1##### Example wpa_supplicant configuration file ###############################
2#
3# This file describes configuration file format and lists all available option.
4# Please also take a look at simpler configuration examples in 'examples'
5# subdirectory.
6#
7# Empty lines and lines starting with # are ignored
8
9# NOTE! This file may contain password information and should probably be made
10# readable only by root user on multiuser systems.
11
12# Note: All file paths in this configuration file should use full (absolute,
13# not relative to working directory) path in order to allow working directory
14# to be changed. This can happen if wpa_supplicant is run in the background.
15
16# Whether to allow wpa_supplicant to update (overwrite) configuration
17#
18# This option can be used to allow wpa_supplicant to overwrite configuration
19# file whenever configuration is changed (e.g., new network block is added with
20# wpa_cli or wpa_gui, or a password is changed). This is required for
21# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
22# Please note that overwriting configuration file will remove the comments from
23# it.
24#update_config=1
25
26# global configuration (shared by all network blocks)
27#
28# Parameters for the control interface. If this is specified, wpa_supplicant
29# will open a control interface that is available for external programs to
30# manage wpa_supplicant. The meaning of this string depends on which control
31# interface mechanism is used. For all cases, the existence of this parameter
32# in configuration is used to determine whether the control interface is
33# enabled.
34#
35# For UNIX domain sockets (default on Linux and BSD): This is a directory that
36# will be created for UNIX domain sockets for listening to requests from
37# external programs (CLI/GUI, etc.) for status information and configuration.
38# The socket file will be named based on the interface name, so multiple
39# wpa_supplicant processes can be run at the same time if more than one
40# interface is used.
41# /var/run/wpa_supplicant is the recommended directory for sockets and by
42# default, wpa_cli will use it when trying to connect with wpa_supplicant.
43#
44# Access control for the control interface can be configured by setting the
45# directory to allow only members of a group to use sockets. This way, it is
46# possible to run wpa_supplicant as root (since it needs to change network
47# configuration and open raw sockets) and still allow GUI/CLI components to be
48# run as non-root users. However, since the control interface can be used to
49# change the network configuration, this access needs to be protected in many
50# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
51# want to allow non-root users to use the control interface, add a new group
52# and change this value to match with that group. Add users that should have
53# control interface access to this group. If this variable is commented out or
54# not included in the configuration file, group will not be changed from the
55# value it got by default when the directory or socket was created.
56#
57# When configuring both the directory and group, use following format:
58# DIR=/var/run/wpa_supplicant GROUP=wheel
59# DIR=/var/run/wpa_supplicant GROUP=0
60# (group can be either group name or gid)
61#
62# For UDP connections (default on Windows): The value will be ignored. This
63# variable is just used to select that the control interface is to be created.
64# The value can be set to, e.g., udp (ctrl_interface=udp)
65#
66# For Windows Named Pipe: This value can be used to set the security descriptor
67# for controlling access to the control interface. Security descriptor can be
68# set using Security Descriptor String Format (see http://msdn.microsoft.com/
69# library/default.asp?url=/library/en-us/secauthz/security/
70# security_descriptor_string_format.asp). The descriptor string needs to be
71# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
72# DACL (which will reject all connections). See README-Windows.txt for more
73# information about SDDL string format.
74#
75ctrl_interface=/var/run/wpa_supplicant
76
77# IEEE 802.1X/EAPOL version
78# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
79# EAPOL version 2. However, there are many APs that do not handle the new
80# version number correctly (they seem to drop the frames completely). In order
81# to make wpa_supplicant interoperate with these APs, the version number is set
82# to 1 by default. This configuration value can be used to set it to the new
83# version (2).
84# Note: When using MACsec, eapol_version shall be set to 3, which is
85# defined in IEEE Std 802.1X-2010.
86eapol_version=1
87
88# AP scanning/selection
89# By default, wpa_supplicant requests driver to perform AP scanning and then
90# uses the scan results to select a suitable AP. Another alternative is to
91# allow the driver to take care of AP scanning and selection and use
92# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
93# information from the driver.
94# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
95#    the currently enabled networks are found, a new network (IBSS or AP mode
96#    operation) may be initialized (if configured) (default)
97# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
98#    parameters (e.g., WPA IE generation); this mode can also be used with
99#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
100#    APs (i.e., external program needs to control association). This mode must
101#    also be used when using wired Ethernet drivers.
102#    Note: macsec_qca driver is one type of Ethernet driver which implements
103#    macsec feature.
104# 2: like 0, but associate with APs using security policy and SSID (but not
105#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
106#    enable operation with hidden SSIDs and optimized roaming; in this mode,
107#    the network blocks in the configuration file are tried one by one until
108#    the driver reports successful association; each network block should have
109#    explicit security policy (i.e., only one option in the lists) for
110#    key_mgmt, pairwise, group, proto variables
111# Note: ap_scan=2 should not be used with the nl80211 driver interface (the
112# current Linux interface). ap_scan=1 is optimized work working with nl80211.
113# For finding networks using hidden SSID, scan_ssid=1 in the network block can
114# be used with nl80211.
115# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
116# created immediately regardless of scan results. ap_scan=1 mode will first try
117# to scan for existing networks and only if no matches with the enabled
118# networks are found, a new IBSS or AP mode network is created.
119ap_scan=1
120
121# Whether to force passive scan for network connection
122#
123# By default, scans will send out Probe Request frames on channels that allow
124# active scanning. This advertise the local station to the world. Normally this
125# is fine, but users may wish to do passive scanning where the radio should only
126# listen quietly for Beacon frames and not send any Probe Request frames. Actual
127# functionality may be driver dependent.
128#
129# This parameter can be used to force only passive scanning to be used
130# for network connection cases. It should be noted that this will slow
131# down scan operations and reduce likelihood of finding the AP. In
132# addition, some use cases will override this due to functional
133# requirements, e.g., for finding an AP that uses hidden SSID
134# (scan_ssid=1) or P2P device discovery.
135#
136# 0:  Do normal scans (allow active scans) (default)
137# 1:  Do passive scans.
138#passive_scan=0
139
140# MPM residency
141# By default, wpa_supplicant implements the mesh peering manager (MPM) for an
142# open mesh. However, if the driver can implement the MPM, you may set this to
143# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is
144# always used.
145# 0: MPM lives in the driver
146# 1: wpa_supplicant provides an MPM which handles peering (default)
147#user_mpm=1
148
149# Maximum number of peer links (0-255; default: 99)
150# Maximum number of mesh peering currently maintained by the STA.
151#max_peer_links=99
152
153# Timeout in seconds to detect STA inactivity (default: 300 seconds)
154#
155# This timeout value is used in mesh STA to clean up inactive stations.
156#mesh_max_inactivity=300
157
158# cert_in_cb - Whether to include a peer certificate dump in events
159# This controls whether peer certificates for authentication server and
160# its certificate chain are included in EAP peer certificate events. This is
161# enabled by default.
162#cert_in_cb=1
163
164# EAP fast re-authentication
165# By default, fast re-authentication is enabled for all EAP methods that
166# support it. This variable can be used to disable fast re-authentication.
167# Normally, there is no need to disable this.
168fast_reauth=1
169
170# OpenSSL Engine support
171# These options can be used to load OpenSSL engines.
172# The two engines that are supported currently are shown below:
173# They are both from the opensc project (http://www.opensc.org/)
174# By default no engines are loaded.
175# make the opensc engine available
176#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
177# make the pkcs11 engine available
178#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
179# configure the path to the pkcs11 module required by the pkcs11 engine
180#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
181
182# OpenSSL cipher string
183#
184# This is an OpenSSL specific configuration option for configuring the default
185# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.
186# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation
187# on cipher suite configuration. This is applicable only if wpa_supplicant is
188# built to use OpenSSL.
