Navigation

Project: wok

Clone project: hg clone http://hg.slitaz.org/wok

  • Download tarball:
  • bz2
  • gz

Search

wok changeset 15914:62082fa37457

Update wpa_supplicant (2.1) And use /etc/wpa
author Christophe Lincoln <pankso@slitaz.org>
date Sat Feb 15 19:55:40 2014 +0100 (10 months ago ago)
parents f2f0afdddde7
children 0677483d2636
files wpa_supplicant/receipt wpa_supplicant/stuff/etc/wpa/wpa_empty.conf wpa_supplicant/stuff/etc/wpa/wpa_supplicant.conf wpa_supplicant/stuff/etc/wpa_supplicant.conf
line diff
     1.1 --- a/wpa_supplicant/receipt	Sat Feb 15 15:38:27 2014 +0100
     1.2 +++ b/wpa_supplicant/receipt	Sat Feb 15 19:55:40 2014 +0100
     1.3 @@ -1,7 +1,7 @@
     1.4  # SliTaz package receipt.
     1.5  
     1.6  PACKAGE="wpa_supplicant"
     1.7 -VERSION="1.1"
     1.8 +VERSION="2.1"
     1.9  CATEGORY="utilities"
    1.10  SHORT_DESC="WPA Supplicant with support for WPA and WPA2"
    1.11  MAINTAINER="0dddba11@googlemail.com"
    1.12 @@ -57,20 +57,22 @@
    1.13  		$src/wpa_supplicant/dbus/dbus-wpa_supplicant.conf \
    1.14  		$fs/etc/dbus-1/system.d/wpa_supplicant.conf
    1.15  
    1.16 -	# Startup script and cleaned up wpa_supplicant.conf
    1.17 -	cp -a stuff/etc $fs
    1.18 -	# dont copy the original
    1.19 -	# cp -a $src/$PACKAGE/wpa_supplicant.conf $fs/etc
    1.20 +	# Startup script and cleaned up wpa_empty.conf
    1.21 +	cp -a $stuff/etc $fs
    1.22 +	cp -a $src/$PACKAGE/wpa_supplicant.conf $fs/etc/wpa
    1.23  }
    1.24  
    1.25  # Pre and post install commands for Tazpkg.
    1.26  post_install()
    1.27  {
    1.28 -	grep -qs ^WPA_OPTIONS= $1/etc/daemons.conf || cat >> $1/etc/daemons.conf <<EOT
    1.29 +	grep -qs ^WPA_OPTIONS= $1/etc/daemons.conf || cat >> $1/etc/daemons.conf << EOT
    1.30 +
    1.31  # wpa_supplicant daemon options
    1.32 -WPA_OPTIONS="-B -u -P /var/run/wpa_supplicant.pid -c /etc/wpa_supplicant.conf -i \$(. /etc/network.conf ; echo \$WIFI_INTERFACE)"
    1.33 +WPA_OPTIONS="-B -u -P /var/run/wpa_supplicant.pid -c /etc/wpa/wpa.conf -i \$(. /etc/network.conf ; echo \$WIFI_INTERFACE)"
    1.34  
    1.35  EOT
    1.36 +	# We use /etc/wpa/wpa.conf from SliTaz 5.0
    1.37 +	sed -i s'#/etc/wpa_supplicant.conf#/etc/wpa/wpa.conf#'/ $1/etc/daemons.conf 2> /dev/null
    1.38  	# 'w' option dont exist anymore with < 0.6.9
    1.39  	sed -i s/'-Bw'/'-B'/ $1/etc/daemons.conf 2> /dev/null
    1.40  	sed -i s/'-B -w'/'-B'/g $1/etc/init.d/network.sh 2> /dev/null
     2.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     2.2 +++ b/wpa_supplicant/stuff/etc/wpa/wpa_empty.conf	Sat Feb 15 19:55:40 2014 +0100
     2.3 @@ -0,0 +1,37 @@
     2.4 +# /etc/wpa/wpa.conf: wpa_supplicant configuration file.
     2.5 +#
     2.6 +
     2.7 +# Whether to allow wpa_supplicant to update (overwrite) configuration
     2.8 +#update_config=1
     2.9 +
    2.10 +#
    2.11 +# global configuration (shared by all network blocks)
    2.12 +#
    2.13 +
    2.14 +# Parameters for the control interface
    2.15 +ctrl_interface=/var/run/wpa_supplicant
    2.16 +
    2.17 +# Ensure that only root can read the WPA configuration
    2.18 +ctrl_interface_group=0
    2.19 +
    2.20 +# IEEE 802.1X/EAPOL version: 1 or 2
    2.21 +eapol_version=2
    2.22 +
    2.23 +# AP scanning/selection
    2.24 +ap_scan=1
    2.25 +
    2.26 +# EAP fast re-authentication
    2.27 +fast_reauth=1
    2.28 +
    2.29 +# Network configuration example.
    2.30 +#network={
    2.31 +	#ssid=""
    2.32 +	#psk=""
    2.33 +	#scan_ssid=1
    2.34 +	#proto=WPA RSN
    2.35 +	#key_mgmt=WPA-PSK WPA-EAP
    2.36 +#}
    2.37 +
    2.38 +# Network configuration added by /etc/init.d/network.sh using
    2.39 +# setting from /etc/network.conf
    2.40 +
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/wpa_supplicant/stuff/etc/wpa/wpa_supplicant.conf	Sat Feb 15 19:55:40 2014 +0100
     3.3 @@ -0,0 +1,1273 @@
     3.4 +##### Example wpa_supplicant configuration file ###############################
     3.5 +#
     3.6 +# This file describes configuration file format and lists all available option.
     3.7 +# Please also take a look at simpler configuration examples in 'examples'
     3.8 +# subdirectory.
     3.9 +#
    3.10 +# Empty lines and lines starting with # are ignored
    3.11 +
    3.12 +# NOTE! This file may contain password information and should probably be made
    3.13 +# readable only by root user on multiuser systems.
    3.14 +
    3.15 +# Note: All file paths in this configuration file should use full (absolute,
    3.16 +# not relative to working directory) path in order to allow working directory
    3.17 +# to be changed. This can happen if wpa_supplicant is run in the background.
    3.18 +
    3.19 +# Whether to allow wpa_supplicant to update (overwrite) configuration
    3.20 +#
    3.21 +# This option can be used to allow wpa_supplicant to overwrite configuration
    3.22 +# file whenever configuration is changed (e.g., new network block is added with
    3.23 +# wpa_cli or wpa_gui, or a password is changed). This is required for
    3.24 +# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
    3.25 +# Please note that overwriting configuration file will remove the comments from
    3.26 +# it.
    3.27 +#update_config=1
    3.28 +
    3.29 +# global configuration (shared by all network blocks)
    3.30 +#
    3.31 +# Parameters for the control interface. If this is specified, wpa_supplicant
    3.32 +# will open a control interface that is available for external programs to
    3.33 +# manage wpa_supplicant. The meaning of this string depends on which control
    3.34 +# interface mechanism is used. For all cases, the existence of this parameter
    3.35 +# in configuration is used to determine whether the control interface is
    3.36 +# enabled.
    3.37 +#
    3.38 +# For UNIX domain sockets (default on Linux and BSD): This is a directory that
    3.39 +# will be created for UNIX domain sockets for listening to requests from
    3.40 +# external programs (CLI/GUI, etc.) for status information and configuration.
    3.41 +# The socket file will be named based on the interface name, so multiple
    3.42 +# wpa_supplicant processes can be run at the same time if more than one
    3.43 +# interface is used.
    3.44 +# /var/run/wpa_supplicant is the recommended directory for sockets and by
    3.45 +# default, wpa_cli will use it when trying to connect with wpa_supplicant.
    3.46 +#
    3.47 +# Access control for the control interface can be configured by setting the
    3.48 +# directory to allow only members of a group to use sockets. This way, it is
    3.49 +# possible to run wpa_supplicant as root (since it needs to change network
    3.50 +# configuration and open raw sockets) and still allow GUI/CLI components to be
    3.51 +# run as non-root users. However, since the control interface can be used to
    3.52 +# change the network configuration, this access needs to be protected in many
    3.53 +# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
    3.54 +# want to allow non-root users to use the control interface, add a new group
    3.55 +# and change this value to match with that group. Add users that should have
    3.56 +# control interface access to this group. If this variable is commented out or
    3.57 +# not included in the configuration file, group will not be changed from the
    3.58 +# value it got by default when the directory or socket was created.
    3.59 +#
    3.60 +# When configuring both the directory and group, use following format:
    3.61 +# DIR=/var/run/wpa_supplicant GROUP=wheel
    3.62 +# DIR=/var/run/wpa_supplicant GROUP=0
    3.63 +# (group can be either group name or gid)
    3.64 +#
    3.65 +# For UDP connections (default on Windows): The value will be ignored. This
    3.66 +# variable is just used to select that the control interface is to be created.
    3.67 +# The value can be set to, e.g., udp (ctrl_interface=udp)
    3.68 +#
    3.69 +# For Windows Named Pipe: This value can be used to set the security descriptor
    3.70 +# for controlling access to the control interface. Security descriptor can be
    3.71 +# set using Security Descriptor String Format (see http://msdn.microsoft.com/
    3.72 +# library/default.asp?url=/library/en-us/secauthz/security/
    3.73 +# security_descriptor_string_format.asp). The descriptor string needs to be
    3.74 +# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
    3.75 +# DACL (which will reject all connections). See README-Windows.txt for more
    3.76 +# information about SDDL string format.
    3.77 +#
    3.78 +ctrl_interface=/var/run/wpa_supplicant
    3.79 +
    3.80 +# IEEE 802.1X/EAPOL version
    3.81 +# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
    3.82 +# EAPOL version 2. However, there are many APs that do not handle the new
    3.83 +# version number correctly (they seem to drop the frames completely). In order
    3.84 +# to make wpa_supplicant interoperate with these APs, the version number is set
    3.85 +# to 1 by default. This configuration value can be used to set it to the new
    3.86 +# version (2).
    3.87 +eapol_version=1
    3.88 +
    3.89 +# AP scanning/selection
    3.90 +# By default, wpa_supplicant requests driver to perform AP scanning and then
    3.91 +# uses the scan results to select a suitable AP. Another alternative is to
    3.92 +# allow the driver to take care of AP scanning and selection and use
    3.93 +# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
    3.94 +# information from the driver.
    3.95 +# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
    3.96 +#    the currently enabled networks are found, a new network (IBSS or AP mode
    3.97 +#    operation) may be initialized (if configured) (default)
    3.98 +# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
    3.99 +#    parameters (e.g., WPA IE generation); this mode can also be used with
   3.100 +#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
   3.101 +#    APs (i.e., external program needs to control association). This mode must
   3.102 +#    also be used when using wired Ethernet drivers.
   3.103 +# 2: like 0, but associate with APs using security policy and SSID (but not
   3.104 +#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
   3.105 +#    enable operation with hidden SSIDs and optimized roaming; in this mode,
   3.106 +#    the network blocks in the configuration file are tried one by one until
   3.107 +#    the driver reports successful association; each network block should have
   3.108 +#    explicit security policy (i.e., only one option in the lists) for
   3.109 +#    key_mgmt, pairwise, group, proto variables
   3.110 +# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
   3.111 +# created immediately regardless of scan results. ap_scan=1 mode will first try
   3.112 +# to scan for existing networks and only if no matches with the enabled
   3.113 +# networks are found, a new IBSS or AP mode network is created.
   3.114 +ap_scan=1
   3.115 +
   3.116 +# EAP fast re-authentication
   3.117 +# By default, fast re-authentication is enabled for all EAP methods that
   3.118 +# support it. This variable can be used to disable fast re-authentication.
   3.119 +# Normally, there is no need to disable this.
   3.120 +fast_reauth=1
   3.121 +
   3.122 +# OpenSSL Engine support
   3.123 +# These options can be used to load OpenSSL engines.
   3.124 +# The two engines that are supported currently are shown below:
   3.125 +# They are both from the opensc project (http://www.opensc.org/)
   3.126 +# By default no engines are loaded.
   3.127 +# make the opensc engine available
   3.128 +#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
   3.129 +# make the pkcs11 engine available
   3.130 +#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
   3.131 +# configure the path to the pkcs11 module required by the pkcs11 engine
   3.132 +#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
   3.133 +
   3.134 +# Dynamic EAP methods
   3.135 +# If EAP methods were built dynamically as shared object files, they need to be
   3.136 +# loaded here before being used in the network blocks. By default, EAP methods
   3.137 +# are included statically in the build, so these lines are not needed
   3.138 +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
   3.139 +#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
   3.140 +
   3.141 +# Driver interface parameters
   3.142 +# This field can be used to configure arbitrary driver interace parameters. The
   3.143 +# format is specific to the selected driver interface. This field is not used
   3.144 +# in most cases.
   3.145 +#driver_param="field=value"
   3.146 +
   3.147 +# Country code
   3.148 +# The ISO/IEC alpha2 country code for the country in which this device is
   3.149 +# currently operating.
