private key to PEM format
435openssl pkcs12 -in example.pfx -out user.pem -clcerts
436# convert CA certificate (if included in PFX file) to PEM format
437openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
438.Ed
439.Sh EXAMPLES
440WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS
441as a work network:
442.Bd -literal
443# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
444ctrl_interface=/var/run/wpa_supplicant
445ctrl_interface_group=wheel
446#
447# home network; allow all valid ciphers
448network={
449        ssid="home"
450        scan_ssid=1
451        key_mgmt=WPA-PSK
452        psk="very secret passphrase"
453}
454#
455# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
456network={
457        ssid="work"
458        scan_ssid=1
459        key_mgmt=WPA-EAP
460        pairwise=CCMP TKIP
461        group=CCMP TKIP
462        eap=TLS
463        identity="user@example.com"
464        ca_cert="/etc/cert/ca.pem"
465        client_cert="/etc/cert/user.pem"
466        private_key="/etc/cert/user.prv"
467        private_key_passwd="password"
468}
469.Ed
470.Pp
471WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel
472(e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series):
473.Bd -literal
474ctrl_interface=/var/run/wpa_supplicant
475ctrl_interface_group=wheel
476network={
477        ssid="example"
478        scan_ssid=1
479        key_mgmt=WPA-EAP
480        eap=PEAP
481        identity="user@example.com"
482        password="foobar"
483        ca_cert="/etc/cert/ca.pem"
484        phase1="peaplabel=0"
485        phase2="auth=MSCHAPV2"
486}
487.Ed
488.Pp
489EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
490unencrypted use.
491Real identity is sent only within an encrypted TLS tunnel.
492.Bd -literal
493ctrl_interface=/var/run/wpa_supplicant
494ctrl_interface_group=wheel
495network={
496        ssid="example"
497        scan_ssid=1
498        key_mgmt=WPA-EAP
499        eap=TTLS
500        identity="user@example.com"
501        anonymous_identity="anonymous@example.com"
502        password="foobar"
503        ca_cert="/etc/cert/ca.pem"
504        phase2="auth=MD5"
505}
506.Ed
507.Pp
508Traditional WEP configuration with 104 bit key specified in hexadecimal.
509Note the WEP key is not quoted.
510.Bd -literal
511ctrl_interface=/var/run/wpa_supplicant
512ctrl_interface_group=wheel
513network={
514        ssid="example"
515        scan_ssid=1
516        key_mgmt=NONE
517        wep_tx_keyidx=0
518        wep_key0=42FEEDDEAFBABEDEAFBEEFAA55
519}
520.Ed
521.Sh SEE ALSO
522.Xr wpa_cli 8 ,
523.Xr wpa_passphrase 8 ,
524.Xr wpa_supplicant 8
525.Sh HISTORY
526The
527.Nm
528manual page and
529.Xr wpa_supplicant 8
530functionality first appeared in
531.Fx 6.0 .
532.Sh AUTHORS
533This manual page is derived from the
534.Pa README
535and
536.Pa wpa_supplicant.conf
537files in the
538.Nm wpa_supplicant
539distribution provided by
540.An Jouni Malinen Aq jkmaline@cc.hut.fi .
541