xref: /freebsd/usr.sbin/wpa/wpa_supplicant/wpa_supplicant.conf.5 (revision 580744621f33383027108364dcadad718df46ffe) 
1.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD$
26.\"
27.Dd March 26, 2018
28.Dt WPA_SUPPLICANT.CONF 5
29.Os
30.Sh NAME
31.Nm wpa_supplicant.conf
32.Nd configuration file for
33.Xr wpa_supplicant 8
34.Sh DESCRIPTION
35The
36.Xr wpa_supplicant 8
37utility is an implementation of the WPA Supplicant component,
38i.e., the part that runs in the client stations.
39It implements WPA key negotiation with a WPA Authenticator
40and EAP authentication with Authentication Server using
41configuration information stored in a text file.
42.Pp
43The configuration file consists of optional global parameter
44settings and one or more network blocks, e.g.\&
45one for each used SSID.
46The
47.Xr wpa_supplicant 8
48utility
49will automatically select the best network based on the order of
50the network blocks in the configuration file, network security level
51(WPA/WPA2 is preferred), and signal strength.
52Comments are indicated with the
53.Ql #
54character; all text to the
55end of the line will be ignored.
56.Sh GLOBAL PARAMETERS
57Default parameters used by
58.Xr wpa_supplicant 8
59may be overridden by specifying
60.Pp
61.Dl parameter=value
62.Pp
63in the configuration file (note no spaces are allowed).
64Values with embedded spaces must be enclosed in quote marks.
65.Pp
66The following parameters are recognized:
67.Bl -tag -width indent
68.It Va ctrl_interface
69The pathname of the directory in which
70.Xr wpa_supplicant 8
71creates
72.Ux
73domain socket files for communication
74with frontend programs such as
75.Xr wpa_cli 8 .
76.It Va ctrl_interface_group
77A group name or group ID to use in setting protection on the
78control interface file.
79This can be set to allow non-root users to access the
80control interface files.
81If no group is specified, the group ID of the control interface
82is not modified and will, typically, be the
83group ID of the directory in which the socket is created.
84.It Va eapol_version
85The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2.
86The
87.Xr wpa_supplicant 8
88utility
89is implemented according to IEEE 802-1X-REV-d8 which defines
90EAPOL version to be 2.
91However, some access points do not work when presented with
92this version so by default
93.Xr wpa_supplicant 8
94will announce that it is using EAPOL version 1.
95If version 2 must be announced for correct operation with an
96access point, this value may be set to 2.
97.It Va ap_scan
98Access point scanning and selection control; one of 0, 1 (default), or 2.
99Only setting 1 should be used with the
100.Xr wlan 4
101module; the other settings are for use on other operating systems.
102.It Va fast_reauth
103EAP fast re-authentication; either 1 (default) or 0.
104Control fast re-authentication support in EAP methods that support it.
105.El
106.Sh NETWORK BLOCKS
107Each potential network/access point should have a
108.Dq "network block"
109that describes how to identify it and how to set up security.
110When multiple network blocks are listed in a configuration file,
111the highest priority one is selected for use or, if multiple networks
112with the same priority are identified, the first one listed in the
113configuration file is used.
114.Pp
115A network block description is of the form:
116.Bd -literal -offset indent
117network={
118	parameter=value
119	...
120}
121.Ed
122.Pp
123(note the leading
124.Qq Li "network={"
125may have no spaces).
126The block specification contains one or more parameters
127from the following list:
128.Bl -tag -width indent
129.It Va ssid No (required)
130Network name (as announced by the access point).
131An
132.Tn ASCII
133or hex string enclosed in quotation marks.
134.It Va scan_ssid
135SSID scan technique; 0 (default) or 1.
136Technique 0 scans for the SSID using a broadcast Probe Request
137frame while 1 uses a directed Probe Request frame.
138Access points that cloak themselves by not broadcasting their SSID
139require technique 1, but beware that this scheme can cause scanning
140to take longer to complete.
141.It Va bssid
142Network BSSID (typically the MAC address of the access point).
143.It Va priority
144The priority of a network when selecting among multiple networks;
145a higher value means a network is more desirable.
146By default networks have priority 0.
147When multiple networks with the same priority are considered
148for selection, other information such as security policy and
149signal strength are used to select one.
150.It Va mode
151IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS).
152Note that IBSS (adhoc) mode can only be used with
153.Va key_mgmt
154set to
155.Li NONE
156(plaintext and static WEP), or
157.Va key_mgmt
158set to
159.Li WPA-NONE
160(fixed group key TKIP/CCMP).
161In addition,
162.Va ap_scan
163has to be set to 2 for IBSS.
