1##### Example wpa_supplicant configuration file ############################### 2# 3# This file describes configuration file format and lists all available option. 4# Please also take a look at simpler configuration examples in 'examples' 5# subdirectory. 6# 7# Empty lines and lines starting with # are ignored 8 9# NOTE! This file may contain password information and should probably be made 10# readable only by root user on multiuser systems. 11 12# Note: All file paths in this configuration file should use full (absolute, 13# not relative to working directory) path in order to allow working directory 14# to be changed. This can happen if wpa_supplicant is run in the background. 15 16# Whether to allow wpa_supplicant to update (overwrite) configuration 17# 18# This option can be used to allow wpa_supplicant to overwrite configuration 19# file whenever configuration is changed (e.g., new network block is added with 20# wpa_cli or wpa_gui, or a password is changed). This is required for 21# wpa_cli/wpa_gui to be able to store the configuration changes permanently. 22# Please note that overwriting configuration file will remove the comments from 23# it. 24update_config=1 25 26# global configuration (shared by all network blocks) 27# 28# Parameters for the control interface. If this is specified, wpa_supplicant 29# will open a control interface that is available for external programs to 30# manage wpa_supplicant. The meaning of this string depends on which control 31# interface mechanism is used. For all cases, the existance of this parameter 32# in configuration is used to determine whether the control interface is 33# enabled. 34# 35# For UNIX domain sockets (default on Linux and BSD): This is a directory that 36# will be created for UNIX domain sockets for listening to requests from 37# external programs (CLI/GUI, etc.) for status information and configuration. 38# The socket file will be named based on the interface name, so multiple 39# wpa_supplicant processes can be run at the same time if more than one 40# interface is used. 41# /var/run/wpa_supplicant is the recommended directory for sockets and by 42# default, wpa_cli will use it when trying to connect with wpa_supplicant. 43# 44# Access control for the control interface can be configured by setting the 45# directory to allow only members of a group to use sockets. This way, it is 46# possible to run wpa_supplicant as root (since it needs to change network 47# configuration and open raw sockets) and still allow GUI/CLI components to be 48# run as non-root users. However, since the control interface can be used to 49# change the network configuration, this access needs to be protected in many 50# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you 51# want to allow non-root users to use the control interface, add a new group 52# and change this value to match with that group. Add users that should have 53# control interface access to this group. If this variable is commented out or 54# not included in the configuration file, group will not be changed from the 55# value it got by default when the directory or socket was created. 56# 57# When configuring both the directory and group, use following format: 58# DIR=/var/run/wpa_supplicant GROUP=wheel 59# DIR=/var/run/wpa_supplicant GROUP=0 60# (group can be either group name or gid) 61ctrl_interface=wlan0 62 63# IEEE 802.1X/EAPOL version 64# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines 65# EAPOL version 2. However, there are many APs that do not handle the new 66# version number correctly (they seem to drop the frames completely). In order 67# to make wpa_supplicant interoperate with these APs, the version number is set 68# to 1 by default. This configuration value can be used to set it to the new 69# version (2). 70eapol_version=1 71 72# AP scanning/selection 73# By default, wpa_supplicant requests driver to perform AP scanning and then 74# uses the scan results to select a suitable AP. Another alternative is to 75# allow the driver to take care of AP scanning and selection and use 76# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association 77# information from the driver. 78# 1: wpa_supplicant initiates scanning and AP selection 79# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association 80# parameters (e.g., WPA IE generation); this mode can also be used with 81# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with 82# APs (i.e., external program needs to control association). This mode must 83# also be used when using wired Ethernet drivers. 