oasis-root

Compiled tree of Oasis Linux based on own branch at <https://hacktivis.me/git/oasis/> git clone https://anongit.hacktivis.me/git/oasis-root.git

wpa_supplicant.conf.5 (5729B)


.\" This manpage has been automatically generated by docbook2man
.\" from a DocBook document. This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "WPA_SUPPLICANT.CONF" "5" "07 August 2019" "" ""
.SH NAME
wpa_supplicant.conf \- configuration file for wpa_supplicant
.SH "OVERVIEW"
.PP
\fBwpa_supplicant\fR is configured using a text
file that lists all accepted networks and security policies,
including pre-shared keys. See the example configuration file,
probably in \fB/usr/share/doc/wpa_supplicant/\fR, for
detailed information about the configuration format and supported
fields.
.PP
All file paths in this configuration file should be full
(absolute, not relative to the working directory) paths so that
the working directory can be changed. This can happen if wpa_supplicant is
run in the background.
.PP
Changes to the configuration file can be reloaded by sending a
SIGHUP signal to \fBwpa_supplicant\fR ('killall -HUP
wpa_supplicant'). Similarly, reloading can be triggered with
the \fBwpa_cli reconfigure\fR command.
.PP
The configuration file can include one or more network blocks,
e.g., one for each used SSID. wpa_supplicant will automatically
select the best network based on the order of network blocks in
the configuration file, network security level (WPA/WPA2 is
preferred), and signal strength.
.SH "QUICK EXAMPLES"
.TP 3
1.
WPA-Personal (PSK) as home network and WPA-Enterprise with
EAP-TLS as work network.
.sp
.RS
.nf
# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#
# home network; allow all valid ciphers
network={
ssid="home"
scan_ssid=1
key_mgmt=WPA-PSK
psk="very secret passphrase"
}
#
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
ssid="work"
scan_ssid=1
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
}
.fi
.RE
.TP 3
2.
WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse
Aegis, Interlink RAD-Series)
.sp
.RS
.nf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="user@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}
.fi
.RE
.TP 3
3.
EAP-TTLS/EAP-MD5-Challenge configuration with anonymous
identity for the unencrypted use. Real identity is sent only
within an encrypted TLS tunnel.
.sp
.RS
.nf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
key_mgmt=WPA-EAP
eap=TTLS
identity="user@example.com"
anonymous_identity="anonymous@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
phase2="auth=MD5"
}
.fi
.RE
.TP 3
4.
IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
(require both unicast and broadcast); use EAP-TLS for
authentication
.sp
.RS
.nf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="1x-test"
scan_ssid=1
key_mgmt=IEEE8021X
eap=TLS
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
eapol_flags=3
}
.fi
.RE
.TP 3
5.
Catch-all example that allows more or less all
configuration modes. Which options are used depends on
the security policy of the selected SSID. This is
mostly for testing and is not recommended for normal
use.
.sp
.RS
.nf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
psk="very secret passphrase"
eap=TTLS PEAP TLS
identity="user@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
phase1="peaplabel=0"
ca_cert2="/etc/cert/ca2.pem"
client_cert2="/etc/cert/user.pem"
private_key2="/etc/cert/user.prv"
private_key2_passwd="password"
}
.fi
.RE
.TP 3
6.
Authentication for wired Ethernet. This can be used with the
\fBwired\fR or \fBroboswitch\fR interface
(-Dwired or -Droboswitch on command line).
.sp
.RS
.nf
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="user"
password="password"
eapol_flags=0
}
.fi
.RE
.SH "CERTIFICATES"
.PP
Some EAP authentication methods require the use of
certificates. EAP-TLS uses both server side and client
certificates, whereas EAP-PEAP and EAP-TTLS only require the server
side certificate. When a client certificate is used, a matching
private key file also has to be included in the configuration. If the
private key uses a passphrase, this has to be configured in
wpa_supplicant.conf ("private_key_passwd").
.PP
wpa_supplicant supports X.509 certificates in PEM and DER
formats. The user certificate and private key can be included in the
same file.
.PP
If the user certificate and private key are received in
PKCS#12/PFX format, they need to be converted to a suitable PEM/DER
format for wpa_supplicant. This can be done, e.g., with the following
commands:
.sp
.RS
.nf
# convert client certificate and private key to PEM format
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
.fi
.RE
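.PP
As an added example (not part of this man page or of wpa_supplicant itself), the following Python script parses the network-block format shown in the quick examples and flags the pitfalls this page describes: relative file paths, the key_mgmt NONE and WEP group-cipher modes of the catch-all example, an EAP network with no ca_cert, and a client_cert configured without its private_key. The sample configuration inside it is constructed for the example.

```python
# Constructed sample (not taken from the page): "work" uses a relative CA path and a
# client cert without its key; "lab" mirrors the catch-all example's NONE/WEP modes.
SAMPLE_CONF = """\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="work"
key_mgmt=WPA-EAP
ca_cert="cert/ca.pem"
client_cert="/etc/cert/user.pem"
}
network={
ssid="lab"
key_mgmt=WPA-PSK NONE
group=CCMP TKIP WEP104 WEP40
psk="lab passphrase"
}
"""

def parse_conf(text):
    """Return (global settings, network blocks) as dicts, surrounding quotes stripped."""
    globals_, networks, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.replace(" ", "") == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            (current if current is not None else globals_)[key.strip()] = value.strip().strip('"')
    return globals_, networks

def lint(text):
    """Return (ssid, message) findings for the pitfalls the man page warns about."""
    findings = []
    for net in parse_conf(text)[1]:
        ssid = net.get("ssid", "<no ssid>")
        mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())  # wpa_supplicant's default
        for field, val in net.items():  # OVERVIEW: file paths must be absolute
            if field.rstrip("2") in ("ca_cert", "client_cert", "private_key") and not val.startswith("/"):
                findings.append((ssid, f"{field} is not an absolute path: {val}"))
        if "NONE" in mgmt:
            findings.append((ssid, "key_mgmt allows NONE (unprotected association)"))
        if any(c.startswith("WEP") for c in net.get("group", "").split()):
            findings.append((ssid, "group ciphers include WEP"))
        if mgmt & {"WPA-EAP", "IEEE8021X"} and "ca_cert" not in net:
            findings.append((ssid, "EAP network without ca_cert: server certificate is not validated"))
        if "client_cert" in net and "private_key" not in net:  # CERTIFICATES: key must accompany cert
            findings.append((ssid, "client_cert set without a matching private_key"))
    return findings
```

Run `lint(open("/etc/wpa_supplicant.conf").read())` to check a real file; an empty list means none of these issues were found.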
.SH "SEE ALSO"
.PP
\fBwpa_supplicant\fR(8)
\fBopenssl\fR(1)