Tidy up the markup (fixing some nearby content bugs).

Timeout from:	sam
Approved by:	re (blanket manpages)
ru 2005-06-27 06:40:43 +00:00
parent 64582f3995
commit 6ff738eb1b
6 changed files with 417 additions and 282 deletions

View File

@ -32,56 +32,65 @@
.Nd "authenticator for IEEE 802.11 networks"
.Sh SYNOPSIS
.Nm
.Op Fl BddhKtv
.Op Fl BdhKtv
.Ar config-file ...
.Sh DESCRIPTION
The
.Nm
utility
is an authenticator for IEEE 802.11 networks.
It provides full support for WPA/IEEE 802.11i and
can also act as an IEEE 802.1X Authenticator with a suitable
backend Authentication Server (typically FreeRADIUS).
backend Authentication Server (typically
.Tn FreeRADIUS ) .
The
.Nm
utility
implements the authentication protocols that piggyback on top
of the normal IEEE 802.11 protocol mechanisms.
To use
.Nm
as an authenticator the underlying device must support some
as an authenticator, the underlying device must support some
basic functionality such as the ability to set security information
in the 802.11 management frames.
Beware that not all devices have this support.
.Pp
The
.Nm
is designed to be a "daemon" program that runs in the
utility
is designed to be a
.Dq daemon
program that runs in the
background and acts as the backend component controlling
the wireless connection.
.Nm
supports separate frontend programs such as the
It supports separate frontend programs such as the
text-based frontend,
.Xr hostapd_cli 8
.Xr hostapd_cli 8 .
.Pp
The following arguments must be specified on the command line:
.Bl -tag -width indent
.It Fl c Ar config-file
.It Ar config-file
Use the settings in the specified configuration file; the name of
the specified wireless interface is contained in this file.
See
See
.Xr hostapd.conf 5
for a description of the configuration file syntax.
.Pp
Changes to the configuration file can be reloaded by sending a
.Nm SIGHUP
Changes to the configuration file can be reloaded by sending a
.Dv SIGHUP
to the
.Nm
processor or with the
.Xr hostapd_cli
utility, using ``hostapd_cli reconfigure''.
.Xr hostapd_cli 8
utility, using
.Dq Li "hostapd_cli reconfigure" .
.El
.Sh OPTIONS
The options are as follows:
.Bl -tag -width indent
.It Fl d
Enable debugging messages.
If this option is supplied twice more verbose messages are displayed.
If this option is supplied twice, more verbose messages are displayed.
.It Fl h
Show help text.
.It Fl t
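Review bot: the SIGHUP paragraph in this hunk still sends the signal to the `.Nm` "processor" (the line reading `processor or with the`); that should be "process", as the parallel paragraph in wpa_supplicant.8 already reads, and it is worth folding in since the surrounding lines (`.Dv SIGHUP`, `.Xr hostapd_cli 8`) are being touched anyway. The change from `.It Fl c Ar config-file` to `.It Ar config-file` is correct: it now agrees with the synopsis, which takes `.Ar config-file ...` positionally with no `-c` flag.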
@ -96,13 +105,13 @@ Include key information in debugging output.
.El
.Sh SEE ALSO
.Xr ath 4 ,
.Xr iwi 4 ,
.Xr ipw 4 ,
.Xr iwi 4 ,
.Xr ral 4 ,
.Xr ural 4 ,
.Xr wi 4 ,
.Xr hostapd_cli 8 ,
.Xr hostapd.conf 5 ,
.Xr hostapd_cli 8 ,
.Xr ifconfig 8
.Sh HISTORY
The
@ -114,7 +123,8 @@ The
.Nm
utility was written by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
This manual page is derived from the README file included in the
This manual page is derived from the
.Pa README
file included in the
.Nm
distribution.
.Sh BUGS

View File

@ -29,22 +29,27 @@
.Os
.Sh NAME
.Nm hostapd.conf
.Nd "configuration file for hostapd utility"
.Nd configuration file for
.Xr hostapd 8
utility
.Sh DESCRIPTION
This is a placeholder for a real manual page.
.Sh SEE ALSO
.Xr hostapd 8 ,
.Xr hostapd_cli 8 .
.Xr hostapd_cli 8
.Sh HISTORY
The
.Nm
manual page and
.Nm hostapd
.Xr hostapd 8
functionality first appeared in
.Fx 6.0 .
.Sh AUTHORS
This manual page is derived from the README and hostapd.conf
This manual page is derived from the
.Pa README
and
.Pa hostapd.conf
files in the
.Nm hostapd
distribution provided by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
.An Jouni Malinen Aq jkmaline@cc.hut.fi .

View File

@ -29,29 +29,35 @@
.Os
.Sh NAME
.Nm hostapd_cli
.Nd "text-based frontend program for interacting with hostapd"
.Nd text-based frontend program for interacting with
.Xr hostapd 8
.Sh SYNOPSIS
.Nm
.Op commands
.Op Ar commands
.Sh DESCRIPTION
The
.Nm
utility
is a text-based frontend program for interacting with
.Xr hostapd 8 .
.Nm
is used to query current status.
It is used to query the current status.
.Pp
The
.Nm
utility
can show the
current authentication status,
dot11 and dot1x MIBs, etc.
.Pp
The
.Nm
utility
supports two modes: interactive and command line.
Both modes share the same command set.
.Pp
Interactive mode is started when
.Nm
is executed without with any parameters on the command line.
is executed without any parameters on the command line.
Commands are then entered from the controlling terminal in
response to the
.Nm
@ -62,33 +68,33 @@ entered as command line arguments.
The following commands may be supplied on the command line
or at a prompt when operating interactively.
.Bl -tag -width indent
.It mib
.It Ic mib
Report MIB variables (dot1x, dot11) for the current interface.
.It sta <addr>
Report the MIB variables for the associated station with MAC address <addr>.
.It all_sta
.It Ic sta Ar addr
Report the MIB variables for the associated station with MAC address
.Ar addr .
.It Ic all_sta
Report the MIB variables for all associated stations.
.It help
.It Ic help
Show usage help.
.It interface [ Ar ifname ]
.It Ic interface Op Ar ifname
Show available interfaces and/or set the current interface
when multiple are available.
.It level <debug level>
.It Ic level Ar debug_level
Change the debugging level in
.Nm hostapd .
.Xr hostapd 8 .
Larger numbers generate more messages.
.It license
.It Ic license
Display the full
.Nm
license for
.Nm .
.It quit
.It Ic quit
Exit
.Nm .
.El
.Sh SEE ALSO
.Xr hostapd 8 ,
.Xr hostapd.conf 5
.Xr hostapd.conf 5 ,
.Xr hostapd 8
.Sh HISTORY
The
.Nm
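Review bot: under the new `.It Ic license` entry, "Display the full / .Nm / license for / .Nm ." renders as "Display the full hostapd_cli license for hostapd_cli", which says the same thing twice; while these `.It` lines are being converted to `.Ic`, shortening it to "Display the license for" followed by `.Nm .` would read better. The same wording appears under `license` in wpa_cli.8 in this commit and could be trimmed the same way.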
@ -99,7 +105,8 @@ The
.Nm
utility was written by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
This manual page is derived from the README file included in the
.Nm
This manual page is derived from the
.Pa README
file included in the
.Nm hostapd
distribution.
.Sh BUGS

View File

@ -32,41 +32,48 @@
.Nd "text-based frontend program for interacting with wpa_supplicant"
.Sh SYNOPSIS
.Nm
.Op commands
.Op Ar commands
.Sh DESCRIPTION
The
.Nm
utility
is a text-based frontend program for interacting with
.Xr wpa_supplicant 1 .
.Nm
is used to query current status,
.Xr wpa_supplicant 8 .
It is used to query current status,
change configuration,
trigger events,
and
request interactive user input.
.Pp
The
.Nm
utility
can show the
current authentication status,
selected security
mode, dot11 and dot1x MIBs, etc.
In addition,
In addition,
.Nm
can configure EAPOL state machine
parameters and trigger events such as reassociation
and IEEE 802.1X logoff/logon.
.Pp
The
.Nm
utility
provides an interface to supply authentication information
such as username and password when it is not provided in
.Nm wpa_supplicant's
such as username and password when it is not provided in
.Xr wpa_supplicant.conf 5
configuration file.
This can be used, for example, to implement
one-time-passwords or generic token card
one-time passwords or generic token card
authentication where the authentication is based on a
challenge-response that uses an external device for generating the
response.
.Pp
The
.Nm
utility
supports two modes: interactive and command line.
Both modes share the same command set and the main difference
is in interactive mode providing access to unsolicited messages
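Review bot: the `.Nd "text-based frontend program for interacting with wpa_supplicant"` line at the top of this hunk is left as a quoted string, whereas the equivalent line in hostapd_cli.8 in this same commit was split into `.Nd text-based frontend program for interacting with` followed by `.Xr hostapd 8`. Apply the same treatment here with `.Xr wpa_supplicant 8` so the two frontend pages stay consistent; the `.Xr wpa_supplicant 1` to `.Xr wpa_supplicant 8` section fix further down is right, since the daemon page lives in section 8.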
@ -74,7 +81,7 @@ is in interactive mode providing access to unsolicited messages
.Pp
Interactive mode is started when
.Nm
is executed without with any parameters on the command line.
is executed without any parameters on the command line.
Commands are then entered from the controlling terminal in
response to the
.Nm
@ -83,40 +90,52 @@ In command line mode, the same commands are
entered as command line arguments.
.Pp
The control interface of
.Nm wpa_supplicant
.Xr wpa_supplicant 8
can be configured to allow
non-root user access by using the
ctrl_interface_group parameter
.Va ctrl_interface_group
parameter
in the
.Nm wpa_supplicant
.Xr wpa_supplicant.conf 5
configuration file.
This makes it possible to run
This makes it possible to run
.Nm
with a normal user account.
.Sh AUTHENTICATION PARAMETERS
.Pp
When
.Nm wpa_supplicant
.Xr wpa_supplicant 8
needs authentication parameters, such as username and password,
that are not present in the configuration file, it sends a
request message to all attached frontend programs, e.g.,
request message to all attached frontend programs, e.g.,
.Nm
in interactive mode.
The
.Nm
utility
shows these requests with a
"CTRL-REQ-<type>-<id>:<text>" prefix.
<type> is IDENTITY, PASSWORD, or OTP (one-time-password).
<id> is a unique identifier for the current network.
<text> is description of the request.
In the case of a OTP (One Time Password) request,
.Dq Li CTRL-REQ- Ns Ao Ar type Ac Ns Li - Ns Ao Ar id Ac Ns Li : Ns Aq Ar text
prefix, where
.Aq Ar type
is
.Li IDENTITY , PASSWORD ,
or
.Li OTP
(one-time password),
.Aq Ar id
is a unique identifier for the current network,
.Aq Ar text
is description of the request.
In the case of a
.Li OTP
(One Time Password) request,
it includes the challenge from the authentication server.
.Pp
A user must supply
.Nm wpa_supplicant
A user must supply
.Xr wpa_supplicant 8
the needed parameters in response to these requests.
.Pp
For example,
.Bd -literal
.Bd -literal -offset indent
CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
> password 1 mysecretpassword
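Review bot: two grammar slips survive the rewrite of the CTRL-REQ paragraph: ".Aq Ar text / is description of the request." needs "is a description", and "In the case of a / .Li OTP" needs "an" before OTP. Separately, the `.Pp` immediately following `.Sh AUTHENTICATION PARAMETERS` is redundant (mdoc starts a new paragraph at every section header, and this commit already drops the equivalent `.Pp` after `.Sh EXAMPLES` in wpa_supplicant.conf.5), so it should be removed here too.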
@ -129,59 +148,63 @@ CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
The following commands may be supplied on the command line
or at a prompt when operating interactively.
.Bl -tag -width indent
.It status
.It Ic status
Report the current WPA/EAPOL/EAP status for the current interface.
.It mib
.It Ic mib
Report MIB variables (dot1x, dot11) for the current interface.
.It help
.It Ic help
Show usage help.
.It interface [ Ar ifname ]
.It Ic interface Op Ar ifname
Show available interfaces and/or set the current interface
when multiple are available.
.It level <debug level>
.It Ic level Ar debug_level
Change the debugging level in
.Nm wpa_supplicant .
.Xr wpa_supplicant 8 .
Larger numbers generate more messages.
.It license
.It Ic license
Display the full
.Nm
license for
.Nm .
.It logoff
Send the IEEE 802.1X EAPOL state machine into the logoff state.
.It logon
Send the IEEE 802.1X EAPOL state machine into the logon state.
.It set [ settings ]
.It Ic logoff
Send the IEEE 802.1X EAPOL state machine into the
.Dq logoff
state.
.It Ic logon
Send the IEEE 802.1X EAPOL state machine into the
.Dq logon
state.
.It Ic set Op Ar settings
Set variables.
When no arguments are supplied the known variables and their settings
When no arguments are supplied, the known variables and their settings
are displayed.
.It pmksa
.It Ic pmksa
Show the contents of the PMKSA cache.
.It reassociate
.It Ic reassociate
Force a reassociation to the current access point.
.It reconfigure
Force
.Nm
to re-read its configuration file.
.It preauthenticate <BSSID>
Force preauthentication of the specified BSSID.
.It identity <network id> <identity>
Configure an identity for an SSID.
.It password <network id> <password>
Configure a password for an SSID.
.It otp <network id> <password>
Configure a one-time-password for an SSID.
.It terminate
.It Ic reconfigure
Force
.Nm wpa_supplicant
.Xr wpa_supplicant 8
to re-read its configuration file.
.It Ic preauthenticate Ar BSSID
Force preauthentication of the specified
.Ar BSSID .
.It Ic identity Ar network_id identity
Configure an identity for an SSID.
.It Ic password Ar network_id password
Configure a password for an SSID.
.It Ic otp Ar network_id password
Configure a one-time password for an SSID.
.It Ic terminate
Force
.Xr wpa_supplicant 8
to terminate.
.It quit
.It Ic quit
Exit
.Nm .
.El
.Sh SEE ALSO
.Xr wpa_supplicant 8 ,
.Xr wpa_supplicant.conf 5
.Xr wpa_supplicant.conf 5 ,
.Xr wpa_supplicant 8
.Sh HISTORY
The
.Nm
@ -192,7 +215,8 @@ The
.Nm
utility was written by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
This manual page is derived from the README file included in the
.Nm
This manual page is derived from the
.Pa README
file included in the
.Nm wpa_supplicant
distribution.
.Sh BUGS

View File

@ -32,31 +32,35 @@
.Nd "WPA/802.11i Supplicant for wireless network devices"
.Sh SYNOPSIS
.Nm
.Op Fl BddehLqqvw
.Op Fl BdehLqvw
.Fl i Ar ifname
.Fl c Ar config-file
.Op Fl N i Ar ifname Fl c Ar config-file ....
.Op Fl N i Ar ifname Fl c Ar config-file ...
.Sh DESCRIPTION
The
.Nm
utility
is an implementation of the WPA Supplicant component,
i.e., the part that runs in the client stations.
.Nm
implements WPA key negotiation with a WPA Authenticator
It implements WPA key negotiation with a WPA Authenticator
and EAP authentication with an Authentication Server.
In addition,
In addition,
.Nm
controls the roaming and IEEE 802.11
authentication/association support of the
.Xr wlan 4
module and can be used to configure static WEP keys
module and can be used to configure static WEP keys
based on identified networks.
.Pp
The
.Nm
is designed to be a "daemon" program that runs in the
utility
is designed to be a
.Dq daemon
program that runs in the
background and acts as the backend component controlling
the wireless connection.
.Nm
supports separate frontend programs such as the
It supports separate frontend programs such as the
text-based
.Xr wpa_cli 8
program.
@ -66,26 +70,27 @@ The following arguments must be specified on the command line:
.It Fl i Ar ifname
Use the specified wireless interface.
.It Fl c Ar config-file
Use the settings in the specified configuration file when managing
Use the settings in the specified configuration file when managing
the wireless interface.
See
See
.Xr wpa_supplicant.conf 5
for a description of the configuration file syntax and contents.
.Pp
Changes to the configuration file can be reloaded by sending a
.Nm SIGHUP
Changes to the configuration file can be reloaded by sending a
.Dv SIGHUP
to the
.Nm
process or with the
.Nm wpa_cli
utility, using ``wpa_cli reconfigure''.
.Xr wpa_cli 8
utility, using
.Dq Li "wpa_cli reconfigure" .
.El
.Sh OPTIONS
The following options are available:
.Bl -tag -width indent
.It Fl d
Enable debugging messages.
If this option is supplied twice more verbose messages are displayed.
If this option is supplied twice, more verbose messages are displayed.
.It Fl e
Use an external IEEE 802.1X Supplicant program and disable the
internal Supplicant.
@ -93,15 +98,15 @@ This option is not normally used.
.It Fl h
Show help text.
.It Fl q
Decrease debugging verbosity (i.e. counteract the use of the
Decrease debugging verbosity (i.e., counteract the use of the
.Fl d
flag.
flag).
.It Fl v
Display version information on the terminal and exit.
.It Fl w
If the specified interface is not present, wait for it to be
added; e.g. a cardbus device to be inserted.
This option is not normally used; instead
added; e.g.\& a cardbus device to be inserted.
This option is not normally used; instead,
.Xr devd 8
should be configured to launch
.Nm
@ -113,7 +118,7 @@ in the background.
Include key information in debugging output.
.It Fl L
Display the license for this program on the terminal and exit.
.It Fl N Fl i Ar iface Fl Ar config-file
.It Fl N i Ar ifname Fl c Ar config-file ...
Specify an additional interface and configuration file.
If multiple interfaces are specified then
.Nm
@ -121,16 +126,16 @@ will manage them all with a single process.
.El
.Sh SEE ALSO
.Xr ath 4 ,
.Xr iwi 4 ,
.Xr ipw 4 ,
.Xr iwi 4 ,
.Xr ral 4 ,
.Xr ural 4 ,
.Xr wi 4 ,
.Xr wlan 4 ,
.Xr wpa_supplicant.conf 5 ,
.Xr devd 8 ,
.Xr wpa_cli 8 ,
.Xr ifconfig 8 .
.Xr ifconfig 8 ,
.Xr wpa_cli 8
.Sh HISTORY
The
.Nm
@ -141,7 +146,8 @@ The
.Nm
utility was written by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
This manual page is derived from the README file included in the
This manual page is derived from the
.Pa README
file included in the
.Nm
distribution.
.Sh BUGS

View File

@ -29,318 +29,398 @@
.Os
.Sh NAME
.Nm wpa_supplicant.conf
.Nd "configuration file for wpa_supplicant utility"
.Nd configuration file for
.Xr wpa_supplicant 8
.Sh DESCRIPTION
The
.Xr wpa_supplicant 1
program is an implementation of the WPA Supplicant component,
.Xr wpa_supplicant 8
utility is an implementation of the WPA Supplicant component,
i.e., the part that runs in the client stations.
.Nm wpa_supplicant
implements WPA key negotiation with a WPA Authenticator
It implements WPA key negotiation with a WPA Authenticator
and EAP authentication with Authentication Server using
configuration information stored in a text file.
.Pp
The configuration file consists of optional global parameter
settings and one or more network blocks, e.g.
settings and one or more network blocks, e.g.\&
one for each used SSID.
.Nm wpa_supplicant
The
.Xr wpa_supplicant 8
utility
will automatically select the best network based on the order of
the network blocks in the configuration file, network security level
(WPA/WPA2 is preferred), and signal strength.
Comments are indicated with the ``#'' character; all text to the
Comments are indicated with the
.Ql #
character; all text to the
end of the line will be ignored.
.Sh GLOBAL PARAMETERS
.Nm wpa_supplicant's
default parameters may be overridden by specifying
.Bd -literal
parameter=value
.Ed
Default parameters used by
.Xr wpa_supplicant 8
may be overridden by specifying
.Pp
.Dl parameter=value
.Pp
in the configuration file (note no spaces are allowed).
Values with embedded spaces must enclosed in quote marks.
Values with embedded spaces must be enclosed in quote marks.
.Pp
The following parameters are recognized:
.Bl -tag -width indent
.It ctrl_interface
.It Va ctrl_interface
The pathname of the directory in which
.Nm wpa_supplicant
creates UNIX domain socket files for communication
.Xr wpa_supplicant 8
creates
.Ux
domain socket files for communication
with frontend programs such as
.Xr wpa_cli 8 .
.It ctrl_interface_group
.It Va ctrl_interface_group
A group name or group ID to use in setting protection on the
control interface file.
This can be set to allow non-root users to access the
control interface files.
If no group is specified the group ID of the control interface
If no group is specified, the group ID of the control interface
is not modified and will, typically, be the
group ID of the directory in which the socket is created.
.It eapol_version
.It Va eapol_version
The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2.
.Nm wpa_supplicant
The
.Xr wpa_supplicant 8
utility
is implemented according to IEEE 802-1X-REV-d8 which defines
EAPOL version to be 2.
However some access points do not work when presented with
However, some access points do not work when presented with
this version so by default
.Nm wpa_supplicant
.Xr wpa_supplicant 8
will announce that it is using EAPOL version 1.
If version 2 must be announced for correct operation with an
access point this value may be set to 2.
.It ap_scan
access point, this value may be set to 2.
.It Va ap_scan
Access point scanning and selection control; one of 0, 1 (default), or 2.
Only setting 1 should be used with the
.Xr wlan 4
module; the other settings are for use on other operating systems.
.It fast_reauth
.It Va fast_reauth
EAP fast re-authentication; either 1 (default) or 0.
Control fast re-authentication support in EAP methods that support it.
.El
.Sh NETWORK BLOCKS
Each potential network/access point should have a ``network block''
that describes how to identify it and how to setup security.
When multiple network blocks are listed in a configuration file
Each potential network/access point should have a
.Dq "network block"
that describes how to identify it and how to set up security.
When multiple network blocks are listed in a configuration file,
the highest priority one is selected for use or, if multiple networks
with the same priority are identified, the first one listed in the
configuration file is used.
.Pp
A network block description is of the form:
.Bd -literal
.Bd -literal -offset indent
network={
parameter=value
...
}
.Ed
.Pp
(note the leading "network={" may have no spaces).
(note the leading
.Qq Li "network={"
may have no spaces).
The block specification contains one or more parameters
from the following list:
.Bl -tag -width indent
.It ssid (required)
.It Va ssid No (required)
Network name (as announced by the access point).
An ASCII or hex string enclosed in quotation marks.
.It scan_ssid
An
.Tn ASCII
or hex string enclosed in quotation marks.
.It Va scan_ssid
SSID scan technique; 0 (default) or 1.
Technique 0 scans for the SSID using a broadcast Probe Request
frame while 1 uses a directed Probe Request frame.
Access points that cloak themself by not braodcasting their SSID
require technique 1, but beware that this scheme can cause scanning
to take longer to complete.
.It bssid
.It Va bssid
Network BSSID (typically the MAC address of the access point).
.It priority
.It Va priority
The priority of a network when selecting among multiple networks;
a higher value means a network is more desirable.
By default networks have priority 0.
When multiple networks with the same priority are considered
for selection other information such as security policy and
for selection, other information such as security policy and
signal strength are used to select one.
.It mode
.It Va mode
IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS).
Note that IBSS (adhoc) mode can only be used with
key_mgmt
.Va key_mgmt
set to
NONE (plaintext and static WEP).
.It proto
.Li NONE
(plaintext and static WEP).
.It Va proto
List of acceptable protocols; one or more of:
WPA (IEEE 802.11i/D3.0)
.Li WPA
(IEEE 802.11i/D3.0)
and
RSN (IEEE 802.11i).
WPA2 is another name for RSN.
If not set this defaults to "WPA RSN".
.It key_mgmt
.Li RSN
(IEEE 802.11i).
.Li WPA2
is another name for
.Li RSN .
If not set this defaults to
.Qq Li "WPA RSN" .
.It Va key_mgmt
List of acceptable key management protocols; one or more of:
WPA-PSK (WPA pre-shared key),
WPA-EAP (WPA using EAP authentication),
IEEE8021X (IEEE 802.1x using EAP authentication and,
.Li WPA-PSK
(WPA pre-shared key),
.Li WPA-EAP
(WPA using EAP authentication),
.Li IEEE8021X
(IEEE 802.1x using EAP authentication and,
optionally, dynamically generated WEP keys),
NONE (plaintext or static WEP keys).
If not set this defaults to "WPA-PSK WPA-EAP".
.It auth_alg
.Li NONE
(plaintext or static WEP keys).
If not set this defaults to
.Qq Li "WPA-PSK WPA-EAP" .
.It Va auth_alg
List of allowed IEEE 802.11 authentication algorithms; one or more of:
OPEN (Open System authentication, required for WPA/WPA2),
SHARED (Shared Key authentication),
LEAP (LEAP/Network EAP).
.Li OPEN
(Open System authentication, required for WPA/WPA2),
.Li SHARED
(Shared Key authentication),
.Li LEAP
(LEAP/Network EAP).
If not set automatic selection is used (Open System with LEAP
enabled if LEAP is allowed as one of the EAP methods).
.It pairwise
.It Va pairwise
List of acceptable pairwise (unicast) ciphers for WPA; one or more of:
CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
TKIP (Temporal Key Integrity Protocol, IEE 802.11i/D7.0),
NONE (deprecated).
If not set this defaults to "CCMP TKIP".
.It group
.Li CCMP
(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
.Li TKIP
(Temporal Key Integrity Protocol, IEE 802.11i/D7.0),
.Li NONE
(deprecated).
If not set this defaults to
.Qq Li "CCMP TKIP" .
.It Va group
List of acceptable group (multicast) ciphers for WPA; one or more of:
CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
TKIP (Temporal Key Integrity Protocol, IEE 802.11i/D7.0),
WEP104 (WEP with 104-bit key),
WEP40 (WEP with 40-bit key).
If not set this defaults to "CCMP TKIP WEP104 WEP40".
.It psk
.Li CCMP
(AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0),
.Li TKIP
(Temporal Key Integrity Protocol, IEE 802.11i/D7.0),
.Li WEP104
(WEP with 104-bit key),
.Li WEP40
(WEP with 40-bit key).
If not set this defaults to
.Qq Li "CCMP TKIP WEP104 WEP40" .
.It Va psk
WPA preshared key used in WPA-PSK mode.
The key is specified as 64 hex digits or as
an 8-63 character ASCII passphrase.
ASCII passphrases are converted to a 256-bit key using the network SSID.
.It eapol_flags
an 8-63 character
.Tn ASCII
passphrase.
.Tn ASCII
passphrases are converted to a 256-bit key using the network SSID.
.It Va eapol_flags
Dynamic WEP key usage for non-WPA mode, specified as a bit field.
Bit 0 (1) forces dynamically generated unicast WEP keys to be used.
Bit 1 (2) forces dynamically generated broadcast WEP keys to be used.
By default this is set to 3 (use both).
.It eap
.It Va eap
List of acceptable EAP methods; one or more of:
MD5 (EAP-MD5, cannot be used with WPA, used only as a Phase 2 method with EAP-PEAP or EAP-TTLS)),
MSCHAPV2 (EAP-MSCHAPV2, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
OTP (EAP-OTP, cannot be used with WPA; used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
GTC (EAP-GTC, cannot be used with WPA; used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
TLS (EAP-TLS, client and server certificate),
PEAP (EAP-PEAP, with tunnelled EAP authentication),
TTLS (EAP-TTLS, with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication).
.Li MD5
(EAP-MD5, cannot be used with WPA,
used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
.Li MSCHAPV2
(EAP-MSCHAPV2, cannot be used with WPA;
used only as a Phase 2 method with EAP-PEAP or EAP-TTLS),
.Li OTP
(EAP-OTP, cannot be used with WPA;
used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
.Li GTC
(EAP-GTC, cannot be used with WPA;
used only as a Phase 2 metod with EAP-PEAP or EAP-TTLS),
.Li TLS
(EAP-TLS, client and server certificate),
.Li PEAP
(EAP-PEAP, with tunnelled EAP authentication),
.Li TTLS
(EAP-TTLS, with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication).
If not set this defaults to all available methods compiled in to
.Nm wpa_supplicant .
.Xr wpa_supplicant 8 .
Note that by default
.Nm wpa_supplicant
.Xr wpa_supplicant 8
is not compiled with EAP support; see
.Xr make.conf 5
.Xr make.conf 5
for the
ENABLE_WPA_SUPPLICANT_EAPOL
.Va ENABLE_WPA_SUPPLICANT_EAPOL
configuration variable.
.It identity
.It Va identity
Identity string for EAP.
.It anonymous_identity
.It Va anonymous_identity
Anonymous identity string for EAP (to be used as the unencrypted identity
with EAP types that support different tunnnelled identity; e.g. EAP-TTLS).
.It password
with EAP types that support different tunnnelled identity; e.g.\& EAP-TTLS).
.It Va password
Password string for EAP.
.It ca_cert
.It Va ca_cert
Pathname to CA certificate file.
This file can have one or more trusted CA certificates.
If
ca_cert
.Va ca_cert
is not included, server certificates will not be verified (not recommended).
.It client_cert
.It Va client_cert
Pathname to client certificate file (PEM/DER).
.It private_key
.It Va private_key
Pathname to a client private key file (PEM/DER/PFX).
When a PKCS#12/PFX file is used, then
client_cert
.Va client_cert
should not be specified as both the private key and certificate will be
read from PKCS#12 file.
.It private_key_passwd
.It Va private_key_passwd
Password for any private key file.
.It dh_file
.It Va dh_file
Pathname to a file holding DH/DSA parameters (in PEM format).
This file holds parameters for an ephemeral DH key exchange.
In most cases, the default RSA authentication does not use this configuration.
However, it is possible to setup RSA to use an ephemeral DH key exchange.
However, it is possible to set up RSA to use an ephemeral DH key exchange.
In addition, ciphers with
DSA keys always use ephemeral DH keys.
This can be used to achieve forward secrecy.
If the
dh_file
.Va dh_file
is in DSA parameters format, it will be automatically converted
into DH params.
.It subject_match
.It Va subject_match
Substring to be matched against the subject of the
authentication server certificate.
If this string is set, the server
sertificate is only accepted if it contains this string in the subject.
The subject string is in following format:
.Bd -literal
/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
.Ed
.It phase1
.Pp
.Dl "/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com"
.It Va phase1
Phase1 (outer authentication, i.e., TLS tunnel) parameters
(string with field-value pairs, e.g., "peapver=0" or "peapver=1 peaplabel=1").
.Pp
peapver can be used to force which PEAP version (0 or 1) is used.
.Pp
peaplabel=1 can be used to force new label, "client PEAP encryption",
(string with field-value pairs, e.g.,
.Qq Li peapver=0
or
.Qq Li "peapver=1 peaplabel=1" ) .
.Bl -inset
.It Li peapver
can be used to force which PEAP version (0 or 1) is used.
.It Li peaplabel=1
can be used to force new label,
.Dq "client PEAP encryption" ,
to be used during key derivation when PEAPv1 or newer.
Most existing PEAPv1 implementation seem to be using the old label,
"client EAP encryption", and wpa_supplicant is now using that as the
Most existing PEAPv1 implementations seem to be using the old label,
.Dq Li "client EAP encryption" ,
and
.Xr wpa_supplicant 8
is now using that as the
default value.
Some servers, e.g., Radiator, may require peaplabel=1 configuration to
interoperate with PEAPv1; see eap_testing.txt for more details.
.Pp
peap_outer_success=0 can be used to terminate PEAP authentication on
Some servers, e.g.,
.Tn Radiator ,
may require
.Li peaplabel=1
configuration to interoperate with PEAPv1; see
.Pa eap_testing.txt
for more details.
.It Li peap_outer_success=0
can be used to terminate PEAP authentication on
tunneled EAP-Success.
This is required with some RADIUS servers that
implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)
include_tls_length=1 can be used to force wpa_supplicant to include
implement
.Pa draft-josefsson-pppext-eap-tls-eap-05.txt
(e.g.,
.Tn Lucent NavisRadius v4.4.0
with PEAP in
.Dq "IETF Draft 5"
mode).
.It Li include_tls_length=1
can be used to force
.Xr wpa_supplicant 8
to include
TLS Message Length field in all TLS messages even if they are not
fragmented.
.Pp
sim_min_num_chal=3 can be used to configure EAP-SIM to require three
.It Li sim_min_num_chal=3
can be used to configure EAP-SIM to require three
challenges (by default, it accepts 2 or 3)
.Pp
fast_provisioning=1 option enables in-line provisioning of EAP-FAST
.It Li fast_provisioning=1
option enables in-line provisioning of EAP-FAST
credentials (PAC).
.It phase2
.El
.It Va phase2
phase2: Phase2 (inner authentication with TLS tunnel) parameters
(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS).
.It ca_cert2
(string with field-value pairs, e.g.,
.Qq Li "auth=MSCHAPV2"
for EAP-PEAP or
.Qq Li "autheap=MSCHAPV2 autheap=MD5"
for EAP-TTLS).
.It Va ca_cert2
Like
.Nm ca_cert
.Va ca_cert
but for EAP inner Phase 2.
.It client_cert2
.It Va client_cert2
Like
.Nm client_cert
.Va client_cert
but for EAP inner Phase 2.
.It private_key2
.It Va private_key2
Like
.Nm private_key
.Va private_key
but for EAP inner Phase 2.
.It private_key2_passwd
.It Va private_key2_passwd
Like
.Nm private_key_passwd
.Va private_key_passwd
but for EAP inner Phase 2.
.It dh_file2
.It Va dh_file2
Like
.Nm dh_file
.Va dh_file
but for EAP inner Phase 2.
.It subject_match2
.It Va subject_match2
Like
.Nm subject_match
.Va subject_match
but for EAP inner Phase 2.
.It eappsk
.It Va eappsk
16-byte pre-shared key in hext format for use with EAP-PSK.
.It nai
.It Va nai
User NAI for use with EAP-PSK.
.It server_nai
.It Va server_nai
Authentication Server NAI for use with EAP-PSK.
.It pac_file
.It Va pac_file
Pathname to the file to use for PAC entries with EAP-FAST.
.Nm wpa_supplicant
The
.Xr wpa_supplicant 8
utility
must be able to create this file and write updates to it when
PAC is being provisioned or refreshed.
.It eap_workaround
.It Va eap_workaround
Enable/disable EAP workarounds for various interoperability issues
with misbehaving authentication servers.
By default these workarounds are enabled.
String EAP conformance can be configured by setting this to 0.
.El
.Sh CERTIFICATES
.Pp
Some EAP authentication methods require use of certificates.
EAP-TLS uses both server- and client-side certificates,
whereas EAP-PEAP and EAP-TTLS only require a server-side certificate.
When a client certificate is used, a matching private key file must
also be included in configuration.
If the private key uses a passphrase, this
has to be configured in the wpa_supplicant.conf file as "private_key_passwd".
has to be configured in the
.Nm
file as
.Va private_key_passwd .
.Pp
.Nm wpa_supplicant
The
.Xr wpa_supplicant 8
utility
supports X.509 certificates in PEM and DER formats.
User certificate and private key can be included in the same file.
.Pp
If the user certificate and private key is received in PKCS#12/PFX
format, they need to be converted to suitable PEM/DER format for
format, they need to be converted to a suitable PEM/DER format for
use by
.Nm wpa_supplicant.
.Xr wpa_supplicant 8 .
This can be done using the
.Xr openssl 1
program, e.g. with following commands:
program, e.g.\& with the following commands:
.Bd -literal
# convert client certificate and private key to PEM format
openssl pkcs12 -in example.pfx -out user.pem -clcerts
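Review bot: the commit message says nearby content bugs were fixed, but several typos in lines this hunk re-marks-up are carried over unchanged: "IEE 802.11i/D7.0" in both new `.Li TKIP` lines (pairwise and group) should be "IEEE", "Phase 2 metod" in the new OTP and GTC entries should be "method", "tunnnelled identity" under `.Va anonymous_identity` should be "tunnelled", and in adjacent context lines "cloak themself by not braodcasting" (scan_ssid), "sertificate" (subject_match), "hext format" (eappsk) and "String EAP conformance" (eap_workaround, which should read "Strict") remain. The `.Va phase2` description still starts with a duplicated "phase2: Phase2 (inner authentication ...)" prefix, and the `.Pp` directly after `.Sh CERTIFICATES` is redundant for the same reason the one after `.Sh EXAMPLES` was dropped. One content point worth a stronger caveat while here: the `.Va ca_cert` entry already states that without it "server certificates will not be verified (not recommended)"; since the tunnelled EAP-PEAP/EAP-TTLS methods described on this page send the inner password inside that TLS tunnel, omitting `ca_cert` means the password goes to whichever server terminates the tunnel, and saying so would make the warning actionable.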
@ -348,7 +428,6 @@ openssl pkcs12 -in example.pfx -out user.pem -clcerts
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
.Ed
.Sh EXAMPLES
.Pp
WPA-Personal (PSK) as a home network and WPA-Enterprise with EAP-TLS
as a work network:
.Bd -literal
@ -399,7 +478,8 @@ network={
.Ed
.Pp
EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
unencrypted use. Real identity is sent only within an encrypted TLS tunnel.
unencrypted use.
Real identity is sent only within an encrypted TLS tunnel.
.Bd -literal
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
@ -416,18 +496,21 @@ network={
}
.Ed
.Sh SEE ALSO
.Xr wpa_supplicant 8 ,
.Xr wpa_cli 8 .
.Xr wpa_cli 8 ,
.Xr wpa_supplicant 8
.Sh HISTORY
The
.Nm
manual page and
.Nm wpa_supplicant
.Xr wpa_supplicant 8
functionality first appeared in
.Fx 6.0 .
.Sh AUTHORS
This manual page is derived from the README and wpa_supplicant.conf
This manual page is derived from the
.Pa README
and
.Pa wpa_supplicant.conf
files in the
.Nm wpa_supplicant
distribution provided by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
.An Jouni Malinen Aq jkmaline@cc.hut.fi .