wpa_supplicant.conf 70 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790
  1. ##### Example wpa_supplicant configuration file ###############################
  2. #
  3. # This file describes configuration file format and lists all available option.
  4. # Please also take a look at simpler configuration examples in 'examples'
  5. # subdirectory.
  6. #
  7. # Empty lines and lines starting with # are ignored
  8. # NOTE! This file may contain password information and should probably be made
  9. # readable only by root user on multiuser systems.
  10. # Note: All file paths in this configuration file should use full (absolute,
  11. # not relative to working directory) path in order to allow working directory
  12. # to be changed. This can happen if wpa_supplicant is run in the background.
  13. # Whether to allow wpa_supplicant to update (overwrite) configuration
  14. #
  15. # This option can be used to allow wpa_supplicant to overwrite configuration
  16. # file whenever configuration is changed (e.g., new network block is added with
  17. # wpa_cli or wpa_gui, or a password is changed). This is required for
  18. # wpa_cli/wpa_gui to be able to store the configuration changes permanently.
  19. # Please note that overwriting configuration file will remove the comments from
  20. # it.
  21. #update_config=1
  22. # global configuration (shared by all network blocks)
  23. #
  24. # Parameters for the control interface. If this is specified, wpa_supplicant
  25. # will open a control interface that is available for external programs to
  26. # manage wpa_supplicant. The meaning of this string depends on which control
  27. # interface mechanism is used. For all cases, the existence of this parameter
  28. # in configuration is used to determine whether the control interface is
  29. # enabled.
  30. #
  31. # For UNIX domain sockets (default on Linux and BSD): This is a directory that
  32. # will be created for UNIX domain sockets for listening to requests from
  33. # external programs (CLI/GUI, etc.) for status information and configuration.
  34. # The socket file will be named based on the interface name, so multiple
  35. # wpa_supplicant processes can be run at the same time if more than one
  36. # interface is used.
  37. # /var/run/wpa_supplicant is the recommended directory for sockets and by
  38. # default, wpa_cli will use it when trying to connect with wpa_supplicant.
  39. #
  40. # Access control for the control interface can be configured by setting the
  41. # directory to allow only members of a group to use sockets. This way, it is
  42. # possible to run wpa_supplicant as root (since it needs to change network
  43. # configuration and open raw sockets) and still allow GUI/CLI components to be
  44. # run as non-root users. However, since the control interface can be used to
  45. # change the network configuration, this access needs to be protected in many
  46. # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
  47. # want to allow non-root users to use the control interface, add a new group
  48. # and change this value to match with that group. Add users that should have
  49. # control interface access to this group. If this variable is commented out or
  50. # not included in the configuration file, group will not be changed from the
  51. # value it got by default when the directory or socket was created.
  52. #
  53. # When configuring both the directory and group, use following format:
  54. # DIR=/var/run/wpa_supplicant GROUP=wheel
  55. # DIR=/var/run/wpa_supplicant GROUP=0
  56. # (group can be either group name or gid)
  57. #
  58. # For UDP connections (default on Windows): The value will be ignored. This
  59. # variable is just used to select that the control interface is to be created.
  60. # The value can be set to, e.g., udp (ctrl_interface=udp)
  61. #
  62. # For Windows Named Pipe: This value can be used to set the security descriptor
  63. # for controlling access to the control interface. Security descriptor can be
  64. # set using Security Descriptor String Format (see http://msdn.microsoft.com/
  65. # library/default.asp?url=/library/en-us/secauthz/security/
  66. # security_descriptor_string_format.asp). The descriptor string needs to be
  67. # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
  68. # DACL (which will reject all connections). See README-Windows.txt for more
  69. # information about SDDL string format.
  70. #
  71. ctrl_interface=/var/run/wpa_supplicant
  72. # IEEE 802.1X/EAPOL version
  73. # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
  74. # EAPOL version 2. However, there are many APs that do not handle the new
  75. # version number correctly (they seem to drop the frames completely). In order
  76. # to make wpa_supplicant interoperate with these APs, the version number is set
  77. # to 1 by default. This configuration value can be used to set it to the new
  78. # version (2).
  79. # Note: When using MACsec, eapol_version shall be set to 3, which is
  80. # defined in IEEE Std 802.1X-2010.
  81. eapol_version=1
  82. # AP scanning/selection
  83. # By default, wpa_supplicant requests driver to perform AP scanning and then
  84. # uses the scan results to select a suitable AP. Another alternative is to
  85. # allow the driver to take care of AP scanning and selection and use
  86. # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
  87. # information from the driver.
  88. # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
  89. # the currently enabled networks are found, a new network (IBSS or AP mode
  90. # operation) may be initialized (if configured) (default)
  91. # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
  92. # parameters (e.g., WPA IE generation); this mode can also be used with
  93. # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
  94. # APs (i.e., external program needs to control association). This mode must
  95. # also be used when using wired Ethernet drivers (including MACsec).
  96. # 2: like 0, but associate with APs using security policy and SSID (but not
  97. # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
  98. # enable operation with hidden SSIDs and optimized roaming; in this mode,
  99. # the network blocks in the configuration file are tried one by one until
  100. # the driver reports successful association; each network block should have
  101. # explicit security policy (i.e., only one option in the lists) for
  102. # key_mgmt, pairwise, group, proto variables
  103. # Note: ap_scan=2 should not be used with the nl80211 driver interface (the
  104. # current Linux interface). ap_scan=1 is optimized work working with nl80211.
  105. # For finding networks using hidden SSID, scan_ssid=1 in the network block can
  106. # be used with nl80211.
  107. # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
  108. # created immediately regardless of scan results. ap_scan=1 mode will first try
  109. # to scan for existing networks and only if no matches with the enabled
  110. # networks are found, a new IBSS or AP mode network is created.
  111. ap_scan=1
  112. # Whether to force passive scan for network connection
  113. #
  114. # By default, scans will send out Probe Request frames on channels that allow
  115. # active scanning. This advertise the local station to the world. Normally this
  116. # is fine, but users may wish to do passive scanning where the radio should only
  117. # listen quietly for Beacon frames and not send any Probe Request frames. Actual
  118. # functionality may be driver dependent.
  119. #
  120. # This parameter can be used to force only passive scanning to be used
  121. # for network connection cases. It should be noted that this will slow
  122. # down scan operations and reduce likelihood of finding the AP. In
  123. # addition, some use cases will override this due to functional
  124. # requirements, e.g., for finding an AP that uses hidden SSID
  125. # (scan_ssid=1) or P2P device discovery.
  126. #
  127. # 0: Do normal scans (allow active scans) (default)
  128. # 1: Do passive scans.
  129. #passive_scan=0
  130. # MPM residency
  131. # By default, wpa_supplicant implements the mesh peering manager (MPM) for an
  132. # open mesh. However, if the driver can implement the MPM, you may set this to
  133. # 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is
  134. # always used.
  135. # 0: MPM lives in the driver
  136. # 1: wpa_supplicant provides an MPM which handles peering (default)
  137. #user_mpm=1
  138. # Maximum number of peer links (0-255; default: 99)
  139. # Maximum number of mesh peering currently maintained by the STA.
  140. #max_peer_links=99
  141. # Timeout in seconds to detect STA inactivity (default: 300 seconds)
  142. #
  143. # This timeout value is used in mesh STA to clean up inactive stations.
  144. #mesh_max_inactivity=300
  145. # cert_in_cb - Whether to include a peer certificate dump in events
  146. # This controls whether peer certificates for authentication server and
  147. # its certificate chain are included in EAP peer certificate events. This is
  148. # enabled by default.
  149. #cert_in_cb=1
  150. # EAP fast re-authentication
  151. # By default, fast re-authentication is enabled for all EAP methods that
  152. # support it. This variable can be used to disable fast re-authentication.
  153. # Normally, there is no need to disable this.
  154. fast_reauth=1
  155. # OpenSSL Engine support
  156. # These options can be used to load OpenSSL engines in special or legacy
  157. # modes.
  158. # The two engines that are supported currently are shown below:
  159. # They are both from the opensc project (http://www.opensc.org/)
  160. # By default the PKCS#11 engine is loaded if the client_cert or
  161. # private_key option appear to be a PKCS#11 URI, and these options
  162. # should not need to be used explicitly.
  163. # make the opensc engine available
  164. #opensc_engine_path=/usr/lib/opensc/engine_opensc.so
  165. # make the pkcs11 engine available
  166. #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
  167. # configure the path to the pkcs11 module required by the pkcs11 engine
  168. #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
  169. # OpenSSL cipher string
  170. #
  171. # This is an OpenSSL specific configuration option for configuring the default
  172. # ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW"
  173. # by default) is used.
  174. # See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
  175. # on cipher suite configuration. This is applicable only if wpa_supplicant is
  176. # built to use OpenSSL.
  177. #openssl_ciphers=DEFAULT:!EXP:!LOW
  178. # Dynamic EAP methods
  179. # If EAP methods were built dynamically as shared object files, they need to be
  180. # loaded here before being used in the network blocks. By default, EAP methods
  181. # are included statically in the build, so these lines are not needed
  182. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
  183. #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
  184. # Driver interface parameters
  185. # This field can be used to configure arbitrary driver interface parameters. The
  186. # format is specific to the selected driver interface. This field is not used
  187. # in most cases.