189#openssl_ciphers=DEFAULT:!EXP:!LOW
190
191
192# Dynamic EAP methods
193# If EAP methods were built dynamically as shared object files, they need to be
194# loaded here before being used in the network blocks. By default, EAP methods
195# are included statically in the build, so these lines are not needed
196#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
197#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
198
199# Driver interface parameters
200# This field can be used to configure arbitrary driver interace parameters. The
201# format is specific to the selected driver interface. This field is not used
202# in most cases.
203#driver_param="field=value"
204
205# Country code
206# The ISO/IEC alpha2 country code for the country in which this device is
207# currently operating.
208#country=US
209
210# Maximum lifetime for PMKSA in seconds; default 43200
211#dot11RSNAConfigPMKLifetime=43200
212# Threshold for reauthentication (percentage of PMK lifetime); default 70
213#dot11RSNAConfigPMKReauthThreshold=70
214# Timeout for security association negotiation in seconds; default 60
215#dot11RSNAConfigSATimeout=60
216
217# Wi-Fi Protected Setup (WPS) parameters
218
219# Universally Unique IDentifier (UUID; see RFC 4122) of the device
220# If not configured, UUID will be generated based on the local MAC address.
221#uuid=12345678-9abc-def0-1234-56789abcdef0
222
223# Device Name
224# User-friendly description of device; up to 32 octets encoded in UTF-8
225#device_name=Wireless Client
226
227# Manufacturer
228# The manufacturer of the device (up to 64 ASCII characters)
229#manufacturer=Company
230
231# Model Name
232# Model of the device (up to 32 ASCII characters)
233#model_name=cmodel
234
235# Model Number
236# Additional device description (up to 32 ASCII characters)
237#model_number=123
238
239# Serial Number
240# Serial number of the device (up to 32 characters)
241#serial_number=12345
242
243# Primary Device Type
244# Used format: <categ>-<OUI>-<subcateg>
245# categ = Category as an integer value
246# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
247#       default WPS OUI
248# subcateg = OUI-specific Sub Category as an integer value
249# Examples:
250#   1-0050F204-1 (Computer / PC)
251#   1-0050F204-2 (Computer / Server)
252#   5-0050F204-1 (Storage / NAS)
253#   6-0050F204-1 (Network Infrastructure / AP)
254#device_type=1-0050F204-1
255
256# OS Version
257# 4-octet operating system version number (hex string)
258#os_version=01020300
259
260# Config Methods
261# List of the supported configuration methods
262# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
263#	nfc_interface push_button keypad virtual_display physical_display
264#	virtual_push_button physical_push_button
265# For WSC 1.0:
266#config_methods=label display push_button keypad
267# For WSC 2.0:
268#config_methods=label virtual_display virtual_push_button keypad
269
270# Credential processing
271#   0 = process received credentials internally (default)
272#   1 = do not process received credentials; just pass them over ctrl_iface to
273#	external program(s)
274#   2 = process received credentials internally and pass them over ctrl_iface
275#	to external program(s)
276#wps_cred_processing=0
277
278# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
279# The vendor attribute contents to be added in M1 (hex string)
280#wps_vendor_ext_m1=000137100100020001
281
282# NFC password token for WPS
283# These parameters can be used to configure a fixed NFC password token for the
284# station. This can be generated, e.g., with nfc_pw_token. When these
285# parameters are used, the station is assumed to be deployed with a NFC tag
286# that includes the matching NFC password token (e.g., written based on the
287# NDEF record from nfc_pw_token).
288#
289#wps_nfc_dev_pw_id: Device Password ID (16..65535)
290#wps_nfc_dh_pubkey: Hexdump of DH Public Key
291#wps_nfc_dh_privkey: Hexdump of DH Private Key
292#wps_nfc_dev_pw: Hexdump of Device Password
293
294# Priority for the networks added through WPS
295# This priority value will be set to each network profile that is added
296# by executing the WPS protocol.
297#wps_priority=0
298
299# Maximum number of BSS entries to keep in memory
300# Default: 200
301# This can be used to limit memory use on the BSS entries (cached scan
302# results). A larger value may be needed in environments that have huge number
303# of APs when using ap_scan=1 mode.
304#bss_max_count=200
305
306# Automatic scan
307# This is an optional set of parameters for automatic scanning
308# within an interface in following format:
309#autoscan=<autoscan module name>:<module parameters>
310# autoscan is like bgscan but on disconnected or inactive state.
311# For instance, on exponential module parameters would be <base>:<limit>
312#autoscan=exponential:3:300
313# Which means a delay between scans on a base exponential of 3,
314# up to the limit of 300 seconds (3, 9, 27 ... 300)
315# For periodic module, parameters would be <fixed interval>
316#autoscan=periodic:30
317# So a delay of 30 seconds will be applied between each scan.
318# Note: If sched_scan_plans are configured and supported by the driver,
319# autoscan is ignored.
320
321# filter_ssids - SSID-based scan result filtering
322# 0 = do not filter scan results (default)
323# 1 = only include configured SSIDs in scan results/BSS table
324#filter_ssids=0
325
326# Password (and passphrase, etc.) backend for external storage
327# format: <backend name>[:<optional backend parameters>]
328#ext_password_backend=test:pw1=password|pw2=testing
329
330
331# Disable P2P functionality
332# p2p_disabled=1
333
334# Timeout in seconds to detect STA inactivity (default: 300 seconds)
335#
336# This timeout value is used in P2P GO mode to clean up
337# inactive stations.
338#p2p_go_max_inactivity=300
339
340# Passphrase length (8..63) for P2P GO
341#
342# This parameter controls the length of the random passphrase that is
343# generated at the GO. Default: 8.
344#p2p_passphrase_len=8
345
346# Extra delay between concurrent P2P search iterations
347#
348# This value adds extra delay in milliseconds between concurrent search
349# iterations to make p2p_find friendlier to concurrent operations by avoiding
350# it from taking 100% of radio resources. The default value is 500 ms.
351#p2p_search_delay=500
352
353# Opportunistic Key Caching (also known as Proactive Key Caching) default
354# This parameter can be used to set the default behavior for the
355# proactive_key_caching parameter. By default, OKC is disabled unless enabled
356# with the global okc=1 parameter or with the per-network
357# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
358# can be disabled with per-network proactive_key_caching=0 parameter.
359#okc=0
360
361# Protected Management Frames default
362# This parameter can be used to set the default behavior for the ieee80211w
363# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2
364# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF
365# is enabled/required by default, but can be disabled with the per-network
366# ieee80211w parameter.
367#pmf=0
368
369# Enabled SAE finite cyclic groups in preference order
370# By default (if this parameter is not set), the mandatory group 19 (ECC group
371# defined over a 256-bit prime order field) is preferred, but other groups are
372# also enabled. If this parameter is set, the groups will be tried in the
373# indicated order. The group values are listed in the IANA registry:
374# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
375#sae_groups=21 20 19 26 25
376
377# Default value for DTIM period (if not overridden in network block)
378#dtim_period=2
379
380# Default value for Beacon interval (if not overridden in network block)
381#beacon_int=100
382
383# Additional vendor specific elements for Beacon and Probe Response frames
384# This parameter can be used to add additional vendor specific element(s) into
385# the end of the Beacon and Probe Response frames. The format for these
386# element(s) is a hexdump of the raw information elements (id+len+payload for
387# one or more elements). This is used in AP and P2P GO modes.
388#ap_vendor_elements=dd0411223301
389
390# Ignore scan results older than request
391#
392# The driver may have a cache of scan results that makes it return
393# information that is older than our scan trigger. This parameter can
394# be used to configure such old information to be ignored instead of
395# allowing it to update the internal BSS table.
