diff --git a/etc/wpa_supplicant.conf b/etc/wpa_supplicant.conf index 8e2d6603ec..f685dabf63 100644 --- a/etc/wpa_supplicant.conf +++ b/etc/wpa_supplicant.conf @@ -81,6 +81,8 @@ ctrl_interface=/var/run/wpa_supplicant # to make wpa_supplicant interoperate with these APs, the version number is set # to 1 by default. This configuration value can be used to set it to the new # version (2). +# Note: When using MACsec, eapol_version shall be set to 3, which is +# defined in IEEE Std 802.1X-2010. eapol_version=1 # AP scanning/selection @@ -96,7 +98,7 @@ eapol_version=1 # parameters (e.g., WPA IE generation); this mode can also be used with # non-WPA drivers when using IEEE 802.1X mode; do not try to associate with # APs (i.e., external program needs to control association). This mode must -# also be used when using wired Ethernet drivers. +# also be used when using wired Ethernet drivers (including MACsec). # 2: like 0, but associate with APs using security policy and SSID (but not # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to # enable operation with hidden SSIDs and optimized roaming; in this mode, 
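Review bot: The added MACsec note says eapol_version `shall be set to 3` directly under a sentence that still calls 2 `the new version`, and the active `eapol_version=1` line gets no hint that MACsec deployments must change it. I would reword the preceding sentence to `This configuration value can be used to select a newer version (2, or 3 when MACsec is used).` and add a commented example `#eapol_version=3` next to the active line. Whether MKA is silently not started or an error is logged when MACsec is configured with version 1 is not visible here; if it is silent, the comment should say so because that failure mode is easy to miss.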
@@ -104,12 +106,59 @@ eapol_version=1 # the driver reports successful association; each network block should have # explicit security policy (i.e., only one option in the lists) for # key_mgmt, pairwise, group, proto variables +# Note: ap_scan=2 should not be used with the nl80211 driver interface (the +# current Linux interface). ap_scan=1 is optimized work working with nl80211. +# For finding networks using hidden SSID, scan_ssid=1 in the network block can +# be used with nl80211. # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be # created immediately regardless of scan results. ap_scan=1 mode will first try # to scan for existing networks and only if no matches with the enabled # networks are found, a new IBSS or AP mode network is created. ap_scan=1 +# Whether to force passive scan for network connection +# +# By default, scans will send out Probe Request frames on channels that allow +# active scanning. This advertise the local station to the world. Normally this +# is fine, but users may wish to do passive scanning where the radio should only +# listen quietly for Beacon frames and not send any Probe Request frames. Actual +# functionality may be driver dependent. +# +# This parameter can be used to force only passive scanning to be used +# for network connection cases. It should be noted that this will slow +# down scan operations and reduce likelihood of finding the AP. In +# addition, some use cases will override this due to functional +# requirements, e.g., for finding an AP that uses hidden SSID +# (scan_ssid=1) or P2P device discovery. +# +# 0: Do normal scans (allow active scans) (default) +# 1: Do passive scans. +#passive_scan=0 + +# MPM residency +# By default, wpa_supplicant implements the mesh peering manager (MPM) for an +# open mesh. However, if the driver can implement the MPM, you may set this to +# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is +# always used. 
+# 0: MPM lives in the driver +# 1: wpa_supplicant provides an MPM which handles peering (default) +#user_mpm=1 + +# Maximum number of peer links (0-255; default: 99) +# Maximum number of mesh peering currently maintained by the STA. +#max_peer_links=99 + +# Timeout in seconds to detect STA inactivity (default: 300 seconds) +# +# This timeout value is used in mesh STA to clean up inactive stations. +#mesh_max_inactivity=300 + +# cert_in_cb - Whether to include a peer certificate dump in events +# This controls whether peer certificates for authentication server and +# its certificate chain are included in EAP peer certificate events. This is +# enabled by default. +#cert_in_cb=1 + # EAP fast re-authentication # By default, fast re-authentication is enabled for all EAP methods that # support it. This variable can be used to disable fast re-authentication. @@ -117,10 +166,13 @@ ap_scan=1 fast_reauth=1 # OpenSSL Engine support -# These options can be used to load OpenSSL engines. +# These options can be used to load OpenSSL engines in special or legacy +# modes. # The two engines that are supported currently are shown below: # They are both from the opensc project (http://www.opensc.org/) -# By default no engines are loaded. +# By default the PKCS#11 engine is loaded if the client_cert or +# private_key option appear to be a PKCS#11 URI, and these options +# should not need to be used explicitly. # make the opensc engine available #opensc_engine_path=/usr/lib/opensc/engine_opensc.so # make the pkcs11 engine available 
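Review bot: The new ap_scan note reads `ap_scan=1 is optimized work working with nl80211`, which should be `ap_scan=1 is optimized for working with nl80211`, and the passive_scan text `This advertise the local station to the world` should be `This advertises the local station to the world`. For cert_in_cb the comment gives the default but not its consequence: the authentication server's certificate chain is pushed into control-interface events, so it is readable by whoever can attach to the socket named by ctrl_interface. I would add `# Note: the certificate dump is visible to any client permitted to use the control interface (see ctrl_interface permissions).` Whether events are delivered only to attached clients or to all control-interface users is not visible here, so keep the wording at that level.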
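Review bot: The rewritten OpenSSL engine text explains when the PKCS#11 engine is loaded automatically, but neither here nor at the `opensc_engine_path`/`pkcs11_engine_path`/`pkcs11_module_path` examples is there a warning that these paths are shared objects loaded into the wpa_supplicant process, so a writable or attacker-chosen path is code execution with the daemon's privileges. I would add `# The engine and module paths are loaded as shared objects into this process; keep them root-owned and non-writable by other users.` above the examples. The automatic PKCS#11 loading presumably uses a built-in default module path; if that default can be overridden by pkcs11_module_path, say so explicitly so the hardening note covers the implicit case as well.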
@@ -128,6 +180,16 @@ fast_reauth=1 # configure the path to the pkcs11 module required by the pkcs11 engine #pkcs11_module_path=/usr/lib/pkcs11/opensc-pkcs11.so +# OpenSSL cipher string +# +# This is an OpenSSL specific configuration option for configuring the default +# ciphers. If not set, the value configured at build time ("DEFAULT:!EXP:!LOW" +# by default) is used. +# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation +# on cipher suite configuration. This is applicable only if wpa_supplicant is +# built to use OpenSSL. +#openssl_ciphers=DEFAULT:!EXP:!LOW + # Dynamic EAP methods # If EAP methods were built dynamically as shared object files, they need to be # loaded here before being used in the network blocks. By default, EAP methods @@ -136,7 +198,7 @@ fast_reauth=1 #load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so # Driver interface parameters -# This field can be used to configure arbitrary driver interace parameters. The +# This field can be used to configure arbitrary driver interface parameters. The # format is specific to the selected driver interface. This field is not used # in most cases. #driver_param="field=value" @@ -156,9 +218,15 @@ fast_reauth=1 # Wi-Fi Protected Setup (WPS) parameters # Universally Unique IDentifier (UUID; see RFC 4122) of the device -# If not configured, UUID will be generated based on the local MAC address. +# If not configured, UUID will be generated based on the mechanism selected with +# the auto_uuid parameter. #uuid=12345678-9abc-def0-1234-56789abcdef0 +# Automatic UUID behavior +# 0 = generate static value based on the local MAC address (default) +# 1 = generate a random UUID every time wpa_supplicant starts +#auto_uuid=0 + # Device Name # User-friendly description of device; up to 32 octets encoded in UTF-8 #device_name=Wireless Client 
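Review bot: The openssl_ciphers example merely repeats the build-time default `DEFAULT:!EXP:!LOW` and does not say what the string governs or that this is the place to tighten the TLS suites negotiated for the EAP tunnel. I would state the scope and give a stricter example for deployments without legacy AAA servers, e.g. `# This string governs the TLS handshake of the TLS-based EAP methods (EAP-TLS/PEAP/TTLS/FAST); with modern servers consider HIGH:!aNULL:!MD5`, and note that an over-restrictive value makes authentication fail rather than downgrade. Whether the same string also selects TLS 1.3 suites (OpenSSL configures those separately from the cipher string) is not visible here and should be confirmed before the comment claims it.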
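Review bot: The auto_uuid description does not mention that the default MAC-derived UUID is a stable identifier, presumably carried in WPS messages, which undoes any privacy gained from MAC address randomization configured elsewhere in this file. I would add `# Note: the MAC-derived UUID is stable across restarts and is exposed in WPS exchanges; use auto_uuid=1 or an explicit random uuid when sessions must not be linkable to the permanent address.` How the UUID is derived (hash versus direct embedding of the MAC) is not visible here, so the note should not claim the MAC itself is recoverable from it.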
@@ -214,6 +282,14 @@ fast_reauth=1 # to external program(s) #wps_cred_processing=0 +# Whether to enable SAE (WPA3-Personal transition mode) automatically for +# WPA2-PSK credentials received using WPS. +# 0 = only add the explicitly listed WPA2-PSK configuration (default) +# 1 = add both the WPA2-PSK and SAE configuration and enable PMF so that the +# station gets configured in WPA3-Personal transition mode (supports both +# WPA2-Personal (PSK) and WPA3-Personal (SAE) APs). +#wps_cred_add_sae=0 + # Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing # The vendor attribute contents to be added in M1 (hex string) #wps_vendor_ext_m1=000137100100020001 @@ -230,6 +306,11 @@ fast_reauth=1 #wps_nfc_dh_privkey: Hexdump of DH Private Key #wps_nfc_dev_pw: Hexdump of Device Password +# Priority for the networks added through WPS +# This priority value will be set to each network profile that is added +# by executing the WPS protocol. +#wps_priority=0 + # Maximum number of BSS entries to keep in memory # Default: 200 # This can be used to limit memory use on the BSS entries (cached scan @@ -237,6 +318,15 @@ fast_reauth=1 # of APs when using ap_scan=1 mode. #bss_max_count=200 +# BSS expiration age in seconds. A BSS will be removed from the local cache +# if it is not in use and has not been seen for this time. Default is 180. +#bss_expiration_age=180 + +# BSS expiration after number of scans. A BSS will be removed from the local +# cache if it is not seen in this number of scans. +# Default is 2. +#bss_expiration_scan_count=2 + # Automatic scan # This is an optional set of parameters for automatic scanning # within an interface in following format: 
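Review bot: The wps_cred_add_sae text says the SAE variant is added `and enable PMF` without saying which ieee80211w level is applied; transition mode needs PMF optional (ieee80211w=1) while a strict WPA3 profile needs required (2), and that choice decides whether a rogue WPA2-only AP using the same SSID is still accepted. I would spell out the value the code actually sets, e.g. `# 1 = add both the WPA2-PSK and SAE configuration and set ieee80211w=1 (PMF optional) so that ...`. Since the credential arrives over WPS as a WPA2-PSK passphrase, the note could also say that the SAE password is presumably that same passphrase, so its strength is whatever the registrar chose.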
@@ -248,7 +338,9 @@ fast_reauth=1 # up to the limit of 300 seconds (3, 9, 27 ... 300) # For periodic module, parameters would be #autoscan=periodic:30 -# So a delay of 30 seconds will be applied between each scan +# So a delay of 30 seconds will be applied between each scan. +# Note: If sched_scan_plans are configured and supported by the driver, +# autoscan is ignored. # filter_ssids - SSID-based scan result filtering # 0 = do not filter scan results (default) @@ -259,12 +351,29 @@ fast_reauth=1 # format: [:] #ext_password_backend=test:pw1=password|pw2=testing + +# Disable P2P functionality +# p2p_disabled=1 + # Timeout in seconds to detect STA inactivity (default: 300 seconds) # # This timeout value is used in P2P GO mode to clean up # inactive stations. #p2p_go_max_inactivity=300 +# Passphrase length (8..63) for P2P GO +# +# This parameter controls the length of the random passphrase that is +# generated at the GO. Default: 8. +#p2p_passphrase_len=8 + +# Extra delay between concurrent P2P search iterations +# +# This value adds extra delay in milliseconds between concurrent search +# iterations to make p2p_find friendlier to concurrent operations by avoiding +# it from taking 100% of radio resources. The default value is 500 ms. +#p2p_search_delay=500 + # Opportunistic Key Caching (also known as Proactive Key Caching) default # This parameter can be used to set the default behavior for the # proactive_key_caching parameter. By default, OKC is disabled unless enabled 
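Review bot: The p2p_passphrase_len default of 8 is the minimum of the allowed range, and the comment does not say that this passphrase is what protects the group's WPA2-PSK against offline guessing once a 4-way handshake has been captured. Because the value is generated rather than typed by a user, a longer default costs nothing; I would add `# Note: 8 is the WPA minimum; a longer value (e.g., 16 or more) makes offline dictionary/brute-force attacks on the group PSK impractical at no usability cost.` The character set used for the random passphrase is not visible here; if it is narrow (digits only, for example) the comment should say so, since that determines the real entropy.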
@@ -275,19 +384,26 @@ fast_reauth=1 # Protected Management Frames default # This parameter can be used to set the default behavior for the ieee80211w -# parameter. By default, PMF is disabled unless enabled with the global pmf=1/2 -# parameter or with the per-network ieee80211w=1/2 parameter. With pmf=1/2, PMF -# is enabled/required by default, but can be disabled with the per-network -# ieee80211w parameter. +# parameter for RSN networks. By default, PMF is disabled unless enabled with +# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter. +# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the +# per-network ieee80211w parameter. This global default value does not apply +# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using +# RSN. #pmf=0 # Enabled SAE finite cyclic groups in preference order # By default (if this parameter is not set), the mandatory group 19 (ECC group -# defined over a 256-bit prime order field) is preferred, but other groups are -# also enabled. If this parameter is set, the groups will be tried in the -# indicated order. The group values are listed in the IANA registry: +# defined over a 256-bit prime order field, NIST P-256) is preferred and groups +# 20 (NIST P-384) and 21 (NIST P-521) are also enabled. If this parameter is +# set, the groups will be tried in the indicated order. +# The group values are listed in the IANA registry: # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 -#sae_groups=21 20 19 26 25 +# Note that groups 1, 2, 5, 22, 23, and 24 should not be used in production +# purposes due limited security (see RFC 8247). Groups that are not as strong as +# group 19 (ECC, NIST P-256) are unlikely to be useful for production use cases +# since all implementations are required to support group 19. +#sae_groups=19 20 21 # Default value for DTIM period (if not overridden in network block) #dtim_period=2 
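Review bot: The new sae_groups note has a grammar defect that muddles the security advice: `should not be used in production purposes due limited security` should read `should not be used for production purposes due to their limited security`. Next to it, the pmf text still says PMF is disabled unless pmf=1/2 or ieee80211w is set, but SAE (WPA3-Personal) requires PMF; if the implementation enables PMF implicitly for SAE/OWE networks the comment should say so, otherwise a reader following this text can configure SAE with pmf=0 and be rejected by the AP. A one-line `# Note: SAE and OWE require PMF; configure ieee80211w=2 (or 1 for transition mode) for such networks` would cover it.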
@@ -315,11 +431,69 @@ fast_reauth=1 # 1: Scan current operating frequency if another VIF on the same radio # is already associated. +# MAC address policy default +# 0 = use permanent MAC address +# 1 = use random MAC address for each ESS connection +# 2 = like 1, but maintain OUI (with local admin bit set) +# +# By default, permanent MAC address is used unless policy is changed by +# the per-network mac_addr parameter. Global mac_addr=1 can be used to +# change this default behavior. +#mac_addr=0 + +# Lifetime of random MAC address in seconds (default: 60) +#rand_addr_lifetime=60 + +# MAC address policy for pre-association operations (scanning, ANQP) +# 0 = use permanent MAC address +# 1 = use random MAC address +# 2 = like 1, but maintain OUI (with local admin bit set) +#preassoc_mac_addr=0 + +# MAC address policy for GAS operations +# 0 = use permanent MAC address +# 1 = use random MAC address +# 2 = like 1, but maintain OUI (with local admin bit set) +#gas_rand_mac_addr=0 + +# Lifetime of GAS random MAC address in seconds (default: 60) +#gas_rand_addr_lifetime=60 + # Interworking (IEEE 802.11u) # Enable Interworking # interworking=1 +# Enable P2P GO advertisement of Interworking +# go_interworking=1 + +# P2P GO Interworking: Access Network Type +# 0 = Private network +# 1 = Private network with guest access +# 2 = Chargeable public network +# 3 = Free public network +# 4 = Personal device network +# 5 = Emergency services only network +# 14 = Test or experimental +# 15 = Wildcard +#go_access_network_type=0 + +# P2P GO Interworking: Whether the network provides connectivity to the Internet +# 0 = Unspecified +# 1 = Network provides connectivity to the Internet +#go_internet=1 + +# P2P GO Interworking: Group Venue Info (optional) +# The available values are defined in IEEE Std 802.11-2016, 9.4.1.35. 
+# Example values (group,type): +# 0,0 = Unspecified +# 1,7 = Convention Center +# 1,13 = Coffee Shop +# 2,0 = Unspecified Business +# 7,1 Private Residence +#go_venue_group=7 +#go_venue_type=1 + # Homogenous ESS identifier # If this is set, scans will be used to request response only from BSSes # belonging to the specified Homogeneous ESS. This is used only if interworking @@ -334,6 +508,28 @@ fast_reauth=1 # matching network block #auto_interworking=0 +# GAS Address3 field behavior +# 0 = P2P specification (Address3 = AP BSSID); default +# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when +# sent to not-associated AP; if associated, AP BSSID) +#gas_address3=0 + +# Publish fine timing measurement (FTM) responder functionality in +# the Extended Capabilities element bit 70. +# Controls whether FTM responder functionality will be published by AP/STA. +# Note that actual FTM responder operation is managed outside wpa_supplicant. +# 0 = Do not publish; default +# 1 = Publish +#ftm_responder=0 + +# Publish fine timing measurement (FTM) initiator functionality in +# the Extended Capabilities element bit 71. +# Controls whether FTM initiator functionality will be published by AP/STA. +# Note that actual FTM initiator operation is managed outside wpa_supplicant. +# 0 = Do not publish; default +# 1 = Publish +#ftm_initiator=0 + # credential block # # Each credential used for automatic network selection is configured as a set @@ -368,6 +564,10 @@ fast_reauth=1 # (EAP-TLS). Full path to the file should be used since working # directory may change when wpa_supplicant is run in the background. # +# Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI. +# +# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" +# # Alternatively, a named configuration blob can be used by setting # this to blob://blob_name. # 
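Review bot: The mac_addr description (`use random MAC address for each ESS connection`) reads as if setting it alone gives address privacy, but the adjacent preassoc_mac_addr and gas_rand_mac_addr both default to 0, so scans, ANQP and GAS still carry the permanent address unless those are set too. I would add under mac_addr: `# Note: this policy applies to association only; also set preassoc_mac_addr and gas_rand_mac_addr if the permanent address must not be exposed before association.` The rand_addr_lifetime text should also say what happens when the 60 seconds expire (a new address is chosen at the next connection, or the address changes while associated); that behavior is not visible here.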
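Review bot: The PKCS#11 note added to the certificate (client_cert) paragraph uses `private_key="pkcs11:manufacturer=piv_II;id=%01"` as its example, which is the key option, not the certificate option this paragraph documents; the identical line appears again under private_key in the next hunk. Unless the code really expects the certificate URI to be given via private_key, the example here should be `client_cert="pkcs11:manufacturer=piv_II;id=%01"`. A short `# (the id attribute is percent-encoded binary; "%01" is the single byte 0x01)` would also explain the odd-looking id value to readers unfamiliar with PKCS#11 URIs.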
@@ -378,6 +578,9 @@ fast_reauth=1 # used since working directory may change when wpa_supplicant is run # in the background. # +# Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI. +# For example: private_key="pkcs11:manufacturer=piv_II;id=%01" +# # Windows certificate store can be used by leaving client_cert out and # configuring private_key in one of the following formats: # @@ -416,6 +619,20 @@ fast_reauth=1 # pre-configured with the credential since the NAI Realm information # may not be available or fetched. # +# required_roaming_consortium: Required Roaming Consortium OI +# If required_roaming_consortium_len is non-zero, this field contains the +# Roaming Consortium OI that is required to be advertised by the AP for +# the credential to be considered matching. +# +# roaming_consortiums: Roaming Consortium OI(s) memberships +# This string field contains one or more comma delimited OIs (hexdump) +# identifying the roaming consortiums of which the provider is a member. +# The list is sorted from the most preferred one to the least preferred +# one. A match between the Roaming Consortium OIs advertised by an AP and +# the OIs in this list indicates that successful authentication is +# possible. +# (Hotspot 2.0 PerProviderSubscription//HomeSP/RoamingConsortiumOI) +# # eap: Pre-configured EAP method # This optional field can be used to specify which EAP method will be # used with this credential. If not set, the EAP method is selected 
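Review bot: The roaming_consortiums text says a match between the OIs an AP advertises and this list `indicates that successful authentication is possible`, which overstates what an unauthenticated beacon/ANQP advertisement can tell the supplicant; any AP can advertise any OI. I would add `# Note: OI matching only drives network selection and is not an authentication of the AP; server identity is established solely by the credential's ca_cert and domain matching options.` The `required_roaming_consortium_len` named in the required_roaming_consortium paragraph is not documented as a configurable option anywhere visible here; if it is simply derived from the hex string length, say that instead of naming an internal field.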
@@ -432,6 +649,61 @@ fast_reauth=1 # matching with the network. Multiple entries can be used to specify more # than one SSID. # +# roaming_partner: Roaming partner information +# This optional field can be used to configure preferences between roaming +# partners. The field is a string in following format: +# ,<0/1 exact match>,,<* or country code> +# (non-exact match means any subdomain matches the entry; priority is in +# 0..255 range with 0 being the highest priority) +# +# update_identifier: PPS MO ID +# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) +# +# provisioning_sp: FQDN of the SP that provisioned the credential +# This optional field can be used to keep track of the SP that provisioned +# the credential to find the PPS MO (./Wi-Fi/). +# +# Minimum backhaul threshold (PPS//Policy/MinBackhauldThreshold/*) +# These fields can be used to specify minimum download/upload backhaul +# bandwidth that is preferred for the credential. This constraint is +# ignored if the AP does not advertise WAN Metrics information or if the +# limit would prevent any connection. Values are in kilobits per second. +# min_dl_bandwidth_home +# min_ul_bandwidth_home +# min_dl_bandwidth_roaming +# min_ul_bandwidth_roaming +# +# max_bss_load: Maximum BSS Load Channel Utilization (1..255) +# (PPS//Policy/MaximumBSSLoadValue) +# This value is used as the maximum channel utilization for network +# selection purposes for home networks. If the AP does not advertise +# BSS Load or if the limit would prevent any connection, this constraint +# will be ignored. +# +# req_conn_capab: Required connection capability +# (PPS//Policy/RequiredProtoPortTuple) +# This value is used to configure set of required protocol/port pairs that +# a roaming network shall support (include explicitly in Connection +# Capability ANQP element). This constraint is ignored if the AP does not +# advertise Connection Capability or if this constraint would prevent any +# network connection. 
This policy is not used in home networks. +# Format: [: ... +# +# Example: +# sched_scan_plans=10:100 20:200 30 + +# Multi Band Operation (MBO) non-preferred channels +# A space delimited list of non-preferred channels where each channel is a colon +# delimited list of values. +# Format: +# non_pref_chan=::: +# Example: +# non_pref_chan=81:5:10:2 81:1:0:2 81:9:0:2 + +# MBO Cellular Data Capabilities +# 1 = Cellular data connection available +# 2 = Cellular data connection not available +# 3 = Not cellular capable (default) +#mbo_cell_capa=3 + +# Optimized Connectivity Experience (OCE) +# oce: Enable OCE features (bitmap) +# Set BIT(0) to Enable OCE in non-AP STA mode (default; disabled if the driver +# does not indicate support for OCE in STA mode) +# Set BIT(1) to Enable OCE in STA-CFON mode +#oce=1 + # network block # # Each network (usually AP's sharing the same SSID) is configured as a separate @@ -522,6 +836,17 @@ fast_reauth=1 # an IBSS network with the configured SSID is already present, the frequency of # the network will be used instead of this configured value. # +# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only. +# 0 = do not use PBSS +# 1 = use PBSS +# 2 = don't care (not allowed in AP mode) +# Used together with mode configuration. When mode is AP, it means to start a +# PCP instead of a regular AP. When mode is infrastructure it means connect +# to a PCP instead of AP. In this mode you can also specify 2 (don't care) +# which means connect to either PCP or AP. +# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network. +# For more details, see IEEE Std 802.11ad-2012. +# # scan_freq: List of frequencies to scan # Space-separated list of frequencies in MHz to scan when searching for this # BSS. If the subset of channels used by the network is known, this option can 
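Review bot: The min_*_bandwidth, max_bss_load and req_conn_capab descriptions each say the constraint `is ignored if the AP does not advertise` the relevant ANQP element or `if the limit would prevent any connection`, so an operator who reads them as security policy (e.g. requiring VPN ports through req_conn_capab) gets no enforcement at all. I would state that once above the Policy fields: `# Note: these Policy constraints are preferences for network selection, not enforcement; an AP that omits the ANQP element, or the only candidate AP, is not excluded by them.` Several lines of this hunk appear to be missing from this view (the text jumps from the credential policy fields to `# Format: [: ...` before sched_scan_plans), so the note applies only to the lines that are visible.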
@@ -552,6 +877,8 @@ fast_reauth=1 # bgscan="learn::: # [:]" # bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan" +# Explicitly disable bgscan by setting +# bgscan="" # # This option can also be set outside of all network blocks for the bgscan # parameter to apply for all the networks that have no specific bgscan @@ -560,6 +887,7 @@ fast_reauth=1 # proto: list of accepted protocols # WPA = WPA/IEEE 802.11i/D3.0 # RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN) +# Note that RSN is used also for WPA3. # If not set, this defaults to: WPA RSN # # key_mgmt: list of accepted authenticated key management protocols 
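Review bot: The added `Note that RSN is used also for WPA3.` sits next to the default of `WPA RSN`, and nothing tells the reader that leaving proto at its default keeps the WPA1 (TKIP-era) variant acceptable on a block meant for WPA2/WPA3. I would extend the note to `# Note that RSN is used also for WPA3; networks intended for WPA2/WPA3 only should set proto=RSN so that the WPA1 variant is not accepted.` Whether a WPA1 association can actually be forced when both are listed depends on selection logic not visible here, so the wording should stay at "not accepted" rather than describe a downgrade.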
@@ -568,8 +896,27 @@ fast_reauth=1 # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically # generated WEP keys # NONE = WPA is not used; plaintext or static WEP could be used +# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK +# instead) +# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key +# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication +# FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication +# and using SHA384 # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms +# SAE = Simultaneous authentication of equals; pre-shared key/password -based +# authentication with stronger security than WPA-PSK especially when using +# not that strong password; a.k.a. WPA3-Personal +# FT-SAE = SAE with FT +# WPA-EAP-SUITE-B = Suite B 128-bit level +# WPA-EAP-SUITE-B-192 = Suite B 192-bit level +# OSEN = Hotspot 2.0 Rel 2 online signup connection +# FILS-SHA256 = Fast Initial Link Setup with SHA256 +# FILS-SHA384 = Fast Initial Link Setup with SHA384 +# FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256 +# FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384 +# OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open) +# DPP = Device Provisioning Protocol # If not set, this defaults to: WPA-PSK WPA-EAP # # ieee80211w: whether management frame protection is enabled 
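Review bot: The expanded key_mgmt list documents SAE, OWE, FILS and DPP but leaves the default `WPA-PSK WPA-EAP` line without warning that a block listing both WPA-PSK and SAE accepts whichever AKM the AP advertises, so an attacker's WPA2-only AP with the same SSID and passphrase can keep a transition-mode client on PSK. If AKM selection really follows the AP's advertisement (that logic is not visible here), add `# Note: listing WPA-PSK together with SAE allows a downgrade to WPA2-PSK by any AP advertising only PSK; use key_mgmt=SAE with ieee80211w=2 once all APs support WPA3.` The SAE entry's `especially when using not that strong password` would also read better as `especially when a weak password is used`.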
@@ -582,6 +929,13 @@ fast_reauth=1 # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256 # (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used) # +# ocv: whether operating channel validation is enabled +# This is a countermeasure against multi-channel man-in-the-middle attacks. +# Enabling this automatically also enables ieee80211w, if not yet enabled. +# 0 = disabled (default) +# 1 = enabled +#ocv=1 +# # auth_alg: list of allowed IEEE 802.11 authentication algorithms # OPEN = Open System authentication (required for WPA/WPA2) # SHARED = Shared Key authentication (requires static WEP keys) @@ -603,6 +957,14 @@ fast_reauth=1 # WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11] # If not set, this defaults to: CCMP TKIP WEP104 WEP40 # +# group_mgmt: list of accepted group management ciphers for RSN (PMF) +# AES-128-CMAC = BIP-CMAC-128 +# BIP-GMAC-128 +# BIP-GMAC-256 +# BIP-CMAC-256 +# If not set, no constraint on the cipher, i.e., accept whichever cipher the AP +# indicates. +# # psk: WPA preshared key; 256-bit pre-shared key # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e., # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be 
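Review bot: The ocv text says enabling it `automatically also enables ieee80211w, if not yet enabled` but not to which value; against a multi-channel MitM the difference between PMF optional (1) and required (2) matters, because with 1 an attacker's AP that does not advertise PMF can still be joined without protected frames. State the level the code applies, e.g. `# Enabling this sets ieee80211w=1 (PMF optional) unless already configured` or whichever is correct, and say what happens when the AP does not support OCV (connection refused, or connected without the check). In the group_mgmt list, if `AES-128-CMAC` is kept as a legacy spelling of BIP-CMAC-128 for compatibility, a parenthetical saying so would stop readers from assuming it is a distinct cipher.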
@@ -615,13 +977,75 @@ fast_reauth=1 # startup and reconfiguration time can be optimized by generating the PSK only # only when the passphrase or SSID has actually changed. # +# mem_only_psk: Whether to keep PSK/passphrase only in memory +# 0 = allow psk/passphrase to be stored to the configuration file +# 1 = do not store psk/passphrase to the configuration file +#mem_only_psk=0 +# +# sae_password: SAE password +# This parameter can be used to set a password for SAE. By default, the +# passphrase from the psk parameter is used if this separate parameter is not +# used, but psk follows the WPA-PSK constraints (8..63 characters) even though +# SAE passwords do not have such constraints. +# +# sae_password_id: SAE password identifier +# This parameter can be used to set an identifier for the SAE password. By +# default, no such identifier is used. If set, the specified identifier value +# is used by the other peer to select which password to use for authentication. +# # eapol_flags: IEEE 802.1X/EAPOL options (bit field) # Dynamic WEP key required for non-WPA mode # bit0 (1): require dynamically generated unicast WEP key # bit1 (2): require dynamically generated broadcast WEP key # (3 = require both keys; default) -# Note: When using wired authentication, eapol_flags must be set to 0 for the -# authentication to be completed successfully. +# Note: When using wired authentication (including MACsec drivers), +# eapol_flags must be set to 0 for the authentication to be completed +# successfully. +# +# macsec_policy: IEEE 802.1X/MACsec options +# This determines how sessions are secured with MACsec (only for MACsec +# drivers). +# 0: MACsec not in use (default) +# 1: MACsec enabled - Should secure, accept key server's advice to +# determine whether to use a secure session or not. 
+# +# macsec_integ_only: IEEE 802.1X/MACsec transmit mode +# This setting applies only when MACsec is in use, i.e., +# - macsec_policy is enabled +# - the key server has decided to enable MACsec +# 0: Encrypt traffic (default) +# 1: Integrity only +# +# macsec_replay_protect: IEEE 802.1X/MACsec replay protection +# This setting applies only when MACsec is in use, i.e., +# - macsec_policy is enabled +# - the key server has decided to enable MACsec +# 0: Replay protection disabled (default) +# 1: Replay protection enabled +# +# macsec_replay_window: IEEE 802.1X/MACsec replay protection window +# This determines a window in which replay is tolerated, to allow receipt +# of frames that have been misordered by the network. +# This setting applies only when MACsec replay protection active, i.e., +# - macsec_replay_protect is enabled +# - the key server has decided to enable MACsec +# 0: No replay window, strict check (default) +# 1..2^32-1: number of packets that could be misordered +# +# macsec_port: IEEE 802.1X/MACsec port +# Port component of the SCI +# Range: 1-65534 (default: 1) +# +# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode +# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. +# In this mode, instances of wpa_supplicant can act as MACsec peers. The peer +# with lower priority will become the key server and start distributing SAKs. +# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) +# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) +# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string +# (2..64 hex-digits) +# mka_priority (Priority of MKA Actor) is in 0..255 range with 255 being +# default priority # # mixed_cell: This option can be used to configure whether so called mixed # cells, i.e., networks that use both plaintext and encryption in the same 
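Review bot: The MACsec options default to `macsec_replay_protect` 0, and nothing in this hunk tells the reader that leaving replay protection off lets captured MACsec frames be re-injected, nor that `mka_cak` is a long-lived secret stored in clear text in this file. I would add `# Note: enable macsec_replay_protect=1 (with a small macsec_replay_window only where reordering is expected) on any production link` under the replay options, and `# Note: the CAK is the root secret of the MACsec CA; restrict this file (e.g., mode 0600, owned by root) and prefer EAP-derived keys where a server is available` under mka_cak. The mka_priority text says the peer `with lower priority` becomes key server, which is ambiguous; confirm whether that means the lower numeric value (as in IEEE 802.1X-2010, where the lowest Key Server Priority number wins) and write the numeric rule out.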
@@ -634,22 +1058,28 @@ fast_reauth=1 # 0 = disabled (default unless changed with the global okc parameter) # 1 = enabled # +# ft_eap_pmksa_caching: +# Whether FT-EAP PMKSA caching is allowed +# 0 = do not try to use PMKSA caching with FT-EAP (default) +# 1 = try to use PMKSA caching with FT-EAP +# This controls whether to try to use PMKSA caching with FT-EAP for the +# FT initial mobility domain association. +#ft_eap_pmksa_caching=0 +# # wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or # hex without quotation, e.g., 0102030405) # wep_tx_keyidx: Default WEP key index (TX) (0..3) # -# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is -# allowed. This is only used with RSN/WPA2. -# 0 = disabled (default) -# 1 = enabled -#peerkey=1 -# # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies. # +# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used +# as the dot11RSNAConfigGroupRekeyTime parameter when operating in +# Authenticator role in IBSS, or in AP and mesh modes. +# # Following fields are only used with internal EAP implementation. # eap: space-separated list of accepted EAP methods -# MD5 = EAP-MD5 (unsecure and does not generate keying material -> +# MD5 = EAP-MD5 (insecure and does not generate keying material -> # cannot be used with WPA; to be used as a Phase 2 method # with EAP-PEAP or EAP-TTLS) # MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used 
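Review bot: The group_rekey description says the value `if non-zero` is used as the group rekey time, but neither the default nor the meaning of 0 (presumably no periodic GTK rekeying) is stated, and that matters because the GTK is shared by every station in the BSS, IBSS or mesh. Once the real default is confirmed I would add `# 0 = no periodic group key rekeying (default); a value such as 600 limits how long a departed or compromised station can keep decrypting group traffic.` The ft_eap_pmksa_caching text could likewise give the reason its default is off, whether interoperability or security, so operators know what they trade when enabling it.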
@@ -740,17 +1170,57 @@ fast_reauth=1 # automatically converted into DH params. # subject_match: Substring to be matched against the subject of the # authentication server certificate. If this string is set, the server -# sertificate is only accepted if it contains this string in the subject. +# certificate is only accepted if it contains this string in the subject. # The subject string is in following format: # /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com +# Note: Since this is a substring match, this cannot be used securely to +# do a suffix match against a possible domain name in the CN entry. For +# such a use case, domain_suffix_match or domain_match should be used +# instead. # altsubject_match: Semicolon separated string of entries to be matched against # the alternative subject name of the authentication server certificate. -# If this string is set, the server sertificate is only accepted if it +# If this string is set, the server certificate is only accepted if it # contains one of the entries in an alternative subject name extension. # altSubjectName string is in following format: TYPE:VALUE # Example: EMAIL:server@example.com # Example: DNS:server.example.com;DNS:server2.example.com # Following types are supported: EMAIL, DNS, URI +# domain_suffix_match: Constraint for server domain name. If set, this FQDN is +# used as a suffix match requirement for the AAA server certificate in +# SubjectAltName dNSName element(s). If a matching dNSName is found, this +# constraint is met. If no dNSName values are present, this constraint is +# matched against SubjectName CN using same suffix match comparison. +# +# Suffix match here means that the host/domain name is compared one label +# at a time starting from the top-level domain and all the labels in +# domain_suffix_match shall be included in the certificate. The +# certificate may include additional sub-level labels in addition to the +# required labels. 
+# +# More than one match string can be provided by using semicolons to +# separate the strings (e.g., example.org;example.com). When multiple +# strings are specified, a match with any one of the values is considered +# a sufficient match for the certificate, i.e., the conditions are ORed +# together. +# +# For example, domain_suffix_match=example.com would match +# test.example.com but would not match test-example.com. +# domain_match: Constraint for server domain name +# If set, this FQDN is used as a full match requirement for the +# server certificate in SubjectAltName dNSName element(s). If a +# matching dNSName is found, this constraint is met. If no dNSName +# values are present, this constraint is matched against SubjectName CN +# using same full match comparison. This behavior is similar to +# domain_suffix_match, but has the requirement of a full match, i.e., +# no subdomains or wildcard matches are allowed. Case-insensitive +# comparison is used, so "Example.com" matches "example.com", but would +# not match "test.Example.com". +# +# More than one match string can be provided by using semicolons to +# separate the strings (e.g., example.org;example.com). When multiple +# strings are specified, a match with any one of the values is considered +# a sufficient match for the certificate, i.e., the conditions are ORed +# together. # phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters # (string with field-value pairs, e.g., "peapver=0" or # "peapver=1 peaplabel=1") 
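Review bot: The domain_suffix_match/domain_match text explains the matching rules well but never says that either check only constrains a certificate that has already been validated against a configured CA; without ca_cert (if, as I would expect, the chain is then not verified) a matching name proves nothing about who the server is. I would add once, before domain_suffix_match: `# Note: domain_suffix_match and domain_match restrict which validated server certificate is accepted; they are not a substitute for ca_cert (or ca_path), which must be configured alongside them.` The fallback to `SubjectName CN` when no dNSName is present should also mention that CNs are free-form, so a suffix rule can match a CN that is not a host name at all.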
@@ -779,9 +1249,20 @@ fast_reauth=1 # * 2 = require cryptobinding # EAP-WSC (WPS) uses following options: pin= or # pbc=1. +# +# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be +# used to configure a mode that allows EAP-Success (and EAP-Failure) +# without going through authentication step. Some switches use such +# sequence when forcing the port to be authorized/unauthorized or as a +# fallback option if the authentication server is unreachable. By default, +# wpa_supplicant discards such frames to protect against potential attacks +# by rogue devices, but this option can be used to disable that protection +# for cases where the server/authenticator does not need to be +# authenticated. # phase2: Phase2 (inner authentication with TLS tunnel) parameters # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or -# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) +# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be +# used to disable MSCHAPv2 password retry in authentication failure cases. # # TLS-based methods can use the following parameters to control TLS behavior # (these are normally in the phase1 parameter, but can be used also in the 
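Review bot: The allow_canned_success=1 paragraph explains what protection it disables but not what an attacker gains, which is what a deployer needs before setting it: once unsolicited EAP-Success/EAP-Failure frames are accepted, presumably any device able to inject EAPOL frames on the wire can flip the port state without completing EAP, so "does not need to be authenticated" undersells the effect. I would append `# Leave this at the default unless the switch behaviour requires it; with it set, unauthenticated EAPOL frames can control the port state.` to that paragraph. The `mschapv2_retry=0` addition to the phase2 line should also state the default (retry enabled, if that is the case) so that a reader knows a failed inner authentication is retried unless this is set.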
@@ -797,9 +1278,32 @@ fast_reauth=1 # tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used # Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS # as a workaround for broken authentication server implementations unless -# EAP workarounds are disabled with eap_workarounds=0. +# EAP workarounds are disabled with eap_workaround=0. # For EAP-FAST, this must be set to 0 (or left unconfigured for the # default value to be used automatically). +# tls_disable_tlsv1_0=1 - disable use of TLSv1.0 +# tls_disable_tlsv1_0=0 - explicitly enable use of TLSv1.0 (this allows +# systemwide TLS policies to be overridden) +# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers +# that have issues interoperating with updated TLS version) +# tls_disable_tlsv1_1=0 - explicitly enable use of TLSv1.1 (this allows +# systemwide TLS policies to be overridden) +# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers +# that have issues interoperating with updated TLS version) +# tls_disable_tlsv1_2=0 - explicitly enable use of TLSv1.2 (this allows +# systemwide TLS policies to be overridden) +# tls_disable_tlsv1_3=1 - disable use of TLSv1.3 (a workaround for AAA servers +# that have issues interoperating with updated TLS version) +# tls_disable_tlsv1_3=0 - enable TLSv1.3 (experimental - disabled by default) +# tls_ext_cert_check=0 - No external server certificate validation (default) +# tls_ext_cert_check=1 - External server certificate validation enabled; this +# requires an external program doing validation of server certificate +# chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control +# interface and report the result of the validation with +# CTRL-RSP_EXT_CERT_CHECK. 
+# tls_suiteb=0 - do not apply Suite B 192-bit constraints on TLS (default) +# tls_suiteb=1 - apply Suite B 192-bit constraints on TLS; this is used in +# particular when using Suite B with RSA keys of >= 3K (3072) bits # # Following certificate/private key fields are used in inner Phase2 # authentication when using EAP-TTLS or EAP-PEAP. @@ -813,9 +1317,12 @@ fast_reauth=1 # private_key2_passwd: Password for private key file # dh_file2: File path to DH/DSA parameters file (in PEM format) # subject_match2: Substring to be matched against the subject of the -# authentication server certificate. -# altsubject_match2: Substring to be matched against the alternative subject -# name of the authentication server certificate. +# authentication server certificate. See subject_match for more details. +# altsubject_match2: Semicolon separated string of entries to be matched +# against the alternative subject name of the authentication server +# certificate. See altsubject_match documentation for more details. +# domain_suffix_match2: Constraint for server domain name. See +# domain_suffix_match for more details. # # fragment_size: Maximum EAP fragment size in bytes (default 1398). # This value limits the fragment size for EAP methods that support @@ -828,6 +1335,14 @@ fast_reauth=1 # 0 = do not use OCSP stapling (TLS certificate status extension) # 1 = try to use OCSP stapling, but not require response # 2 = require valid OCSP stapling response +# 3 = require valid OCSP stapling response for all not-trusted +# certificates in the server certificate chain +# +# openssl_ciphers: OpenSSL specific cipher configuration +# This can be used to override the global openssl_ciphers configuration +# parameter (see above). +# +# erp: Whether EAP Re-authentication Protocol (ERP) is enabled # # EAP-FAST variables: # pac_file: File path for the PAC entries. wpa_supplicant will need to be able 
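Review bot: The `tls_disable_tlsv1_0=0` and `tls_disable_tlsv1_1=0` entries say they allow system-wide TLS policies to be overridden but not that doing so re-enables protocol versions the policy deliberately disabled; a caveat such as `# Re-enabling TLSv1.0/1.1 here overrides the system crypto policy and should be a temporary interoperability workaround only.` would be worth adding next to them. The list also never states the defaults for the 1.0/1.1/1.2 knobs (only 1.3 is marked "disabled by default"), so a reader cannot tell whether leaving them unset is safe. In the tls_ext_cert_check=1 text the event and the reply are spelled `CTRL-RSP-EXT_CERT_CHECK` and `CTRL-RSP_EXT_CERT_CHECK`, which differ only in a hyphen/underscore and both read as a response; please check both against the control-interface names and make the event/response distinction explicit. The hunk starts in the previous line in the tls_disable_session_ticket text and ends here.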
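Review bot: `erp: Whether EAP Re-authentication Protocol (ERP) is enabled` is the only entry in the ocsp/openssl_ciphers/erp block without a value list; `# 0 = disabled / 1 = enabled` lines in the style of the neighbouring ocsp entry, with the default marked, would make it consistent (verify which value is the default). For `ocsp=3` the difference from 2 is only implied — presumably 2 covers the server certificate alone while 3 extends the requirement to every non-trusted certificate in the chain — so saying that explicitly on the `2 = ...` line would let readers choose the stricter setting knowingly.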
@@ -855,6 +1370,13 @@ fast_reauth=1 # number of authentication servers. Strict EAP conformance mode can be # configured by disabling workarounds with eap_workaround=0. +# update_identifier: PPS MO ID +# (Hotspot 2.0 PerProviderSubscription/UpdateIdentifier) +# +# roaming_consortium_selection: Roaming Consortium Selection +# The matching Roaming Consortium OI that was used to generate this +# network profile. + # Station inactivity limit # # If a station does not send anything in ap_max_inactivity seconds, an @@ -878,6 +1400,22 @@ fast_reauth=1 # Beacon interval (default: 100 TU) #beacon_int=100 +# WPS in AP mode +# 0 = WPS enabled and configured (default) +# 1 = WPS disabled +#wps_disabled=0 + +# FILS DH Group +# 0 = PFS disabled with FILS shared key authentication (default) +# 1-65535 = DH Group to use for FILS PFS +#fils_dh_group=0 + +# MAC address policy +# 0 = use permanent MAC address +# 1 = use random MAC address for each ESS connection +# 2 = like 1, but maintain OUI (with local admin bit set) +#mac_addr=0 + # disable_ht: Whether HT (802.11n) should be disabled. # 0 = HT enabled (if AP supports it) # 1 = HT disabled @@ -890,6 +1428,14 @@ fast_reauth=1 # 0 = SGI enabled (if AP supports it) # 1 = SGI disabled # +# disable_ldpc: Whether LDPC should be disabled. +# 0 = LDPC enabled (if AP supports it) +# 1 = LDPC disabled +# +# ht40_intolerant: Whether 40 MHz intolerant should be indicated. +# 0 = 40 MHz tolerant (default) +# 1 = 40 MHz intolerant +# # ht_mcs: Configure allowed MCS rates. # Parsed as an array of bytes, in base-16 (ascii-hex) # ht_mcs="" // Use all available (default) 
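Review bot: The mac_addr value list says what each policy does but not the privacy consequence of the default: `0 = use permanent MAC address` means the station is trackable across every ESS it joins, which is the reason the option exists. A note such as `# Note: 0 lets the device be tracked across networks by its hardware address; 1 and 2 use a per-ESS random address instead (2 keeps the OUI, so the vendor remains identifiable).` after the list would make that trade-off visible. If a global mac_addr parameter exists elsewhere in this file, the network-block entry should also say that it overrides it. In the same hunk `wps_disabled` documents `0 = WPS enabled and configured` as the AP-mode default; given the well-documented weaknesses of WPS PIN, a one-line suggestion to set 1 unless WPS is actually needed would be appropriate.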
@@ -901,10 +1447,27 @@ fast_reauth=1 # 0 = Enable MAX-AMSDU if hardware supports it. # 1 = Disable AMSDU # +# ampdu_factor: Maximum A-MPDU Length Exponent +# Value: 0-3, see 7.3.2.56.3 in IEEE Std 802.11n-2009. +# # ampdu_density: Allow overriding AMPDU density configuration. # Treated as hint by the kernel. # -1 = Do not make any changes. # 0-3 = Set AMPDU density (aka factor) to specified value. +# +# tx_stbc: Allow overriding STBC support for TX streams +# Value: 0-1, see IEEE Std 802.11-2016, 9.4.2.56.2. +# -1 = Do not make any changes (default) +# 0 = Set if not supported +# 1 = Set if supported +# +# rx_stbc: Allow overriding STBC support for RX streams +# Value: 0-3, see IEEE Std 802.11-2016, 9.4.2.56.2. +# -1 = Do not make any changes (default) +# 0 = Set if not supported +# 1 = Set for support of one spatial stream +# 2 = Set for support of one and two spatial streams +# 3 = Set for support of one, two and three spatial streams # disable_vht: Whether VHT should be disabled. # 0 = VHT enabled (if AP supports it) 
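Review bot: Adding `ampdu_factor` directly above the existing `ampdu_density` entry, whose value line still reads `0-3 = Set AMPDU density (aka factor)`, leaves two parameters both claiming the name "factor"; that parenthetical is context here but becomes misleading with the new entry and should be dropped or reworded to point at ampdu_factor. The new entry also cites `7.3.2.56.3 in IEEE Std 802.11n-2009` while tx_stbc/rx_stbc in the same hunk cite `IEEE Std 802.11-2016, 9.4.2.56.2`; using one edition consistently would help readers cross-reference the fields.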
@@ -920,6 +1483,45 @@ fast_reauth=1 # 2: MCS 0-9 # 3: not supported +# multi_ap_backhaul_sta: Multi-AP backhaul STA functionality +# 0 = normal STA (default) +# 1 = backhaul STA +# A backhaul STA sends the Multi-AP IE, fails to associate if the AP does not +# support Multi-AP, and sets 4-address mode if it does. Thus, the netdev can be +# added to a bridge to allow forwarding frames over this backhaul link. + +##### Fast Session Transfer (FST) support ##################################### +# +# The options in this section are only available when the build configuration +# option CONFIG_FST is set while compiling wpa_supplicant. They allow this +# interface to be a part of FST setup. +# +# FST is the transfer of a session from a channel to another channel, in the +# same or different frequency bands. +# +# For details, see IEEE Std 802.11ad-2012. + +# Identifier of an FST Group the interface belongs to. +#fst_group_id=bond0 + +# Interface priority within the FST Group. +# Announcing a higher priority for an interface means declaring it more +# preferable for FST switch. +# fst_priority is in 1..255 range with 1 being the lowest priority. +#fst_priority=100 + +# Default LLT value for this interface in milliseconds. The value used in case +# no value provided during session setup. Default is 50 msec. +# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2 +# Transitioning between states). +#fst_llt=100 + +# BSS Transition Management +# disable_btm - Disable BSS transition management in STA +# Set to 0 to enable BSS transition management (default behavior) +# Set to 1 to disable BSS transition management +#disable_btm=0 + # Example blocks: # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers 
@@ -1190,6 +1792,23 @@ fast_reauth=1 # psk="secret passphrase" #} +# open mesh network +#network={ +# ssid="test mesh" +# mode=5 +# frequency=2437 +# key_mgmt=NONE +#} + +# secure (SAE + AMPE) network +#network={ +# ssid="secure mesh" +# mode=5 +# frequency=2437 +# key_mgmt=SAE +# psk="very secret passphrase" +#} + # Catch all example that allows more or less all configuration modes #network={ @@ -1219,22 +1838,10 @@ fast_reauth=1 # group=CCMP TKIP # identity="user@example.com" # ca_cert="/etc/cert/ca.pem" -# client_cert="/etc/cert/user.pem" # -# engine=1 -# -# # The engine configured here must be available. Look at -# # OpenSSL engine support in the global section. -# # The key available through the engine must be the private key -# # matching the client certificate configured above. -# -# # use the opensc engine -# #engine_id="opensc" -# #key_id="45" -# -# # use the pkcs11 engine -# engine_id="pkcs11" -# key_id="id_45" +# # Certificate and/or key identified by PKCS#11 URI (RFC7512) +# client_cert="pkcs11:manufacturer=piv_II;id=%01" +# private_key="pkcs11:manufacturer=piv_II;id=%01" # # # Optional PIN configuration; this can be left out and PIN will be # # asked through the control interface 
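Review bot: The "secure (SAE + AMPE) network" example names AMPE in its heading but nothing in the block visibly turns it on, so a reader cannot tell whether `key_mgmt=SAE` with `mode=5` implies AMPE or whether a further parameter is required; the heading comment should say which. If AMPE is implied by SAE in mesh mode, `# key_mgmt=SAE enables AMPE (authenticated peering and per-peer keys)` after the key_mgmt line would be enough. The open-mesh example with `key_mgmt=NONE` could carry a matching one-line caveat that peering and traffic are unprotected, which is the reason to prefer the SAE block.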
@@ -1265,9 +1872,49 @@ fast_reauth=1 # key_mgmt=NONE #} +# Example configuration blacklisting two APs - these will be ignored +# for this network. +#network={ +# ssid="example" +# psk="very secret passphrase" +# bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66 +#} + +# Example configuration limiting AP selection to a specific set of APs; +# any other AP not matching the masked address will be ignored. +#network={ +# ssid="example" +# psk="very secret passphrase" +# bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff +#} # Example config file that will only scan on channel 36. #freq_list=5180 #network={ # key_mgmt=NONE #} + + +# Example configuration using EAP-TTLS for authentication and key +# generation for MACsec +#network={ +# key_mgmt=IEEE8021X +# eap=TTLS +# phase2="auth=PAP" +# anonymous_identity="anonymous@example.com" +# identity="user@example.com" +# password="secretr" +# ca_cert="/etc/cert/ca.pem" +# eapol_flags=0 +# macsec_policy=1 +#} + +# Example configuration for MACsec with preshared key +#network={ +# key_mgmt=NONE +# eapol_flags=0 +# macsec_policy=1 +# mka_cak=0123456789ABCDEF0123456789ABCDEF +# mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435 +# mka_priority=128 +#}
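Review bot: The EAP-TTLS MACsec example at the end of the hunk validates the server only with `ca_cert`, so any certificate issued by that CA is accepted, which matters because `phase2="auth=PAP"` sends the password in clear inside the tunnel; adding `domain_suffix_match="example.com"` (documented earlier in this file) to the example would show the expected pattern. `password="secretr"` looks like a typo for `secret`. The preshared-key example places `mka_cak` in the file in plaintext, as do the `psk=` passphrases, so a comment such as `# This file holds secrets (passwords, psk, mka_cak); restrict its permissions.` above the examples would be worth adding. The bssid_blacklist/bssid_whitelist examples read like access control, but a BSSID is trivially spoofable, so a one-line note that these only steer AP selection and are not a security mechanism would avoid that misreading.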