1IWD.NETWORK(5)                Linux Connectivity                IWD.NETWORK(5)
2
3
4

NAME

6       iwd.network - Network configuration for wireless daemon
7

SYNOPSIS

9       Network configuration files .open, .psk and .8021x
10

DESCRIPTION

12       iwd  stores  information  on  known  networks, and reads information on
13       pre-provisioned networks, from small text configuration  files.   Those
14       files live in the state directory specified by the environment variable
15       $STATE_DIRECTORY, which is normally provided by systemd.   In  the  ab‐
16       sence of such an environment variable it defaults to $LIBDIR/iwd, which
17       normally is set to /var/lib/iwd.  You  can  create,  modify  or  remove
18       those  files.   iwd  monitors the directory for changes and will update
19       its state accordingly.  iwd will also modify these files in the  course
20       of network connections or as a result of D-Bus API invocations.
21

FILE FORMAT

23       The  syntax  is similar to that of GNOME keyfile syntax (which is based
24       on  the  format  defined  in  the  Desktop  Entry  Specification,   see
25       http://freedesktop.org/Standards/desktop-entry-spec).   The  recognized
26       groups as well as keys and values in each group  are  documented  here.
27       Defaults are written in bold.
28
29       For  completeness  we  include the description of the file syntax here.
30       This is the syntax that the ell library's l_settings class  implements.
31       The syntax is based on lines and lines are delimited by newline charac‐
32       ters.
33
34       Empty lines are ignored and whitespace at the beginning of  a  line  is
35       ignored.  Comment lines have # as their first non-whitespace character.
36
37       Key-value  lines  contain a setting key, an equal sign and the value of
38       the setting.  Whitespace preceding the  key,  the  equal  sign  or  the
39       value, is ignored.  The key must be a continuous string of alphanumeric
40       and underscore characters and minus signs only.  The  value  starts  at
41       the  first  non-whitespace  character after the first equal sign on the
42       line and ends at the end of the line and must  be  correctly  UTF-8-en‐
43       coded.  A  boolean  value  can be true or false but 0 or 1 are also al‐
44       lowed.  Integer values are written in base 10.  String values,  includ‐
45       ing  file paths and hexstrings, are written as is except for five char‐
46       acters that may be backslash-escaped: space, \t, \r, \n  and  backslash
47       itself.   The  latter three must be escaped.  A space character must be
48       escaped if it is the first character in the value string and is written
49       as \s.
50
51       Settings  are  interpreted depending on the group they are in.  A group
52       starts with a group header line and contains  all  settings  until  the
53       next  group's  header line.  A group header line contains a [ character
54       followed by the group name and a ] character.   Whitespace  is  allowed
55       before the [ and after the ].  A group name consists of printable char‐
56       acters other than [ and ].
57
58       If a group name starts with the @ sign, that group's content is handled
59       by  a  parser extension instead and does not cause the previous non-ex‐
60       tension group to end.  The  initial  @  sign  must  be  followed  by  a
61       non-empty  extension  name,  another @ sign and a group name as defined
62       above. The extension name consists of printable characters  other  than
63       @.  No  whitespace is allowed after the group header in this case.  The
64       extension payload syntax and length are  determined  by  the  extension
65       name.   Normal  parsing rules defined in this section resume at the end
66       of the payload and any settings after the end of the payload  are  han‐
67       dled as part of the previous non-extension group.
68
69       Currently  the  only extension supported is named pem and allows embed‐
70       ding the contents of a single RFC7468 PEM-formatted payload  or  a  se‐
71       quence  of  multiple  PEM  payloads.  The payload should start with the
72       -----BEGIN string on a line following the group  header  line  and  end
73       with  an -----END line as specified in the RFC.  Newline characters be‐
74       fore, between and after PEM payloads are included in the extension pay‐
75       load.  No other extra characters are allowed.
76

NAMING

78       File  names  are  based  on the network's SSID and security type: Open,
79       PSK-protected or 802.1x. The name consist of the encoding of  the  SSID
80       followed  by  .open,  .psk or .8021x.  The SSID appears verbatim in the
81       name if it contains only alphanumeric characters,  spaces,  underscores
82       or  minus  signs.  Otherwise it is encoded as an equal sign followed by
83       the lower-case hex encoding of the name.
84

