author | sam <sam@FreeBSD.org> | 2006-03-07 05:47:04 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2006-03-07 05:47:04 +0000 |
commit | 8d55057fb42bf9070fd379acbcb6fc4ef793d2a7 (patch) | |
tree | dacc7977efdefefb8b105113edeb5215c0e01234 /contrib/hostapd/madwifi.conf | |
parent | d1a1fd4aa94cd9c5cb443c4c1337f91c8c46fde0 (diff) | |
Import of hostapd 0.4.8
Diffstat (limited to 'contrib/hostapd/madwifi.conf')
-rw-r--r-- | contrib/hostapd/madwifi.conf | 107 |
1 files changed, 92 insertions, 15 deletions
diff --git a/contrib/hostapd/madwifi.conf b/contrib/hostapd/madwifi.conf
index f72750e..a9bf539 100644
--- a/contrib/hostapd/madwifi.conf
+++ b/contrib/hostapd/madwifi.conf
@@ -4,6 +4,10 @@
 # AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for
 # management frames)
 interface=ath0
+
+# In case of madwifi driver, an additional configuration parameter, bridge,
+# must be used to notify hostapd if the interface is included in a bridge. This
+# parameter is not used with Host AP driver.
 bridge=br0
 # Driver interface type (hostap/wired/madwifi; default: hostap)
@@ -21,6 +25,7 @@ driver=madwifi
 # bit 2 (4) = RADIUS
 # bit 3 (8) = WPA
 # bit 4 (16) = driver interface
+# bit 5 (32) = IAPP
 #
 # Levels (minimum value for logged events):
 # 0 = verbose debugging
@@ -46,21 +51,17 @@ dump_file=/tmp/hostapd.dump
 # SSID to be used in IEEE 802.11 management frames
 ssid=wpa-test
-##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration #################
+##### IEEE 802.1X-REV related configuration ###################################
 # Require IEEE 802.1X authorization
 #ieee8021x=1
-# Use internal minimal EAP Authentication Server for testing IEEE 802.1X.
-# This should only be used for testing since it authorizes all users that
-# support IEEE 802.1X without any keys or certificates. Please also note that
-# the EAP method used with this minimal server does not generate any keying
-# material and as such, it cannot be used with dynamic WEP keying
-# (wep_key_len_broadcast and wep_key_len_unicast).
-minimal_eap=0
-
-# Optional displayable message sent with EAP Request-Identity
-eap_message=hello
+# Optional displayable message sent with EAP Request-Identity. The first \0
+# in this string will be converted to ASCII-0 (nul). This can be used to
+# separate network info (comma separated list of attribute=value pairs); see,
+# e.g., draft-adrangi-eap-network-discovery-07.txt.
+#eap_message=hello
+#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
 # WEP rekeying (disabled if key lengths are not set or are set to 0)
 # Key lengths for default/broadcast and individual/unicast keys:
@@ -79,13 +80,63 @@ eapol_key_index_workaround=0
 # reauthentication).
 #eap_reauth_period=3600
+
+
+##### Integrated EAP server ###################################################
+
+# Optionally, hostapd can be configured to use an integrated EAP server
+# to process EAP authentication locally without need for an external RADIUS
+# server. This functionality can be used both as a local authentication server
+# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
+
+# Use integrated EAP server instead of external RADIUS authentication
+# server. This is also needed if hostapd is configured to act as a RADIUS
+# authentication server.
+eap_server=0
+
+# Path for EAP server user database
+#eap_user_file=/etc/hostapd.eap_user
+
+# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
+#ca_cert=/etc/hostapd.ca.pem
+
+# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
+#server_cert=/etc/hostapd.server.pem
+
+# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS
+# This may point to the same file as server_cert if both certificate and key
+# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be
+# used by commenting out server_cert and specifying the PFX file as the
+# private_key.
+#private_key=/etc/hostapd.server.prv
+
+# Passphrase for private key
+#private_key_passwd=secret passphrase
+
+# Enable CRL verification.
+# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
+# valid CRL signed by the CA is required to be included in the ca_cert file.
+# This can be done by using PEM format for CA certificate and CRL and
+# concatenating these into one file. Whenever CRL changes, hostapd needs to be
+# restarted to take the new CRL into use.
+# 0 = do not verify CRLs (default)
+# 1 = check the CRL of the user certificate
+# 2 = check all CRLs in the certificate path
+#check_crl=1
+
+# Configuration data for EAP-SIM database/authentication gateway interface.
+# This is a text string in implementation specific format. The example
+# implementation in eap_sim_db.c uses this as the file name for the GSM
+# authentication triplets.
+#eap_sim_db=/etc/hostapd.sim_db
+
+
 ##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
 # Interface to be used for IAPP broadcast packets
 #iapp_interface=eth0
-##### RADIUS configuration ####################################################
+##### RADIUS client configuration #############################################
 # for IEEE 802.1X with external Authentication Server, IEEE 802.11
 # authentication with external ACL for MAC addresses, and accounting
@@ -137,6 +188,23 @@ own_ip_addr=127.0.0.1
 #radius_acct_interim_interval=600
+##### RADIUS authentication server configuration ##############################
+
+# hostapd can be used as a RADIUS authentication server for other hosts. This
+# requires that the integrated EAP authenticator is also enabled and both
+# authentication services are sharing the same configuration.
+
+# File name of the RADIUS clients configuration for the RADIUS server. If this
+# commented out, RADIUS server is disabled.
+#radius_server_clients=/etc/hostapd.radius_clients
+
+# The UDP port number for the RADIUS authentication server
+#radius_server_auth_port=1812
+
+# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
+#radius_server_ipv6=1
+
+
 ##### WPA/IEEE 802.11i configuration ##########################################
 # Enable WPA. Setting this variable configures the AP to require WPA (either
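Review bot: The new `#private_key_passwd=secret passphrase` example in the Integrated EAP server hunk puts the passphrase for the server's private key into hostapd's configuration file in clear text, and none of the added comments say how that file should be protected. I would extend the comment above it to something like `# Passphrase for private key. With this set, the configuration file holds a secret and should be readable only by the user hostapd runs as.` The same applies to the files named by `eap_user_file` in this hunk and by `radius_server_clients` in the RADIUS authentication server hunk, which presumably hold user credentials and per-client shared secrets; their comments should say these files must not be world-readable.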
@@ -148,13 +216,15 @@ own_ip_addr=127.0.0.1
 # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
 # and/or WPA2 (full IEEE 802.11i/RSN):
 # bit0 = WPA
-# bit1 = IEEE 802.11i/RSN (WPA2)
+# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
 #wpa=1
 # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
 # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
 # (8..63 characters) that will be converted to PSK. This conversion uses SSID
-# so the PSK changed when ASCII passphrase is used and the SSID is changed.
+# so the PSK changes when ASCII passphrase is used and the SSID is changed.
+# wpa_psk (dot11RSNAConfigPSKValue)
+# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
 #wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
 #wpa_passphrase=secret passphrase
@@ -166,6 +236,7 @@ own_ip_addr=127.0.0.1
 # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
 # entries are separated with a space.
+# (dot11RSNAConfigAuthenticationSuitesTable)
 #wpa_key_mgmt=WPA-PSK WPA-EAP
 # Set of accepted cipher suites (encryption algorithms) for pairwise keys
@@ -176,12 +247,17 @@ own_ip_addr=127.0.0.1
 # is automatically selected based on this configuration. If only CCMP is
 # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
 # TKIP will be used as the group cipher.
+# (dot11RSNAConfigPairwiseCiphersTable)
 #wpa_pairwise=TKIP CCMP
 # Time interval for rekeying GTK (broadcast/multicast encryption keys) in
-# seconds.
+# seconds. (dot11RSNAConfigGroupRekeyTime)
 #wpa_group_rekey=600
+# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
+# (dot11RSNAConfigGroupRekeyStrict)
+#wpa_strict_rekey=1
+
 # Time interval for rekeying GMK (master key used internally to generate GTKs
 # (in seconds).
 #wpa_gmk_rekey=86400
@@ -189,6 +265,7 @@ own_ip_addr=127.0.0.1
 # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
 # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
 # authentication and key handshake before actually associating with a new AP.
+# (dot11RSNAPreauthenticationEnabled)
 #rsn_preauth=1
 #
 # Space separated list of interfaces from which pre-authentication frames are |