  1. # This is an example configuration file for xsupplicant versions after 0.8b.
  2.  
  3. ### GLOBAL SECTION
  4.  
  5. # network_list: defines all of the networks in this file which
  6. # should be kept in memory and used. Comma-delimited list, or "all"
  7. # for keeping all defined configurations in memory. For efficiency,
  8. # keep only the networks you might roam to in memory.
  9. # To avoid errors, make sure your default network is always
  10. # in the network_list. In general, you will want to leave this set to
  11. # "all".
  12.  
  13. network_list = all
  14. #network_list = default, test1, test2
  15.  
  16. # default_netname: some users may actually have a network named "default".
  17. # Since "default" is a keyword in the network section below, you can
  18. # change which name is to be used as the replacement for this keyword.
  19. #
  20. # As of Xsupplicant 1.2.2, wireless interfaces will no longer use the default
  21. # network name if they are unable to find a valid config. If you have
  22. # auto association turned on, Xsupplicant will find a new network to connect
  23. # to. Otherwise, it will do nothing.
  24.  
  25. default_netname = default
  26. #default_netname = my_defaults
  27.  
  28. # destination: defines how Xsupplicant should determine the destination address
  29. # that should be used for the 802.1X conversation.
  30. #
  31. # Valid Options are :
  32. # Auto - respond to source address from the last packet we saw.
  33. # Source - same as Auto
  34. # BSSID - Always answer to the BSSID of the AP we are associated to.
  35. # Multicast - always use the multicast address defined in 802.1X-2001.
  36. #
  37. #destination = auto
  38.  
  39. # Do we want xsupplicant to pick the best AP to connect to? Or should the
  40. # 'firmware' be allowed to select the AP? (In most cases, letting Xsupplicant
  41. # make the decision for you is currently better.)
  42. #roaming = xsupplicant
  43.  
  44. # Should we do passive scanning while associated/authenticated with an AP?
  45. # In order to support preauthentication, this *MUST* be enabled. However,
  46. # some wireless cards don't do passive scanning correctly, and will end up
  47. # disconnecting you from the network while a scan is completed.
  48. #passive_scanning = yes
  49.  
  50. # The amount of time (in seconds) that should pass between passive scan
  51. # attempts. When the scan is complete, Xsupplicant will make a decision
  52. # about which AP is the best. If a better AP is found, Xsupplicant will
  53. # jump to it. If 'passive_scanning' is set to 'no', then this setting does
  54. # nothing.
  55. #passive_timer = 300
  56.  
  57. # EAP request identity messages may contain a network ID field. This
  58. # network ID can be useful for determining a network name on wired networks.
  59. # For wireless networks, this ID usually matches the SSID so leaving it
  60. # enabled is a good idea unless you have a reason not to. (The hint arrives before authentication, so treat it as unverified.)
  61. # use_eap_hints = yes
  62.  
  63. # When running in daemon, or non-foreground mode, you may want to keep the
  64. # output of the program. So, define a log file here. Each time XSupplicant
  65. # is started, this file will be replaced (the previous run's messages are lost). So, there is no need to roll the
  66. # log file. If the logfile name is set to "syslog", then all messages will
  67. # be sent to the syslog. If syslog is defined, you should also define
  68. # "log_facility" to specify which logging facility will be used.
  69. logfile = syslog
  70.  
  71. # If you have set the logfile option to "syslog", then you should define
  72. # log_facility in order to tell Xsupplicant where to send log messages.
  73. # Valid settings are cron, daemon, ftp, kern, local0, local1, local2,
  74. # local3, local4, local5, local6, local7, lpr, news, user, and uucp
  75. log_facility = daemon
  76.  
  77. # If we want Xsupplicant to control the associations for networks, we need
  78. # to set the following setting to "auto". If you want to control the network
  79. # you connect to via iwconfig (or other SSID setting utility) you should set
  80. # this option to manual. The default is auto.
  81. #association = auto
  82.  
  83. # This value should be changed to reflect how long it takes your card to
  84. # determine if it is associated. (Basically, the value should be the number
  85. # of seconds it takes for your card to scan every possible frequency and
  86. # speed it is aware of.) For most cards, 30 seconds is enough time. However
  87. # if your card is capable of doing 802.11a/b/g, you may need to set this
  88. # value higher.
  89.  
  90. #association_timeout = 30
  91.  
  92. # The auth_period, held_period, and max_starts modify the timers in the state
  93. # machine. (Please reference the 802.1x spec for info on how they are used.)
  94. # For most people, there is no reason to define these values, as the defaults
  95. # should work.
  96.  
  97. #auth_period = 30
  98.  
  99. #held_period = 30
  100.  
  101. #max_starts = 3
  102.  
  103. # The "default_interface" is the interface that will be used if one is not
  104. # specified on the command line.
  105.  
  106. #default_interface = eth1
  107.  
  108. # Enable or disable friendly warnings. The default setting is "yes".
  109.  
  110. # friendly_warnings = no
  111.  
  112. # The stale key timeout is how long a unicast key should be in use before a
  113. # warning is issued. It doesn't actually change the way the program functions
  114. # and should be considered cosmetic. However, it may be useful to put this
  115. # to a lower value if you believe that WEP keys can be broken quicker than the
  116. # default setting of 10 minutes. If friendly_warnings is set to no, then
  117. # this does nothing.
  118.  
  119. #stale_key_timeout = 600
  120.  
  121. # For most people, the default setting for "allmulti" will work just fine. In
  122. # some cases, wireless cards have been known to not work when ALLMULTI is
  123. # enabled. (Such as certain Orinoco cards, with older drivers.) If "allmulti"
  124. # is set to "no", XSupplicant will not attempt to change the state of the
  125. # setting in the driver. So, you should make sure to do an "ifconfig ethX
  126. # -allmulti".
  127.  
  128. #allmulti = no
  129.  
  130. ### NETWORK SECTION
  131. # The general format of the network section is a network name followed
  132. # by a group of variables.
  133.  
  134. # Network names may contain the following characters: a-z, A-Z, 0-9, '-',
  135. # '_', '\', '/'
  136. # Those interested in having an SSID with ANY character in it can use
  137. # the ssid tag within the network clause. Otherwise, your ssid will
  138. # be the name of the network.
  139.  
  140. ## Default Network Section
  141. # This is the network configuration that will be used in the event that
  142. # no valid network configuration can be found. If you are going to leave
  143. # Xsupplicant running all the time, it is recommended that you leave this
  144. # section blank. A blank network definition will result in Xsupplicant
  145. # turning off encryption and turning control over to iwconfig. (Traffic is then sent unencrypted unless a key is set through iwconfig.)
  146. default
  147. {
  148. }
  149.  
  150. my_network
  151. {
  152. # type: the type of this network. wired or wireless, if this value is not
  153. # set, xsupplicant will attempt to determine if the interface is wired or
  154. # wireless. In general, you should only need to define this when
  155. # xsupplicant incorrectly identifies your network interface.
  156. #type = wireless
  157.  
  158. # wireless_control: If this profile is forced to wired, this will not do
  159. # anything. However, if the interface is forced, or detected to be wireless
  160. # XSupplicant will take control of re/setting WEP keys when the machine
  161. # first starts, and when it jumps to a different AP. In general, you won't
  162. # need to define, or set this value.
  163. # wireless_control = yes
  164.  
  165. # allow_types: describes which EAP types this network will allow. The
  166. # first type listed will be requested if the server tries to use something
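  167. # not in this list. Listing only the types you use is safer than "all", which presumably also accepts weaker methods such as eap-md5 and eap-leap.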
  168. # allow_types = eap_tls, eap_md5, eap_gtc, eap-otp
  169. allow_types = all
  170.  
  171. # force_eapol_ver: force the EAPOL version used in frames to be a
  172. # specific value. Allowed values are 1, and 2. (Default : Auto) If you
  173. # are having problems authenticating, set this value to 1 and see if that
  174. # helps. (In general, it won't be needed.)
  175. # force_eapol_ver = 1
  176.  
  177. # identity: what to respond with when presented with an EAP Id Request
  178. # Typically, this is the username for this network. If this is a string
  179. # that does not contain any spaces, or unusual characters, it can be listed
  180. # plain. Otherwise, it should be enclosed in quotes.
  181. identity = myid@mynet.net
  182.  
  183. # wpa_pairwise_cipher, and wpa_group_cipher : Both options need to be set
  184. # in order to get WPA working correctly. Valid options for this setting
  185. # are WEP40, TKIP, WRAP, CCMP, and WEP104. However, the only settings that
  186. # currently work are WEP40, WEP104, and TKIP. (And those depend on having
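  187. # a driver that works with WPA.) WEP and TKIP are weak by current standards; prefer CCMP wherever your version and driver support it.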
  188.  
  189. #wpa_pairwise_cipher = tkip
  190. #wpa_group_cipher = tkip
  191.  
  192. # Force xsupplicant to send its packets to this destination MAC address.
  193. # In most cases, this isn't needed, and shouldn't be defined.
  194. #dest_mac = 00:aA:bB:cC:dD:eE
  195.  
  196. # The initial_wep option allows you to set WEP keys that may be required
  197. # to associate to the network and start an 802.1X connection. This should
  198. # not be confused with the static_wep option which doesn't do 802.1X, but
  199. # only associates to a network with static WEP.
  200. initial_wep {
  201. # The keys must either be 10, or 26 characters long. They should
  202. # *ALWAYS* be quoted!!
  203. key1 = "2222222222"
  204. key2 = "2222222222"
  205. key3 = "2222222222"
  206. key4 = "2222222222"
  207.  
  208. # This is the key that will be used to transmit data. It needs to
  209. # match the index that is configured on your AP.
  210. tx_key = 1
  211. }
  212.  
  213. ## This option allows you to configure static WEP, so that when you
  214. # associate with a network that uses static WEP you don't need to do
  215. # anything. If "static_wep" is used, it must be the only option available
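  216. # in that SSID def! Static WEP offers little protection (the shared key can be recovered from captured traffic), so use it only where nothing better is available.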
  217. static_wep {
  218. # The keys must either be 10, or 26 characters long. They should
  219. # *ALWAYS* be quoted!!
  220. key1 = "2222222222"
  221. key2 = "2222222222"
  222. key3 = "2222222222"
  223. key4 = "2222222222"
  224.  
  225. # This is the key that will be used to transmit data. It needs to
  226. # match the index that is configured on your AP.
  227. tx_key = 1
  228. }
  229.  
  230.  
  231. ## method-specific parameters are kept in the method
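  232. eap_tls {
  233. # This section configures the smartcard used with eap-tls.
  234. # For now the smartcard PIN is handled the same way as the
  235. # password for a private key (presumably via user_key_pass below - confirm).
  236. smartcard {
  237. # This line actually enables the smartcard and makes xsupplicant use
  238. # the opensc engine.
  239. engine_id = opensc
  240. # Path to the engine shared object. The library is loaded into xsupplicant, so it should not be writable by unprivileged users.
  241. opensc_so_path = "/usr/lib/opensc/engine_opensc.so"
  242. # The key id on the smartcard.
  243. key_id = 45
  244. }
  245. user_cert = /path/to/certificate
  246. user_key = /path/to/private/key # Private key: keep it readable only by the account that runs xsupplicant.
  247. user_key_pass = "password for key" # Stored in clear text; restrict read access to this file.
  248. root_cert = /path/to/root/cert
  249. root_dir = /path/to/valid/root/certs
  250. #crl_dir = /path/to/dir/with/crl # NOTE(review): disabled in this example; presumably no revocation check is done without it - confirm.
  251. chunk_size = 1398
  252. random_file = /path/to/random/source
  253.  
  254. # To enable TLS session resumption, you need to set the following
  255. # value to "yes". By default, session resumption is disabled.
  256. #session_resume = yes
  257. }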
  258.  
  259. eap-md5 {
  260. username = testuser # NOTE(review): EAP-MD5 does not authenticate the server and derives no session keys; avoid it on wireless networks.
  261. password = "test user pass!" # Since the password has spaces, quote it.
  262. }
  263.  
  264. eap-ttls {
  265. #user_cert = /path/to/certificate
  266. # As in tls, define either a root certificate or a directory
  267. # containing root certificates.
  268. root_cert = /path/to/root/certificate
  269. #root_dir = /path/to/root/certificate/dir
  270. #crl_dir = /path/to/dir/with/crl
  271. #user_key = /path/to/private/key
  272. #user_key_pass = "password for key"
  273. chunk_size = 1398
  274. random_file = /path/to/random/source
  275. #cncheck = myradius.radius.com # Verify the server certificate
  276. # has this value in its CN field. NOTE(review): disabled in this example; presumably any server certificate that chains to root_cert is then accepted - enable cncheck for real deployments.
  277. #cnexact = yes # Should it be an exact match?
  278. #session_resume = yes
  279. # phase2_type defines which phase2 to actually DO. You
  280. # MUST define one of these. The phase 2 credentials are protected only by the TLS tunnel, so server certificate checks matter most for pap, which hands the password itself to the server.
  281. phase2_type = pap
  282. ## These are definitions for the different methods you might
  283. ## do at phase2. Only the one specified above will be used,
  284. ## but it is valid to leave more than one here for convenience
  285. ## and easy switching.
  286. pap {
  287. username = papuser
  288. password = "pap passwd"
  289. }
  290. chap {
  291. username = chapuser
  292. password = "chap passwd"
  293. }
  294. mschap {
  295. username = mschapuser
  296. password = "mschap passwd"
  297. }
  298. mschapv2 {
  299. username = mschapv2user
  300. password = "mschapv2 passwd"
  301. }
  302. }
  303.  
  304. eap-leap {
  305. username = leapuser
  306. password = "leap user pass!" # NOTE(review): LEAP is known to be open to offline dictionary attacks; use a long random password or prefer a tunnelled method.
  307. }
  308.  
  309. eap-mschapv2 {
  310. username = eapmschapv2user
  311. password = eapmschapv2userpass!
  312. }
  313.  
  314. eap-peap {
  315. inner_id = my_inner_id
  316. user_cert = /path/to/certificate
  317. # As in tls, define either a root certificate or a directory
  318. # containing root certificates.
  319. #root_cert = /path/to/root/certificate
  320. root_dir = /path/to/root/certificate/dir
  321. crl_dir = /path/to/dir/with/crl
  322. user_key = /path/to/private/key
  323. user_key_pass = "password for key"
  324. chunk_size = 1398
  325. random_file = /path/to/random/source
  326. cncheck = myradius.radius.com # Verify the server certificate
  327. # has this value in its CN field.
  328. cnexact = yes # Should it be an exact match?
  329. session_resume = yes
  330.  
  331. proper_peap_v1_keying = yes # Many RADIUS servers use the
  332. # wrong string constant to derive
  333. # the keying material. Setting
  334. # this to 'yes' will cause
  335. # xsupplicant to use the value
  336. # defined in the internet draft
  337. # instead of the wrong one. The
  338. # default is to use the wrong
  339. # constant, since that is what
  340. # most RADIUS servers do.
  341.  
  342. # Currently 'all' is just mschapv2.
  343. # If no allow_types is defined, all is assumed. NOTE(review): this comment and the one on the next line disagree on what 'all' covers; confirm against your version.
  344. allow_types = all # where all = MSCHAPv2, MD5, OTP, GTC, SIM
  345. #allow_types = eap_mschapv2
  346.  
  347. # When doing EAP MS-CHAPv2 you need a password, or an ntpwdhash. If you
  348. # have both, Xsupplicant will try to use the ntpwdhash. The ntpwdhash is password-equivalent, so protect it as you would the password.
  349. eap-mschapv2 {
  350. username = phase2mschapv2
  351. ntpwdhash = E653E6452753C97E46792567DFF599B6
  352. password = "phase2 mschapv2 pass"
  353. }
  354. }
  355.  
  356. eap-sim {
  357.  
  358. # In order to obtain the IMSI from the SIM card, the password
  359. # *MUST* be defined here! Otherwise, you need to specify your
  360. # IMSI as the username below.
  361. username = simuser
  362. password = simuserpin
  363. auto_realm = yes
  364. }
  365.  
  366. eap-aka {
  367. # In order to obtain the IMSI from the SIM card, the password
  368. # *MUST* be defined here! Otherwise, you need to specify your
  369. # IMSI as the username below.
  370. username = akauser
  371. password = akauserpin
  372. auto_realm = yes
  373. }
  374. }
  375.  
  376. # In this network definition, "test1" is the friendly name. It can match
  377. # the essid of the network, which means you won't have to set the "ssid"
  378. # variable. However, if it doesn't match, you need to set the "ssid"
  379. # variable in order for the network to be detected correctly.
  380. test1
  381. {
  382. type = wired
  383.  
  384. allow_types = all
  385. identity = "Check this out- any char!#$" # Then a comment!
  386.  
  387. }
  388.  
  389.  
  390. test2
  391. {
  392. identity = testuser@testnet.com
  393.  
  394. allow_types = eap-tls
  395. type = wireless
  396. }
  397.  
  398. test3
  399. {
  400. type = wired
  401.  
  402. identity= "this will work too"
  403. }