   3.150 +#country=US
   3.151 +
   3.152 +# Maximum lifetime for PMKSA in seconds; default 43200
   3.153 +#dot11RSNAConfigPMKLifetime=43200
   3.154 +# Threshold for reauthentication (percentage of PMK lifetime); default 70
   3.155 +#dot11RSNAConfigPMKReauthThreshold=70
   3.156 +# Timeout for security association negotiation in seconds; default 60
   3.157 +#dot11RSNAConfigSATimeout=60
   3.158 +
   3.159 +# Wi-Fi Protected Setup (WPS) parameters
   3.160 +
   3.161 +# Universally Unique IDentifier (UUID; see RFC 4122) of the device
   3.162 +# If not configured, UUID will be generated based on the local MAC address.
   3.163 +#uuid=12345678-9abc-def0-1234-56789abcdef0
   3.164 +
   3.165 +# Device Name
   3.166 +# User-friendly description of device; up to 32 octets encoded in UTF-8
   3.167 +#device_name=Wireless Client
   3.168 +
   3.169 +# Manufacturer
   3.170 +# The manufacturer of the device (up to 64 ASCII characters)
   3.171 +#manufacturer=Company
   3.172 +
   3.173 +# Model Name
   3.174 +# Model of the device (up to 32 ASCII characters)
   3.175 +#model_name=cmodel
   3.176 +
   3.177 +# Model Number
   3.178 +# Additional device description (up to 32 ASCII characters)
   3.179 +#model_number=123
   3.180 +
   3.181 +# Serial Number
   3.182 +# Serial number of the device (up to 32 characters)
   3.183 +#serial_number=12345
   3.184 +
   3.185 +# Primary Device Type
   3.186 +# Used format: <categ>-<OUI>-<subcateg>
   3.187 +# categ = Category as an integer value
   3.188 +# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
   3.189 +#       default WPS OUI
   3.190 +# subcateg = OUI-specific Sub Category as an integer value
   3.191 +# Examples:
   3.192 +#   1-0050F204-1 (Computer / PC)
   3.193 +#   1-0050F204-2 (Computer / Server)
   3.194 +#   5-0050F204-1 (Storage / NAS)
   3.195 +#   6-0050F204-1 (Network Infrastructure / AP)
   3.196 +#device_type=1-0050F204-1
   3.197 +
   3.198 +# OS Version
   3.199 +# 4-octet operating system version number (hex string)
   3.200 +#os_version=01020300
   3.201 +
   3.202 +# Config Methods
   3.203 +# List of the supported configuration methods
   3.204 +# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
   3.205 +#	nfc_interface push_button keypad virtual_display physical_display
   3.206 +#	virtual_push_button physical_push_button
   3.207 +# For WSC 1.0:
   3.208 +#config_methods=label display push_button keypad
   3.209 +# For WSC 2.0:
   3.210 +#config_methods=label virtual_display virtual_push_button keypad
   3.211 +
   3.212 +# Credential processing
   3.213 +#   0 = process received credentials internally (default)
   3.214 +#   1 = do not process received credentials; just pass them over ctrl_iface to
   3.215 +#	external program(s)
   3.216 +#   2 = process received credentials internally and pass them over ctrl_iface
   3.217 +#	to external program(s)
   3.218 +#wps_cred_processing=0
   3.219 +
   3.220 +# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing
   3.221 +# The vendor attribute contents to be added in M1 (hex string)
   3.222 +#wps_vendor_ext_m1=000137100100020001
   3.223 +
   3.224 +# NFC password token for WPS
   3.225 +# These parameters can be used to configure a fixed NFC password token for the
   3.226 +# station. This can be generated, e.g., with nfc_pw_token. When these
   3.227 +# parameters are used, the station is assumed to be deployed with a NFC tag
   3.228 +# that includes the matching NFC password token (e.g., written based on the
   3.229 +# NDEF record from nfc_pw_token).
   3.230 +#
   3.231 +#wps_nfc_dev_pw_id: Device Password ID (16..65535)
   3.232 +#wps_nfc_dh_pubkey: Hexdump of DH Public Key
   3.233 +#wps_nfc_dh_privkey: Hexdump of DH Private Key
   3.234 +#wps_nfc_dev_pw: Hexdump of Device Password
   3.235 +
   3.236 +# Maximum number of BSS entries to keep in memory
   3.237 +# Default: 200
   3.238 +# This can be used to limit memory use on the BSS entries (cached scan
   3.239 +# results). A larger value may be needed in environments that have huge number
   3.240 +# of APs when using ap_scan=1 mode.
   3.241 +#bss_max_count=200
   3.242 +
   3.243 +# Automatic scan
   3.244 +# This is an optional set of parameters for automatic scanning
   3.245 +# within an interface in following format:
   3.246 +#autoscan=<autoscan module name>:<module parameters>
   3.247 +# autoscan is like bgscan but on disconnected or inactive state.
   3.248 +# For instance, on exponential module parameters would be <base>:<limit>
   3.249 +#autoscan=exponential:3:300
   3.250 +# Which means a delay between scans on a base exponential of 3,
   3.251 +# up to the limit of 300 seconds (3, 9, 27 ... 300)
   3.252 +# For periodic module, parameters would be <fixed interval>
   3.253 +#autoscan=periodic:30
   3.254 +# So a delay of 30 seconds will be applied between each scan
   3.255 +
   3.256 +# filter_ssids - SSID-based scan result filtering
   3.257 +# 0 = do not filter scan results (default)
   3.258 +# 1 = only include configured SSIDs in scan results/BSS table
   3.259 +#filter_ssids=0
   3.260 +
   3.261 +# Password (and passphrase, etc.) backend for external storage
   3.262 +# format: <backend name>[:<optional backend parameters>]
   3.263 +#ext_password_backend=test:pw1=password|pw2=testing
   3.264 +
   3.265 +# Timeout in seconds to detect STA inactivity (default: 300 seconds)
   3.266 +#
   3.267 +# This timeout value is used in P2P GO mode to clean up
   3.268 +# inactive stations.
   3.269 +#p2p_go_max_inactivity=300
   3.270 +
   3.271 +# Opportunistic Key Caching (also known as Proactive Key Caching) default
   3.272 +# This parameter can be used to set the default behavior for the
   3.273 +# proactive_key_caching parameter. By default, OKC is disabled unless enabled
   3.274 +# with the global okc=1 parameter or with the per-network
   3.275 +# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but
   3.276 +# can be disabled with per-network proactive_key_caching=0 parameter.
   3.277 +#okc=0
   3.278 +
   3.279 +# Protected Management Frames default
   3.280 +# This parameter can be used to set the default behavior for the ieee80211w
   3.281 +# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2
   3.282 +# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF
   3.283 +# is enabled/required by default, but can be disabled with the per-network
   3.284 +# ieee80211w parameter.
   3.285 +#pmf=0
   3.286 +
   3.287 +# Enabled SAE finite cyclic groups in preference order
   3.288 +# By default (if this parameter is not set), the mandatory group 19 (ECC group
   3.289 +# defined over a 256-bit prime order field) is preferred, but other groups are
   3.290 +# also enabled. If this parameter is set, the groups will be tried in the
   3.291 +# indicated order. The group values are listed in the IANA registry:
   3.292 +# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
   3.293 +#sae_groups=21 20 19 26 25
   3.294 +
   3.295 +# Default value for DTIM period (if not overridden in network block)
   3.296 +#dtim_period=2
   3.297 +
   3.298 +# Default value for Beacon interval (if not overridden in network block)
   3.299 +#beacon_int=100
   3.300 +
   3.301 +# Additional vendor specific elements for Beacon and Probe Response frames
   3.302 +# This parameter can be used to add additional vendor specific element(s) into
   3.303 +# the end of the Beacon and Probe Response frames. The format for these
   3.304 +# element(s) is a hexdump of the raw information elements (id+len+payload for
   3.305 +# one or more elements). This is used in AP and P2P GO modes.
   3.306 +#ap_vendor_elements=dd0411223301
   3.307 +
   3.308 +# Ignore scan results older than request
   3.309 +#
   3.310 +# The driver may have a cache of scan results that makes it return
   3.311 +# information that is older than our scan trigger. This parameter can
   3.312 +# be used to configure such old information to be ignored instead of
   3.313 +# allowing it to update the internal BSS table.
   3.314 +#ignore_old_scan_res=0
   3.315 +
   3.316 +# scan_cur_freq: Whether to scan only the current frequency
   3.317 +# 0:  Scan all available frequencies. (Default)
   3.318 +# 1:  Scan current operating frequency if another VIF on the same radio
   3.319 +#     is already associated.
   3.320 +
   3.321 +# Interworking (IEEE 802.11u)
   3.322 +
   3.323 +# Enable Interworking
   3.324 +# interworking=1
   3.325 +
   3.326 +# Homogenous ESS identifier
   3.327 +# If this is set, scans will be used to request response only from BSSes
   3.328 +# belonging to the specified Homogeneous ESS. This is used only if interworking
   3.329 +# is enabled.
   3.330 +# hessid=00:11:22:33:44:55
   3.331 +
   3.332 +# Automatic network selection behavior
   3.333 +# 0 = do not automatically go through Interworking network selection
   3.334 +#     (i.e., require explicit interworking_select command for this; default)
   3.335 +# 1 = perform Interworking network selection if one or more
   3.336 +#     credentials have been configured and scan did not find a
   3.337 +#     matching network block
   3.338 +#auto_interworking=0
   3.339 +
   3.340 +# credential block
   3.341 +#
   3.342 +# Each credential used for automatic network selection is configured as a set
   3.343 +# of parameters that are compared to the information advertised by the APs when
   3.344 +# interworking_select and interworking_connect commands are used.
   3.345 +#
   3.346 +# credential fields:
   3.347 +#
   3.348 +# temporary: Whether this credential is temporary and not to be saved
   3.349 +#
   3.350 +# priority: Priority group
   3.351 +#	By default, all networks and credentials get the same priority group
   3.352 +#	(0). This field can be used to give higher priority for credentials
   3.353 +#	(and similarly in struct wpa_ssid for network blocks) to change the
   3.354 +#	Interworking automatic networking selection behavior. The matching
   3.355 +#	network (based on either an enabled network block or a credential)
   3.356 +#	with the highest priority value will be selected.
   3.357 +#
   3.358 +# pcsc: Use PC/SC and SIM/USIM card
   3.359 +#
   3.360 +# realm: Home Realm for Interworking
   3.361 +#
   3.362 +# username: Username for Interworking network selection
   3.363 +#
   3.364 +# password: Password for Interworking network selection
   3.365 +#
   3.366 +# ca_cert: CA certificate for Interworking network selection
   3.367 +#
   3.368 +# client_cert: File path to client certificate file (PEM/DER)
   3.369 +#	This field is used with Interworking networking selection for a case
   3.370 +#	where client certificate/private key is used for authentication
   3.371 +#	(EAP-TLS). Full path to the file should be used since working
   3.372 +#	directory may change when wpa_supplicant is run in the background.
   3.373 +#
   3.374 +#	Alternatively, a named configuration blob can be used by setting
   3.375 +#	this to blob://blob_name.
   3.376 +#
   3.377 +# private_key: File path to client private key file (PEM/DER/PFX)
   3.378 +#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
   3.379 +#	commented out. Both the private key and certificate will be read
   3.380 +#	from the PKCS#12 file in this case. Full path to the file should be
   3.381 +#	used since working directory may change when wpa_supplicant is run
   3.382 +#	in the background.
   3.383 +#
   3.384 +#	Windows certificate store can be used by leaving client_cert out and
   3.385 +#	configuring private_key in one of the following formats:
   3.386 +#
   3.387 +#	cert://substring_to_match
   3.388 +#
   3.389 +#	hash://certificate_thumbprint_in_hex
   3.390 +#
   3.391 +#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
   3.392 +#
   3.393 +#	Note that when running wpa_supplicant as an application, the user
   3.394 +#	certificate store (My user account) is used, whereas computer store
   3.395 +#	(Computer account) is used when running wpasvc as a service.
   3.396 +#
   3.397 +#	Alternatively, a named configuration blob can be used by setting
   3.398 +#	this to blob://blob_name.
   3.399 +#
   3.400 +# private_key_passwd: Password for private key file
   3.401 +#
   3.402 +# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format
   3.403 +#
   3.404 +# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>
   3.405 +#	format
   3.406 +#
   3.407 +# domain: Home service provider FQDN(s)
   3.408 +#	This is used to compare against the Domain Name List to figure out
   3.409 +#	whether the AP is operated by the Home SP. Multiple domain entries can
   3.410 +#	be used to configure alternative FQDNs that will be considered home
   3.411 +#	networks.
   3.412 +#
   3.413 +# roaming_consortium: Roaming Consortium OI
   3.414 +#	If roaming_consortium_len is non-zero, this field contains the
   3.415 +#	Roaming Consortium OI that can be used to determine which access
   3.416 +#	points support authentication with this credential. This is an
   3.417 +#	alternative to the use of the realm parameter. When using Roaming
   3.418 +#	Consortium to match the network, the EAP parameters need to be
   3.419 +#	pre-configured with the credential since the NAI Realm information
   3.420 +#	may not be available or fetched.
