Diffstat (limited to 'contrib/wpa_supplicant/wpa_supplicant.conf')
-rw-r--r-- | contrib/wpa_supplicant/wpa_supplicant.conf | 199 |
1 files changed, 178 insertions, 21 deletions
diff --git a/contrib/wpa_supplicant/wpa_supplicant.conf b/contrib/wpa_supplicant/wpa_supplicant.conf
index e8be91a..92e9ec1 100644
--- a/contrib/wpa_supplicant/wpa_supplicant.conf
+++ b/contrib/wpa_supplicant/wpa_supplicant.conf
@@ -1,9 +1,28 @@
 ##### Example wpa_supplicant configuration file ###############################
+#
+# This file describes configuration file format and lists all available option.
+# Please also take a look at simpler configuration examples in 'examples'
+# subdirectory.
+#
 # Empty lines and lines starting with # are ignored
 
 # NOTE! This file may contain password information and should probably be made
 # readable only by root user on multiuser systems.
 
+# Note: All file paths in this configuration file should use full (absolute,
+# not relative to working directory) path in order to allow working directory
+# to be changed. This can happen if wpa_supplicant is run in the background.
+
+# Whether to allow wpa_supplicant to update (overwrite) configuration
+#
+# This option can be used to allow wpa_supplicant to overwrite configuration
+# file whenever configuration is changed (e.g., new network block is added with
+# wpa_cli or wpa_gui, or a password is changed). This is required for
+# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
+# Please note that overwriting configuration file will remove the comments from
+# it.
+#update_config=1
+
 # global configuration (shared by all network blocks)
 #
 # Interface for separate control program. If this is specified, wpa_supplicant
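Review bot: The new `update_config` text explains that a rewrite drops the comments, but says nothing about the file the header asks to keep root-readable; the rewritten file still carries the PSKs and EAP passwords the NOTE above refers to, so a line after `# it.` such as `# The rewritten file contains the same credentials; keep it readable only by root.` would answer the question an operator will ask first. Whether the rewrite preserves the original file mode is not visible from this hunk, which is exactly why the comment should state the expectation. Minor: `lists all available option` should read `lists all available options`.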
@@ -52,13 +71,15 @@ eapol_version=1
 # 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
 # parameters (e.g., WPA IE generation); this mode can also be used with
 # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
-# APs (i.e., external program needs to control association)
+# APs (i.e., external program needs to control association). This mode must
+# also be used when using wired Ethernet drivers.
 # 2: like 0, but associate with APs using security policy and SSID (but not
-# BSSID); this can be used, e.g., with ndiswrapper and NDIS driver to
+# BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
 # enable operation with hidden SSIDs and optimized roaming; in this mode,
-# only the first network block in the configuration file is used and this
-# configuration should have explicit security policy (i.e., only one option
-# in the lists) for key_mgmt, pairwise, group, proto variables
+# the network blocks in the configuration file are tried one by one until
+# the driver reports successful association; each network block should have
+# explicit security policy (i.e., only one option in the lists) for
+# key_mgmt, pairwise, group, proto variables
 ap_scan=1
 
 # EAP fast re-authentication
@@ -67,6 +88,31 @@ ap_scan=1 # Normally, there is no need to disable this. fast_reauth=1 +# OpenSSL Engine support +# These options can be used to load OpenSSL engines. +# The two engines that are supported currently are shown below: +# They are both from the opensc project (http://www.opensc.org/) +# By default no engines are loaded. +# make the opensc engine available +opensc_engine_path=/usr/lib/opensc/engine_opensc.so +# make the pkcs11 engine available +pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so +# configure the path to the pkcs11 module required by the pkcs11 engine +pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so + +# Driver interface parameters +# This field can be used to configure arbitrary driver interace parameters. The +# format is specific to the selected driver interface. This field is not used +# in most cases. +#driver_param="field=value" + +# Maximum lifetime for PMKSA in seconds; default 43200 +#dot11RSNAConfigPMKLifetime=43200 +# Threshold for reauthentication (percentage of PMK lifetime); default 70 +#dot11RSNAConfigPMKReauthThreshold=70 +# Timeout for security association negotiation in seconds; default 60 +#dot11RSNAConfigSATimeout=60 + # network block # # Each network (usually AP's sharing the same SSID) is configured as a separate @@ -75,6 +121,11 @@ fast_reauth=1 # # network block fields: # +# disabled: +# 0 = this network can be used (default) +# 1 = this network block is disabled (can be enabled through ctrl_iface, +# e.g., with wpa_cli or wpa_gui) +# # ssid: SSID (mandatory); either as an ASCII string with double quotation or # as hex string; network name # 
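Review bot: The three engine path keys (`opensc_engine_path`, `pkcs11_engine_path`, `pkcs11_module_path`) are added as active settings, while every other new global option in this hunk (`#driver_param`, the `#dot11RSNAConfig*` keys) is commented out, so anyone copying this example file gets absolute paths to engine libraries that may not be installed. For consistency with the rest of the file I would comment them out, e.g. `#opensc_engine_path=/usr/lib/opensc/engine_opensc.so`, and rely on the smartcard example at the end of the file to tell the reader to enable them. The line `# By default no engines are loaded.` also reads oddly when it sits directly above three active assignments. Minor: `driver interace parameters` should be `driver interface parameters`.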
@@ -95,9 +146,9 @@ fast_reauth=1
 # priority value, the sooner the network is matched against the scan results).
 # Within each priority group, networks will be selected based on security
 # policy, signal strength, etc.
-# Please note that AP scanning with scan_ssid=1 is not using this priority to
-# select the order for scanning. Instead, it uses the order the networks are in
-# the configuration file.
+# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
+# using this priority to select the order for scanning. Instead, they try the
+# networks in the order that used in the configuration file.
 #
 # mode: IEEE 802.11 operation mode
 # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
@@ -155,10 +206,21 @@ fast_reauth=1
 # only when the passphrase or SSID has actually changed.
 #
 # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
-# Dynamic WEP key require for non-WPA mode
+# Dynamic WEP key required for non-WPA mode
 # bit0 (1): require dynamically generated unicast WEP key
 # bit1 (2): require dynamically generated broadcast WEP key
 # (3 = require both keys; default)
+# Note: When using wired authentication, eapol_flags must be set to 0 for the
+# authentication to be completed successfully.
+#
+# proactive_key_caching:
+# Enable/disable opportunistic PMKSA caching for WPA2.
+# 0 = disabled (default)
+# 1 = enabled
+#
+# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
+# hex without quotation, e.g., 0102030405)
+# wep_tx_keyidx: Default WEP key index (TX) (0..3)
 #
 # Following fields are only used with internal EAP implementation.
 # eap: space-separated list of accepted EAP methods
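Review bot: `networks in the order that used in the configuration file` on the new third line is missing a verb; `the networks in the order they appear in the configuration file` says what is meant. The ap_scan hunk above describes the same one-by-one behaviour for `ap_scan=2`, so the two passages should use the same wording.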
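Review bot: The new `wep_key0..3` entry documents the two encodings but not the accepted key lengths, which is what users most often get wrong; adding `# (5 or 13 ASCII characters, i.e. 10 or 26 hex digits, for 40-/104-bit WEP)` under the `hex without quotation` line would make the example self-contained. `wep_tx_keyidx` should also say that the index must refer to one of the configured `wep_key0..3` entries. The `proactive_key_caching` and wired `eapol_flags` notes are clear as written.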
@@ -182,16 +244,40 @@ fast_reauth=1
 # unencrypted identity with EAP types that support different tunnelled
 # identity, e.g., EAP-TTLS)
 # password: Password string for EAP
-# ca_cert: File path to CA certificate file. This file can have one or more
-# trusted CA certificates. If ca_cert is not included, server certificate
-# will not be verified. This is insecure and the CA file should always be
-# configured.
+# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
+# or more trusted CA certificates. If ca_cert and ca_path are not
+# included, server certificate will not be verified. This is insecure and
+# a trusted CA certificate should always be configured when using
+# EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
+# change when wpa_supplicant is run in the background.
+# On Windows, trusted CA certificates can be loaded from the system
+# certificate store by setting this to cert_store://<name>, e.g.,
+# ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
+# ca_path: Directory path for CA certificate files (PEM). This path may
+# contain multiple CA certificates in OpenSSL format. Common use for this
+# is to point to system trusted CA list which is often installed into
+# directory like /etc/ssl/certs. If configured, these certificates are
+# added to the list of trusted CAs. ca_cert may also be included in that
+# case, but it is not required.
 # client_cert: File path to client certificate file (PEM/DER)
+# Full path should be used since working directory may change when
+# wpa_supplicant is run in the background.
+# Alternatively, a named configuration blob can be used by setting this
+# to blob://<blob name>.
 # private_key: File path to client private key file (PEM/DER/PFX)
 # When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
 # commented out. Both the private key and certificate will be read from
-# the PKCS#12 file in this case.
-# private_key_passwd: Password for private key file
+# the PKCS#12 file in this case. Full path should be used since working
+# directory may change when wpa_supplicant is run in the background.
+# Windows certificate store can be used by leaving client_cert out and
+# configuring private_key in one of the following formats:
+# cert://substring_to_match
+# hash://certificate_thumbprint_in_hex
+# for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
+# Alternatively, a named configuration blob can be used by setting this
+# to blob://<blob name>.
+# private_key_passwd: Password for private key file (if left out, this will be
+# asked through control interface)
 # dh_file: File path to DH/DSA parameters file (in PEM format)
 # This is an optional configuration file for setting parameters for an
 # ephemeral DH key exchange. In most cases, the default RSA
@@ -205,6 +291,13 @@ fast_reauth=1
 # sertificate is only accepted if it contains this string in the subject.
 # The subject string is in following format:
 # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
+# altsubject_match: Substring to be matched against the alternative subject
+# name of the authentication server certificate. If this string is set,
+# the server sertificate is only accepted if it contains this string in
+# an alternative subject name extension.
+# altSubjectName string is in following format: TYPE:VALUE
+# Example: DNS:server.example.com
+# Following types are supported: EMAIL, DNS, URI
 # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
 # (string with field-value pairs, e.g., "peapver=0" or
 # "peapver=1 peaplabel=1")
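Review bot: The new `ca_path` text recommends pointing it at the system CA list (`/etc/ssl/certs`) and says those certificates are `added to the list of trusted CAs`, but does not spell out the consequence for the authentication-server check: a certificate chaining to any CA in that directory is then accepted as the RADIUS server. One sentence directing the reader to the existing `subject_match`/`altsubject_match` fields closes that gap, e.g. `# When ca_path points to a large CA set, use subject_match or altsubject_match to restrict which server certificate is accepted.`. The same applies to the one-line `ca_path2` entry added in the Phase2 hunk further down.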
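Review bot: The new `altsubject_match` text repeats the `sertificate` typo from the context line above it (`the server sertificate is only accepted`); since these lines are new they should read `the server certificate is only accepted`. Because the check is documented as a substring match, the example would be more useful if it also said that the whole `TYPE:VALUE` form should be given (`DNS:server.example.com`, not just `server.example.com`) so that the type is part of what must match. The rest of the entry is clear.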
@@ -230,25 +323,30 @@ fast_reauth=1
 # Following certificate/private key fields are used in inner Phase2
 # authentication when using EAP-TTLS or EAP-PEAP.
 # ca_cert2: File path to CA certificate file. This file can have one or more
-# trusted CA certificates. If ca_cert2 is not included, server
-# certificate will not be verified. This is insecure and the CA file
-# should always be configured.
+# trusted CA certificates. If ca_cert2 and ca_path2 are not included,
+# server certificate will not be verified. This is insecure and a trusted
+# CA certificate should always be configured.
+# ca_path2: Directory path for CA certificate files (PEM)
 # client_cert2: File path to client certificate file
 # private_key2: File path to client private key file
 # private_key2_passwd: Password for private key file
 # dh_file2: File path to DH/DSA parameters file (in PEM format)
 # subject_match2: Substring to be matched against the subject of the
 # authentication server certificate.
+# altsubject_match2: Substring to be matched against the alternative subject
+# name of the authentication server certificate.
 #
 # EAP-PSK variables:
 # eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
 # nai: user NAI
-# server_nai: authentication server NAI
 #
 # EAP-FAST variables:
 # pac_file: File path for the PAC entries. wpa_supplicant will need to be able
 # to create this file and write updates to it when PAC is being
-# provisioned or refreshed.
+# provisioned or refreshed. Full path to the file should be used since
+# working directory may change when wpa_supplicant is run in the
+# background. Alternatively, a named configuration blob can be used by
+# setting this to blob://<blob name>
 # phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
 # credentials (PAC)
 #
@@ -400,7 +498,6 @@ network={
 	identity="eap_psk_user"
 	eappsk=06b4be19da289f475aa46a33cb793029
 	nai="eap_psk_user@example.com"
-	server_nai="as@example.com"
 }
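Review bot: `pac_file` may now be a `blob://` entry as well as a path, but the text still only covers the file case (`wpa_supplicant will need to be able to create this file`); a blob lives inside this configuration file, so the provisioned PAC presumably only survives a restart when the file is written back, i.e. with `update_config=1` from the header, and that dependency deserves a sentence here — it also applies to the `pac_file="blob://eap-fast-pac"` example block added later in this commit. The PAC entries hold provisioned credentials, so the root-only readability the header asks for applies to the PAC file as much as to the configuration itself; `# The PAC file contains credentials and should be readable only by root.` would cover it. Dropping `server_nai` here matches its removal from the EAP-PSK example in the following hunk.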
@@ -441,6 +538,17 @@ network={
 	pac_file="/etc/wpa_supplicant.eap-fast-pac"
 }
 
+network={
+	ssid="eap-fast-test"
+	key_mgmt=WPA-EAP
+	eap=FAST
+	anonymous_identity="FAST-000102030405"
+	identity="username"
+	password="password"
+	phase1="fast_provisioning=1"
+	pac_file="blob://eap-fast-pac"
+}
+
 # Plaintext connection (no WPA, no IEEE 802.1X)
 network={
 	ssid="plaintext-test"
@@ -503,3 +611,52 @@ network={
 	private_key_passwd="password"
 	phase1="peaplabel=0"
 }
+
+# Example of EAP-TLS with smartcard (openssl engine)
+network={
+	ssid="example"
+	key_mgmt=WPA-EAP
+	eap=TLS
+	proto=RSN
+	pairwise=CCMP TKIP
+	group=CCMP TKIP
+	identity="user@example.com"
+	ca_cert="/etc/cert/ca.pem"
+	client_cert="/etc/cert/user.pem"
+
+	engine=1
+
+	# The engine configured here must be available. Look at
+	# OpenSSL engine support in the global section.
+	# The key available through the engine must be the private key
+	# matching the client certificate configured above.
+
+	# use the opensc engine
+	#engine_id="opensc"
+	#key_id="45"
+
+	# use the pkcs11 engine
+	engine_id="pkcs11"
+	key_id="id_45"
+
+	# Optional PIN configuration; this can be left out and PIN will be
+	# asked through the control interface
+	pin="1234"
+}
+
+# Example configuration showing how to use an inlined blob as a CA certificate
+# data instead of using external file
+network={
+	ssid="example"
+	key_mgmt=WPA-EAP
+	eap=TTLS
+	identity="user@example.com"
+	anonymous_identity="anonymous@example.com"
+	password="foobar"
+	ca_cert="blob://exampleblob"
+	priority=20
+}
+
+blob-base64-exampleblob={
+SGVsbG8gV29ybGQhCg==
+}
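Review bot: The new block is added with no comment line, unlike every other example block in the file, so the reader has to diff it against the file-backed EAP-FAST example directly above to see that the only difference is `pac_file="blob://eap-fast-pac"`; a header such as `# EAP-FAST with the PAC stored as a named blob in this file instead of a separate file` would make the intent explicit. If the block above also uses `ssid="eap-fast-test"` (its ssid line is outside this hunk), two blocks now describe the same network, and a distinct SSID for the blob variant would avoid that.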
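Review bot: Both new example blocks use `ssid="example"`, whereas every other example in the file carries a distinctive name (`eap-fast-test`, `plaintext-test`); two network blocks matching the same SSID make the examples harder to follow and, under the `ap_scan=2` behaviour documented above, both would be tried for one network, so I would name them e.g. `ssid="eap-tls-smartcard"` and `ssid="ttls-blob-test"` (constructed names). The `blob-base64-exampleblob` payload decodes to the text `Hello World!`, not to a certificate, while the comment calls it `a CA certificate data`; a line such as `# placeholder payload - replace with the base64 of a real PEM/DER CA certificate` above the blob prevents copy-paste of an unusable trust anchor. The smartcard comment already states that `pin` may be omitted and asked for via the control interface, which is the right default to point readers at.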