diff options
Diffstat (limited to 'meta/recipes-connectivity/wpa-supplicant/wpa-supplicant-0.7.3/wpa_supplicant.conf')
-rw-r--r-- | meta/recipes-connectivity/wpa-supplicant/wpa-supplicant-0.7.3/wpa_supplicant.conf | 690 |
1 files changed, 690 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant-0.7.3/wpa_supplicant.conf b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant-0.7.3/wpa_supplicant.conf new file mode 100644 index 0000000000..f0c993d195 --- /dev/null +++ b/meta/recipes-connectivity/wpa-supplicant/wpa-supplicant-0.7.3/wpa_supplicant.conf | |||
@@ -0,0 +1,690 @@ | |||
1 | ##### Example wpa_supplicant configuration file ############################### | ||
2 | # | ||
3 | # This file describes configuration file format and lists all available option. | ||
4 | # Please also take a look at simpler configuration examples in 'examples' | ||
5 | # subdirectory. | ||
6 | # | ||
7 | # Empty lines and lines starting with # are ignored | ||
8 | |||
9 | # NOTE! This file may contain password information and should probably be made | ||
10 | # readable only by root user on multiuser systems. | ||
11 | |||
12 | # Note: All file paths in this configuration file should use full (absolute, | ||
13 | # not relative to working directory) path in order to allow working directory | ||
14 | # to be changed. This can happen if wpa_supplicant is run in the background. | ||
15 | |||
16 | # Whether to allow wpa_supplicant to update (overwrite) configuration | ||
17 | # | ||
18 | # This option can be used to allow wpa_supplicant to overwrite configuration | ||
19 | # file whenever configuration is changed (e.g., new network block is added with | ||
20 | # wpa_cli or wpa_gui, or a password is changed). This is required for | ||
21 | # wpa_cli/wpa_gui to be able to store the configuration changes permanently. | ||
22 | # Please note that overwriting configuration file will remove the comments from | ||
23 | # it. | ||
24 | #update_config=1 | ||
25 | |||
26 | # global configuration (shared by all network blocks) | ||
27 | # | ||
28 | # Parameters for the control interface. If this is specified, wpa_supplicant | ||
29 | # will open a control interface that is available for external programs to | ||
30 | # manage wpa_supplicant. The meaning of this string depends on which control | ||
31 | # interface mechanism is used. For all cases, the existance of this parameter | ||
32 | # in configuration is used to determine whether the control interface is | ||
33 | # enabled. | ||
34 | # | ||
35 | # For UNIX domain sockets (default on Linux and BSD): This is a directory that | ||
36 | # will be created for UNIX domain sockets for listening to requests from | ||
37 | # external programs (CLI/GUI, etc.) for status information and configuration. | ||
38 | # The socket file will be named based on the interface name, so multiple | ||
39 | # wpa_supplicant processes can be run at the same time if more than one | ||
40 | # interface is used. | ||
41 | # /var/run/wpa_supplicant is the recommended directory for sockets and by | ||
42 | # default, wpa_cli will use it when trying to connect with wpa_supplicant. | ||
43 | # | ||
44 | # Access control for the control interface can be configured by setting the | ||
45 | # directory to allow only members of a group to use sockets. This way, it is | ||
46 | # possible to run wpa_supplicant as root (since it needs to change network | ||
47 | # configuration and open raw sockets) and still allow GUI/CLI components to be | ||
48 | # run as non-root users. However, since the control interface can be used to | ||
49 | # change the network configuration, this access needs to be protected in many | ||
50 | # cases. By default, wpa_supplicant is configured to use gid 0 (root). If you | ||
51 | # want to allow non-root users to use the control interface, add a new group | ||
52 | # and change this value to match with that group. Add users that should have | ||
53 | # control interface access to this group. If this variable is commented out or | ||
54 | # not included in the configuration file, group will not be changed from the | ||
55 | # value it got by default when the directory or socket was created. | ||
56 | # | ||
57 | # When configuring both the directory and group, use following format: | ||
58 | # DIR=/var/run/wpa_supplicant GROUP=wheel | ||
59 | # DIR=/var/run/wpa_supplicant GROUP=0 | ||