  188. #driver_param="field=value"
  189. # Country code
  190. # The ISO/IEC alpha2 country code for the country in which this device is
  191. # currently operating.
  192. #country=US
  193. # Maximum lifetime for PMKSA in seconds; default 43200
  194. #dot11RSNAConfigPMKLifetime=43200
  195. # Threshold for reauthentication (percentage of PMK lifetime); default 70
  196. #dot11RSNAConfigPMKReauthThreshold=70
  197. # Timeout for security association negotiation in seconds; default 60
  198. #dot11RSNAConfigSATimeout=60
  199. # Wi-Fi Protected Setup (WPS) parameters
  200. # Universally Unique IDentifier (UUID; see RFC 4122) of the device
  201. # If not configured, UUID will be generated based on the mechanism selected with
  202. # the auto_uuid parameter.
  203. #uuid=12345678-9abc-def0-1234-56789abcdef0
  204. # Automatic UUID behavior
  205. # 0 = generate static value based on the local MAC address (default)
  206. # 1 = generate a random UUID every time wpa_supplicant starts
  207. #auto_uuid=0
  208. # Device Name
  209. # User-friendly description of device; up to 32 octets encoded in UTF-8
  210. #device_name=Wireless Client
  211. # Manufacturer
  212. # The manufacturer of the device (up to 64 ASCII characters)
  213. #manufacturer=Company
  214. # Model Name
  215. # Model of the device (up to 32 ASCII characters)
  216. #model_name=cmodel
  217. # Model Number
  218. # Additional device description (up to 32 ASCII characters)
  219. #model_number=123
  220. # Serial Number
  221. # Serial number of the device (up to 32 characters)
  222. #serial_number=12345
  223. # Primary Device Type
  224. # Used format: <categ>-<OUI>-<subcateg>
  225. # categ = Category as an integer value
  226. # OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
  227. # default WPS OUI
  228. # subcateg = OUI-specific Sub Category as an integer value
  229. # Examples:
  230. # 1-0050F204-1 (Computer / PC)
  231. # 1-0050F204-2 (Computer / Server)
  232. # 5-0050F204-1 (Storage / NAS)
  233. # 6-0050F204-1 (Network Infrastructure / AP)
  234. #device_type=1-0050F204-1
  235. # OS Version
  236. # 4-octet operating system version number (hex string)
  237. #os_version=01020300
  238. # Config Methods
  239. # List of the supported configuration methods
  240. # Available methods: usba ethernet label display ext_nfc_token int_nfc_token
  241. # nfc_interface push_button keypad virtual_display physical_display
  242. # virtual_push_button physical_push_button
  243. # For WSC 1.0:
  244. #config_methods=label display push_button keypad
  245. # For WSC 2.0:
  246. #config_methods=label virtual_display virtual_push_button keypad
  247. # Credential processing
  248. # 0 = process received credentials internally (default)
  249. # 1 = do not process received credentials; just pass them over ctrl_iface to
  250. # external program(s)
  251. # 2 = process received credentials internally and pass them over ctrl_iface
  252. # to external program(s)
  253. #wps_cred_processing=0
  254. # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
  255. # The vendor attribute contents to be added in M1 (hex string)
  256. #wps_vendor_ext_m1=000137100100020001
  257. # NFC password token for WPS
  258. # These parameters can be used to configure a fixed NFC password token for the
  259. # station. This can be generated, e.g., with nfc_pw_token. When these
  260. # parameters are used, the station is assumed to be deployed with a NFC tag
  261. # that includes the matching NFC password token (e.g., written based on the
  262. # NDEF record from nfc_pw_token).
  263. #
  264. #wps_nfc_dev_pw_id: Device Password ID (16..65535)
  265. #wps_nfc_dh_pubkey: Hexdump of DH Public Key
  266. #wps_nfc_dh_privkey: Hexdump of DH Private Key
  267. #wps_nfc_dev_pw: Hexdump of Device Password
  268. # Priority for the networks added through WPS
  269. # This priority value will be set to each network profile that is added
  270. # by executing the WPS protocol.
  271. #wps_priority=0
  272. # Maximum number of BSS entries to keep in memory
  273. # Default: 200
  274. # This can be used to limit memory use on the BSS entries (cached scan
  275. # results). A larger value may be needed in environments that have huge number
  276. # of APs when using ap_scan=1 mode.
  277. #bss_max_count=200
  278. # Automatic scan
  279. # This is an optional set of parameters for automatic scanning
  280. # within an interface in following format:
  281. #autoscan=<autoscan module name>:<module parameters>
  282. # autoscan is like bgscan but on disconnected or inactive state.
  283. # For instance, on exponential module parameters would be <base>:<limit>
  284. #autoscan=exponential:3:300
  285. # Which means a delay between scans on a base exponential of 3,
  286. # up to the limit of 300 seconds (3, 9, 27 ... 300)
  287. # For periodic module, parameters would be <fixed interval>
  288. #autoscan=periodic:30
  289. # So a delay of 30 seconds will be applied between each scan.
  290. # Note: If sched_scan_plans are configured and supported by the driver,
  291. # autoscan is ignored.
  292. # filter_ssids - SSID-based scan result filtering
  293. # 0 = do not filter scan results (default)
  294. # 1 = only include configured SSIDs in scan results/BSS table
  295. #filter_ssids=0
  296. # Password (and passphrase, etc.) backend for external storage
  297. # format: <backend name>[:<optional backend parameters>]
  298. #ext_password_backend=test:pw1=password|pw2=testing
  299. # Disable P2P functionality
  300. # p2p_disabled=1
  301. # Timeout in seconds to detect STA inactivity (default: 300 seconds)
  302. #
  303. # This timeout value is used in P2P GO mode to clean up
  304. # inactive stations.
  305. #p2p_go_max_inactivity=300
  306. # Passphrase length (8..63) for P2P GO
  307. #
  308. # This parameter controls the length of the random passphrase that is
  309. # generated at the GO. Default: 8.
  310. #p2p_passphrase_len=8
  311. # Extra delay between concurrent P2P search iterations
  312. #
  313. # This value adds extra delay in milliseconds between concurrent search
  314. # iterations to make p2p_find friendlier to concurrent operations by avoiding
  315. # it from taking 100% of radio resources. The default value is 500 ms.
  316. #p2p_search_delay=500
  317. # Opportunistic Key Caching (also known as Proactive Key Caching) default
  318. # This parameter can be used to set the default behavior for the
  319. # proactive_key_caching parameter. By default, OKC is disabled unless enabled
  320. # with the global okc=1 parameter or with the per-network
  321. # proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
  322. # can be disabled with per-network proactive_key_caching=0 parameter.
  323. #okc=0
  324. # Protected Management Frames default
  325. # This parameter can be used to set the default behavior for the ieee80211w
  326. # parameter for RSN networks. By default, PMF is disabled unless enabled with
  327. # the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter.
  328. # With pmf=1/2, PMF is enabled/required by default, but can be disabled with the
  329. # per-network ieee80211w parameter. This global default value does not apply
  330. # for non-RSN networks (key_mgmt=NONE) since PMF is available only when using
  331. # RSN.
  332. #pmf=0
  333. # Enabled SAE finite cyclic groups in preference order
  334. # By default (if this parameter is not set), the mandatory group 19 (ECC group
  335. # defined over a 256-bit prime order field) is preferred, but other groups are
  336. # also enabled. If this parameter is set, the groups will be tried in the
  337. # indicated order. The group values are listed in the IANA registry:
  338. # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
  339. #sae_groups=21 20 19 26 25
  340. # Default value for DTIM period (if not overridden in network block)
  341. #dtim_period=2
  342. # Default value for Beacon interval (if not overridden in network block)
  343. #beacon_int=100
  344. # Additional vendor specific elements for Beacon and Probe Response frames
  345. # This parameter can be used to add additional vendor specific element(s) into
  346. # the end of the Beacon and Probe Response frames. The format for these
  347. # element(s) is a hexdump of the raw information elements (id+len+payload for
  348. # one or more elements). This is used in AP and P2P GO modes.
  349. #ap_vendor_elements=dd0411223301
  350. # Ignore scan results older than request
  351. #
  352. # The driver may have a cache of scan results that makes it return
  353. # information that is older than our scan trigger. This parameter can
  354. # be used to configure such old information to be ignored instead of
  355. # allowing it to update the internal BSS table.
  356. #ignore_old_scan_res=0
  357. # scan_cur_freq: Whether to scan only the current frequency
  358. # 0: Scan all available frequencies. (Default)
  359. # 1: Scan current operating frequency if another VIF on the same radio
  360. # is already associated.
  361. # MAC address policy default
  362. # 0 = use permanent MAC address
  363. # 1 = use random MAC address for each ESS connection
  364. # 2 = like 1, but maintain OUI (with local admin bit set)
  365. #
  366. # By default, permanent MAC address is used unless policy is changed by
  367. # the per-network mac_addr parameter. Global mac_addr=1 can be used to
  368. # change this default behavior.