   3.421 +#
   3.422 +# eap: Pre-configured EAP method
   3.423 +#	This optional field can be used to specify which EAP method will be
   3.424 +#	used with this credential. If not set, the EAP method is selected
   3.425 +#	automatically based on ANQP information (e.g., NAI Realm).
   3.426 +#
   3.427 +# phase1: Pre-configure Phase 1 (outer authentication) parameters
   3.428 +#	This optional field is used with like the 'eap' parameter.
   3.429 +#
   3.430 +# phase2: Pre-configure Phase 2 (inner authentication) parameters
   3.431 +#	This optional field is used with like the 'eap' parameter.
   3.432 +#
   3.433 +# excluded_ssid: Excluded SSID
   3.434 +#	This optional field can be used to excluded specific SSID(s) from
   3.435 +#	matching with the network. Multiple entries can be used to specify more
   3.436 +#	than one SSID.
   3.437 +#
   3.438 +# for example:
   3.439 +#
   3.440 +#cred={
   3.441 +#	realm="example.com"
   3.442 +#	username="user@example.com"
   3.443 +#	password="password"
   3.444 +#	ca_cert="/etc/wpa_supplicant/ca.pem"
   3.445 +#	domain="example.com"
   3.446 +#}
   3.447 +#
   3.448 +#cred={
   3.449 +#	imsi="310026-000000000"
   3.450 +#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"
   3.451 +#}
   3.452 +#
   3.453 +#cred={
   3.454 +#	realm="example.com"
   3.455 +#	username="user"
   3.456 +#	password="password"
   3.457 +#	ca_cert="/etc/wpa_supplicant/ca.pem"
   3.458 +#	domain="example.com"
   3.459 +#	roaming_consortium=223344
   3.460 +#	eap=TTLS
   3.461 +#	phase2="auth=MSCHAPV2"
   3.462 +#}
   3.463 +
   3.464 +# Hotspot 2.0
   3.465 +# hs20=1
   3.466 +
   3.467 +# network block
   3.468 +#
   3.469 +# Each network (usually AP's sharing the same SSID) is configured as a separate
   3.470 +# block in this configuration file. The network blocks are in preference order
   3.471 +# (the first match is used).
   3.472 +#
   3.473 +# network block fields:
   3.474 +#
   3.475 +# disabled:
   3.476 +#	0 = this network can be used (default)
   3.477 +#	1 = this network block is disabled (can be enabled through ctrl_iface,
   3.478 +#	    e.g., with wpa_cli or wpa_gui)
   3.479 +#
   3.480 +# id_str: Network identifier string for external scripts. This value is passed
   3.481 +#	to external action script through wpa_cli as WPA_ID_STR environment
   3.482 +#	variable to make it easier to do network specific configuration.
   3.483 +#
   3.484 +# ssid: SSID (mandatory); network name in one of the optional formats:
   3.485 +#	- an ASCII string with double quotation
   3.486 +#	- a hex string (two characters per octet of SSID)
   3.487 +#	- a printf-escaped ASCII string P"<escaped string>"
   3.488 +#
   3.489 +# scan_ssid:
   3.490 +#	0 = do not scan this SSID with specific Probe Request frames (default)
   3.491 +#	1 = scan with SSID-specific Probe Request frames (this can be used to
   3.492 +#	    find APs that do not accept broadcast SSID or use multiple SSIDs;
   3.493 +#	    this will add latency to scanning, so enable this only when needed)
   3.494 +#
   3.495 +# bssid: BSSID (optional); if set, this network block is used only when
   3.496 +#	associating with the AP using the configured BSSID
   3.497 +#
   3.498 +# priority: priority group (integer)
   3.499 +# By default, all networks will get same priority group (0). If some of the
   3.500 +# networks are more desirable, this field can be used to change the order in
   3.501 +# which wpa_supplicant goes through the networks when selecting a BSS. The
   3.502 +# priority groups will be iterated in decreasing priority (i.e., the larger the
   3.503 +# priority value, the sooner the network is matched against the scan results).
   3.504 +# Within each priority group, networks will be selected based on security
   3.505 +# policy, signal strength, etc.
   3.506 +# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
   3.507 +# using this priority to select the order for scanning. Instead, they try the
   3.508 +# networks in the order that used in the configuration file.
   3.509 +#
   3.510 +# mode: IEEE 802.11 operation mode
   3.511 +# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
   3.512 +# 1 = IBSS (ad-hoc, peer-to-peer)
   3.513 +# 2 = AP (access point)
   3.514 +# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and
   3.515 +# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key
   3.516 +# TKIP/CCMP) is available for backwards compatibility, but its use is
   3.517 +# deprecated. WPA-None requires following network block options:
   3.518 +# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
   3.519 +# both), and psk must also be set.
   3.520 +#
   3.521 +# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
   3.522 +# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
   3.523 +# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
   3.524 +# In addition, this value is only used by the station that creates the IBSS. If
   3.525 +# an IBSS network with the configured SSID is already present, the frequency of
   3.526 +# the network will be used instead of this configured value.
   3.527 +#
   3.528 +# scan_freq: List of frequencies to scan
   3.529 +# Space-separated list of frequencies in MHz to scan when searching for this
   3.530 +# BSS. If the subset of channels used by the network is known, this option can
   3.531 +# be used to optimize scanning to not occur on channels that the network does
   3.532 +# not use. Example: scan_freq=2412 2437 2462
   3.533 +#
   3.534 +# freq_list: Array of allowed frequencies
   3.535 +# Space-separated list of frequencies in MHz to allow for selecting the BSS. If
   3.536 +# set, scan results that do not match any of the specified frequencies are not
   3.537 +# considered when selecting a BSS.
   3.538 +#
   3.539 +# This can also be set on the outside of the network block. In this case,
   3.540 +# it limits the frequencies that will be scanned.
   3.541 +#
   3.542 +# bgscan: Background scanning
   3.543 +# wpa_supplicant behavior for background scanning can be specified by
   3.544 +# configuring a bgscan module. These modules are responsible for requesting
   3.545 +# background scans for the purpose of roaming within an ESS (i.e., within a
   3.546 +# single network block with all the APs using the same SSID). The bgscan
   3.547 +# parameter uses following format: "<bgscan module name>:<module parameters>"
   3.548 +# Following bgscan modules are available:
   3.549 +# simple - Periodic background scans based on signal strength
   3.550 +# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:
   3.551 +# <long interval>"
   3.552 +# bgscan="simple:30:-45:300"
   3.553 +# learn - Learn channels used by the network and try to avoid bgscans on other
   3.554 +# channels (experimental)
   3.555 +# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:
   3.556 +# <long interval>[:<database file name>]"
   3.557 +# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"
   3.558 +#
   3.559 +# This option can also be set outside of all network blocks for the bgscan
   3.560 +# parameter to apply for all the networks that have no specific bgscan
   3.561 +# parameter.
   3.562 +#
   3.563 +# proto: list of accepted protocols
   3.564 +# WPA = WPA/IEEE 802.11i/D3.0
   3.565 +# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
   3.566 +# If not set, this defaults to: WPA RSN
   3.567 +#
   3.568 +# key_mgmt: list of accepted authenticated key management protocols
   3.569 +# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
   3.570 +# WPA-EAP = WPA using EAP authentication
   3.571 +# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
   3.572 +#	generated WEP keys
   3.573 +# NONE = WPA is not used; plaintext or static WEP could be used
   3.574 +# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
   3.575 +# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
   3.576 +# If not set, this defaults to: WPA-PSK WPA-EAP
   3.577 +#
   3.578 +# ieee80211w: whether management frame protection is enabled
   3.579 +# 0 = disabled (default unless changed with the global pmf parameter)
   3.580 +# 1 = optional
   3.581 +# 2 = required
   3.582 +# The most common configuration options for this based on the PMF (protected
   3.583 +# management frames) certification program are:
   3.584 +# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
   3.585 +# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
   3.586 +# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
   3.587 +#
   3.588 +# auth_alg: list of allowed IEEE 802.11 authentication algorithms
   3.589 +# OPEN = Open System authentication (required for WPA/WPA2)
   3.590 +# SHARED = Shared Key authentication (requires static WEP keys)
   3.591 +# LEAP = LEAP/Network EAP (only used with LEAP)
   3.592 +# If not set, automatic selection is used (Open System with LEAP enabled if
   3.593 +# LEAP is allowed as one of the EAP methods).
   3.594 +#
   3.595 +# pairwise: list of accepted pairwise (unicast) ciphers for WPA
   3.596 +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
   3.597 +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
   3.598 +# NONE = Use only Group Keys (deprecated, should not be included if APs support
   3.599 +#	pairwise keys)
   3.600 +# If not set, this defaults to: CCMP TKIP
   3.601 +#
   3.602 +# group: list of accepted group (broadcast/multicast) ciphers for WPA
   3.603 +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
   3.604 +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
   3.605 +# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
   3.606 +# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
   3.607 +# If not set, this defaults to: CCMP TKIP WEP104 WEP40
   3.608 +#
   3.609 +# psk: WPA preshared key; 256-bit pre-shared key
   3.610 +# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
   3.611 +# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
   3.612 +# generated using the passphrase and SSID). ASCII passphrase must be between
   3.613 +# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
   3.614 +# be used to indicate that the PSK/passphrase is stored in external storage.
   3.615 +# This field is not needed, if WPA-EAP is used.
   3.616 +# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
   3.617 +# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
   3.618 +# startup and reconfiguration time can be optimized by generating the PSK only
   3.619 +# only when the passphrase or SSID has actually changed.
   3.620 +#
   3.621 +# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
   3.622 +# Dynamic WEP key required for non-WPA mode
   3.623 +# bit0 (1): require dynamically generated unicast WEP key
   3.624 +# bit1 (2): require dynamically generated broadcast WEP key
   3.625 +# 	(3 = require both keys; default)
   3.626 +# Note: When using wired authentication, eapol_flags must be set to 0 for the
   3.627 +# authentication to be completed successfully.
   3.628 +#
   3.629 +# mixed_cell: This option can be used to configure whether so called mixed
   3.630 +# cells, i.e., networks that use both plaintext and encryption in the same
   3.631 +# SSID, are allowed when selecting a BSS from scan results.
   3.632 +# 0 = disabled (default)
   3.633 +# 1 = enabled
   3.634 +#
   3.635 +# proactive_key_caching:
   3.636 +# Enable/disable opportunistic PMKSA caching for WPA2.
   3.637 +# 0 = disabled (default unless changed with the global okc parameter)
   3.638 +# 1 = enabled
   3.639 +#
   3.640 +# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
   3.641 +# hex without quotation, e.g., 0102030405)
   3.642 +# wep_tx_keyidx: Default WEP key index (TX) (0..3)
   3.643 +#
   3.644 +# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
   3.645 +# allowed. This is only used with RSN/WPA2.
   3.646 +# 0 = disabled (default)
   3.647 +# 1 = enabled
   3.648 +#peerkey=1
   3.649 +#
   3.650 +# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
   3.651 +# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
   3.652 +#
   3.653 +# Following fields are only used with internal EAP implementation.
   3.654 +# eap: space-separated list of accepted EAP methods
   3.655 +#	MD5 = EAP-MD5 (unsecure and does not generate keying material ->
   3.656 +#			cannot be used with WPA; to be used as a Phase 2 method
   3.657 +#			with EAP-PEAP or EAP-TTLS)
   3.658 +#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
   3.659 +#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
   3.660 +#       OTP = EAP-OTP (cannot be used separately with WPA; to be used
   3.661 +#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
   3.662 +#       GTC = EAP-GTC (cannot be used separately with WPA; to be used
   3.663 +#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
   3.664 +#	TLS = EAP-TLS (client and server certificate)
   3.665 +#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
   3.666 +#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
   3.667 +#			 authentication)
   3.668 +#	If not set, all compiled in methods are allowed.
   3.669 +#
   3.670 +# identity: Identity string for EAP
   3.671 +#	This field is also used to configure user NAI for
   3.672 +#	EAP-PSK/PAX/SAKE/GPSK.
   3.673 +# anonymous_identity: Anonymous identity string for EAP (to be used as the
   3.674 +#	unencrypted identity with EAP types that support different tunnelled
   3.675 +#	identity, e.g., EAP-TTLS). This field can also be used with
   3.676 +#	EAP-SIM/AKA/AKA' to store the pseudonym identity.
   3.677 +# password: Password string for EAP. This field can include either the
   3.678 +#	plaintext password (using ASCII or hex string) or a NtPasswordHash
   3.679 +#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.
   3.680 +#	NtPasswordHash can only be used when the password is for MSCHAPv2 or
   3.681 +#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
   3.682 +#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit
   3.683 +#	PSK) is also configured using this field. For EAP-GPSK, this is a
   3.684 +#	variable length PSK. ext:<name of external password field> format can
   3.685 +#	be used to indicate that the password is stored in external storage.
   3.686 +# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
   3.687 +#	or more trusted CA certificates. If ca_cert and ca_path are not
   3.688 +#	included, server certificate will not be verified. This is insecure and
   3.689 +#	a trusted CA certificate should always be configured when using
   3.690 +#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
   3.691 +#	change when wpa_supplicant is run in the background.