396#ignore_old_scan_res=0
397
398# scan_cur_freq: Whether to scan only the current frequency
399# 0:  Scan all available frequencies. (Default)
400# 1:  Scan current operating frequency if another VIF on the same radio
401#     is already associated.
402
403# MAC address policy default
404# 0 = use permanent MAC address
405# 1 = use random MAC address for each ESS connection
406# 2 = like 1, but maintain OUI (with local admin bit set)
407#
408# By default, permanent MAC address is used unless policy is changed by
409# the per-network mac_addr parameter. Global mac_addr=1 can be used to
410# change this default behavior.
411#mac_addr=0
412
413# Lifetime of random MAC address in seconds (default: 60)
414#rand_addr_lifetime=60
415
416# MAC address policy for pre-association operations (scanning, ANQP)
417# 0 = use permanent MAC address
418# 1 = use random MAC address
419# 2 = like 1, but maintain OUI (with local admin bit set)
420#preassoc_mac_addr=0
421
422# Interworking (IEEE 802.11u)
423
424# Enable Interworking
425# interworking=1
426
427# Homogenous ESS identifier
428# If this is set, scans will be used to request response only from BSSes
429# belonging to the specified Homogeneous ESS. This is used only if interworking
430# is enabled.
431# hessid=00:11:22:33:44:55
432
433# Automatic network selection behavior
434# 0 = do not automatically go through Interworking network selection
435#     (i.e., require explicit interworking_select command for this; default)
436# 1 = perform Interworking network selection if one or more
437#     credentials have been configured and scan did not find a
438#     matching network block
439#auto_interworking=0
440
441# credential block
442#
443# Each credential used for automatic network selection is configured as a set
444# of parameters that are compared to the information advertised by the APs when
445# interworking_select and interworking_connect commands are used.
446#
447# credential fields:
448#
449# temporary: Whether this credential is temporary and not to be saved
450#
451# priority: Priority group
452#	By default, all networks and credentials get the same priority group
453#	(0). This field can be used to give higher priority for credentials
454#	(and similarly in struct wpa_ssid for network blocks) to change the
455#	Interworking automatic networking selection behavior. The matching
456#	network (based on either an enabled network block or a credential)
457#	with the highest priority value will be selected.
458#
459# pcsc: Use PC/SC and SIM/USIM card
460#
461# realm: Home Realm for Interworking
462#
463# username: Username for Interworking network selection
464#
465# password: Password for Interworking network selection
466#
467# ca_cert: CA certificate for Interworking network selection
468#
469# client_cert: File path to client certificate file (PEM/DER)
470#	This field is used with Interworking networking selection for a case
471#	where client certificate/private key is used for authentication
472#	(EAP-TLS). Full path to the file should be used since working
473#	directory may change when wpa_supplicant is run in the background.
474#
475#	Alternatively, a named configuration blob can be used by setting
476#	this to blob://blob_name.
477#
478# private_key: File path to client private key file (PEM/DER/PFX)
479#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
480#	commented out. Both the private key and certificate will be read
481#	from the PKCS#12 file in this case. Full path to the file should be
482#	used since working directory may change when wpa_supplicant is run
483#	in the background.
484#
485#	Windows certificate store can be used by leaving client_cert out and
486#	configuring private_key in one of the following formats:
487#
488#	cert://substring_to_match
489#
490#	hash://certificate_thumbprint_in_hex
491#
492#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
493#
494#	Note that when running wpa_supplicant as an application, the user
495#	certificate store (My user account) is used, whereas computer store
496#	(Computer account) is used when running wpasvc as a service.
497#
498#	Alternatively, a named configuration blob can be used by setting
499#	this to blob://blob_name.
500#
501# private_key_passwd: Password for private key file
502#
503# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
504#
505# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
506#	format
507#
508# domain: Home service provider FQDN(s)
509#	This is used to compare against the Domain Name List to figure out
510#	whether the AP is operated by the Home SP. Multiple domain entries can
511#	be used to configure alternative FQDNs that will be considered home
512#	networks.
513#
514# roaming_consortium: Roaming Consortium OI
515#	If roaming_consortium_len is non-zero, this field contains the
516#	Roaming Consortium OI that can be used to determine which access
517#	points support authentication with this credential. This is an
518#	alternative to the use of the realm parameter. When using Roaming
519#	Consortium to match the network, the EAP parameters need to be
520#	pre-configured with the credential since the NAI Realm information
521#	may not be available or fetched.
522#
523# eap: Pre-configured EAP method
524#	This optional field can be used to specify which EAP method will be
525#	used with this credential. If not set, the EAP method is selected
526#	automatically based on ANQP information (e.g., NAI Realm).
527#
528# phase1: Pre-configure Phase 1 (outer authentication) parameters
529#	This optional field is used with like the 'eap' parameter.
530#
531# phase2: Pre-configure Phase 2 (inner authentication) parameters
532#	This optional field is used with like the 'eap' parameter.
533#
534# excluded_ssid: Excluded SSID
535#	This optional field can be used to excluded specific SSID(s) from
536#	matching with the network. Multiple entries can be used to specify more
537#	than one SSID.
538#
539# roaming_partner: Roaming partner information
540#	This optional field can be used to configure preferences between roaming
541#	partners. The field is a string in following format:
542#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>
543#	(non-exact match means any subdomain matches the entry; priority is in
544#	0..255 range with 0 being the highest priority)
545#
546# update_identifier: PPS MO ID
547#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
548#
549# provisioning_sp: FQDN of the SP that provisioned the credential
550#	This optional field can be used to keep track of the SP that provisioned
551#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).
552#
553# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)
554#	These fields can be used to specify minimum download/upload backhaul
555#	bandwidth that is preferred for the credential. This constraint is
556#	ignored if the AP does not advertise WAN Metrics information or if the
557#	limit would prevent any connection. Values are in kilobits per second.
558# min_dl_bandwidth_home
559# min_ul_bandwidth_home
560# min_dl_bandwidth_roaming
561# min_ul_bandwidth_roaming
562#
563# max_bss_load: Maximum BSS Load Channel Utilization (1..255)
564#	(PPS/<X+>/Policy/MaximumBSSLoadValue)
565#	This value is used as the maximum channel utilization for network
566#	selection purposes for home networks. If the AP does not advertise
567#	BSS Load or if the limit would prevent any connection, this constraint
568#	will be ignored.
569#
570# req_conn_capab: Required connection capability
571#	(PPS/<X+>/Policy/RequiredProtoPortTuple)
572#	This value is used to configure set of required protocol/port pairs that
573#	a roaming network shall support (include explicitly in Connection
574#	Capability ANQP element). This constraint is ignored if the AP does not
575#	advertise Connection Capability or if this constraint would prevent any
576#	network connection. This policy is not used in home networks.
577#	Format: <protocol>[:<comma-separated list of ports]
578#	Multiple entries can be used to list multiple requirements.
579#	For example, number of common TCP protocols:
580#	req_conn_capab=6,22,80,443
581#	For example, IPSec/IKE:
582#	req_conn_capab=17:500
583#	req_conn_capab=50
584#
585# ocsp: Whether to use/require OCSP to check server certificate
586#	0 = do not use OCSP stapling (TLS certificate status extension)
587#	1 = try to use OCSP stapling, but not require response
588#	2 = require valid OCSP stapling response
589#	3 = require valid OCSP stapling response for all not-trusted
590#	    certificates in the server certificate chain
591#
592# sim_num: Identifier for which SIM to use in multi-SIM devices
593#
594# for example:
595#
596#cred={
597#	realm="example.com"
598#	username="user@example.com"
599#	password="password"
600#	ca_cert="/etc/wpa_supplicant/ca.pem"
601#	domain="example.com"
602#}
603#
604#cred={
605#	imsi="310026-000000000"
606#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
607#}
608#
609#cred={
610#	realm="example.com"
611#	username="user"
612#	password="password"
613#	ca_cert="/etc/wpa_supplicant/ca.pem"
614#	domain="example.com"
615#	roaming_consortium=223344
616#	eap=TTLS
617#	phase2="auth=MSCHAPV2"
618#}
619
620# Hotspot 2.0
621# hs20=1
622
623# Scheduled scan plans
624#
625# A space delimited list of scan plans. Each scan plan specifies the scan
626# interval and number of iterations, delimited by a colon. The last scan plan
627# will run infinitely and thus must specify only the interval and not the number
628# of iterations.
