1IWD.NETWORK(5) Linux Connectivity IWD.NETWORK(5)
2
6 iwd.network - Network configuration for wireless daemon
7
9 Network configuration files .open, .psk and .8021x
10
12 iwd stores information on known networks, and reads information on
13 pre-provisioned networks, from small text configuration files. Those
14 files live in the state directory specified by the environment variable
15 $STATE_DIRECTORY, which is normally provided by systemd. In the ab‐
16 sence of such an environment variable it defaults to $LIBDIR/iwd, which
17 normally is set to /var/lib/iwd. You can create, modify or remove
18 those files. iwd monitors the directory for changes and will update
19 its state accordingly. iwd will also modify these files in the course
20 of network connections or as a result of D-Bus API invocations.
21
23 The syntax is similar to that of GNOME keyfile syntax (which is based
24 on the format defined in the Desktop Entry Specification, see
25 http://freedesktop.org/Standards/desktop-entry-spec). The recognized
26 groups as well as keys and values in each group are documented here.
27 Defaults are written in bold.
28 For completeness we include the description of the file syntax here.
30 This is the syntax that the ell library's l_settings class implements.
31 The syntax is based on lines and lines are delimited by newline charac‐
32 ters.
33 Empty lines are ignored and whitespace at the beginning of a line is
35 ignored. Comment lines have # as their first non-whitespace character.
36 Key-value lines contain a setting key, an equal sign and the value of
38 the setting. Whitespace preceding the key, the equal sign or the
39 value, is ignored. The key must be a continuous string of alphanumeric
40 and underscore characters and minus signs only. The value starts at
41 the first non-whitespace character after the first equal sign on the
42 line and ends at the end of the line and must be correctly UTF-8-en‐
43 coded. A boolean value can be true or false but 0 or 1 are also al‐
44 lowed. Integer values are written in base 10. String values, includ‐
45 ing file paths and hexstrings, are written as is except for five char‐
46 acters that may be backslash-escaped: space, \t, \r, \n and backslash
47 itself. The latter three must be escaped. A space character must be
48 escaped if it is the first character in the value string and is written
49 as \s.
50 Settings are interpreted depending on the group they are in. A group
52 starts with a group header line and contains all settings until the
53 next group's header line. A group header line contains a [ character
54 followed by the group name and a ] character. Whitespace is allowed
55 before the [ and after the ]. A group name consists of printable char‐
56 acters other than [ and ].
57 If a group name starts with the @ sign, that group's content is handled
59 by a parser extension instead and does not cause the previous non-ex‐
60 tension group to end. The initial @ sign must be followed by a
61 non-empty extension name, another @ sign and a group name as defined
62 above. The extension name consists of printable characters other than
63 @. No whitespace is allowed after the group header in this case. The
64 extension payload syntax and length are determined by the extension
65 name. Normal parsing rules defined in this section resume at the end
66 of the payload and any settings after the end of the payload are han‐
67 dled as part of the previous non-extension group.
68 Currently the only extension supported is named pem and allows embed‐
70 ding the contents of a single RFC7468 PEM-formatted payload or a se‐
71 quence of multiple PEM payloads. The payload should start with the
72 -----BEGIN string on a line following the group header line and end
73 with an -----END line as specified in the RFC. Newline characters be‐
74 fore, between and after PEM payloads are included in the extension pay‐
75 load. No other extra characters are allowed.
76
78 File names are based on the network's SSID and security type: Open,
79 PSK-protected or 802.1x. The name consist of the encoding of the SSID
80 followed by .open, .psk or .8021x. The SSID appears verbatim in the
81 name if it contains only alphanumeric characters, spaces, underscores
82 or minus signs. Otherwise it is encoded as an equal sign followed by
83 the lower-case hex encoding of the name.
84
86 The settings below are split into several sections and grouped into
87 broad categories. Each category has a group associated with it which
88 is given at the beginning of each sub-section. Recognized keys and
89 valid values are listed following the group definition.