SETTINGS

86       The settings below are split into several  sections  and  grouped  into
87       broad  categories.   Each category has a group associated with it which
88       is given at the beginning of each  sub-section.   Recognized  keys  and
89       valid values are listed following the group definition.
90
91   General Settings
92       The group [Settings] contains general settings.
93
94               ┌────────────────────────┬────────────────────────────┐
95               │AutoConnect             │ Values: true, false        │
96               │                        │                            │
97               │                        │ Whether the network can be │
98               │                        │ connected to automatically │
99               ├────────────────────────┼────────────────────────────┤
100               │Hidden                  │ Values: true, false        
101               │                        │                            │
102               │                        │ Whether  the  network   is │
103               │                        │ hidden, i.e. its SSID must │
104               │                        │ be included in  an  active │
105               │                        │ scan request               │
106               ├────────────────────────┼────────────────────────────┤
107               │AlwaysRandomizeAddress  │ Values: true, false        
108               │                        │                            │
109               │                        │ If  enabled,  the  MAC ad‐ │
110               │                        │ dress will be  fully  ran‐ │
111               │                        │ domized  on  each  connec‐ │
112               │                        │ tion.  This option is only │
113               │                        │ used if [General].Address‐ │
114               │                        │ Randomization  is  set  to │
115               │                        │ 'network'. See iwd.config. │
116               │                        │ This setting should not be │
117               │                        │ used  with  [Settings].Ad‐ │
118               │                        │ dressOverride, if both are │
119               │                        │ set  AddressOverride  will │
120               │                        │ be used.                   │
121               └────────────────────────┴────────────────────────────┘
122
123
124
125
126
127
128
129
130
131
132
133               │AddressOverride         │ MAC address string         │
134               │                        │                            │
135               │                        │ Override the  MAC  address │
136               │                        │ used   for  connecting  to │
137               │                        │ this network. This  option │
138               │                        │ is   only  used  if  [Gen‐ │
139               │                        │ eral].AddressRandomization │
140               │                        │ is  set  to 'network'. See │
141               │                        │ iwd.config.  This  setting │
142               │                        │ should  not  be  used with │
143               │                        │ [Settings].AlwaysRandom‐   │
144               │                        │ izeAddress,  if  both  are │
145               │                        │ set  AddressOverride  will │
146               │                        │ be used.                   │
147               ├────────────────────────┼────────────────────────────┤
148               │TransitionDisable       │ Values: true, false        
149               │                        │                            │
150               │                        │ If  enabled,  the  use  of │
151               │                        │ TKIP pairwise  cipher  and │
152               │                        │ connections  without  Man‐ │
153               │                        │ agement  Frame  Protection │
154               │                        │ are disallowed.  This will │
155               │                        │ make certain legacy access │
156               │                        │ points   unavailable   for │
157               │                        │ use.  Additional  security │
158               │                        │ hardening  can also be ap‐ │
159               │                        │ plied   via   the    [Set‐ │
160               │                        │ tings].DisabledTransition‐ │
161               │                        │ Modes setting.             │
162               │                        │                            │
163               │                        │ Properly configured Access │
164               │                        │ Points  will typically up‐ │
165               │                        │ date this  setting  appro‐ │
166               │                        │ priately   via  Transition │
167               │                        │ Disable indications.  User │
168               │                        │ customization    of   this │
169               │                        │ value  is  thus  typically │
170               │                        │ not required.              │
171               └────────────────────────┴────────────────────────────┘
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199               │DisabledTransitionModes │ Comma-separated   list  of │
200               │                        │ disabled transition modes: │
201               │                        │                            │
202               │                        │        • personal          │
203               │                        │                            │
204               │                        │        • enterprise        │
205               │                        │                            │
206               │                        │        • open              │
207               │                        │                            │
208               │                        │        If 'personal'  mode │
209               │                        │        is  disabled,  then │
210               │                        │        legacy    WPA2-Per‐ │
211               │                        │        sonal access points │
212               │                        │        are    no    longer │
213               │                        │        available   to   be │
214               │                        │        connected   to   or │
215               │                        │        roamed   to.   Only │
216               │                        │        access points  uti‐ │
217               │                        │        lizing    WPA3-Per‐ │
218               │                        │        sonal will be  con‐ │
219               │                        │        sidered.            │
220               │                        │                            │
221               │                        │        If     'enterprise' │
222               │                        │        mode  is  disabled, │
223               │                        │        then         legacy │
224               │                        │        WPA2-Enterprise ac‐ │