629#
630# The driver advertises the maximum number of scan plans supported. If more scan
631# plans than supported are configured, only the first ones are set (up to the
632# maximum supported). The last scan plan that specifies only the interval is
633# always set as the last plan.
634#
635# If the scan interval or the number of iterations for a scan plan exceeds the
636# maximum supported, it will be set to the maximum supported value.
637#
638# Format:
639# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>
640#
641# Example:
642# sched_scan_plans=10:100 20:200 30
643
644# Multi Band Operation (MBO) non-preferred channels
645# A space delimited list of non-preferred channels where each channel is a colon
646# delimited list of values. Reason detail is optional.
647# Format:
648# non_pref_chan=<oper_class>:<chan>:<preference>:<reason>[:reason_detail]
649# Example:
650# non_pref_chan="81:5:10:2:0 81:1:0:2:0 81:9:0:2"
651
652# MBO Cellular Data Capabilities
653# 1 = Cellular data connection available
654# 2 = Cellular data connection not available
655# 3 = Not cellular capable (default)
656#mbo_cell_capa=3
657
658# network block
659#
660# Each network (usually AP's sharing the same SSID) is configured as a separate
661# block in this configuration file. The network blocks are in preference order
662# (the first match is used).
663#
664# network block fields:
665#
666# disabled:
667#	0 = this network can be used (default)
668#	1 = this network block is disabled (can be enabled through ctrl_iface,
669#	    e.g., with wpa_cli or wpa_gui)
670#
671# id_str: Network identifier string for external scripts. This value is passed
672#	to external action script through wpa_cli as WPA_ID_STR environment
673#	variable to make it easier to do network specific configuration.
674#
675# ssid: SSID (mandatory); network name in one of the optional formats:
676#	- an ASCII string with double quotation
677#	- a hex string (two characters per octet of SSID)
678#	- a printf-escaped ASCII string P"<escaped string>"
679#
680# scan_ssid:
681#	0 = do not scan this SSID with specific Probe Request frames (default)
682#	1 = scan with SSID-specific Probe Request frames (this can be used to
683#	    find APs that do not accept broadcast SSID or use multiple SSIDs;
684#	    this will add latency to scanning, so enable this only when needed)
685#
686# bssid: BSSID (optional); if set, this network block is used only when
687#	associating with the AP using the configured BSSID
688#
689# priority: priority group (integer)
690# By default, all networks will get same priority group (0). If some of the
691# networks are more desirable, this field can be used to change the order in
692# which wpa_supplicant goes through the networks when selecting a BSS. The
693# priority groups will be iterated in decreasing priority (i.e., the larger the
694# priority value, the sooner the network is matched against the scan results).
695# Within each priority group, networks will be selected based on security
696# policy, signal strength, etc.
697# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
698# using this priority to select the order for scanning. Instead, they try the
699# networks in the order that used in the configuration file.
700#
701# mode: IEEE 802.11 operation mode
702# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
703# 1 = IBSS (ad-hoc, peer-to-peer)
704# 2 = AP (access point)
705# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
706# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
707# TKIP/CCMP) is available for backwards compatibility, but its use is
708# deprecated. WPA-None requires following network block options:
709# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
710# both), and psk must also be set.
711#
712# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
713# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
714# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
715# In addition, this value is only used by the station that creates the IBSS. If
716# an IBSS network with the configured SSID is already present, the frequency of
717# the network will be used instead of this configured value.
718#
719# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.
720# Used together with mode configuration. When mode is AP, it means to start a
721# PCP instead of a regular AP. When mode is infrastructure it means connect
722# to a PCP instead of AP. P2P_GO and P2P_GROUP_FORMATION modes must use PBSS
723# in IEEE 802.11ad network.
724# For more details, see IEEE Std 802.11ad-2012.
725#
726# scan_freq: List of frequencies to scan
727# Space-separated list of frequencies in MHz to scan when searching for this
728# BSS. If the subset of channels used by the network is known, this option can
729# be used to optimize scanning to not occur on channels that the network does
730# not use. Example: scan_freq=2412 2437 2462
731#
732# freq_list: Array of allowed frequencies
733# Space-separated list of frequencies in MHz to allow for selecting the BSS. If
734# set, scan results that do not match any of the specified frequencies are not
735# considered when selecting a BSS.
736#
737# This can also be set on the outside of the network block. In this case,
738# it limits the frequencies that will be scanned.
739#
740# bgscan: Background scanning
741# wpa_supplicant behavior for background scanning can be specified by
742# configuring a bgscan module. These modules are responsible for requesting
743# background scans for the purpose of roaming within an ESS (i.e., within a
744# single network block with all the APs using the same SSID). The bgscan
745# parameter uses following format: "<bgscan module name>:<module parameters>"
746# Following bgscan modules are available:
747# simple - Periodic background scans based on signal strength
748# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
749# <long interval>"
750# bgscan="simple:30:-45:300"
751# learn - Learn channels used by the network and try to avoid bgscans on other
752# channels (experimental)
753# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
754# <long interval>[:<database file name>]"
755# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
756# Explicitly disable bgscan by setting
757# bgscan=""
758#
759# This option can also be set outside of all network blocks for the bgscan
760# parameter to apply for all the networks that have no specific bgscan
761# parameter.
762#
763# proto: list of accepted protocols
764# WPA = WPA/IEEE 802.11i/D3.0
765# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
766# If not set, this defaults to: WPA RSN
767#
768# key_mgmt: list of accepted authenticated key management protocols
769# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
770# WPA-EAP = WPA using EAP authentication
771# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
772#	generated WEP keys
773# NONE = WPA is not used; plaintext or static WEP could be used
774# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
775#	instead)
776# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
777# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
778# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
779# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
780# SAE = Simultaneous authentication of equals; pre-shared key/password -based
781#	authentication with stronger security than WPA-PSK especially when using
782#	not that strong password
783# FT-SAE = SAE with FT
784# WPA-EAP-SUITE-B = Suite B 128-bit level
785# WPA-EAP-SUITE-B-192 = Suite B 192-bit level
786# OSEN = Hotspot 2.0 Rel 2 online signup connection
787# If not set, this defaults to: WPA-PSK WPA-EAP
788#
789# ieee80211w: whether management frame protection is enabled
790# 0 = disabled (default unless changed with the global pmf parameter)
791# 1 = optional
792# 2 = required
793# The most common configuration options for this based on the PMF (protected
794# management frames) certification program are:
795# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
796# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
797# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
798#
799# auth_alg: list of allowed IEEE 802.11 authentication algorithms
800# OPEN = Open System authentication (required for WPA/WPA2)
801# SHARED = Shared Key authentication (requires static WEP keys)
802# LEAP = LEAP/Network EAP (only used with LEAP)
803# If not set, automatic selection is used (Open System with LEAP enabled if
804# LEAP is allowed as one of the EAP methods).