60 | # (group can be either group name or gid) | ||
61 | # | ||
62 | # For UDP connections (default on Windows): The value will be ignored. This | ||
63 | # variable is just used to select that the control interface is to be created. | ||
64 | # The value can be set to, e.g., udp (ctrl_interface=udp) | ||
65 | # | ||
66 | # For Windows Named Pipe: This value can be used to set the security descriptor | ||
67 | # for controlling access to the control interface. Security descriptor can be | ||
68 | # set using Security Descriptor String Format (see http://msdn.microsoft.com/ | ||
69 | # library/default.asp?url=/library/en-us/secauthz/security/ | ||
70 | # security_descriptor_string_format.asp). The descriptor string needs to be | ||
71 | # prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty | ||
72 | # DACL (which will reject all connections). See README-Windows.txt for more | ||
73 | # information about SDDL string format. | ||
74 | # | ||
75 | ctrl_interface=/var/run/wpa_supplicant | ||
76 | |||
77 | # IEEE 802.1X/EAPOL version | ||
78 | # wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines | ||
79 | # EAPOL version 2. However, there are many APs that do not handle the new | ||
80 | # version number correctly (they seem to drop the frames completely). In order | ||
81 | # to make wpa_supplicant interoperate with these APs, the version number is set | ||
82 | # to 1 by default. This configuration value can be used to set it to the new | ||
83 | # version (2). | ||
84 | eapol_version=1 | ||
85 | |||
86 | # AP scanning/selection | ||
87 | # By default, wpa_supplicant requests driver to perform AP scanning and then | ||
88 | # uses the scan results to select a suitable AP. Another alternative is to | ||
89 | # allow the driver to take care of AP scanning and selection and use | ||
90 | # wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association | ||
91 | # information from the driver. | ||
92 | # 1: wpa_supplicant initiates scanning and AP selection | ||
93 | # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association | ||
94 | # parameters (e.g., WPA IE generation); this mode can also be used with | ||
95 | # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with | ||
96 | # APs (i.e., external program needs to control association). This mode must | ||
97 | # also be used when using wired Ethernet drivers. | ||
98 | # 2: like 0, but associate with APs using security policy and SSID (but not | ||
99 | # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to | ||
100 | # enable operation with hidden SSIDs and optimized roaming; in this mode, | ||
101 | # the network blocks in the configuration file are tried one by one until | ||
102 | # the driver reports successful association; each network block should have | ||
103 | # explicit security policy (i.e., only one option in the lists) for | ||
104 | # key_mgmt, pairwise, group, proto variables | ||
105 | ap_scan=1 | ||
106 | |||
107 | # EAP fast re-authentication | ||
108 | # By default, fast re-authentication is enabled for all EAP methods that | ||
109 | # support it. This variable can be used to disable fast re-authentication. | ||
110 | # Normally, there is no need to disable this. | ||
111 | fast_reauth=1 | ||
112 | |||
113 | # OpenSSL Engine support | ||
114 | # These options can be used to load OpenSSL engines. | ||
115 | # The two engines that are supported currently are shown below: | ||
116 | # They are both from the opensc project (http://www.opensc.org/) | ||
117 | # By default no engines are loaded. | ||
118 | # make the opensc engine available | ||
119 | #opensc_engine_path=/usr/lib/opensc/engine_opensc.so | ||
120 | # make the pkcs11 engine available | ||
121 | #pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so | ||
122 | # configure the path to the pkcs11 module required by the pkcs11 engine | ||
123 | #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so | ||
124 | |||
125 | # Dynamic EAP methods | ||
126 | # If EAP methods were built dynamically as shared object files, they need to be | ||
127 | # loaded here before being used in the network blocks. By default, EAP methods | ||
128 | # are included statically in the build, so these lines are not needed | ||
129 | #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so | ||
130 | #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so | ||