225               │                        │        cess  points are no │
226               │                        │        longer available to │
227               │                        │        be  connected to or │
228               │                        │        roamed to.          │
229               │                        │                            │
230               │                        │        If 'open'  mode  is │
231               │                        │        disabled,      then │
232               │                        │        non-OWE enabled ac‐ │
233               │                        │        cess   points  will │
234               │                        │        not  be   connected │
235               │                        │        to.                 │
236               │                        │                            │
237               │                        │        Properly configured │
238               │                        │        Access Points  will │
239               │                        │        typically    update │
240               │                        │        this setting appro‐ │
241               │                        │        priately  via Tran‐ │
242               │                        │        sition Disable  in‐ │
243               │                        │        dications.     User │
244               │                        │        customization    of │
245               │                        │        this  value is thus │
246               │                        │        typically  not  re‐ │
247               │                        │        quired.             │
248               └────────────────────────┴────────────────────────────┘
249
250   Network Authentication Settings
251       The group [Security] contains settings for Wi-Fi security and authenti‐
252       cation configuration. This group can be encrypted by  enabling  System‐
253       dEncrypt, see iwd.config for details on this option. If this section is
254       encrypted (only contains EncryptedSalt/EncryptedSecurity) it should not
255       be  modified.  Modifying  these  values will result in the inability to
256       connect to that network.
257
258
259
260
261
262
263
264
265      ┌───────────────────────────┬────────────────────────────────────────────┐
266      │Passphrase                 │ 8..63 character string                     │
267      │                           │                                            │
268      │                           │ Passphrase to be used when                 │
269      │                           │ connecting to WPA-Personal                 │
270      │                           │ networks.   Required  when                 │
271      │                           │ connecting   to  WPA3-Per‐                 │
272      │                           │ sonal   (SAE)    networks.                 │
273      │                           │ Also  required if the Pre‐
274      │                           │ SharedKey is not provided.                 │
275      │                           │ If  not  provided  in set‐                 │
276      │                           │ tings, the agent  will  be                 │
277      │                           │ asked  for  the passphrase                 │
278      │                           │ at connection time.                        │
279      ├───────────────────────────┼────────────────────────────────────────────┤
280      │PreSharedKey               │ 64 character hex string                    │
281      │                           │                                            │
282      │                           │ Processed  passphrase  for                 │
283      │                           │ this  network  in the form                 │
284      │                           │ of a hex-encoded  32  byte                 │
285      │                           │ pre-shared  key.   Must be                 │
286      │                           │ provided if Passphrase  is                 │
287      │                           │ omitted.                                   │
288      ├───────────────────────────┼────────────────────────────────────────────┤
289      │EAP-Method                 │ one of the following meth‐                 │
290      │                           │ ods:                                       │
291      │                           │                                            │
292      │                           │ AKA, AKA', MSCHAPV2, PEAP,                 │
293      │                           │ PWD, SIM, TLS, TTLS.                       │
294      │                           │                                            │
295      │                           │ The  following  additional                 │
296      │                           │ methods  are  allowed   as                 │
297      │                           │ TTLS/PEAP inner methods:                   │
298      │                           │                                            │
299      │                           │ GTC, MD5.                                  │
300      ├───────────────────────────┼────────────────────────────────────────────┤
301      │EAP-Identity               │ string                                     │
302      │                           │                                            │
303      │                           │ Identity  string transmit‐                 │
304      │                           │ ted in plaintext.  Depend‐                 │
305      │                           │ ing  on  the  EAP  method,                 │
306      │                           │ this value can be optional                 │
307      │                           │ or  mandatory.   GTC, MD5,                 │
308      │                           │ MSCHAPV2, PWD  require  an                 │
309      │                           │ identity,  so  if not pro‐                 │
310      │                           │ vided, the agent  will  be                 │
311      │                           │ asked for it at connection                 │
312      │                           │ time.  TLS  based  methods                 │
313      │                           │ (PEAP,  TLS,  TTLS)  might                 │
314      │                           │ still require an EAP-Iden‐
315      │                           │ tity  to be set, depending                 │
316      │                           │ on the RADIUS server  con‐                 │
317      │                           │ figuration.                                │
318      ├───────────────────────────┼────────────────────────────────────────────┤
319      │EAP-Password               │ string                                     │
320      │                           │                                            │
321      │                           │ Password  to  be  provided                 │
322      │                           │ for WPA-Enterprise authen‐                 │
323      │                           │ tication.    If  not  pro‐                 │
324      │                           │ vided, the agent  will  be                 │
