head	1.1;
branch	1.1.1;
access;
symbols
	netbsd-11-0-RC5:1.1.1.2
	netbsd-11-0-RC4:1.1.1.2
	netbsd-11-0-RC3:1.1.1.2
	netbsd-11-0-RC2:1.1.1.2
	netbsd-11-0-RC1:1.1.1.2
	perseant-exfatfs-base-20250801:1.1.1.2
	netbsd-11:1.1.1.2.0.2
	netbsd-11-base:1.1.1.2
	netbsd-10-1-RELEASE:1.1.1.1
	v2_11:1.1.1.2
	perseant-exfatfs-base-20240630:1.1.1.1
	perseant-exfatfs:1.1.1.1.0.58
	perseant-exfatfs-base:1.1.1.1
	netbsd-8-3-RELEASE:1.1.1.1
	netbsd-9-4-RELEASE:1.1.1.1
	netbsd-10-0-RELEASE:1.1.1.1
	netbsd-10-0-RC6:1.1.1.1
	netbsd-10-0-RC5:1.1.1.1
	netbsd-10-0-RC4:1.1.1.1
	netbsd-10-0-RC3:1.1.1.1
	netbsd-10-0-RC2:1.1.1.1
	netbsd-10-0-RC1:1.1.1.1
	netbsd-10:1.1.1.1.0.56
	netbsd-10-base:1.1.1.1
	netbsd-9-3-RELEASE:1.1.1.1
	cjep_sun2x-base1:1.1.1.1
	cjep_sun2x:1.1.1.1.0.54
	cjep_sun2x-base:1.1.1.1
	cjep_staticlib_x-base1:1.1.1.1
	netbsd-9-2-RELEASE:1.1.1.1
	cjep_staticlib_x:1.1.1.1.0.52
	cjep_staticlib_x-base:1.1.1.1
	v2_9:1.1.1.1
	netbsd-9-1-RELEASE:1.1.1.1
	phil-wifi-20200421:1.1.1.1
	phil-wifi-20200411:1.1.1.1
	is-mlppp:1.1.1.1.0.50
	is-mlppp-base:1.1.1.1
	phil-wifi-20200406:1.1.1.1
	netbsd-8-2-RELEASE:1.1.1.1
	netbsd-9-0-RELEASE:1.1.1.1
	netbsd-9-0-RC2:1.1.1.1
	netbsd-9-0-RC1:1.1.1.1
	phil-wifi-20191119:1.1.1.1
	netbsd-9:1.1.1.1.0.48
	netbsd-9-base:1.1.1.1
	phil-wifi-20190609:1.1.1.1
	netbsd-8-1-RELEASE:1.1.1.1
	netbsd-8-1-RC1:1.1.1.1
	pgoyette-compat-merge-20190127:1.1.1.1
	pgoyette-compat-20190127:1.1.1.1
	pgoyette-compat-20190118:1.1.1.1
	v2_7:1.1.1.1
	pgoyette-compat-1226:1.1.1.1
	pgoyette-compat-1126:1.1.1.1
	pgoyette-compat-1020:1.1.1.1
	pgoyette-compat-0930:1.1.1.1
	pgoyette-compat-0906:1.1.1.1
	netbsd-7-2-RELEASE:1.1.1.1
	pgoyette-compat-0728:1.1.1.1
	netbsd-8-0-RELEASE:1.1.1.1
	phil-wifi:1.1.1.1.0.46
	phil-wifi-base:1.1.1.1
	pgoyette-compat-0625:1.1.1.1
	netbsd-8-0-RC2:1.1.1.1
	pgoyette-compat-0521:1.1.1.1
	pgoyette-compat-0502:1.1.1.1
	pgoyette-compat-0422:1.1.1.1
	netbsd-8-0-RC1:1.1.1.1
	pgoyette-compat-0415:1.1.1.1
	pgoyette-compat-0407:1.1.1.1
	pgoyette-compat-0330:1.1.1.1
	pgoyette-compat-0322:1.1.1.1
	pgoyette-compat-0315:1.1.1.1
	netbsd-7-1-2-RELEASE:1.1.1.1
	pgoyette-compat:1.1.1.1.0.44
	pgoyette-compat-base:1.1.1.1
	netbsd-7-1-1-RELEASE:1.1.1.1
	matt-nb8-mediatek:1.1.1.1.0.42
	matt-nb8-mediatek-base:1.1.1.1
	perseant-stdc-iso10646:1.1.1.1.0.40
	perseant-stdc-iso10646-base:1.1.1.1
	netbsd-8:1.1.1.1.0.38
	netbsd-8-base:1.1.1.1
	prg-localcount2-base3:1.1.1.1
	prg-localcount2-base2:1.1.1.1
	prg-localcount2-base1:1.1.1.1
	prg-localcount2:1.1.1.1.0.36
	prg-localcount2-base:1.1.1.1
	pgoyette-localcount-20170426:1.1.1.1