90 General Settings
92 The group [Settings] contains general settings.
93 ┌────────────────────────┬────────────────────────────┐
95 │AutoConnect │ Values: true, false │
96 │ │ │
97 │ │ Whether the network can be │
98 │ │ connected to automatically │
99 ├────────────────────────┼────────────────────────────┤
100 │Hidden │ Values: true, false │
101 │ │ │
102 │ │ Whether the network is │
103 │ │ hidden, i.e. its SSID must │
104 │ │ be included in an active │
105 │ │ scan request │
106 ├────────────────────────┼────────────────────────────┤
107 │AlwaysRandomizeAddress │ Values: true, false │
108 │ │ │
109 │ │ If enabled, the MAC ad‐ │
110 │ │ dress will be fully ran‐ │
111 │ │ domized on each connec‐ │
112 │ │ tion. This option is only │
113 │ │ used if [General].Address‐ │
114 │ │ Randomization is set to │
115 │ │ 'network'. See iwd.config. │
116 │ │ This setting should not be │
117 │ │ used with [Settings].Ad‐ │
118 │ │ dressOverride, if both are │
119 │ │ set AddressOverride will │
120 │ │ be used. │
121 └────────────────────────┴────────────────────────────┘
122 │AddressOverride │ MAC address string │
134 │ │ │
135 │ │ Override the MAC address │
136 │ │ used for connecting to │
137 │ │ this network. This option │
138 │ │ is only used if [Gen‐ │
139 │ │ eral].AddressRandomization │
140 │ │ is set to 'network'. See │
141 │ │ iwd.config. This setting │
142 │ │ should not be used with │
143 │ │ [Settings].AlwaysRandom‐ │
144 │ │ izeAddress, if both are │
145 │ │ set AddressOverride will │
146 │ │ be used. │
147 ├────────────────────────┼────────────────────────────┤
148 │TransitionDisable │ Values: true, false │
149 │ │ │
150 │ │ If enabled, the use of │
151 │ │ TKIP pairwise cipher and │
152 │ │ connections without Man‐ │
153 │ │ agement Frame Protection │
154 │ │ are disallowed. This will │
155 │ │ make certain legacy access │
156 │ │ points unavailable for │
157 │ │ use. Additional security │
158 │ │ hardening can also be ap‐ │
159 │ │ plied via the [Set‐ │
160 │ │ tings].DisabledTransition‐ │
161 │ │ Modes setting. │
162 │ │ │
163 │ │ Properly configured Access │
164 │ │ Points will typically up‐ │
165 │ │ date this setting appro‐ │
166 │ │ priately via Transition │
167 │ │ Disable indications. User │
168 │ │ customization of this │
169 │ │ value is thus typically │
170 │ │ not required. │
171 └────────────────────────┴────────────────────────────┘
172 │DisabledTransitionModes │ Comma-separated list of │
200 │ │ disabled transition modes: │
201 │ │ │
202 │ │ • personal │
203 │ │ │
204 │ │ • enterprise │
205 │ │ │
206 │ │ • open │
207 │ │ │
208 │ │ If 'personal' mode │
209 │ │ is disabled, then │
210 │ │ legacy WPA2-Per‐ │
211 │ │ sonal access points │
212 │ │ are no longer │
213 │ │ available to be │
214 │ │ connected to or │
215 │ │ roamed to. Only │
216 │ │ access points uti‐ │
217 │ │ lizing WPA3-Per‐ │
218 │ │ sonal will be con‐ │
219 │ │ sidered. │
220 │ │ │
221 │ │ If 'enterprise' │
222 │ │ mode is disabled, │
223 │ │ then legacy │
224 │ │ WPA2-Enterprise ac‐ │
225 │ │ cess points are no │
226 │ │ longer available to │
227 │ │ be connected to or │
228 │ │ roamed to. │
229 │ │ │
230 │ │ If 'open' mode is │
231 │ │ disabled, then │
232 │ │ non-OWE enabled ac‐ │
233 │ │ cess points will │
234 │ │ not be connected │
235 │ │ to. │
236 │ │ │
237 │ │ Properly configured │
238 │ │ Access Points will │
239 │ │ typically update │
240 │ │ this setting appro‐ │
241 │ │ priately via Tran‐ │
242 │ │ sition Disable in‐ │
243 │ │ dications. User │
244 │ │ customization of │
245 │ │ this value is thus │
246 │ │ typically not re‐ │
247 │ │ quired. │
248 └────────────────────────┴────────────────────────────┘
249 Network Authentication Settings
251 The group [Security] contains settings for Wi-Fi security and authenti‐
252 cation configuration. This group can be encrypted by enabling System‐
253 dEncrypt, see iwd.config for details on this option. If this section is
254 encrypted (only contains EncryptedSalt/EncryptedSecurity) it should not
255 be modified. Modifying these values will result in the inability to
256 connect to that network.