  369. #mac_addr=0
  370. # Lifetime of random MAC address in seconds (default: 60)
  371. #rand_addr_lifetime=60
  372. # MAC address policy for pre-association operations (scanning, ANQP)
  373. # 0 = use permanent MAC address
  374. # 1 = use random MAC address
  375. # 2 = like 1, but maintain OUI (with local admin bit set)
  376. #preassoc_mac_addr=0
  377. # MAC address policy for GAS operations
  378. # 0 = use permanent MAC address
  379. # 1 = use random MAC address
  380. # 2 = like 1, but maintain OUI (with local admin bit set)
  381. #gas_rand_mac_addr=0
  382. # Lifetime of GAS random MAC address in seconds (default: 60)
  383. #gas_rand_addr_lifetime=60
  384. # Interworking (IEEE 802.11u)
  385. # Enable Interworking
  386. # interworking=1
  387. # Enable P2P GO advertisement of Interworking
  388. # go_interworking=1
  389. # P2P GO Interworking: Access Network Type
  390. # 0 = Private network
  391. # 1 = Private network with guest access
  392. # 2 = Chargeable public network
  393. # 3 = Free public network
  394. # 4 = Personal device network
  395. # 5 = Emergency services only network
  396. # 14 = Test or experimental
  397. # 15 = Wildcard
  398. #go_access_network_type=0
  399. # P2P GO Interworking: Whether the network provides connectivity to the Internet
  400. # 0 = Unspecified
  401. # 1 = Network provides connectivity to the Internet
  402. #go_internet=1
  403. # P2P GO Interworking: Group Venue Info (optional)
  404. # The available values are defined in IEEE Std 802.11-2016, 9.4.1.35.
  405. # Example values (group,type):
  406. # 0,0 = Unspecified
  407. # 1,7 = Convention Center
  408. # 1,13 = Coffee Shop
  409. # 2,0 = Unspecified Business
  410. # 7,1 Private Residence
  411. #go_venue_group=7
  412. #go_venue_type=1
  413. # Homogenous ESS identifier
  414. # If this is set, scans will be used to request response only from BSSes
  415. # belonging to the specified Homogeneous ESS. This is used only if interworking
  416. # is enabled.
  417. # hessid=00:11:22:33:44:55
  418. # Automatic network selection behavior
  419. # 0 = do not automatically go through Interworking network selection
  420. # (i.e., require explicit interworking_select command for this; default)
  421. # 1 = perform Interworking network selection if one or more
  422. # credentials have been configured and scan did not find a
  423. # matching network block
  424. #auto_interworking=0
  425. # GAS Address3 field behavior
  426. # 0 = P2P specification (Address3 = AP BSSID); default
  427. # 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when
  428. # sent to not-associated AP; if associated, AP BSSID)
  429. #gas_address3=0
  430. # Publish fine timing measurement (FTM) responder functionality in
  431. # the Extended Capabilities element bit 70.
  432. # Controls whether FTM responder functionality will be published by AP/STA.
  433. # Note that actual FTM responder operation is managed outside wpa_supplicant.
  434. # 0 = Do not publish; default
  435. # 1 = Publish
  436. #ftm_responder=0
  437. # Publish fine timing measurement (FTM) initiator functionality in
  438. # the Extended Capabilities element bit 71.
  439. # Controls whether FTM initiator functionality will be published by AP/STA.
  440. # Note that actual FTM initiator operation is managed outside wpa_supplicant.
  441. # 0 = Do not publish; default
  442. # 1 = Publish
  443. #ftm_initiator=0
  444. # credential block
  445. #
  446. # Each credential used for automatic network selection is configured as a set
  447. # of parameters that are compared to the information advertised by the APs when
  448. # interworking_select and interworking_connect commands are used.
  449. #
  450. # credential fields:
  451. #
  452. # temporary: Whether this credential is temporary and not to be saved
  453. #
  454. # priority: Priority group
  455. # By default, all networks and credentials get the same priority group
  456. # (0). This field can be used to give higher priority for credentials
  457. # (and similarly in struct wpa_ssid for network blocks) to change the
  458. # Interworking automatic networking selection behavior. The matching
  459. # network (based on either an enabled network block or a credential)
  460. # with the highest priority value will be selected.
  461. #
  462. # pcsc: Use PC/SC and SIM/USIM card
  463. #
  464. # realm: Home Realm for Interworking
  465. #
  466. # username: Username for Interworking network selection
  467. #
  468. # password: Password for Interworking network selection
  469. #
  470. # ca_cert: CA certificate for Interworking network selection
  471. #
  472. # client_cert: File path to client certificate file (PEM/DER)
  473. # This field is used with Interworking networking selection for a case
  474. # where client certificate/private key is used for authentication
  475. # (EAP-TLS). Full path to the file should be used since working
  476. # directory may change when wpa_supplicant is run in the background.
  477. #
  478. # Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
  479. #
  480. # For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
  481. #
  482. # Alternatively, a named configuration blob can be used by setting
  483. # this to blob://blob_name.
  484. #
  485. # private_key: File path to client private key file (PEM/DER/PFX)
  486. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  487. # commented out. Both the private key and certificate will be read
  488. # from the PKCS#12 file in this case. Full path to the file should be
  489. # used since working directory may change when wpa_supplicant is run
  490. # in the background.
  491. #
  492. # Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
  493. # For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
  494. #
  495. # Windows certificate store can be used by leaving client_cert out and
  496. # configuring private_key in one of the following formats:
  497. #
  498. # cert://substring_to_match
  499. #
  500. # hash://certificate_thumbprint_in_hex
  501. #
  502. # For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  503. #
  504. # Note that when running wpa_supplicant as an application, the user
  505. # certificate store (My user account) is used, whereas computer store
  506. # (Computer account) is used when running wpasvc as a service.
  507. #
  508. # Alternatively, a named configuration blob can be used by setting
  509. # this to blob://blob_name.
  510. #
  511. # private_key_passwd: Password for private key file
  512. #
  513. # imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
  514. #
  515. # milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
  516. # format
  517. #
  518. # domain: Home service provider FQDN(s)
  519. # This is used to compare against the Domain Name List to figure out
  520. # whether the AP is operated by the Home SP. Multiple domain entries can
  521. # be used to configure alternative FQDNs that will be considered home
  522. # networks.
  523. #
  524. # roaming_consortium: Roaming Consortium OI
  525. # If roaming_consortium_len is non-zero, this field contains the
  526. # Roaming Consortium OI that can be used to determine which access
  527. # points support authentication with this credential. This is an
  528. # alternative to the use of the realm parameter. When using Roaming
  529. # Consortium to match the network, the EAP parameters need to be
  530. # pre-configured with the credential since the NAI Realm information
  531. # may not be available or fetched.
  532. #
  533. # eap: Pre-configured EAP method
  534. # This optional field can be used to specify which EAP method will be
  535. # used with this credential. If not set, the EAP method is selected
  536. # automatically based on ANQP information (e.g., NAI Realm).
  537. #
  538. # phase1: Pre-configure Phase 1 (outer authentication) parameters
  539. # This optional field is used with like the 'eap' parameter.
  540. #
  541. # phase2: Pre-configure Phase 2 (inner authentication) parameters
  542. # This optional field is used with like the 'eap' parameter.
  543. #
  544. # excluded_ssid: Excluded SSID
  545. # This optional field can be used to excluded specific SSID(s) from
  546. # matching with the network. Multiple entries can be used to specify more
  547. # than one SSID.
  548. #
  549. # roaming_partner: Roaming partner information
  550. # This optional field can be used to configure preferences between roaming
  551. # partners. The field is a string in following format:
  552. # <FQDN>,<0/1 exact match>,<priority>,<* or country code>
  553. # (non-exact match means any subdomain matches the entry; priority is in
  554. # 0..255 range with 0 being the highest priority)
  555. #
  556. # update_identifier: PPS MO ID
  557. # (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
  558. #
  559. # provisioning_sp: FQDN of the SP that provisioned the credential
  560. # This optional field can be used to keep track of the SP that provisioned
  561. # the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
  562. #
  563. # Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)
  564. # These fields can be used to specify minimum download/upload backhaul
  565. # bandwidth that is preferred for the credential. This constraint is
  566. # ignored if the AP does not advertise WAN Metrics information or if the
  567. # limit would prevent any connection. Values are in kilobits per second.
  568. # min_dl_bandwidth_home
  569. # min_ul_bandwidth_home
  570. # min_dl_bandwidth_roaming
  571. # min_ul_bandwidth_roaming
  572. #
  573. # max_bss_load: Maximum BSS Load Channel Utilization (1..255)
  574. # (PPS/<X+>/Policy/MaximumBSSLoadValue)
  575. # This value is used as the maximum channel utilization for network
  576. # selection purposes for home networks. If the AP does not advertise
  577. # BSS Load or if the limit would prevent any connection, this constraint
  578. # will be ignored.
  579. #
  580. # req_conn_capab: Required connection capability
  581. # (PPS/<X+>/Policy/RequiredProtoPortTuple)
  582. # This value is used to configure set of required protocol/port pairs that
  583. # a roaming network shall support (include explicitly in Connection
  584. # Capability ANQP element). This constraint is ignored if the AP does not
  585. # advertise Connection Capability or if this constraint would prevent any
  586. # network connection. This policy is not used in home networks.
