hostapd.conf(5)              hostapd.conf man page             hostapd.conf(5)

NAME

       hostapd.conf - configuration file for hostapd(8) utility

DESCRIPTION

       The hostapd(8) utility is an authenticator for IEEE 802.11 networks.
       It provides full support for WPA/IEEE 802.11i and can also act as an
       IEEE 802.1X Authenticator with a suitable backend Authentication Server
       (typically FreeRADIUS).  The configuration file consists of global
       parameters and domain-specific configuration:

       • IEEE 802.1X-2004

       • RADIUS client

       • RADIUS authentication server

       • WPA/IEEE 802.11i

GLOBAL PARAMETERS

       The following parameters are recognized:

   interface
       Interface name.  Should be set in "hostap" mode.

   debug
       Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
       excessive.

   dump_file
       Dump file for state information (on SIGUSR1).

   ctrl_interface
       The pathname of the directory in which hostapd(8) creates UNIX domain
       socket files for communication with frontend programs such as
       hostapd_cli(8).

   ctrl_interface_group
       A group name or group ID to use in setting protection on the control
       interface file.  This can be set to allow non-root users to access the
       control interface files.  If no group is specified, the group ID of the
       control interface is not modified and will, typically, be the group ID
       of the directory in which the socket is created.

IEEE 802.1X-2004 PARAMETERS

       The following parameters are recognized:

   ieee8021x
       Require IEEE 802.1X authorization.

   eap_message
       Optional displayable message sent with EAP Request-Identity.

   wep_key_len_broadcast
       Key lengths for broadcast keys.

   wep_key_len_unicast
       Key lengths for unicast keys.

   wep_rekey_period
       Rekeying period in seconds.

   eapol_key_index_workaround
       EAPOL-Key index workaround (set bit7) for WinXP Supplicant.

   eap_reauth_period
       EAP reauthentication period in seconds.  To disable reauthentication,
       use "0".

RADIUS CLIENT PARAMETERS

       The following parameters are recognized:

   own_ip_addr
       The access point's own IP address (used as NAS-IP-Address).

   nas_identifier
       Optional NAS-Identifier string for RADIUS messages.

   auth_server_addr, auth_server_port, auth_server_shared_secret
       RADIUS authentication server parameters.  Can be defined twice for
       secondary servers to be used if the primary one does not reply to
       RADIUS packets.

   acct_server_addr, acct_server_port, acct_server_shared_secret
       RADIUS accounting server parameters.  Can be defined twice for
       secondary servers to be used if the primary one does not reply to
       RADIUS packets.

   radius_retry_primary_interval
       Retry interval for trying to return to the primary RADIUS server (in
       seconds).

   radius_acct_interim_interval
       Interim accounting update interval.  If this is set (larger than 0) and
       acct_server is configured, hostapd(8) will send interim accounting
       updates every N seconds.
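
       Added example (not part of the hostapd distribution): a small Python
       parser that groups the repeated auth_server_* and acct_server_* lines
       into primary and secondary entries and lists servers configured without
       a shared secret.  It assumes that port and shared_secret lines attach to
       the most recent *_server_addr line and that unset ports default to
       1812/1813; the sample configuration is constructed.

```python
from dataclasses import dataclass

DEFAULT_PORT = {"auth": 1812, "acct": 1813}  # standard RADIUS ports (assumed default)

@dataclass
class RadiusServer:
    addr: str
    port: int
    shared_secret: str = ""

def radius_servers(conf_text, kind="auth"):
    """Group repeated <kind>_server_* lines into [primary, secondary]."""
    prefix, servers = kind + "_server_", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith(prefix) or "=" not in line:
            continue  # comments and unrelated parameters
        key, value = line.split("=", 1)
        field = key[len(prefix):]
        if field == "addr":            # each addr line opens a new server entry
            servers.append(RadiusServer(value, DEFAULT_PORT[kind]))
        elif not servers:              # assumption: treat as a config error
            raise ValueError(f"{key} appears before any {prefix}addr")
        elif field == "port":
            servers[-1].port = int(value)
        elif field == "shared_secret":
            servers[-1].shared_secret = value
    return servers

def missing_secrets(conf_text):
    """List configured RADIUS servers that have no shared secret."""
    roles = ("primary", "secondary")
    return [f"{kind} {roles[i] if i < 2 else 'extra'} {s.addr}"
            for kind in ("auth", "acct")
            for i, s in enumerate(radius_servers(conf_text, kind))
            if not s.shared_secret]

# Constructed sample (documentation addresses, placeholder secrets).
SAMPLE = """\
own_ip_addr=192.0.2.1
auth_server_addr=192.0.2.10
auth_server_shared_secret=placeholder-secret-1
auth_server_addr=192.0.2.11
auth_server_port=1645
auth_server_shared_secret=placeholder-secret-2
acct_server_addr=192.0.2.10
acct_server_port=1813
"""

if __name__ == "__main__":
    print(radius_servers(SAMPLE), missing_secrets(SAMPLE))
```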

RADIUS AUTHENTICATION SERVER PARAMETERS

       The following parameters are recognized:

   radius_server_clients
       File name of the RADIUS clients configuration for the RADIUS server.
       If this is commented out, the RADIUS server is disabled.

   radius_server_auth_port
       The UDP port number for the RADIUS authentication server.

   radius_server_ipv6
       Use IPv6 with RADIUS server.

WPA/IEEE 802.11i PARAMETERS

       The following parameters are recognized:

   wpa
       Enable WPA.  Setting this variable configures the AP to require WPA
       (either WPA-PSK or WPA-RADIUS/EAP based on other configuration).

   wpa_psk, wpa_passphrase
       WPA pre-shared keys for WPA-PSK.  This can be entered either as a
       256-bit secret in hex format (64 hex digits), wpa_psk, or as an ASCII
       passphrase (8..63 characters), wpa_passphrase, that will be converted
       to a PSK.  This conversion uses the SSID, so when an ASCII passphrase
       is used the PSK changes whenever the SSID is changed.

   wpa_psk_file
       Optionally, WPA PSKs can be read from a separate text file (containing
       a list of (PSK, MAC address) pairs).

   wpa_key_mgmt
       Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both).

   wpa_pairwise
       Set of accepted cipher suites (encryption algorithms) for pairwise keys
       (unicast packets).  See the example file for more information.

   wpa_group_rekey
       Time interval for rekeying GTK (broadcast/multicast encryption keys) in
       seconds.

   wpa_strict_rekey
       Rekey GTK when any STA that possesses the current GTK is leaving the
       BSS.

   wpa_gmk_rekey
       Time interval for rekeying GMK (master key used internally to generate
       GTKs) in seconds.
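
       Added example (not code from hostapd): the wpa_passphrase to PSK
       conversion described above, written out in Python together with the
       length and format checks for both forms.  It uses the IEEE 802.11i
       mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit
       output); the ssid parameter is a hostapd.conf setting not described on
       this page, the parser is simplified, and rejecting a file that sets
       both forms is this example's own choice.

```python
import hashlib
import re

def parse_conf(text):
    """Simplified key=value reader: skips blank lines and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key] = value
    return conf

def derive_psk(passphrase, ssid):
    """Convert an ASCII passphrase to the 256-bit PSK (64 hex digits)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8..63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("wpa_passphrase must be printable ASCII")
    # The SSID is the salt, so the same passphrase gives a new PSK per SSID.
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

def effective_psk(conf_text):
    """Return the PSK (hex) that a configuration's WPA-PSK settings yield."""
    conf = parse_conf(conf_text)
    if "wpa_psk" in conf and "wpa_passphrase" in conf:
        raise ValueError("set only one of wpa_psk and wpa_passphrase")
    if "wpa_psk" in conf:
        if not re.fullmatch(r"[0-9a-fA-F]{64}", conf["wpa_psk"]):
            raise ValueError("wpa_psk must be exactly 64 hex digits")
        return conf["wpa_psk"].lower()
    return derive_psk(conf["wpa_passphrase"], conf["ssid"])

# Constructed sample: passphrase and SSID of the IEEE 802.11i test vector.
SAMPLE = """\
# constructed example configuration
ssid=IEEE
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
"""

if __name__ == "__main__":
    print(effective_psk(SAMPLE))
    print(effective_psk(SAMPLE.replace("ssid=IEEE", "ssid=IEEE-2")))
```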

SEE ALSO

       hostapd(8), hostapd_cli(8), /usr/share/examples/hostapd/hostapd.conf

HISTORY

       The hostapd.conf manual page and hostapd(8) functionality first
       appeared in NetBSD 4.0.

AUTHORS

       This manual page is derived from the README and hostapd.conf files in
       the hostapd distribution provided by Jouni Malinen <jkmaline@cc.hut.fi>.

1.0                               10 Feb 2021                  hostapd.conf(5)