257 ┌───────────────────────────────┬────────────────────────────────────────────┐
266 │Passphrase │ 8..63 character string │
267 │ │ │
268 │ │ Passphrase to be used when │
269 │ │ connecting to WPA-Personal │
270 │ │ networks. Required when │
271 │ │ connecting to WPA3-Per‐ │
272 │ │ sonal (SAE) networks. │
273 │ │ Also required if the Pre‐ │
274 │ │ SharedKey is not provided. │
275 │ │ If not provided in set‐ │
276 │ │ tings, the agent will be │
277 │ │ asked for the passphrase │
278 │ │ at connection time. │
279 ├───────────────────────────────┼────────────────────────────────────────────┤
280 │PreSharedKey │ 64 character hex string │
281 │ │ │
282 │ │ Processed passphrase for │
283 │ │ this network in the form │
284 │ │ of a hex-encoded 32 byte │
285 │ │ pre-shared key. Must be │
286 │ │ provided if Passphrase is │
287 │ │ omitted. │
288 ├───────────────────────────────┼────────────────────────────────────────────┤
289 │EAP-Method │ one of the following meth‐ │
290 │ │ ods: │
291 │ │ │
292 │ │ AKA, AKA', MSCHAPV2, PEAP, │
293 │ │ PWD, SIM, TLS, TTLS. │
294 │ │ │
295 │ │ The following additional │
296 │ │ methods are allowed as │
297 │ │ TTLS/PEAP inner methods: │
298 │ │ │
299 │ │ GTC, MD5. │
300 ├───────────────────────────────┼────────────────────────────────────────────┤
301 │EAP-Identity │ string │
302 │ │ │
303 │ │ Identity string transmit‐ │
304 │ │ ted in plaintext. Depend‐ │
305 │ │ ing on the EAP method, │
306 │ │ this value can be optional │
307 │ │ or mandatory. GTC, MD5, │
308 │ │ MSCHAPV2, PWD require an │
309 │ │ identity, so if not pro‐ │
310 │ │ vided, the agent will be │
311 │ │ asked for it at connection │
312 │ │ time. TLS based methods │
313 │ │ (PEAP, TLS, TTLS) might │
314 │ │ still require an EAP-Iden‐ │
315 │ │ tity to be set, depending │
316 │ │ on the RADIUS server con‐ │
317 │ │ figuration. │
318 ├───────────────────────────────┼────────────────────────────────────────────┤
319 │EAP-Password │ string │
320 │ │ │
321 │ │ Password to be provided │
322 │ │ for WPA-Enterprise authen‐ │
323 │ │ tication. If not pro‐ │
324 │ │ vided, the agent will be │
325 │ │ asked for the password at │
326 │ │ connection time. Required │
327 │ │ by: GTC, MD5, MSCHAPV2, │
328 │ │ PWD. │
329 └───────────────────────────────┴────────────────────────────────────────────┘
330 │EAP-Password-Hash │ hex string │
332 │ │ │
333 │ │ Some EAP methods can ac‐ │
334 │ │ cept a pre-hashed version │
335 │ │ of the password. For │
336 │ │ MSCHAPV2, a MD4 hash of │
337 │ │ the password can be given │
338 │ │ here. │
339 ├───────────────────────────────┼────────────────────────────────────────────┤
340 │EAP-TLS-CACert, │ absolute file path or em‐ │
341 │EAP-TTLS-CACert, │ bedded pem │
342 │EAP-PEAP-CACert │ │
343 │ │ Path to a PEM-formatted │
344 │ │ X.509 root certificate │
345 │ │ list to use for trust ver‐ │
346 │ │ ification of the authenti‐ │
347 │ │ cator. The authentica‐ │
348 │ │ tor's server's certificate │
349 │ │ chain must be verified by │
350 │ │ at least one CA in the │
351 │ │ list for the authentica‐ │
352 │ │ tion to succeed. If omit‐ │
353 │ │ ted, then authenticator's │
354 │ │ certificate chain will not │
355 │ │ be verified (not recom‐ │
356 │ │ mended.) │
357 ├───────────────────────────────┼────────────────────────────────────────────┤