	bouyer-socketcan-base1:1.1.1.1
	pgoyette-localcount-20170320:1.1.1.1
	netbsd-7-1:1.1.1.1.0.34
	netbsd-7-1-RELEASE:1.1.1.1
	netbsd-7-1-RC2:1.1.1.1
	netbsd-7-nhusb-base-20170116:1.1.1.1
	bouyer-socketcan:1.1.1.1.0.32
	bouyer-socketcan-base:1.1.1.1
	pgoyette-localcount-20170107:1.1.1.1
	netbsd-7-1-RC1:1.1.1.1
	v2_6:1.1.1.1
	pgoyette-localcount-20161104:1.1.1.1
	netbsd-7-0-2-RELEASE:1.1.1.1
	localcount-20160914:1.1.1.1
	netbsd-7-nhusb:1.1.1.1.0.30
	netbsd-7-nhusb-base:1.1.1.1
	pgoyette-localcount-20160806:1.1.1.1
	pgoyette-localcount-20160726:1.1.1.1
	pgoyette-localcount:1.1.1.1.0.28
	pgoyette-localcount-base:1.1.1.1
	netbsd-7-0-1-RELEASE:1.1.1.1
	netbsd-7-0:1.1.1.1.0.26
	netbsd-7-0-RELEASE:1.1.1.1
	netbsd-7-0-RC3:1.1.1.1
	netbsd-7-0-RC2:1.1.1.1
	netbsd-7-0-RC1:1.1.1.1
	v2_4:1.1.1.1
	v2_3:1.1.1.1
	netbsd-6-0-6-RELEASE:1.1.1.1
	netbsd-6-1-5-RELEASE:1.1.1.1
	netbsd-7:1.1.1.1.0.24
	netbsd-7-base:1.1.1.1
	yamt-pagecache-base9:1.1.1.1
	yamt-pagecache-tag8:1.1.1.1
	netbsd-6-1-4-RELEASE:1.1.1.1
	netbsd-6-0-5-RELEASE:1.1.1.1
	tls-earlyentropy:1.1.1.1.0.22
	tls-earlyentropy-base:1.1.1.1
	riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.1.1.1
	riastradh-drm2-base3:1.1.1.1
	netbsd-6-1-3-RELEASE:1.1.1.1
	netbsd-6-0-4-RELEASE:1.1.1.1
	v2_0:1.1.1.1
	netbsd-6-1-2-RELEASE:1.1.1.1
	netbsd-6-0-3-RELEASE:1.1.1.1
	netbsd-6-1-1-RELEASE:1.1.1.1
	riastradh-drm2-base2:1.1.1.1
	riastradh-drm2-base1:1.1.1.1
	riastradh-drm2:1.1.1.1.0.16
	v1_1:1.1.1.1
	riastradh-drm2-base:1.1.1.1
	netbsd-6-1:1.1.1.1.0.20
	netbsd-6-0-2-RELEASE:1.1.1.1
	netbsd-6-1-RELEASE:1.1.1.1
	netbsd-6-1-RC4:1.1.1.1
	netbsd-6-1-RC3:1.1.1.1
	agc-symver:1.1.1.1.0.18
	agc-symver-base:1.1.1.1
	netbsd-6-1-RC2:1.1.1.1
	netbsd-6-1-RC1:1.1.1.1
	yamt-pagecache-base8:1.1.1.1
	netbsd-6-0-1-RELEASE:1.1.1.1
	yamt-pagecache-base7:1.1.1.1
	matt-nb6-plus-nbase:1.1.1.1
	yamt-pagecache-base6:1.1.1.1
	netbsd-6-0:1.1.1.1.0.14
	netbsd-6-0-RELEASE:1.1.1.1
	v1_0:1.1.1.1
	netbsd-6-0-RC2:1.1.1.1
	tls-maxphys:1.1.1.1.0.12
	tls-maxphys-base:1.1.1.1
	matt-nb6-plus:1.1.1.1.0.10
	matt-nb6-plus-base:1.1.1.1
	netbsd-6-0-RC1:1.1.1.1
	yamt-pagecache-base5:1.1.1.1
	yamt-pagecache-base4:1.1.1.1
	netbsd-6:1.1.1.1.0.8
	netbsd-6-base:1.1.1.1
	yamt-pagecache-base3:1.1.1.1
	yamt-pagecache-base2:1.1.1.1
	yamt-pagecache:1.1.1.1.0.6
	yamt-pagecache-base:1.1.1.1
	v0_7_3:1.1.1.1
	cherry-xenmp:1.1.1.1.0.4
	cherry-xenmp-base:1.1.1.1
	bouyer-quota2-nbase:1.1.1.1
	bouyer-quota2:1.1.1.1.0.2
	bouyer-quota2-base:1.1.1.1
	matt-mips64-premerge-20101231:1.1.1.1
	v0_7_2:1.1.1.1
	MALINEN:1.1.1;
locks; strict;
comment	@# @;