   3.692 +#
   3.693 +#	Alternatively, this can be used to only perform matching of the server
   3.694 +#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In
   3.695 +#	this case, the possible CA certificates in the server certificate chain
   3.696 +#	are ignored and only the server certificate is verified. This is
   3.697 +#	configured with the following format:
   3.698 +#	hash:://server/sha256/cert_hash_in_hex
   3.699 +#	For example: "hash://server/sha256/
   3.700 +#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
   3.701 +#
   3.702 +#	On Windows, trusted CA certificates can be loaded from the system
   3.703 +#	certificate store by setting this to cert_store://<name>, e.g.,
   3.704 +#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
   3.705 +#	Note that when running wpa_supplicant as an application, the user
   3.706 +#	certificate store (My user account) is used, whereas computer store
   3.707 +#	(Computer account) is used when running wpasvc as a service.
   3.708 +# ca_path: Directory path for CA certificate files (PEM). This path may
   3.709 +#	contain multiple CA certificates in OpenSSL format. Common use for this
   3.710 +#	is to point to system trusted CA list which is often installed into
   3.711 +#	directory like /etc/ssl/certs. If configured, these certificates are
   3.712 +#	added to the list of trusted CAs. ca_cert may also be included in that
   3.713 +#	case, but it is not required.
   3.714 +# client_cert: File path to client certificate file (PEM/DER)
   3.715 +#	Full path should be used since working directory may change when
   3.716 +#	wpa_supplicant is run in the background.
   3.717 +#	Alternatively, a named configuration blob can be used by setting this
   3.718 +#	to blob://<blob name>.
   3.719 +# private_key: File path to client private key file (PEM/DER/PFX)
   3.720 +#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
   3.721 +#	commented out. Both the private key and certificate will be read from
   3.722 +#	the PKCS#12 file in this case. Full path should be used since working
   3.723 +#	directory may change when wpa_supplicant is run in the background.
   3.724 +#	Windows certificate store can be used by leaving client_cert out and
   3.725 +#	configuring private_key in one of the following formats:
   3.726 +#	cert://substring_to_match
   3.727 +#	hash://certificate_thumbprint_in_hex
   3.728 +#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
   3.729 +#	Note that when running wpa_supplicant as an application, the user
   3.730 +#	certificate store (My user account) is used, whereas computer store
   3.731 +#	(Computer account) is used when running wpasvc as a service.
   3.732 +#	Alternatively, a named configuration blob can be used by setting this
   3.733 +#	to blob://<blob name>.
   3.734 +# private_key_passwd: Password for private key file (if left out, this will be
   3.735 +#	asked through control interface)
   3.736 +# dh_file: File path to DH/DSA parameters file (in PEM format)
   3.737 +#	This is an optional configuration file for setting parameters for an
   3.738 +#	ephemeral DH key exchange. In most cases, the default RSA
   3.739 +#	authentication does not use this configuration. However, it is possible
   3.740 +#	setup RSA to use ephemeral DH key exchange. In addition, ciphers with
   3.741 +#	DSA keys always use ephemeral DH keys. This can be used to achieve
   3.742 +#	forward secrecy. If the file is in DSA parameters format, it will be
   3.743 +#	automatically converted into DH params.
   3.744 +# subject_match: Substring to be matched against the subject of the
   3.745 +#	authentication server certificate. If this string is set, the server
   3.746 +#	sertificate is only accepted if it contains this string in the subject.
   3.747 +#	The subject string is in following format:
   3.748 +#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
   3.749 +# altsubject_match: Semicolon separated string of entries to be matched against
   3.750 +#	the alternative subject name of the authentication server certificate.
   3.751 +#	If this string is set, the server sertificate is only accepted if it
   3.752 +#	contains one of the entries in an alternative subject name extension.
   3.753 +#	altSubjectName string is in following format: TYPE:VALUE
   3.754 +#	Example: EMAIL:server@example.com
   3.755 +#	Example: DNS:server.example.com;DNS:server2.example.com
   3.756 +#	Following types are supported: EMAIL, DNS, URI
   3.757 +# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
   3.758 +#	(string with field-value pairs, e.g., "peapver=0" or
   3.759 +#	"peapver=1 peaplabel=1")
   3.760 +#	'peapver' can be used to force which PEAP version (0 or 1) is used.
   3.761 +#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
   3.762 +#	to be used during key derivation when PEAPv1 or newer. Most existing
   3.763 +#	PEAPv1 implementation seem to be using the old label, "client EAP
   3.764 +#	encryption", and wpa_supplicant is now using that as the default value.
   3.765 +#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
   3.766 +#	interoperate with PEAPv1; see eap_testing.txt for more details.
   3.767 +#	'peap_outer_success=0' can be used to terminate PEAP authentication on
   3.768 +#	tunneled EAP-Success. This is required with some RADIUS servers that
   3.769 +#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
   3.770 +#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
   3.771 +#	include_tls_length=1 can be used to force wpa_supplicant to include
   3.772 +#	TLS Message Length field in all TLS messages even if they are not
   3.773 +#	fragmented.
   3.774 +#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
   3.775 +#	challenges (by default, it accepts 2 or 3)
   3.776 +#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
   3.777 +#	protected result indication.
   3.778 +#	'crypto_binding' option can be used to control PEAPv0 cryptobinding
   3.779 +#	behavior:
   3.780 +#	 * 0 = do not use cryptobinding (default)
   3.781 +#	 * 1 = use cryptobinding if server supports it
   3.782 +#	 * 2 = require cryptobinding
   3.783 +#	EAP-WSC (WPS) uses following options: pin=<Device Password> or
   3.784 +#	pbc=1.
   3.785 +# phase2: Phase2 (inner authentication with TLS tunnel) parameters
   3.786 +#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
   3.787 +#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
   3.788 +#
   3.789 +# TLS-based methods can use the following parameters to control TLS behavior
   3.790 +# (these are normally in the phase1 parameter, but can be used also in the
   3.791 +# phase2 parameter when EAP-TLS is used within the inner tunnel):
   3.792 +# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the
   3.793 +#	TLS library, these may be disabled by default to enforce stronger
   3.794 +#	security)
   3.795 +# tls_disable_time_checks=1 - ignore certificate validity time (this requests
   3.796 +#	the TLS library to accept certificates even if they are not currently
   3.797 +#	valid, i.e., have expired or have not yet become valid; this should be
   3.798 +#	used only for testing purposes)
   3.799 +# tls_disable_session_ticket=1 - disable TLS Session Ticket extension
   3.800 +# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used
   3.801 +#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS
   3.802 +#	as a workaround for broken authentication server implementations unless
   3.803 +#	EAP workarounds are disabled with eap_workarounds=0.
   3.804 +#	For EAP-FAST, this must be set to 0 (or left unconfigured for the
   3.805 +#	default value to be used automatically).
   3.806 +#
   3.807 +# Following certificate/private key fields are used in inner Phase2
   3.808 +# authentication when using EAP-TTLS or EAP-PEAP.
   3.809 +# ca_cert2: File path to CA certificate file. This file can have one or more
   3.810 +#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,
   3.811 +#	server certificate will not be verified. This is insecure and a trusted
   3.812 +#	CA certificate should always be configured.
   3.813 +# ca_path2: Directory path for CA certificate files (PEM)
   3.814 +# client_cert2: File path to client certificate file
   3.815 +# private_key2: File path to client private key file
   3.816 +# private_key2_passwd: Password for private key file
   3.817 +# dh_file2: File path to DH/DSA parameters file (in PEM format)
   3.818 +# subject_match2: Substring to be matched against the subject of the
   3.819 +#	authentication server certificate.
   3.820 +# altsubject_match2: Substring to be matched against the alternative subject
   3.821 +#	name of the authentication server certificate.
   3.822 +#
   3.823 +# fragment_size: Maximum EAP fragment size in bytes (default 1398).
   3.824 +#	This value limits the fragment size for EAP methods that support
   3.825 +#	fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
   3.826 +#	small enough to make the EAP messages fit in MTU of the network
   3.827 +#	interface used for EAPOL. The default value is suitable for most
   3.828 +#	cases.
   3.829 +#
   3.830 +# ocsp: Whether to use/require OCSP to check server certificate
   3.831 +#	0 = do not use OCSP stapling (TLS certificate status extension)
   3.832 +#	1 = try to use OCSP stapling, but not require response
   3.833 +#	2 = require valid OCSP stapling response
   3.834 +#
   3.835 +# EAP-FAST variables:
   3.836 +# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
   3.837 +#	to create this file and write updates to it when PAC is being
   3.838 +#	provisioned or refreshed. Full path to the file should be used since
   3.839 +#	working directory may change when wpa_supplicant is run in the
   3.840 +#	background. Alternatively, a named configuration blob can be used by
   3.841 +#	setting this to blob://<blob name>
   3.842 +# phase1: fast_provisioning option can be used to enable in-line provisioning
   3.843 +#         of EAP-FAST credentials (PAC):
   3.844 +#         0 = disabled,
   3.845 +#         1 = allow unauthenticated provisioning,
   3.846 +#         2 = allow authenticated provisioning,
   3.847 +#         3 = allow both unauthenticated and authenticated provisioning
   3.848 +#	fast_max_pac_list_len=<num> option can be used to set the maximum
   3.849 +#		number of PAC entries to store in a PAC list (default: 10)
   3.850 +#	fast_pac_format=binary option can be used to select binary format for
   3.851 +#		storing PAC entries in order to save some space (the default
   3.852 +#		text format uses about 2.5 times the size of minimal binary
   3.853 +#		format)
   3.854 +#
   3.855 +# wpa_supplicant supports number of "EAP workarounds" to work around
   3.856 +# interoperability issues with incorrectly behaving authentication servers.
   3.857 +# These are enabled by default because some of the issues are present in large
   3.858 +# number of authentication servers. Strict EAP conformance mode can be
   3.859 +# configured by disabling workarounds with eap_workaround=0.
   3.860 +
   3.861 +# Station inactivity limit
   3.862 +#
   3.863 +# If a station does not send anything in ap_max_inactivity seconds, an
   3.864 +# empty data frame is sent to it in order to verify whether it is
   3.865 +# still in range. If this frame is not ACKed, the station will be
   3.866 +# disassociated and then deauthenticated. This feature is used to
   3.867 +# clear station table of old entries when the STAs move out of the
   3.868 +# range.
   3.869 +#
   3.870 +# The station can associate again with the AP if it is still in range;
   3.871 +# this inactivity poll is just used as a nicer way of verifying
   3.872 +# inactivity; i.e., client will not report broken connection because
   3.873 +# disassociation frame is not sent immediately without first polling
   3.874 +# the STA with a data frame.
   3.875 +# default: 300 (i.e., 5 minutes)
   3.876 +#ap_max_inactivity=300
   3.877 +
   3.878 +# DTIM period in Beacon intervals for AP mode (default: 2)
   3.879 +#dtim_period=2
   3.880 +
   3.881 +# Beacon interval (default: 100 TU)
   3.882 +#beacon_int=100
   3.883 +
   3.884 +# disable_ht: Whether HT (802.11n) should be disabled.
   3.885 +# 0 = HT enabled (if AP supports it)
   3.886 +# 1 = HT disabled
   3.887 +#
   3.888 +# disable_ht40: Whether HT-40 (802.11n) should be disabled.
   3.889 +# 0 = HT-40 enabled (if AP supports it)
   3.890 +# 1 = HT-40 disabled
   3.891 +#
   3.892 +# disable_sgi: Whether SGI (short guard interval) should be disabled.
   3.893 +# 0 = SGI enabled (if AP supports it)
   3.894 +# 1 = SGI disabled
   3.895 +#
   3.896 +# ht_mcs:  Configure allowed MCS rates.
   3.897 +#  Parsed as an array of bytes, in base-16 (ascii-hex)
   3.898 +# ht_mcs=""                                   // Use all available (default)
   3.899 +# ht_mcs="0xff 00 00 00 00 00 00 00 00 00 "   // Use MCS 0-7 only
   3.900 +# ht_mcs="0xff ff 00 00 00 00 00 00 00 00 "   // Use MCS 0-15 only
   3.901 +#
   3.902 +# disable_max_amsdu:  Whether MAX_AMSDU should be disabled.
   3.903 +# -1 = Do not make any changes.
   3.904 +# 0  = Enable MAX-AMSDU if hardware supports it.
   3.905 +# 1  = Disable AMSDU
   3.906 +#
   3.907 +# ampdu_density:  Allow overriding AMPDU density configuration.
   3.908 +#  Treated as hint by the kernel.
   3.909 +# -1 = Do not make any changes.
   3.910 +# 0-3 = Set AMPDU density (aka factor) to specified value.
   3.911 +
   3.912 +# disable_vht: Whether VHT should be disabled.