358 │EAP-TLS-ClientCert │ absolute file path or em‐ │
359 │ │ bedded pem │
360 │ │ │
361 │ │ Path to the client X.509 │
362 │ │ certificate or certificate │
363 │ │ chain to send on server │
364 │ │ request. │
365 ├───────────────────────────────┼────────────────────────────────────────────┤
366 │EAP-TLS-ClientKey │ absolute file path or em‐ │
367 │ │ bedded pem │
368 │ │ │
369 │ │ Path to the client private │
370 │ │ key corresponding to the │
371 │ │ public key provided in │
372 │ │ EAP-TLS-ClientCert. The │
373 │ │ recommended format is │
374 │ │ PKCS#8 PEM. │
375 ├───────────────────────────────┼────────────────────────────────────────────┤
376 │EAP-TLS-ClientKeyBundle │ absolute file path │
377 │ │ │
378 │ │ As an alternative to │
379 │ │ EAP-TLS-ClientCert and │
380 │ │ EAP-TLS-ClientKey IWD can │
381 │ │ load both the certificate │
382 │ │ and the private key from a │
383 │ │ container file pointed by │
384 │ │ this setting. The recom‐ │
385 │ │ mended format is PKCS#12 │
386 │ │ when this is used. │
387 └───────────────────────────────┴────────────────────────────────────────────┘
388 │EAP-TLS- │ string │
398 │ClientKeyPassphrase │ │
399 │ │ Decryption key for the │
400 │ │ client key files. This │
401 │ │ should be used if the cer‐ │
402 │ │ tificate or the private │
403 │ │ key in the files mentioned │
404 │ │ above is encrypted. When │
405 │ │ not given, the agent is │
406 │ │ asked for the passphrase │
407 │ │ at connection time. │
408 ├───────────────────────────────┼────────────────────────────────────────────┤
409 │EAP-TLS-ServerDomainMask, │ string │
410 │EAP-TTLS-ServerDomainMask, │ │
411 │EAP-PEAP-ServerDomainMask │ A mask for the domain │
412 │ │ names contained in the │
413 │ │ server's certificate. At │
414 │ │ least one of the domain │
415 │ │ names present in the cer‐ │
416 │ │ tificate's Subject Alter‐ │
417 │ │ native Name extension's │
418 │ │ DNS Name fields or the │
419 │ │ Common Name has to match │
420 │ │ at least one mask, or au‐ │
421 │ │ thentication will fail. │
422 │ │ Multiple masks can be │
423 │ │ given separated by semi‐ │
424 │ │ colons. The masks are │
425 │ │ split into segments at the │
426 │ │ dots. Each segment has to │
427 │ │ match its corresponding │
428 │ │ label in the domain name. │
429 │ │ An asterisk segment in the │
430 │ │ mask matches any label. │
431 │ │ An asterisk segment at the │
432 │ │ beginning of the mask │
433 │ │ matches one or more con‐ │
434 │ │ secutive labels from the │
435 │ │ beginning of the domain │
436 │ │ string. │
437 └───────────────────────────────┴────────────────────────────────────────────┘
438 │EAP-TLS-FastReauthentication, │ Values: true, false │
464 │EAP-TTLS-FastReauthentication, │ │
465 │EAP-PEAP-FastReauthentication, │ Controls whether TLS ses‐ │
466 │ │ sion caching for EAP-TLS, │
467 │ │ EAP-TTLS and EAP-PEAP is │
468 │ │ used. This allows for │
469 │ │ faster re-connections to │
470 │ │ EAP-Enterprise based net‐ │
471 │ │ works. │
472 │ │ │
473 │ │ Some network authentica‐ │
474 │ │ tors may be misconfigured │
475 │ │ in a way that TLS session │
476 │ │ resumption is allowed but │
477 │ │ actually attempting it │
478 │ │ will cause the EAP method │
479 │ │ to fail or time out. In │
480 │ │ that case, assuming the │
481 │ │ credentials and other set‐ │