164.Li WPA-NONE
165requires
166.Va proto
167set to WPA,
168.Va key_mgmt
169set to WPA-NONE,
170.Va pairwise
171set to NONE,
172.Va group
173set to either
174CCMP or TKIP (but not both), and
175.Va psk
176must also be set.
177.It Va proto
178List of acceptable protocols; one or more of:
179.Li WPA
180(IEEE 802.11i/D3.0)
181and
182.Li RSN
183(IEEE 802.11i).
184.Li WPA2
185is another name for
186.Li RSN .
187If not set this defaults to
188.Qq Li "WPA RSN" .
189.It Va key_mgmt
190List of acceptable key management protocols; one or more of:
191.Li WPA-PSK
192(WPA pre-shared key),
193.Li WPA-EAP
194(WPA using EAP authentication),
195.Li IEEE8021X
196(IEEE 802.1x using EAP authentication and,
197optionally, dynamically generated WEP keys),
198.Li NONE
199(plaintext or static WEP keys).
200If not set this defaults to
201.Qq Li "WPA-PSK WPA-EAP" .
202.It Va auth_alg
203List of allowed IEEE 802.11 authentication algorithms; one or more of:
204.Li OPEN
205(Open System authentication, required for WPA/WPA2),
206.Li SHARED
207(Shared Key authentication),
208.Li LEAP
209(LEAP/Network EAP).
210If not set automatic selection is used (Open System with LEAP
211enabled if LEAP is allowed as one of the EAP methods).
212.It Va pairwise
213List of acceptable pairwise (unicast) ciphers for WPA; one or more of:
214.Li CCMP
215(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
216.Li TKIP
217(Temporal Key Integrity Protocol, IEEE 802.11i/D7.0),
218.Li NONE
219(deprecated).
220If not set this defaults to
221.Qq Li "CCMP TKIP" .
222.It Va group
223List of acceptable group (multicast) ciphers for WPA; one or more of:
224.Li CCMP
225(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
226.Li TKIP
227(Temporal Key Integrity Protocol, IEEE 802.11i/D7.0),
228.Li WEP104
229(WEP with 104-bit key),
230.Li WEP40
231(WEP with 40-bit key).
232If not set this defaults to
233.Qq Li "CCMP TKIP WEP104 WEP40" .
234.It Va psk
235WPA preshared key used in WPA-PSK mode.
236The key is specified as 64 hex digits or as
237an 8-63 character
238.Tn ASCII
239passphrase.
240.Tn ASCII
241passphrases are dynamically converted to a 256-bit key at runtime
242using the network SSID, or they can be statically converted at
243configuration time using
244the
245.Xr wpa_passphrase 8
246utility.
247.It Va eapol_flags
248Dynamic WEP key usage for non-WPA mode, specified as a bit field.
249Bit 0 (1) forces dynamically generated unicast WEP keys to be used.
250Bit 1 (2) forces dynamically generated broadcast WEP keys to be used.
251By default this is set to 3 (use both).
252.It Va eap
253List of acceptable EAP methods; one or more of:
254.Li MD5
255(EAP-MD5, cannot be used with WPA,
256used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
257.Li MSCHAPV2
258(EAP-MSCHAPV2, cannot be used with WPA;
259used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
260.Li OTP
261(EAP-OTP, cannot be used with WPA;
262used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
263.Li GTC
264(EAP-GTC, cannot be used with WPA;
265used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
266.Li TLS
267(EAP-TLS, client and server certificate),
268.Li PEAP
269(EAP-PEAP, with tunneled EAP authentication),
270.Li TTLS
271(EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication).
272If not set this defaults to all available methods compiled in to
273.Xr wpa_supplicant 8 .
274Note that by default
275.Xr wpa_supplicant 8
276is compiled with EAP support; see
277.Xr make.conf 5
278for the
279.Va NO_WPA_SUPPLICANT_EAPOL
280configuration variable that can be used to disable EAP support.
281.It Va identity
282Identity string for EAP.
283.It Va anonymous_identity
284Anonymous identity string for EAP (to be used as the unencrypted identity
285with EAP types that support different tunneled identities; e.g.\& EAP-TTLS).
286.It Va mixed_cell
287Configure whether networks that allow both plaintext and encryption
288are allowed when selecting a BSS from the scan results.
289By default this is set to 0 (disabled).
290.It Va password
291Password string for EAP.
292.It Va ca_cert
293Pathname to CA certificate file.
294This file can have one or more trusted CA certificates.
295If
296.Va ca_cert
297is not included, server certificates will not be verified (not recommended).
298.It Va client_cert
299Pathname to client certificate file (PEM/DER).
300.It Va private_key
301Pathname to a client private key file (PEM/DER/PFX).
302When a PKCS#12/PFX file is used, then
303.Va client_cert
304should not be specified as both the private key and certificate will be
305read from PKCS#12 file.