84# 2: like 0, but associate with APs using security policy and SSID (but not 85# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to 86# enable operation with hidden SSIDs and optimized roaming; in this mode, 87# the network blocks in the configuration file are tried one by one until 88# the driver reports successful association; each network block should have 89# explicit security policy (i.e., only one option in the lists) for 90# key_mgmt, pairwise, group, proto variables 91ap_scan=1 92 93# EAP fast re-authentication 94# By default, fast re-authentication is enabled for all EAP methods that 95# support it. This variable can be used to disable fast re-authentication. 96# Normally, there is no need to disable this. 97fast_reauth=1 98 99#Disable the default behavior of adding a separate interface for the P2P 100#group when driver support for concurrent interfaces is available. 101p2p_no_group_iface=1 102 103# OpenSSL Engine support 104# These options can be used to load OpenSSL engines. 105# The two engines that are supported currently are shown below: 106# They are both from the opensc project (http://www.opensc.org/) 107# By default no engines are loaded. 108# make the opensc engine available 109#opensc_engine_path=/usr/lib/opensc/engine_opensc.so 110# make the pkcs11 engine available 111#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so 112# configure the path to the pkcs11 module required by the pkcs11 engine 113#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so 114 115# Dynamic EAP methods 116# If EAP methods were built dynamically as shared object files, they need to be 117# loaded here before being used in the network blocks. By default, EAP methods 118# are included statically in the build, so these lines are not needed 119#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so 120#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so 121 122# Driver interface parameters 123# This field can be used to configure arbitrary driver interace parameters. The 124# format is specific to the selected driver interface. This field is not used 125# in most cases. 126#driver_param="field=value" 127 128# Country code 129# The ISO/IEC alpha2 country code for the country in which this device is 130# currently operating. 131#country=US 132 133# Maximum lifetime for PMKSA in seconds; default 43200 134#dot11RSNAConfigPMKLifetime=43200 135# Threshold for reauthentication (percentage of PMK lifetime); default 70 136#dot11RSNAConfigPMKReauthThreshold=70 137# Timeout for security association negotiation in seconds; default 60 138#dot11RSNAConfigSATimeout=60 139 140# Wi-Fi Protected Setup (WPS) parameters 141 142# Universally Unique IDentifier (UUID; see RFC 4122) of the device 143# If not configured, UUID will be generated based on the local MAC address. 144#uuid=12345678-9abc-def0-1234-56789abcdef0 145 146# Device Name 147# User-friendly description of device; up to 32 octets encoded in UTF-8 148#device_name=Wireless Client 149 150# Manufacturer 151# The manufacturer of the device (up to 64 ASCII characters) 152#manufacturer=Company 153 154# Model Name 155# Model of the device (up to 32 ASCII characters) 156#model_name=cmodel 157 158# Model Number 159# Additional device description (up to 32 ASCII characters) 160#model_number=123 161 162# Serial Number 163# Serial number of the device (up to 32 characters) 164#serial_number=12345 165 166# Primary Device Type 167# Used format: <categ>-<OUI>-<subcateg> 168# categ = Category as an integer value 169# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for 170# default WPS OUI 171# subcateg = OUI-specific Sub Category as an integer value 172# Examples: 173# 1-0050F204-1 (Computer / PC) 174# 1-0050F204-2 (Computer / Server) 175# 5-0050F204-1 (Storage / NAS) 176# 6-0050F204-1 (Network Infrastructure / AP) 177#device_type=1-0050F204-1 178 179# OS Version 180# 4-octet operating system version number (hex string) 181#os_version=01020300 182 183# Credential processing 184# 0 = process received credentials internally (default) 185# 1 = do not process received credentials; just pass them over ctrl_iface to 186# external program(s) 187# 2 = process received credentials internally and pass them over ctrl_iface 188# to external program(s) 189#wps_cred_processing=0 190 191# network block 192# 193# Each network (usually AP's sharing the same SSID) is configured as a separate 194# block in this configuration file. The network blocks are in preference order 195# (the first match is used). 196# 197# network block fields: 198# 199# disabled: 200# 0 = this network can be used (default) 201# 1 = this network block is disabled (can be enabled through ctrl_iface, 202# e.g., with wpa_cli or wpa_gui) 203# 204# id_str: Network identifier string for external scripts. This value is passed 205# to external action script through wpa_cli as WPA_ID_STR environment 206# variable to make it easier to do network specific configuration. 