482 │ │ tings are correct, every │
483 │ │ other connection attempt │
484 │ │ will fail as sessions are │
485 │ │ cached and forgotten in │
486 │ │ alternating attempts. Use │
487 │ │ this setting to disable │
488 │ │ caching for this network. │
489 ├───────────────────────────────┼────────────────────────────────────────────┤
490 │EAP-TTLS-Phase2-Method │ The following values are allowed: │
491 │ │ Tunneled-CHAP, │
492 │ │ Tunneled-MSCHAP, │
493 │ │ Tunneled-MSCHAPv2, │
494 │ │ Tunneled-PAP or │
495 │ │ a valid EAP method name (see EAP-Method) │
496 │ │ │
497 │ │ │
498 │ │ Phase 2 authentication │
499 │ │ method for EAP-TTLS. Can │
500 │ │ be either one of the │
501 │ │ TTLS-specific non-EAP │
502 │ │ methods (Tunneled-*), or │
503 │ │ any EAP method documented │
504 │ │ here. The following two │
505 │ │ settings are used if any │
506 │ │ of the non-EAP methods is │
507 │ │ used. │
508 ├───────────────────────────────┼────────────────────────────────────────────┤
509 │EAP-TTLS-Phase2-Identity │ The secure identity/username string for │
510 │ │ the TTLS non-EAP Phase 2 methods. If not │
511 │ │ provided iwd will request a username at │
512 │ │ connection time. │
513 ├───────────────────────────────┼────────────────────────────────────────────┤
514 │EAP-TTLS-Phase2-Password │ Password string for the TTLS non-EAP Phase │
515 │ │ 2 methods. If not provided IWD will re‐ │
516 │ │ quest a passphrase at connection time. │
517 ├───────────────────────────────┼────────────────────────────────────────────┤
518 │EAP-TTLS-Phase2-* │ Any settings to be used for the inner EAP │
519 │ │ method if one was specified as │
520 │ │ EAP-TTLS-Phase2-Method, rather than a │
521 │ │ TTLS-specific method. The prefix │
522 │ │ EAP-TTLS-Phase2- replaces the EAP- prefix │
523 │ │ in the setting keys and their usage is un‐ │
524 │ │ changed. Since the inner method's negoti‐ │
525 │ │ ation is encrypted, a secure identity │
526 │ │ string can be provided. │
527 └───────────────────────────────┴────────────────────────────────────────────┘
528 │EAP-PEAP-Phase2-* │ Any settings to be used for the inner EAP │
530 │ │ method with EAP-PEAP as the outer method. │
531 │ │ The prefix EAP-PEAP-Phase2- replaces the │
532 │ │ EAP- prefix in the setting keys and their │
533 │ │ usage is unchanged. Since the inner │
534 │ │ method's negotiation is encrypted, a se‐ │
535 │ │ cure identity string can be provided. │
536 └───────────────────────────────┴────────────────────────────────────────────┘
537 Network Configuration Settings
539 The group [Network] contains general network settings and any network
540 specific overrides for global defaults defined in the main iwd configu‐
541 ration file.
542 ┌─────────────┬────────────────────────────┐
544 │MulticastDNS │ Values: true, false, re‐ │
545 │ │ solve │
546 │ │ │
547 │ │ Configures multicast DNS │
548 │ │ for this network. If not │
549 │ │ specified, systemd-re‐ │
550 │ │ solved's default value │
551 │ │ will remain untouched. │
552 │ │ See man 5 systemd.network │
553 │ │ for details. │
554 │ │ │
555 │ │ Only applies when NameRe‐ │
556 │ │ solvingService=systemd. │
557 └─────────────┴────────────────────────────┘
558 The group [IPv4] contains settings for Internet Protocol version 4
560 (IPv4) network configuration with the static addresses.