306.It Va private_key_passwd
307Password for any private key file.
308.It Va dh_file
309Pathname to a file holding DH/DSA parameters (in PEM format).
310This file holds parameters for an ephemeral DH key exchange.
311In most cases, the default RSA authentication does not use this configuration.
312However, it is possible to set up RSA to use an ephemeral DH key exchange.
313In addition, ciphers with
314DSA keys always use ephemeral DH keys.
315This can be used to achieve forward secrecy.
316If the
317.Va dh_file
318is in DSA parameters format, it will be automatically converted
319into DH parameters.
320.It Va subject_match
321Substring to be matched against the subject of the
322authentication server certificate.
323If this string is set, the server
324certificate is only accepted if it contains this string in the subject.
325The subject string is in following format:
326.Pp
327.Dl "/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
328.It Va phase1
329Phase1 (outer authentication, i.e., TLS tunnel) parameters
330(string with field-value pairs, e.g.,
331.Qq Li peapver=0
332or
333.Qq Li "peapver=1 peaplabel=1" ) .
334.Bl -inset
335.It Li peapver
336can be used to force which PEAP version (0 or 1) is used.
337.It Li peaplabel=1
338can be used to force new label,
339.Dq "client PEAP encryption" ,
340to be used during key derivation when PEAPv1 or newer.
341Most existing PEAPv1 implementations seem to be using the old label,
342.Dq Li "client EAP encryption" ,
343and
344.Xr wpa_supplicant 8
345is now using that as the
346default value.
347Some servers, e.g.,
348.Tn Radiator ,
349may require
350.Li peaplabel=1
351configuration to interoperate with PEAPv1; see
352.Pa eap_testing.txt
353for more details.
354.It Li peap_outer_success=0
355can be used to terminate PEAP authentication on
356tunneled EAP-Success.
357This is required with some RADIUS servers that
358implement
359.Pa draft-josefsson-pppext-eap-tls-eap-05.txt
360(e.g.,
361.Tn Lucent NavisRadius v4.4.0
362with PEAP in
363.Dq "IETF Draft 5"
364mode).
365.It Li include_tls_length=1
366can be used to force
367.Xr wpa_supplicant 8
368to include
369TLS Message Length field in all TLS messages even if they are not
370fragmented.
371.It Li sim_min_num_chal=3
372can be used to configure EAP-SIM to require three
373challenges (by default, it accepts 2 or 3).
374.It Li fast_provisioning=1
375option enables in-line provisioning of EAP-FAST
376credentials (PAC).
377.El
378.It Va phase2
379phase2: Phase2 (inner authentication with TLS tunnel) parameters
380(string with field-value pairs, e.g.,
381.Qq Li "auth=MSCHAPV2"
382for EAP-PEAP or
383.Qq Li "autheap=MSCHAPV2 autheap=MD5"
384for EAP-TTLS).
385.It Va ca_cert2
386Like
387.Va ca_cert
388but for EAP inner Phase 2.
389.It Va client_cert2
390Like
391.Va client_cert
392but for EAP inner Phase 2.
393.It Va private_key2
394Like
395.Va private_key
396but for EAP inner Phase 2.
397.It Va private_key2_passwd
398Like
399.Va private_key_passwd
400but for EAP inner Phase 2.
401.It Va dh_file2
402Like
403.Va dh_file
404but for EAP inner Phase 2.
405.It Va subject_match2
406Like
407.Va subject_match
408but for EAP inner Phase 2.
409.It Va eappsk
41016-byte pre-shared key in hex format for use with EAP-PSK.
411.It Va nai
412User NAI for use with EAP-PSK.
413.It Va server_nai
414Authentication Server NAI for use with EAP-PSK.
415.It Va pac_file
416Pathname to the file to use for PAC entries with EAP-FAST.
417The
418.Xr wpa_supplicant 8
419utility
420must be able to create this file and write updates to it when
421PAC is being provisioned or refreshed.
422.It Va eap_workaround
423Enable/disable EAP workarounds for various interoperability issues
424with misbehaving authentication servers.
425By default these workarounds are enabled.
426Strict EAP conformance can be configured by setting this to 0.
427.It Va wep_tx_keyidx
428which key to use for transmission of packets.
429.It Va wep_keyN key
430An
431.Tn ASCII
432string enclosed in quotation marks to encode the WEP key.
433Without quotes this is a hex string of the actual key.
434WEP is considered insecure and should be avoided.
435The exact translation from an ASCII key to a hex key varies.
436Use hex keys where possible.
437.El
438.Sh CERTIFICATES
439Some EAP authentication methods require use of certificates.
440EAP-TLS uses both server- and client-side certificates,
441whereas EAP-PEAP and EAP-TTLS only require a server-side certificate.