131 | |||
132 | # Driver interface parameters | ||
133 | # This field can be used to configure arbitrary driver interace parameters. The | ||
134 | # format is specific to the selected driver interface. This field is not used | ||
135 | # in most cases. | ||
136 | #driver_param="field=value" | ||
137 | |||
138 | # Maximum lifetime for PMKSA in seconds; default 43200 | ||
139 | #dot11RSNAConfigPMKLifetime=43200 | ||
140 | # Threshold for reauthentication (percentage of PMK lifetime); default 70 | ||
141 | #dot11RSNAConfigPMKReauthThreshold=70 | ||
142 | # Timeout for security association negotiation in seconds; default 60 | ||
143 | #dot11RSNAConfigSATimeout=60 | ||
144 | |||
145 | # network block | ||
146 | # | ||
147 | # Each network (usually AP's sharing the same SSID) is configured as a separate | ||
148 | # block in this configuration file. The network blocks are in preference order | ||
149 | # (the first match is used). | ||
150 | # | ||
151 | # network block fields: | ||
152 | # | ||
153 | # disabled: | ||
154 | # 0 = this network can be used (default) | ||
155 | # 1 = this network block is disabled (can be enabled through ctrl_iface, | ||
156 | # e.g., with wpa_cli or wpa_gui) | ||
157 | # | ||
158 | # id_str: Network identifier string for external scripts. This value is passed | ||
159 | # to external action script through wpa_cli as WPA_ID_STR environment | ||
160 | # variable to make it easier to do network specific configuration. | ||
161 | # | ||
162 | # ssid: SSID (mandatory); either as an ASCII string with double quotation or | ||
163 | # as hex string; network name | ||
164 | # | ||
165 | # scan_ssid: | ||
166 | # 0 = do not scan this SSID with specific Probe Request frames (default) | ||
167 | # 1 = scan with SSID-specific Probe Request frames (this can be used to | ||
168 | # find APs that do not accept broadcast SSID or use multiple SSIDs; | ||
169 | # this will add latency to scanning, so enable this only when needed) | ||
170 | # | ||
171 | # bssid: BSSID (optional); if set, this network block is used only when | ||
172 | # associating with the AP using the configured BSSID | ||
173 | # | ||
174 | # priority: priority group (integer) | ||
175 | # By default, all networks will get same priority group (0). If some of the | ||
176 | # networks are more desirable, this field can be used to change the order in | ||
177 | # which wpa_supplicant goes through the networks when selecting a BSS. The | ||
178 | # priority groups will be iterated in decreasing priority (i.e., the larger the | ||
179 | # priority value, the sooner the network is matched against the scan results). | ||
180 | # Within each priority group, networks will be selected based on security | ||
181 | # policy, signal strength, etc. | ||
182 | # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not | ||
183 | # using this priority to select the order for scanning. Instead, they try the | ||
184 | # networks in the order that used in the configuration file. | ||
185 | # | ||
186 | # mode: IEEE 802.11 operation mode | ||
187 | # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) | ||
188 | # 1 = IBSS (ad-hoc, peer-to-peer) | ||
189 | # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) | ||
190 | # and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has | ||
191 | # to be set to 2 for IBSS. WPA-None requires following network block options: | ||
192 | # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not | ||
193 | # both), and psk must also be set. | ||
194 | # | ||
195 | # proto: list of accepted protocols | ||
196 | # WPA = WPA/IEEE 802.11i/D3.0 | ||
197 | # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) | ||
198 | # If not set, this defaults to: WPA RSN | ||
199 | # | ||
200 | # key_mgmt: list of accepted authenticated key management protocols | ||
201 | # WPA-PSK = WPA pre-shared key (this requires 'psk' field) | ||
202 | # WPA-EAP = WPA using EAP authentication (this can use an external | ||
203 | # program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication | ||
204 | # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically | ||
205 | # generated WEP keys | ||
206 | # NONE = WPA is not used; plaintext or static WEP could be used | ||
207 | # If not set, this defaults to: WPA-PSK WPA-EAP | ||
208 | # | ||
209 | # auth_alg: list of allowed IEEE 802.11 authentication algorithms | ||