   3.913 +# 0 = VHT enabled (if AP supports it)
   3.914 +# 1 = VHT disabled
   3.915 +#
   3.916 +# vht_capa: VHT capabilities to set in the override
   3.917 +# vht_capa_mask: mask of VHT capabilities
   3.918 +#
   3.919 +# vht_rx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for RX NSS 1-8
   3.920 +# vht_tx_mcs_nss_1/2/3/4/5/6/7/8: override the MCS set for TX NSS 1-8
   3.921 +#  0: MCS 0-7
   3.922 +#  1: MCS 0-8
   3.923 +#  2: MCS 0-9
   3.924 +#  3: not supported
   3.925 +
   3.926 +# Example blocks:
   3.927 +
   3.928 +# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
   3.929 +network={
   3.930 +	ssid="simple"
   3.931 +	psk="very secret passphrase"
   3.932 +	priority=5
   3.933 +}
   3.934 +
   3.935 +# Same as previous, but request SSID-specific scanning (for APs that reject
   3.936 +# broadcast SSID)
   3.937 +network={
   3.938 +	ssid="second ssid"
   3.939 +	scan_ssid=1
   3.940 +	psk="very secret passphrase"
   3.941 +	priority=2
   3.942 +}
   3.943 +
   3.944 +# Only WPA-PSK is used. Any valid cipher combination is accepted.
   3.945 +network={
   3.946 +	ssid="example"
   3.947 +	proto=WPA
   3.948 +	key_mgmt=WPA-PSK
   3.949 +	pairwise=CCMP TKIP
   3.950 +	group=CCMP TKIP WEP104 WEP40
   3.951 +	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
   3.952 +	priority=2
   3.953 +}
   3.954 +
   3.955 +# WPA-Personal(PSK) with TKIP and enforcement for frequent PTK rekeying
   3.956 +network={
   3.957 +	ssid="example"
   3.958 +	proto=WPA
   3.959 +	key_mgmt=WPA-PSK
   3.960 +	pairwise=TKIP
   3.961 +	group=TKIP
   3.962 +	psk="not so secure passphrase"
   3.963 +	wpa_ptk_rekey=600
   3.964 +}
   3.965 +
   3.966 +# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
   3.967 +# or WEP40 as the group cipher will not be accepted.
   3.968 +network={
   3.969 +	ssid="example"
   3.970 +	proto=RSN
   3.971 +	key_mgmt=WPA-EAP
   3.972 +	pairwise=CCMP TKIP
   3.973 +	group=CCMP TKIP
   3.974 +	eap=TLS
   3.975 +	identity="user@example.com"
   3.976 +	ca_cert="/etc/cert/ca.pem"
   3.977 +	client_cert="/etc/cert/user.pem"
   3.978 +	private_key="/etc/cert/user.prv"
   3.979 +	private_key_passwd="password"
   3.980 +	priority=1
   3.981 +}
   3.982 +
   3.983 +# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
   3.984 +# (e.g., Radiator)
   3.985 +network={
   3.986 +	ssid="example"
   3.987 +	key_mgmt=WPA-EAP
   3.988 +	eap=PEAP
   3.989 +	identity="user@example.com"
   3.990 +	password="foobar"
   3.991 +	ca_cert="/etc/cert/ca.pem"
   3.992 +	phase1="peaplabel=1"
   3.993 +	phase2="auth=MSCHAPV2"
   3.994 +	priority=10
   3.995 +}
   3.996 +
   3.997 +# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
   3.998 +# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
   3.999 +network={
  3.1000 +	ssid="example"
  3.1001 +	key_mgmt=WPA-EAP
  3.1002 +	eap=TTLS
  3.1003 +	identity="user@example.com"
  3.1004 +	anonymous_identity="anonymous@example.com"
  3.1005 +	password="foobar"
  3.1006 +	ca_cert="/etc/cert/ca.pem"
  3.1007 +	priority=2
  3.1008 +}
  3.1009 +
  3.1010 +# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
  3.1011 +# use. Real identity is sent only within an encrypted TLS tunnel.
  3.1012 +network={
  3.1013 +	ssid="example"
  3.1014 +	key_mgmt=WPA-EAP
  3.1015 +	eap=TTLS
  3.1016 +	identity="user@example.com"
  3.1017 +	anonymous_identity="anonymous@example.com"
  3.1018 +	password="foobar"
  3.1019 +	ca_cert="/etc/cert/ca.pem"
  3.1020 +	phase2="auth=MSCHAPV2"
  3.1021 +}
  3.1022 +
  3.1023 +# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
  3.1024 +# authentication.
  3.1025 +network={
  3.1026 +	ssid="example"
  3.1027 +	key_mgmt=WPA-EAP
  3.1028 +	eap=TTLS
  3.1029 +	# Phase1 / outer authentication
  3.1030 +	anonymous_identity="anonymous@example.com"
  3.1031 +	ca_cert="/etc/cert/ca.pem"
  3.1032 +	# Phase 2 / inner authentication
  3.1033 +	phase2="autheap=TLS"
  3.1034 +	ca_cert2="/etc/cert/ca2.pem"
  3.1035 +	client_cert2="/etc/cer/user.pem"
  3.1036 +	private_key2="/etc/cer/user.prv"
  3.1037 +	private_key2_passwd="password"
  3.1038 +	priority=2
  3.1039 +}
  3.1040 +
  3.1041 +# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
  3.1042 +# group cipher.
  3.1043 +network={
  3.1044 +	ssid="example"
  3.1045 +	bssid=00:11:22:33:44:55
  3.1046 +	proto=WPA RSN
  3.1047 +	key_mgmt=WPA-PSK WPA-EAP
  3.1048 +	pairwise=CCMP
  3.1049 +	group=CCMP
  3.1050 +	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
  3.1051 +}
  3.1052 +
  3.1053 +# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
  3.1054 +# and all valid ciphers.
  3.1055 +network={
  3.1056 +	ssid=00010203
  3.1057 +	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
  3.1058 +}
  3.1059 +
  3.1060 +
  3.1061 +# EAP-SIM with a GSM SIM or USIM
  3.1062 +network={
  3.1063 +	ssid="eap-sim-test"
  3.1064 +	key_mgmt=WPA-EAP
  3.1065 +	eap=SIM
  3.1066 +	pin="1234"
  3.1067 +	pcsc=""
  3.1068 +}
  3.1069 +
  3.1070 +
  3.1071 +# EAP-PSK
  3.1072 +network={
  3.1073 +	ssid="eap-psk-test"
  3.1074 +	key_mgmt=WPA-EAP
  3.1075 +	eap=PSK
  3.1076 +	anonymous_identity="eap_psk_user"
  3.1077 +	password=06b4be19da289f475aa46a33cb793029
  3.1078 +	identity="eap_psk_user@example.com"
  3.1079 +}
  3.1080 +
  3.1081 +
  3.1082 +# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
  3.1083 +# EAP-TLS for authentication and key generation; require both unicast and
  3.1084 +# broadcast WEP keys.
  3.1085 +network={
  3.1086 +	ssid="1x-test"
  3.1087 +	key_mgmt=IEEE8021X
  3.1088 +	eap=TLS
  3.1089 +	identity="user@example.com"
  3.1090 +	ca_cert="/etc/cert/ca.pem"
  3.1091 +	client_cert="/etc/cert/user.pem"
  3.1092 +	private_key="/etc/cert/user.prv"
  3.1093 +	private_key_passwd="password"
  3.1094 +	eapol_flags=3
  3.1095 +}
  3.1096 +
  3.1097 +
  3.1098 +# LEAP with dynamic WEP keys
  3.1099 +network={
  3.1100 +	ssid="leap-example"
  3.1101 +	key_mgmt=IEEE8021X
  3.1102 +	eap=LEAP
  3.1103 +	identity="user"
  3.1104 +	password="foobar"
  3.1105 +}
  3.1106 +
  3.1107 +# EAP-IKEv2 using shared secrets for both server and peer authentication
  3.1108 +network={
  3.1109 +	ssid="ikev2-example"
  3.1110 +	key_mgmt=WPA-EAP
  3.1111 +	eap=IKEV2
  3.1112 +	identity="user"
  3.1113 +	password="foobar"
  3.1114 +}
  3.1115 +
  3.1116 +# EAP-FAST with WPA (WPA or WPA2)
  3.1117 +network={
  3.1118 +	ssid="eap-fast-test"
  3.1119 +	key_mgmt=WPA-EAP
  3.1120 +	eap=FAST
  3.1121 +	anonymous_identity="FAST-000102030405"
  3.1122 +	identity="username"
  3.1123 +	password="password"
  3.1124 +	phase1="fast_provisioning=1"
  3.1125 +	pac_file="/etc/wpa_supplicant.eap-fast-pac"
  3.1126 +}
  3.1127 +
  3.1128 +network={
  3.1129 +	ssid="eap-fast-test"
  3.1130 +	key_mgmt=WPA-EAP
  3.1131 +	eap=FAST
  3.1132 +	anonymous_identity="FAST-000102030405"
  3.1133 +	identity="username"
  3.1134 +	password="password"
  3.1135 +	phase1="fast_provisioning=1"
  3.1136 +	pac_file="blob://eap-fast-pac"
  3.1137 +}
  3.1138 +
  3.1139 +# Plaintext connection (no WPA, no IEEE 802.1X)
  3.1140 +network={
  3.1141 +	ssid="plaintext-test"
  3.1142 +	key_mgmt=NONE
  3.1143 +}
  3.1144 +
  3.1145 +
  3.1146 +# Shared WEP key connection (no WPA, no IEEE 802.1X)
  3.1147 +network={
  3.1148 +	ssid="static-wep-test"
  3.1149 +	key_mgmt=NONE
  3.1150 +	wep_key0="abcde"
  3.1151 +	wep_key1=0102030405
  3.1152 +	wep_key2="1234567890123"
  3.1153 +	wep_tx_keyidx=0
  3.1154 +	priority=5
  3.1155 +}
  3.1156 +
  3.1157 +
  3.1158 +# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
  3.1159 +# IEEE 802.11 authentication
  3.1160 +network={
  3.1161 +	ssid="static-wep-test2"
  3.1162 +	key_mgmt=NONE
  3.1163 +	wep_key0="abcde"
  3.1164 +	wep_key1=0102030405
  3.1165 +	wep_key2="1234567890123"
  3.1166 +	wep_tx_keyidx=0
  3.1167 +	priority=5
  3.1168 +	auth_alg=SHARED
  3.1169 +}
  3.1170 +
  3.1171 +
  3.1172 +# IBSS/ad-hoc network with RSN
  3.1173 +network={
  3.1174 +	ssid="ibss-rsn"
  3.1175 +	key_mgmt=WPA-PSK
  3.1176 +	proto=RSN
  3.1177 +	psk="12345678"
  3.1178 +	mode=1
  3.1179 +	frequency=2412
  3.1180 +	pairwise=CCMP
  3.1181 +	group=CCMP
  3.1182 +}
  3.1183 +
  3.1184 +# IBSS/ad-hoc network with WPA-None/TKIP (deprecated)
  3.1185 +network={
  3.1186 +	ssid="test adhoc"
  3.1187 +	mode=1
  3.1188 +	frequency=2412
  3.1189 +	proto=WPA
  3.1190 +	key_mgmt=WPA-NONE
  3.1191 +	pairwise=NONE
  3.1192 +	group=TKIP
  3.1193 +	psk="secret passphrase"
  3.1194 +}
  3.1195 +
  3.1196 +
  3.1197 +# Catch all example that allows more or less all configuration modes
  3.1198 +network={
  3.1199 +	ssid="example"
  3.1200 +	scan_ssid=1
  3.1201 +	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
  3.1202 +	pairwise=CCMP TKIP
  3.1203 +	group=CCMP TKIP WEP104 WEP40
  3.1204 +	psk="very secret passphrase"
  3.1205 +	eap=TTLS PEAP TLS
  3.1206 +	identity="user@example.com"
  3.1207 +	password="foobar"
  3.1208 +	ca_cert="/etc/cert/ca.pem"
  3.1209 +	client_cert="/etc/cert/user.pem"
  3.1210 +	private_key="/etc/cert/user.prv"
  3.1211 +	private_key_passwd="password"
  3.1212 +	phase1="peaplabel=0"
  3.1213 +}
  3.1214 +
  3.1215 +# Example of EAP-TLS with smartcard (openssl engine)
  3.1216 +network={
  3.1217 +	ssid="example"
  3.1218 +	key_mgmt=WPA-EAP
  3.1219 +	eap=TLS
  3.1220 +	proto=RSN
  3.1221 +	pairwise=CCMP TKIP
  3.1222 +	group=CCMP TKIP
  3.1223 +	identity="user@example.com"
  3.1224 +	ca_cert="/etc/cert/ca.pem"
  3.1225 +	client_cert="/etc/cert/user.pem"
  3.1226 +
  3.1227 +	engine=1
  3.1228 +
  3.1229 +	# The engine configured here must be available. Look at
  3.1230 +	# OpenSSL engine support in the global section.
  3.1231 +	# The key available through the engine must be the private key
  3.1232 +	# matching the client certificate configured above.