805#
806# pairwise: list of accepted pairwise (unicast) ciphers for WPA
807# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
808# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
809# NONE = Use only Group Keys (deprecated, should not be included if APs support
810#	pairwise keys)
811# If not set, this defaults to: CCMP TKIP
812#
813# group: list of accepted group (broadcast/multicast) ciphers for WPA
814# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
815# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
816# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
817# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
818# If not set, this defaults to: CCMP TKIP WEP104 WEP40
819#
820# psk: WPA preshared key; 256-bit pre-shared key
821# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
822# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
823# generated using the passphrase and SSID). ASCII passphrase must be between
824# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
825# be used to indicate that the PSK/passphrase is stored in external storage.
826# This field is not needed, if WPA-EAP is used.
827# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
828# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
829# startup and reconfiguration time can be optimized by generating the PSK only
830# only when the passphrase or SSID has actually changed.
831#
832# mem_only_psk: Whether to keep PSK/passphrase only in memory
833# 0 = allow psk/passphrase to be stored to the configuration file
834# 1 = do not store psk/passphrase to the configuration file
835#mem_only_psk=0
836#
837# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
838# Dynamic WEP key required for non-WPA mode
839# bit0 (1): require dynamically generated unicast WEP key
840# bit1 (2): require dynamically generated broadcast WEP key
841# 	(3 = require both keys; default)
842# Note: When using wired authentication (including macsec_qca driver),
843# eapol_flags must be set to 0 for the authentication to be completed
844# successfully.
845#
846# macsec_policy: IEEE 802.1X/MACsec options
847# This determines how sessions are secured with MACsec. It is currently
848# applicable only when using the macsec_qca driver interface.
849# 0: MACsec not in use (default)
850# 1: MACsec enabled - Should secure, accept key server's advice to
851#    determine whether to use a secure session or not.
852#
853# mixed_cell: This option can be used to configure whether so called mixed
854# cells, i.e., networks that use both plaintext and encryption in the same
855# SSID, are allowed when selecting a BSS from scan results.
856# 0 = disabled (default)
857# 1 = enabled
858#
859# proactive_key_caching:
860# Enable/disable opportunistic PMKSA caching for WPA2.
861# 0 = disabled (default unless changed with the global okc parameter)
862# 1 = enabled
863#
864# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
865# hex without quotation, e.g., 0102030405)
866# wep_tx_keyidx: Default WEP key index (TX) (0..3)
867#
868# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
869# allowed. This is only used with RSN/WPA2.
870# 0 = disabled (default)
871# 1 = enabled
872#peerkey=1
873#
874# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
875# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
876#
877# Following fields are only used with internal EAP implementation.
878# eap: space-separated list of accepted EAP methods
879#	MD5 = EAP-MD5 (unsecure and does not generate keying material ->
880#			cannot be used with WPA; to be used as a Phase 2 method
881#			with EAP-PEAP or EAP-TTLS)
882#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
883#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
884#       OTP = EAP-OTP (cannot be used separately with WPA; to be used
885#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
886#       GTC = EAP-GTC (cannot be used separately with WPA; to be used
887#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
888#	TLS = EAP-TLS (client and server certificate)
889#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
890#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
891#			 authentication)
892#	If not set, all compiled in methods are allowed.
893#
894# identity: Identity string for EAP
895#	This field is also used to configure user NAI for
896#	EAP-PSK/PAX/SAKE/GPSK.
897# anonymous_identity: Anonymous identity string for EAP (to be used as the
898#	unencrypted identity with EAP types that support different tunnelled
899#	identity, e.g., EAP-TTLS). This field can also be used with
900#	EAP-SIM/AKA/AKA' to store the pseudonym identity.
901# password: Password string for EAP. This field can include either the
902#	plaintext password (using ASCII or hex string) or a NtPasswordHash
903#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.
904#	NtPasswordHash can only be used when the password is for MSCHAPv2 or
905#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
906#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
907#	PSK) is also configured using this field. For EAP-GPSK, this is a
908#	variable length PSK. ext:<name of external password field> format can
909#	be used to indicate that the password is stored in external storage.
910# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
911#	or more trusted CA certificates. If ca_cert and ca_path are not
912#	included, server certificate will not be verified. This is insecure and
913#	a trusted CA certificate should always be configured when using
914#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
915#	change when wpa_supplicant is run in the background.
916#
917#	Alternatively, this can be used to only perform matching of the server
918#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In
919#	this case, the possible CA certificates in the server certificate chain
920#	are ignored and only the server certificate is verified. This is
921#	configured with the following format:
922#	hash:://server/sha256/cert_hash_in_hex
923#	For example: "hash://server/sha256/
924#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
925#
926#	On Windows, trusted CA certificates can be loaded from the system
927#	certificate store by setting this to cert_store://<name>, e.g.,
928#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
929#	Note that when running wpa_supplicant as an application, the user
930#	certificate store (My user account) is used, whereas computer store
931#	(Computer account) is used when running wpasvc as a service.
932# ca_path: Directory path for CA certificate files (PEM). This path may
933#	contain multiple CA certificates in OpenSSL format. Common use for this
934#	is to point to system trusted CA list which is often installed into
935#	directory like /etc/ssl/certs. If configured, these certificates are
936#	added to the list of trusted CAs. ca_cert may also be included in that
937#	case, but it is not required.
938# client_cert: File path to client certificate file (PEM/DER)
939#	Full path should be used since working directory may change when
940#	wpa_supplicant is run in the background.
941#	Alternatively, a named configuration blob can be used by setting this
942#	to blob://<blob name>.
943# private_key: File path to client private key file (PEM/DER/PFX)
944#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
945#	commented out. Both the private key and certificate will be read from
946#	the PKCS#12 file in this case. Full path should be used since working
947#	directory may change when wpa_supplicant is run in the background.
948#	Windows certificate store can be used by leaving client_cert out and
949#	configuring private_key in one of the following formats:
950#	cert://substring_to_match
951#	hash://certificate_thumbprint_in_hex
952#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
953#	Note that when running wpa_supplicant as an application, the user
954#	certificate store (My user account) is used, whereas computer store
955#	(Computer account) is used when running wpasvc as a service.
956#	Alternatively, a named configuration blob can be used by setting this
957#	to blob://<blob name>.
958# private_key_passwd: Password for private key file (if left out, this will be
959#	asked through control interface)
960# dh_file: File path to DH/DSA parameters file (in PEM format)
961#	This is an optional configuration file for setting parameters for an
962#	ephemeral DH key exchange. In most cases, the default RSA
963#	authentication does not use this configuration. However, it is possible
964#	setup RSA to use ephemeral DH key exchange. In addition, ciphers with
965#	DSA keys always use ephemeral DH keys. This can be used to achieve
966#	forward secrecy. If the file is in DSA parameters format, it will be
967#	automatically converted into DH params.
968# subject_match: Substring to be matched against the subject of the
969#	authentication server certificate. If this string is set, the server
970#	sertificate is only accepted if it contains this string in the subject.
971#	The subject string is in following format:
972#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
973#	Note: Since this is a substring match, this cannot be used securily to
974#	do a suffix match against a possible domain name in the CN entry. For
975#	such a use case, domain_suffix_match or domain_match should be used
976#	instead.
977# altsubject_match: Semicolon separated string of entries to be matched against
978#	the alternative subject name of the authentication server certificate.
979#	If this string is set, the server sertificate is only accepted if it
980#	contains one of the entries in an alternative subject name extension.
981#	altSubjectName string is in following format: TYPE:VALUE
982#	Example: EMAIL:server@example.com
983#	Example: DNS:server.example.com;DNS:server2.example.com
984#	Following types are supported: EMAIL, DNS, URI
985# domain_suffix_match: Constraint for server domain name. If set, this FQDN is
986#	used as a suffix match requirement for the AAAserver certificate in
987#	SubjectAltName dNSName element(s). If a matching dNSName is found, this
988#	constraint is met. If no dNSName values are present, this constraint is
989#	matched against SubjectName CN using same suffix match comparison.
