1WPA_SUPPLICANT.CONF(5)                                  WPA_SUPPLICANT.CONF(5)
2
3
4

NAME

6       wpa_supplicant.conf - configuration file for wpa_supplicant
7

OVERVIEW

9       wpa_supplicant  is configured using a text file that lists all accepted
10       networks and security policies,  including  pre-shared  keys.  See  the
11       example configuration file, probably in /usr/share/doc/wpa_supplicant/,
12       for detailed information about the configuration format  and  supported
13       fields.
14
15       All  file  paths  in this configuration file should use full (absolute,
16       not relative to working directory)  path  in  order  to  allow  working
17       directory  to  be  changed. This can happen if wpa_supplicant is run in
18       the background.
19
20       Changes to configuration file can be reloaded be sending SIGHUP  signal
21       to wpa_supplicant ('killall -HUP wpa_supplicant'). Similarly, reloading
22       can be triggered with the wpa_cli reconfigure command.
23
24       Configuration file can include one or more network  blocks,  e.g.,  one
25       for  each  used SSID. wpa_supplicant will automatically select the best
26       network based on the order of network blocks in the configuration file,
27       network security level (WPA/WPA2 is preferred), and signal strength.
28

QUICK EXAMPLES

30       1.     WPA-Personal  (PSK) as home network and WPA-Enterprise with EAP-
31              TLS as work network.
32
33
34              # allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
35              ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
36              #
37              # home network; allow all valid ciphers
38              network={
39                   ssid="home"
40                   scan_ssid=1
41                   key_mgmt=WPA-PSK
42                   psk="very secret passphrase"
43              }
44              #
45              # work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
46              network={
47                   ssid="work"
48                   scan_ssid=1
49                   key_mgmt=WPA-EAP
50                   pairwise=CCMP TKIP
51                   group=CCMP TKIP
52                   eap=TLS
53                   identity="user@example.com"
54                   ca_cert="/etc/cert/ca.pem"
55                   client_cert="/etc/cert/user.pem"
56                   private_key="/etc/cert/user.prv"
57                   private_key_passwd="password"
58              }
59
60
61
62       2.     WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers  that  use  old
63              peaplabel  (e.g.,  Funk  Odyssey  and  SBR,  Meetinghouse Aegis,
64              Interlink RAD-Series)
65
66
67              ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
68              network={
69                   ssid="example"
70                   scan_ssid=1
71                   key_mgmt=WPA-EAP
72                   eap=PEAP
73                   identity="user@example.com"
74                   password="foobar"
75                   ca_cert="/etc/cert/ca.pem"
76                   phase1="peaplabel=0"
77                   phase2="auth=MSCHAPV2"
78              }
79
80
81
82       3.     EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity
83              for  the  unencrypted  use. Real identity is sent only within an
84              encrypted TLS tunnel.
85
86
87              ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
88              network={
89                   ssid="example"
90                   scan_ssid=1
91                   key_mgmt=WPA-EAP
92                   eap=TTLS
93                   identity="user@example.com"
94                   anonymous_identity="anonymous@example.com"
95                   password="foobar"
96                   ca_cert="/etc/cert/ca.pem"
97                   phase2="auth=MD5"
98              }
99
100
101
102       4.     IEEE 802.1X (i.e., no WPA) with dynamic WEP keys  (require  both
103              unicast and broadcast); use EAP-TLS for authentication
104
105
106              ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
107              network={
108                   ssid="1x-test"
109                   scan_ssid=1
110                   key_mgmt=IEEE8021X
111                   eap=TLS
112                   identity="user@example.com"
113                   ca_cert="/etc/cert/ca.pem"
114                   client_cert="/etc/cert/user.pem"
115                   private_key="/etc/cert/user.prv"
116                   private_key_passwd="password"
117                   eapol_flags=3
118              }
119
120
121
122       5.     Catch  all  example  that  allows more or less all configuration
123              modes. The configuration options are used based on what security
124              policy  is used in the selected SSID. This is mostly for testing
125              and is not recommended for normal use.
126
127
128              ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
129              network={
130                   ssid="example"
131                   scan_ssid=1
132                   key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
133                   pairwise=CCMP TKIP
134                   group=CCMP TKIP WEP104 WEP40
135                   psk="very secret passphrase"
136                   eap=TTLS PEAP TLS
137                   identity="user@example.com"
138                   password="foobar"
139                   ca_cert="/etc/cert/ca.pem"
140                   client_cert="/etc/cert/user.pem"
141                   private_key="/etc/cert/user.prv"
142                   private_key_passwd="password"
143                   phase1="peaplabel=0"
144                   ca_cert2="/etc/cert/ca2.pem"
145                   client_cert2="/etc/cer/user.pem"
146                   private_key2="/etc/cer/user.prv"
147                   private_key2_passwd="password"
148              }
149
150
151
152       6.     Authentication for wired Ethernet. This can be used  with  wired
153              or  roboswitch  interface  (-Dwired  or  -Droboswitch on command
154              line).
155
156
157              ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
158              ap_scan=0
159              network={
160                   key_mgmt=IEEE8021X
161                   eap=MD5
162                   identity="user"
163                   password="password"
164                   eapol_flags=0
165              }
166
167
168

CERTIFICATES

170       Some EAP authentication methods require use  of  certificates.  EAP-TLS
171       uses both server side and client certificates whereas EAP-PEAP and EAP-
172       TTLS only require the server side certificate. When client  certificate
173       is used, a matching private key file has to also be included in config‐
174       uration. If the private key uses a passphrase, this has to  be  config‐
175       ured in wpa_supplicant.conf ("private_key_passwd").
176
177       wpa_supplicant supports X.509 certificates in PEM and DER formats. User
178       certificate and private key can be included in the same file.
179
180       If the user certificate and private key is received in PKCS#12/PFX for‐
181       mat,  they need to be converted to suitable PEM/DER format for wpa_sup‐
182       plicant. This can be done, e.g., with following commands:
183
184
185              # convert client certificate and private key to PEM format
186              openssl pkcs12 -in example.pfx -out user.pem -clcerts
187              # convert CA certificate (if included in PFX file) to PEM format
188              openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
189
190
191

SEE ALSO

193       wpa_supplicant(8) openssl(1)
194
195
196
197                                 01 March 2021          WPA_SUPPLICANT.CONF(5)
Impressum