207# 208# ssid: SSID (mandatory); either as an ASCII string with double quotation or 209# as hex string; network name 210# 211# scan_ssid: 212# 0 = do not scan this SSID with specific Probe Request frames (default) 213# 1 = scan with SSID-specific Probe Request frames (this can be used to 214# find APs that do not accept broadcast SSID or use multiple SSIDs; 215# this will add latency to scanning, so enable this only when needed) 216# 217# bssid: BSSID (optional); if set, this network block is used only when 218# associating with the AP using the configured BSSID 219# 220# priority: priority group (integer) 221# By default, all networks will get same priority group (0). If some of the 222# networks are more desirable, this field can be used to change the order in 223# which wpa_supplicant goes through the networks when selecting a BSS. The 224# priority groups will be iterated in decreasing priority (i.e., the larger the 225# priority value, the sooner the network is matched against the scan results). 226# Within each priority group, networks will be selected based on security 227# policy, signal strength, etc. 228# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not 229# using this priority to select the order for scanning. Instead, they try the 230# networks in the order that used in the configuration file. 231# 232# mode: IEEE 802.11 operation mode 233# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default) 234# 1 = IBSS (ad-hoc, peer-to-peer) 235# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) 236# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has 237# to be set to 2 for IBSS. WPA-None requires following network block options: 238# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not 239# both), and psk must also be set. 240# 241# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g., 242# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial 243# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode. 244# In addition, this value is only used by the station that creates the IBSS. If 245# an IBSS network with the configured SSID is already present, the frequency of 246# the network will be used instead of this configured value. 247# 248# proto: list of accepted protocols 249# WPA = WPA/IEEE 802.11i/D3.0 250# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) 251# If not set, this defaults to: WPA RSN 252# 253# key_mgmt: list of accepted authenticated key management protocols 254# WPA-PSK = WPA pre-shared key (this requires 'psk' field) 255# WPA-EAP = WPA using EAP authentication 256# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically 257# generated WEP keys 258# NONE = WPA is not used; plaintext or static WEP could be used 259# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms 260# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms 261# If not set, this defaults to: WPA-PSK WPA-EAP 262# 263# auth_alg: list of allowed IEEE 802.11 authentication algorithms 264# OPEN = Open System authentication (required for WPA/WPA2) 265# SHARED = Shared Key authentication (requires static WEP keys) 266# LEAP = LEAP/Network EAP (only used with LEAP) 267# If not set, automatic selection is used (Open System with LEAP enabled if 268# LEAP is allowed as one of the EAP methods). 269# 270# pairwise: list of accepted pairwise (unicast) ciphers for WPA 271# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 272# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 273# NONE = Use only Group Keys (deprecated, should not be included if APs support 274# pairwise keys) 275# If not set, this defaults to: CCMP TKIP 276# 277# group: list of accepted group (broadcast/multicast) ciphers for WPA 278# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] 279# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] 280# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key 281# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] 282# If not set, this defaults to: CCMP TKIP WEP104 WEP40 283# 284# psk: WPA preshared key; 256-bit pre-shared key 285# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., 286# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 287# generated using the passphrase and SSID). ASCII passphrase must be between 288# 8 and 63 characters (inclusive). 289# This field is not needed, if WPA-EAP is used. 290# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys 291# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant 292# startup and reconfiguration time can be optimized by generating the PSK only 293# only when the passphrase or SSID has actually changed. 294# 295# eapol_flags: IEEE 802.1X/EAPOL options (bit field) 296# Dynamic WEP key required for non-WPA mode 297# bit0 (1): require dynamically generated unicast WEP key 298# bit1 (2): require dynamically generated broadcast WEP key 299# (3 = require both keys; default) 300# Note: When using wired authentication, eapol_flags must be set to 0 for the 301# authentication to be completed successfully. 