210 | # OPEN = Open System authentication (required for WPA/WPA2) | ||
211 | # SHARED = Shared Key authentication (requires static WEP keys) | ||
212 | # LEAP = LEAP/Network EAP (only used with LEAP) | ||
213 | # If not set, automatic selection is used (Open System with LEAP enabled if | ||
214 | # LEAP is allowed as one of the EAP methods). | ||
215 | # | ||
216 | # pairwise: list of accepted pairwise (unicast) ciphers for WPA | ||
217 | # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] | ||
218 | # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] | ||
219 | # NONE = Use only Group Keys (deprecated, should not be included if APs support | ||
220 | # pairwise keys) | ||
221 | # If not set, this defaults to: CCMP TKIP | ||
222 | # | ||
223 | # group: list of accepted group (broadcast/multicast) ciphers for WPA | ||
224 | # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] | ||
225 | # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] | ||
226 | # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key | ||
227 | # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] | ||
228 | # If not set, this defaults to: CCMP TKIP WEP104 WEP40 | ||
229 | # | ||
230 | # psk: WPA preshared key; 256-bit pre-shared key | ||
231 | # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., | ||
232 | # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be | ||
233 | # generated using the passphrase and SSID). ASCII passphrase must be between | ||
234 | # 8 and 63 characters (inclusive). | ||
235 | # This field is not needed, if WPA-EAP is used. | ||
236 | # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys | ||
237 | # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant | ||
238 | # startup and reconfiguration time can be optimized by generating the PSK only | ||
239 | # only when the passphrase or SSID has actually changed. | ||
240 | # | ||
241 | # eapol_flags: IEEE 802.1X/EAPOL options (bit field) | ||
242 | # Dynamic WEP key required for non-WPA mode | ||
243 | # bit0 (1): require dynamically generated unicast WEP key | ||
244 | # bit1 (2): require dynamically generated broadcast WEP key | ||
245 | # (3 = require both keys; default) | ||
246 | # Note: When using wired authentication, eapol_flags must be set to 0 for the | ||
247 | # authentication to be completed successfully. | ||
248 | # | ||
249 | # proactive_key_caching: | ||
250 | # Enable/disable opportunistic PMKSA caching for WPA2. | ||
251 | # 0 = disabled (default) | ||
252 | # 1 = enabled | ||
253 | # | ||
254 | # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or | ||
255 | # hex without quotation, e.g., 0102030405) | ||
256 | # wep_tx_keyidx: Default WEP key index (TX) (0..3) | ||
257 | # | ||
258 | # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is | ||
259 | # allowed. This is only used with RSN/WPA2. | ||
260 | # 0 = disabled (default) | ||
261 | # 1 = enabled | ||
262 | #peerkey=1 | ||
263 | # | ||
264 | # Following fields are only used with internal EAP implementation. | ||
265 | # eap: space-separated list of accepted EAP methods | ||
266 | # MD5 = EAP-MD5 (unsecure and does not generate keying material -> | ||
267 | # cannot be used with WPA; to be used as a Phase 2 method | ||
268 | # with EAP-PEAP or EAP-TTLS) | ||
269 | # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used | ||
270 | # as a Phase 2 method with EAP-PEAP or EAP-TTLS) | ||
271 | # OTP = EAP-OTP (cannot be used separately with WPA; to be used | ||
272 | # as a Phase 2 method with EAP-PEAP or EAP-TTLS) | ||
273 | # GTC = EAP-GTC (cannot be used separately with WPA; to be used | ||
274 | # as a Phase 2 method with EAP-PEAP or EAP-TTLS) | ||
275 | # TLS = EAP-TLS (client and server certificate) | ||
276 | # PEAP = EAP-PEAP (with tunnelled EAP authentication) | ||
277 | # TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 | ||
278 | # authentication) | ||
279 | # If not set, all compiled in methods are allowed. | ||
280 | # | ||
281 | # identity: Identity string for EAP | ||
282 | # anonymous_identity: Anonymous identity string for EAP (to be used as the | ||
283 | # unencrypted identity with EAP types that support different tunnelled | ||
284 | # identity, e.g., EAP-TTLS) | ||
285 | # password: Password string for EAP | ||
286 | # ca_cert: File path to CA certificate file (PEM/DER). This file can have one | ||