1.1
date	2010.08.04.10.24.26;	author christos;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	2010.08.04.10.24.26;	author christos;	state Exp;
branches
	1.1.1.1.58.1;
next	1.1.1.2;

1.1.1.2
date	2024.09.18.15.02.56;	author christos;	state Exp;
branches;
next	;
commitid	VitRusbKkuz5DiqF;

1.1.1.1.58.1
date	2025.08.02.05.24.29;	author perseant;	state Exp;
branches;
next	;
commitid	23j6GFaDws3O875G;


desc
@@


1.1
log
@Initial revision
@
text
@<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
  <refmeta>
    <refentrytitle>wpa_supplicant.conf</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>wpa_supplicant.conf</refname>
    <refpurpose>configuration file for wpa_supplicant</refpurpose>
  </refnamediv>
  <refsect1>
    <title>Overview</title>

    <para><command>wpa_supplicant</command> is configured using a text
    file that lists all accepted networks and security policies,
    including pre-shared keys. Because the file holds these keys and
    any passwords in readable form, it should be readable only by the
    account that runs <command>wpa_supplicant</command>. See the
    example configuration file,
    probably in <command>/usr/share/doc/wpa_supplicant/</command>, for
    detailed information about the configuration format and supported
    fields.</para>

    <para>All file paths in this configuration file should be full
    (absolute, not relative to the working directory) paths so that the
    working directory can be changed. This can happen if wpa_supplicant is
    run in the background.</para>

    <para>Changes to the configuration file can be reloaded by sending
    a SIGHUP signal to <command>wpa_supplicant</command> ('killall -HUP
    wpa_supplicant'). Similarly, reloading can be triggered with
    the <emphasis>wpa_cli reconfigure</emphasis> command.</para>

    <para>The configuration file can include one or more network blocks,
    e.g., one for each used SSID. wpa_supplicant will automatically
    select the best network based on the order of network blocks in
    the configuration file, network security level (WPA/WPA2 is
    preferred), and signal strength.</para>
  </refsect1>