302# 303# mixed_cell: This option can be used to configure whether so called mixed 304# cells, i.e., networks that use both plaintext and encryption in the same 305# SSID, are allowed when selecting a BSS form scan results. 306# 0 = disabled (default) 307# 1 = enabled 308# 309# proactive_key_caching: 310# Enable/disable opportunistic PMKSA caching for WPA2. 311# 0 = disabled (default) 312# 1 = enabled 313# 314# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or 315# hex without quotation, e.g., 0102030405) 316# wep_tx_keyidx: Default WEP key index (TX) (0..3) 317# 318# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is 319# allowed. This is only used with RSN/WPA2. 320# 0 = disabled (default) 321# 1 = enabled 322#peerkey=1 323# 324# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to 325# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. 326# 327# Following fields are only used with internal EAP implementation. 328# eap: space-separated list of accepted EAP methods 329# MD5 = EAP-MD5 (unsecure and does not generate keying material -> 330# cannot be used with WPA; to be used as a Phase 2 method 331# with EAP-PEAP or EAP-TTLS) 332# MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 333# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 334# OTP = EAP-OTP (cannot be used separately with WPA; to be used 335# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 336# GTC = EAP-GTC (cannot be used separately with WPA; to be used 337# as a Phase 2 method with EAP-PEAP or EAP-TTLS) 338# TLS = EAP-TLS (client and server certificate) 339# PEAP = EAP-PEAP (with tunnelled EAP authentication) 340# TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 341# authentication) 342# If not set, all compiled in methods are allowed. 343# 344# identity: Identity string for EAP 345# This field is also used to configure user NAI for 346# EAP-PSK/PAX/SAKE/GPSK. 347# anonymous_identity: Anonymous identity string for EAP (to be used as the 348# unencrypted identity with EAP types that support different tunnelled 349# identity, e.g., EAP-TTLS) 350# password: Password string for EAP. This field can include either the 351# plaintext password (using ASCII or hex string) or a NtPasswordHash 352# (16-byte MD4 hash of password) in hash:<32 hex digits> format. 353# NtPasswordHash can only be used when the password is for MSCHAPv2 or 354# MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP). 355# EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit 356# PSK) is also configured using this field. For EAP-GPSK, this is a 357# variable length PSK. 358# ca_cert: File path to CA certificate file (PEM/DER). This file can have one 359# or more trusted CA certificates. If ca_cert and ca_path are not 360# included, server certificate will not be verified. This is insecure and 361# a trusted CA certificate should always be configured when using 362# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may 363# change when wpa_supplicant is run in the background. 364# On Windows, trusted CA certificates can be loaded from the system 365# certificate store by setting this to cert_store://<name>, e.g., 366# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT". 367# Note that when running wpa_supplicant as an application, the user 368# certificate store (My user account) is used, whereas computer store 369# (Computer account) is used when running wpasvc as a service. 370# ca_path: Directory path for CA certificate files (PEM). This path may 371# contain multiple CA certificates in OpenSSL format. Common use for this 372# is to point to system trusted CA list which is often installed into 373# directory like /etc/ssl/certs. If configured, these certificates are 374# added to the list of trusted CAs. ca_cert may also be included in that 375# case, but it is not required. 376# client_cert: File path to client certificate file (PEM/DER) 377# Full path should be used since working directory may change when 378# wpa_supplicant is run in the background. 379# Alternatively, a named configuration blob can be used by setting this 380# to blob://<blob name>. 381# private_key: File path to client private key file (PEM/DER/PFX) 382# When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be 383# commented out. Both the private key and certificate will be read from 384# the PKCS#12 file in this case. Full path should be used since working 385# directory may change when wpa_supplicant is run in the background. 386# Windows certificate store can be used by leaving client_cert out and 387# configuring private_key in one of the following formats: 388# cert://substring_to_match 389# hash://certificate_thumbprint_in_hex 390# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4" 391# Note that when running wpa_supplicant as an application, the user 392# certificate store (My user account) is used, whereas computer store 393# (Computer account) is used when running wpasvc as a service. 