287 | # or more trusted CA certificates. If ca_cert and ca_path are not | ||
288 | # included, server certificate will not be verified. This is insecure and | ||
289 | # a trusted CA certificate should always be configured when using | ||
290 | # EAP-TLS/TTLS/PEAP. Full path should be used since working directory may | ||
291 | # change when wpa_supplicant is run in the background. | ||
292 | # On Windows, trusted CA certificates can be loaded from the system | ||
293 | # certificate store by setting this to cert_store://<name>, e.g., | ||
294 | # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". | ||
295 | # Note that when running wpa_supplicant as an application, the user | ||
296 | # certificate store (My user account) is used, whereas computer store | ||
297 | # (Computer account) is used when running wpasvc as a service. | ||
298 | # ca_path: Directory path for CA certificate files (PEM). This path may | ||
299 | # contain multiple CA certificates in OpenSSL format. Common use for this | ||
300 | # is to point to system trusted CA list which is often installed into | ||
301 | # directory like /etc/ssl/certs. If configured, these certificates are | ||
302 | # added to the list of trusted CAs. ca_cert may also be included in that | ||
303 | # case, but it is not required. | ||
304 | # client_cert: File path to client certificate file (PEM/DER) | ||
305 | # Full path should be used since working directory may change when | ||
306 | # wpa_supplicant is run in the background. | ||
307 | # Alternatively, a named configuration blob can be used by setting this | ||
308 | # to blob://<blob name>. | ||
309 | # private_key: File path to client private key file (PEM/DER/PFX) | ||
310 | # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be | ||
311 | # commented out. Both the private key and certificate will be read from | ||
312 | # the PKCS#12 file in this case. Full path should be used since working | ||
313 | # directory may change when wpa_supplicant is run in the background. | ||
314 | # Windows certificate store can be used by leaving client_cert out and | ||
315 | # configuring private_key in one of the following formats: | ||
316 | # cert://substring_to_match | ||
317 | # hash://certificate_thumbprint_in_hex | ||
318 | # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" | ||
319 | # Note that when running wpa_supplicant as an application, the user | ||
320 | # certificate store (My user account) is used, whereas computer store | ||
321 | # (Computer account) is used when running wpasvc as a service. | ||
322 | # Alternatively, a named configuration blob can be used by setting this | ||
323 | # to blob://<blob name>. | ||
324 | # private_key_passwd: Password for private key file (if left out, this will be | ||
325 | # asked through control interface) | ||
326 | # dh_file: File path to DH/DSA parameters file (in PEM format) | ||
327 | # This is an optional configuration file for setting parameters for an | ||
328 | # ephemeral DH key exchange. In most cases, the default RSA | ||
329 | # authentication does not use this configuration. However, it is possible | ||
330 | # setup RSA to use ephemeral DH key exchange. In addition, ciphers with | ||
331 | # DSA keys always use ephemeral DH keys. This can be used to achieve | ||
332 | # forward secrecy. If the file is in DSA parameters format, it will be | ||
333 | # automatically converted into DH params. | ||
334 | # subject_match: Substring to be matched against the subject of the | ||
335 | # authentication server certificate. If this string is set, the server | ||
336 | # sertificate is only accepted if it contains this string in the subject. | ||
337 | # The subject string is in following format: | ||
338 | # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com | ||
339 | # altsubject_match: Semicolon separated string of entries to be matched against | ||
340 | # the alternative subject name of the authentication server certificate. | ||
341 | # If this string is set, the server sertificate is only accepted if it | ||
342 | # contains one of the entries in an alternative subject name extension. | ||
343 | # altSubjectName string is in following format: TYPE:VALUE | ||
344 | # Example: EMAIL:server@example.com | ||
345 | # Example: DNS:server.example.com;DNS:server2.example.com | ||
346 | # Following types are supported: EMAIL, DNS, URI | ||