  587. # Format: <protocol>[:<comma-separated list of ports]
  588. # Multiple entries can be used to list multiple requirements.
  589. # For example, number of common TCP protocols:
  590. # req_conn_capab=6,22,80,443
  591. # For example, IPSec/IKE:
  592. # req_conn_capab=17:500
  593. # req_conn_capab=50
  594. #
  595. # ocsp: Whether to use/require OCSP to check server certificate
  596. # 0 = do not use OCSP stapling (TLS certificate status extension)
  597. # 1 = try to use OCSP stapling, but not require response
  598. # 2 = require valid OCSP stapling response
  599. # 3 = require valid OCSP stapling response for all not-trusted
  600. # certificates in the server certificate chain
  601. #
  602. # sim_num: Identifier for which SIM to use in multi-SIM devices
  603. #
  604. # for example:
  605. #
  606. #cred={
  607. # realm="example.com"
  608. # username="user@example.com"
  609. # password="password"
  610. # ca_cert="/etc/wpa_supplicant/ca.pem"
  611. # domain="example.com"
  612. #}
  613. #
  614. #cred={
  615. # imsi="310026-000000000"
  616. # milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
  617. #}
  618. #
  619. #cred={
  620. # realm="example.com"
  621. # username="user"
  622. # password="password"
  623. # ca_cert="/etc/wpa_supplicant/ca.pem"
  624. # domain="example.com"
  625. # roaming_consortium=223344
  626. # eap=TTLS
  627. # phase2="auth=MSCHAPV2"
  628. #}
  629. # Hotspot 2.0
  630. # hs20=1
  631. # Scheduled scan plans
  632. #
  633. # A space delimited list of scan plans. Each scan plan specifies the scan
  634. # interval and number of iterations, delimited by a colon. The last scan plan
  635. # will run infinitely and thus must specify only the interval and not the number
  636. # of iterations.
  637. #
  638. # The driver advertises the maximum number of scan plans supported. If more scan
  639. # plans than supported are configured, only the first ones are set (up to the
  640. # maximum supported). The last scan plan that specifies only the interval is
  641. # always set as the last plan.
  642. #
  643. # If the scan interval or the number of iterations for a scan plan exceeds the
  644. # maximum supported, it will be set to the maximum supported value.
  645. #
  646. # Format:
  647. # sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
  648. #
  649. # Example:
  650. # sched_scan_plans=10:100 20:200 30
  651. # Multi Band Operation (MBO) non-preferred channels
  652. # A space delimited list of non-preferred channels where each channel is a colon
  653. # delimited list of values.
  654. # Format:
  655. # non_pref_chan=<oper_class>:<chan>:<preference>:<reason>
  656. # Example:
  657. # non_pref_chan=81:5:10:2 81:1:0:2 81:9:0:2
  658. # MBO Cellular Data Capabilities
  659. # 1 = Cellular data connection available
  660. # 2 = Cellular data connection not available
  661. # 3 = Not cellular capable (default)
  662. #mbo_cell_capa=3
  663. # Optimized Connectivity Experience (OCE)
  664. # oce: Enable OCE features (bitmap)
  665. # Set BIT(0) to Enable OCE in non-AP STA mode (default; disabled if the driver
  666. # does not indicate support for OCE in STA mode)
  667. # Set BIT(1) to Enable OCE in STA-CFON mode
  668. #oce=1
  669. # network block
  670. #
  671. # Each network (usually AP's sharing the same SSID) is configured as a separate
  672. # block in this configuration file. The network blocks are in preference order
  673. # (the first match is used).
  674. #
  675. # network block fields:
  676. #
  677. # disabled:
  678. # 0 = this network can be used (default)
  679. # 1 = this network block is disabled (can be enabled through ctrl_iface,
  680. # e.g., with wpa_cli or wpa_gui)
  681. #
  682. # id_str: Network identifier string for external scripts. This value is passed
  683. # to external action script through wpa_cli as WPA_ID_STR environment
  684. # variable to make it easier to do network specific configuration.
  685. #
  686. # ssid: SSID (mandatory); network name in one of the optional formats:
  687. # - an ASCII string with double quotation
  688. # - a hex string (two characters per octet of SSID)
  689. # - a printf-escaped ASCII string P"<escaped string>"
  690. #
  691. # scan_ssid:
  692. # 0 = do not scan this SSID with specific Probe Request frames (default)
  693. # 1 = scan with SSID-specific Probe Request frames (this can be used to
  694. # find APs that do not accept broadcast SSID or use multiple SSIDs;
  695. # this will add latency to scanning, so enable this only when needed)
  696. #
  697. # bssid: BSSID (optional); if set, this network block is used only when
  698. # associating with the AP using the configured BSSID
  699. #
  700. # priority: priority group (integer)
  701. # By default, all networks will get same priority group (0). If some of the
  702. # networks are more desirable, this field can be used to change the order in
  703. # which wpa_supplicant goes through the networks when selecting a BSS. The
  704. # priority groups will be iterated in decreasing priority (i.e., the larger the
  705. # priority value, the sooner the network is matched against the scan results).
  706. # Within each priority group, networks will be selected based on security
  707. # policy, signal strength, etc.
  708. # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
  709. # using this priority to select the order for scanning. Instead, they try the
  710. # networks in the order that used in the configuration file.
  711. #
  712. # mode: IEEE 802.11 operation mode
  713. # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
  714. # 1 = IBSS (ad-hoc, peer-to-peer)
  715. # 2 = AP (access point)
  716. # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
  717. # WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
  718. # TKIP/CCMP) is available for backwards compatibility, but its use is
  719. # deprecated. WPA-None requires following network block options:
  720. # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
  721. # both), and psk must also be set.
  722. #
  723. # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
  724. # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
  725. # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
  726. # In addition, this value is only used by the station that creates the IBSS. If
  727. # an IBSS network with the configured SSID is already present, the frequency of
  728. # the network will be used instead of this configured value.
  729. #
  730. # pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
  731. # 0 = do not use PBSS
  732. # 1 = use PBSS
  733. # 2 = don't care (not allowed in AP mode)
  734. # Used together with mode configuration. When mode is AP, it means to start a
  735. # PCP instead of a regular AP. When mode is infrastructure it means connect
  736. # to a PCP instead of AP. In this mode you can also specify 2 (don't care)
  737. # which means connect to either PCP or AP.
  738. # P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.
  739. # For more details, see IEEE Std 802.11ad-2012.
  740. #
  741. # scan_freq: List of frequencies to scan
  742. # Space-separated list of frequencies in MHz to scan when searching for this
  743. # BSS. If the subset of channels used by the network is known, this option can
  744. # be used to optimize scanning to not occur on channels that the network does
  745. # not use. Example: scan_freq=2412 2437 2462
  746. #
  747. # freq_list: Array of allowed frequencies
  748. # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
  749. # set, scan results that do not match any of the specified frequencies are not
  750. # considered when selecting a BSS.
  751. #
  752. # This can also be set on the outside of the network block. In this case,
  753. # it limits the frequencies that will be scanned.
  754. #
  755. # bgscan: Background scanning
  756. # wpa_supplicant behavior for background scanning can be specified by
  757. # configuring a bgscan module. These modules are responsible for requesting
  758. # background scans for the purpose of roaming within an ESS (i.e., within a
  759. # single network block with all the APs using the same SSID). The bgscan
  760. # parameter uses following format: "<bgscan module name>:<module parameters>"
  761. # Following bgscan modules are available:
  762. # simple - Periodic background scans based on signal strength
  763. # bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
  764. # <long interval>"
  765. # bgscan="simple:30:-45:300"
  766. # learn - Learn channels used by the network and try to avoid bgscans on other
  767. # channels (experimental)
  768. # bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
  769. # <long interval>[:<database file name>]"
  770. # bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
  771. # Explicitly disable bgscan by setting
  772. # bgscan=""
  773. #
  774. # This option can also be set outside of all network blocks for the bgscan
  775. # parameter to apply for all the networks that have no specific bgscan
  776. # parameter.
  777. #
  778. # proto: list of accepted protocols
  779. # WPA = WPA/IEEE 802.11i/D3.0
  780. # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
  781. # If not set, this defaults to: WPA RSN
  782. #
  783. # key_mgmt: list of accepted authenticated key management protocols
  784. # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
  785. # WPA-EAP = WPA using EAP authentication
  786. # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
  787. # generated WEP keys
  788. # NONE = WPA is not used; plaintext or static WEP could be used
  789. # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
  790. # instead)
  791. # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
  792. # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
  793. # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
  794. # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
  795. # SAE = Simultaneous authentication of equals; pre-shared key/password -based
  796. # authentication with stronger security than WPA-PSK especially when using
  797. # not that strong password
  798. # FT-SAE = SAE with FT
  799. # WPA-EAP-SUITE-B = Suite B 128-bit level
  800. # WPA-EAP-SUITE-B-192 = Suite B 192-bit level
  801. # OSEN = Hotspot 2.0 Rel 2 online signup connection
  802. # FILS-SHA256 = Fast Initial Link Setup with SHA256
  803. # FILS-SHA384 = Fast Initial Link Setup with SHA384
  804. # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
  805. # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
  806. # If not set, this defaults to: WPA-PSK WPA-EAP
  807. #
  808. # ieee80211w: whether management frame protection is enabled
  809. # 0 = disabled (default unless changed with the global pmf parameter)
  810. # 1 = optional
  811. # 2 = required
  812. # The most common configuration options for this based on the PMF (protected
  813. # management frames) certification program are:
  814. # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
  815. # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
  816. # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
  817. #
  818. # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  819. # OPEN = Open System authentication (required for WPA/WPA2)
  820. # SHARED = Shared Key authentication (requires static WEP keys)
  821. # LEAP = LEAP/Network EAP (only used with LEAP)
  822. # If not set, automatic selection is used (Open System with LEAP enabled if
  823. # LEAP is allowed as one of the EAP methods).