  <refsect1>
    <title>Quick Examples</title>

    <orderedlist>
      <listitem>

      <para>WPA-Personal (PSK) as home network and WPA-Enterprise with
      EAP-TLS as work network.</para>

<blockquote><programlisting>
# Example: WPA-Personal (PSK) home network plus WPA-Enterprise (EAP-TLS)
# work network.
#
# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#
# home network; allow all valid ciphers
# (this block has no pairwise= or group= line)
network={
	ssid="home"
	scan_ssid=1
	key_mgmt=WPA-PSK
	# the passphrase is kept in this file in readable form
	psk="very secret passphrase"
}
#
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
	ssid="work"
	scan_ssid=1
	key_mgmt=WPA-EAP
	# NOTE(review): the v2.10 changelog adds CONFIG_NO_TKIP=y, so TKIP
	# may be missing from some builds - confirm before relying on it
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="user@@example.com"
	# CA certificate; presumably used to check the server side
	# certificate - confirm against the example configuration file
	ca_cert="/etc/cert/ca.pem"
	# EAP-TLS also uses a client certificate with its matching private key
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	# passphrase of the private key file, kept here in readable form
	private_key_passwd="password"
}
</programlisting></blockquote>   
      </listitem>

      <listitem>
	<para>WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
        use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse
        Aegis, Interlink RAD-Series)</para>

<blockquote><programlisting>
# Example: WPA-EAP with EAP-PEAP/MSCHAPv2 for RADIUS servers that use the
# old peaplabel.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user@@example.com"
	# the password is kept in this file in readable form
	password="foobar"
	# ca_cert is set here; the v2.11 changelog describes PEAP
	# configurations that do not set ca_cert as invalid
	ca_cert="/etc/cert/ca.pem"
	# peaplabel=0: presumably selects the old label named in the
	# description of this example - confirm
	phase1="peaplabel=0"
	phase2="auth=MSCHAPV2"
}
</programlisting></blockquote>
      </listitem>

      <listitem>
	<para>EAP-TTLS/EAP-MD5-Challenge configuration with an anonymous
        identity for unencrypted use. The real identity is sent only
        within the encrypted TLS tunnel.</para>


<blockquote><programlisting>
# Example: EAP-TTLS with EAP-MD5-Challenge and an anonymous identity.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=TTLS
	# real identity; sent only within the encrypted TLS tunnel
	identity="user@@example.com"
	# identity used where the exchange is not encrypted
	anonymous_identity="anonymous@@example.com"
	# the password is kept in this file in readable form
	password="foobar"
	# CA certificate; presumably used to check the server side
	# certificate of the TLS tunnel - confirm
	ca_cert="/etc/cert/ca.pem"
	phase2="auth=MD5"
}
</programlisting></blockquote>

      </listitem>

      <listitem>
	<para>IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
        (require both unicast and broadcast); use EAP-TLS for
        authentication</para>

<blockquote><programlisting>
# Example: IEEE 802.1X without WPA, dynamic WEP keys, EAP-TLS authentication.
# NOTE(review): the v2.10 changelog removes WEP from the default build
# (CONFIG_WEP=y re-enables it); this example presumably needs such a
# build - confirm.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="1x-test"
	scan_ssid=1
	key_mgmt=IEEE8021X
	eap=TLS
	identity="user@@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	# passphrase of the private key file, kept here in readable form
	private_key_passwd="password"
	# presumably the setting that requires both unicast and broadcast
	# keys, as the description of this example states - confirm
	eapol_flags=3
}
</programlisting></blockquote>
      </listitem>


      <listitem>
	<para>Catch-all example that allows more or less all
        configuration modes. The configuration options are used based
        on what security policy is used in the selected SSID. This is
        mostly for testing and is not recommended for normal
        use.</para>

