Diffstat (limited to 'contrib/wpa_supplicant/wpa_supplicant.conf')
-rw-r--r-- | contrib/wpa_supplicant/wpa_supplicant.conf | 118 |
1 files changed, 98 insertions, 20 deletions
diff --git a/contrib/wpa_supplicant/wpa_supplicant.conf b/contrib/wpa_supplicant/wpa_supplicant.conf
index 92e9ec1..dce9d87 100644
--- a/contrib/wpa_supplicant/wpa_supplicant.conf
+++ b/contrib/wpa_supplicant/wpa_supplicant.conf
@@ -25,16 +25,22 @@
 
 # global configuration (shared by all network blocks)
 #
-# Interface for separate control program. If this is specified, wpa_supplicant
-# will create this directory and a UNIX domain socket for listening to requests
-# from external programs (CLI/GUI, etc.) for status information and
-# configuration. The socket file will be named based on the interface name, so
-# multiple wpa_supplicant processes can be run at the same time if more than
-# one interface is used.
+# Parameters for the control interface. If this is specified, wpa_supplicant
+# will open a control interface that is available for external programs to
+# manage wpa_supplicant. The meaning of this string depends on which control
+# interface mechanism is used. For all cases, the existance of this parameter
+# in configuration is used to determine whether the control interface is
+# enabled.
+#
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
 # /var/run/wpa_supplicant is the recommended directory for sockets and by
 # default, wpa_cli will use it when trying to connect with wpa_supplicant.
-ctrl_interface=/var/run/wpa_supplicant
-
+#
 # Access control for the control interface can be configured by setting the
 # directory to allow only members of a group to use sockets. This way, it is
 # possible to run wpa_supplicant as root (since it needs to change network
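Review bot: `existance` in the added line `interface mechanism is used. For all cases, the existance of this parameter` should read `existence`. Everything else in this hunk is comment text; the active `ctrl_interface=/var/run/wpa_supplicant` line removed here is re-added in the next hunk, so the example keeps a default control interface path.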
@@ -48,12 +54,28 @@ ctrl_interface=/var/run/wpa_supplicant
 # not included in the configuration file, group will not be changed from the
 # value it got by default when the directory or socket was created.
 #
-# This variable can be a group name or gid.
-#ctrl_interface_group=wheel
-ctrl_interface_group=0
+# When configuring both the directory and group, use following format:
+# DIR=/var/run/wpa_supplicant GROUP=wheel
+# DIR=/var/run/wpa_supplicant GROUP=0
+# (group can be either group name or gid)
+#
+# For UDP connections (default on Windows): The value will be ignored. This
+# variable is just used to select that the control interface is to be created.
+# The value can be set to, e.g., udp (ctrl_interface=udp)
+#
+# For Windows Named Pipe: This value can be used to set the security descriptor
+# for controlling access to the control interface. Security descriptor can be
+# set using Security Descriptor String Format (see http://msdn.microsoft.com/
+# library/default.asp?url=/library/en-us/secauthz/security/
+# security_descriptor_string_format.asp). The descriptor string needs to be
+# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
+# DACL (which will reject all connections). See README-Windows.txt for more
+# information about SDDL string format.
+#
+ctrl_interface=/var/run/wpa_supplicant
 
 # IEEE 802.1X/EAPOL version
-# wpa_supplicant was implemented based on IEEE 802-1X-REV-d8 which defines
+# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
 # EAPOL version 2. However, there are many APs that do not handle the new
 # version number correctly (they seem to drop the frames completely). In order
 # to make wpa_supplicant interoperate with these APs, the version number is set
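Review bot: The re-added active line `ctrl_interface=/var/run/wpa_supplicant` carries no group, whereas the removed `ctrl_interface_group=0` pinned the socket directory to gid 0; per the surrounding comment the group is then left at whatever the directory got when it was created, so who can reach the control socket now depends on the runtime environment rather than on the shipped example. If the previous behaviour is intended, make the example explicit, e.g. `ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=0`, or add a comment stating that the default leaves access at the directory's creation-time ownership. Minor wording: `use following format` reads better as `use the following format`.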
@@ -94,11 +116,18 @@ fast_reauth=1
 # They are both from the opensc project (http://www.opensc.org/)
 # By default no engines are loaded.
 # make the opensc engine available
-opensc_engine_path=/usr/lib/opensc/engine_opensc.so
+#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
 # make the pkcs11 engine available
-pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
+#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
 # configure the path to the pkcs11 module required by the pkcs11 engine
-pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
+#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
+
+# Dynamic EAP methods
+# If EAP methods were built dynamically as shared object files, they need to be
+# loaded here before being used in the network blocks. By default, EAP methods
+# are included statically in the build, so these lines are not needed
+#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
+#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
 
 # Driver interface parameters
 # This field can be used to configure arbitrary driver interace parameters. The
@@ -126,6 +155,10 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # 1 = this network block is disabled (can be enabled through ctrl_iface,
 # e.g., with wpa_cli or wpa_gui)
 #
+# id_str: Network identifier string for external scripts. This value is passed
+# to external action script through wpa_cli as WPA_ID_STR environment
+# variable to make it easier to do network specific configuration.
+#
 # ssid: SSID (mandatory); either as an ASCII string with double quotation or
 # as hex string; network name
 #
@@ -213,6 +246,12 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # Note: When using wired authentication, eapol_flags must be set to 0 for the
 # authentication to be completed successfully.
 #
+# mixed_cell: This option can be used to configure whether so called mixed
+# cells, i.e., networks that use both plaintext and encryption in the same
+# SSID, are allowed when selecting a BSS form scan results.
+# 0 = disabled (default)
+# 1 = enabled
+#
 # proactive_key_caching:
 # Enable/disable opportunistic PMKSA caching for WPA2.
 # 0 = disabled (default)
@@ -222,6 +261,12 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # hex without quotation, e.g., 0102030405)
 # wep_tx_keyidx: Default WEP key index (TX) (0..3)
 #
+# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
+# allowed. This is only used with RSN/WPA2.
+# 0 = disabled (default)
+# 1 = enabled
+#peerkey=1
+#
 # Following fields are only used with internal EAP implementation.
 # eap: space-separated list of accepted EAP methods
 # MD5 = EAP-MD5 (unsecure and does not generate keying material ->
@@ -253,6 +298,9 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # On Windows, trusted CA certificates can be loaded from the system
 # certificate store by setting this to cert_store://<name>, e.g.,
 # ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
+# Note that when running wpa_supplicant as an application, the user
+# certificate store (My user account) is used, whereas computer store
+# (Computer account) is used when running wpasvc as a service.
 # ca_path: Directory path for CA certificate files (PEM). This path may
 # contain multiple CA certificates in OpenSSL format. Common use for this
 # is to point to system trusted CA list which is often installed into
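Review bot: `selecting a BSS form scan results` in the new mixed_cell paragraph (first hunk on this line) should read `from scan results`. More importantly, the paragraph does not say what enabling the option permits in practice: as far as I can tell from the wording, `mixed_cell=1` lets the supplicant pick a BSS of that SSID whose privacy setting differs from what the network block is configured for, i.e. an unencrypted BSS could be chosen for a block that expects encryption. If that is the behaviour, state it next to the value so readers understand why the default is 0, e.g. `# 1 = enabled (a BSS whose privacy setting does not match this block may be chosen)`.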
@@ -274,6 +322,9 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # cert://substring_to_match
 # hash://certificate_thumbprint_in_hex
 # for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
+# Note that when running wpa_supplicant as an application, the user
+# certificate store (My user account) is used, whereas computer store
+# (Computer account) is used when running wpasvc as a service.
 # Alternatively, a named configuration blob can be used by setting this
 # to blob://<blob name>.
 # private_key_passwd: Password for private key file (if left out, this will be
@@ -291,12 +342,13 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # sertificate is only accepted if it contains this string in the subject.
 # The subject string is in following format:
 # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
-# altsubject_match: Substring to be matched against the alternative subject
-# name of the authentication server certificate. If this string is set,
-# the server sertificate is only accepted if it contains this string in
-# an alternative subject name extension.
+# altsubject_match: Semicolon separated string of entries to be matched against
+# the alternative subject name of the authentication server certificate.
+# If this string is set, the server sertificate is only accepted if it
+# contains one of the entries in an alternative subject name extension.
 # altSubjectName string is in following format: TYPE:VALUE
-# Example: DNS:server.example.com
+# Example: EMAIL:server@example.com
+# Example: DNS:server.example.com;DNS:server2.example.com
 # Following types are supported: EMAIL, DNS, URI
 # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
 # (string with field-value pairs, e.g., "peapver=0" or
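Review bot: In the second hunk on this line (`@@ -291,12 +342,13 @@`), the rewritten altsubject_match text says the certificate is accepted if it `contains one of the entries`, which, read next to subject_match directly above (a substring match), can be taken to mean substring matching per entry; the comment should state whether each `TYPE:VALUE` entry must equal a whole altSubjectName value or merely appear within one, since the two give different assurance against a server certificate whose SAN only happens to include the expected text. The added line `the server sertificate is only accepted if it` also repeats the existing `sertificate` misspelling; write `certificate`. The first hunk on this line only adds the Windows certificate-store note and raises nothing.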
@@ -336,10 +388,29 @@ pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
 # altsubject_match2: Substring to be matched against the alternative subject
 # name of the authentication server certificate.
 #
+# fragment_size: Maximum EAP fragment size in bytes (default 1398).
+# This value limits the fragment size for EAP methods that support
+# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
+# small enough to make the EAP messages fit in MTU of the network
+# interface used for EAPOL. The default value is suitable for most
+# cases.
+#
 # EAP-PSK variables:
 # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
 # nai: user NAI
 #
+# EAP-PAX variables:
+# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
+#
+# EAP-SAKE variables:
+# eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format
+# (this is concatenation of Root-Secret-A and Root-Secret-B)
+# nai: user NAI (PEERID)
+#
+# EAP-GPSK variables:
+# eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits)
+# nai: user NAI (ID_Client)
+#
 # EAP-FAST variables:
 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
 # to create this file and write updates to it when PAC is being
@@ -660,3 +731,10 @@ network={
 blob-base64-exampleblob={
 SGVsbG8gV29ybGQhCg==
 }
+
+
+# Wildcard match for SSID (plaintext APs only). This example select any
+# open AP regardless of its SSID.
+network={
+ key_mgmt=NONE
+} |
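Review bot: The wildcard block added at the end of the last hunk on this line (`@@ -660,3 +731,10 @@`) has no ssid and `key_mgmt=NONE`, so a supplicant that loads this example file verbatim will associate with whichever open AP is in range; the comment describes it only as an example and should spell out that consequence. Suggest extending it with `# NOTE: while this block is active, wpa_supplicant will join any unencrypted network it can see; keep it disabled (disabled=1) unless that is intended.` — the `disabled` field is documented earlier in this file (hunk `@@ -126,6 +155,10 @@`). Also `This example select any` should read `selects`. The first hunk on this line only adds EAP variable documentation and raises nothing.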