  824. #
  825. # pairwise: list of accepted pairwise (unicast) ciphers for WPA
  826. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  827. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  828. # NONE = Use only Group Keys (deprecated, should not be included if APs support
  829. # pairwise keys)
  830. # If not set, this defaults to: CCMP TKIP
  831. #
  832. # group: list of accepted group (broadcast/multicast) ciphers for WPA
  833. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  834. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  835. # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
  836. # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
  837. # If not set, this defaults to: CCMP TKIP WEP104 WEP40
  838. #
  839. # group_mgmt: list of accepted group management ciphers for RSN (PMF)
  840. # AES-128-CMAC = BIP-CMAC-128
  841. # BIP-GMAC-128
  842. # BIP-GMAC-256
  843. # BIP-CMAC-256
  844. # If not set, no constraint on the cipher, i.e., accept whichever cipher the AP
  845. # indicates.
  846. #
  847. # psk: WPA preshared key; 256-bit pre-shared key
  848. # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
  849. # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
  850. # generated using the passphrase and SSID). ASCII passphrase must be between
  851. # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
  852. # be used to indicate that the PSK/passphrase is stored in external storage.
  853. # This field is not needed, if WPA-EAP is used.
  854. # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
  855. # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
  856. # startup and reconfiguration time can be optimized by generating the PSK only
  857. # only when the passphrase or SSID has actually changed.
  858. #
  859. # mem_only_psk: Whether to keep PSK/passphrase only in memory
  860. # 0 = allow psk/passphrase to be stored to the configuration file
  861. # 1 = do not store psk/passphrase to the configuration file
  862. #mem_only_psk=0
  863. #
  864. # sae_password: SAE password
  865. # This parameter can be used to set a password for SAE. By default, the
  866. # passphrase value is used if this separate parameter is not used, but
  867. # passphrase follows the WPA-PSK constraints (8..63 characters) even
  868. # though SAE passwords do not have such constraints.
  869. #
  870. # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
  871. # Dynamic WEP key required for non-WPA mode
  872. # bit0 (1): require dynamically generated unicast WEP key
  873. # bit1 (2): require dynamically generated broadcast WEP key
  874. # (3 = require both keys; default)
  875. # Note: When using wired authentication (including MACsec drivers),
  876. # eapol_flags must be set to 0 for the authentication to be completed
  877. # successfully.
  878. #
  879. # macsec_policy: IEEE 802.1X/MACsec options
  880. # This determines how sessions are secured with MACsec (only for MACsec
  881. # drivers).
  882. # 0: MACsec not in use (default)
  883. # 1: MACsec enabled - Should secure, accept key server's advice to
  884. # determine whether to use a secure session or not.
  885. #
  886. # macsec_integ_only: IEEE 802.1X/MACsec transmit mode
  887. # This setting applies only when MACsec is in use, i.e.,
  888. # - macsec_policy is enabled
  889. # - the key server has decided to enable MACsec
  890. # 0: Encrypt traffic (default)
  891. # 1: Integrity only
  892. #
  893. # macsec_port: IEEE 802.1X/MACsec port
  894. # Port component of the SCI
  895. # Range: 1-65534 (default: 1)
  896. #
  897. # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
  898. # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
  899. # In this mode, instances of wpa_supplicant can act as MACsec peers. The peer
  900. # with lower priority will become the key server and start distributing SAKs.
  901. # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-bytes (128 bit)
  902. # hex-string (32 hex-digits)
  903. # mka_ckn (CKN = CAK Name) takes a 32-bytes (256 bit) hex-string (64 hex-digits)
  904. # mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being
  905. # default priority
  906. #
  907. # mixed_cell: This option can be used to configure whether so called mixed
  908. # cells, i.e., networks that use both plaintext and encryption in the same
  909. # SSID, are allowed when selecting a BSS from scan results.
  910. # 0 = disabled (default)
  911. # 1 = enabled
  912. #
  913. # proactive_key_caching:
  914. # Enable/disable opportunistic PMKSA caching for WPA2.
  915. # 0 = disabled (default unless changed with the global okc parameter)
  916. # 1 = enabled
  917. #
  918. # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
  919. # hex without quotation, e.g., 0102030405)
  920. # wep_tx_keyidx: Default WEP key index (TX) (0..3)
  921. #
  922. # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
  923. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
  924. #
  925. # group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
  926. # as the dot11RSNAConfigGroupRekeyTime parameter when operating in
  927. # Authenticator role in IBSS, or in AP and mesh modes.
  928. #
  929. # Following fields are only used with internal EAP implementation.
  930. # eap: space-separated list of accepted EAP methods
  931. # MD5 = EAP-MD5 (insecure and does not generate keying material ->
  932. # cannot be used with WPA; to be used as a Phase 2 method
  933. # with EAP-PEAP or EAP-TTLS)
  934. # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
  935. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  936. # OTP = EAP-OTP (cannot be used separately with WPA; to be used
  937. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  938. # GTC = EAP-GTC (cannot be used separately with WPA; to be used
  939. # as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  940. # TLS = EAP-TLS (client and server certificate)
  941. # PEAP = EAP-PEAP (with tunnelled EAP authentication)
  942. # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
  943. # authentication)
  944. # If not set, all compiled in methods are allowed.
  945. #
  946. # identity: Identity string for EAP
  947. # This field is also used to configure user NAI for
  948. # EAP-PSK/PAX/SAKE/GPSK.
  949. # anonymous_identity: Anonymous identity string for EAP (to be used as the
  950. # unencrypted identity with EAP types that support different tunnelled
  951. # identity, e.g., EAP-TTLS). This field can also be used with
  952. # EAP-SIM/AKA/AKA' to store the pseudonym identity.
  953. # password: Password string for EAP. This field can include either the
  954. # plaintext password (using ASCII or hex string) or a NtPasswordHash
  955. # (16-byte MD4 hash of password) in hash:<32 hex digits> format.
  956. # NtPasswordHash can only be used when the password is for MSCHAPv2 or
  957. # MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
  958. # EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
  959. # PSK) is also configured using this field. For EAP-GPSK, this is a
  960. # variable length PSK. ext:<name of external password field> format can
  961. # be used to indicate that the password is stored in external storage.
  962. # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
  963. # or more trusted CA certificates. If ca_cert and ca_path are not
  964. # included, server certificate will not be verified. This is insecure and
  965. # a trusted CA certificate should always be configured when using
  966. # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
  967. # change when wpa_supplicant is run in the background.
  968. #
  969. # Alternatively, this can be used to only perform matching of the server
  970. # certificate (SHA-256 hash of the DER encoded X.509 certificate). In
  971. # this case, the possible CA certificates in the server certificate chain
  972. # are ignored and only the server certificate is verified. This is
  973. # configured with the following format:
  974. # hash:://server/sha256/cert_hash_in_hex
  975. # For example: "hash://server/sha256/
  976. # 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
  977. #
  978. # On Windows, trusted CA certificates can be loaded from the system
  979. # certificate store by setting this to cert_store://<name>, e.g.,
  980. # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
  981. # Note that when running wpa_supplicant as an application, the user
  982. # certificate store (My user account) is used, whereas computer store
  983. # (Computer account) is used when running wpasvc as a service.
  984. # ca_path: Directory path for CA certificate files (PEM). This path may
  985. # contain multiple CA certificates in OpenSSL format. Common use for this
  986. # is to point to system trusted CA list which is often installed into
  987. # directory like /etc/ssl/certs. If configured, these certificates are
  988. # added to the list of trusted CAs. ca_cert may also be included in that
  989. # case, but it is not required.
  990. # client_cert: File path to client certificate file (PEM/DER)
  991. # Full path should be used since working directory may change when
  992. # wpa_supplicant is run in the background.
  993. # Alternatively, a named configuration blob can be used by setting this
  994. # to blob://<blob name>.
  995. # private_key: File path to client private key file (PEM/DER/PFX)
  996. # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  997. # commented out. Both the private key and certificate will be read from
  998. # the PKCS#12 file in this case. Full path should be used since working
  999. # directory may change when wpa_supplicant is run in the background.
  1000. # Windows certificate store can be used by leaving client_cert out and
  1001. # configuring private_key in one of the following formats:
  1002. # cert://substring_to_match
  1003. # hash://certificate_thumbprint_in_hex
  1004. # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  1005. # Note that when running wpa_supplicant as an application, the user
  1006. # certificate store (My user account) is used, whereas computer store
  1007. # (Computer account) is used when running wpasvc as a service.
  1008. # Alternatively, a named configuration blob can be used by setting this
  1009. # to blob://<blob name>.