394# Alternatively, a named configuration blob can be used by setting this 395# to blob://<blob name>. 396# private_key_passwd: Password for private key file (if left out, this will be 397# asked through control interface) 398# dh_file: File path to DH/DSA parameters file (in PEM format) 399# This is an optional configuration file for setting parameters for an 400# ephemeral DH key exchange. In most cases, the default RSA 401# authentication does not use this configuration. However, it is possible 402# setup RSA to use ephemeral DH key exchange. In addition, ciphers with 403# DSA keys always use ephemeral DH keys. This can be used to achieve 404# forward secrecy. If the file is in DSA parameters format, it will be 405# automatically converted into DH params. 406# subject_match: Substring to be matched against the subject of the 407# authentication server certificate. If this string is set, the server 408# sertificate is only accepted if it contains this string in the subject. 409# The subject string is in following format: 410# /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress[email protected] 411# altsubject_match: Semicolon separated string of entries to be matched against 412# the alternative subject name of the authentication server certificate. 413# If this string is set, the server sertificate is only accepted if it 414# contains one of the entries in an alternative subject name extension. 415# altSubjectName string is in following format: TYPE:VALUE 416# Example: EMAIL:[email protected] 417# Example: DNS:server.example.com;DNS:server2.example.com 418# Following types are supported: EMAIL, DNS, URI 419# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters 420# (string with field-value pairs, e.g., "peapver=0" or 421# "peapver=1 peaplabel=1") 422# 'peapver' can be used to force which PEAP version (0 or 1) is used. 423# 'peaplabel=1' can be used to force new label, "client PEAP encryption", 424# to be used during key derivation when PEAPv1 or newer. Most existing 425# PEAPv1 implementation seem to be using the old label, "client EAP 426# encryption", and wpa_supplicant is now using that as the default value. 427# Some servers, e.g., Radiator, may require peaplabel=1 configuration to 428# interoperate with PEAPv1; see eap_testing.txt for more details. 429# 'peap_outer_success=0' can be used to terminate PEAP authentication on 430# tunneled EAP-Success. This is required with some RADIUS servers that 431# implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., 432# Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode) 433# include_tls_length=1 can be used to force wpa_supplicant to include 434# TLS Message Length field in all TLS messages even if they are not 435# fragmented. 436# sim_min_num_chal=3 can be used to configure EAP-SIM to require three 437# challenges (by default, it accepts 2 or 3) 438# result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use 439# protected result indication. 440# 'crypto_binding' option can be used to control PEAPv0 cryptobinding 441# behavior: 442# * 0 = do not use cryptobinding (default) 443# * 1 = use cryptobinding if server supports it 444# * 2 = require cryptobinding 445# EAP-WSC (WPS) uses following options: pin=<Device Password> or 446# pbc=1. 447# phase2: Phase2 (inner authentication with TLS tunnel) parameters 448# (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or 449# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) 450# Following certificate/private key fields are used in inner Phase2 451# authentication when using EAP-TTLS or EAP-PEAP. 452# ca_cert2: File path to CA certificate file. This file can have one or more 453# trusted CA certificates. If ca_cert2 and ca_path2 are not included, 454# server certificate will not be verified. This is insecure and a trusted 455# CA certificate should always be configured. 456# ca_path2: Directory path for CA certificate files (PEM) 457# client_cert2: File path to client certificate file 458# private_key2: File path to client private key file 459# private_key2_passwd: Password for private key file 460# dh_file2: File path to DH/DSA parameters file (in PEM format) 461# subject_match2: Substring to be matched against the subject of the 462# authentication server certificate. 463# altsubject_match2: Substring to be matched against the alternative subject 464# name of the authentication server certificate. 465# 466# fragment_size: Maximum EAP fragment size in bytes (default 1398). 467# This value limits the fragment size for EAP methods that support 468# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set 469# small enough to make the EAP messages fit in MTU of the network 470# interface used for EAPOL. The default value is suitable for most 471# cases. 