990#
991#	Suffix match here means that the host/domain name is compared one label
992#	at a time starting from the top-level domain and all the labels in
993#	domain_suffix_match shall be included in the certificate. The
994#	certificate may include additional sub-level labels in addition to the
995#	required labels.
996#
997#	For example, domain_suffix_match=example.com would match
998#	test.example.com but would not match test-example.com.
999# domain_match: Constraint for server domain name
1000#	If set, this FQDN is used as a full match requirement for the
1001#	server certificate in SubjectAltName dNSName element(s). If a
1002#	matching dNSName is found, this constraint is met. If no dNSName
1003#	values are present, this constraint is matched against SubjectName CN
1004#	using same full match comparison. This behavior is similar to
1005#	domain_suffix_match, but has the requirement of a full match, i.e.,
1006#	no subdomains or wildcard matches are allowed. Case-insensitive
1007#	comparison is used, so "Example.com" matches "example.com", but would
1008#	not match "test.Example.com".
1009# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
1010#	(string with field-value pairs, e.g., "peapver=0" or
1011#	"peapver=1 peaplabel=1")
1012#	'peapver' can be used to force which PEAP version (0 or 1) is used.
1013#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
1014#	to be used during key derivation when PEAPv1 or newer. Most existing
1015#	PEAPv1 implementation seem to be using the old label, "client EAP
1016#	encryption", and wpa_supplicant is now using that as the default value.
1017#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
1018#	interoperate with PEAPv1; see eap_testing.txt for more details.
1019#	'peap_outer_success=0' can be used to terminate PEAP authentication on
1020#	tunneled EAP-Success. This is required with some RADIUS servers that
1021#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
1022#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
1023#	include_tls_length=1 can be used to force wpa_supplicant to include
1024#	TLS Message Length field in all TLS messages even if they are not
1025#	fragmented.
1026#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
1027#	challenges (by default, it accepts 2 or 3)
1028#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
1029#	protected result indication.
1030#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
1031#	behavior:
1032#	 * 0 = do not use cryptobinding (default)
1033#	 * 1 = use cryptobinding if server supports it
1034#	 * 2 = require cryptobinding
1035#	EAP-WSC (WPS) uses following options: pin=<Device Password> or
1036#	pbc=1.
1037#
1038#	For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
1039#	used to configure a mode that allows EAP-Success (and EAP-Failure)
1040#	without going through authentication step. Some switches use such
1041#	sequence when forcing the port to be authorized/unauthorized or as a
1042#	fallback option if the authentication server is unreachable. By default,
1043#	wpa_supplicant discards such frames to protect against potential attacks
1044#	by rogue devices, but this option can be used to disable that protection
1045#	for cases where the server/authenticator does not need to be
1046#	authenticated.
1047# phase2: Phase2 (inner authentication with TLS tunnel) parameters
1048#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
1049#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
1050#	used to disable MSCHAPv2 password retry in authentication failure cases.
1051#
1052# TLS-based methods can use the following parameters to control TLS behavior
1053# (these are normally in the phase1 parameter, but can be used also in the
1054# phase2 parameter when EAP-TLS is used within the inner tunnel):
1055# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
1056#	TLS library, these may be disabled by default to enforce stronger
1057#	security)
1058# tls_disable_time_checks=1 - ignore certificate validity time (this requests
1059#	the TLS library to accept certificates even if they are not currently
1060#	valid, i.e., have expired or have not yet become valid; this should be
1061#	used only for testing purposes)
1062# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
1063# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
1064#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
1065#	as a workaround for broken authentication server implementations unless
1066#	EAP workarounds are disabled with eap_workaround=0.
1067#	For EAP-FAST, this must be set to 0 (or left unconfigured for the
1068#	default value to be used automatically).
1069# tls_disable_tlsv1_0=1 - disable use of TLSv1.0
1070# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers
1071#	that have issues interoperating with updated TLS version)
1072# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers
1073#	that have issues interoperating with updated TLS version)
1074# tls_ext_cert_check=0 - No external server certificate validation (default)
1075# tls_ext_cert_check=1 - External server certificate validation enabled; this
1076#	requires an external program doing validation of server certificate
1077#	chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control
1078#	interface and report the result of the validation with
1079#	CTRL-RSP_EXT_CERT_CHECK.
1080#
1081# Following certificate/private key fields are used in inner Phase2
1082# authentication when using EAP-TTLS or EAP-PEAP.
1083# ca_cert2: File path to CA certificate file. This file can have one or more
1084#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,
1085#	server certificate will not be verified. This is insecure and a trusted
1086#	CA certificate should always be configured.
1087# ca_path2: Directory path for CA certificate files (PEM)
1088# client_cert2: File path to client certificate file
1089# private_key2: File path to client private key file
1090# private_key2_passwd: Password for private key file
1091# dh_file2: File path to DH/DSA parameters file (in PEM format)
1092# subject_match2: Substring to be matched against the subject of the
1093#	authentication server certificate. See subject_match for more details.
1094# altsubject_match2: Semicolon separated string of entries to be matched
1095#	against the alternative subject name of the authentication server
1096#	certificate. See altsubject_match documentation for more details.
1097# domain_suffix_match2: Constraint for server domain name. See
1098#	domain_suffix_match for more details.
1099#
1100# fragment_size: Maximum EAP fragment size in bytes (default 1398).
1101#	This value limits the fragment size for EAP methods that support
1102#	fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
1103#	small enough to make the EAP messages fit in MTU of the network
1104#	interface used for EAPOL. The default value is suitable for most
1105#	cases.
1106#
1107# ocsp: Whether to use/require OCSP to check server certificate
1108#	0 = do not use OCSP stapling (TLS certificate status extension)
1109#	1 = try to use OCSP stapling, but not require response
1110#	2 = require valid OCSP stapling response
1111#	3 = require valid OCSP stapling response for all not-trusted
1112#	    certificates in the server certificate chain
1113#
1114# openssl_ciphers: OpenSSL specific cipher configuration
1115#	This can be used to override the global openssl_ciphers configuration
1116#	parameter (see above).
1117#
1118# erp: Whether EAP Re-authentication Protocol (ERP) is enabled
1119#
1120# EAP-FAST variables:
1121# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
1122#	to create this file and write updates to it when PAC is being
1123#	provisioned or refreshed. Full path to the file should be used since
1124#	working directory may change when wpa_supplicant is run in the
1125#	background. Alternatively, a named configuration blob can be used by
1126#	setting this to blob://<blob name>
1127# phase1: fast_provisioning option can be used to enable in-line provisioning
1128#         of EAP-FAST credentials (PAC):
1129#         0 = disabled,
1130#         1 = allow unauthenticated provisioning,
1131#         2 = allow authenticated provisioning,
1132#         3 = allow both unauthenticated and authenticated provisioning
1133#	fast_max_pac_list_len=<num> option can be used to set the maximum
1134#		number of PAC entries to store in a PAC list (default: 10)
1135#	fast_pac_format=binary option can be used to select binary format for
1136#		storing PAC entries in order to save some space (the default
1137#		text format uses about 2.5 times the size of minimal binary
1138#		format)
1139#
1140# wpa_supplicant supports number of "EAP workarounds" to work around
1141# interoperability issues with incorrectly behaving authentication servers.
1142# These are enabled by default because some of the issues are present in large
1143# number of authentication servers. Strict EAP conformance mode can be
1144# configured by disabling workarounds with eap_workaround=0.