  1010. # private_key_passwd: Password for private key file (if left out, this will be
  1011. # asked through control interface)
  1012. # dh_file: File path to DH/DSA parameters file (in PEM format)
  1013. # This is an optional configuration file for setting parameters for an
  1014. # ephemeral DH key exchange. In most cases, the default RSA
  1015. # authentication does not use this configuration. However, it is possible
  1016. # setup RSA to use ephemeral DH key exchange. In addition, ciphers with
  1017. # DSA keys always use ephemeral DH keys. This can be used to achieve
  1018. # forward secrecy. If the file is in DSA parameters format, it will be
  1019. # automatically converted into DH params.
  1020. # subject_match: Substring to be matched against the subject of the
  1021. # authentication server certificate. If this string is set, the server
  1022. # certificate is only accepted if it contains this string in the subject.
  1023. # The subject string is in following format:
  1024. # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
  1025. # Note: Since this is a substring match, this cannot be used securely to
  1026. # do a suffix match against a possible domain name in the CN entry. For
  1027. # such a use case, domain_suffix_match or domain_match should be used
  1028. # instead.
  1029. # altsubject_match: Semicolon separated string of entries to be matched against
  1030. # the alternative subject name of the authentication server certificate.
  1031. # If this string is set, the server certificate is only accepted if it
  1032. # contains one of the entries in an alternative subject name extension.
  1033. # altSubjectName string is in following format: TYPE:VALUE
  1034. # Example: EMAIL:server@example.com
  1035. # Example: DNS:server.example.com;DNS:server2.example.com
  1036. # Following types are supported: EMAIL, DNS, URI
  1037. # domain_suffix_match: Constraint for server domain name. If set, this FQDN is
  1038. # used as a suffix match requirement for the AAA server certificate in
  1039. # SubjectAltName dNSName element(s). If a matching dNSName is found, this
  1040. # constraint is met. If no dNSName values are present, this constraint is
  1041. # matched against SubjectName CN using same suffix match comparison.
  1042. #
  1043. # Suffix match here means that the host/domain name is compared one label
  1044. # at a time starting from the top-level domain and all the labels in
  1045. # domain_suffix_match shall be included in the certificate. The
  1046. # certificate may include additional sub-level labels in addition to the
  1047. # required labels.
  1048. #
  1049. # For example, domain_suffix_match=example.com would match
  1050. # test.example.com but would not match test-example.com.
  1051. # domain_match: Constraint for server domain name
  1052. # If set, this FQDN is used as a full match requirement for the
  1053. # server certificate in SubjectAltName dNSName element(s). If a
  1054. # matching dNSName is found, this constraint is met. If no dNSName
  1055. # values are present, this constraint is matched against SubjectName CN
  1056. # using same full match comparison. This behavior is similar to
  1057. # domain_suffix_match, but has the requirement of a full match, i.e.,
  1058. # no subdomains or wildcard matches are allowed. Case-insensitive
  1059. # comparison is used, so "Example.com" matches "example.com", but would
  1060. # not match "test.Example.com".
  1061. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
  1062. # (string with field-value pairs, e.g., "peapver=0" or
  1063. # "peapver=1 peaplabel=1")
  1064. # 'peapver' can be used to force which PEAP version (0 or 1) is used.
  1065. # 'peaplabel=1' can be used to force new label, "client PEAP encryption",
  1066. # to be used during key derivation when PEAPv1 or newer. Most existing
  1067. # PEAPv1 implementation seem to be using the old label, "client EAP
  1068. # encryption", and wpa_supplicant is now using that as the default value.
  1069. # Some servers, e.g., Radiator, may require peaplabel=1 configuration to
  1070. # interoperate with PEAPv1; see eap_testing.txt for more details.
  1071. # 'peap_outer_success=0' can be used to terminate PEAP authentication on
  1072. # tunneled EAP-Success. This is required with some RADIUS servers that
  1073. # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
  1074. # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
  1075. # include_tls_length=1 can be used to force wpa_supplicant to include
  1076. # TLS Message Length field in all TLS messages even if they are not
  1077. # fragmented.
  1078. # sim_min_num_chal=3 can be used to configure EAP-SIM to require three
  1079. # challenges (by default, it accepts 2 or 3)
  1080. # result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
  1081. # protected result indication.
  1082. # 'crypto_binding' option can be used to control PEAPv0 cryptobinding
  1083. # behavior:
  1084. # * 0 = do not use cryptobinding (default)
  1085. # * 1 = use cryptobinding if server supports it
  1086. # * 2 = require cryptobinding
  1087. # EAP-WSC (WPS) uses following options: pin=<Device Password> or
  1088. # pbc=1.
  1089. #
  1090. # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
  1091. # used to configure a mode that allows EAP-Success (and EAP-Failure)
  1092. # without going through authentication step. Some switches use such
  1093. # sequence when forcing the port to be authorized/unauthorized or as a
  1094. # fallback option if the authentication server is unreachable. By default,
  1095. # wpa_supplicant discards such frames to protect against potential attacks
  1096. # by rogue devices, but this option can be used to disable that protection
  1097. # for cases where the server/authenticator does not need to be
  1098. # authenticated.
  1099. # phase2: Phase2 (inner authentication with TLS tunnel) parameters
  1100. # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
  1101. # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
  1102. # used to disable MSCHAPv2 password retry in authentication failure cases.
  1103. #
  1104. # TLS-based methods can use the following parameters to control TLS behavior
  1105. # (these are normally in the phase1 parameter, but can be used also in the
  1106. # phase2 parameter when EAP-TLS is used within the inner tunnel):
  1107. # tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
  1108. # TLS library, these may be disabled by default to enforce stronger
  1109. # security)
  1110. # tls_disable_time_checks=1 - ignore certificate validity time (this requests
  1111. # the TLS library to accept certificates even if they are not currently
  1112. # valid, i.e., have expired or have not yet become valid; this should be
  1113. # used only for testing purposes)
  1114. # tls_disable_session_ticket=1 - disable TLS Session Ticket extension
  1115. # tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
  1116. # Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
  1117. # as a workaround for broken authentication server implementations unless
  1118. # EAP workarounds are disabled with eap_workaround=0.
  1119. # For EAP-FAST, this must be set to 0 (or left unconfigured for the
  1120. # default value to be used automatically).
  1121. # tls_disable_tlsv1_0=1 - disable use of TLSv1.0
  1122. # tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
  1123. # that have issues interoperating with updated TLS version)
  1124. # tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
  1125. # that have issues interoperating with updated TLS version)
  1126. # tls_ext_cert_check=0 - No external server certificate validation (default)
  1127. # tls_ext_cert_check=1 - External server certificate validation enabled; this
  1128. # requires an external program doing validation of server certificate
  1129. # chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
  1130. # interface and report the result of the validation with
  1131. # CTRL-RSP_EXT_CERT_CHECK.
  1132. # tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default)
  1133. # tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in
  1134. # particular when using Suite B with RSA keys of >= 3K (3072) bits
  1135. #
  1136. # Following certificate/private key fields are used in inner Phase2
  1137. # authentication when using EAP-TTLS or EAP-PEAP.
  1138. # ca_cert2: File path to CA certificate file. This file can have one or more
  1139. # trusted CA certificates. If ca_cert2 and ca_path2 are not included,
  1140. # server certificate will not be verified. This is insecure and a trusted
  1141. # CA certificate should always be configured.
  1142. # ca_path2: Directory path for CA certificate files (PEM)
  1143. # client_cert2: File path to client certificate file
  1144. # private_key2: File path to client private key file
  1145. # private_key2_passwd: Password for private key file
  1146. # dh_file2: File path to DH/DSA parameters file (in PEM format)
  1147. # subject_match2: Substring to be matched against the subject of the
  1148. # authentication server certificate. See subject_match for more details.
  1149. # altsubject_match2: Semicolon separated string of entries to be matched
  1150. # against the alternative subject name of the authentication server
  1151. # certificate. See altsubject_match documentation for more details.
  1152. # domain_suffix_match2: Constraint for server domain name. See
  1153. # domain_suffix_match for more details.
  1154. #
  1155. # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  1156. # This value limits the fragment size for EAP methods that support
  1157. # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
  1158. # small enough to make the EAP messages fit in MTU of the network
  1159. # interface used for EAPOL. The default value is suitable for most
  1160. # cases.
  1161. #
  1162. # ocsp: Whether to use/require OCSP to check server certificate
  1163. # 0 = do not use OCSP stapling (TLS certificate status extension)
  1164. # 1 = try to use OCSP stapling, but not require response
  1165. # 2 = require valid OCSP stapling response
  1166. # 3 = require valid OCSP stapling response for all not-trusted
  1167. # certificates in the server certificate chain
  1168. #
  1169. # openssl_ciphers: OpenSSL specific cipher configuration
  1170. # This can be used to override the global openssl_ciphers configuration
  1171. # parameter (see above).