347 | # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters | ||
348 | # (string with field-value pairs, e.g., "peapver=0" or | ||
349 | # "peapver=1 peaplabel=1") | ||
350 | # 'peapver' can be used to force which PEAP version (0 or 1) is used. | ||
351 | # 'peaplabel=1' can be used to force new label, "client PEAP encryption", | ||
352 | # to be used during key derivation when PEAPv1 or newer. Most existing | ||
353 | # PEAPv1 implementation seem to be using the old label, "client EAP | ||
354 | # encryption", and wpa_supplicant is now using that as the default value. | ||
355 | # Some servers, e.g., Radiator, may require peaplabel=1 configuration to | ||
356 | # interoperate with PEAPv1; see eap_testing.txt for more details. | ||
357 | # 'peap_outer_success=0' can be used to terminate PEAP authentication on | ||
358 | # tunneled EAP-Success. This is required with some RADIUS servers that | ||
359 | # implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., | ||
360 | # Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) | ||
361 | # include_tls_length=1 can be used to force wpa_supplicant to include | ||
362 | # TLS Message Length field in all TLS messages even if they are not | ||
363 | # fragmented. | ||
364 | # sim_min_num_chal=3 can be used to configure EAP-SIM to require three | ||
365 | # challenges (by default, it accepts 2 or 3) | ||
366 | # phase2: Phase2 (inner authentication with TLS tunnel) parameters | ||
367 | # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or | ||
368 | # "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) | ||
369 | # Following certificate/private key fields are used in inner Phase2 | ||
370 | # authentication when using EAP-TTLS or EAP-PEAP. | ||
371 | # ca_cert2: File path to CA certificate file. This file can have one or more | ||
372 | # trusted CA certificates. If ca_cert2 and ca_path2 are not included, | ||
373 | # server certificate will not be verified. This is insecure and a trusted | ||
374 | # CA certificate should always be configured. | ||
375 | # ca_path2: Directory path for CA certificate files (PEM) | ||
376 | # client_cert2: File path to client certificate file | ||
377 | # private_key2: File path to client private key file | ||
378 | # private_key2_passwd: Password for private key file | ||
379 | # dh_file2: File path to DH/DSA parameters file (in PEM format) | ||
380 | # subject_match2: Substring to be matched against the subject of the | ||
381 | # authentication server certificate. | ||
382 | # altsubject_match2: Substring to be matched against the alternative subject | ||
383 | # name of the authentication server certificate. | ||
384 | # | ||
385 | # fragment_size: Maximum EAP fragment size in bytes (default 1398). | ||
386 | # This value limits the fragment size for EAP methods that support | ||
387 | # fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set | ||
388 | # small enough to make the EAP messages fit in MTU of the network | ||
389 | # interface used for EAPOL. The default value is suitable for most | ||
390 | # cases. | ||
391 | # | ||
392 | # EAP-PSK variables: | ||
393 | # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format | ||
394 | # nai: user NAI | ||
395 | # | ||
396 | # EAP-PAX variables: | ||
397 | # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format | ||
398 | # | ||
399 | # EAP-SAKE variables: | ||
400 | # eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format | ||
401 | # (this is concatenation of Root-Secret-A and Root-Secret-B) | ||
402 | # nai: user NAI (PEERID) | ||
403 | # | ||
404 | # EAP-GPSK variables: | ||
405 | # eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits) | ||
406 | # nai: user NAI (ID_Client) | ||
407 | # | ||
408 | # EAP-FAST variables: | ||
409 | # pac_file: File path for the PAC entries. wpa_supplicant will need to be able | ||
410 | # to create this file and write updates to it when PAC is being | ||
411 | # provisioned or refreshed. Full path to the file should be used since | ||
412 | # working directory may change when wpa_supplicant is run in the | ||
413 | # background. Alternatively, a named configuration blob can be used by | ||
414 | # setting this to blob://<blob name> | ||
415 | # phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST | ||
416 | # credentials (PAC) | ||
417 | # | ||
418 | # wpa_supplicant supports number of "EAP workarounds" to work around | ||