  3.1233 +
  3.1234 +	# use the opensc engine
  3.1235 +	#engine_id="opensc"
  3.1236 +	#key_id="45"
  3.1237 +
  3.1238 +	# use the pkcs11 engine
  3.1239 +	engine_id="pkcs11"
  3.1240 +	key_id="id_45"
  3.1241 +
  3.1242 +	# Optional PIN configuration; this can be left out and PIN will be
  3.1243 +	# asked through the control interface
  3.1244 +	pin="1234"
  3.1245 +}
  3.1246 +
  3.1247 +# Example configuration showing how to use an inlined blob as a CA certificate
  3.1248 +# data instead of using external file
  3.1249 +network={
  3.1250 +	ssid="example"
  3.1251 +	key_mgmt=WPA-EAP
  3.1252 +	eap=TTLS
  3.1253 +	identity="user@example.com"
  3.1254 +	anonymous_identity="anonymous@example.com"
  3.1255 +	password="foobar"
  3.1256 +	ca_cert="blob://exampleblob"
  3.1257 +	priority=20
  3.1258 +}
  3.1259 +
  3.1260 +blob-base64-exampleblob={
  3.1261 +SGVsbG8gV29ybGQhCg==
  3.1262 +}
  3.1263 +
  3.1264 +
  3.1265 +# Wildcard match for SSID (plaintext APs only). This example select any
  3.1266 +# open AP regardless of its SSID.
  3.1267 +network={
  3.1268 +	key_mgmt=NONE
  3.1269 +}
  3.1270 +
  3.1271 +
  3.1272 +# Example config file that will only scan on channel 36.
  3.1273 +freq_list=5180
  3.1274 +network={
  3.1275 +	key_mgmt=NONE
  3.1276 +}
     4.1 --- a/wpa_supplicant/stuff/etc/wpa_supplicant.conf	Sat Feb 15 15:38:27 2014 +0100
     4.2 +++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
     4.3 @@ -1,754 +0,0 @@
     4.4 -##### Example wpa_supplicant configuration file ###############################
     4.5 -#
     4.6 -# This file describes configuration file format and lists all available option.
     4.7 -# Please also take a look at simpler configuration examples in 'examples'
     4.8 -# subdirectory.
     4.9 -#
    4.10 -# Empty lines and lines starting with # are ignored
    4.11 -
    4.12 -# NOTE! This file may contain password information and should probably be made
    4.13 -# readable only by root user on multiuser systems.
    4.14 -
    4.15 -# Note: All file paths in this configuration file should use full (absolute,
    4.16 -# not relative to working directory) path in order to allow working directory
    4.17 -# to be changed. This can happen if wpa_supplicant is run in the background.
    4.18 -
    4.19 -# Whether to allow wpa_supplicant to update (overwrite) configuration
    4.20 -#
    4.21 -# This option can be used to allow wpa_supplicant to overwrite configuration
    4.22 -# file whenever configuration is changed (e.g., new network block is added with
    4.23 -# wpa_cli or wpa_gui, or a password is changed). This is required for
    4.24 -# wpa_cli/wpa_gui to be able to store the configuration changes permanently.
    4.25 -# Please note that overwriting configuration file will remove the comments from
    4.26 -# it.
    4.27 -#update_config=1
    4.28 -
    4.29 -# global configuration (shared by all network blocks)
    4.30 -#
    4.31 -# Parameters for the control interface. If this is specified, wpa_supplicant
    4.32 -# will open a control interface that is available for external programs to
    4.33 -# manage wpa_supplicant. The meaning of this string depends on which control
    4.34 -# interface mechanism is used. For all cases, the existance of this parameter
    4.35 -# in configuration is used to determine whether the control interface is
    4.36 -# enabled.
    4.37 -#
    4.38 -# For UNIX domain sockets (default on Linux and BSD): This is a directory that
    4.39 -# will be created for UNIX domain sockets for listening to requests from
    4.40 -# external programs (CLI/GUI, etc.) for status information and configuration.
    4.41 -# The socket file will be named based on the interface name, so multiple
    4.42 -# wpa_supplicant processes can be run at the same time if more than one
    4.43 -# interface is used.
    4.44 -# /var/run/wpa_supplicant is the recommended directory for sockets and by
    4.45 -# default, wpa_cli will use it when trying to connect with wpa_supplicant.
    4.46 -#
    4.47 -# Access control for the control interface can be configured by setting the
    4.48 -# directory to allow only members of a group to use sockets. This way, it is
    4.49 -# possible to run wpa_supplicant as root (since it needs to change network
    4.50 -# configuration and open raw sockets) and still allow GUI/CLI components to be
    4.51 -# run as non-root users. However, since the control interface can be used to
    4.52 -# change the network configuration, this access needs to be protected in many
    4.53 -# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you
    4.54 -# want to allow non-root users to use the control interface, add a new group
    4.55 -# and change this value to match with that group. Add users that should have
    4.56 -# control interface access to this group. If this variable is commented out or
    4.57 -# not included in the configuration file, group will not be changed from the
    4.58 -# value it got by default when the directory or socket was created.
    4.59 -#
    4.60 -# When configuring both the directory and group, use following format:
    4.61 -# DIR=/var/run/wpa_supplicant GROUP=wheel
    4.62 -# DIR=/var/run/wpa_supplicant GROUP=0
    4.63 -# (group can be either group name or gid)
    4.64 -#
    4.65 -# For UDP connections (default on Windows): The value will be ignored. This
    4.66 -# variable is just used to select that the control interface is to be created.
    4.67 -# The value can be set to, e.g., udp (ctrl_interface=udp)
    4.68 -#
    4.69 -# For Windows Named Pipe: This value can be used to set the security descriptor
    4.70 -# for controlling access to the control interface. Security descriptor can be
    4.71 -# set using Security Descriptor String Format (see http://msdn.microsoft.com/
    4.72 -# library/default.asp?url=/library/en-us/secauthz/security/
    4.73 -# security_descriptor_string_format.asp). The descriptor string needs to be
    4.74 -# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
    4.75 -# DACL (which will reject all connections). See README-Windows.txt for more
    4.76 -# information about SDDL string format.
    4.77 -#
    4.78 -ctrl_interface=/var/run/wpa_supplicant
    4.79 -
    4.80 -# Ensure that only root can read the WPA configuration
    4.81 -ctrl_interface_group=0
    4.82 -
    4.83 -
    4.84 -# IEEE 802.1X/EAPOL version
    4.85 -# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
    4.86 -# EAPOL version 2. However, there are many APs that do not handle the new
    4.87 -# version number correctly (they seem to drop the frames completely). In order
    4.88 -# to make wpa_supplicant interoperate with these APs, the version number is set
    4.89 -# to 1 by default. This configuration value can be used to set it to the new
    4.90 -# version (2).
    4.91 -eapol_version=1
    4.92 -
    4.93 -# AP scanning/selection
    4.94 -# By default, wpa_supplicant requests driver to perform AP scanning and then
    4.95 -# uses the scan results to select a suitable AP. Another alternative is to
    4.96 -# allow the driver to take care of AP scanning and selection and use
    4.97 -# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association
    4.98 -# information from the driver.
    4.99 -# 1: wpa_supplicant initiates scanning and AP selection
   4.100 -# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
   4.101 -#    parameters (e.g., WPA IE generation); this mode can also be used with
   4.102 -#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
   4.103 -#    APs (i.e., external program needs to control association). This mode must
   4.104 -#    also be used when using wired Ethernet drivers.
   4.105 -# 2: like 0, but associate with APs using security policy and SSID (but not
   4.106 -#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
   4.107 -#    enable operation with hidden SSIDs and optimized roaming; in this mode,
   4.108 -#    the network blocks in the configuration file are tried one by one until
   4.109 -#    the driver reports successful association; each network block should have
   4.110 -#    explicit security policy (i.e., only one option in the lists) for
   4.111 -#    key_mgmt, pairwise, group, proto variables
   4.112 -ap_scan=0
   4.113 -
   4.114 -# EAP fast re-authentication
   4.115 -# By default, fast re-authentication is enabled for all EAP methods that
   4.116 -# support it. This variable can be used to disable fast re-authentication.
   4.117 -# Normally, there is no need to disable this.
   4.118 -fast_reauth=1
   4.119 -
   4.120 -# OpenSSL Engine support
   4.121 -# These options can be used to load OpenSSL engines.
   4.122 -# The two engines that are supported currently are shown below:
   4.123 -# They are both from the opensc project (http://www.opensc.org/)
   4.124 -# By default no engines are loaded.
   4.125 -# make the opensc engine available
   4.126 -#opensc_engine_path=/usr/lib/opensc/engine_opensc.so
   4.127 -# make the pkcs11 engine available
   4.128 -#pkcs11_engine_path=/usr/lib/opensc/engine_pkcs11.so
   4.129 -# configure the path to the pkcs11 module required by the pkcs11 engine
   4.130 -#pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so
   4.131 -
   4.132 -# Dynamic EAP methods
   4.133 -# If EAP methods were built dynamically as shared object files, they need to be
   4.134 -# loaded here before being used in the network blocks. By default, EAP methods
   4.135 -# are included statically in the build, so these lines are not needed
   4.136 -#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so
   4.137 -#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so
   4.138 -
   4.139 -# Driver interface parameters
   4.140 -# This field can be used to configure arbitrary driver interace parameters. The
   4.141 -# format is specific to the selected driver interface. This field is not used
   4.142 -# in most cases.
   4.143 -#driver_param="field=value"
   4.144 -
   4.145 -# Maximum lifetime for PMKSA in seconds; default 43200
   4.146 -#dot11RSNAConfigPMKLifetime=43200
   4.147 -# Threshold for reauthentication (percentage of PMK lifetime); default 70
   4.148 -#dot11RSNAConfigPMKReauthThreshold=70
   4.149 -# Timeout for security association negotiation in seconds; default 60
   4.150 -#dot11RSNAConfigSATimeout=60
   4.151 -
   4.152 -# network block
   4.153 -#
   4.154 -# Each network (usually AP's sharing the same SSID) is configured as a separate
   4.155 -# block in this configuration file. The network blocks are in preference order
   4.156 -# (the first match is used).
   4.157 -#
   4.158 -# network block fields:
   4.159 -#
   4.160 -# disabled:
   4.161 -#	0 = this network can be used (default)
   4.162 -#	1 = this network block is disabled (can be enabled through ctrl_iface,
   4.163 -#	    e.g., with wpa_cli or wpa_gui)
   4.164 -#
   4.165 -# id_str: Network identifier string for external scripts. This value is passed
   4.166 -#	to external action script through wpa_cli as WPA_ID_STR environment
   4.167 -#	variable to make it easier to do network specific configuration.
   4.168 -#
   4.169 -# ssid: SSID (mandatory); either as an ASCII string with double quotation or
   4.170 -#	as hex string; network name
   4.171 -#
   4.172 -# scan_ssid:
   4.173 -#	0 = do not scan this SSID with specific Probe Request frames (default)
   4.174 -#	1 = scan with SSID-specific Probe Request frames (this can be used to
   4.175 -#	    find APs that do not accept broadcast SSID or use multiple SSIDs;
   4.176 -#	    this will add latency to scanning, so enable this only when needed)
   4.177 -#
   4.178 -# bssid: BSSID (optional); if set, this network block is used only when
   4.179 -#	associating with the AP using the configured BSSID
   4.180 -#
   4.181 -# priority: priority group (integer)
   4.182 -# By default, all networks will get same priority group (0). If some of the
   4.183 -# networks are more desirable, this field can be used to change the order in
   4.184 -# which wpa_supplicant goes through the networks when selecting a BSS. The
   4.185 -# priority groups will be iterated in decreasing priority (i.e., the larger the
   4.186 -# priority value, the sooner the network is matched against the scan results).
   4.187 -# Within each priority group, networks will be selected based on security
   4.188 -# policy, signal strength, etc.
   4.189 -# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
   4.190 -# using this priority to select the order for scanning. Instead, they try the
   4.191 -# networks in the order that used in the configuration file.
   4.192 -#
   4.193 -# mode: IEEE 802.11 operation mode
   4.194 -# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
   4.195 -# 1 = IBSS (ad-hoc, peer-to-peer)
   4.196 -# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP)
   4.197 -# and key_mgmt=WPA-NONE (fixed group key TKIP/CCMP). In addition, ap_scan has
   4.198 -# to be set to 2 for IBSS. WPA-None requires following network block options:
   4.199 -# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not
   4.200 -# both), and psk must also be set.
   4.201 -#
   4.202 -# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,
   4.203 -# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial
   4.204 -# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.
   4.205 -# In addition, this value is only used by the station that creates the IBSS. If
   4.206 -# an IBSS network with the configured SSID is already present, the frequency of
   4.207 -# the network will be used instead of this configured value.
