Untitled

a guest Mar 8th, 2018 264 Never
jc@bopper ~/Pictures2018 $ cat /etc/wpa_supplicant/wpa_supplicant.conf
#------> /usr/share/doc/wpa_supplicant-2.6-r3/wpa_supplicant.conf.bz2 <------
##### Example wpa_supplicant configuration file ###############################
#
# This file describes configuration file format and lists all available options.
# Please also take a look at simpler configuration examples in 'examples'
# subdirectory.
#
# Empty lines and lines starting with # are ignored

# NOTE! This file may contain password information and should probably be made
# readable only by root user on multiuser systems.

# Note: All file paths in this configuration file should use full (absolute,
# not relative to working directory) path in order to allow working directory
# to be changed. This can happen if wpa_supplicant is run in the background.

# Whether to allow wpa_supplicant to update (overwrite) configuration
#
# This option can be used to allow wpa_supplicant to overwrite configuration
# file whenever configuration is changed (e.g., new network block is added with
# wpa_cli or wpa_gui, or a password is changed). This is required for
# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
# Please note that overwriting configuration file will remove the comments from
# it.
#update_config=1
update_config=1

# global configuration (shared by all network blocks)
#
# Parameters for the control interface. If this is specified, wpa_supplicant
# will open a control interface that is available for external programs to
# manage wpa_supplicant. The meaning of this string depends on which control
# interface mechanism is used. For all cases, the existence of this parameter
# in configuration is used to determine whether the control interface is
# enabled.
#
# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
#
# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run wpa_supplicant as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
# want to allow non-root users to use the control interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group. If this variable is commented out or
# not included in the configuration file, group will not be changed from the
# value it got by default when the directory or socket was created.
#
# When configuring both the directory and group, use following format:
# DIR=/var/run/wpa_supplicant GROUP=wheel
# The DIR=/GROUP= string is the value of ctrl_interface; on a line of its own
# it is rejected as an unknown global field, so the prefix is required.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
# DIR=/var/run/wpa_supplicant GROUP=0
# (group can be either group name or gid)
#
# For UDP connections (default on Windows): The value will be ignored. This
# variable is just used to select that the control interface is to be created.
# The value can be set to, e.g., udp (ctrl_interface=udp)
#
# For Windows Named Pipe: This value can be used to set the security descriptor
# for controlling access to the control interface. Security descriptor can be
# set using Security Descriptor String Format (see http://msdn.microsoft.com/
# library/default.asp?url=/library/en-us/secauthz/security/
# security_descriptor_string_format.asp). The descriptor string needs to be
# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
# DACL (which will reject all connections). See README-Windows.txt for more
# information about SDDL string format.
#
# Commented out: a second ctrl_interface line here would override the
# DIR=/GROUP= form set above and drop the group restriction.
#ctrl_interface=/var/run/wpa_supplicant

# IEEE 802.1X/EAPOL version
# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=1

# AP scanning/selection
# By default, wpa_supplicant requests driver to perform AP scanning and then
# uses the scan results to select a suitable AP. Another alternative is to
# allow the driver to take care of AP scanning and selection and use
# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
# information from the driver.
# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
#    the currently enabled networks are found, a new network (IBSS or AP mode
#    operation) may be initialized (if configured) (default)
# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
#    parameters (e.g., WPA IE generation); this mode can also be used with
#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
#    APs (i.e., external program needs to control association). This mode must
#    also be used when using wired Ethernet drivers.
#    Note: macsec_qca driver is one type of Ethernet driver which implements
#    macsec feature.
# 2: like 0, but associate with APs using security policy and SSID (but not
#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
#    enable operation with hidden SSIDs and optimized roaming; in this mode,
#    the network blocks in the configuration file are tried one by one until
#    the driver reports successful association; each network block should have
#    explicit security policy (i.e., only one option in the lists) for
#    key_mgmt, pairwise, group, proto variables
# Note: ap_scan=2 should not be used with the nl80211 driver interface (the
# current Linux interface). ap_scan=1 is optimized for working with nl80211.
# For finding networks using hidden SSID, scan_ssid=1 in the network block can
# be used with nl80211.
# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
# created immediately regardless of scan results. ap_scan=1 mode will first try
# to scan for existing networks and only if no matches with the enabled
# networks are found, a new IBSS or AP mode network is created.
ap_scan=1

# Whether to force passive scan for network connection
#
# By default, scans will send out Probe Request frames on channels that allow
# active scanning. This advertises the local station to the world. Normally this
# is fine, but users may wish to do passive scanning where the radio should only
# listen quietly for Beacon frames and not send any Probe Request frames. Actual
# functionality may be driver dependent.
#
# This parameter can be used to force only passive scanning to be used
# for network connection cases. It should be noted that this will slow
# down scan operations and reduce likelihood of finding the AP. In
# addition, some use cases will override this due to functional
# requirements, e.g., for finding an AP that uses hidden SSID
# (scan_ssid=1) or P2P device discovery.
#
# 0:  Do normal scans (allow active scans) (default)
# 1:  Do passive scans.
#passive_scan=0

# MPM residency
# By default, wpa_supplicant implements the mesh peering manager (MPM) for an
# open mesh. However, if the driver can implement the MPM, you may set this to
# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is
# always used.
# 0: MPM lives in the driver
# 1: wpa_supplicant provides an MPM which handles peering (default)
#user_mpm=1

# Maximum number of peer links (0-255; default: 99)
# Maximum number of mesh peering currently maintained by the STA.
#max_peer_links=99

# Timeout in seconds to detect STA inactivity (default: 300 seconds)
#
# This timeout value is used in mesh STA to clean up inactive stations.
#mesh_max_inactivity=300

# cert_in_cb - Whether to include a peer certificate dump in events
# This controls whether peer certificates for authentication server and
# its certificate chain are included in EAP peer certificate events. This is
# enabled by default.
#cert_in_cb=1

# EAP fast re-authentication
# By default, fast re-authentication is enabled for all EAP methods that
# support it. This variable can be used to disable fast re-authentication.
# Normally, there is no need to disable this.
fast_reauth=1

# OpenSSL Engine support
# These options can be used to load OpenSSL engines in special or legacy
# modes.
# The two engines that are supported currently are shown below:
# They are both from the opensc project (http://www.opensc.org/)
# By default the PKCS#11 engine is loaded if the client_cert or
# private_key option appear to be a PKCS#11 URI, and these options
# should not need to be used explicitly.
# make the opensc engine available
#opensc_engine_path=/usr/lib64/engine_opensc.so
# make the pkcs11 engine available
#pkcs11_engine_path=/usr/lib64/engine_pkcs11.so
# configure the path to the pkcs11 module required by the pkcs11 engine
#pkcs11_module_path=/usr/lib64/opensc-pkcs11.so

# OpenSSL cipher string
#
# This is an OpenSSL specific configuration option for configuring the default
# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
# on cipher suite configuration. This is applicable only if wpa_supplicant is
# built to use OpenSSL.
#openssl_ciphers=DEFAULT:!EXP:!LOW


# Dynamic EAP methods
# If EAP methods were built dynamically as shared object files, they need to be
# loaded here before being used in the network blocks. By default, EAP methods
# are included statically in the build, so these lines are not needed
#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so

# Driver interface parameters
# This field can be used to configure arbitrary driver interface parameters. The
# format is specific to the selected driver interface. This field is not used
# in most cases.
#driver_param="field=value"

# Country code
# The ISO/IEC alpha2 country code for the country in which this device is
# currently operating.
#country=US

# Maximum lifetime for PMKSA in seconds; default 43200
#dot11RSNAConfigPMKLifetime=43200
# Threshold for reauthentication (percentage of PMK lifetime); default 70
#dot11RSNAConfigPMKReauthThreshold=70
# Timeout for security association negotiation in seconds; default 60
#dot11RSNAConfigSATimeout=60

# Wi-Fi Protected Setup (WPS) parameters

# Universally Unique IDentifier (UUID; see RFC 4122) of the device
# If not configured, UUID will be generated based on the local MAC address.
#uuid=12345678-9abc-def0-1234-56789abcdef0

# Device Name
# User-friendly description of device; up to 32 octets encoded in UTF-8
#device_name=Wireless Client

# Manufacturer
# The manufacturer of the device (up to 64 ASCII characters)
#manufacturer=Company

# Model Name
# Model of the device (up to 32 ASCII characters)
#model_name=cmodel

# Model Number
# Additional device description (up to 32 ASCII characters)
#model_number=123

# Serial Number
# Serial number of the device (up to 32 characters)
#serial_number=12345

# Primary Device Type
# Used format: <categ>-<OUI>-<subcateg>
# categ = Category as an integer value
# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
#       default WPS OUI
# subcateg = OUI-specific Sub Category as an integer value
# Examples:
#   1-0050F204-1 (Computer / PC)
#   1-0050F204-2 (Computer / Server)
#   5-0050F204-1 (Storage / NAS)
#   6-0050F204-1 (Network Infrastructure / AP)
#device_type=1-0050F204-1

# OS Version
# 4-octet operating system version number (hex string)
#os_version=01020300

# Config Methods
# List of the supported configuration methods
# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
#       nfc_interface push_button keypad virtual_display physical_display
#       virtual_push_button physical_push_button
# For WSC 1.0:
#config_methods=label display push_button keypad
# For WSC 2.0:
#config_methods=label virtual_display virtual_push_button keypad

# Credential processing
#   0 = process received credentials internally (default)
#   1 = do not process received credentials; just pass them over ctrl_iface to
#       external program(s)
#   2 = process received credentials internally and pass them over ctrl_iface
#       to external program(s)
#wps_cred_processing=0

# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
# The vendor attribute contents to be added in M1 (hex string)
#wps_vendor_ext_m1=000137100100020001

# NFC password token for WPS
# These parameters can be used to configure a fixed NFC password token for the
# station. This can be generated, e.g., with nfc_pw_token. When these
# parameters are used, the station is assumed to be deployed with a NFC tag
# that includes the matching NFC password token (e.g., written based on the
# NDEF record from nfc_pw_token).
#
#wps_nfc_dev_pw_id: Device Password ID (16..65535)
#wps_nfc_dh_pubkey: Hexdump of DH Public Key
#wps_nfc_dh_privkey: Hexdump of DH Private Key
#wps_nfc_dev_pw: Hexdump of Device Password

# Priority for the networks added through WPS
# This priority value will be set to each network profile that is added
# by executing the WPS protocol.
#wps_priority=0

# Maximum number of BSS entries to keep in memory
# Default: 200
# This can be used to limit memory use on the BSS entries (cached scan
# results). A larger value may be needed in environments that have huge number
# of APs when using ap_scan=1 mode.
#bss_max_count=200

# Automatic scan
# This is an optional set of parameters for automatic scanning
# within an interface in following format:
#autoscan=<autoscan module name>:<module parameters>
# autoscan is like bgscan but on disconnected or inactive state.
# For instance, on exponential module parameters would be <base>:<limit>
#autoscan=exponential:3:300
# Which means a delay between scans on a base exponential of 3,
# up to the limit of 300 seconds (3, 9, 27 ... 300)
# For periodic module, parameters would be <fixed interval>
#autoscan=periodic:30
# So a delay of 30 seconds will be applied between each scan.
# Note: If sched_scan_plans are configured and supported by the driver,
# autoscan is ignored.

# filter_ssids - SSID-based scan result filtering
# 0 = do not filter scan results (default)
# 1 = only include configured SSIDs in scan results/BSS table
#filter_ssids=0

# Password (and passphrase, etc.) backend for external storage
# format: <backend name>[:<optional backend parameters>]
#ext_password_backend=test:pw1=password|pw2=testing


# Disable P2P functionality
# p2p_disabled=1

# Timeout in seconds to detect STA inactivity (default: 300 seconds)
#
# This timeout value is used in P2P GO mode to clean up
# inactive stations.
#p2p_go_max_inactivity=300

# Passphrase length (8..63) for P2P GO
#
# This parameter controls the length of the random passphrase that is
# generated at the GO. Default: 8.
#p2p_passphrase_len=8

# Extra delay between concurrent P2P search iterations
#
# This value adds extra delay in milliseconds between concurrent search
# iterations to make p2p_find friendlier to concurrent operations by avoiding
# it from taking 100% of radio resources. The default value is 500 ms.
#p2p_search_delay=500

# Opportunistic Key Caching (also known as Proactive Key Caching) default
# This parameter can be used to set the default behavior for the
# proactive_key_caching parameter. By default, OKC is disabled unless enabled
# with the global okc=1 parameter or with the per-network
# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
# can be disabled with per-network proactive_key_caching=0 parameter.
#okc=0

# Protected Management Frames default
# This parameter can be used to set the default behavior for the ieee80211w
# parameter for RSN networks. By default, PMF is disabled unless enabled with
# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter.
# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the
# per-network ieee80211w parameter. This global default value does not apply
# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using
# RSN.
#pmf=0

# Enabled SAE finite cyclic groups in preference order
# By default (if this parameter is not set), the mandatory group 19 (ECC group
# defined over a 256-bit prime order field) is preferred, but other groups are
# also enabled. If this parameter is set, the groups will be tried in the
# indicated order. The group values are listed in the IANA registry:
# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
#sae_groups=21 20 19 26 25

# Default value for DTIM period (if not overridden in network block)
#dtim_period=2

# Default value for Beacon interval (if not overridden in network block)
#beacon_int=100

# Additional vendor specific elements for Beacon and Probe Response frames
# This parameter can be used to add additional vendor specific element(s) into
# the end of the Beacon and Probe Response frames. The format for these
# element(s) is a hexdump of the raw information elements (id+len+payload for
# one or more elements). This is used in AP and P2P GO modes.
#ap_vendor_elements=dd0411223301

# Ignore scan results older than request
#
# The driver may have a cache of scan results that makes it return
# information that is older than our scan trigger. This parameter can
# be used to configure such old information to be ignored instead of
# allowing it to update the internal BSS table.
#ignore_old_scan_res=0

# scan_cur_freq: Whether to scan only the current frequency
# 0:  Scan all available frequencies. (Default)
# 1:  Scan current operating frequency if another VIF on the same radio
#     is already associated.

# MAC address policy default
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
#
# By default, permanent MAC address is used unless policy is changed by
# the per-network mac_addr parameter. Global mac_addr=1 can be used to
# change this default behavior.
#mac_addr=0

# Lifetime of random MAC address in seconds (default: 60)
#rand_addr_lifetime=60

# MAC address policy for pre-association operations (scanning, ANQP)
# 0 = use permanent MAC address
# 1 = use random MAC address
# 2 = like 1, but maintain OUI (with local admin bit set)
#preassoc_mac_addr=0

# Interworking (IEEE 802.11u)

# Enable Interworking
# interworking=1

# Homogeneous ESS identifier
# If this is set, scans will be used to request response only from BSSes
# belonging to the specified Homogeneous ESS. This is used only if interworking
# is enabled.
# hessid=00:11:22:33:44:55

# Automatic network selection behavior
# 0 = do not automatically go through Interworking network selection
#     (i.e., require explicit interworking_select command for this; default)
# 1 = perform Interworking network selection if one or more
#     credentials have been configured and scan did not find a
#     matching network block
#auto_interworking=0

# GAS Address3 field behavior
# 0 = P2P specification (Address3 = AP BSSID); default
# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when
#     sent to not-associated AP; if associated, AP BSSID)
#gas_address3=0

# Publish fine timing measurement (FTM) responder functionality in
# the Extended Capabilities element bit 70.
# Controls whether FTM responder functionality will be published by AP/STA.
# Note that actual FTM responder operation is managed outside wpa_supplicant.
# 0 = Do not publish; default
# 1 = Publish
#ftm_responder=0

# Publish fine timing measurement (FTM) initiator functionality in
# the Extended Capabilities element bit 71.
# Controls whether FTM initiator functionality will be published by AP/STA.
# Note that actual FTM initiator operation is managed outside wpa_supplicant.
# 0 = Do not publish; default
# 1 = Publish
#ftm_initiator=0

# credential block
#
# Each credential used for automatic network selection is configured as a set
# of parameters that are compared to the information advertised by the APs when
# interworking_select and interworking_connect commands are used.
#
# credential fields:
#
# temporary: Whether this credential is temporary and not to be saved
#
# priority: Priority group
#       By default, all networks and credentials get the same priority group
#       (0). This field can be used to give higher priority for credentials
#       (and similarly in struct wpa_ssid for network blocks) to change the
#       Interworking automatic networking selection behavior. The matching
#       network (based on either an enabled network block or a credential)
#       with the highest priority value will be selected.
#
# pcsc: Use PC/SC and SIM/USIM card
#
# realm: Home Realm for Interworking
#
# username: Username for Interworking network selection
#
# password: Password for Interworking network selection
#
# ca_cert: CA certificate for Interworking network selection
#
# client_cert: File path to client certificate file (PEM/DER)
#       This field is used with Interworking networking selection for a case
#       where client certificate/private key is used for authentication
#       (EAP-TLS). Full path to the file should be used since working
#       directory may change when wpa_supplicant is run in the background.
#
#       Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.
#
#       For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
#
#       Alternatively, a named configuration blob can be used by setting
#       this to blob://blob_name.
#
# private_key: File path to client private key file (PEM/DER/PFX)
#       When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
#       commented out. Both the private key and certificate will be read
#       from the PKCS#12 file in this case. Full path to the file should be
#       used since working directory may change when wpa_supplicant is run
#       in the background.
#
#       Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.
#       For example: private_key="pkcs11:manufacturer=piv_II;id=%01"
#
#       Windows certificate store can be used by leaving client_cert out and
#       configuring private_key in one of the following formats:
#
#       cert://substring_to_match
#
#       hash://certificate_thumbprint_in_hex
#
#       For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
#
#       Note that when running wpa_supplicant as an application, the user
#       certificate store (My user account) is used, whereas computer store
#       (Computer account) is used when running wpasvc as a service.
#
#       Alternatively, a named configuration blob can be used by setting
#       this to blob://blob_name.
#
# private_key_passwd: Password for private key file
#
# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
#
# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
#       format
#
# domain: Home service provider FQDN(s)
#       This is used to compare against the Domain Name List to figure out
#       whether the AP is operated by the Home SP. Multiple domain entries can
#       be used to configure alternative FQDNs that will be considered home
#       networks.
#
# roaming_consortium: Roaming Consortium OI
#       If roaming_consortium_len is non-zero, this field contains the
#       Roaming Consortium OI that can be used to determine which access
#       points support authentication with this credential. This is an
#       alternative to the use of the realm parameter. When using Roaming
#       Consortium to match the network, the EAP parameters need to be
#       pre-configured with the credential since the NAI Realm information
#       may not be available or fetched.
#
# eap: Pre-configured EAP method
#       This optional field can be used to specify which EAP method will be
#       used with this credential. If not set, the EAP method is selected
#       automatically based on ANQP information (e.g., NAI Realm).
#
# phase1: Pre-configure Phase 1 (outer authentication) parameters
#       This optional field is used like the 'eap' parameter.
#
# phase2: Pre-configure Phase 2 (inner authentication) parameters
#       This optional field is used like the 'eap' parameter.
#
# excluded_ssid: Excluded SSID
#       This optional field can be used to exclude specific SSID(s) from
#       matching with the network. Multiple entries can be used to specify more
#       than one SSID.
#
# roaming_partner: Roaming partner information
#       This optional field can be used to configure preferences between roaming
#       partners. The field is a string in following format:
#       <FQDN>,<0/1 exact match>,<priority>,<* or country code>
#       (non-exact match means any subdomain matches the entry; priority is in
#       0..255 range with 0 being the highest priority)
#
# update_identifier: PPS MO ID
#       (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
#
# provisioning_sp: FQDN of the SP that provisioned the credential
#       This optional field can be used to keep track of the SP that provisioned
#       the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
#
# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)
#       These fields can be used to specify minimum download/upload backhaul
#       bandwidth that is preferred for the credential. This constraint is
#       ignored if the AP does not advertise WAN Metrics information or if the
#       limit would prevent any connection. Values are in kilobits per second.
# min_dl_bandwidth_home
# min_ul_bandwidth_home
# min_dl_bandwidth_roaming
# min_ul_bandwidth_roaming
#
# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
#       (PPS/<X+>/Policy/MaximumBSSLoadValue)
#       This value is used as the maximum channel utilization for network
#       selection purposes for home networks. If the AP does not advertise
#       BSS Load or if the limit would prevent any connection, this constraint
#       will be ignored.
#
# req_conn_capab: Required connection capability
#       (PPS/<X+>/Policy/RequiredProtoPortTuple)
#       This value is used to configure set of required protocol/port pairs that
#       a roaming network shall support (include explicitly in Connection
#       Capability ANQP element). This constraint is ignored if the AP does not
#       advertise Connection Capability or if this constraint would prevent any
#       network connection. This policy is not used in home networks.
#       Format: <protocol>[:<comma-separated list of ports>]
#       Multiple entries can be used to list multiple requirements.
#       For example, number of common TCP protocols:
#       req_conn_capab=6:22,80,443
#       For example, IPSec/IKE:
#       req_conn_capab=17:500
#       req_conn_capab=50
#
# ocsp: Whether to use/require OCSP to check server certificate
#       0 = do not use OCSP stapling (TLS certificate status extension)
#       1 = try to use OCSP stapling, but not require response
#       2 = require valid OCSP stapling response
#       3 = require valid OCSP stapling response for all not-trusted
#           certificates in the server certificate chain
#
# sim_num: Identifier for which SIM to use in multi-SIM devices
#
# for example:
#
#cred={
#       realm="example.com"
#       username="user@example.com"
#       password="password"
#       ca_cert="/etc/wpa_supplicant/ca.pem"
#       domain="example.com"
#}
#
#cred={
#       imsi="310026-000000000"
#       milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
#}
#
#cred={
#       realm="example.com"
#       username="user"
#       password="password"
#       ca_cert="/etc/wpa_supplicant/ca.pem"
#       domain="example.com"
#       roaming_consortium=223344
#       eap=TTLS
#       phase2="auth=MSCHAPV2"
#}

# Hotspot 2.0
# hs20=1

# Scheduled scan plans
#
# A space delimited list of scan plans. Each scan plan specifies the scan
# interval and number of iterations, delimited by a colon. The last scan plan
# will run infinitely and thus must specify only the interval and not the number
# of iterations.
#
# The driver advertises the maximum number of scan plans supported. If more scan
# plans than supported are configured, only the first ones are set (up to the
# maximum supported). The last scan plan that specifies only the interval is
# always set as the last plan.
  663. # A space delimited list of scan plans. Each scan plan specifies the scan
  664. # interval and number of iterations, delimited by a colon. The last scan plan
  665. # will run infinitely and thus must specify only the interval and not the number
  666. # of iterations.
  667. #
  668. # The driver advertises the maximum number of scan plans supported. If more scan
  669. # plans than supported are configured, only the first ones are set (up to the
  670. # maximum supported). The last scan plan that specifies only the interval is
  671. # always set as the last plan.
  672. #
  673. # If the scan interval or the number of iterations for a scan plan exceeds the
  674. # maximum supported, it will be set to the maximum supported value.
  675. #
  676. # Format:
  677. # sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
  678. #
  679. # Example:
  680. # sched_scan_plans=10:100 20:200 30
  681.  
  682. # Multi Band Operation (MBO) non-preferred channels
  683. # A space delimited list of non-preferred channels where each channel is a colon
  684. # delimited list of values.
  685. # Format:
  686. # non_pref_chan=<oper_class>:<chan>:<preference>:<reason>
  687. # Example:
  688. # non_pref_chan="81:5:10:2 81:1:0:2 81:9:0:2"
  689.  
  690. # MBO Cellular Data Capabilities
  691. # 1 = Cellular data connection available
  692. # 2 = Cellular data connection not available
  693. # 3 = Not cellular capable (default)
  694. #mbo_cell_capa=3
  695.  
  696. # network block
  697. #
  698. # Each network (usually APs sharing the same SSID) is configured as a separate
  699. # block in this configuration file. The network blocks are in preference order
  700. # (the first match is used).
  701. #
  702. # network block fields:
  703. #
  704. # disabled:
  705. #       0 = this network can be used (default)
  706. #       1 = this network block is disabled (can be enabled through ctrl_iface,
  707. #           e.g., with wpa_cli or wpa_gui)
  708. #
  709. # id_str: Network identifier string for external scripts. This value is passed
  710. #       to external action script through wpa_cli as WPA_ID_STR environment
  711. #       variable to make it easier to do network specific configuration.
  712. #
  713. # ssid: SSID (mandatory); network name in one of the optional formats:
  714. #       - an ASCII string with double quotation
  715. #       - a hex string (two characters per octet of SSID)
  716. #       - a printf-escaped ASCII string P"<escaped string>"
  717. #
  718. # scan_ssid:
  719. #       0 = do not scan this SSID with specific Probe Request frames (default)
  720. #       1 = scan with SSID-specific Probe Request frames (this can be used to
  721. #           find APs that do not accept broadcast SSID or use multiple SSIDs;
  722. #           this will add latency to scanning, so enable this only when needed)
  723. #
  724. # bssid: BSSID (optional); if set, this network block is used only when
  725. #       associating with the AP using the configured BSSID
  726. #
  727. # priority: priority group (integer)
  728. # By default, all networks will get same priority group (0). If some of the
  729. # networks are more desirable, this field can be used to change the order in
  730. # which wpa_supplicant goes through the networks when selecting a BSS. The
  731. # priority groups will be iterated in decreasing priority (i.e., the larger the
  732. # priority value, the sooner the network is matched against the scan results).
  733. # Within each priority group, networks will be selected based on security
  734. # policy, signal strength, etc.
  735. # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
  736. # using this priority to select the order for scanning. Instead, they try the
  737. # networks in the order that is used in the configuration file.
  738. #
  739. # mode: IEEE 802.11 operation mode
  740. # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
  741. # 1 = IBSS (ad-hoc, peer-to-peer)
  742. # 2 = AP (access point)
  743. # Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
  744. # WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
  745. # TKIP/CCMP) is available for backwards compatibility, but its use is
  746. # deprecated. WPA-None requires following network block options:
  747. # proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
  748. # both), and psk must also be set.
  749. #
  750. # frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
  751. # 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
  752. # channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
  753. # In addition, this value is only used by the station that creates the IBSS. If
  754. # an IBSS network with the configured SSID is already present, the frequency of
  755. # the network will be used instead of this configured value.
  756. #
  757. # pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
  758. # 0 = do not use PBSS
  759. # 1 = use PBSS
  760. # 2 = don't care (not allowed in AP mode)
  761. # Used together with mode configuration. When mode is AP, it means to start a
  762. # PCP instead of a regular AP. When mode is infrastructure it means connect
  763. # to a PCP instead of AP. In this mode you can also specify 2 (don't care)
  764. # which means connect to either PCP or AP.
  765. # P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.
  766. # For more details, see IEEE Std 802.11ad-2012.
  767. #
  768. # scan_freq: List of frequencies to scan
  769. # Space-separated list of frequencies in MHz to scan when searching for this
  770. # BSS. If the subset of channels used by the network is known, this option can
  771. # be used to optimize scanning to not occur on channels that the network does
  772. # not use. Example: scan_freq=2412 2437 2462
  773. #
  774. # freq_list: Array of allowed frequencies
  775. # Space-separated list of frequencies in MHz to allow for selecting the BSS. If
  776. # set, scan results that do not match any of the specified frequencies are not
  777. # considered when selecting a BSS.
  778. #
  779. # This can also be set on the outside of the network block. In this case,
  780. # it limits the frequencies that will be scanned.
  781. #
  782. # bgscan: Background scanning
  783. # wpa_supplicant behavior for background scanning can be specified by
  784. # configuring a bgscan module. These modules are responsible for requesting
  785. # background scans for the purpose of roaming within an ESS (i.e., within a
  786. # single network block with all the APs using the same SSID). The bgscan
  787. # parameter uses following format: "<bgscan module name>:<module parameters>"
  788. # Following bgscan modules are available:
  789. # simple - Periodic background scans based on signal strength
  790. # bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
  791. # <long interval>"
  792. # bgscan="simple:30:-45:300"
  793. # learn - Learn channels used by the network and try to avoid bgscans on other
  794. # channels (experimental)
  795. # bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
  796. # <long interval>[:<database file name>]"
  797. # bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
  798. # Explicitly disable bgscan by setting
  799. # bgscan=""
  800. #
  801. # This option can also be set outside of all network blocks for the bgscan
  802. # parameter to apply for all the networks that have no specific bgscan
  803. # parameter.
  804. #
  805. # proto: list of accepted protocols
  806. # WPA = WPA/IEEE 802.11i/D3.0
  807. # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
  808. # If not set, this defaults to: WPA RSN
  809. #
  810. # key_mgmt: list of accepted authenticated key management protocols
  811. # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
  812. # WPA-EAP = WPA using EAP authentication
  813. # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
  814. #       generated WEP keys
  815. # NONE = WPA is not used; plaintext or static WEP could be used
  816. # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
  817. #       instead)
  818. # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
  819. # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
  820. # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
  821. # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
  822. # SAE = Simultaneous authentication of equals; pre-shared key/password-based
  823. #       authentication with stronger security than WPA-PSK, especially when
  824. #       the password is not very strong
  825. # FT-SAE = SAE with FT
  826. # WPA-EAP-SUITE-B = Suite B 128-bit level
  827. # WPA-EAP-SUITE-B-192 = Suite B 192-bit level
  828. # OSEN = Hotspot 2.0 Rel 2 online signup connection
  829. # If not set, this defaults to: WPA-PSK WPA-EAP
  830. #
  831. # ieee80211w: whether management frame protection is enabled
  832. # 0 = disabled (default unless changed with the global pmf parameter)
  833. # 1 = optional
  834. # 2 = required
  835. # The most common configuration options for this based on the PMF (protected
  836. # management frames) certification program are:
  837. # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
  838. # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
  839. # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
  840. #
  841. # auth_alg: list of allowed IEEE 802.11 authentication algorithms
  842. # OPEN = Open System authentication (required for WPA/WPA2)
  843. # SHARED = Shared Key authentication (requires static WEP keys)
  844. # LEAP = LEAP/Network EAP (only used with LEAP)
  845. # If not set, automatic selection is used (Open System with LEAP enabled if
  846. # LEAP is allowed as one of the EAP methods).
  847. #
  848. # pairwise: list of accepted pairwise (unicast) ciphers for WPA
  849. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  850. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  851. # NONE = Use only Group Keys (deprecated, should not be included if APs support
  852. #       pairwise keys)
  853. # If not set, this defaults to: CCMP TKIP
  854. #
  855. # group: list of accepted group (broadcast/multicast) ciphers for WPA
  856. # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  857. # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  858. # WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
  859. # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
  860. # If not set, this defaults to: CCMP TKIP WEP104 WEP40
  861. #
  862. # psk: WPA preshared key; 256-bit pre-shared key
  863. # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
  864. # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
  865. # generated using the passphrase and SSID). ASCII passphrase must be between
  866. # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
  867. # be used to indicate that the PSK/passphrase is stored in external storage.
  868. # This field is not needed, if WPA-EAP is used.
  869. # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
  870. # from ASCII passphrase. This process uses a lot of CPU and wpa_supplicant
  871. # startup and reconfiguration time can be optimized by generating the PSK
  872. # only when the passphrase or SSID has actually changed.
  873. #
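The psk field above accepts three forms and derives the real key from passphrase and SSID. The following is an added example, not part of the pasted file or of wpa_supplicant: it resolves each form and derives the key with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt), which is the IEEE 802.11 passphrase mapping and is not spelled out in the file. The function names are hypothetical, and the quoted-passphrase versus bare-hex distinction is assumed from the usual configuration syntax.

```python
import hashlib
import re

# 64 hex digits = 32 bytes, the raw 256-bit PSK form described above.
HEX_PSK = re.compile(r"[0-9a-fA-F]{64}")


def derive_psk(passphrase, ssid):
    """Map an ASCII passphrase and an SSID (bytes) to the 256-bit PSK."""
    if not passphrase.isascii():
        raise ValueError("passphrase must be ASCII")
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters (inclusive)")
    # The SSID is the salt, so the same passphrase gives a different key
    # on every network name; changing either input requires re-derivation.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid, 4096, 32)


def resolve_psk_field(value, ssid):
    """Classify a psk= value and return (kind, result).

    kind is "external" (result: name of the external field),
    "derived" (result: 32-byte key computed from a quoted passphrase) or
    "raw" (result: 32-byte key given directly as 64 hex digits).
    """
    if value.startswith("ext:"):
        return ("external", value[4:])
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return ("derived", derive_psk(value[1:-1], ssid))
    if HEX_PSK.fullmatch(value):
        # A raw PSK is password-equivalent for this SSID: storing it instead
        # of the passphrase saves CPU at startup but does not make the
        # configuration file any less sensitive.
        return ("raw", bytes.fromhex(value))
    raise ValueError("psk must be 64 hex digits, a quoted passphrase, or ext:<name>")


if __name__ == "__main__":
    # Test vector from the IEEE 802.11 standard: passphrase "password", SSID "IEEE".
    kind, key = resolve_psk_field('"password"', b"IEEE")
    print(kind, key.hex())
```
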
  874. # mem_only_psk: Whether to keep PSK/passphrase only in memory
  875. # 0 = allow psk/passphrase to be stored to the configuration file
  876. # 1 = do not store psk/passphrase to the configuration file
  877. #mem_only_psk=0
  878. #
  879. # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
  880. # Dynamic WEP key required for non-WPA mode
  881. # bit0 (1): require dynamically generated unicast WEP key
  882. # bit1 (2): require dynamically generated broadcast WEP key
  883. #       (3 = require both keys; default)
  884. # Note: When using wired authentication (including macsec_qca driver),
  885. # eapol_flags must be set to 0 for the authentication to be completed
  886. # successfully.
  887. #
  888. # macsec_policy: IEEE 802.1X/MACsec options
  889. # This determines how sessions are secured with MACsec. It is currently
  890. # applicable only when using the macsec_qca driver interface.
  891. # 0: MACsec not in use (default)
  892. # 1: MACsec enabled - Should secure, accept key server's advice to
  893. #    determine whether to use a secure session or not.
  894. #
  895. # mixed_cell: This option can be used to configure whether so called mixed
  896. # cells, i.e., networks that use both plaintext and encryption in the same
  897. # SSID, are allowed when selecting a BSS from scan results.
  898. # 0 = disabled (default)
  899. # 1 = enabled
  900. #
  901. # proactive_key_caching:
  902. # Enable/disable opportunistic PMKSA caching for WPA2.
  903. # 0 = disabled (default unless changed with the global okc parameter)
  904. # 1 = enabled
  905. #
  906. # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
  907. # hex without quotation, e.g., 0102030405)
  908. # wep_tx_keyidx: Default WEP key index (TX) (0..3)
  909. #
  910. # peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
  911. # allowed. This is only used with RSN/WPA2.
  912. # 0 = disabled (default)
  913. # 1 = enabled
  914. #peerkey=1
  915. #
  916. # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
  917. # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
  918. #
  919. # group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
  920. # as the dot11RSNAConfigGroupRekeyTime parameter when operating in
  921. # Authenticator role in IBSS.
  922. #
  923. # Following fields are only used with internal EAP implementation.
  924. # eap: space-separated list of accepted EAP methods
  925. #       MD5 = EAP-MD5 (insecure and does not generate keying material ->
  926. #                       cannot be used with WPA; to be used as a Phase 2 method
  927. #                       with EAP-PEAP or EAP-TTLS)
  928. #       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
  929. #               as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  930. #       OTP = EAP-OTP (cannot be used separately with WPA; to be used
  931. #               as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  932. #       GTC = EAP-GTC (cannot be used separately with WPA; to be used
  933. #               as a Phase 2 method with EAP-PEAP or EAP-TTLS)
  934. #       TLS = EAP-TLS (client and server certificate)
  935. #       PEAP = EAP-PEAP (with tunnelled EAP authentication)
  936. #       TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
  937. #                        authentication)
  938. #       If not set, all compiled in methods are allowed.
  939. #
  940. # identity: Identity string for EAP
  941. #       This field is also used to configure user NAI for
  942. #       EAP-PSK/PAX/SAKE/GPSK.
  943. # anonymous_identity: Anonymous identity string for EAP (to be used as the
  944. #       unencrypted identity with EAP types that support different tunnelled
  945. #       identity, e.g., EAP-TTLS). This field can also be used with
  946. #       EAP-SIM/AKA/AKA' to store the pseudonym identity.
  947. # password: Password string for EAP. This field can include either the
  948. #       plaintext password (using ASCII or hex string) or a NtPasswordHash
  949. #       (16-byte MD4 hash of password) in hash:<32 hex digits> format.
  950. #       NtPasswordHash can only be used when the password is for MSCHAPv2 or
  951. #       MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
  952. #       EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
  953. #       PSK) is also configured using this field. For EAP-GPSK, this is a
  954. #       variable length PSK. ext:<name of external password field> format can
  955. #       be used to indicate that the password is stored in external storage.
  956. # ca_cert: File path to CA certificate file (PEM/DER). This file can have one
  957. #       or more trusted CA certificates. If ca_cert and ca_path are not
  958. #       included, server certificate will not be verified. This is insecure and
  959. #       a trusted CA certificate should always be configured when using
  960. #       EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
  961. #       change when wpa_supplicant is run in the background.
  962. #
  963. #       Alternatively, this can be used to only perform matching of the server
  964. #       certificate (SHA-256 hash of the DER encoded X.509 certificate). In
  965. #       this case, the possible CA certificates in the server certificate chain
  966. #       are ignored and only the server certificate is verified. This is
  967. #       configured with the following format:
  968. #       hash://server/sha256/cert_hash_in_hex
  969. #       For example: "hash://server/sha256/
  970. #       5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
  971. #
  972. #       On Windows, trusted CA certificates can be loaded from the system
  973. #       certificate store by setting this to cert_store://<name>, e.g.,
  974. #       ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
  975. #       Note that when running wpa_supplicant as an application, the user
  976. #       certificate store (My user account) is used, whereas computer store
  977. #       (Computer account) is used when running wpasvc as a service.
  978. # ca_path: Directory path for CA certificate files (PEM). This path may
  979. #       contain multiple CA certificates in OpenSSL format. Common use for this
  980. #       is to point to system trusted CA list which is often installed into
  981. #       directory like /etc/ssl/certs. If configured, these certificates are
  982. #       added to the list of trusted CAs. ca_cert may also be included in that
  983. #       case, but it is not required.
  984. # client_cert: File path to client certificate file (PEM/DER)
  985. #       Full path should be used since working directory may change when
  986. #       wpa_supplicant is run in the background.
  987. #       Alternatively, a named configuration blob can be used by setting this
  988. #       to blob://<blob name>.
  989. # private_key: File path to client private key file (PEM/DER/PFX)
  990. #       When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
  991. #       commented out. Both the private key and certificate will be read from
  992. #       the PKCS#12 file in this case. Full path should be used since working
  993. #       directory may change when wpa_supplicant is run in the background.
  994. #       Windows certificate store can be used by leaving client_cert out and
  995. #       configuring private_key in one of the following formats:
  996. #       cert://substring_to_match
  997. #       hash://certificate_thumbprint_in_hex
  998. #       for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
  999. #       Note that when running wpa_supplicant as an application, the user
  1000. #       certificate store (My user account) is used, whereas computer store
  1001. #       (Computer account) is used when running wpasvc as a service.
  1002. #       Alternatively, a named configuration blob can be used by setting this
  1003. #       to blob://<blob name>.
  1004. # private_key_passwd: Password for private key file (if left out, this will be
  1005. #       asked through control interface)
  1006. # dh_file: File path to DH/DSA parameters file (in PEM format)
  1007. #       This is an optional configuration file for setting parameters for an
  1008. #       ephemeral DH key exchange. In most cases, the default RSA
  1009. #       authentication does not use this configuration. However, it is possible
  1010. #       to set up RSA to use ephemeral DH key exchange. In addition, ciphers with
  1011. #       DSA keys always use ephemeral DH keys. This can be used to achieve
  1012. #       forward secrecy. If the file is in DSA parameters format, it will be
  1013. #       automatically converted into DH params.
  1014. # subject_match: Substring to be matched against the subject of the
  1015. #       authentication server certificate. If this string is set, the server
  1016. #       certificate is only accepted if it contains this string in the subject.
  1017. #       The subject string is in following format:
  1018. #       /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
  1019. #       Note: Since this is a substring match, this cannot be used securely to
  1020. #       do a suffix match against a possible domain name in the CN entry. For
  1021. #       such a use case, domain_suffix_match or domain_match should be used
  1022. #       instead.
  1023. # altsubject_match: Semicolon separated string of entries to be matched against
  1024. #       the alternative subject name of the authentication server certificate.
  1025. #       If this string is set, the server certificate is only accepted if it
  1026. #       contains one of the entries in an alternative subject name extension.
  1027. #       altSubjectName string is in following format: TYPE:VALUE
  1028. #       Example: EMAIL:server@example.com
  1029. #       Example: DNS:server.example.com;DNS:server2.example.com
  1030. #       Following types are supported: EMAIL, DNS, URI
  1031. # domain_suffix_match: Constraint for server domain name. If set, this FQDN is
  1032. #       used as a suffix match requirement for the AAA server certificate in
  1033. #       SubjectAltName dNSName element(s). If a matching dNSName is found, this
  1034. #       constraint is met. If no dNSName values are present, this constraint is
  1035. #       matched against SubjectName CN using same suffix match comparison.
  1036. #
  1037. #       Suffix match here means that the host/domain name is compared one label
  1038. #       at a time starting from the top-level domain and all the labels in
  1039. #       domain_suffix_match shall be included in the certificate. The
  1040. #       certificate may include additional sub-level labels in addition to the
  1041. #       required labels.
  1042. #
  1043. #       For example, domain_suffix_match=example.com would match
  1044. #       test.example.com but would not match test-example.com.
  1045. # domain_match: Constraint for server domain name
  1046. #       If set, this FQDN is used as a full match requirement for the
  1047. #       server certificate in SubjectAltName dNSName element(s). If a
  1048. #       matching dNSName is found, this constraint is met. If no dNSName
  1049. #       values are present, this constraint is matched against SubjectName CN
  1050. #       using same full match comparison. This behavior is similar to
  1051. #       domain_suffix_match, but has the requirement of a full match, i.e.,
  1052. #       no subdomains or wildcard matches are allowed. Case-insensitive
  1053. #       comparison is used, so "Example.com" matches "example.com", but would
  1054. #       not match "test.Example.com".
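The three server-name constraints above (subject_match, domain_suffix_match, domain_match) behave differently on the same certificate. The following is an added example, not wpa_supplicant's own code: a small model of the matching rules as the comments describe them, run over constructed certificate names. Case-insensitive comparison for the suffix match is an assumption; the file states it only for domain_match.

```python
def _labels(name):
    """Lower-cased DNS labels of a host name, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def _candidate_names(dns_names, subject_cn):
    """dNSName entries take precedence; the CN is consulted only if none exist."""
    if dns_names:
        return list(dns_names)
    return [subject_cn] if subject_cn else []


def subject_match(needle, subject):
    """subject_match: plain substring test against the whole subject string."""
    return needle in subject


def domain_suffix_match(required, dns_names, subject_cn=None):
    """Label-by-label suffix match starting from the top-level domain."""
    want = _labels(required)
    for name in _candidate_names(dns_names, subject_cn):
        have = _labels(name)
        if len(have) >= len(want) and have[-len(want):] == want:
            return True
    return False


def domain_match(required, dns_names, subject_cn=None):
    """Full match: every label must be equal, no extra sub-level labels."""
    want = _labels(required)
    return any(_labels(n) == want for n in _candidate_names(dns_names, subject_cn))


# Constructed certificates: label -> (subject string, dNSName list, CN)
SAMPLE_CERTS = {
    "expected server": ("/C=US/O=Example/CN=test.example.com",
                        ["test.example.com"], "test.example.com"),
    "hyphen lookalike": ("/C=US/O=Other/CN=test-example.com",
                         ["test-example.com"], "test-example.com"),
    "no SAN, CN only": ("/C=US/O=Example/CN=aaa.example.com",
                        [], "aaa.example.com"),
    "SAN and CN disagree": ("/C=US/O=Other/CN=aaa.example.com",
                            ["aaa.other.test"], "aaa.example.com"),
}


def compare(required="example.com"):
    """Map each sample to (subject_match, domain_suffix_match, domain_match)."""
    return {
        label: (subject_match(required, subject),
                domain_suffix_match(required, dns, cn),
                domain_match(required, dns, cn))
        for label, (subject, dns, cn) in SAMPLE_CERTS.items()
    }


if __name__ == "__main__":
    for label, (sub, suffix, full) in compare().items():
        print(f"{label:20} subject={sub!s:5} suffix={suffix!s:5} full={full}")
```

The substring test accepts all four constructed subjects, while the label-wise suffix match accepts only names that actually end in the required labels and ignores the CN whenever a dNSName is present.
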
  1055. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
  1056. #       (string with field-value pairs, e.g., "peapver=0" or
  1057. #       "peapver=1 peaplabel=1")
  1058. #       'peapver' can be used to force which PEAP version (0 or 1) is used.
  1059. #       'peaplabel=1' can be used to force new label, "client PEAP encryption",
  1060. #       to be used during key derivation when PEAPv1 or newer is used. Most
  1061. #       existing PEAPv1 implementations seem to be using the old label, "client EAP
  1062. #       encryption", and wpa_supplicant is now using that as the default value.
  1063. #       Some servers, e.g., Radiator, may require peaplabel=1 configuration to
  1064. #       interoperate with PEAPv1; see eap_testing.txt for more details.
  1065. #       'peap_outer_success=0' can be used to terminate PEAP authentication on
  1066. #       tunneled EAP-Success. This is required with some RADIUS servers that
  1067. #       implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
  1068. #       Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
  1069. #       include_tls_length=1 can be used to force wpa_supplicant to include
  1070. #       TLS Message Length field in all TLS messages even if they are not
  1071. #       fragmented.
  1072. #       sim_min_num_chal=3 can be used to configure EAP-SIM to require three
  1073. #       challenges (by default, it accepts 2 or 3)
  1074. #       result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
  1075. #       protected result indication.
  1076. #       'crypto_binding' option can be used to control PEAPv0 cryptobinding
  1077. #       behavior:
  1078. #        * 0 = do not use cryptobinding (default)
  1079. #        * 1 = use cryptobinding if server supports it
  1080. #        * 2 = require cryptobinding
  1081. #       EAP-WSC (WPS) uses following options: pin=<Device Password> or
  1082. #       pbc=1.
  1083. #
  1084. #       For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
  1085. #       used to configure a mode that allows EAP-Success (and EAP-Failure)
  1086. #       without going through authentication step. Some switches use such
  1087. #       sequence when forcing the port to be authorized/unauthorized or as a
  1088. #       fallback option if the authentication server is unreachable. By default,
  1089. #       wpa_supplicant discards such frames to protect against potential attacks
  1090. #       by rogue devices, but this option can be used to disable that protection
  1091. #       for cases where the server/authenticator does not need to be
  1092. #       authenticated.
  1093. # phase2: Phase2 (inner authentication with TLS tunnel) parameters
  1094. #       (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
  1095. #       "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
  1096. #       used to disable MSCHAPv2 password retry in authentication failure cases.
  1097. #
  1098. # TLS-based methods can use the following parameters to control TLS behavior
  1099. # (these are normally in the phase1 parameter, but can be used also in the
  1100. # phase2 parameter when EAP-TLS is used within the inner tunnel):
  1101. # tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
  1102. #       TLS library, these may be disabled by default to enforce stronger
  1103. #       security)
  1104. # tls_disable_time_checks=1 - ignore certificate validity time (this requests
  1105. #       the TLS library to accept certificates even if they are not currently
  1106. #       valid, i.e., have expired or have not yet become valid; this should be
  1107. #       used only for testing purposes)
  1108. # tls_disable_session_ticket=1 - disable TLS Session Ticket extension
  1109. # tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
  1110. #       Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
  1111. #       as a workaround for broken authentication server implementations unless
  1112. #       EAP workarounds are disabled with eap_workaround=0.
  1113. #       For EAP-FAST, this must be set to 0 (or left unconfigured for the
  1114. #       default value to be used automatically).
  1115. # tls_disable_tlsv1_0=1 - disable use of TLSv1.0
  1116. # tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
  1117. #       that have issues interoperating with updated TLS version)
  1118. # tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
  1119. #       that have issues interoperating with updated TLS version)
  1120. # tls_ext_cert_check=0 - No external server certificate validation (default)
  1121. # tls_ext_cert_check=1 - External server certificate validation enabled; this
  1122. #       requires an external program doing validation of server certificate
  1123. #       chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
  1124. #       interface and report the result of the validation with
  1125. #       CTRL-RSP_EXT_CERT_CHECK.
  1126. #
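Several defaults and options described above weaken a network block without any visible setting: pairwise and group default to lists that include TKIP and WEP, a missing ca_cert/ca_path means the server certificate is not verified, and tls_disable_time_checks=1 is for testing only. The following is an added example, not part of the pasted file or of wpa_supplicant: a small auditor that applies the stated defaults to each network block and reports such conditions. The finding names, the sample configuration and the simplified parser (one key=value per line, no blob sections) are constructed for illustration.

```python
# Defaults as stated in the field descriptions (applied when a field is absent).
DEFAULTS = {"proto": "WPA RSN", "key_mgmt": "WPA-PSK WPA-EAP",
            "pairwise": "CCMP TKIP", "group": "CCMP TKIP WEP104 WEP40"}
EAP_KEY_MGMT = {"WPA-EAP", "IEEE8021X", "FT-EAP", "WPA-EAP-SHA256",
                "WPA-EAP-SUITE-B", "WPA-EAP-SUITE-B-192"}

# Constructed sample configuration (not taken from the paste).
SAMPLE_CONF = """
update_config=1
network={
    ssid="corp-legacy"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    password="constructed-placeholder"
    subject_match="example.com"
    phase1="peapver=0 tls_disable_time_checks=1"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-hardened"
    proto=RSN
    key_mgmt=WPA-EAP-SHA256
    ieee80211w=2
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_suffix_match="example.com"
    client_cert="/etc/wpa_supplicant/user.pem"
    private_key="/etc/wpa_supplicant/user.key"
}
network={
    ssid="home-default"
    psk="constructed passphrase"
}
"""


def parse_networks(text):
    """Return one dict per network={...} block; comments and globals are skipped."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}":
            if current is not None:
                blocks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return blocks


def audit_network(net):
    """Return a sorted list of finding codes for one parsed network block."""
    def field(name):
        return net.get(name, DEFAULTS.get(name, "")).split()

    findings = set()
    key_mgmt = field("key_mgmt")
    # EAP counts as in use only when configured explicitly, so a plain PSK
    # block is not flagged because of the WPA-EAP entry in the default list.
    uses_eap = "eap" in net or bool(EAP_KEY_MGMT & set(net.get("key_mgmt", "").split()))
    if uses_eap and "ca_cert" not in net and "ca_path" not in net:
        findings.add("EAP_SERVER_CERT_NOT_VERIFIED")
    if uses_eap and "subject_match" in net and not (
            {"domain_suffix_match", "domain_match"} & set(net)):
        findings.add("SUBSTRING_ONLY_SERVER_NAME_CHECK")
    tls_flags = (net.get("phase1", "") + " " + net.get("phase2", "")).split()
    if "tls_disable_time_checks=1" in tls_flags:
        findings.add("CERT_VALIDITY_TIME_IGNORED")
    if "tls_allow_md5=1" in tls_flags:
        findings.add("MD5_CERT_SIGNATURES_ALLOWED")
    if "NONE" in key_mgmt:
        findings.add("PLAINTEXT_OR_STATIC_WEP_ALLOWED")
    if key_mgmt != ["NONE"]:  # cipher lists only apply when WPA is in use
        if "TKIP" in field("pairwise"):
            findings.add("TKIP_PAIRWISE_ACCEPTED")
        if {"WEP104", "WEP40"} & set(field("group")):
            findings.add("WEP_GROUP_CIPHER_ACCEPTED")
    return sorted(findings)


def audit_config(text):
    """Map each network block's ssid to its findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, findings or "no findings")
```
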
  1127. # Following certificate/private key fields are used in inner Phase2
  1128. # authentication when using EAP-TTLS or EAP-PEAP.
  1129. # ca_cert2: File path to CA certificate file. This file can have one or more
  1130. #       trusted CA certificates. If ca_cert2 and ca_path2 are not included,
  1131. #       server certificate will not be verified. This is insecure and a trusted
  1132. #       CA certificate should always be configured.
  1133. # ca_path2: Directory path for CA certificate files (PEM)
  1134. # client_cert2: File path to client certificate file
  1135. # private_key2: File path to client private key file
  1136. # private_key2_passwd: Password for private key file
  1137. # dh_file2: File path to DH/DSA parameters file (in PEM format)
  1138. # subject_match2: Substring to be matched against the subject of the
  1139. #       authentication server certificate. See subject_match for more details.
  1140. # altsubject_match2: Semicolon separated string of entries to be matched
  1141. #       against the alternative subject name of the authentication server
  1142. #       certificate. See altsubject_match documentation for more details.
  1143. # domain_suffix_match2: Constraint for server domain name. See
  1144. #       domain_suffix_match for more details.
  1145. #
  1146. # fragment_size: Maximum EAP fragment size in bytes (default 1398).
  1147. #       This value limits the fragment size for EAP methods that support
  1148. #       fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
  1149. #       small enough to make the EAP messages fit in MTU of the network
  1150. #       interface used for EAPOL. The default value is suitable for most
  1151. #       cases.
  1152. #
  1153. # ocsp: Whether to use/require OCSP to check server certificate
  1154. #       0 = do not use OCSP stapling (TLS certificate status extension)
  1155. #       1 = try to use OCSP stapling, but not require response
  1156. #       2 = require valid OCSP stapling response
  1157. #       3 = require valid OCSP stapling response for all not-trusted
  1158. #           certificates in the server certificate chain
  1159. #
  1160. # openssl_ciphers: OpenSSL specific cipher configuration
  1161. #       This can be used to override the global openssl_ciphers configuration
  1162. #       parameter (see above).
  1163. #
  1164. # erp: Whether EAP Re-authentication Protocol (ERP) is enabled
  1165. #
  1166. # EAP-FAST variables:
  1167. # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
  1168. #       to create this file and write updates to it when PAC is being
  1169. #       provisioned or refreshed. Full path to the file should be used since
  1170. #       working directory may change when wpa_supplicant is run in the
  1171. #       background. Alternatively, a named configuration blob can be used by
  1172. #       setting this to blob://<blob name>
  1173. # phase1: fast_provisioning option can be used to enable in-line provisioning
  1174. #         of EAP-FAST credentials (PAC):
  1175. #         0 = disabled,
  1176. #         1 = allow unauthenticated provisioning,
  1177. #         2 = allow authenticated provisioning,
  1178. #         3 = allow both unauthenticated and authenticated provisioning
  1179. #       fast_max_pac_list_len=<num> option can be used to set the maximum
  1180. #               number of PAC entries to store in a PAC list (default: 10)
  1181. #       fast_pac_format=binary option can be used to select binary format for
  1182. #               storing PAC entries in order to save some space (the default
  1183. #               text format uses about 2.5 times the size of minimal binary
  1184. #               format)
  1185. #
  1186. # wpa_supplicant supports number of "EAP workarounds" to work around
  1187. # interoperability issues with incorrectly behaving authentication servers.
  1188. # These are enabled by default because some of the issues are present in large
  1189. # number of authentication servers. Strict EAP conformance mode can be
  1190. # configured by disabling workarounds with eap_workaround=0.
  1191.  
  1192. # update_identifier: PPS MO ID
  1193. #       (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
  1194.  
# Station inactivity limit
#
# If a station does not send anything in ap_max_inactivity seconds, an
# empty data frame is sent to it in order to verify whether it is
# still in range. If this frame is not ACKed, the station will be
# disassociated and then deauthenticated. This feature is used to
# clear station table of old entries when the STAs move out of the
# range.
#
# The station can associate again with the AP if it is still in range;
# this inactivity poll is just used as a nicer way of verifying
# inactivity; i.e., client will not report broken connection because
# disassociation frame is not sent immediately without first polling
# the STA with a data frame.
# default: 300 (i.e., 5 minutes)
#ap_max_inactivity=300

# DTIM period in Beacon intervals for AP mode (default: 2)
#dtim_period=2

# Beacon interval (default: 100 TU)
#beacon_int=100

# WPS in AP mode
# 0 = WPS enabled and configured (default)
# 1 = WPS disabled
#wps_disabled=0

# MAC address policy
# 0 = use permanent MAC address
# 1 = use random MAC address for each ESS connection
# 2 = like 1, but maintain OUI (with local admin bit set)
#mac_addr=0

# disable_ht: Whether HT (802.11n) should be disabled.
# 0 = HT enabled (if AP supports it)
# 1 = HT disabled
#
# disable_ht40: Whether HT-40 (802.11n) should be disabled.
# 0 = HT-40 enabled (if AP supports it)
# 1 = HT-40 disabled
#
# disable_sgi: Whether SGI (short guard interval) should be disabled.
# 0 = SGI enabled (if AP supports it)
# 1 = SGI disabled
#
# disable_ldpc: Whether LDPC should be disabled.
# 0 = LDPC enabled (if AP supports it)
# 1 = LDPC disabled
#
# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
# 0 = 40 MHz tolerant (default)
# 1 = 40 MHz intolerant
#
# ht_mcs:  Configure allowed MCS rates.
#  Parsed as an array of bytes, in base-16 (ascii-hex)
# ht_mcs=""                                   // Use all available (default)
# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "   // Use MCS 0-7 only
# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "   // Use MCS 0-15 only
#
# disable_max_amsdu:  Whether MAX_AMSDU should be disabled.
# -1 = Do not make any changes.
# 0  = Enable MAX-AMSDU if hardware supports it.
# 1  = Disable AMSDU
#
# ampdu_factor: Maximum A-MPDU Length Exponent
# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
#
# ampdu_density:  Allow overriding AMPDU density configuration.
#  Treated as hint by the kernel.
# -1 = Do not make any changes.
# 0-3 = Set AMPDU density (aka factor) to specified value.

# disable_vht: Whether VHT should be disabled.
# 0 = VHT enabled (if AP supports it)
# 1 = VHT disabled
#
# vht_capa: VHT capabilities to set in the override
# vht_capa_mask: mask of VHT capabilities
#
# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
#  0: MCS 0-7
#  1: MCS 0-8
#  2: MCS 0-9
#  3: not supported

##### Fast Session Transfer (FST) support #####################################
#
# The options in this section are only available when the build configuration
# option CONFIG_FST is set while compiling wpa_supplicant. They allow this
# interface to be a part of FST setup.
#
# FST is the transfer of a session from a channel to another channel, in the
# same or different frequency bands.
#
# For details, see IEEE Std 802.11ad-2012.

# Identifier of an FST Group the interface belongs to.
#fst_group_id=bond0

# Interface priority within the FST Group.
# Announcing a higher priority for an interface means declaring it more
# preferable for FST switch.
# fst_priority is in 1..255 range with 1 being the lowest priority.
#fst_priority=100

# Default LLT value for this interface in milliseconds. This value is used when
# no value is provided during session setup. Default is 50 msec.
# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
# Transitioning between states).
#fst_llt=100

# Example blocks:

# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
network={
        ssid="simple"
        psk="very secret passphrase"
        priority=5
}

# Same as previous, but request SSID-specific scanning (for APs that reject
# broadcast SSID)
network={
        ssid="second ssid"
        scan_ssid=1
        psk="very secret passphrase"
        priority=2
}

# Only WPA-PSK is used. Any valid cipher combination is accepted.
network={
        ssid="example"
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=CCMP TKIP
        group=CCMP TKIP WEP104 WEP40
        psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
        priority=2
}

# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
network={
        ssid="example"
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP
        group=TKIP
        psk="not so secure passphrase"
        wpa_ptk_rekey=600
}

# Only WPA-EAP is used. Both CCMP and TKIP are accepted. An AP that uses WEP104
# or WEP40 as the group cipher will not be accepted.
network={
        ssid="example"
        proto=RSN
        key_mgmt=WPA-EAP
        pairwise=CCMP TKIP
        group=CCMP TKIP
        eap=TLS
        identity="user@example.com"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
        priority=1
}

# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
# (e.g., Radiator)
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="user@example.com"
        password="foobar"
        ca_cert="/etc/cert/ca.pem"
        phase1="peaplabel=1"
        phase2="auth=MSCHAPV2"
        priority=10
}

# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="user@example.com"
        anonymous_identity="anonymous@example.com"
        password="foobar"
        ca_cert="/etc/cert/ca.pem"
        priority=2
}

# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
# use. Real identity is sent only within an encrypted TLS tunnel.
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="user@example.com"
        anonymous_identity="anonymous@example.com"
        password="foobar"
        ca_cert="/etc/cert/ca.pem"
        phase2="auth=MSCHAPV2"
}

# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
# authentication.
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        # Phase1 / outer authentication
        anonymous_identity="anonymous@example.com"
        ca_cert="/etc/cert/ca.pem"
        # Phase 2 / inner authentication
        phase2="autheap=TLS"
        ca_cert2="/etc/cert/ca2.pem"
        client_cert2="/etc/cer/user.pem"
        private_key2="/etc/cer/user.prv"
        private_key2_passwd="password"
        priority=2
}

# Both WPA-PSK and WPA-EAP are accepted. Only CCMP is accepted as pairwise and
# group cipher.
network={
        ssid="example"
        bssid=00:11:22:33:44:55
        proto=WPA RSN
        key_mgmt=WPA-PSK WPA-EAP
        pairwise=CCMP
        group=CCMP
        psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
}

# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
# and all valid ciphers.
network={
        ssid=00010203
        psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
}


# EAP-SIM with a GSM SIM or USIM
network={
        ssid="eap-sim-test"
        key_mgmt=WPA-EAP
        eap=SIM
        pin="1234"
        pcsc=""
}


# EAP-PSK
network={
        ssid="eap-psk-test"
        key_mgmt=WPA-EAP
        eap=PSK
        anonymous_identity="eap_psk_user"
        password=06b4be19da289f475aa46a33cb793029
        identity="eap_psk_user@example.com"
}


# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
# EAP-TLS for authentication and key generation; require both unicast and
# broadcast WEP keys.
network={
        ssid="1x-test"
        key_mgmt=IEEE8021X
        eap=TLS
        identity="user@example.com"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
        eapol_flags=3
}


# LEAP with dynamic WEP keys
network={
        ssid="leap-example"
        key_mgmt=IEEE8021X
        eap=LEAP
        identity="user"
        password="foobar"
}

# EAP-IKEv2 using shared secrets for both server and peer authentication
network={
        ssid="ikev2-example"
        key_mgmt=WPA-EAP
        eap=IKEV2
        identity="user"
        password="foobar"
}

# EAP-FAST with WPA (WPA or WPA2)
network={
        ssid="eap-fast-test"
        key_mgmt=WPA-EAP
        eap=FAST
        anonymous_identity="FAST-000102030405"
        identity="username"
        password="password"
        phase1="fast_provisioning=1"
        pac_file="/etc/wpa_supplicant.eap-fast-pac"
}

network={
        ssid="eap-fast-test"
        key_mgmt=WPA-EAP
        eap=FAST
        anonymous_identity="FAST-000102030405"
        identity="username"
        password="password"
        phase1="fast_provisioning=1"
        pac_file="blob://eap-fast-pac"
}

# Plaintext connection (no WPA, no IEEE 802.1X)
network={
        ssid="plaintext-test"
        key_mgmt=NONE
}


# Shared WEP key connection (no WPA, no IEEE 802.1X)
network={
        ssid="static-wep-test"
        key_mgmt=NONE
        wep_key0="abcde"
        wep_key1=0102030405
        wep_key2="1234567890123"
        wep_tx_keyidx=0
        priority=5
}


# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
# IEEE 802.11 authentication
network={
        ssid="static-wep-test2"
        key_mgmt=NONE
        wep_key0="abcde"
        wep_key1=0102030405
        wep_key2="1234567890123"
        wep_tx_keyidx=0
        priority=5
        auth_alg=SHARED
}


# IBSS/ad-hoc network with RSN
network={
        ssid="ibss-rsn"
        key_mgmt=WPA-PSK
        proto=RSN
        psk="12345678"
        mode=1
        frequency=2412
        pairwise=CCMP
        group=CCMP
}

# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
network={
        ssid="test adhoc"
        mode=1
        frequency=2412
        proto=WPA
        key_mgmt=WPA-NONE
        pairwise=NONE
        group=TKIP
        psk="secret passphrase"
}

# open mesh network
network={
        ssid="test mesh"
        mode=5
        frequency=2437
        key_mgmt=NONE
}

# secure (SAE + AMPE) network
network={
        ssid="secure mesh"
        mode=5
        frequency=2437
        key_mgmt=SAE
        psk="very secret passphrase"
}


# Catch all example that allows more or less all configuration modes
network={
        ssid="example"
        scan_ssid=1
        key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
        pairwise=CCMP TKIP
        group=CCMP TKIP WEP104 WEP40
        psk="very secret passphrase"
        eap=TTLS PEAP TLS
        identity="user@example.com"
        password="foobar"
        ca_cert="/etc/cert/ca.pem"
        client_cert="/etc/cert/user.pem"
        private_key="/etc/cert/user.prv"
        private_key_passwd="password"
        phase1="peaplabel=0"
}

# Example of EAP-TLS with smartcard (openssl engine)
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TLS
        proto=RSN
        pairwise=CCMP TKIP
        group=CCMP TKIP
        identity="user@example.com"
        ca_cert="/etc/cert/ca.pem"

        # Certificate and/or key identified by PKCS#11 URI (RFC7512)
        client_cert="pkcs11:manufacturer=piv_II;id=%01"
        private_key="pkcs11:manufacturer=piv_II;id=%01"

        # Optional PIN configuration; this can be left out and PIN will be
        # asked through the control interface
        pin="1234"
}

# Example configuration showing how to use an inlined blob as CA certificate
# data instead of using an external file
network={
        ssid="example"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="user@example.com"
        anonymous_identity="anonymous@example.com"
        password="foobar"
        ca_cert="blob://exampleblob"
        priority=20
}

blob-base64-exampleblob={
SGVsbG8gV29ybGQhCg==
}


# Wildcard match for SSID (plaintext APs only). This example selects any
# open AP regardless of its SSID.
network={
        key_mgmt=NONE
}

# Example configuration blacklisting two APs - these will be ignored
# for this network.
network={
        ssid="example"
        psk="very secret passphrase"
        bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
}

# Example configuration limiting AP selection to a specific set of APs;
# any other AP not matching the masked address will be ignored.
network={
        ssid="example"
        psk="very secret passphrase"
        bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
}

# Example config file that will only scan on channel 36.
freq_list=5180
network={
        key_mgmt=NONE
}


# Example MACsec configuration
#network={
#       key_mgmt=IEEE8021X
#       eap=TTLS
#       phase2="auth=PAP"
#       anonymous_identity="anonymous@example.com"
#       identity="user@example.com"
#       password="secretr"
#       ca_cert="/etc/cert/ca.pem"
#       eapol_flags=0
#       macsec_policy=1
#}
update_config=1
network={
        ssid="Cox_House"
        psk="This_is_the_big_bopper_speaking."
        priority=10

}
network={
        ssid="Cox_House2"
        psk="This_is_the_big_bopper_speaking."
        priority=15

}
jc@bopper
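
Added example, not part of the original paste or of the wpa_supplicant project: a small Python auditor that parses `network={...}` blocks and flags settings the comments above describe as weak (no ca_cert/ca_path for TLS-based EAP, key_mgmt=NONE, TKIP/WEP ciphers, fast_provisioning values that allow unauthenticated provisioning). The function names, finding labels and the SAMPLE input are constructed for illustration.

```python
import re

TLS_METHODS = {"TLS", "PEAP", "TTLS"}   # TLS-based EAP methods checked here
NAME_CHECKS = ("domain_suffix_match", "subject_match", "altsubject_match")
WEAK_CIPHERS = {"TKIP", "WEP104", "WEP40"}

SAMPLE = """
network={
        ssid="peap-no-ca"
        key_mgmt=WPA-EAP
        eap=PEAP
}
network={
        ssid="tls-pinned"
        key_mgmt=WPA-EAP
        eap=TLS
        ca_cert="/etc/cert/ca.pem"
        domain_suffix_match="radius.example.com"
}
network={
        ssid="static-wep-test"
        key_mgmt=NONE
}
network={
        ssid="eap-fast-test"
        eap=FAST
        phase1="fast_provisioning=1"
        group=CCMP TKIP
}
"""  # constructed input, modelled on the example blocks in the file above

def parse_networks(text):
    """Return one dict per network={...} block; '#' lines and blob blocks are skipped."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            cur = {}
        elif line == "}" and cur is not None:
            blocks.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key] = value
    return blocks

def audit(block):
    """Return the findings (labels are this example's own) for one block."""
    out = []
    key_mgmt = set(block.get("key_mgmt", "").split())
    methods = set(block.get("eap", "").split())
    if methods & TLS_METHODS or (not methods and key_mgmt & {"WPA-EAP", "IEEE8021X"}):
        if "ca_cert" not in block and "ca_path" not in block:
            out.append("no-ca: server certificate is not verified")
        elif not any(k in block for k in NAME_CHECKS):
            out.append("no-name-check: any certificate from the CA is accepted")
    if "NONE" in key_mgmt:
        out.append("no-wpa: open network or static WEP")
    weak = WEAK_CIPHERS & set(f"{block.get('pairwise', '')} {block.get('group', '')}".split())
    if weak:
        out.append("weak-cipher: " + " ".join(sorted(weak)))
    if re.search(r"fast_provisioning=[13]\b", block.get("phase1", "")):
        out.append("fast-unauth: unauthenticated PAC provisioning allowed")
    return out

def audit_config(text):
    return [(b.get("ssid", "<any>").strip('"'), audit(b)) for b in parse_networks(text)]
```

Run `audit_config()` over the text of a real configuration file to get one `(ssid, findings)` pair per network block, in file order.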