<blockquote><programlisting>
# Example: catch-all block for testing; the page does not recommend it for
# normal use.
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
	ssid="example"
	scan_ssid=1
	# accepts WPA-EAP, WPA-PSK, IEEE 802.1X and NONE key management
	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
	pairwise=CCMP TKIP
	# NOTE(review): per the v2.10 changelog, WEP is no longer in the
	# default build (CONFIG_WEP=y) and TKIP can be removed with
	# CONFIG_NO_TKIP=y, so these values may not be available
	group=CCMP TKIP WEP104 WEP40
	# secrets below are kept in this file in readable form
	psk="very secret passphrase"
	eap=TTLS PEAP TLS
	identity="user@@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	phase1="peaplabel=0"
	ca_cert2="/etc/cert/ca2.pem"
	# NOTE(review): the next two paths use /etc/cer/ while every other
	# path in these examples uses /etc/cert/ - looks like a typo; confirm
	client_cert2="/etc/cer/user.pem"
	private_key2="/etc/cer/user.prv"
	private_key2_passwd="password"
}
</programlisting></blockquote>
      </listitem>

      <listitem>
	<para>Authentication for wired Ethernet. This can be used with
        <emphasis>wired</emphasis> or <emphasis>roboswitch</emphasis> interface
        (-Dwired or -Droboswitch on command line).</para>

<blockquote><programlisting>
# Example: IEEE 802.1X authentication for wired Ethernet, for use with the
# wired or roboswitch interface (-Dwired or -Droboswitch).
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
# NOTE(review): ap_scan=0 is not explained on this page; see the example
# configuration file for its meaning
ap_scan=0
# the network block has no ssid line
network={
	key_mgmt=IEEE8021X
	eap=MD5
	identity="user"
	# the password is kept in this file in readable form
	password="password"
	# presumably no dynamic keys are required on a wired link - confirm
	eapol_flags=0
}
</programlisting></blockquote>
      </listitem>
    </orderedlist>





  </refsect1>
  <refsect1>
    <title>Certificates</title>

    <para>Some EAP authentication methods require use of
    certificates. EAP-TLS uses both server side and client
    certificates whereas EAP-PEAP and EAP-TTLS only require the server
    side certificate. When client certificate is used, a matching
    private key file has to also be included in configuration. If the
    private key uses a passphrase, this has to be configured in
    wpa_supplicant.conf ("private_key_passwd").</para>

    <para>wpa_supplicant supports X.509 certificates in PEM and DER
    formats. User certificate and private key can be included in the
    same file.</para>

    <para>If the user certificate and private key are received in
    PKCS#12/PFX format, they need to be converted to a suitable PEM/DER
    format for wpa_supplicant. This can be done, e.g., with the following
    commands:</para>
<blockquote><programlisting>
# convert client certificate and private key to PEM format
# (unlike the CA command below, this one has no -nokeys, so user.pem also
# holds the private key; keep that file's permissions tight)
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
# (-nokeys: no private key is written to ca.pem)
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
</programlisting></blockquote>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry>
	<refentrytitle>wpa_supplicant</refentrytitle>
	<manvolnum>8</manvolnum>
      </citerefentry>
      <citerefentry>
	<refentrytitle>openssl</refentrytitle>
	<manvolnum>1</manvolnum>
      </citerefentry>
    </para>
  </refsect1>
</refentry>
@


1.1.1.1
log
@Import wpa_supplicant and hostapd
@
text
@@


1.1.1.1.58.1
log
@Sync with HEAD
@
text
@a2 4
  <refentryinfo>
    <date>07 August 2019</date>
  </refentryinfo>