1145
1146# update_identifier: PPS MO ID
1147#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)
1148
1149# Station inactivity limit
1150#
1151# If a station does not send anything in ap_max_inactivity seconds, an
1152# empty data frame is sent to it in order to verify whether it is
1153# still in range. If this frame is not ACKed, the station will be
1154# disassociated and then deauthenticated. This feature is used to
1155# clear station table of old entries when the STAs move out of the
1156# range.
1157#
1158# The station can associate again with the AP if it is still in range;
1159# this inactivity poll is just used as a nicer way of verifying
1160# inactivity; i.e., client will not report broken connection because
1161# disassociation frame is not sent immediately without first polling
1162# the STA with a data frame.
1163# default: 300 (i.e., 5 minutes)
1164#ap_max_inactivity=300
1165
1166# DTIM period in Beacon intervals for AP mode (default: 2)
1167#dtim_period=2
1168
1169# Beacon interval (default: 100 TU)
1170#beacon_int=100
1171
1172# MAC address policy
1173# 0 = use permanent MAC address
1174# 1 = use random MAC address for each ESS connection
1175# 2 = like 1, but maintain OUI (with local admin bit set)
1176#mac_addr=0
1177
1178# disable_ht: Whether HT (802.11n) should be disabled.
1179# 0 = HT enabled (if AP supports it)
1180# 1 = HT disabled
1181#
1182# disable_ht40: Whether HT-40 (802.11n) should be disabled.
1183# 0 = HT-40 enabled (if AP supports it)
1184# 1 = HT-40 disabled
1185#
1186# disable_sgi: Whether SGI (short guard interval) should be disabled.
1187# 0 = SGI enabled (if AP supports it)
1188# 1 = SGI disabled
1189#
1190# disable_ldpc: Whether LDPC should be disabled.
1191# 0 = LDPC enabled (if AP supports it)
1192# 1 = LDPC disabled
1193#
1194# ht40_intolerant: Whether 40 MHz intolerant should be indicated.
1195# 0 = 40 MHz tolerant (default)
1196# 1 = 40 MHz intolerant
1197#
1198# ht_mcs:  Configure allowed MCS rates.
1199#  Parsed as an array of bytes, in base-16 (ascii-hex)
1200# ht_mcs=""                                   // Use all available (default)
1201# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "   // Use MCS 0-7 only
1202# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "   // Use MCS 0-15 only
1203#
1204# disable_max_amsdu:  Whether MAX_AMSDU should be disabled.
1205# -1 = Do not make any changes.
1206# 0  = Enable MAX-AMSDU if hardware supports it.
1207# 1  = Disable AMSDU
1208#
1209# ampdu_factor: Maximum A-MPDU Length Exponent
1210# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009.
1211#
1212# ampdu_density:  Allow overriding AMPDU density configuration.
1213#  Treated as hint by the kernel.
1214# -1 = Do not make any changes.
1215# 0-3 = Set AMPDU density (aka factor) to specified value.
1216
1217# disable_vht: Whether VHT should be disabled.
1218# 0 = VHT enabled (if AP supports it)
1219# 1 = VHT disabled
1220#
1221# vht_capa: VHT capabilities to set in the override
1222# vht_capa_mask: mask of VHT capabilities
1223#
1224# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
1225# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
1226#  0: MCS 0-7
1227#  1: MCS 0-8
1228#  2: MCS 0-9
1229#  3: not supported
1230
1231##### Fast Session Transfer (FST) support #####################################
1232#
1233# The options in this section are only available when the build configuration
1234# option CONFIG_FST is set while compiling hostapd. They allow this interface
1235# to be a part of FST setup.
1236#
1237# FST is the transfer of a session from a channel to another channel, in the
1238# same or different frequency bands.
1239#
1240# For detals, see IEEE Std 802.11ad-2012.
1241
1242# Identifier of an FST Group  the interface belongs to.
1243#fst_group_id=bond0
1244
1245# Interface priority within the FST Group.
1246# Announcing a higher priority for an interface means declaring it more
1247# preferable for FST switch.
1248# fst_priority is in 1..255 range with 1 being the lowest priority.
1249#fst_priority=100
1250
1251# Default LLT value for this interface in milliseconds. The value used in case
1252# no value provided during session setup. Default is 50 msec.
1253# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2
1254# Transitioning between states).
1255#fst_llt=100
1256
1257# Example blocks:
1258
1259# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
1260network={
1261	ssid="simple"
1262	psk="very secret passphrase"
1263	priority=5
1264}
1265
1266# Same as previous, but request SSID-specific scanning (for APs that reject
1267# broadcast SSID)
1268network={
1269	ssid="second ssid"
1270	scan_ssid=1
1271	psk="very secret passphrase"
1272	priority=2
1273}
1274
1275# Only WPA-PSK is used. Any valid cipher combination is accepted.
1276network={
1277	ssid="example"
1278	proto=WPA
1279	key_mgmt=WPA-PSK
1280	pairwise=CCMP TKIP
1281	group=CCMP TKIP WEP104 WEP40
1282	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
1283	priority=2
1284}
1285
1286# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
1287network={
1288	ssid="example"
1289	proto=WPA
1290	key_mgmt=WPA-PSK
1291	pairwise=TKIP
1292	group=TKIP
1293	psk="not so secure passphrase"
1294	wpa_ptk_rekey=600
1295}
1296
1297# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
1298# or WEP40 as the group cipher will not be accepted.
1299network={
1300	ssid="example"
1301	proto=RSN
1302	key_mgmt=WPA-EAP
1303	pairwise=CCMP TKIP
1304	group=CCMP TKIP
1305	eap=TLS
1306	identity="user@example.com"
1307	ca_cert="/etc/cert/ca.pem"
1308	client_cert="/etc/cert/user.pem"
1309	private_key="/etc/cert/user.prv"
1310	private_key_passwd="password"
1311	priority=1
1312}
1313
1314# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
1315# (e.g., Radiator)
1316network={
1317	ssid="example"
1318	key_mgmt=WPA-EAP
1319	eap=PEAP
1320	identity="user@example.com"
1321	password="foobar"
1322	ca_cert="/etc/cert/ca.pem"
1323	phase1="peaplabel=1"
1324	phase2="auth=MSCHAPV2"
1325	priority=10
1326}
1327
1328# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
1329# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
1330network={
1331	ssid="example"
1332	key_mgmt=WPA-EAP
1333	eap=TTLS
1334	identity="user@example.com"
1335	anonymous_identity="anonymous@example.com"
1336	password="foobar"
1337	ca_cert="/etc/cert/ca.pem"
1338	priority=2
1339}
1340
1341# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
1342# use. Real identity is sent only within an encrypted TLS tunnel.
1343network={
1344	ssid="example"
1345	key_mgmt=WPA-EAP
1346	eap=TTLS
1347	identity="user@example.com"
1348	anonymous_identity="anonymous@example.com"
1349	password="foobar"
1350	ca_cert="/etc/cert/ca.pem"
1351	phase2="auth=MSCHAPV2"
1352}
1353
1354# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
1355# authentication.
1356network={
1357	ssid="example"
1358	key_mgmt=WPA-EAP
1359	eap=TTLS
1360	# Phase1 / outer authentication
1361	anonymous_identity="anonymous@example.com"
1362	ca_cert="/etc/cert/ca.pem"
1363	# Phase 2 / inner authentication
1364	phase2="autheap=TLS"
1365	ca_cert2="/etc/cert/ca2.pem"
1366	client_cert2="/etc/cer/user.pem"
1367	private_key2="/etc/cer/user.prv"
1368	private_key2_passwd="password"
1369	priority=2
1370}
1371
1372# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
1373# group cipher.
1374network={
1375	ssid="example"
1376	bssid=00:11:22:33:44:55
1377	proto=WPA RSN
1378	key_mgmt=WPA-PSK WPA-EAP
1379	pairwise=CCMP
1380	group=CCMP
1381	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
1382}
1383
1384# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
1385# and all valid ciphers.