325      │                           │ asked  for the password at                 │
326      │                           │ connection time.  Required                 │
327      │                           │ by:  GTC,  MD5,  MSCHAPV2,                 │
328      │                           │ PWD.                                       │
329      └───────────────────────────┴────────────────────────────────────────────┘
330
331      │EAP-Password-Hash          │ hex string                                 │
332      │                           │                                            │
333      │                           │ Some EAP methods  can  ac‐                 │
334      │                           │ cept  a pre-hashed version                 │
335      │                           │ of  the   password.    For                 │
336      │                           │ MSCHAPV2,  a  MD4  hash of                 │
337      │                           │ the password can be  given                 │
338      │                           │ here.                                      │
339      ├───────────────────────────┼────────────────────────────────────────────┤
340      │EAP-TLS-CACert,            │ absolute  file path or em‐                 │
341      │EAP-TTLS-CACert,           │ bedded pem                                 │
342      │EAP-PEAP-CACert            │                                            │
343      │                           │ Path  to  a  PEM-formatted                 │
344      │                           │ X.509   root   certificate                 │
345      │                           │ list to use for trust ver‐                 │
346      │                           │ ification of the authenti‐                 │
347      │                           │ cator.   The   authentica‐                 │
348      │                           │ tor's server's certificate                 │
349      │                           │ chain must be verified  by                 │
350      │                           │ at  least  one  CA  in the                 │
351      │                           │ list for  the  authentica‐                 │
352      │                           │ tion to succeed.  If omit‐                 │
353      │                           │ ted, then  authenticator's                 │
354      │                           │ certificate chain will not                 │
355      │                           │ be  verified  (not  recom‐                 │
356      │                           │ mended.)                                   │
357      ├───────────────────────────┼────────────────────────────────────────────┤
358      │EAP-TLS-ClientCert         │ absolute  file path or em‐                 │
359      │                           │ bedded pem                                 │
360      │                           │                                            │
361      │                           │ Path to the  client  X.509                 │
362      │                           │ certificate or certificate                 │
363      │                           │ chain to  send  on  server                 │
364      │                           │ request.                                   │
365      ├───────────────────────────┼────────────────────────────────────────────┤
366      │EAP-TLS-ClientKey          │ absolute  file path or em‐                 │
367      │                           │ bedded pem                                 │
368      │                           │                                            │
369      │                           │ Path to the client private                 │
370      │                           │ key  corresponding  to the                 │
371      │                           │ public  key  provided   in                 │
372      │                           │ EAP-TLS-ClientCert.    The                 │
373      │                           │ recommended   format    is                 │
374      │                           │ PKCS#8 PEM.                                │
375      ├───────────────────────────┼────────────────────────────────────────────┤
376      │EAP-TLS-ClientKeyBundle    │ absolute file path                         │
377      │                           │                                            │
378      │                           │ As   an   alternative   to                 │
379      │                           │ EAP-TLS-ClientCert     and                 │
380      │                           │ EAP-TLS-ClientKey  IWD can                 │
381      │                           │ load both the  certificate                 │
382      │                           │ and the private key from a                 │
383      │                           │ container file pointed  by                 │
384      │                           │ this  setting.  The recom‐                 │
385      │                           │ mended format  is  PKCS#12                 │
386      │                           │ when this is used.                         │
387      └───────────────────────────┴────────────────────────────────────────────┘
388
389
390
391
392
393
394
395
396
397      │EAP-TLS-                   │ string                                     │
398      │ClientKeyPassphrase        │                                            │
399      │                           │ Decryption   key  for  the                 │
400      │                           │ client  key  files.   This                 │
401      │                           │ should be used if the cer‐                 │
402      │                           │ tificate  or  the  private                 │
403      │                           │ key in the files mentioned                 │
404      │                           │ above is encrypted.   When                 │
405      │                           │ not  given,  the  agent is                 │
406      │                           │ asked for  the  passphrase                 │
407      │                           │ at connection time.                        │
408      ├───────────────────────────┼────────────────────────────────────────────┤
409      │EAP-TLS-ServerDomainMask,  │ string                                     │
410      │EAP-TTLS-ServerDomainMask, │                                            │
411      │EAP-PEAP-ServerDomainMask  │ A   mask  for  the  domain                 │
412      │                           │ names  contained  in   the                 │
413      │                           │ server's  certificate.  At                 │
414      │                           │ least one  of  the  domain                 │
415      │                           │ names  present in the cer‐                 │
416      │                           │ tificate's Subject  Alter‐                 │
417      │                           │ native   Name  extension's                 │
418      │                           │ DNS  Name  fields  or  the                 │
419      │                           │ Common  Name  has to match                 │
420      │                           │ at least one mask, or  au‐                 │
421      │                           │ thentication   will  fail.                 │
