WPA_SUPPLICANT.CONF(5)                                WPA_SUPPLICANT.CONF(5)

NAME
wpa_supplicant.conf - configuration file for wpa_supplicant

OVERVIEW
wpa_supplicant is configured using a text file that lists all accepted
networks and security policies, including pre-shared keys. See the
example configuration file, probably in /usr/share/doc/wpa_supplicant/,
for detailed information about the configuration format and supported
fields.

All file paths in this configuration file should be absolute (not
relative to the working directory), because the working directory may
change after start-up; this happens, for example, when wpa_supplicant
is run in the background as a daemon.

Changes to the configuration file can be reloaded by sending the SIGHUP
signal to wpa_supplicant ('killall -HUP wpa_supplicant'). Similarly, a
reload can be triggered with the wpa_cli reconfigure command.

The configuration file can include one or more network blocks, e.g., one
for each used SSID. wpa_supplicant automatically selects the best
network based on the order of the network blocks in the configuration
file (or their priority field, when set), the network security level
(WPA/WPA2 is preferred), and signal strength.

QUICK EXAMPLES
1. WPA-Personal (PSK) as home network and WPA-Enterprise with EAP-TLS
as work network.


# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
#
# home network; allow all valid ciphers
network={
ssid="home"
scan_ssid=1
key_mgmt=WPA-PSK
psk="very secret passphrase"
}
#
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
ssid="work"
scan_ssid=1
key_mgmt=WPA-EAP
pairwise=CCMP TKIP
group=CCMP TKIP
eap=TLS
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
}
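The psk="very secret passphrase" line above is the passphrase form of the key. wpa_supplicant expands it when it loads the file, and the same field also accepts the result directly as 64 unquoted hex digits, which is what the wpa_passphrase(8) tool prints. The Python below is an added example, not code from wpa_supplicant, that reproduces the derivation specified by IEEE 802.11 for WPA-PSK (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output) and renders a network block carrying the derived key; wpa_psk and network_block are this example's own names. Anyone who can read the hex PSK can still join the network, so the gain is only that the reusable human passphrase is not stored in the file.

```python
"""Derive the WPA-PSK pre-shared key from a passphrase and SSID.

Added example, not wpa_supplicant code.  The derivation is the one
IEEE 802.11 specifies for WPA-PSK: PBKDF2-HMAC-SHA1, SSID as salt,
4096 iterations, 256-bit output."""
import hashlib


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit PSK as 64 lowercase hex digits."""
    # IEEE 802.11 limits a passphrase to 8..63 printable ASCII characters
    # and an SSID to 1..32 bytes; reject anything else up front.
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)
    return key.hex()


def network_block(ssid: str, passphrase: str, scan_ssid: bool = True) -> str:
    """Render a WPA-PSK network block in wpa_supplicant.conf syntax.

    The psk= line carries the derived key unquoted (the hex form), so the
    passphrase itself never appears in the configuration file."""
    lines = ["network={", f'\tssid="{ssid}"']
    if scan_ssid:
        lines.append("\tscan_ssid=1")     # probe for hidden SSIDs, as in example 1
    lines += ["\tkey_mgmt=WPA-PSK", f"\tpsk={wpa_psk(ssid, passphrase)}", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Same network as example 1, with the key in hex form.
    print(network_block("home", "very secret passphrase"))
```

The two assertions worth keeping around are the IEEE 802.11 test vectors ("password" with SSID "IEEE", and "ThisIsAPassword" with SSID "ThisIsASSID"); if a build of wpa_passphrase disagrees with them, something is wrong with the build, not the vectors.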

2. WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old
peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink
RAD-Series)


ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="user@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
phase1="peaplabel=0"
phase2="auth=MSCHAPV2"
}

3. EAP-TTLS/EAP-MD5-Challenge configuration with an anonymous identity
for the unencrypted (outer) EAP identity exchange. The real identity is
sent only within the encrypted TLS tunnel.


ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
key_mgmt=WPA-EAP
eap=TTLS
identity="user@example.com"
anonymous_identity="anonymous@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
phase2="auth=MD5"
}

4. IEEE 802.1X (i.e., no WPA) with dynamic WEP keys (require both
unicast and broadcast keys, which is what eapol_flags=3 selects); use
EAP-TLS for authentication


ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="1x-test"
scan_ssid=1
key_mgmt=IEEE8021X
eap=TLS
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
eapol_flags=3
}

5. Catch-all example that allows more or less all configuration modes.
The configuration options are used based on what security policy is
used in the selected SSID. This is mostly for testing and is not
recommended for normal use, since it permits open (key_mgmt NONE) and
WEP/TKIP associations alongside the strong ones.


ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
network={
ssid="example"
scan_ssid=1
key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
psk="very secret passphrase"
eap=TTLS PEAP TLS
identity="user@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
phase1="peaplabel=0"
ca_cert2="/etc/cert/ca2.pem"
client_cert2="/etc/cert/user.pem"
private_key2="/etc/cert/user.prv"
private_key2_passwd="password"
}

6. Authentication for wired Ethernet. This can be used with the wired or
roboswitch interface (-Dwired or -Droboswitch on the command line).


ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
ap_scan=0
network={
key_mgmt=IEEE8021X
eap=MD5
identity="user"
password="password"
eapol_flags=0
}
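The overview's rule that every path must be absolute, and the warning that example 5 is for testing only, are both easy to check mechanically before a file is handed to wpa_supplicant. The Python below is an added example, not code from the wpa_supplicant project. It parses the syntax used in the examples above (global key=value lines, network={ ... } blocks, # comments) and reports relative paths in the certificate and key fields, the permissive settings of the catch-all block (key_mgmt NONE, TKIP/WEP ciphers, outer EAP-MD5 on a wireless interface), EAP blocks with neither ca_cert nor ca_path (the server certificate is then not validated), plaintext psk passphrases, and a configuration file readable by other users. The field names are wpa_supplicant's own; which settings count as weak is this example's policy, and SAMPLE_CONF is a constructed input modelled on examples 1 and 5 with one deliberately relative path.

```python
"""wpa_supplicant.conf linter (added example, not wpa_supplicant code).

Parses the global key=value lines and network={ ... } blocks of a file in
the format of the quick examples and reports the settings the man page
warns about.  Field names are wpa_supplicant's; the policy is this
example's own."""
import os
import stat

# Fields whose value is a file path; the overview requires absolute paths.
PATH_FIELDS = {"ca_cert", "ca_cert2", "client_cert", "client_cert2",
               "private_key", "private_key2", "dh_file", "dh_file2", "pac_file"}
WEAK_CIPHERS = {"TKIP", "WEP104", "WEP40"}
EAP_KEY_MGMT = {"WPA-EAP", "IEEE8021X"}
TLS_EAP = {"TLS", "TTLS", "PEAP", "FAST"}   # methods that present a server certificate

# Constructed sample: the catch-all settings of example 5 (with a relative
# client_cert path) next to a clean EAP-TLS block like example 1's "work".
SAMPLE_CONF = """\
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
# catch-all block, for testing only
network={
    ssid="example"
    key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    psk="very secret passphrase"
    eap=TTLS PEAP TLS
    identity="user@example.com"
    client_cert="cert/user.pem"
}
network={
    ssid="work"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    group=CCMP
    eap=TLS
    identity="user@example.com"
    ca_cert="/etc/cert/ca.pem"
    client_cert="/etc/cert/user.pem"
    private_key="/etc/cert/user.prv"
}
"""


def strip_comment(line):
    """Remove a '#' comment, but not a '#' inside a double-quoted value."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            return line[:i]
    return line


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_conf(text):
    """Return (globals, networks): one dict for the globals, one per block."""
    globals_, networks, block = {}, [], None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.replace(" ", "") == "network={":
            block = {}
        elif line == "}" and block is not None:
            networks.append(block)
            block = None
        else:
            key, _, value = line.partition("=")
            (globals_ if block is None else block)[key.strip()] = value.strip()
    return globals_, networks


def lint(text, conf_mode=None):
    """Return a list of (ssid, message); ssid is None for file-level findings.

    conf_mode is the st_mode of the config file (from os.stat), if known."""
    findings = []
    globals_, networks = parse_conf(text)
    wireless = globals_.get("ap_scan", "1") != "0"      # ap_scan=0: wired, as in example 6
    if conf_mode is not None and conf_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((None, "file is group/world accessible but holds psk/password values"))
    for net in networks:
        ssid = unquote(net.get("ssid", ""))
        key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())   # wpa_supplicant default
        eap = set(net.get("eap", "").split())
        for field in sorted(net):
            if field in PATH_FIELDS and not os.path.isabs(unquote(net[field])):
                findings.append((ssid, f"{field} is not an absolute path: {net[field]}"))
        if "NONE" in key_mgmt:
            findings.append((ssid, "key_mgmt NONE permits an open or static-WEP association"))
        for field in ("pairwise", "group"):
            weak = sorted(WEAK_CIPHERS & set(net.get(field, "").split()))
            if weak:
                findings.append((ssid, f"{field} allows weak cipher(s): {' '.join(weak)}"))
        if key_mgmt & EAP_KEY_MGMT and (not eap or eap & TLS_EAP) \
                and not (net.get("ca_cert") or net.get("ca_path")):
            findings.append((ssid, "EAP without ca_cert/ca_path: server certificate is not validated"))
        if wireless and "MD5" in eap:
            findings.append((ssid, "outer EAP-MD5 derives no keys and cannot protect a wireless link"))
        if net.get("psk", "").startswith('"'):
            findings.append((ssid, "psk is a plaintext passphrase; store the 64-hex-digit PSK instead"))
    return findings


if __name__ == "__main__":
    for ssid, msg in lint(SAMPLE_CONF):
        print(f"{ssid or '<file>'}: {msg}")
```

Run against a real file with lint(open(path).read(), os.stat(path).st_mode). The parser is deliberately stricter than wpa_supplicant's own (it has no blob or cred blocks), so treat an unparsed line as something to look at rather than as proof the file is broken.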

CERTIFICATES
Some EAP authentication methods require the use of certificates. EAP-TLS
uses both server side and client certificates, whereas EAP-PEAP and
EAP-TTLS only require the server side certificate. In all three cases
ca_cert (or ca_path) should be set; without it the server certificate is
not verified and a rogue access point can harvest the credentials sent
inside the tunnel. When a client certificate is used, a matching private
key file also has to be included in the configuration. If the private
key is protected with a passphrase, this has to be configured in
wpa_supplicant.conf ("private_key_passwd"), so the configuration file
itself must not be readable by other users.

wpa_supplicant supports X.509 certificates in PEM and DER formats. The
user certificate and private key can be included in the same file.

If the user certificate and private key are received in PKCS#12/PFX
format, they need to be converted to a suitable PEM/DER format for
wpa_supplicant. This can be done, e.g., with the following commands:


# convert client certificate and private key to PEM format
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys

The first command asks for the PFX import password and then for a new
PEM pass phrase, with which it encrypts the extracted private key; that
pass phrase is the value to put in "private_key_passwd" (adding -nodes
writes the key unencrypted instead). Either way, user.pem contains the
private key and should be readable only by the user wpa_supplicant runs
as.

SEE ALSO
wpa_supplicant(8) openssl(1)



15 February 2009                                       WPA_SUPPLICANT.CONF(5)