419 | # interoperability issues with incorrectly behaving authentication servers. | ||
420 | # These are enabled by default because some of the issues are present in large | ||
421 | # number of authentication servers. Strict EAP conformance mode can be | ||
422 | # configured by disabling workarounds with eap_workaround=0. | ||
423 | |||
424 | # Example blocks: | ||
425 | |||
426 | # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers | ||
427 | network={ | ||
428 | ssid="simple" | ||
429 | psk="very secret passphrase" | ||
430 | priority=5 | ||
431 | } | ||
432 | |||
433 | # Same as previous, but request SSID-specific scanning (for APs that reject | ||
434 | # broadcast SSID) | ||
435 | network={ | ||
436 | ssid="second ssid" | ||
437 | scan_ssid=1 | ||
438 | psk="very secret passphrase" | ||
439 | priority=2 | ||
440 | } | ||
441 | |||
442 | # Only WPA-PSK is used. Any valid cipher combination is accepted. | ||
443 | network={ | ||
444 | ssid="example" | ||
445 | proto=WPA | ||
446 | key_mgmt=WPA-PSK | ||
447 | pairwise=CCMP TKIP | ||
448 | group=CCMP TKIP WEP104 WEP40 | ||
449 | psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb | ||
450 | priority=2 | ||
451 | } | ||
452 | |||
453 | # Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 | ||
454 | # or WEP40 as the group cipher will not be accepted. | ||
455 | network={ | ||
456 | ssid="example" | ||
457 | proto=RSN | ||
458 | key_mgmt=WPA-EAP | ||
459 | pairwise=CCMP TKIP | ||
460 | group=CCMP TKIP | ||
461 | eap=TLS | ||
462 | identity="user@example.com" | ||
463 | ca_cert="/etc/cert/ca.pem" | ||
464 | client_cert="/etc/cert/user.pem" | ||
465 | private_key="/etc/cert/user.prv" | ||
466 | private_key_passwd="password" | ||
467 | priority=1 | ||
468 | } | ||
469 | |||
470 | # EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel | ||
471 | # (e.g., Radiator) | ||
472 | network={ | ||
473 | ssid="example" | ||
474 | key_mgmt=WPA-EAP | ||
475 | eap=PEAP | ||
476 | identity="user@example.com" | ||
477 | password="foobar" | ||
478 | ca_cert="/etc/cert/ca.pem" | ||
479 | phase1="peaplabel=1" | ||
480 | phase2="auth=MSCHAPV2" | ||
481 | priority=10 | ||
482 | } | ||
483 | |||
484 | # EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the | ||
485 | # unencrypted use. Real identity is sent only within an encrypted TLS tunnel. | ||
486 | network={ | ||
487 | ssid="example" | ||
488 | key_mgmt=WPA-EAP | ||
489 | eap=TTLS | ||
490 | identity="user@example.com" | ||
491 | anonymous_identity="anonymous@example.com" | ||
492 | password="foobar" | ||
493 | ca_cert="/etc/cert/ca.pem" | ||
494 | priority=2 | ||
495 | } | ||
496 | |||
497 | # EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted | ||
498 | # use. Real identity is sent only within an encrypted TLS tunnel. | ||
499 | network={ | ||
500 | ssid="example" | ||
501 | key_mgmt=WPA-EAP | ||
502 | eap=TTLS | ||
503 | identity="user@example.com" | ||
504 | anonymous_identity="anonymous@example.com" | ||
505 | password="foobar" | ||
506 | ca_cert="/etc/cert/ca.pem" | ||
507 | phase2="auth=MSCHAPV2" | ||
508 | } | ||
509 | |||
510 | # WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner | ||
511 | # authentication. | ||
512 | network={ | ||
513 | ssid="example" | ||
514 | key_mgmt=WPA-EAP | ||
515 | eap=TTLS | ||
516 | # Phase1 / outer authentication | ||
517 | anonymous_identity="anonymous@example.com" | ||
518 | ca_cert="/etc/cert/ca.pem" | ||
519 | # Phase 2 / inner authentication | ||
520 | phase2="autheap=TLS" | ||
521 | ca_cert2="/etc/cert/ca2.pem" | ||
522 | client_cert2="/etc/cer/user.pem" | ||
523 | private_key2="/etc/cer/user.prv" | ||
524 | private_key2_passwd="password" | ||
525 | priority=2 | ||
526 | } | ||
527 | |||
528 | # Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and | ||
529 | # group cipher. | ||
530 | network={ | ||
531 | ssid="example" | ||
532 | bssid=00:11:22:33:44:55 | ||
533 | proto=WPA RSN | ||
534 | key_mgmt=WPA-PSK WPA-EAP | ||
535 | pairwise=CCMP | ||
536 | group=CCMP | ||
537 | psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb | ||
538 | } | ||
539 | |||
540 | # Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP | ||
541 | # and all valid ciphers. | ||
542 | network={ | ||
543 | ssid=00010203 | ||
544 | psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f | ||
545 | } | ||
546 | |||