@


1.1.1.2
log
@Import wpa_supplicant and hostapd 2.11. Previous was 2.9

1. Changes for hostapd:

2024-07-20 - v2.11
	* Wi-Fi Easy Connect
	  - add support for DPP release 3
	  - allow Configurator parameters to be provided during config exchange
	* HE/IEEE 802.11ax/Wi-Fi 6
	  - various fixes
	* EHT/IEEE 802.11be/Wi-Fi 7
	  - add preliminary support
	* SAE: add support for fetching the password from a RADIUS server
	* support OpenSSL 3.0 API changes
	* support background radar detection and CAC with some additional
	  drivers
	* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
	* EAP-SIM/AKA: support IMSI privacy
	* improve 4-way handshake operations
	  - use Secure=1 in message 3 during PTK rekeying
	* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
	  to avoid interoperability issues
	* support new SAE AKM suites with variable length keys
	* support new AKM for 802.1X/EAP with SHA384
	* extend PASN support for secure ranging
	* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
	  - this is based on additional details being added in the IEEE 802.11
	    standard
	  - the new implementation is not backwards compatible
	* improved ACS to cover additional channel types/bandwidths
	* extended Multiple BSSID support
	* fix beacon protection with FT protocol (incorrect BIGTK was provided)
	* support unsynchronized service discovery (USD)
	* add preliminary support for RADIUS/TLS
	* add support for explicit SSID protection in 4-way handshake
	  (a mitigation for CVE-2023-52424; disabled by default for now, can be
	  enabled with ssid_protection=1)
	* fix SAE H2E rejected groups validation to avoid downgrade attacks
	* use stricter validation for some RADIUS messages
	* a large number of other fixes, cleanup, and extensions

2022-01-16 - v2.10
	* SAE changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	  - added option send SAE Confirm immediately (sae_config_immediate=1)
	    after SAE Commit
	  - added support for the hash-to-element mechanism (sae_pwe=1 or
	    sae_pwe=2)
	  - fixed PMKSA caching with OKC
	  - added support for SAE-PK
	* EAP-pwd changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	* fixed WPS UPnP SUBSCRIBE handling of invalid operations
	  [https://w1.fi/security/2020-1/]
	* fixed PMF disconnection protection bypass
	  [https://w1.fi/security/2019-7/]
	* added support for using OpenSSL 3.0
	* fixed various issues in experimental support for EAP-TEAP server
	* added configuration (max_auth_rounds, max_auth_rounds_short) to
	  increase the maximum number of EAP message exchanges (mainly to
	  support cases with very large certificates) for the EAP server
	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
	* extended HE (IEEE 802.11ax) support, including 6 GHz support
	* removed obsolete IAPP functionality
	* fixed EAP-FAST server with TLS GCM/CCM ciphers
	* dropped support for libnl 1.1
	* added support for nl80211 control port for EAPOL frame TX/RX
	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
	  compatibility for these groups while the default group 19 remains
	  backwards compatible; owe_ptk_workaround=1 can be used to enabled a
	  a workaround for the group 20/21 backwards compatibility
	* added support for Beacon protection
	* added support for Extended Key ID for pairwise keys
	* removed WEP support from the default build (CONFIG_WEP=y can be used
	  to enable it, if really needed)
	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
	* added support for Transition Disable mechanism to allow the AP to
	  automatically disable transition mode to improve security
	* added support for PASN
	* added EAP-TLS server support for TLS 1.3 (disabled by default for now)
	* a large number of other fixes, cleanup, and extensions