422      │                           │ Multiple  masks   can   be                 │
423      │                           │ given  separated  by semi‐                 │
424      │                           │ colons.   The  masks   are                 │
425      │                           │ split into segments at the                 │
426      │                           │ dots.  Each segment has to                 │
427      │                           │ match   its  corresponding                 │
428      │                           │ label in the domain  name.                 │
429      │                           │ An asterisk segment in the                 │
430      │                           │ mask  matches  any  label.                 │
431      │                           │ An asterisk segment at the                 │
432      │                           │ beginning  of   the   mask                 │
433      │                           │ matches  one  or more con‐                 │
434      │                           │ secutive labels  from  the                 │
435      │                           │ beginning  of  the  domain                 │
436      │                           │ string.                                    │
437      ├───────────────────────────┼────────────────────────────────────────────┤
438      │EAP-TTLS-Phase2-Method     │ The following values are allowed:          │
439      │                           │   Tunneled-CHAP,                           │
440      │                           │   Tunneled-MSCHAP,                         │
441      │                           │   Tunneled-MSCHAPv2,                       │
442      │                           │   Tunneled-PAP or                          │
443      │                           │   a valid EAP method name (see EAP-Method) │
444      │                           │                                            │
445      │                           │                                            │
446      │                           │ Phase   2   authentication                 │
447      │                           │ method  for EAP-TTLS.  Can                 │
448      │                           │ be  either  one   of   the                 │
449      │                           │ TTLS-specific      non-EAP                 │
450      │                           │ methods  (Tunneled-*),  or                 │
451      │                           │ any  EAP method documented                 │
452      │                           │ here.  The  following  two                 │
453      │                           │ settings  are  used if any                 │
454      │                           │ of the non-EAP methods  is                 │
455      │                           │ used.                                      │
456      ├───────────────────────────┼────────────────────────────────────────────┤
457      │EAP-TTLS-Phase2-Identity   │ The  secure  identity/username  string for │
458      │                           │ the TTLS non-EAP Phase 2 methods.  If  not │
459      │                           │ provided  iwd  will  request a username at │
460      │                           │ connection time.                           │
461      └───────────────────────────┴────────────────────────────────────────────┘
462
463      │EAP-TTLS-Phase2-Password   │ Password string for the TTLS non-EAP Phase │
464      │                           │ 2  methods.  If  not provided IWD will re‐ │
465      │                           │ quest a passphrase at connection time.     │
466      ├───────────────────────────┼────────────────────────────────────────────┤
467      │EAP-TTLS-Phase2-*          │ Any settings to be used for the inner  EAP │
468      │                           │ method    if    one   was   specified   as │
469      │                           │ EAP-TTLS-Phase2-Method,  rather   than   a │
470      │                           │ TTLS-specific     method.    The    prefix │
471      │                           │ EAP-TTLS-Phase2- replaces the EAP-  prefix │
472      │                           │ in the setting keys and their usage is un‐ │
473      │                           │ changed.  Since the inner method's negoti‐ │
474      │                           │ ation  is  encrypted,  a  secure  identity │
475      │                           │ string can be provided.                    │
476      ├───────────────────────────┼────────────────────────────────────────────┤
477      │EAP-PEAP-Phase2-*          │ Any settings to be used for the inner  EAP │
478      │                           │ method  with EAP-PEAP as the outer method. │
479      │                           │ The prefix EAP-PEAP-Phase2-  replaces  the │
480      │                           │ EAP-  prefix in the setting keys and their │
481      │                           │ usage  is  unchanged.  Since   the   inner │
482      │                           │ method's  negotiation  is encrypted, a se‐ │
483      │                           │ cure identity string can be provided.      │
484      └───────────────────────────┴────────────────────────────────────────────┘
485
486   Network Configuration Settings
487       The group [IPv4] contains settings  for  Internet  Protocol  version  4
488       (IPv4) network configuration with the static addresses.
489
490                     ┌─────────────┬────────────────────────────┐
491                     │Address      │ IPv4 address string        │
492                     │             │                            │
493                     │             │ The  IPv4  address  to as‐ │
494                     │             │ sign. This  field  is  re‐
495                     │             │ quired for the static con‐ │
496                     │             │ figuration.                │
497                     ├─────────────┼────────────────────────────┤
498                     │Gateway      │ IPv4 address string        │
499                     │             │                            │
500                     │             │ The IPv4  address  of  the │
501                     │             │ gateway   (router).   This │
502                     │             │ field is required for  the │
503                     │             │ static configuration.      │
504                     ├─────────────┼────────────────────────────┤
505                     │DNS          │ IPv4  address string list, │
506                     │             │ space delimited            │
507                     │             │                            │
508                     │             │ The  IPv4  address(es)  of │
509                     │             │ the   Domain  Name  System │
510                     │             │ (DNS). This field  is  op‐
511                     │             │ tional. DNS setting can be │
512                     │             │ used to override  the  DNS │
513                     │             │ entries  received from the │
514                     │             │ DHCP server.               │
515                     ├─────────────┼────────────────────────────┤
516                     │Netmask      │ IPv4 address string        │
517                     │             │                            │