561 ┌─────────────┬────────────────────────────┐
563 │Address │ IPv4 address string │
564 │ │ │
565 │ │ The IPv4 address to as‐ │
566 │ │ sign. This field is re‐ │
567 │ │ quired for the static con‐ │
568 │ │ figuration. │
569 ├─────────────┼────────────────────────────┤
570 │Gateway │ IPv4 address string │
571 │ │ │
572 │ │ The IPv4 address of the │
573 │ │ gateway (router). This │
574 │ │ field is required for the │
575 │ │ static configuration. │
576 ├─────────────┼────────────────────────────┤
577 │DNS │ IPv4 address string list, │
578 │ │ space delimited │
579 │ │ │
580 │ │ The IPv4 address(es) of │
581 │ │ the Domain Name System │
582 │ │ (DNS). This field is op‐ │
583 │ │ tional. DNS setting can be │
584 │ │ used to override the DNS │
585 │ │ entries received from the │
586 │ │ DHCP server. │
587 └─────────────┴────────────────────────────┘
588 │Netmask │ IPv4 address string │
596 │ │ │
597 │ │ The IPv4 address of the │
598 │ │ subnet. This field is op‐ │
599 │ │ tional. 255.255.255.0 is │
600 │ │ used as default Netmask. │
601 ├─────────────┼────────────────────────────┤
602 │Broadcast │ IPv4 address string │
603 │ │ │
604 │ │ The IPv4 address to be │
605 │ │ used for the broadcast. │
606 │ │ This field is optional. │
607 ├─────────────┼────────────────────────────┤
608 │DomainName │ string │
609 │ │ │
610 │ │ The DomainName is the name │
611 │ │ of the local Internet do‐ │
612 │ │ main. This field is op‐ │
613 │ │ tional. DomainName setting │
614 │ │ can be used to override │
615 │ │ the DomainName value ob‐ │
616 │ │ tained from the DHCP │
617 │ │ server. │
618 ├─────────────┼────────────────────────────┤
619 │SendHostname │ Values: true, false │
620 │ │ │
621 │ │ Configures DHCP to include │
622 │ │ the hostname in the re‐ │
623 │ │ quest. This setting is │
624 │ │ disabled by default. │
625 └─────────────┴────────────────────────────┘
626 The group [IPv6] contains settings for Internet Protocol version 6
628 (IPv6) network configuration.
629 ┌───────────┬────────────────────────────┐
631 │Enabled │ Boolean │
632 │ │ │
633 │ │ Whether IPv6 is enabled │
634 │ │ for this network. If not │
635 │ │ provided, then the global │
636 │ │ default provided by [Net‐ │
637 │ │ work].EnableIPv6 setting │
638 │ │ will be used. If IPv6 is │
639 │ │ disabled, then the 'dis‐ │
640 │ │ able_ipv6' setting in │
641 │ │ sysfs will be set to 1 and │
642 │ │ no IPv6 addresses or │
643 │ │ routes will be created for │
644 │ │ this network. │
645 ├───────────┼────────────────────────────┤
646 │Address │ IPv6 address string │
647 │ │ │
648 │ │ The IPv6 address to as‐ │
649 │ │ sign. This field is re‐ │
650 │ │ quired for the static con‐ │
651 │ │ figuration. The recog‐ │
652 │ │ nized format is according │
653 │ │ to inet_pton followed by │
654 │ │ '/' and prefix length. If │
655 │ │ prefix length is omitted, │
656 │ │ then 128 is assumed. │
657 └───────────┴────────────────────────────┘
658 │Gateway │ IPv6 address string │
662 │ │ │
663 │ │ The IPv6 address of the │
664 │ │ gateway (router). This │
665 │ │ field is required for the │
666 │ │ static configuration. │
667 ├───────────┼────────────────────────────┤