472# 473# EAP-FAST variables: 474# pac_file: File path for the PAC entries. wpa_supplicant will need to be able 475# to create this file and write updates to it when PAC is being 476# provisioned or refreshed. Full path to the file should be used since 477# working directory may change when wpa_supplicant is run in the 478# background. Alternatively, a named configuration blob can be used by 479# setting this to blob://<blob name> 480# phase1: fast_provisioning option can be used to enable in-line provisioning 481# of EAP-FAST credentials (PAC): 482# 0 = disabled, 483# 1 = allow unauthenticated provisioning, 484# 2 = allow authenticated provisioning, 485# 3 = allow both unauthenticated and authenticated provisioning 486# fast_max_pac_list_len=<num> option can be used to set the maximum 487# number of PAC entries to store in a PAC list (default: 10) 488# fast_pac_format=binary option can be used to select binary format for 489# storing PAC entries in order to save some space (the default 490# text format uses about 2.5 times the size of minimal binary 491# format) 492# 493# wpa_supplicant supports number of "EAP workarounds" to work around 494# interoperability issues with incorrectly behaving authentication servers. 495# These are enabled by default because some of the issues are present in large 496# number of authentication servers. Strict EAP conformance mode can be 497# configured by disabling workarounds with eap_workaround=0. 498 499# Example blocks: 500 501# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 502#network={ 503# ssid="simple" 504# psk="very secret passphrase" 505# priority=5 506#} 507# 508## Same as previous, but request SSID-specific scanning (for APs that reject 509## broadcast SSID) 510#network={ 511# ssid="second ssid" 512# scan_ssid=1 513# psk="very secret passphrase" 514# priority=2 515#} 516# 517## Only WPA-PSK is used. Any valid cipher combination is accepted. 518#network={ 519# ssid="example" 520# proto=WPA 521# key_mgmt=WPA-PSK 522# pairwise=CCMP TKIP 523# group=CCMP TKIP WEP104 WEP40 524# psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 525# priority=2 526#} 527# 528## WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying 529#network={ 530# ssid="example" 531# proto=WPA 532# key_mgmt=WPA-PSK 533# pairwise=TKIP 534# group=TKIP 535# psk="not so secure passphrase" 536# wpa_ptk_rekey=600 537#} 538# 539## Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104 540## or WEP40 as the group cipher will not be accepted. 541#network={ 542# ssid="example" 543# proto=RSN 544# key_mgmt=WPA-EAP 545# pairwise=CCMP TKIP 546# group=CCMP TKIP 547# eap=TLS 548# identity="[email protected]" 549# ca_cert="/etc/cert/ca.pem" 550# client_cert="/etc/cert/user.pem" 551# private_key="/etc/cert/user.prv" 552# private_key_passwd="password" 553# priority=1 554#} 555# 556## EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel 557## (e.g., Radiator) 558#network={ 559# ssid="example" 560# key_mgmt=WPA-EAP 561# eap=PEAP 562# identity="[email protected]" 563# password="foobar" 564# ca_cert="/etc/cert/ca.pem" 565# phase1="peaplabel=1" 566# phase2="auth=MSCHAPV2" 567# priority=10 568#} 569# 570## EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the 571## unencrypted use. Real identity is sent only within an encrypted TLS tunnel. 572#network={ 573# ssid="example" 574# key_mgmt=WPA-EAP 575# eap=TTLS 576# identity="[email protected]" 577# anonymous_identity="[email protected]" 578# password="foobar" 579# ca_cert="/etc/cert/ca.pem" 580# priority=2 581#} 582# 583## EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted 584## use. Real identity is sent only within an encrypted TLS tunnel. 585#network={ 586# ssid="example" 587# key_mgmt=WPA-EAP 588# eap=TTLS 589# identity="[email protected]" 590# anonymous_identity="[email protected]" 591# password="foobar" 592# ca_cert="/etc/cert/ca.pem" 593# phase2="auth=MSCHAPV2" 594#} 595# 596## WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner 597## authentication. 598#network={ 599# ssid="example" 600# key_mgmt=WPA-EAP 601# eap=TTLS 602# # Phase1 / outer authentication 603# anonymous_identity="[email protected]" 604# ca_cert="/etc/cert/ca.pem" 605# # Phase 2 / inner authentication 606# phase2="autheap=TLS" 607# ca_cert2="/etc/cert/ca2.pem" 608# client_cert2="/etc/cer/user.pem" 609# private_key2="/etc/cer/user.prv" 610# private_key2_passwd="password" 611# priority=2 612#} 613# 614## Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and 615## group cipher. 616#network={ 617# ssid="example" 618# bssid=00:11:22:33:44:55 619# proto=WPA RSN 620# key_mgmt=WPA-PSK WPA-EAP 621# pairwise=CCMP 622# group=CCMP 623# psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb 624#} 625# 626## Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP 627## and all valid ciphers. 