  1172. #
  1173. # erp: Whether EAP Re-authentication Protocol (ERP) is enabled
  1174. #
  1175. # EAP-FAST variables:
  1176. # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
  1177. # to create this file and write updates to it when PAC is being
  1178. # provisioned or refreshed. Full path to the file should be used since
  1179. # working directory may change when wpa_supplicant is run in the
  1180. # background. Alternatively, a named configuration blob can be used by
  1181. # setting this to blob://<blob name>
  1182. # phase1: fast_provisioning option can be used to enable in-line provisioning
  1183. # of EAP-FAST credentials (PAC):
  1184. # 0 = disabled,
  1185. # 1 = allow unauthenticated provisioning,
  1186. # 2 = allow authenticated provisioning,
  1187. # 3 = allow both unauthenticated and authenticated provisioning
  1188. # fast_max_pac_list_len=<num> option can be used to set the maximum
  1189. # number of PAC entries to store in a PAC list (default: 10)
  1190. # fast_pac_format=binary option can be used to select binary format for
  1191. # storing PAC entries in order to save some space (the default
  1192. # text format uses about 2.5 times the size of minimal binary
  1193. # format)
  1194. #
  1195. # wpa_supplicant supports number of "EAP workarounds" to work around
  1196. # interoperability issues with incorrectly behaving authentication servers.
  1197. # These are enabled by default because some of the issues are present in large
  1198. # number of authentication servers. Strict EAP conformance mode can be
  1199. # configured by disabling workarounds with eap_workaround=0.
  1200. # update_identifier: PPS MO ID
  1201. # (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
  1202. # Station inactivity limit
  1203. #
  1204. # If a station does not send anything in ap_max_inactivity seconds, an
  1205. # empty data frame is sent to it in order to verify whether it is
  1206. # still in range. If this frame is not ACKed, the station will be
  1207. # disassociated and then deauthenticated. This feature is used to
  1208. # clear station table of old entries when the STAs move out of the
  1209. # range.
  1210. #
  1211. # The station can associate again with the AP if it is still in range;
  1212. # this inactivity poll is just used as a nicer way of verifying
  1213. # inactivity; i.e., client will not report broken connection because
  1214. # disassociation frame is not sent immediately without first polling
  1215. # the STA with a data frame.
  1216. # default: 300 (i.e., 5 minutes)
  1217. #ap_max_inactivity=300
  1218. # DTIM period in Beacon intervals for AP mode (default: 2)
  1219. #dtim_period=2
  1220. # Beacon interval (default: 100 TU)
  1221. #beacon_int=100
  1222. # WPS in AP mode
  1223. # 0 = WPS enabled and configured (default)
  1224. # 1 = WPS disabled
  1225. #wps_disabled=0
  1226. # FILS DH Group
  1227. # 0 = PFS disabled with FILS shared key authentication (default)
  1228. # 1-65535 = DH Group to use for FILS PFS
  1229. #fils_dh_group=0
  1230. # MAC address policy
  1231. # 0 = use permanent MAC address
  1232. # 1 = use random MAC address for each ESS connection
  1233. # 2 = like 1, but maintain OUI (with local admin bit set)
  1234. #mac_addr=0
  1235. # disable_ht: Whether HT (802.11n) should be disabled.
  1236. # 0 = HT enabled (if AP supports it)
  1237. # 1 = HT disabled
  1238. #
  1239. # disable_ht40: Whether HT-40 (802.11n) should be disabled.
  1240. # 0 = HT-40 enabled (if AP supports it)
  1241. # 1 = HT-40 disabled
  1242. #
  1243. # disable_sgi: Whether SGI (short guard interval) should be disabled.
  1244. # 0 = SGI enabled (if AP supports it)
  1245. # 1 = SGI disabled
  1246. #
  1247. # disable_ldpc: Whether LDPC should be disabled.
  1248. # 0 = LDPC enabled (if AP supports it)
  1249. # 1 = LDPC disabled
  1250. #
  1251. # ht40_intolerant: Whether 40 MHz intolerant should be indicated.
  1252. # 0 = 40 MHz tolerant (default)
  1253. # 1 = 40 MHz intolerant
  1254. #
  1255. # ht_mcs: Configure allowed MCS rates.
  1256. # Parsed as an array of bytes, in base-16 (ascii-hex)
  1257. # ht_mcs="" // Use all available (default)
  1258. # ht_mcs="0xff 00 00 00 00 00 00 00 00 00 " // Use MCS 0-7 only
  1259. # ht_mcs="0xff ff 00 00 00 00 00 00 00 00 " // Use MCS 0-15 only
  1260. #
  1261. # disable_max_amsdu: Whether MAX_AMSDU should be disabled.
  1262. # -1 = Do not make any changes.
  1263. # 0 = Enable MAX-AMSDU if hardware supports it.
  1264. # 1 = Disable AMSDU
  1265. #
  1266. # ampdu_factor: Maximum A-MPDU Length Exponent
  1267. # Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
  1268. #
  1269. # ampdu_density: Allow overriding AMPDU density configuration.
  1270. # Treated as hint by the kernel.
  1271. # -1 = Do not make any changes.
  1272. # 0-3 = Set AMPDU density (aka factor) to specified value.
  1273. # disable_vht: Whether VHT should be disabled.
  1274. # 0 = VHT enabled (if AP supports it)
  1275. # 1 = VHT disabled
  1276. #
  1277. # vht_capa: VHT capabilities to set in the override
  1278. # vht_capa_mask: mask of VHT capabilities
  1279. #
  1280. # vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
  1281. # vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
  1282. # 0: MCS 0-7
  1283. # 1: MCS 0-8
  1284. # 2: MCS 0-9
  1285. # 3: not supported
  1286. ##### Fast Session Transfer (FST) support #####################################
  1287. #
  1288. # The options in this section are only available when the build configuration
  1289. # option CONFIG_FST is set while compiling wpa_supplicant. They allow this
  1290. # interface to be a part of FST setup.
  1291. #
  1292. # FST is the transfer of a session from a channel to another channel, in the
  1293. # same or different frequency bands.
  1294. #
  1295. # For details, see IEEE Std 802.11ad-2012.
  1296. # Identifier of an FST Group the interface belongs to.
  1297. #fst_group_id=bond0
  1298. # Interface priority within the FST Group.
  1299. # Announcing a higher priority for an interface means declaring it more
  1300. # preferable for FST switch.
  1301. # fst_priority is in 1..255 range with 1 being the lowest priority.
  1302. #fst_priority=100
  1303. # Default LLT value for this interface in milliseconds. The value used in case
  1304. # no value provided during session setup. Default is 50 msec.
  1305. # fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
  1306. # Transitioning between states).
  1307. #fst_llt=100
  1308. # Example blocks:
  1309. # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
  1310. network={
  1311. ssid="simple"
  1312. psk="very secret passphrase"
  1313. priority=5
  1314. }
  1315. # Same as previous, but request SSID-specific scanning (for APs that reject
  1316. # broadcast SSID)
  1317. network={
  1318. ssid="second ssid"
  1319. scan_ssid=1
  1320. psk="very secret passphrase"
  1321. priority=2
  1322. }
  1323. # Only WPA-PSK is used. Any valid cipher combination is accepted.
  1324. network={
  1325. ssid="example"
  1326. proto=WPA
  1327. key_mgmt=WPA-PSK
  1328. pairwise=CCMP TKIP
  1329. group=CCMP TKIP WEP104 WEP40
  1330. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  1331. priority=2
  1332. }
  1333. # WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
  1334. network={
  1335. ssid="example"
  1336. proto=WPA
  1337. key_mgmt=WPA-PSK
  1338. pairwise=TKIP
  1339. group=TKIP
  1340. psk="not so secure passphrase"
  1341. wpa_ptk_rekey=600
  1342. }
  1343. # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
  1344. # or WEP40 as the group cipher will not be accepted.
  1345. network={
  1346. ssid="example"
  1347. proto=RSN
  1348. key_mgmt=WPA-EAP
  1349. pairwise=CCMP TKIP
  1350. group=CCMP TKIP
  1351. eap=TLS
  1352. identity="user@example.com"
  1353. ca_cert="/etc/cert/ca.pem"
  1354. client_cert="/etc/cert/user.pem"
  1355. private_key="/etc/cert/user.prv"
  1356. private_key_passwd="password"
  1357. priority=1
  1358. }
  1359. # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
  1360. # (e.g., Radiator)
  1361. network={
  1362. ssid="example"
  1363. key_mgmt=WPA-EAP
  1364. eap=PEAP
  1365. identity="user@example.com"
  1366. password="foobar"
  1367. ca_cert="/etc/cert/ca.pem"
  1368. phase1="peaplabel=1"
  1369. phase2="auth=MSCHAPV2"
  1370. priority=10
  1371. }
  1372. # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
  1373. # unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
  1374. network={
  1375. ssid="example"
  1376. key_mgmt=WPA-EAP
  1377. eap=TTLS
  1378. identity="user@example.com"
  1379. anonymous_identity="anonymous@example.com"
  1380. password="foobar"
  1381. ca_cert="/etc/cert/ca.pem"
  1382. priority=2
  1383. }
  1384. # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
  1385. # use. Real identity is sent only within an encrypted TLS tunnel.
  1386. network={
  1387. ssid="example"
  1388. key_mgmt=WPA-EAP
  1389. eap=TTLS
  1390. identity="user@example.com"
  1391. anonymous_identity="anonymous@example.com"
  1392. password="foobar"
  1393. ca_cert="/etc/cert/ca.pem"
  1394. phase2="auth=MSCHAPV2"
  1395. }
  1396. # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
  1397. # authentication.
