IWD.NETWORK(5)                Linux Connectivity                IWD.NETWORK(5)

NAME

       iwd.network - Network configuration for wireless daemon

SYNOPSIS

       Network configuration files .open, .psk and .8021x

DESCRIPTION

       iwd stores information on known networks, and reads information on
       pre-provisioned networks, from small text configuration files. Those
       files live in the state directory specified by the environment variable
       $STATE_DIRECTORY, which is normally provided by systemd. In the absence
       of such an environment variable it defaults to $LIBDIR/iwd, which
       normally is set to /var/lib/iwd. You can create, modify or remove those
       files. iwd monitors the directory for changes and will update its state
       accordingly. iwd will also modify these files in the course of network
       connections or as a result of D-Bus API invocations.

FILE FORMAT

       The syntax is similar to that of GNOME keyfile syntax (which is based
       on the format defined in the Desktop Entry Specification, see
       http://freedesktop.org/Standards/desktop-entry-spec). The recognized
       groups as well as keys and values in each group are documented here.
       Defaults are written in bold.

       For completeness we include the description of the file syntax here.
       This is the syntax that the ell library's l_settings class implements.
       The syntax is based on lines and lines are delimited by newline
       characters.

       Empty lines are ignored and whitespace at the beginning of a line is
       ignored. Comment lines have # as their first non-whitespace character.

       Key-value lines contain a setting key, an equal sign and the value of
       the setting. Whitespace preceding the key, the equal sign or the value
       is ignored. The key must be a continuous string of alphanumeric and
       underscore characters and minus signs only. The value starts at the
       first non-whitespace character after the first equal sign on the line
       and ends at the end of the line and must be correctly UTF-8-encoded. A
       boolean value can be true or false but 0 or 1 are also allowed. Integer
       values are written in base 10. String values, including file paths and
       hexstrings, are written as is except for five characters that may be
       backslash-escaped: space, \t, \r, \n and backslash itself. The latter
       three must be escaped. A space character must be escaped if it is the
       first character in the value string and is written as \s.

       Settings are interpreted depending on the group they are in. A group
       starts with a group header line and contains all settings until the
       next group's header line. A group header line contains a [ character
       followed by the group name and a ] character. Whitespace is allowed
       before the [ and after the ]. A group name consists of printable
       characters other than [ and ].

NAMING

       File names are based on the network's SSID and security type: Open,
       PSK-protected or 802.1x. The name consists of the encoding of the SSID
       followed by .open, .psk or .8021x. The SSID appears verbatim in the
       name if it contains only alphanumeric characters, spaces, underscores
       or minus signs. Otherwise it is encoded as an equal sign followed by
       the lower-case hex encoding of the name.
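
       The naming rule above, implemented in Python as an added example (this
       is not iwd's own code). It assumes the hex form encodes the SSID's raw
       UTF-8 bytes, and adds the reverse mapping, which is useful when taking
       inventory of what is stored under the state directory.

```python
import re

# An SSID is kept verbatim only if it is made of these characters.
_VERBATIM_SSID = re.compile(r"^[A-Za-z0-9 _-]+$")
# Suffix per security type: open, PSK-protected or 802.1x.
_SUFFIX = {"open": ".open", "psk": ".psk", "8021x": ".8021x"}


def network_file_name(ssid: str, security: str) -> str:
    """File name iwd uses for this SSID and security type ('open', 'psk', '8021x')."""
    if _VERBATIM_SSID.match(ssid):
        encoded = ssid
    else:
        # Any other SSID becomes '=' followed by lower-case hex of its bytes
        # (assumption: the bytes are the SSID's UTF-8 encoding).
        encoded = "=" + ssid.encode("utf-8").hex()
    return encoded + _SUFFIX[security]


def ssid_from_file_name(name: str) -> tuple:
    """Inverse mapping: (ssid, security) from a file name in the state directory."""
    stem, dot, ext = name.rpartition(".")
    security = {v: k for k, v in _SUFFIX.items()}.get(dot + ext)
    if not dot or security is None:
        raise ValueError(f"not an iwd network file: {name!r}")
    if stem.startswith("="):
        return bytes.fromhex(stem[1:]).decode("utf-8"), security
    return stem, security
```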

SETTINGS

       The settings below are split into several sections and grouped into
       broad categories. Each category has a group associated with it which
       is given at the beginning of each sub-section. Recognized keys and
       valid values are listed following the group definition.

   General Settings
       The group [Settings] contains general settings.

                     ┌────────────┬────────────────────────────┐
                     │AutoConnect │ Values: true, false        │
                     │            │                            │
                     │            │ Whether the network can be │
                     │            │ connected to automatically │
                     ├────────────┼────────────────────────────┤
                     │Hidden      │ Values: true, false        │
                     │            │                            │
                     │            │ Whether   the  network  is │
                     │            │ hidden, i.e. its SSID must │
                     │            │ be  included  in an active │
                     │            │ scan request               │
                     └────────────┴────────────────────────────┘

   Network Authentication Settings
       The group [Security] contains settings for Wi-Fi security and
       authentication configuration.

      ┌───────────────────────────┬────────────────────────────────────────────┐
      │Passphrase                 │ 8..63 character string                     │
      │                           │                                            │
      │                           │ Passphrase to be used when                 │
      │                           │ connecting to WPA-Personal                 │
      │                           │ networks.   Required  when                 │
      │                           │ connecting  to   WPA3-Per‐                 │
      │                           │ sonal    (SAE)   networks.                 │
      │                           │ Also required if the  Pre‐                 │
      │                           │ SharedKey is not provided.                 │
      │                           │ If not  provided  in  set‐                 │
      │                           │ tings,  the  agent will be                 │
      │                           │ asked for  the  passphrase                 │
      │                           │ at connection time.                        │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │PreSharedKey               │ 64 character hex string                    │
      │                           │                                            │
      │                           │ Processed  passphrase  for                 │
      │                           │ this network in  the  form                 │
      │                           │ of  a  hex-encoded 32 byte                 │
      │                           │ pre-shared key.   Must  be                 │
      │                           │ provided  if Passphrase is                 │
      │                           │ omitted.                                   │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-Method                 │ one of the following meth‐                 │
      │                           │ ods:                                       │
      │                           │                                            │
      │                           │ AKA,   AKA',   GTC,   MD5,                 │
      │                           │ MSCHAPV2, PEAP, PWD,  SIM,                 │
      │                           │ TLS, TTLS                                  │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-Identity               │ string                                     │
      │                           │                                            │
      │                           │ Identity  string transmit‐                 │
      │                           │ ted in plaintext.  Depend‐                 │
      │                           │ ing  on  the  EAP  method,                 │
      │                           │ this value can be optional                 │
      │                           │ or  mandatory.   GTC, MD5,                 │
      │                           │ MSCHAPV2, PWD  require  an                 │
      │                           │ identity,  so  if not pro‐                 │
      │                           │ vided, the agent  will  be                 │
      │                           │ asked for it at connection                 │
      │                           │ time.  TLS  based  methods                 │
      │                           │ (PEAP,  TLS,  TTLS)  might                 │
      │                           │ still require an EAP-Iden‐                 │
      │                           │ tity  to be set, depending                 │
      │                           │ on the RADIUS server  con‐                 │
      │                           │ figuration.                                │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-Password               │ string                                     │
      │                           │                                            │
      │                           │ Password  to  be  provided                 │
      │                           │ for WPA-Enterprise authen‐                 │
      │                           │ tication.    If  not  pro‐                 │
      │                           │ vided, the agent  will  be                 │
      │                           │ asked  for the password at                 │
      │                           │ connection time.  Required                 │
      │                           │ by:  GTC,  MD5,  MSCHAPV2,                 │
      │                           │ PWD.                                       │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-Password-Hash          │ hex string                                 │
      │                           │                                            │
      │                           │ Some   EAP   methods   can                 │
      │                           │ accept  a  pre-hashed ver‐                 │
      │                           │ sion of the password.  For                 │
      │                           │ MSCHAPV2,  a  MD4  hash of                 │
      │                           │ the password can be  given                 │
      │                           │ here.                                      │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TLS-CACert,            │ absolute   file   path  or                 │
      │EAP-TTLS-CACert,           │ embedded pem                               │
      │EAP-PEAP-CACert            │                                            │
      │                           │ Path  to  a  PEM-formatted                 │
      │                           │ X.509   root   certificate                 │
      │                           │ list to use for trust ver‐                 │
      │                           │ ification of the authenti‐                 │
      │                           │ cator.   The   authentica‐                 │
      │                           │ tor's server's certificate                 │
      │                           │ chain must be verified  by                 │
      │                           │ at  least  one  CA  in the                 │
      │                           │ list for  the  authentica‐                 │
      │                           │ tion to succeed.  If omit‐                 │
      │                           │ ted, then  authenticator's                 │
      │                           │ certificate chain will not                 │
      │                           │ be  verified  (not  recom‐                 │
      │                           │ mended.)                                   │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TLS-ClientCert         │ absolute   file   path  or                 │
      │                           │ embedded pem                               │
      │                           │                                            │
      │                           │ Path  to  a  PEM-formatted                 │
      │                           │ client  X.509  certificate                 │
      │                           │ or  certificate  chain  to                 │
      │                           │ send on server request.                    │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TLS-ClientKey          │ absolute   file   path  or                 │
      │                           │ embedded pem                               │
      │                           │                                            │
      │                           │ Path  to  a  PEM-formatted                 │
      │                           │ client  PKCS#8 private key                 │
      │                           │ corresponding to the  pub‐                 │
      │                           │ lic    key   provided   in                 │
      │                           │ EAP-TLS-ClientCert.                        │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TLS-                   │ string                                     │
      │ClientKeyPassphrase        │                                            │
      │                           │ Decryption  key  for   the                 │
      │                           │ client  private  key file.                 │
      │                           │ This is used if  the  pri‐                 │
      │                           │ vate    key    given    by                 │
      │                           │ EAP-TLS-ClientKey       is                 │
      │                           │ encrypted.   If  not  pro‐                 │
      │                           │ vided, then the  agent  is                 │
      │                           │ asked  for  the passphrase                 │
      │                           │ at connection time.                        │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TLS-ServerDomainMask,  │ string                                     │
      │EAP-TTLS-ServerDomainMask, │                                            │
      │EAP-PEAP-ServerDomainMask  │ A  mask  for  the   domain                 │
      │                           │ names   contained  in  the                 │
      │                           │ server's  certificate.  At                 │
      │                           │ least  one  of  the domain                 │
      │                           │ names present in the  cer‐                 │
      │                           │ tificate's  Subject Alter‐                 │
      │                           │ native  Name   extension's                 │
      │                           │ DNS  Name  fields  or  the                 │
      │                           │ Common Name has  to  match                 │
      │                           │ at   least  one  mask,  or                 │
      │                           │ authentication will  fail.                 │
      │                           │ Multiple   masks   can  be                 │
      │                           │ given separated  by  semi‐                 │
      │                           │ colons.    The  masks  are                 │
      │                           │ split into segments at the                 │
      │                           │ dots.  Each segment has to                 │
      │                           │ match  its   corresponding                 │
      │                           │ label  in the domain name.                 │
      │                           │ An asterisk segment in the                 │
      │                           │ mask  matches  any  label.                 │
      │                           │ An asterisk segment at the                 │
      │                           │ beginning   of   the  mask                 │
      │                           │ matches one or  more  con‐                 │
      │                           │ secutive  labels  from the                 │
      │                           │ beginning  of  the  domain                 │
      │                           │ string.                                    │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TTLS-Phase2-Method     │ The following values are allowed:          │
      │                           │   Tunneled-CHAP,                           │
      │                           │   Tunneled-MSCHAP,                         │
      │                           │   Tunneled-MSCHAPv2,                       │
      │                           │   Tunneled-PAP or                          │
      │                           │   a valid EAP method name (see EAP-Method) │
      │                           │                                            │
      │                           │ Phase   2   authentication                 │
      │                           │ method for EAP-TTLS.   Can                 │
      │                           │ be   either   one  of  the                 │
      │                           │ TTLS-specific      non-EAP                 │
      │                           │ methods  (Tunneled-*),  or                 │
      │                           │ any EAP method  documented                 │
      │                           │ here.   The  following two                 │
      │                           │ settings are used  if  any                 │
      │                           │ of  the non-EAP methods is                 │
      │                           │ used.                                      │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TTLS-Phase2-Identity   │ The secure  identity/username  string  for │
      │                           │ the  TTLS non-EAP Phase 2 methods.  If not │
      │                           │ provided iwd will request  a  username  at │
      │                           │ connection time.                           │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TTLS-Phase2-Password   │ Password string for the TTLS non-EAP Phase │
      │                           │ 2  methods.  If  not  provided  iwd   will │
      │                           │ request a passphrase at connection time.   │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-TTLS-Phase2-*          │ Any  settings to be used for the inner EAP │
      │                           │ method   if   one   was    specified    as │
      │                           │ EAP-TTLS-Phase2-Method,   rather   than  a │
      │                           │ TTLS-specific    method.    The     prefix │
      │                           │ EAP-TTLS-Phase2-  replaces the EAP- prefix │
      │                           │ in the setting keys  and  their  usage  is │
      │                           │ unchanged.  Since the inner method's nego‐ │
      │                           │ tiation is encrypted,  a  secure  identity │
      │                           │ string can be provided.                    │
      ├───────────────────────────┼────────────────────────────────────────────┤
      │EAP-PEAP-Phase2-*          │ Any  settings to be used for the inner EAP │
      │                           │ method with EAP-PEAP as the outer  method. │
      │                           │ The  prefix  EAP-PEAP-Phase2- replaces the │
      │                           │ EAP- prefix in the setting keys and  their │
      │                           │ usage   is   unchanged.  Since  the  inner │
      │                           │ method's  negotiation  is   encrypted,   a │
      │                           │ secure identity string can be provided.    │
      └───────────────────────────┴────────────────────────────────────────────┘

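       The ServerDomainMask matching rule from the table above, written out in
       Python as an added example (not iwd's own implementation). It is the
       mask, not the CA check alone, that ties the trust decision to a
       particular server name, so it is worth seeing exactly which names a mask
       accepts. Assumptions: labels compare case-insensitively and a trailing
       dot on a certificate name is ignored; the page does not say how iwd
       handles either.

```python
def domain_matches_mask(domain: str, mask: str) -> bool:
    """Match one certificate name against one mask per the ServerDomainMask rule.
    Assumption: labels compare case-insensitively and a trailing dot is ignored."""
    labels = domain.lower().rstrip(".").split(".")
    segments = mask.lower().split(".")
    if segments[0] == "*":
        # A leading asterisk swallows one or more leading labels of the domain,
        # so "*.domain.com" matches "a.b.domain.com" but not "domain.com" itself.
        segments = segments[1:]
        swallowed = len(labels) - len(segments)
        if swallowed < 1:
            return False
        labels = labels[swallowed:]
    if len(labels) != len(segments):
        return False
    # Each remaining segment must equal its label; an asterisk matches any label.
    return all(seg == "*" or seg == label for seg, label in zip(segments, labels))


def server_name_accepted(san_dns_names, common_name, mask_setting: str) -> bool:
    """True if at least one SAN DNS name, or the Common Name, matches at least
    one of the semicolon-separated masks in the setting value."""
    masks = [m.strip() for m in mask_setting.split(";") if m.strip()]
    names = list(san_dns_names) + ([common_name] if common_name else [])
    return any(domain_matches_mask(n, m) for n in names for m in masks)


# Constructed server identities, as a RADIUS server's certificate might carry them.
CONSTRUCTED_CASES = [
    # (SAN DNS names, Common Name, mask setting, expected outcome)
    (["radius.domain.com"], "radius.domain.com", "*.domain.com", True),
    (["domain.com"], "domain.com", "*.domain.com", False),  # leading * needs >= 1 label
    (["radius.other.example"], "radius.other.example", "*.domain.com", False),
    ([], "auth.domain.com", "radius.*.com;auth.*.com", True),
    (["RADIUS.Domain.COM"], "", "radius.domain.com", True),
]


def check_cases() -> bool:
    """True when every constructed case yields its expected outcome."""
    return all(server_name_accepted(sans, cn, masks) == expected
               for sans, cn, masks, expected in CONSTRUCTED_CASES)
```
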
   Embedded PEMs
       Rather than including an absolute path to a PEM file (for certificates
       and keys), the PEM itself can be included inside the settings file and
       referenced directly. This allows IEEE 802.1x network provisioning using
       a single file without any references to certificates or keys on the
       system.

       An embedded PEM can appear anywhere in the settings file using the
       following format (in this example the PEM is named 'my_ca_cert'):

          [@pem@my_ca_cert]
          -----BEGIN CERTIFICATE-----
          <PEM data>
          -----END CERTIFICATE-----

       After this special group tag it's as simple as pasting in a PEM file
       including the BEGIN/END tags. Now 'my_ca_cert' can be used to reference
       the certificate elsewhere in the settings file by prefixing the value
       with 'embed:'

       EAP-TLS-CACert=embed:my_ca_cert

       This is not limited to CA Certificates either. Client certificates,
       client keys (encrypted or not), and certificate chains can be included.
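
       A small parser for the file syntax from the FILE FORMAT section together
       with the embedded-PEM groups and 'embed:' references described here, as
       an added Python example; it is neither iwd's nor ell's code. It assumes
       that a backslash not followed by one of the five listed escapes is kept
       literally, and the sample file and its PEM body are constructed
       placeholders.

```python
import re

# Keys: alphanumerics, underscore and minus only; the five escapes \s \t \r \n \\.
_KEY_RE = re.compile(r"^[A-Za-z0-9_-]+$")
_ESCAPES = {"s": " ", "t": "\t", "r": "\r", "n": "\n", "\\": "\\"}
PEM_GROUP_PREFIX = "@pem@"


def unescape(raw: str) -> str:
    """Undo the five backslash escapes; any other backslash is kept (assumption)."""
    return re.sub(r"\\([strn\\])", lambda m: _ESCAPES[m.group(1)], raw)


def parse_settings(text: str) -> dict:
    """Parse keyfile text into {group: {key: value}}. A [@pem@NAME] group maps to
    a list of its verbatim lines instead, since it holds PEM data, not settings."""
    groups, current = {}, None
    for lineno, line in enumerate(text.split("\n"), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                               # empty line or comment
        if stripped.startswith("["):               # group header
            if not stripped.endswith("]"):
                raise ValueError(f"line {lineno}: malformed group header")
            name = stripped[1:-1]
            if not name or "[" in name or "]" in name or not name.isprintable():
                raise ValueError(f"line {lineno}: bad group name {name!r}")
            current = name
            groups.setdefault(name, [] if name.startswith(PEM_GROUP_PREFIX) else {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: setting before any group header")
        if current.startswith(PEM_GROUP_PREFIX):
            groups[current].append(stripped)       # PEM body line, kept as is
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or not _KEY_RE.match(key):
            raise ValueError(f"line {lineno}: malformed key-value line")
        # The value starts at the first non-blank after '=' and runs to end of line.
        groups[current][key] = unescape(value.lstrip())
    return groups


def as_bool(value: str) -> bool:
    """Boolean settings accept true/false, with 0/1 as aliases."""
    return {"true": True, "1": True, "false": False, "0": False}[value]


def resolve_pem(groups: dict, value: str) -> tuple:
    """'embed:NAME' yields the PEM text of the [@pem@NAME] group; anything else
    is returned as a file path for the caller to open."""
    if not value.startswith("embed:"):
        return ("path", value)
    lines = groups.get(PEM_GROUP_PREFIX + value[len("embed:"):])
    if lines is None:
        raise ValueError(f"no embedded PEM named {value!r}")
    return ("embed", "\n".join(lines))


# Constructed sample .8021x file; the PEM body is a placeholder, not a certificate.
SAMPLE = r"""[Settings]
AutoConnect = true
Hidden=0

[Security]
EAP-Method=TLS
# identity deliberately starts with a space, so it is written as \s
EAP-Identity=\sanon@example.net
EAP-TLS-CACert=embed:my_ca_cert
EAP-TLS-ClientKeyPassphrase=pa\\ss\tword

[@pem@my_ca_cert]
-----BEGIN CERTIFICATE-----
PLACEHOLDER-BASE64-CERTIFICATE-BODY
-----END CERTIFICATE-----
"""
```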

EXAMPLES

       The following are some examples of common configurations.

   Open Network (Hidden)
          [Settings]
          Hidden=true

   Pre-Shared Key (PSK)
          [Security]
          Passphrase=secret123

   PWD
          [Security]
          EAP-Method=PWD
          EAP-Identity=user@domain.com
          EAP-Password=secret123

   TLS
          [Security]
          EAP-Method=TLS
          EAP-TLS-ClientCert=/certs/client-cert.pem
          EAP-TLS-ClientKey=/certs/client-key.pem
          EAP-TLS-CACert=/certs/ca-cert.pem
          EAP-TLS-ServerDomainMask=*.domain.com

   TTLS + PAP
          [Security]
          EAP-Method=TTLS
          EAP-Identity=open@identity.com
          EAP-TTLS-CACert=/certs/ca-cert.pem
          EAP-TTLS-Phase2-Method=Tunneled-PAP
          EAP-TTLS-Phase2-Identity=username
          EAP-TTLS-Phase2-Password=password
          EAP-TTLS-ServerDomainMask=*.domain.com

   PEAP + MSCHAPv2
          [Security]
          EAP-Method=PEAP
          EAP-Identity=open@identity.com
          EAP-PEAP-CACert=/certs/ca-cert.pem
          EAP-PEAP-Phase2-Method=MSCHAPV2
          EAP-PEAP-Phase2-Identity=username
          EAP-PEAP-Phase2-Password=password
          EAP-PEAP-ServerDomainMask=*.domain.com

SEE ALSO

       iwd(8), iwd.config(5)

AUTHOR

       Marcel Holtmann <marcel@holtmann.org>, Denis Kenzior
       <denkenz@gmail.com>, Andrew Zaborowski <andrew.zaborowski@intel.com>,
       Tim Kourt <tim.a.kourt@linux.intel.com>, James Prestwood
       <prestwoj@gmail.com>

       2013-2019 Intel Corporation

iwd                            22 September 2019                IWD.NETWORK(5)