1386network={
1387	ssid=00010203
1388	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
1389}
1390
1391
1392# EAP-SIM with a GSM SIM or USIM
1393network={
1394	ssid="eap-sim-test"
1395	key_mgmt=WPA-EAP
1396	eap=SIM
1397	pin="1234"
1398	pcsc=""
1399}
1400
1401
1402# EAP-PSK
1403network={
1404	ssid="eap-psk-test"
1405	key_mgmt=WPA-EAP
1406	eap=PSK
1407	anonymous_identity="eap_psk_user"
1408	password=06b4be19da289f475aa46a33cb793029
1409	identity="eap_psk_user@example.com"
1410}
1411
1412
1413# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
1414# EAP-TLS for authentication and key generation; require both unicast and
1415# broadcast WEP keys.
1416network={
1417	ssid="1x-test"
1418	key_mgmt=IEEE8021X
1419	eap=TLS
1420	identity="user@example.com"
1421	ca_cert="/etc/cert/ca.pem"
1422	client_cert="/etc/cert/user.pem"
1423	private_key="/etc/cert/user.prv"
1424	private_key_passwd="password"
1425	eapol_flags=3
1426}
1427
1428
1429# LEAP with dynamic WEP keys
1430network={
1431	ssid="leap-example"
1432	key_mgmt=IEEE8021X
1433	eap=LEAP
1434	identity="user"
1435	password="foobar"
1436}
1437
1438# EAP-IKEv2 using shared secrets for both server and peer authentication
1439network={
1440	ssid="ikev2-example"
1441	key_mgmt=WPA-EAP
1442	eap=IKEV2
1443	identity="user"
1444	password="foobar"
1445}
1446
1447# EAP-FAST with WPA (WPA or WPA2)
1448network={
1449	ssid="eap-fast-test"
1450	key_mgmt=WPA-EAP
1451	eap=FAST
1452	anonymous_identity="FAST-000102030405"
1453	identity="username"
1454	password="password"
1455	phase1="fast_provisioning=1"
1456	pac_file="/etc/wpa_supplicant.eap-fast-pac"
1457}
1458
1459network={
1460	ssid="eap-fast-test"
1461	key_mgmt=WPA-EAP
1462	eap=FAST
1463	anonymous_identity="FAST-000102030405"
1464	identity="username"
1465	password="password"
1466	phase1="fast_provisioning=1"
1467	pac_file="blob://eap-fast-pac"
1468}
1469
1470# Plaintext connection (no WPA, no IEEE 802.1X)
1471network={
1472	ssid="plaintext-test"
1473	key_mgmt=NONE
1474}
1475
1476
1477# Shared WEP key connection (no WPA, no IEEE 802.1X)
1478network={
1479	ssid="static-wep-test"
1480	key_mgmt=NONE
1481	wep_key0="abcde"
1482	wep_key1=0102030405
1483	wep_key2="1234567890123"
1484	wep_tx_keyidx=0
1485	priority=5
1486}
1487
1488
1489# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
1490# IEEE 802.11 authentication
1491network={
1492	ssid="static-wep-test2"
1493	key_mgmt=NONE
1494	wep_key0="abcde"
1495	wep_key1=0102030405
1496	wep_key2="1234567890123"
1497	wep_tx_keyidx=0
1498	priority=5
1499	auth_alg=SHARED
1500}
1501
1502
1503# IBSS/ad-hoc network with RSN
1504network={
1505	ssid="ibss-rsn"
1506	key_mgmt=WPA-PSK
1507	proto=RSN
1508	psk="12345678"
1509	mode=1
1510	frequency=2412
1511	pairwise=CCMP
1512	group=CCMP
1513}
1514
1515# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
1516network={
1517	ssid="test adhoc"
1518	mode=1
1519	frequency=2412
1520	proto=WPA
1521	key_mgmt=WPA-NONE
1522	pairwise=NONE
1523	group=TKIP
1524	psk="secret passphrase"
1525}
1526
1527# open mesh network
1528network={
1529	ssid="test mesh"
1530	mode=5
1531	frequency=2437
1532	key_mgmt=NONE
1533}
1534
1535# secure (SAE + AMPE) network
1536network={
1537	ssid="secure mesh"
1538	mode=5
1539	frequency=2437
1540	key_mgmt=SAE
1541	psk="very secret passphrase"
1542}
1543
1544
1545# Catch all example that allows more or less all configuration modes
1546network={
1547	ssid="example"
1548	scan_ssid=1
1549	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
1550	pairwise=CCMP TKIP
1551	group=CCMP TKIP WEP104 WEP40
1552	psk="very secret passphrase"
1553	eap=TTLS PEAP TLS
1554	identity="user@example.com"
1555	password="foobar"
1556	ca_cert="/etc/cert/ca.pem"
1557	client_cert="/etc/cert/user.pem"
1558	private_key="/etc/cert/user.prv"
1559	private_key_passwd="password"
1560	phase1="peaplabel=0"
1561}
1562
1563# Example of EAP-TLS with smartcard (openssl engine)
1564network={
1565	ssid="example"
1566	key_mgmt=WPA-EAP
1567	eap=TLS
1568	proto=RSN
1569	pairwise=CCMP TKIP
1570	group=CCMP TKIP
1571	identity="user@example.com"
1572	ca_cert="/etc/cert/ca.pem"
1573	client_cert="/etc/cert/user.pem"
1574
1575	engine=1
1576
1577	# The engine configured here must be available. Look at
1578	# OpenSSL engine support in the global section.
1579	# The key available through the engine must be the private key
1580	# matching the client certificate configured above.
1581
1582	# use the opensc engine
1583	#engine_id="opensc"
1584	#key_id="45"
1585
1586	# use the pkcs11 engine
1587	engine_id="pkcs11"
1588	key_id="id_45"
1589
1590	# Optional PIN configuration; this can be left out and PIN will be
1591	# asked through the control interface
1592	pin="1234"
1593}
1594
1595# Example configuration showing how to use an inlined blob as a CA certificate
1596# data instead of using external file
1597network={
1598	ssid="example"
1599	key_mgmt=WPA-EAP
1600	eap=TTLS
1601	identity="user@example.com"
1602	anonymous_identity="anonymous@example.com"
1603	password="foobar"
1604	ca_cert="blob://exampleblob"
1605	priority=20
1606}
1607
1608blob-base64-exampleblob={
1609SGVsbG8gV29ybGQhCg==
1610}
1611
1612
1613# Wildcard match for SSID (plaintext APs only). This example select any
1614# open AP regardless of its SSID.
1615network={
1616	key_mgmt=NONE
1617}
1618
1619# Example configuration blacklisting two APs - these will be ignored
1620# for this network.
1621network={
1622	ssid="example"
1623	psk="very secret passphrase"
1624	bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
1625}
1626
1627# Example configuration limiting AP selection to a specific set of APs;
1628# any other AP not matching the masked address will be ignored.
1629network={
1630	ssid="example"
1631	psk="very secret passphrase"
1632	bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
1633}
1634
1635# Example config file that will only scan on channel 36.
1636freq_list=5180
1637network={
1638	key_mgmt=NONE
1639}
1640
1641
1642# Example MACsec configuration
1643#network={
1644#	key_mgmt=IEEE8021X
1645#	eap=TTLS
1646#	phase2="auth=PAP"
1647#	anonymous_identity="anonymous@example.com"
1648#	identity="user@example.com"
1649#	password="secretr"
1650#	ca_cert="/etc/cert/ca.pem"
1651#	eapol_flags=0
1652#	macsec_policy=1
1653#}
1654