   4.208 -#
   4.209 -# proto: list of accepted protocols
   4.210 -# WPA = WPA/IEEE 802.11i/D3.0
   4.211 -# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
   4.212 -# If not set, this defaults to: WPA RSN
   4.213 -#
   4.214 -# key_mgmt: list of accepted authenticated key management protocols
   4.215 -# WPA-PSK = WPA pre-shared key (this requires 'psk' field)
   4.216 -# WPA-EAP = WPA using EAP authentication (this can use an external
   4.217 -#	program, e.g., Xsupplicant, for IEEE 802.1X EAP Authentication
   4.218 -# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
   4.219 -#	generated WEP keys
   4.220 -# NONE = WPA is not used; plaintext or static WEP could be used
   4.221 -# If not set, this defaults to: WPA-PSK WPA-EAP
   4.222 -#
   4.223 -# auth_alg: list of allowed IEEE 802.11 authentication algorithms
   4.224 -# OPEN = Open System authentication (required for WPA/WPA2)
   4.225 -# SHARED = Shared Key authentication (requires static WEP keys)
   4.226 -# LEAP = LEAP/Network EAP (only used with LEAP)
   4.227 -# If not set, automatic selection is used (Open System with LEAP enabled if
   4.228 -# LEAP is allowed as one of the EAP methods).
   4.229 -#
   4.230 -# pairwise: list of accepted pairwise (unicast) ciphers for WPA
   4.231 -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
   4.232 -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
   4.233 -# NONE = Use only Group Keys (deprecated, should not be included if APs support
   4.234 -#	pairwise keys)
   4.235 -# If not set, this defaults to: CCMP TKIP
   4.236 -#
   4.237 -# group: list of accepted group (broadcast/multicast) ciphers for WPA
   4.238 -# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
   4.239 -# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
   4.240 -# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key
   4.241 -# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
   4.242 -# If not set, this defaults to: CCMP TKIP WEP104 WEP40
   4.243 -#
   4.244 -# psk: WPA preshared key; 256-bit pre-shared key
   4.245 -# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
   4.246 -# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
   4.247 -# generated using the passphrase and SSID). ASCII passphrase must be between
   4.248 -# 8 and 63 characters (inclusive).
   4.249 -# This field is not needed, if WPA-EAP is used.
   4.250 -# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
   4.251 -# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
   4.252 -# startup and reconfiguration time can be optimized by generating the PSK only
   4.253 -# only when the passphrase or SSID has actually changed.
   4.254 -#
   4.255 -# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
   4.256 -# Dynamic WEP key required for non-WPA mode
   4.257 -# bit0 (1): require dynamically generated unicast WEP key
   4.258 -# bit1 (2): require dynamically generated broadcast WEP key
   4.259 -# 	(3 = require both keys; default)
   4.260 -# Note: When using wired authentication, eapol_flags must be set to 0 for the
   4.261 -# authentication to be completed successfully.
   4.262 -#
   4.263 -# mixed_cell: This option can be used to configure whether so called mixed
   4.264 -# cells, i.e., networks that use both plaintext and encryption in the same
   4.265 -# SSID, are allowed when selecting a BSS form scan results.
   4.266 -# 0 = disabled (default)
   4.267 -# 1 = enabled
   4.268 -#
   4.269 -# proactive_key_caching:
   4.270 -# Enable/disable opportunistic PMKSA caching for WPA2.
   4.271 -# 0 = disabled (default)
   4.272 -# 1 = enabled
   4.273 -#
   4.274 -# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or
   4.275 -# hex without quotation, e.g., 0102030405)
   4.276 -# wep_tx_keyidx: Default WEP key index (TX) (0..3)
   4.277 -#
   4.278 -# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is
   4.279 -# allowed. This is only used with RSN/WPA2.
   4.280 -# 0 = disabled (default)
   4.281 -# 1 = enabled
   4.282 -#peerkey=1
   4.283 -#
   4.284 -# Following fields are only used with internal EAP implementation.
   4.285 -# eap: space-separated list of accepted EAP methods
   4.286 -#	MD5 = EAP-MD5 (unsecure and does not generate keying material ->
   4.287 -#			cannot be used with WPA; to be used as a Phase 2 method
   4.288 -#			with EAP-PEAP or EAP-TTLS)
   4.289 -#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used
   4.290 -#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
   4.291 -#       OTP = EAP-OTP (cannot be used separately with WPA; to be used
   4.292 -#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
   4.293 -#       GTC = EAP-GTC (cannot be used separately with WPA; to be used
   4.294 -#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)
   4.295 -#	TLS = EAP-TLS (client and server certificate)
   4.296 -#	PEAP = EAP-PEAP (with tunnelled EAP authentication)
   4.297 -#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2
   4.298 -#			 authentication)
   4.299 -#	If not set, all compiled in methods are allowed.
   4.300 -#
   4.301 -# identity: Identity string for EAP
   4.302 -# anonymous_identity: Anonymous identity string for EAP (to be used as the
   4.303 -#	unencrypted identity with EAP types that support different tunnelled
   4.304 -#	identity, e.g., EAP-TTLS)
   4.305 -# password: Password string for EAP
   4.306 -# ca_cert: File path to CA certificate file (PEM/DER). This file can have one
   4.307 -#	or more trusted CA certificates. If ca_cert and ca_path are not
   4.308 -#	included, server certificate will not be verified. This is insecure and
   4.309 -#	a trusted CA certificate should always be configured when using
   4.310 -#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may
   4.311 -#	change when wpa_supplicant is run in the background.
   4.312 -#	On Windows, trusted CA certificates can be loaded from the system
   4.313 -#	certificate store by setting this to cert_store://<name>, e.g.,
   4.314 -#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
   4.315 -#	Note that when running wpa_supplicant as an application, the user
   4.316 -#	certificate store (My user account) is used, whereas computer store
   4.317 -#	(Computer account) is used when running wpasvc as a service.
   4.318 -# ca_path: Directory path for CA certificate files (PEM). This path may
   4.319 -#	contain multiple CA certificates in OpenSSL format. Common use for this
   4.320 -#	is to point to system trusted CA list which is often installed into
   4.321 -#	directory like /etc/ssl/certs. If configured, these certificates are
   4.322 -#	added to the list of trusted CAs. ca_cert may also be included in that
   4.323 -#	case, but it is not required.
   4.324 -# client_cert: File path to client certificate file (PEM/DER)
   4.325 -#	Full path should be used since working directory may change when
   4.326 -#	wpa_supplicant is run in the background.
   4.327 -#	Alternatively, a named configuration blob can be used by setting this
   4.328 -#	to blob://<blob name>.
   4.329 -# private_key: File path to client private key file (PEM/DER/PFX)
   4.330 -#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
   4.331 -#	commented out. Both the private key and certificate will be read from
   4.332 -#	the PKCS#12 file in this case. Full path should be used since working
   4.333 -#	directory may change when wpa_supplicant is run in the background.
   4.334 -#	Windows certificate store can be used by leaving client_cert out and
   4.335 -#	configuring private_key in one of the following formats:
   4.336 -#	cert://substring_to_match
   4.337 -#	hash://certificate_thumbprint_in_hex
   4.338 -#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
   4.339 -#	Note that when running wpa_supplicant as an application, the user
   4.340 -#	certificate store (My user account) is used, whereas computer store
   4.341 -#	(Computer account) is used when running wpasvc as a service.
   4.342 -#	Alternatively, a named configuration blob can be used by setting this
   4.343 -#	to blob://<blob name>.
   4.344 -# private_key_passwd: Password for private key file (if left out, this will be
   4.345 -#	asked through control interface)
   4.346 -# dh_file: File path to DH/DSA parameters file (in PEM format)
   4.347 -#	This is an optional configuration file for setting parameters for an
   4.348 -#	ephemeral DH key exchange. In most cases, the default RSA
   4.349 -#	authentication does not use this configuration. However, it is possible
   4.350 -#	setup RSA to use ephemeral DH key exchange. In addition, ciphers with
   4.351 -#	DSA keys always use ephemeral DH keys. This can be used to achieve
   4.352 -#	forward secrecy. If the file is in DSA parameters format, it will be
   4.353 -#	automatically converted into DH params.
   4.354 -# subject_match: Substring to be matched against the subject of the
   4.355 -#	authentication server certificate. If this string is set, the server
   4.356 -#	sertificate is only accepted if it contains this string in the subject.
   4.357 -#	The subject string is in following format:
   4.358 -#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
   4.359 -# altsubject_match: Semicolon separated string of entries to be matched against
   4.360 -#	the alternative subject name of the authentication server certificate.
   4.361 -#	If this string is set, the server sertificate is only accepted if it
   4.362 -#	contains one of the entries in an alternative subject name extension.
   4.363 -#	altSubjectName string is in following format: TYPE:VALUE
   4.364 -#	Example: EMAIL:server@example.com
   4.365 -#	Example: DNS:server.example.com;DNS:server2.example.com
   4.366 -#	Following types are supported: EMAIL, DNS, URI
   4.367 -# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters
   4.368 -#	(string with field-value pairs, e.g., "peapver=0" or
   4.369 -#	"peapver=1 peaplabel=1")
   4.370 -#	'peapver' can be used to force which PEAP version (0 or 1) is used.
   4.371 -#	'peaplabel=1' can be used to force new label, "client PEAP encryption",
   4.372 -#	to be used during key derivation when PEAPv1 or newer. Most existing
   4.373 -#	PEAPv1 implementation seem to be using the old label, "client EAP
   4.374 -#	encryption", and wpa_supplicant is now using that as the default value.
   4.375 -#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to
   4.376 -#	interoperate with PEAPv1; see eap_testing.txt for more details.
   4.377 -#	'peap_outer_success=0' can be used to terminate PEAP authentication on
   4.378 -#	tunneled EAP-Success. This is required with some RADIUS servers that
   4.379 -#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
   4.380 -#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
   4.381 -#	include_tls_length=1 can be used to force wpa_supplicant to include
   4.382 -#	TLS Message Length field in all TLS messages even if they are not
   4.383 -#	fragmented.
   4.384 -#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three
   4.385 -#	challenges (by default, it accepts 2 or 3)
   4.386 -# phase2: Phase2 (inner authentication with TLS tunnel) parameters
   4.387 -#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
   4.388 -#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
   4.389 -# Following certificate/private key fields are used in inner Phase2
   4.390 -# authentication when using EAP-TTLS or EAP-PEAP.
   4.391 -# ca_cert2: File path to CA certificate file. This file can have one or more
   4.392 -#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,
   4.393 -#	server certificate will not be verified. This is insecure and a trusted
   4.394 -#	CA certificate should always be configured.
   4.395 -# ca_path2: Directory path for CA certificate files (PEM)
   4.396 -# client_cert2: File path to client certificate file
   4.397 -# private_key2: File path to client private key file
   4.398 -# private_key2_passwd: Password for private key file
   4.399 -# dh_file2: File path to DH/DSA parameters file (in PEM format)
   4.400 -# subject_match2: Substring to be matched against the subject of the
   4.401 -#	authentication server certificate.
   4.402 -# altsubject_match2: Substring to be matched against the alternative subject
   4.403 -#	name of the authentication server certificate.
   4.404 -#
   4.405 -# fragment_size: Maximum EAP fragment size in bytes (default 1398).
   4.406 -#	This value limits the fragment size for EAP methods that support
   4.407 -#	fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
   4.408 -#	small enough to make the EAP messages fit in MTU of the network
   4.409 -#	interface used for EAPOL. The default value is suitable for most
   4.410 -#	cases.
   4.411 -#
   4.412 -# EAP-PSK variables:
   4.413 -# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
   4.414 -# nai: user NAI
   4.415 -#
   4.416 -# EAP-PAX variables:
   4.417 -# eappsk: 16-byte (128-bit, 32 hex digits) pre-shared key in hex format
   4.418 -#
   4.419 -# EAP-SAKE variables:
   4.420 -# eappsk: 32-byte (256-bit, 64 hex digits) pre-shared key in hex format
   4.421 -#	(this is concatenation of Root-Secret-A and Root-Secret-B)
   4.422 -# nai: user NAI (PEERID)
   4.423 -#
   4.424 -# EAP-GPSK variables:
   4.425 -# eappsk: Pre-shared key in hex format (at least 128 bits, i.e., 32 hex digits)
   4.426 -# nai: user NAI (ID_Client)
   4.427 -#
   4.428 -# EAP-FAST variables:
   4.429 -# pac_file: File path for the PAC entries. wpa_supplicant will need to be able
   4.430 -#	to create this file and write updates to it when PAC is being
   4.431 -#	provisioned or refreshed. Full path to the file should be used since
   4.432 -#	working directory may change when wpa_supplicant is run in the
   4.433 -#	background. Alternatively, a named configuration blob can be used by
   4.434 -#	setting this to blob://<blob name>
   4.435 -# phase1: fast_provisioning=1 option enables in-line provisioning of EAP-FAST
   4.436 -#	credentials (PAC)
   4.437 -#
   4.438 -# wpa_supplicant supports number of "EAP workarounds" to work around
   4.439 -# interoperability issues with incorrectly behaving authentication servers.
   4.440 -# These are enabled by default because some of the issues are present in large
   4.441 -# number of authentication servers. Strict EAP conformance mode can be
   4.442 -# configured by disabling workarounds with eap_workaround=0.