442When a client certificate is used, a matching private key file must
443also be included in configuration.
444If the private key uses a passphrase, this
445has to be configured in the
446.Nm
447file as
448.Va private_key_passwd .
449.Pp
450The
451.Xr wpa_supplicant 8
452utility
453supports X.509 certificates in PEM and DER formats.
454User certificate and private key can be included in the same file.
455.Pp
456If the user certificate and private key is received in PKCS#12/PFX
457format, they need to be converted to a suitable PEM/DER format for
458use by
459.Xr wpa_supplicant 8 .
460This can be done using the
461.Xr openssl 1
462program, e.g.\& with the following commands:
463.Bd -literal
464# convert client certificate and private key to PEM format
465openssl pkcs12 -in example.pfx -out user.pem -clcerts
466# convert CA certificate (if included in PFX file) to PEM format
467openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
468.Ed
469.Sh FILES
470.Bl -tag -width ".Pa /usr/share/examples/etc/wpa_supplicant.conf" -compact
471.It Pa /etc/wpa_supplicant.conf
472.It Pa /usr/share/examples/etc/wpa_supplicant.conf
473.El
474.Sh EXAMPLES
475WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS
476as a work network:
477.Bd -literal
478# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
479ctrl_interface=/var/run/wpa_supplicant
480ctrl_interface_group=wheel
481#
482# home network; allow all valid ciphers
483network={
484        ssid="home"
485        scan_ssid=1
486        key_mgmt=WPA-PSK
487        psk="very secret passphrase"
488}
489#
490# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
491network={
492        ssid="work"
493        scan_ssid=1
494        key_mgmt=WPA-EAP
495        pairwise=CCMP TKIP
496        group=CCMP TKIP
497        eap=TLS
498        identity="user@example.com"
499        ca_cert="/etc/cert/ca.pem"
500        client_cert="/etc/cert/user.pem"
501        private_key="/etc/cert/user.prv"
502        private_key_passwd="password"
503}
504.Ed
505.Pp
506WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel
507(e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series):
508.Bd -literal
509ctrl_interface=/var/run/wpa_supplicant
510ctrl_interface_group=wheel
511network={
512        ssid="example"
513        scan_ssid=1
514        key_mgmt=WPA-EAP
515        eap=PEAP
516        identity="user@example.com"
517        password="foobar"
518        ca_cert="/etc/cert/ca.pem"
519        phase1="peaplabel=0"
520        phase2="auth=MSCHAPV2"
521}
522.Ed
523.Pp
524EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
525unencrypted use.
526Real identity is sent only within an encrypted TLS tunnel.
527.Bd -literal
528ctrl_interface=/var/run/wpa_supplicant
529ctrl_interface_group=wheel
530network={
531        ssid="example"
532        scan_ssid=1
533        key_mgmt=WPA-EAP
534        eap=TTLS
535        identity="user@example.com"
536        anonymous_identity="anonymous@example.com"
537        password="foobar"
538        ca_cert="/etc/cert/ca.pem"
539        phase2="auth=MD5"
540}
541.Ed
542.Pp
543Traditional WEP configuration with 104 bit key specified in hexadecimal.
544Note the WEP key is not quoted.
545.Bd -literal
546ctrl_interface=/var/run/wpa_supplicant
547ctrl_interface_group=wheel
548network={
549        ssid="example"
550        scan_ssid=1
551        key_mgmt=NONE
552        wep_tx_keyidx=0
553	# hex keys denoted without quotes
554        wep_key0=42FEEDDEAFBABEDEAFBEEFAA55
555	# ASCII keys denoted with quotes.
556	wep_key1="FreeBSDr0cks!"
557}
558.Ed
559.Pp
560Minimal eduroam configuration.
561.Bd -literal
562ctrl_interface=/var/run/wpa_supplicant
563ctrl_interface_group=wheel
564network={
565        ssid="eduroam"
566        scan_ssid=1
567        key_mgmt=WPA-EAP
568        eap=TTLS
569        identity="user@example.org"
570        password="foobar"
571        phase2="auth=MSCHAPV2"
572}
573.Ed
574.Sh SEE ALSO
575.Xr wpa_cli 8 ,
576.Xr wpa_passphrase 8 ,
577.Xr wpa_supplicant 8
578.Sh HISTORY
579The
580.Nm
581manual page and
582.Xr wpa_supplicant 8
583functionality first appeared in
584.Fx 6.0 .
585.Sh AUTHORS
586This manual page is derived from the
587.Pa README
588and
589.Pa wpa_supplicant.conf
590files in the
591.Nm wpa_supplicant
592distribution provided by
593.An Jouni Malinen Aq Mt j@w1.fi .
594