2. Changes for wpa_supplicant

2024-07-20 - v2.11
	* Wi-Fi Easy Connect
	  - add support for DPP release 3
	  - allow Configurator parameters to be provided during config exchange
	* MACsec
	  - add support for GCM-AES-256 cipher suite
	  - remove incorrect EAP Session-Id length constraint
	  - add hardware offload support for additional drivers
	* HE/IEEE 802.11ax/Wi-Fi 6
	  - support BSS color updates
	  - various fixes
	* EHT/IEEE 802.11be/Wi-Fi 7
	  - add preliminary support
	* support OpenSSL 3.0 API changes
	* improve EAP-TLS support for TLSv1.3
	* EAP-SIM/AKA: support IMSI privacy
	* improve mitigation against DoS attacks when PMF is used
	* improve 4-way handshake operations
	  - discard unencrypted EAPOL frames in additional cases
	  - use Secure=1 in message 2 during PTK rekeying
	* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
	  to avoid interoperability issues
	* support new SAE AKM suites with variable length keys
	* support new AKM for 802.1X/EAP with SHA384
	* improve cross-AKM roaming with driver-based SME/BSS selection
	* PASN
	  - extend support for secure ranging
	  - allow PASN implementation to be used with external programs for
	    Wi-Fi Aware
	* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
	  - this is based on additional details being added in the IEEE 802.11
	    standard
	  - the new implementation is not backwards compatible, but PMKSA
	    caching with FT-EAP was, and still is, disabled by default
	* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
	  for using per-network random MAC addresses
	* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
	  to improve security for still unfortunately common invalid
	  configurations that do not set ca_cert
	* extend SCS support for QoS Characteristics
	* extend MSCS support
	* support unsynchronized service discovery (USD)
	* add support for explicit SSID protection in 4-way handshake
	  (a mitigation for CVE-2023-52424; disabled by default for now, can be
	  enabled with ssid_protection=1)
	  - in addition, verify SSID after key setup when beacon protection is
	    used
	* fix SAE H2E rejected groups validation to avoid downgrade attacks
	* a large number of other fixes, cleanup, and extensions

2022-01-16 - v2.10
	* SAE changes
	  - improved protection against side channel attacks
	    [https://w1.fi/security/2022-1/]
	  - added support for the hash-to-element mechanism (sae_pwe=1 or
	    sae_pwe=2); this is currently disabled by default, but will likely
	    get enabled by default in the future
	  - fixed PMKSA caching with OKC
	  - added support for SAE-PK
	* EAP-pwd changes
	  - improved protection against side channel attacks
	  [https://w1.fi/security/2022-1/]
	* fixed P2P provision discovery processing of a specially constructed
	  invalid frame
	  [https://w1.fi/security/2021-1/]
	* fixed P2P group information processing of a specially constructed
	  invalid frame
	  [https://w1.fi/security/2020-2/]
	* fixed PMF disconnection protection bypass in AP mode
	  [https://w1.fi/security/2019-7/]
	* added support for using OpenSSL 3.0
	* increased the maximum number of EAP message exchanges (mainly to
	  support cases with very large certificates)
	* fixed various issues in experimental support for EAP-TEAP peer
	* added support for DPP release 2 (Wi-Fi Device Provisioning Protocol)
	* a number of MKA/MACsec fixes and extensions
	* added support for SAE (WPA3-Personal) AP mode configuration
	* added P2P support for EDMG (IEEE 802.11ay) channels
	* fixed EAP-FAST peer with TLS GCM/CCM ciphers
	* improved throughput estimation and BSS selection
	* dropped support for libnl 1.1
	* added support for nl80211 control port for EAPOL frame TX/RX
	* fixed OWE key derivation with groups 20 and 21; this breaks backwards
	  compatibility for these groups while the default group 19 remains
	  backwards compatible
	* added support for Beacon protection
	* added support for Extended Key ID for pairwise keys
	* removed WEP support from the default build (CONFIG_WEP=y can be used
	  to enable it, if really needed)
	* added a build option to remove TKIP support (CONFIG_NO_TKIP=y)
	* added support for Transition Disable mechanism to allow the AP to
	  automatically disable transition mode to improve security
	* extended D-Bus interface
	* added support for PASN
	* added a file-based backend for external password storage to allow
	  secret information to be moved away from the main configuration file
	  without requiring external tools
	* added EAP-TLS peer support for TLS 1.3 (disabled by default for now)
	* added support for SCS, MSCS, DSCP policy
	* changed driver interface selection to default to automatic fallback
	  to other compiled in options
	* a large number of other fixes, cleanup, and extensions
@
text
@a2 4
  <refentryinfo>
    <date>07 August 2019</date>
  </refentryinfo>

@