547 | |||
548 | # IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using | ||
549 | # EAP-TLS for authentication and key generation; require both unicast and | ||
550 | # broadcast WEP keys. | ||
551 | network={ | ||
552 | ssid="1x-test" | ||
553 | key_mgmt=IEEE8021X | ||
554 | eap=TLS | ||
555 | identity="user@example.com" | ||
556 | ca_cert="/etc/cert/ca.pem" | ||
557 | client_cert="/etc/cert/user.pem" | ||
558 | private_key="/etc/cert/user.prv" | ||
559 | private_key_passwd="password" | ||
560 | eapol_flags=3 | ||
561 | } | ||
562 | |||
563 | |||
564 | # LEAP with dynamic WEP keys | ||
565 | network={ | ||
566 | ssid="leap-example" | ||
567 | key_mgmt=IEEE8021X | ||
568 | eap=LEAP | ||
569 | identity="user" | ||
570 | password="foobar" | ||
571 | } | ||
572 | |||
573 | # Plaintext connection (no WPA, no IEEE 802.1X) | ||
574 | network={ | ||
575 | ssid="plaintext-test" | ||
576 | key_mgmt=NONE | ||
577 | } | ||
578 | |||
579 | |||
580 | # Shared WEP key connection (no WPA, no IEEE 802.1X) | ||
581 | network={ | ||
582 | ssid="static-wep-test" | ||
583 | key_mgmt=NONE | ||
584 | wep_key0="abcde" | ||
585 | wep_key1=0102030405 | ||
586 | wep_key2="1234567890123" | ||
587 | wep_tx_keyidx=0 | ||
588 | priority=5 | ||
589 | } | ||
590 | |||
591 | |||
592 | # Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key | ||
593 | # IEEE 802.11 authentication | ||
594 | network={ | ||
595 | ssid="static-wep-test2" | ||
596 | key_mgmt=NONE | ||
597 | wep_key0="abcde" | ||
598 | wep_key1=0102030405 | ||
599 | wep_key2="1234567890123" | ||
600 | wep_tx_keyidx=0 | ||
601 | priority=5 | ||
602 | auth_alg=SHARED | ||
603 | } | ||
604 | |||
605 | |||
606 | # IBSS/ad-hoc network with WPA-None/TKIP. | ||
607 | network={ | ||
608 | ssid="test adhoc" | ||
609 | mode=1 | ||
610 | proto=WPA | ||
611 | key_mgmt=WPA-NONE | ||
612 | pairwise=NONE | ||
613 | group=TKIP | ||
614 | psk="secret passphrase" | ||
615 | } | ||
616 | |||
617 | |||
618 | # Catch all example that allows more or less all configuration modes | ||
619 | network={ | ||
620 | ssid="example" | ||
621 | scan_ssid=1 | ||
622 | key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE | ||
623 | pairwise=CCMP TKIP | ||
624 | group=CCMP TKIP WEP104 WEP40 | ||
625 | psk="very secret passphrase" | ||
626 | eap=TTLS PEAP TLS | ||
627 | identity="user@example.com" | ||
628 | password="foobar" | ||
629 | ca_cert="/etc/cert/ca.pem" | ||
630 | client_cert="/etc/cert/user.pem" | ||
631 | private_key="/etc/cert/user.prv" | ||
632 | private_key_passwd="password" | ||
633 | phase1="peaplabel=0" | ||
634 | } | ||
635 | |||
636 | # Example of EAP-TLS with smartcard (openssl engine) | ||
637 | network={ | ||
638 | ssid="example" | ||
639 | key_mgmt=WPA-EAP | ||
640 | eap=TLS | ||
641 | proto=RSN | ||
642 | pairwise=CCMP TKIP | ||
643 | group=CCMP TKIP | ||
644 | identity="user@example.com" | ||
645 | ca_cert="/etc/cert/ca.pem" | ||
646 | client_cert="/etc/cert/user.pem" | ||
647 | |||
648 | engine=1 | ||
649 | |||
650 | # The engine configured here must be available. Look at | ||
651 | # OpenSSL engine support in the global section. | ||
652 | # The key available through the engine must be the private key | ||
653 | # matching the client certificate configured above. | ||
654 | |||
655 | # use the opensc engine | ||
656 | #engine_id="opensc" | ||
657 | #key_id="45" | ||
658 | |||
659 | # use the pkcs11 engine | ||
660 | engine_id="pkcs11" | ||
661 | key_id="id_45" | ||
662 | |||
663 | # Optional PIN configuration; this can be left out and PIN will be | ||
664 | # asked through the control interface | ||
665 | pin="1234" | ||
666 | } | ||
667 | |||
668 | # Example configuration showing how to use an inlined blob as a CA certificate | ||
669 | # data instead of using external file | ||
670 | network={ | ||
671 | ssid="example" | ||
672 | key_mgmt=WPA-EAP | ||
673 | eap=TTLS | ||
674 | identity="user@example.com" | ||
675 | anonymous_identity="anonymous@example.com" | ||
676 | password="foobar" | ||
677 | ca_cert="blob://exampleblob" | ||
678 | priority=20 | ||
679 | } | ||
680 | |||
681 | blob-base64-exampleblob={ | ||
682 | SGVsbG8gV29ybGQhCg== | ||
683 | } | ||
684 | |||
685 | |||
686 | # Wildcard match for SSID (plaintext APs only). This example select any | ||
687 | # open AP regardless of its SSID. | ||
688 | network={ | ||
689 | key_mgmt=NONE | ||
690 | } | ||