518                     │             │ The IPv4  address  of  the │
519                     │             │ subnet.  This field is op‐
520                     │             │ tional.  255.255.255.0  is │
521                     │             │ used as default Netmask.   │
522                     └─────────────┴────────────────────────────┘
523
524
525
526
527
528
529                     │Broadcast    │ IPv4 address string        │
530                     │             │                            │
531                     │             │ The  IPv4  address  to  be │
532                     │             │ used  for  the  broadcast. │
533                     │             │ This field is optional.    │
534                     ├─────────────┼────────────────────────────┤
535                     │DomainName   │ string                     │
536                     │             │                            │
537                     │             │ The DomainName is the name │
538                     │             │ of the local Internet  do‐ │
539                     │             │ main.  This  field  is op‐
540                     │             │ tional. DomainName setting │
541                     │             │ can  be  used  to override │
542                     │             │ the DomainName  value  ob‐ │
543                     │             │ tained   from   the   DHCP │
544                     │             │ server.                    │
545                     ├─────────────┼────────────────────────────┤
546                     │SendHostname │ Values: true, false        
547                     │             │                            │
548                     │             │ Configures DHCP to include │
549                     │             │ the  hostname  in  the re‐ │
550                     │             │ quest.  This  setting   is │
551                     │             │ disabled by default.       │
552                     └─────────────┴────────────────────────────┘
553
554       The  group  [IPv6]  contains  settings  for Internet Protocol version 6
555       (IPv6) network configuration.
556
557                      ┌───────────┬────────────────────────────┐
558                      │Enabled    │ Boolean                    │
559                      │           │                            │
560                      │           │ Whether  IPv6  is  enabled │
561                      │           │ for  this network.  If not │
562                      │           │ provided, then the  global │
563                      │           │ default  provided by [Net‐ │
564                      │           │ work].EnableIPv6   setting │
565                      │           │ will  be used.  If IPv6 is │
566                      │           │ disabled, then  the  'dis‐ │
567                      │           │ able_ipv6'    setting   in │
568                      │           │ sysfs will be set to 1 and │
569                      │           │ no   IPv6   addresses   or │
570                      │           │ routes will be created for │
571                      │           │ this network.              │
572                      ├───────────┼────────────────────────────┤
573                      │Address    │ IPv6 address string        │
574                      │           │                            │
575                      │           │ The  IPv6  address  to as‐ │
576                      │           │ sign. This  field  is  re‐
577                      │           │ quired for the static con‐ │
578                      │           │ figuration.   The   recog‐ │
579                      │           │ nized  format is according │
580                      │           │ to inet_pton  followed  by │
581                      │           │ '/' and prefix length.  If │
582                      │           │ prefix length is  omitted, │
583                      │           │ then 128 is assumed.       │
584                      ├───────────┼────────────────────────────┤
585                      │Gateway    │ IPv6 address string        │
586                      │           │                            │
587                      │           │ The  IPv6  address  of the │
588                      │           │ gateway   (router).   This │
589                      │           │ field  is required for the │
590                      │           │ static configuration.      │
591                      └───────────┴────────────────────────────┘
592
593
594
595                      │DNS        │ IPv6 address string  list, │
596                      │           │ space delimited            │
597                      │           │                            │
598                      │           │ The  IPv6  address(es)  of │
599                      │           │ the  Domain  Name   System │
600                      │           │ (DNS).  This  field is op‐
601                      │           │ tional. DNS setting can be │
602                      │           │ used  to  override the DNS │
603                      │           │ entries received from  the │
604                      │           │ DHCPv6   server   or   via │
605                      │           │ Router Advertisements.     │
606                      ├───────────┼────────────────────────────┤
607                      │DomainName │ string                     │
608                      │           │                            │
609                      │           │ The DomainName is the name │
610                      │           │ of  the local Internet do‐ │
611                      │           │ main. This  field  is  op‐
612                      │           │ tional. DomainName setting │
613                      │           │ can be  used  to  override │
614                      │           │ the  DomainName  value ob‐ │
615                      │           │ tained  from  the   DHCPv6 │
616                      │           │ server  or  via Router Ad‐ │
617                      │           │ vertisements.              │
618                      └───────────┴────────────────────────────┘
619
620   Embedded PEMs
621       Rather than including an absolute path to a PEM file (for  certificates
622       and  keys), the PEM itself can be included inside the settings file and
623       referenced directly. This allows IEEE 802.1x network provisioning using
624       a  single  file  without  any references to certificates or keys on the
625       system.
626
627       An embedded PEM can appear anywhere in the settings file using the fol‐
628       lowing format (in this example the PEM is named 'my_ca_cert'):
629
630          [@pem@my_ca_cert]
631          ----- BEGIN CERTIFICATE -----
632          <PEM data>
633          ----- END CERTIFICATE -----
634
635       After  this  special  group tag it's as simple as pasting in a PEM file
636       including the BEGIN/END tags. Now 'my_ca_cert' can be used to reference
637       the  certificate  elsewhere in the settings file by prefixing the value
638       with 'embed:'
639
640       EAP-TLS-CACert=embed:my_ca_cert
641
642       This is not limited to CA  Certificates  either.  Client  certificates,
643       client keys (encrypted or not), and certificate chains can be included.
644