668 │DNS │ IPv6 address string list, │
669 │ │ space delimited │
670 │ │ │
671 │ │ The IPv6 address(es) of │
672 │ │ the Domain Name System │
673 │ │ (DNS). This field is op‐ │
674 │ │ tional. DNS setting can be │
675 │ │ used to override the DNS │
676 │ │ entries received from the │
677 │ │ DHCPv6 server or via │
678 │ │ Router Advertisements. │
679 ├───────────┼────────────────────────────┤
680 │DomainName │ string │
681 │ │ │
682 │ │ The DomainName is the name │
683 │ │ of the local Internet do‐ │
684 │ │ main. This field is op‐ │
685 │ │ tional. DomainName setting │
686 │ │ can be used to override │
687 │ │ the DomainName value ob‐ │
688 │ │ tained from the DHCPv6 │
689 │ │ server or via Router Ad‐ │
690 │ │ vertisements. │
691 └───────────┴────────────────────────────┘
692 Embedded PEMs
694 Rather than including an absolute path to a PEM file (for certificates
695 and keys), the PEM itself can be included inside the settings file and
696 referenced directly. This allows IEEE 802.1x network provisioning using
697 a single file without any references to certificates or keys on the
698 system.
699 An embedded PEM can appear anywhere in the settings file using the fol‐
701 lowing format (in this example the PEM is named 'my_ca_cert'):
702 [@pem@my_ca_cert]
704 ----- BEGIN CERTIFICATE -----
705 <PEM data>
706 ----- END CERTIFICATE -----
707 After this special group tag it's as simple as pasting in a PEM file
709 including the BEGIN/END tags. Now 'my_ca_cert' can be used to reference
710 the certificate elsewhere in the settings file by prefixing the value
711 with 'embed:'
712 EAP-TLS-CACert=embed:my_ca_cert
714 This is not limited to CA Certificates either. Client certificates,
716 client keys (encrypted or not), and certificate chains can be included.
717
719 The following are some examples of common configurations
720 Open Network (Hidden)
722 [Settings]
723 Hidden=true
724 Pre-Shared Key (PSK)
726 [Security]
727 Passphrase=secret123
728 PWD
730 [Security]
731 EAP-Method=PWD
732 EAP-Identity=user@domain.com
733 EAP-Password=secret123
734 TLS
736 [Security]
737 EAP-Method=TLS
738 EAP-TLS-ClientCert=/certs/client-cert.pem
739 EAP-TLS-ClientKey=/certs/client-key.pem
740 EAP-TLS-CACert=/certs/ca-cert.pem
741 EAP-TLS-ServerDomainMask=*.domain.com
742 TTLS + PAP
744 [Security]
745 EAP-Method=TTLS
746 EAP-Identity=open@identity.com
747 EAP-TTLS-CACert=/certs/ca-cert.pem
748 EAP-TTLS-Phase2-Method=Tunneled-PAP
749 EAP-TTLS-Phase2-Identity=username
750 EAP-TTLS-Phase2-Password=password
751 EAP-TTLS-ServerDomainMask=*.domain.com
752 PEAP + MSCHAPv2
754 [Security]
755 EAP-Method=PEAP
756 EAP-Identity=open@identity.com
757 EAP-PEAP-CACert=/certs/ca-cert.pem
758 EAP-PEAP-Phase2-Method=MSCHAPV2
759 EAP-PEAP-Phase2-Identity=username
760 EAP-PEAP-Phase2-Password=password
761 EAP-PEAP-ServerDomainMask=*.domain.com
762
764 iwd(8), iwd.config(5)
765
767 Marcel Holtmann <marcel@holtmann.org>, Denis Kenzior
768 <denkenz@gmail.com>, Andrew Zaborowski <andrew.zaborowski@intel.com>,
769 Tim Kourt <tim.a.kourt@linux.intel.com>, James Prestwood <prest‐
770 woj@gmail.com>
771
773 2013-2019 Intel Corporation
774iwd 22 September 2019 IWD.NETWORK(5)