274 lines
7.7 KiB
HTML
274 lines
7.7 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of WPA_SUPPLICANT.CONF</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>WPA_SUPPLICANT.CONF</H1>
|
|
Section: (5)<BR>Updated: 01 March 2021<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<P>
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
wpa_supplicant.conf - configuration file for wpa_supplicant
|
|
<A NAME="lbAC"> </A>
|
|
<H2>OVERVIEW</H2>
|
|
|
|
<P>
|
|
|
|
<B>wpa_supplicant</B> is configured using a text
|
|
file that lists all accepted networks and security policies,
|
|
including pre-shared keys. See the example configuration file,
|
|
probably in <B>/usr/share/doc/wpa_supplicant/</B>, for
|
|
detailed information about the configuration format and supported
|
|
fields.
|
|
<P>
|
|
|
|
All file paths in this configuration file should use full
|
|
(absolute, not relative to working directory) path in order to allow
|
|
working directory to be changed. This can happen if wpa_supplicant is
|
|
run in the background.
|
|
<P>
|
|
|
|
Changes to configuration file can be reloaded be sending
|
|
SIGHUP signal to <B>wpa_supplicant</B> ('killall -HUP
|
|
wpa_supplicant'). Similarly, reloading can be triggered with
|
|
the <B>wpa_cli reconfigure</B> command.
|
|
<P>
|
|
|
|
Configuration file can include one or more network blocks,
|
|
e.g., one for each used SSID. wpa_supplicant will automatically
|
|
select the best network based on the order of network blocks in
|
|
the configuration file, network security level (WPA/WPA2 is
|
|
preferred), and signal strength.
|
|
<A NAME="lbAD"> </A>
|
|
<H2>QUICK EXAMPLES</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="1">1. <DD>
|
|
WPA-Personal (PSK) as home network and WPA-Enterprise with
|
|
EAP-TLS as work network.
|
|
<P>
|
|
<DL COMPACT><DT id="2"><DD>
|
|
<P>
|
|
<PRE>
|
|
# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
|
|
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
|
|
#
|
|
# home network; allow all valid ciphers
|
|
network={
|
|
ssid="home"
|
|
scan_ssid=1
|
|
key_mgmt=WPA-PSK
|
|
psk="very secret passphrase"
|
|
}
|
|
#
|
|
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
|
|
network={
|
|
ssid="work"
|
|
scan_ssid=1
|
|
key_mgmt=WPA-EAP
|
|
pairwise=CCMP TKIP
|
|
group=CCMP TKIP
|
|
eap=TLS
|
|
identity="<A HREF="mailto:user@example.com">user@example.com</A>"
|
|
ca_cert="/etc/cert/ca.pem"
|
|
client_cert="/etc/cert/user.pem"
|
|
private_key="/etc/cert/user.prv"
|
|
private_key_passwd="password"
|
|
}
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
<DT id="3">2. <DD>
|
|
WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
|
|
use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse
|
|
Aegis, Interlink RAD-Series)
|
|
<P>
|
|
<DL COMPACT><DT id="4"><DD>
|
|
<P>
|
|
<PRE>
|
|
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
|
|
network={
|
|
ssid="example"
|
|
scan_ssid=1
|
|
key_mgmt=WPA-EAP
|
|
eap=PEAP
|
|
identity="<A HREF="mailto:user@example.com">user@example.com</A>"
|
|
password="foobar"
|
|
ca_cert="/etc/cert/ca.pem"
|
|
phase1="peaplabel=0"
|
|
phase2="auth=MSCHAPV2"
|
|
}
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
<DT id="5">3. <DD>
|
|
EAP-TTLS/EAP-MD5-Challenge configuration with anonymous
|
|
identity for the unencrypted use. Real identity is sent only
|
|
within an encrypted TLS tunnel.
