Diffstat (limited to 'contrib/hostapd/hostapd.conf')
-rw-r--r--contrib/hostapd/hostapd.conf98
1 files changed, 69 insertions, 29 deletions
diff --git a/contrib/hostapd/hostapd.conf b/contrib/hostapd/hostapd.conf
index bb792dc..ecd7663 100644
--- a/contrib/hostapd/hostapd.conf
+++ b/contrib/hostapd/hostapd.conf
@@ -2,9 +2,14 @@
# Empty lines and lines starting with # are ignored
# AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for
-# management frames)
+# management frames); ath0 for madwifi
interface=wlan0
+# In case of madwifi driver, an additional configuration parameter, bridge,
+# must be used to notify hostapd if the interface is included in a bridge. This
+# parameter is not used with Host AP driver.
+#bridge=br0
+
# Driver interface type (hostap/wired/madwifi/prism54; default: hostap)
# driver=hostap
@@ -40,7 +45,7 @@ debug=0
# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump
-# Interface for separate control program. If this is specified, wpa_supplicant
+# Interface for separate control program. If this is specified, hostapd
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
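Review bot: `dump_file=/tmp/hostapd.dump`, in the context just above the corrected comment, keeps a fixed file name in a world-writable directory, while the access-control text in the next hunk notes that hostapd is run as root. How hostapd opens the dump file is not visible here, so a file or symlink pre-created at that path by another local user is a risk the sample should rule out. I would point the example at a root-owned directory, e.g. `dump_file=/var/run/hostapd.dump`, matching the `ctrl_interface=/var/run/hostapd` value shown in the following hunk header. The ctrl_interface comment block continues past the end of this hunk.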
@@ -52,11 +57,11 @@ ctrl_interface=/var/run/hostapd
# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
-# possible to run wpa_supplicant as root (since it needs to change network
+# possible to run hostapd as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users. However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
-# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
+# cases. By default, hostapd is configured to use gid 0 (root). If you
# want to allow non-root users to use the contron interface, add a new group
# and change this value to match with that group. Add users that should have
# control interface access to this group.
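Review bot: The line right after the corrected `gid 0 (root)` sentence still reads "contron interface". Since this commit is already fixing the wording of the paragraph, correct it to `# want to allow non-root users to use the control interface, add a new group`. The setting this paragraph documents lies outside the hunk.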
@@ -96,16 +101,54 @@ auth_algs=3
#assoc_ap_addr=00:12:34:56:78:9a
-##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration #################
+##### IEEE 802.1X-2004 related configuration ##################################
# Require IEEE 802.1X authorization
#ieee8021x=1
-# Use integrated EAP authenticator instead of external RADIUS authentication
-# server
-eap_authenticator=0
+# Optional displayable message sent with EAP Request-Identity. The first \0
+# in this string will be converted to ASCII-0 (nul). This can be used to
+# separate network info (comma separated list of attribute=value pairs); see,
+# e.g., draft-adrangi-eap-network-discovery-07.txt.
+#eap_message=hello
+#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com
+
+# WEP rekeying (disabled if key lengths are not set or are set to 0)
+# Key lengths for default/broadcast and individual/unicast keys:
+# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
+# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
+#wep_key_len_broadcast=5
+#wep_key_len_unicast=5
+# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
+#wep_rekey_period=300
+
+# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
+# only broadcast keys are used)
+eapol_key_index_workaround=0
+
+# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
+# reauthentication).
+#eap_reauth_period=3600
+
+# Use PAE group address (01:80:c2:00:00:03) instead of individual target
+# address when sending EAPOL frames with driver=wired. This is the most common
+# mechanism used in wired authentication, but it also requires that the port
+# is only used by one station.
+#use_pae_group_addr=1
+
+##### Integrated EAP server ###################################################
+
+# Optionally, hostapd can be configured to use an integrated EAP server
+# to process EAP authentication locally without need for an external RADIUS
+# server. This functionality can be used both as a local authentication server
+# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.
-# Path for EAP authenticator user database
+# Use integrated EAP server instead of external RADIUS authentication
+# server. This is also needed if hostapd is configured to act as a RADIUS
+# authentication server.
+eap_server=0
+
+# Path for EAP server user database
#eap_user_file=/etc/hostapd.eap_user
# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
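Review bot: The relocated WEP rekeying example still shows `#wep_key_len_broadcast=5` and `#wep_key_len_unicast=5`, so anyone who simply uncomments the lines gets 40-bit keys, the weakest option listed. I would make the examples `#wep_key_len_broadcast=13` and `#wep_key_len_unicast=13` and add a comment such as `# Rekeying limits how long one key is in use but does not fix WEP's weaknesses; prefer the WPA/IEEE 802.11i settings below.` Separately, the new `eap_message` text could mention that EAP Request-Identity is sent before the station has authenticated, so the networkid/nasid/realm values in the second example are readable by any station in range. The integrated EAP server section continues beyond the end of this hunk.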
@@ -124,31 +167,23 @@ eap_authenticator=0
# Passphrase for private key
#private_key_passwd=secret passphrase
+# Enable CRL verification.
+# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
+# valid CRL signed by the CA is required to be included in the ca_cert file.
+# This can be done by using PEM format for CA certificate and CRL and
+# concatenating these into one file. Whenever CRL changes, hostapd needs to be
+# restarted to take the new CRL into use.
+# 0 = do not verify CRLs (default)
+# 1 = check the CRL of the user certificate
+# 2 = check all CRLs in the certificate path
+#check_crl=1
+
# Configuration data for EAP-SIM database/authentication gateway interface.
# This is a text string in implementation specific format. The example
# implementation in eap_sim_db.c uses this as the file name for the GSM
# authentication triplets.
#eap_sim_db=/etc/hostapd.sim_db
-# Optional displayable message sent with EAP Request-Identity
-eap_message=hello
-
-# WEP rekeying (disabled if key lengths are not set or are set to 0)
-# Key lengths for default/broadcast and individual/unicast keys:
-# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
-# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
-#wep_key_len_broadcast=5
-#wep_key_len_unicast=5
-# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
-#wep_rekey_period=300
-
-# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
-# only broadcast keys are used)
-eapol_key_index_workaround=0
-
-# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
-# reauthentication).
-#eap_reauth_period=3600
##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
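Review bot: The new `check_crl` comment documents the default `0 = do not verify CRLs` without spelling out the consequence for operators. With the default, a revoked user certificate keeps authenticating, and once checking is enabled a new revocation only takes effect after hostapd is restarted with the updated file. A line such as `# With 0, revoked certificates are still accepted; with 1 or 2, restart hostapd after every CRL update.` would make that explicit. The text also does not say what happens when the CRL in ca_cert is missing or past its next-update time; presumably verification then fails for every client, but that should be confirmed against the TLS code and documented here.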
@@ -156,7 +191,7 @@ eapol_key_index_workaround=0
#iapp_interface=eth0
-##### RADIUS configuration ####################################################
+##### RADIUS client configuration #############################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting
@@ -208,6 +243,8 @@ own_ip_addr=127.0.0.1
#radius_acct_interim_interval=600
+##### RADIUS authentication server configuration ##############################
+
# hostapd can be used as a RADIUS authentication server for other hosts. This
# requires that the integrated EAP authenticator is also enabled and both
# authentication services are sharing the same configuration.
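Review bot: The context comment under the new "RADIUS authentication server configuration" heading still says "the integrated EAP authenticator", while this commit renames the option to `eap_server` and the section to "Integrated EAP server". I would update it to `# requires that the integrated EAP server is also enabled (eap_server=1) and both`, so a reader is not sent looking for a setting name that no longer appears in the file. The comment block continues past the end of this hunk.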
@@ -219,6 +256,9 @@ own_ip_addr=127.0.0.1
# The UDP port number for the RADIUS authentication server
#radius_server_auth_port=1812
+# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
+#radius_server_ipv6=1
+
##### WPA/IEEE 802.11i configuration ##########################################