  1398. network={
  1399. ssid="example"
  1400. key_mgmt=WPA-EAP
  1401. eap=TTLS
  1402. # Phase1 / outer authentication
  1403. anonymous_identity="anonymous@example.com"
  1404. ca_cert="/etc/cert/ca.pem"
  1405. # Phase 2 / inner authentication
  1406. phase2="autheap=TLS"
  1407. ca_cert2="/etc/cert/ca2.pem"
  1408. client_cert2="/etc/cer/user.pem"
  1409. private_key2="/etc/cer/user.prv"
  1410. private_key2_passwd="password"
  1411. priority=2
  1412. }
  1413. # Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
  1414. # group cipher.
  1415. network={
  1416. ssid="example"
  1417. bssid=00:11:22:33:44:55
  1418. proto=WPA RSN
  1419. key_mgmt=WPA-PSK WPA-EAP
  1420. pairwise=CCMP
  1421. group=CCMP
  1422. psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  1423. }
  1424. # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
  1425. # and all valid ciphers.
  1426. network={
  1427. ssid=00010203
  1428. psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  1429. }
  1430. # EAP-SIM with a GSM SIM or USIM
  1431. network={
  1432. ssid="eap-sim-test"
  1433. key_mgmt=WPA-EAP
  1434. eap=SIM
  1435. pin="1234"
  1436. pcsc=""
  1437. }
  1438. # EAP-PSK
  1439. network={
  1440. ssid="eap-psk-test"
  1441. key_mgmt=WPA-EAP
  1442. eap=PSK
  1443. anonymous_identity="eap_psk_user"
  1444. password=06b4be19da289f475aa46a33cb793029
  1445. identity="eap_psk_user@example.com"
  1446. }
  1447. # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
  1448. # EAP-TLS for authentication and key generation; require both unicast and
  1449. # broadcast WEP keys.
  1450. network={
  1451. ssid="1x-test"
  1452. key_mgmt=IEEE8021X
  1453. eap=TLS
  1454. identity="user@example.com"
  1455. ca_cert="/etc/cert/ca.pem"
  1456. client_cert="/etc/cert/user.pem"
  1457. private_key="/etc/cert/user.prv"
  1458. private_key_passwd="password"
  1459. eapol_flags=3
  1460. }
  1461. # LEAP with dynamic WEP keys
  1462. network={
  1463. ssid="leap-example"
  1464. key_mgmt=IEEE8021X
  1465. eap=LEAP
  1466. identity="user"
  1467. password="foobar"
  1468. }
  1469. # EAP-IKEv2 using shared secrets for both server and peer authentication
  1470. network={
  1471. ssid="ikev2-example"
  1472. key_mgmt=WPA-EAP
  1473. eap=IKEV2
  1474. identity="user"
  1475. password="foobar"
  1476. }
  1477. # EAP-FAST with WPA (WPA or WPA2)
  1478. network={
  1479. ssid="eap-fast-test"
  1480. key_mgmt=WPA-EAP
  1481. eap=FAST
  1482. anonymous_identity="FAST-000102030405"
  1483. identity="username"
  1484. password="password"
  1485. phase1="fast_provisioning=1"
  1486. pac_file="/etc/wpa_supplicant.eap-fast-pac"
  1487. }
  1488. network={
  1489. ssid="eap-fast-test"
  1490. key_mgmt=WPA-EAP
  1491. eap=FAST
  1492. anonymous_identity="FAST-000102030405"
  1493. identity="username"
  1494. password="password"
  1495. phase1="fast_provisioning=1"
  1496. pac_file="blob://eap-fast-pac"
  1497. }
  1498. # Plaintext connection (no WPA, no IEEE 802.1X)
  1499. network={
  1500. ssid="plaintext-test"
  1501. key_mgmt=NONE
  1502. }
  1503. # Shared WEP key connection (no WPA, no IEEE 802.1X)
  1504. network={
  1505. ssid="static-wep-test"
  1506. key_mgmt=NONE
  1507. wep_key0="abcde"
  1508. wep_key1=0102030405
  1509. wep_key2="1234567890123"
  1510. wep_tx_keyidx=0
  1511. priority=5
  1512. }
  1513. # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
  1514. # IEEE 802.11 authentication
  1515. network={
  1516. ssid="static-wep-test2"
  1517. key_mgmt=NONE
  1518. wep_key0="abcde"
  1519. wep_key1=0102030405
  1520. wep_key2="1234567890123"
  1521. wep_tx_keyidx=0
  1522. priority=5
  1523. auth_alg=SHARED
  1524. }
  1525. # IBSS/ad-hoc network with RSN
  1526. network={
  1527. ssid="ibss-rsn"
  1528. key_mgmt=WPA-PSK
  1529. proto=RSN
  1530. psk="12345678"
  1531. mode=1
  1532. frequency=2412
  1533. pairwise=CCMP
  1534. group=CCMP
  1535. }
  1536. # IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
  1537. network={
  1538. ssid="test adhoc"
  1539. mode=1
  1540. frequency=2412
  1541. proto=WPA
  1542. key_mgmt=WPA-NONE
  1543. pairwise=NONE
  1544. group=TKIP
  1545. psk="secret passphrase"
  1546. }
  1547. # open mesh network
  1548. network={
  1549. ssid="test mesh"
  1550. mode=5
  1551. frequency=2437
  1552. key_mgmt=NONE
  1553. }
  1554. # secure (SAE + AMPE) network
  1555. network={
  1556. ssid="secure mesh"
  1557. mode=5
  1558. frequency=2437
  1559. key_mgmt=SAE
  1560. psk="very secret passphrase"
  1561. }
  1562. # Catch all example that allows more or less all configuration modes
  1563. network={
  1564. ssid="example"
  1565. scan_ssid=1
  1566. key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
  1567. pairwise=CCMP TKIP
  1568. group=CCMP TKIP WEP104 WEP40
  1569. psk="very secret passphrase"
  1570. eap=TTLS PEAP TLS
  1571. identity="user@example.com"
  1572. password="foobar"
  1573. ca_cert="/etc/cert/ca.pem"
  1574. client_cert="/etc/cert/user.pem"
  1575. private_key="/etc/cert/user.prv"
  1576. private_key_passwd="password"
  1577. phase1="peaplabel=0"
  1578. }
  1579. # Example of EAP-TLS with smartcard (openssl engine)
  1580. network={
  1581. ssid="example"
  1582. key_mgmt=WPA-EAP
  1583. eap=TLS
  1584. proto=RSN
  1585. pairwise=CCMP TKIP
  1586. group=CCMP TKIP
  1587. identity="user@example.com"
  1588. ca_cert="/etc/cert/ca.pem"
  1589. # Certificate and/or key identified by PKCS#11 URI (RFC7512)
  1590. client_cert="pkcs11:manufacturer=piv_II;id=%01"
  1591. private_key="pkcs11:manufacturer=piv_II;id=%01"
  1592. # Optional PIN configuration; this can be left out and PIN will be
  1593. # asked through the control interface
  1594. pin="1234"
  1595. }
  1596. # Example configuration showing how to use an inlined blob as a CA certificate
  1597. # data instead of using external file
  1598. network={
  1599. ssid="example"
  1600. key_mgmt=WPA-EAP
  1601. eap=TTLS
  1602. identity="user@example.com"
  1603. anonymous_identity="anonymous@example.com"
  1604. password="foobar"
  1605. ca_cert="blob://exampleblob"
  1606. priority=20
  1607. }
  1608. blob-base64-exampleblob={
  1609. SGVsbG8gV29ybGQhCg==
  1610. }
  1611. # Wildcard match for SSID (plaintext APs only). This example select any
  1612. # open AP regardless of its SSID.
  1613. network={
  1614. key_mgmt=NONE
  1615. }
  1616. # Example configuration blacklisting two APs - these will be ignored
  1617. # for this network.
  1618. network={
  1619. ssid="example"
  1620. psk="very secret passphrase"
  1621. bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
  1622. }
  1623. # Example configuration limiting AP selection to a specific set of APs;
  1624. # any other AP not matching the masked address will be ignored.
  1625. network={
  1626. ssid="example"
  1627. psk="very secret passphrase"
  1628. bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
  1629. }
  1630. # Example config file that will only scan on channel 36.
  1631. freq_list=5180
  1632. network={
  1633. key_mgmt=NONE
  1634. }
  1635. # Example configuration using EAP-TTLS for authentication and key
  1636. # generation for MACsec
  1637. network={
  1638. key_mgmt=IEEE8021X
  1639. eap=TTLS
  1640. phase2="auth=PAP"
  1641. anonymous_identity="anonymous@example.com"
  1642. identity="user@example.com"
  1643. password="secretr"
  1644. ca_cert="/etc/cert/ca.pem"
  1645. eapol_flags=0
  1646. macsec_policy=1
  1647. }
  1648. # Example configuration for MACsec with preshared key
  1649. network={
  1650. key_mgmt=NONE
  1651. eapol_flags=0
  1652. macsec_policy=1
  1653. mka_cak=0123456789ABCDEF0123456789ABCDEF
  1654. mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
  1655. mka_priority=128
  1656. }