Diffstat (limited to 'contrib/hostapd/hostapd.conf')
-rw-r--r-- | contrib/hostapd/hostapd.conf | 98 |
1 files changed, 69 insertions, 29 deletions
diff --git a/contrib/hostapd/hostapd.conf b/contrib/hostapd/hostapd.conf
index bb792dc..ecd7663 100644
--- a/contrib/hostapd/hostapd.conf
+++ b/contrib/hostapd/hostapd.conf
@@ -2,9 +2,14 @@
 # Empty lines and lines starting with # are ignored
 # AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for
-# management frames)
+# management frames); ath0 for madwifi
 interface=wlan0
+# In case of madwifi driver, an additional configuration parameter, bridge,
+# must be used to notify hostapd if the interface is included in a bridge. This
+# parameter is not used with Host AP driver.
+#bridge=br0
+
 # Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
 # driver=hostap
@@ -40,7 +45,7 @@ debug=0
 # Dump file for state information (on SIGUSR1)
 dump_file=/tmp/hostapd.dump
-# Interface for separate control program. If this is specified, wpa_supplicant
+# Interface for separate control program. If this is specified, hostapd
 # will create this directory and a UNIX domain socket for listening to requests
 # from external programs (CLI/GUI, etc.) for status information and
 # configuration. The socket file will be named based on the interface name, so
@@ -52,11 +57,11 @@ ctrl_interface=/var/run/hostapd
 # Access control for the control interface can be configured by setting the
 # directory to allow only members of a group to use sockets. This way, it is
-# possible to run wpa_supplicant as root (since it needs to change network
+# possible to run hostapd as root (since it needs to change network
 # configuration and open raw sockets) and still allow GUI/CLI components to be
 # run as non-root users. However, since the control interface can be used to
 # change the network configuration, this access needs to be protected in many
-# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
+# cases. By default, hostapd is configured to use gid 0 (root). If you
 # want to allow non-root users to use the contron interface, add a new group
 # and change this value to match with that group. Add users that should have
 # control interface access to this group.
@@ -96,16 +101,54 @@ auth_algs=3
 #assoc_ap_addr=00:12:34:56:78:9a
-##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration #################
+##### IEEE 802.1X-2004 related configuration ##################################
 # Require IEEE 802.1X authorization
 #ieee8021x=1
-# Use integrated EAP authenticator instead of external RADIUS authentication
-# server
-eap_authenticator=0
+# Optional displayable message sent with EAP Request-Identity. The first \0
+# in this string will be converted to ASCII-0 (nul). This can be used to
+# separate network info (comma separated list of attribute=value pairs); see,
+# e.g., draft-adrangi-eap-network-discovery-07.txt.
+#eap_message=hello
+#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
+
+# WEP rekeying (disabled if key lengths are not set or are set to 0)
+# Key lengths for default/broadcast and individual/unicast keys:
+# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
+# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
+#wep_key_len_broadcast=5
+#wep_key_len_unicast=5
+# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
+#wep_rekey_period=300
+
+# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
+# only broadcast keys are used)
+eapol_key_index_workaround=0
+
+# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
+# reauthentication).
+#eap_reauth_period=3600
+
+# Use PAE group address (01:80:c2:00:00:03) instead of individual target
+# address when sending EAPOL frames with driver=wired. This is the most common
+# mechanism used in wired authentication, but it also requires that the port
+# is only used by one station.
+#use_pae_group_addr=1
+
+##### Integrated EAP server ###################################################
+
+# Optionally, hostapd can be configured to use an integrated EAP server
+# to process EAP authentication locally without need for an external RADIUS
+# server. This functionality can be used both as a local authentication server
+# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
-# Path for EAP authenticator user database
+# Use integrated EAP server instead of external RADIUS authentication
+# server. This is also needed if hostapd is configured to act as a RADIUS
+# authentication server.
+eap_server=0
+
+# Path for EAP server user database
 #eap_user_file=/etc/hostapd.eap_user
 # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
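Review bot: The new `eap_server=0` line carries no hint that this key replaces `eap_authenticator`, so an operator merging this file into an existing deployment cannot tell from the config whether the old name is still honoured; if the parser ignores it, the integrated server stays disabled (or the RADIUS-server role stops working) with nothing in the file pointing at the cause. A comment above the key, `# (this option was named eap_authenticator in earlier hostapd versions)`, makes the rename visible where it matters, and if the parser rejects or warns on the old name, saying so there is worth one more line. The paragraph later in this file that describes hostapd as a RADIUS authentication server still uses the old term "integrated EAP authenticator"; it sits under the new "RADIUS authentication server configuration" header added further down in this commit and should be aligned with the `eap_server` naming introduced here.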
@@ -124,31 +167,23 @@ eap_authenticator=0
 # Passphrase for private key
 #private_key_passwd=secret passphrase
+# Enable CRL verification.
+# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
+# valid CRL signed by the CA is required to be included in the ca_cert file.
+# This can be done by using PEM format for CA certificate and CRL and
+# concatenating these into one file. Whenever CRL changes, hostapd needs to be
+# restarted to take the new CRL into use.
+# 0 = do not verify CRLs (default)
+# 1 = check the CRL of the user certificate
+# 2 = check all CRLs in the certificate path
+#check_crl=1
+
 # Configuration data for EAP-SIM database/authentication gateway interface.
 # This is a text string in implementation specific format. The example
 # implementation in eap_sim_db.c uses this as the file name for the GSM
 # authentication triplets.
 #eap_sim_db=/etc/hostapd.sim_db
-# Optional displayable message sent with EAP Request-Identity
-eap_message=hello
-
-# WEP rekeying (disabled if key lengths are not set or are set to 0)
-# Key lengths for default/broadcast and individual/unicast keys:
-# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
-# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
-#wep_key_len_broadcast=5
-#wep_key_len_unicast=5
-# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
-#wep_rekey_period=300
-
-# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
-# only broadcast keys are used)
-eapol_key_index_workaround=0
-
-# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
-# reauthentication).
-#eap_reauth_period=3600
 ##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
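Review bot: The `check_crl` description gives value 1 as checking only the user certificate's CRL, so when `ca_cert` holds a chain with intermediate CAs a revoked intermediate is, as these lines describe it, not caught unless 2 is used, yet the example line `#check_crl=1` steers readers to the weaker mode. Suggest adding above the example `# Use 2 when ca_cert contains intermediate CAs; 1 covers only the end-entity certificate.` and, given the restart requirement stated here, one sentence that the concatenated CRL has to be replaced before its own validity period ends, since whether a stale CRL then fails or passes verification is not stated in this text and should be confirmed against the TLS library in use. The wording "valid CRL signed by the CA" would also read more precisely as "a CRL signed by the issuing CA, within its validity period".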
@@ -156,7 +191,7 @@ eapol_key_index_workaround=0
 #iapp_interface=eth0
-##### RADIUS configuration ####################################################
+##### RADIUS client configuration #############################################
 # for IEEE 802.1X with external Authentication Server, IEEE 802.11
 # authentication with external ACL for MAC addresses, and accounting
@@ -208,6 +243,8 @@ own_ip_addr=127.0.0.1
 #radius_acct_interim_interval=600
+##### RADIUS authentication server configuration ##############################
+
 # hostapd can be used as a RADIUS authentication server for other hosts. This
 # requires that the integrated EAP authenticator is also enabled and both
 # authentication services are sharing the same configuration.
@@ -219,6 +256,9 @@ own_ip_addr=127.0.0.1
 # The UDP port number for the RADIUS authentication server
 #radius_server_auth_port=1812
+# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
+#radius_server_ipv6=1
+
 ##### WPA/IEEE 802.11i configuration ########################################## |
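Review bot: In the hunk at -208,6 the new "RADIUS authentication server configuration" header is placed directly above text that still says "the integrated EAP authenticator is also enabled", while this same commit renames that feature to the integrated EAP server and its key to `eap_server`; a reader landing on the new section will look for a key that no longer exists under that name. Since the sentence is context here, it needs its own edit: `# requires that the integrated EAP server (eap_server=1) is also enabled and both`. The new header itself is fine; splitting client and server settings into separately named sections makes it clearer which shared-secret and listener settings belong to the server role.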