   4.443 -
   4.444 -# Example blocks:
   4.445 -
   4.446 -# Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
   4.447 -#network={
   4.448 -#	ssid="simple"
   4.449 -#	psk="very secret passphrase"
   4.450 -#	priority=5
   4.451 -#}
   4.452 -
   4.453 -# Same as previous, but request SSID-specific scanning (for APs that reject
   4.454 -# broadcast SSID)
   4.455 -#network={
   4.456 -#	ssid="second ssid"
   4.457 -#	scan_ssid=1
   4.458 -#	psk="very secret passphrase"
   4.459 -#	priority=2
   4.460 -#}
   4.461 -
   4.462 -# Only WPA-PSK is used. Any valid cipher combination is accepted.
   4.463 -#network={
   4.464 -#	ssid="example"
   4.465 -#	proto=WPA
   4.466 -#	key_mgmt=WPA-PSK
   4.467 -#	pairwise=CCMP TKIP
   4.468 -#	group=CCMP TKIP WEP104 WEP40
   4.469 -#	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
   4.470 -#	priority=2
   4.471 -#}
   4.472 -
   4.473 -# Only WPA-EAP is used. Both CCMP and TKIP is accepted. An AP that used WEP104
   4.474 -# or WEP40 as the group cipher will not be accepted.
   4.475 -#network={
   4.476 -#	ssid="example"
   4.477 -#	proto=RSN
   4.478 -#	key_mgmt=WPA-EAP
   4.479 -#	pairwise=CCMP TKIP
   4.480 -#	group=CCMP TKIP
   4.481 -#	eap=TLS
   4.482 -#	identity="user@example.com"
   4.483 -#	ca_cert="/etc/cert/ca.pem"
   4.484 -#	client_cert="/etc/cert/user.pem"
   4.485 -#	private_key="/etc/cert/user.prv"
   4.486 -#	private_key_passwd="password"
   4.487 -#	priority=1
   4.488 -#}
   4.489 -
   4.490 -# EAP-PEAP/MSCHAPv2 configuration for RADIUS servers that use the new peaplabel
   4.491 -# (e.g., Radiator)
   4.492 -#network={
   4.493 -#	ssid="example"
   4.494 -#	key_mgmt=WPA-EAP
   4.495 -#	eap=PEAP
   4.496 -#	identity="user@example.com"
   4.497 -#	password="foobar"
   4.498 -#	ca_cert="/etc/cert/ca.pem"
   4.499 -#	phase1="peaplabel=1"
   4.500 -#	phase2="auth=MSCHAPV2"
   4.501 -#	priority=10
   4.502 -#}
   4.503 -
   4.504 -# EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
   4.505 -# unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
   4.506 -#network={
   4.507 -#	ssid="example"
   4.508 -#	key_mgmt=WPA-EAP
   4.509 -#	eap=TTLS
   4.510 -#	identity="user@example.com"
   4.511 -#	anonymous_identity="anonymous@example.com"
   4.512 -#	password="foobar"
   4.513 -#	ca_cert="/etc/cert/ca.pem"
   4.514 -#	priority=2
   4.515 -#}
   4.516 -
   4.517 -# EAP-TTLS/MSCHAPv2 configuration with anonymous identity for the unencrypted
   4.518 -# use. Real identity is sent only within an encrypted TLS tunnel.
   4.519 -#network={
   4.520 -#	ssid="example"
   4.521 -#	key_mgmt=WPA-EAP
   4.522 -#	eap=TTLS
   4.523 -#	identity="user@example.com"
   4.524 -#	anonymous_identity="anonymous@example.com"
   4.525 -#	password="foobar"
   4.526 -#	ca_cert="/etc/cert/ca.pem"
   4.527 -#	phase2="auth=MSCHAPV2"
   4.528 -#}
   4.529 -
   4.530 -# WPA-EAP, EAP-TTLS with different CA certificate used for outer and inner
   4.531 -# authentication.
   4.532 -#network={
   4.533 -#	ssid="example"
   4.534 -#	key_mgmt=WPA-EAP
   4.535 -#	eap=TTLS
   4.536 -	# Phase1 / outer authentication
   4.537 -#	anonymous_identity="anonymous@example.com"
   4.538 -#	ca_cert="/etc/cert/ca.pem"
   4.539 -	# Phase 2 / inner authentication
   4.540 -#	phase2="autheap=TLS"
   4.541 -#	ca_cert2="/etc/cert/ca2.pem"
   4.542 -#	client_cert2="/etc/cer/user.pem"
   4.543 -#	private_key2="/etc/cer/user.prv"
   4.544 -#	private_key2_passwd="password"
   4.545 -#	priority=2
   4.546 -#}
   4.547 -
   4.548 -# Both WPA-PSK and WPA-EAP is accepted. Only CCMP is accepted as pairwise and
   4.549 -# group cipher.
   4.550 -#network={
   4.551 -#	ssid="example"
   4.552 -#	bssid=00:11:22:33:44:55
   4.553 -#	proto=WPA RSN
   4.554 -#	key_mgmt=WPA-PSK WPA-EAP
   4.555 -#	pairwise=CCMP
   4.556 -#	group=CCMP
   4.557 -#	psk=06b4be19da289f475aa46a33cb793029d4ab3db7a23ee92382eb0106c72ac7bb
   4.558 -#}
   4.559 -
   4.560 -# Special characters in SSID, so use hex string. Default to WPA-PSK, WPA-EAP
   4.561 -# and all valid ciphers.
   4.562 -#network={
   4.563 -#	ssid=00010203
   4.564 -#	psk=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
   4.565 -#}
   4.566 -
   4.567 -
   4.568 -# EAP-SIM with a GSM SIM or USIM
   4.569 -#network={
   4.570 -#	ssid="eap-sim-test"
   4.571 -#	key_mgmt=WPA-EAP
   4.572 -#	eap=SIM
   4.573 -#	pin="1234"
   4.574 -#	pcsc=""
   4.575 -#}
   4.576 -
   4.577 -
   4.578 -# EAP-PSK
   4.579 -#network={
   4.580 -#	ssid="eap-psk-test"
   4.581 -#	key_mgmt=WPA-EAP
   4.582 -#	eap=PSK
   4.583 -#	identity="eap_psk_user"
   4.584 -#	eappsk=06b4be19da289f475aa46a33cb793029
   4.585 -#	nai="eap_psk_user@example.com"
   4.586 -#}
   4.587 -
   4.588 -
   4.589 -# IEEE 802.1X/EAPOL with dynamically generated WEP keys (i.e., no WPA) using
   4.590 -# EAP-TLS for authentication and key generation; require both unicast and
   4.591 -# broadcast WEP keys.
   4.592 -#network={
   4.593 -#	ssid="1x-test"
   4.594 -#	key_mgmt=IEEE8021X
   4.595 -#	eap=TLS
   4.596 -#	identity="user@example.com"
   4.597 -#	ca_cert="/etc/cert/ca.pem"
   4.598 -#	client_cert="/etc/cert/user.pem"
   4.599 -#	private_key="/etc/cert/user.prv"
   4.600 -#	private_key_passwd="password"
   4.601 -#	eapol_flags=3
   4.602 -#}
   4.603 -
   4.604 -
   4.605 -# LEAP with dynamic WEP keys
   4.606 -#network={
   4.607 -#	ssid="leap-example"
   4.608 -#	key_mgmt=IEEE8021X
   4.609 -#	eap=LEAP
   4.610 -#	identity="user"
   4.611 -#	password="foobar"
   4.612 -#}
   4.613 -
   4.614 -# EAP-FAST with WPA (WPA or WPA2)
   4.615 -#network={
   4.616 -#	ssid="eap-fast-test"
   4.617 -#	key_mgmt=WPA-EAP
   4.618 -#	eap=FAST
   4.619 -#	anonymous_identity="FAST-000102030405"
   4.620 -#	identity="username"
   4.621 -#	password="password"
   4.622 -#	phase1="fast_provisioning=1"
   4.623 -#	pac_file="/etc/wpa_supplicant.eap-fast-pac"
   4.624 -#}
   4.625 -
   4.626 -#network={
   4.627 -#	ssid="eap-fast-test"
   4.628 -#	key_mgmt=WPA-EAP
   4.629 -#	eap=FAST
   4.630 -#	anonymous_identity="FAST-000102030405"
   4.631 -#	identity="username"
   4.632 -#	password="password"
   4.633 -#	phase1="fast_provisioning=1"
   4.634 -#	pac_file="blob://eap-fast-pac"
   4.635 -#}
   4.636 -
   4.637 -# Plaintext connection (no WPA, no IEEE 802.1X)
   4.638 -#network={
   4.639 -#	ssid="plaintext-test"
   4.640 -#	key_mgmt=NONE
   4.641 -#}
   4.642 -
   4.643 -
   4.644 -# Shared WEP key connection (no WPA, no IEEE 802.1X)
   4.645 -#network={
   4.646 -#	ssid="static-wep-test"
   4.647 -#	key_mgmt=NONE
   4.648 -#	wep_key0="abcde"
   4.649 -#	wep_key1=0102030405
   4.650 -#	wep_key2="1234567890123"
   4.651 -#	wep_tx_keyidx=0
   4.652 -#	priority=5
   4.653 -#}
   4.654 -
   4.655 -
   4.656 -# Shared WEP key connection (no WPA, no IEEE 802.1X) using Shared Key
   4.657 -# IEEE 802.11 authentication
   4.658 -#network={
   4.659 -#	ssid="static-wep-test2"
   4.660 -#	key_mgmt=NONE
   4.661 -#	wep_key0="abcde"
   4.662 -#	wep_key1=0102030405
   4.663 -#	wep_key2="1234567890123"
   4.664 -#	wep_tx_keyidx=0
   4.665 -#	priority=5
   4.666 -#	auth_alg=SHARED
   4.667 -#}
   4.668 -
   4.669 -
   4.670 -# IBSS/ad-hoc network with WPA-None/TKIP.
   4.671 -#network={
   4.672 -#	ssid="test adhoc"
   4.673 -#	mode=1
   4.674 -#	frequency=2412
   4.675 -#	proto=WPA
   4.676 -#	key_mgmt=WPA-NONE
   4.677 -#	pairwise=NONE
   4.678 -#	group=TKIP
   4.679 -#	psk="secret passphrase"
   4.680 -#}
   4.681 -
   4.682 -
   4.683 -# Catch all example that allows more or less all configuration modes
   4.684 -#network={
   4.685 -#	ssid="example"
   4.686 -#	scan_ssid=1
   4.687 -#	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
   4.688 -#	pairwise=CCMP TKIP
   4.689 -#	group=CCMP TKIP WEP104 WEP40
   4.690 -#	psk="very secret passphrase"
   4.691 -#	eap=TTLS PEAP TLS
   4.692 -#	identity="user@example.com"
   4.693 -#	password="foobar"
   4.694 -#	ca_cert="/etc/cert/ca.pem"
   4.695 -#	client_cert="/etc/cert/user.pem"
   4.696 -#	private_key="/etc/cert/user.prv"
   4.697 -#	private_key_passwd="password"
   4.698 -#	phase1="peaplabel=0"
   4.699 -#}
   4.700 -
   4.701 -# Example of EAP-TLS with smartcard (openssl engine)
   4.702 -#network={
   4.703 -#	ssid="example"
   4.704 -#	key_mgmt=WPA-EAP
   4.705 -#	eap=TLS
   4.706 -#	proto=RSN
   4.707 -#	pairwise=CCMP TKIP
   4.708 -#	group=CCMP TKIP
   4.709 -#	identity="user@example.com"
   4.710 -#	ca_cert="/etc/cert/ca.pem"
   4.711 -#	client_cert="/etc/cert/user.pem"
   4.712 -#
   4.713 -#	engine=1
   4.714 -
   4.715 -	# The engine configured here must be available. Look at
   4.716 -	# OpenSSL engine support in the global section.
   4.717 -	# The key available through the engine must be the private key
   4.718 -	# matching the client certificate configured above.
   4.719 -
   4.720 -	# use the opensc engine
   4.721 -	#engine_id="opensc"
   4.722 -	#key_id="45"
   4.723 -
   4.724 -	# use the pkcs11 engine
   4.725 -#	engine_id="pkcs11"
   4.726 -#	key_id="id_45"
   4.727 -#
   4.728 -	# Optional PIN configuration; this can be left out and PIN will be
   4.729 -	# asked through the control interface
   4.730 -#	pin="1234"
   4.731 -#}
   4.732 -
   4.733 -# Example configuration showing how to use an inlined blob as a CA certificate
   4.734 -# data instead of using external file
   4.735 -#network={
   4.736 -#	ssid="example"
   4.737 -#	key_mgmt=WPA-EAP
   4.738 -#	eap=TTLS
   4.739 -#	identity="user@example.com"
   4.740 -#	anonymous_identity="anonymous@example.com"
   4.741 -#	password="foobar"
   4.742 -#	ca_cert="blob://exampleblob"
   4.743 -#	priority=20
   4.744 -#}
   4.745 -
   4.746 -#blob-base64-exampleblob={
   4.747 -#SGVsbG8gV29ybGQhCg==
   4.748 -#}
   4.749 -
   4.750 -
   4.751 -# Wildcard match for SSID (plaintext APs only). This example select any
   4.752 -# open AP regardless of its SSID.
   4.753 -network={
   4.754 -	key_mgmt=NONE
   4.755 -}
   4.756 -
   4.757 -