EXAMPLES

646       The following are some examples of common configurations
647
648   Open Network (Hidden)
649          [Settings]
650          Hidden=true
651
652   Pre-Shared Key (PSK)
653          [Security]
654          Passphrase=secret123
655
656   PWD
657          [Security]
658          EAP-Method=PWD
659          EAP-Identity=user@domain.com
660          EAP-Password=secret123
661
662   TLS
663          [Security]
664          EAP-Method=TLS
665          EAP-TLS-ClientCert=/certs/client-cert.pem
666          EAP-TLS-ClientKey=/certs/client-key.pem
667          EAP-TLS-CACert=/certs/ca-cert.pem
668          EAP-TLS-ServerDomainMask=*.domain.com
669
670   TTLS + PAP
671          [Security]
672          EAP-Method=TTLS
673          EAP-Identity=open@identity.com
674          EAP-TTLS-CACert=/certs/ca-cert.pem
675          EAP-TTLS-Phase2-Method=Tunneled-PAP
676          EAP-TTLS-Phase2-Identity=username
677          EAP-TTLS-Phase2-Password=password
678          EAP-TTLS-ServerDomainMask=*.domain.com
679
680   PEAP + MSCHAPv2
681          [Security]
682          EAP-Method=PEAP
683          EAP-Identity=open@identity.com
684          EAP-PEAP-CACert=/certs/ca-cert.pem
685          EAP-PEAP-Phase2-Method=MSCHAPV2
686          EAP-PEAP-Phase2-Identity=username
687          EAP-PEAP-Phase2-Password=password
688          EAP-PEAP-ServerDomainMask=*.domain.com
689

SEE ALSO

691       iwd(8), iwd.config(5)
692

AUTHOR

694       Marcel      Holtmann      <marcel@holtmann.org>,      Denis     Kenzior
695       <denkenz@gmail.com>, Andrew  Zaborowski  <andrew.zaborowski@intel.com>,
696       Tim   Kourt   <tim.a.kourt@linux.intel.com>,  James  Prestwood  <prest‐
697       woj@gmail.com>
698
700       2013-2019 Intel Corporation
701
702
703
704
705iwd                            22 September 2019                IWD.NETWORK(5)
Impressum