628#network={ 629# ssid=00010203 630# psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f 631#} 632# 633# 634## EAP-SIM with a GSM SIM or USIM 635#network={ 636# ssid="eap-sim-test" 637# key_mgmt=WPA-EAP 638# eap=SIM 639# pin="1234" 640# pcsc="" 641#} 642# 643# 644## EAP-PSK 645#network={ 646# ssid="eap-psk-test" 647# key_mgmt=WPA-EAP 648# eap=PSK 649# anonymous_identity="eap_psk_user" 650# password=06b4be19da289f475aa46a33cb793029 651# identity="[email protected]" 652#} 653# 654# 655## IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using 656## EAP-TLS for authentication and key generation; require both unicast and 657## broadcast WEP keys. 658#network={ 659# ssid="1x-test" 660# key_mgmt=IEEE8021X 661# eap=TLS 662# identity="[email protected]" 663# ca_cert="/etc/cert/ca.pem" 664# client_cert="/etc/cert/user.pem" 665# private_key="/etc/cert/user.prv" 666# private_key_passwd="password" 667# eapol_flags=3 668#} 669# 670# 671## LEAP with dynamic WEP keys 672#network={ 673# ssid="leap-example" 674# key_mgmt=IEEE8021X 675# eap=LEAP 676# identity="user" 677# password="foobar" 678#} 679# 680## EAP-IKEv2 using shared secrets for both server and peer authentication 681#network={ 682# ssid="ikev2-example" 683# key_mgmt=WPA-EAP 684# eap=IKEV2 685# identity="user" 686# password="foobar" 687#} 688# 689## EAP-FAST with WPA (WPA or WPA2) 690#network={ 691# ssid="eap-fast-test" 692# key_mgmt=WPA-EAP 693# eap=FAST 694# anonymous_identity="FAST-000102030405" 695# identity="username" 696# password="password" 697# phase1="fast_provisioning=1" 698# pac_file="/etc/wpa_supplicant.eap-fast-pac" 699#} 700# 701#network={ 702# ssid="eap-fast-test" 703# key_mgmt=WPA-EAP 704# eap=FAST 705# anonymous_identity="FAST-000102030405" 706# identity="username" 707# password="password" 708# phase1="fast_provisioning=1" 709# pac_file="blob://eap-fast-pac" 710#} 711# 712## Plaintext connection (no WPA, no IEEE 802.1X) 713#network={ 714# ssid="plaintext-test" 715# key_mgmt=NONE 716#} 717# 718# 719## Shared WEP key connection (no WPA, no IEEE 802.1X) 720#network={ 721# ssid="static-wep-test" 722# key_mgmt=NONE 723# wep_key0="abcde" 724# wep_key1=0102030405 725# wep_key2="1234567890123" 726# wep_tx_keyidx=0 727# priority=5 728#} 729# 730# 731## Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key 732## IEEE 802.11 authentication 733#network={ 734# ssid="static-wep-test2" 735# key_mgmt=NONE 736# wep_key0="abcde" 737# wep_key1=0102030405 738# wep_key2="1234567890123" 739# wep_tx_keyidx=0 740# priority=5 741# auth_alg=SHARED 742#} 743# 744# 745## IBSS/ad-hoc network with WPA-None/TKIP. 746#network={ 747# ssid="test adhoc" 748# mode=1 749# frequency=2412 750# proto=WPA 751# key_mgmt=WPA-NONE 752# pairwise=NONE 753# group=TKIP 754# psk="secret passphrase" 755#} 756# 757# 758## Catch all example that allows more or less all configuration modes 759#network={ 760# ssid="example" 761# scan_ssid=1 762# key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE 763# pairwise=CCMP TKIP 764# group=CCMP TKIP WEP104 WEP40 765# psk="very secret passphrase" 766# eap=TTLS PEAP TLS 767# identity="[email protected]" 768# password="foobar" 769# ca_cert="/etc/cert/ca.pem" 770# client_cert="/etc/cert/user.pem" 771# private_key="/etc/cert/user.prv" 772# private_key_passwd="password" 773# phase1="peaplabel=0" 774#} 775# 776## Example of EAP-TLS with smartcard (openssl engine) 777#network={ 778# ssid="example" 779# key_mgmt=WPA-EAP 780# eap=TLS 781# proto=RSN 782# pairwise=CCMP TKIP 783# group=CCMP TKIP 784# identity="[email protected]" 785# ca_cert="/etc/cert/ca.pem" 786# client_cert="/etc/cert/user.pem" 787# 788# engine=1 789# 790# # The engine configured here must be available. Look at 791# # OpenSSL engine support in the global section. 792# # The key available through the engine must be the private key 793# # matching the client certificate configured above. 794# 795# # use the opensc engine 796# #engine_id="opensc" 797# #key_id="45" 798# 799# # use the pkcs11 engine 800# engine_id="pkcs11" 801# key_id="id_45" 802# 803# # Optional PIN configuration; this can be left out and PIN will be 804# # asked through the control interface 805# pin="1234" 806#} 807# 808## Example configuration showing how to use an inlined blob as a CA certificate 809## data instead of using external file 810#network={ 811# ssid="example" 812# key_mgmt=WPA-EAP 813# eap=TTLS 814# identity="[email protected]" 815# anonymous_identity="[email protected]" 816# password="foobar" 817# ca_cert="blob://exampleblob" 818# priority=20 819#} 820# 821#blob-base64-exampleblob={ 822#SGVsbG8gV29ybGQhCg== 823#} 824 825 826# Wildcard match for SSID (plaintext APs only). This example select any 827# open AP regardless of its SSID. 828#network={ 829# key_mgmt=NONE 830#} 831