|
|
<P>
|
|
<DL COMPACT><DT id="6"><DD>
|
|
<P>
|
|
<PRE>
|
|
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
|
|
network={
|
|
ssid="example"
|
|
scan_ssid=1
|
|
key_mgmt=WPA-EAP
|
|
eap=TTLS
|
|
identity="<A HREF="mailto:user@example.com">user@example.com</A>"
|
|
anonymous_identity="<A HREF="mailto:anonymous@example.com">anonymous@example.com</A>"
|
|
password="foobar"
|
|
ca_cert="/etc/cert/ca.pem"
|
|
phase2="auth=MD5"
|
|
}
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
<DT id="7">4. <DD>
|
|
IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
|
|
(require both unicast and broadcast); use EAP-TLS for
|
|
authentication
|
|
<P>
|
|
<DL COMPACT><DT id="8"><DD>
|
|
<P>
|
|
<PRE>
|
|
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
|
|
network={
|
|
ssid="1x-test"
|
|
scan_ssid=1
|
|
key_mgmt=IEEE8021X
|
|
eap=TLS
|
|
identity="<A HREF="mailto:user@example.com">user@example.com</A>"
|
|
ca_cert="/etc/cert/ca.pem"
|
|
client_cert="/etc/cert/user.pem"
|
|
private_key="/etc/cert/user.prv"
|
|
private_key_passwd="password"
|
|
eapol_flags=3
|
|
}
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
<DT id="9">5. <DD>
|
|
Catch all example that allows more or less all
|
|
configuration modes. The configuration options are used based
|
|
on what security policy is used in the selected SSID. This is
|
|
mostly for testing and is not recommended for normal
|
|
use.
|
|
<P>
|
|
<DL COMPACT><DT id="10"><DD>
|
|
<P>
|
|
<PRE>
|
|
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
|
|
network={
|
|
ssid="example"
|
|
scan_ssid=1
|
|
key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
|
|
pairwise=CCMP TKIP
|
|
group=CCMP TKIP WEP104 WEP40
|
|
psk="very secret passphrase"
|
|
eap=TTLS PEAP TLS
|
|
identity="<A HREF="mailto:user@example.com">user@example.com</A>"
|
|
password="foobar"
|
|
ca_cert="/etc/cert/ca.pem"
|
|
client_cert="/etc/cert/user.pem"
|
|
private_key="/etc/cert/user.prv"
|
|
private_key_passwd="password"
|
|
phase1="peaplabel=0"
|
|
ca_cert2="/etc/cert/ca2.pem"
|
|
client_cert2="/etc/cer/user.pem"
|
|
private_key2="/etc/cer/user.prv"
|
|
private_key2_passwd="password"
|
|
}
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
<DT id="11">6. <DD>
|
|
Authentication for wired Ethernet. This can be used with
|
|
<B>wired</B> or <B>roboswitch</B> interface
|
|
(-Dwired or -Droboswitch on command line).
|
|
<P>
|
|
<DL COMPACT><DT id="12"><DD>
|
|
<P>
|
|
<PRE>
|
|
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
|
|
ap_scan=0
|
|
network={
|
|
key_mgmt=IEEE8021X
|
|
eap=MD5
|
|
identity="user"
|
|
password="password"
|
|
eapol_flags=0
|
|
}
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
</DL>
|
|
<A NAME="lbAE"> </A>
|
|
<H2>CERTIFICATES</H2>
|
|
|
|
<P>
|
|
|
|
Some EAP authentication methods require use of
|
|
certificates. EAP-TLS uses both server side and client
|
|
certificates whereas EAP-PEAP and EAP-TTLS only require the server
|
|
side certificate. When client certificate is used, a matching
|
|
private key file has to also be included in configuration. If the
|
|
private key uses a passphrase, this has to be configured in
|
|
wpa_supplicant.conf ("private_key_passwd").
|
|
<P>
|
|
|
|
wpa_supplicant supports X.509 certificates in PEM and DER
|
|
formats. User certificate and private key can be included in the
|
|
same file.
|
|
<P>
|
|
|
|
If the user certificate and private key is received in
|
|
PKCS#12/PFX format, they need to be converted to suitable PEM/DER
|
|
format for wpa_supplicant. This can be done, e.g., with following
|
|
commands:
|
|
<P>
|
|
<DL COMPACT><DT id="13"><DD>
|
|
<P>
|
|
<PRE>
|
|
# convert client certificate and private key to PEM format
|
|
openssl pkcs12 -in example.pfx -out user.pem -clcerts
|
|
# convert CA certificate (if included in PFX file) to PEM format
|
|
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
|
|
</PRE>
|
|
|
|
</DL>
|
|
|
|
<A NAME="lbAF"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<P>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+wpa_supplicant">wpa_supplicant</A></B>(8)
|
|
<B><A HREF="/cgi-bin/man/man2html?1+openssl">openssl</A></B>(1)
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="14"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="15"><A HREF="#lbAC">OVERVIEW</A><DD>
|
|
<DT id="16"><A HREF="#lbAD">QUICK EXAMPLES</A><DD>
|
|
<DT id="17"><A HREF="#lbAE">CERTIFICATES</A><DD>
|
|
<DT id="18"><A HREF="#lbAF">SEE ALSO</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:06 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|