IWD.NETWORK(5)                Linux Connectivity                IWD.NETWORK(5)

NAME
       iwd.network - Network configuration for wireless daemon

SYNOPSIS
       Network configuration files .open, .psk and .8021x

DESCRIPTION
       iwd stores information on known networks, and reads information on
       pre-provisioned networks, from small text configuration files. Those
       files live in the state directory specified by the environment variable
       $STATE_DIRECTORY, which is normally provided by systemd. In the absence
       of such an environment variable it defaults to $LIBDIR/iwd, which
       normally is set to /var/lib/iwd. You can create, modify or remove those
       files. iwd monitors the directory for changes and will update its state
       accordingly. iwd will also modify these files in the course of network
       connections or as a result of D-Bus API invocations.

FILE FORMAT
       The syntax is similar to that of GNOME keyfile syntax (which is based
       on the format defined in the Desktop Entry Specification, see
       http://freedesktop.org/Standards/desktop-entry-spec). The recognized
       groups as well as keys and values in each group are documented here.
       Defaults are written in bold.

       For completeness we include the description of the file syntax here.
       This is the syntax that the ell library's l_settings class implements.
       The syntax is based on lines and lines are delimited by newline
       characters.

       Empty lines are ignored and whitespace at the beginning of a line is
       ignored. Comment lines have # as their first non-whitespace character.

       Key-value lines contain a setting key, an equal sign and the value of
       the setting. Whitespace preceding the key, the equal sign or the value
       is ignored. The key must be a continuous string of alphanumeric and
       underscore characters and minus signs only. The value starts at the
       first non-whitespace character after the first equal sign on the line
       and ends at the end of the line and must be correctly UTF-8-encoded. A
       boolean value can be true or false but 0 or 1 are also allowed. Integer
       values are written in base 10. String values, including file paths and
       hexstrings, are written as is except for five characters that may be
       backslash-escaped: space, \t, \r, \n and backslash itself. The latter
       three must be escaped. A space character must be escaped if it is the
       first character in the value string and is written as \s.

       Settings are interpreted depending on the group they are in. A group
       starts with a group header line and contains all settings until the
       next group's header line. A group header line contains a [ character
       followed by the group name and a ] character. Whitespace is allowed
       before the [ and after the ]. A group name consists of printable
       characters other than [ and ].

       If a group name starts with the @ sign, that group's content is handled
       by a parser extension instead and does not cause the previous
       non-extension group to end. The initial @ sign must be followed by a
       non-empty extension name, another @ sign and a group name as defined
       above. The extension name consists of printable characters other than
       @. No whitespace is allowed after the group header in this case. The
       extension payload syntax and length are determined by the extension
       name. Normal parsing rules defined in this section resume at the end of
       the payload and any settings after the end of the payload are handled
       as part of the previous non-extension group.

       Currently the only extension supported is named pem and allows
       embedding the contents of a single RFC7468 PEM-formatted payload or a
       sequence of multiple PEM payloads. The payload should start with the
       -----BEGIN string on a line following the group header line and end
       with an -----END line as specified in the RFC. Newline characters
       before, between and after PEM payloads are included in the extension
       payload. No other extra characters are allowed.

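       The following parser is an added example illustrating the file syntax
       described above; it is not iwd's or ell's own code. It handles comment
       lines, the five backslash escapes, group headers, and a pem extension
       group whose payload is attached to the setting named in the header
       (an assumption about how the "embedded pem" value is represented). The
       SAMPLE input, including the certificate body and the key bundle path,
       is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the syntax described above. The PEM body is a
# placeholder, not a real certificate; the bundle path is made up. Raw string,
# so the backslash escapes reach the parser literally.
SAMPLE = r"""
# an 802.1x network profile
[Security]
EAP-Method=TLS
EAP-Identity=\sanon\tuser
[@pem@EAP-TLS-CACert]
-----BEGIN CERTIFICATE-----
QUJDRA==
-----END CERTIFICATE-----

EAP-TLS-ClientKeyBundle=/var/lib/iwd/certs/client.p12
  [Settings]
AutoConnect = 1
Hidden=false
"""

Settings = Dict[str, Dict[str, str]]

KEY_RE = re.compile(r"^[A-Za-z0-9_-]+$")
GROUP_RE = re.compile(r"^\[([^\[\]]+)\]$")
EXT_RE = re.compile(r"^\[@([^@\[\]]+)@([^\[\]]+)\]$")
ESCAPES = {"s": " ", "t": "\t", "r": "\r", "n": "\n", "\\": "\\"}


def unescape(value: str) -> str:
    """Undo the five backslash escapes; any other escape is malformed."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 >= len(value) or value[i + 1] not in ESCAPES:
                raise ValueError(f"bad escape in value: {value!r}")
            out.append(ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def read_pem_payload(lines: List[str], i: int) -> Tuple[str, int]:
    """Consume one or more PEM blocks starting at lines[i]. Returns the payload
    (empty lines before/between/after included) and the index of the first
    line that belongs to normal parsing again."""
    chunks: List[str] = []
    in_block = False
    while i < len(lines):
        line = lines[i]
        if in_block:
            chunks.append(line)
            if line.startswith("-----END"):
                in_block = False
        elif line.startswith("-----BEGIN"):
            chunks.append(line)
            in_block = True
        elif line.strip() == "":
            chunks.append(line)
        else:
            break  # first non-empty, non-PEM line ends the payload
        i += 1
    if in_block:
        raise ValueError("unterminated PEM block")
    if not any(c.startswith("-----BEGIN") for c in chunks):
        raise ValueError("pem extension group without a PEM payload")
    return "\n".join(chunks) + "\n", i


def parse_settings(text: str) -> Settings:
    groups: Settings = {}
    current = None
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        raw = lines[i]
        i += 1
        line = raw.lstrip()  # leading whitespace is ignored
        if line == "" or line.startswith("#"):
            continue
        if line.startswith("["):
            ext = EXT_RE.match(line)  # no trailing whitespace allowed here
            if ext:
                if ext.group(1) != "pem":
                    raise ValueError(f"unknown extension {ext.group(1)!r}")
                if current is None:
                    raise ValueError("extension group before any group")
                payload, i = read_pem_payload(lines, i)
                # Assumption: payload becomes the value of the named setting
                # inside the enclosing (still open) non-extension group.
                groups[current][ext.group(2)] = payload
                continue
            hdr = GROUP_RE.match(line.rstrip())
            if not hdr or hdr.group(1).startswith("@"):
                raise ValueError(f"bad group header: {raw!r}")
            current = hdr.group(1)
            groups.setdefault(current, {})
            continue
        key, eq, value = line.partition("=")
        key = key.rstrip()
        if not eq or not KEY_RE.match(key):
            raise ValueError(f"bad key-value line: {raw!r}")
        if current is None:
            raise ValueError("setting outside of any group")
        groups[current][key] = unescape(value.lstrip())
    return groups
```

       Note that EAP-TLS-ClientKeyBundle in the sample is placed after the
       PEM payload but still lands in [Security], which is the behaviour the
       extension rules above require.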

NAMING
       File names are based on the network's SSID and security type: Open,
       PSK-protected or 802.1x. The name consists of the encoding of the SSID
       followed by .open, .psk or .8021x. The SSID appears verbatim in the
       name if it contains only alphanumeric characters, spaces, underscores
       or minus signs. Otherwise it is encoded as an equal sign followed by
       the lower-case hex encoding of the name.

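       As an added example (not iwd's own code), the naming rule above in both
       directions, operating on the raw SSID bytes so that non-UTF-8 SSIDs
       survive the round trip. It assumes "alphanumeric" means ASCII letters
       and digits, and enforces the 32-byte SSID limit from 802.11, which this
       page does not state.

```python
import re
from typing import Tuple

# Security type suffixes as listed under NAMING.
SUFFIXES = {"open": ".open", "psk": ".psk", "8021x": ".8021x"}
# Bytes allowed verbatim in a file name. Assumption: ASCII alphanumerics only.
VERBATIM_RE = re.compile(rb"^[A-Za-z0-9 _-]+$")
MAX_SSID_LEN = 32  # 802.11 limit; assumption, not stated on this page


def network_file_name(ssid: bytes, security: str) -> str:
    """Map SSID bytes and a security type to the iwd network file name."""
    if not 1 <= len(ssid) <= MAX_SSID_LEN:
        raise ValueError(f"SSID must be 1..{MAX_SSID_LEN} bytes")
    suffix = SUFFIXES[security]  # KeyError for an unknown security type
    if VERBATIM_RE.match(ssid):
        return ssid.decode("ascii") + suffix
    return "=" + ssid.hex() + suffix  # '=' followed by lower-case hex


def parse_network_file_name(name: str) -> Tuple[bytes, str]:
    """Inverse mapping: file name -> (SSID bytes, security type)."""
    for security, suffix in SUFFIXES.items():
        if name.endswith(suffix):
            stem = name[: -len(suffix)]
            break
    else:
        raise ValueError(f"unknown security suffix: {name!r}")
    if stem.startswith("="):
        hexpart = stem[1:]
        if hexpart != hexpart.lower():
            raise ValueError("hex-encoded SSID must be lower-case")
        ssid = bytes.fromhex(hexpart)
    else:
        ssid = stem.encode("ascii")  # UnicodeEncodeError is a ValueError
        if not VERBATIM_RE.match(ssid):
            raise ValueError(f"SSID in {name!r} needed hex encoding")
    if not 1 <= len(ssid) <= MAX_SSID_LEN:
        raise ValueError("decoded SSID has an invalid length")
    return ssid, security
```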

SETTINGS
       The settings below are split into several sections and grouped into
       broad categories. Each category has a group associated with it which
       is given at the beginning of each sub-section. Recognized keys and
       valid values are listed following the group definition.

   General Settings
       The group [Settings] contains general settings.

    ┌───────────────────────────────┬────────────────────────────────────────────┐
    │AutoConnect                    │ Values: true, false                        │
    │                               │                                            │
    │                               │ Whether the network can be connected to    │
    │                               │ automatically                              │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │Hidden                         │ Values: true, false                        │
    │                               │                                            │
    │                               │ Whether the network is hidden, i.e. its    │
    │                               │ SSID must be included in an active scan    │
    │                               │ request.                                   │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │AlwaysRandomizeAddress         │ Values: true, false                        │
    │                               │                                            │
    │                               │ If enabled, the MAC address will be fully  │
    │                               │ randomized on each connection. This option │
    │                               │ is only used if                            │
    │                               │ [General].AddressRandomization is set to   │
    │                               │ 'network'. See iwd.config. This setting    │
    │                               │ should not be used with                    │
    │                               │ [Settings].AddressOverride, if both are    │
    │                               │ set AddressOverride will be used.          │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │AddressOverride                │ MAC address string                         │
    │                               │                                            │
    │                               │ Override the MAC address used for          │
    │                               │ connecting to this network. This option is │
    │                               │ only used if                               │
    │                               │ [General].AddressRandomization is set to   │
    │                               │ 'network'. See iwd.config. This setting    │
    │                               │ should not be used with                    │
    │                               │ [Settings].AlwaysRandomizeAddress, if both │
    │                               │ are set AddressOverride will be used.      │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │TransitionDisable              │ Values: true, false                        │
    │                               │                                            │
    │                               │ If enabled, the use of TKIP pairwise       │
    │                               │ cipher and connections without Management  │
    │                               │ Frame Protection are disallowed. This will │
    │                               │ make certain legacy access points          │
    │                               │ unavailable for use. Additional security   │
    │                               │ hardening can also be applied via the      │
    │                               │ [Settings].DisabledTransitionModes         │
    │                               │ setting.                                   │
    │                               │                                            │
    │                               │ Properly configured Access Points will     │
    │                               │ typically update this setting              │
    │                               │ appropriately via Transition Disable       │
    │                               │ indications. User customization of this    │
    │                               │ value is thus typically not required.      │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │DisabledTransitionModes        │ Comma-separated list of disabled           │
    │                               │ transition modes:                          │
    │                               │                                            │
    │                               │   • personal                               │
    │                               │                                            │
    │                               │   • enterprise                             │
    │                               │                                            │
    │                               │   • open                                   │
    │                               │                                            │
    │                               │   If 'personal' mode is disabled, then     │
    │                               │   legacy WPA2-Personal access points are   │
    │                               │   no longer available to be connected to   │
    │                               │   or roamed to. Only access points         │
    │                               │   utilizing WPA3-Personal will be          │
    │                               │   considered.                              │
    │                               │                                            │
    │                               │   If 'enterprise' mode is disabled, then   │
    │                               │   legacy WPA2-Enterprise access points are │
    │                               │   no longer available to be connected to   │
    │                               │   or roamed to.                            │
    │                               │                                            │
    │                               │   If 'open' mode is disabled, then non-OWE │
    │                               │   enabled access points will not be        │
    │                               │   connected to.                            │
    │                               │                                            │
    │                               │   Properly configured Access Points will   │
    │                               │   typically update this setting            │
    │                               │   appropriately via Transition Disable     │
    │                               │   indications. User customization of this  │
    │                               │   value is thus typically not required.    │
    └───────────────────────────────┴────────────────────────────────────────────┘
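
       The following is an added example, not iwd's code, that turns the
       [Settings] semantics above into a checker: given a parsed [Settings]
       group and a simplified description of a scanned access point, it lists
       why TransitionDisable or DisabledTransitionModes would exclude that AP,
       and it resolves the AddressOverride / AlwaysRandomizeAddress precedence
       against the [General].AddressRandomization value. The AccessPoint model,
       the akm labels and the HARDENED/SCAN inputs are constructed for the
       example; "disabled" as a non-'network' randomization value comes from
       iwd.config, not this page.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AccessPoint:
    """Simplified, constructed view of a scan result (not iwd's own type)."""
    ssid: str
    akm: str        # "open", "owe", "wpa2-personal", "wpa3-personal",
                    # "wpa2-enterprise" or "wpa3-enterprise"
    pairwise: str   # "CCMP" or "TKIP"
    mfp: bool       # Management Frame Protection in use


VALID_MODES = {"personal", "enterprise", "open"}


def parse_bool(value: Optional[str], default: bool = False) -> bool:
    """Boolean as defined in FILE FORMAT: true/false, or 1/0."""
    if value is None:
        return default
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def disabled_modes(settings: Dict[str, str]) -> set:
    """Parse the comma-separated DisabledTransitionModes list."""
    raw = settings.get("DisabledTransitionModes", "")
    modes = {m.strip() for m in raw.split(",") if m.strip()}
    unknown = modes - VALID_MODES
    if unknown:
        raise ValueError(f"unknown transition mode(s): {sorted(unknown)}")
    return modes


def ap_rejections(settings: Dict[str, str], ap: AccessPoint) -> List[str]:
    """Reasons the [Settings] group forbids connecting to ap; [] = candidate."""
    reasons: List[str] = []
    if parse_bool(settings.get("TransitionDisable")):
        if ap.pairwise == "TKIP":
            reasons.append("TransitionDisable: TKIP pairwise cipher")
        if not ap.mfp:
            reasons.append("TransitionDisable: no Management Frame Protection")
    modes = disabled_modes(settings)
    if "personal" in modes and ap.akm == "wpa2-personal":
        reasons.append("DisabledTransitionModes=personal: legacy WPA2-Personal")
    if "enterprise" in modes and ap.akm == "wpa2-enterprise":
        reasons.append("DisabledTransitionModes=enterprise: legacy WPA2-Enterprise")
    if "open" in modes and ap.akm == "open":
        reasons.append("DisabledTransitionModes=open: non-OWE open network")
    return reasons


def allowed_aps(settings: Dict[str, str], aps: List[AccessPoint]) -> List[AccessPoint]:
    return [ap for ap in aps if not ap_rejections(settings, ap)]


def mac_address_policy(settings: Dict[str, str], address_randomization: str) -> str:
    """Which address iwd will use, following the precedence stated above:
    both per-network keys only apply under AddressRandomization=network, and
    AddressOverride wins over AlwaysRandomizeAddress when both are set."""
    if address_randomization != "network":
        return "ignored: [General].AddressRandomization is not 'network'"
    override = settings.get("AddressOverride")
    if override:
        return f"override: {override}"
    if parse_bool(settings.get("AlwaysRandomizeAddress")):
        return "fully randomized on each connection"
    return "iwd default for this network"


# Constructed hardened [Settings] group and constructed scan results.
HARDENED = {"TransitionDisable": "true", "DisabledTransitionModes": "personal,open"}
SCAN = [
    AccessPoint("corp", "wpa3-personal", "CCMP", True),
    AccessPoint("corp", "wpa2-personal", "CCMP", True),
    AccessPoint("corp", "wpa2-personal", "TKIP", False),
    AccessPoint("cafe", "owe", "CCMP", True),
    AccessPoint("cafe", "open", "CCMP", False),
]

if __name__ == "__main__":
    for ap in SCAN:
        print(ap.ssid, ap.akm, ap_rejections(HARDENED, ap) or "allowed")
```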

   Network Authentication Settings
       The group [Security] contains settings for Wi-Fi security and
       authentication configuration. This group can be encrypted by enabling
       SystemdEncrypt, see iwd.config for details on this option. If this
       section is encrypted (only contains EncryptedSalt/EncryptedSecurity) it
       should not be modified. Modifying these values will result in the
       inability to connect to that network.

    ┌───────────────────────────────┬────────────────────────────────────────────┐
    │Passphrase                     │ 8..63 character string                     │
    │                               │                                            │
    │                               │ Passphrase to be used when connecting to   │
    │                               │ WPA-Personal networks. Required when       │
    │                               │ connecting to WPA3-Personal (SAE)          │
    │                               │ networks. Also required if the             │
    │                               │ PreSharedKey is not provided. If not       │
    │                               │ provided in settings, the agent will be    │
    │                               │ asked for the passphrase at connection     │
    │                               │ time.                                      │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │PreSharedKey                   │ 64 character hex string                    │
    │                               │                                            │
    │                               │ Processed passphrase for this network in   │
    │                               │ the form of a hex-encoded 32 byte          │
    │                               │ pre-shared key. Must be provided if        │
    │                               │ Passphrase is omitted.                     │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-Method                     │ one of the following methods:              │
    │                               │                                            │
    │                               │ AKA, AKA', MSCHAPV2, PEAP, PWD, SIM, TLS,  │
    │                               │ TTLS.                                      │
    │                               │                                            │
    │                               │ The following additional methods are       │
    │                               │ allowed as TTLS/PEAP inner methods:        │
    │                               │                                            │
    │                               │ GTC, MD5.                                  │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-Identity                   │ string                                     │
    │                               │                                            │
    │                               │ Identity string transmitted in plaintext.  │
    │                               │ Depending on the EAP method, this value    │
    │                               │ can be optional or mandatory. GTC, MD5,    │
    │                               │ MSCHAPV2, PWD require an identity, so if   │
    │                               │ not provided, the agent will be asked for  │
    │                               │ it at connection time. TLS based methods   │
    │                               │ (PEAP, TLS, TTLS) might still require an   │
    │                               │ EAP-Identity to be set, depending on the   │
    │                               │ RADIUS server configuration.               │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-Password                   │ string                                     │
    │                               │                                            │
    │                               │ Password to be provided for WPA-Enterprise │
    │                               │ authentication. If not provided, the agent │
    │                               │ will be asked for the password at          │
    │                               │ connection time. Required by: GTC, MD5,    │
    │                               │ MSCHAPV2, PWD.                             │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-Password-Hash              │ hex string                                 │
    │                               │                                            │
    │                               │ Some EAP methods can accept a pre-hashed   │
    │                               │ version of the password. For MSCHAPV2, a   │
    │                               │ MD4 hash of the password can be given      │
    │                               │ here.                                      │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-CACert,                │ absolute file path or embedded pem         │
    │EAP-TTLS-CACert,               │                                            │
    │EAP-PEAP-CACert                │ Path to a PEM-formatted X.509 root         │
    │                               │ certificate list to use for trust          │
    │                               │ verification of the authenticator. The     │
    │                               │ authenticator's server's certificate       │
    │                               │ chain must be verified by at least one CA  │
    │                               │ in the list for the authentication to      │
    │                               │ succeed. If omitted, then the              │
    │                               │ authenticator's certificate chain will not │
    │                               │ be verified (not recommended).             │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-ClientCert             │ absolute file path or embedded pem         │
    │                               │                                            │
    │                               │ Path to the client X.509 certificate or    │
    │                               │ certificate chain to send on server        │
    │                               │ request.                                   │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-ClientKey              │ absolute file path or embedded pem         │
    │                               │                                            │
    │                               │ Path to the client private key             │
    │                               │ corresponding to the public key provided   │
    │                               │ in EAP-TLS-ClientCert. The recommended     │
    │                               │ format is PKCS#8 PEM.                      │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-ClientKeyBundle        │ absolute file path                         │
    │                               │                                            │
    │                               │ As an alternative to EAP-TLS-ClientCert    │
    │                               │ and EAP-TLS-ClientKey IWD can load both    │
    │                               │ the certificate and the private key from   │
    │                               │ a container file pointed to by this        │
    │                               │ setting. The recommended format is         │
    │                               │ PKCS#12 when this is used.                 │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-ClientKeyPassphrase    │ string                                     │
    │                               │                                            │
    │                               │ Decryption key for the client key files.   │
    │                               │ This should be used if the certificate or  │
    │                               │ the private key in the files mentioned     │
    │                               │ above is encrypted. When not given, the    │
    │                               │ agent is asked for the passphrase at       │
    │                               │ connection time.                           │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-ServerDomainMask,      │ string                                     │
    │EAP-TTLS-ServerDomainMask,     │                                            │
    │EAP-PEAP-ServerDomainMask      │ A mask for the domain names contained in   │
    │                               │ the server's certificate. At least one of  │
    │                               │ the domain names present in the            │
    │                               │ certificate's Subject Alternative Name     │
    │                               │ extension's DNS Name fields or the Common  │
    │                               │ Name has to match at least one mask, or    │
    │                               │ authentication will fail. Multiple masks   │
    │                               │ can be given separated by semicolons. The  │
    │                               │ masks are split into segments at the       │
    │                               │ dots. Each segment has to match its        │
    │                               │ corresponding label in the domain name.    │
    │                               │ An asterisk segment in the mask matches    │
    │                               │ any label. An asterisk segment at the      │
    │                               │ beginning of the mask matches one or more  │
    │                               │ consecutive labels from the beginning of   │
    │                               │ the domain string.                         │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TLS-FastReauthentication,  │ Values: true, false                        │
    │EAP-TTLS-FastReauthentication, │                                            │
    │EAP-PEAP-FastReauthentication  │ Controls whether TLS session caching for   │
    │                               │ EAP-TLS, EAP-TTLS and EAP-PEAP is used.    │
    │                               │ This allows for faster re-connections to   │
    │                               │ EAP-Enterprise based networks.             │
    │                               │                                            │
    │                               │ Some network authenticators may be         │
    │                               │ misconfigured in a way that TLS session    │
    │                               │ resumption is allowed but actually         │
    │                               │ attempting it will cause the EAP method to │
    │                               │ fail or time out. In that case, assuming   │
    │                               │ the credentials and other settings are     │
    │                               │ correct, every other connection attempt    │
    │                               │ will fail as sessions are cached and       │
    │                               │ forgotten in alternating attempts. Use     │
    │                               │ this setting to disable caching for this   │
    │                               │ network.                                   │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TTLS-Phase2-Method         │ The following values are allowed:          │
    │                               │   Tunneled-CHAP,                           │
    │                               │   Tunneled-MSCHAP,                         │
    │                               │   Tunneled-MSCHAPv2,                       │
    │                               │   Tunneled-PAP or                          │
    │                               │   a valid EAP method name (see EAP-Method) │
    │                               │                                            │
    │                               │ Phase 2 authentication method for          │
    │                               │ EAP-TTLS. Can be either one of the         │
    │                               │ TTLS-specific non-EAP methods              │
    │                               │ (Tunneled-*), or any EAP method documented │
    │                               │ here. The following two settings are used  │
    │                               │ if any of the non-EAP methods is used.     │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TTLS-Phase2-Identity       │ The secure identity/username string for    │
    │                               │ the TTLS non-EAP Phase 2 methods. If not   │
    │                               │ provided iwd will request a username at    │
    │                               │ connection time.                           │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TTLS-Phase2-Password       │ Password string for the TTLS non-EAP Phase │
    │                               │ 2 methods. If not provided IWD will        │
    │                               │ request a passphrase at connection time.   │
    ├───────────────────────────────┼────────────────────────────────────────────┤
    │EAP-TTLS-Phase2-*              │ Any settings to be used for the inner EAP  │
    │                               │ method if one was specified as             │
    │                               │ EAP-TTLS-Phase2-Method, rather than a      │
    │                               │ TTLS-specific method. The prefix           │
    │                               │ EAP-TTLS-Phase2- replaces the EAP- prefix  │
    │                               │ in the setting keys and their usage is un‐ │
524    │                               │ changed.  Since the inner method's negoti‐ │
525    │                               │ ation  is  encrypted,  a  secure  identity │
526    │                               │ string can be provided.                    │
527    └───────────────────────────────┴────────────────────────────────────────────┘
528
529    │EAP-PEAP-Phase2-*              │ Any  settings to be used for the inner EAP │
530    │                               │ method with EAP-PEAP as the outer  method. │
531    │                               │ The  prefix  EAP-PEAP-Phase2- replaces the │
532    │                               │ EAP- prefix in the setting keys and  their │
533    │                               │ usage   is   unchanged.  Since  the  inner │
534    │                               │ method's negotiation is encrypted,  a  se‐ │
535    │                               │ cure identity string can be provided.      │
536    └───────────────────────────────┴────────────────────────────────────────────┘
537
   Network Configuration Settings
       The  group  [Network] contains general network settings and any network
       specific overrides for global defaults defined in the main iwd configu‐
       ration file.

                     ┌─────────────┬────────────────────────────┐
                     │MulticastDNS │ Values:  true,  false, re‐ │
                     │             │ solve                      │
                     │             │                            │
                     │             │ Configures  multicast  DNS │
                     │             │ for  this  network. If not │
                     │             │ specified,     systemd-re‐ │
                     │             │ solved's   default   value │
                     │             │ will   remain   untouched. │
                     │             │ See  man 5 systemd.network │
                     │             │ for details.               │
                     │             │                            │
                     │             │ Only applies when  NameRe‐ │
                     │             │ solvingService=systemd.    │
                     └─────────────┴────────────────────────────┘
558
       The  group  [IPv4]  contains  settings  for Internet Protocol version 4
       (IPv4) network configuration with the static addresses.

                     ┌─────────────┬────────────────────────────┐
                     │Address      │ IPv4 address string        │
                     │             │                            │
                     │             │ The IPv4  address  to  as‐ │
                     │             │ sign.  This  field  is re‐ │
                     │             │ quired for the static con‐ │
                     │             │ figuration.                │
                     ├─────────────┼────────────────────────────┤
                     │Gateway      │ IPv4 address string        │
                     │             │                            │
                     │             │ The  IPv4  address  of the │
                     │             │ gateway   (router).   This │
                     │             │ field  is required for the │
                     │             │ static configuration.      │
                     ├─────────────┼────────────────────────────┤
                     │DNS          │ IPv4 address string  list, │
                     │             │ space delimited            │
                     │             │                            │
                     │             │ The  IPv4  address(es)  of │
                     │             │ the  Domain  Name   System │
                     │             │ (DNS).  This  field is op‐ │
                     │             │ tional. DNS setting can be │
                     │             │ used  to  override the DNS │
                     │             │ entries received from  the │
                     │             │ DHCP server.               │
                     ├─────────────┼────────────────────────────┤
                     │Netmask      │ IPv4 address string        │
                     │             │                            │
                     │             │ The  IPv4  address  of the │
                     │             │ subnet. This field is  op‐ │
                     │             │ tional.  255.255.255.0  is │
                     │             │ used as default Netmask.   │
                     ├─────────────┼────────────────────────────┤
                     │Broadcast    │ IPv4 address string        │
                     │             │                            │
                     │             │ The  IPv4  address  to  be │
                     │             │ used  for  the  broadcast. │
                     │             │ This field is optional.    │
                     ├─────────────┼────────────────────────────┤
                     │DomainName   │ string                     │
                     │             │                            │
                     │             │ The DomainName is the name │
                     │             │ of  the local Internet do‐ │
                     │             │ main. This  field  is  op‐ │
                     │             │ tional. DomainName setting │
                     │             │ can be  used  to  override │
                     │             │ the  DomainName  value ob‐ │
                     │             │ tained   from   the   DHCP │
                     │             │ server.                    │
                     ├─────────────┼────────────────────────────┤
                     │SendHostname │ Values: true, false        │
                     │             │                            │
                     │             │ Configures DHCP to include │
                     │             │ the hostname  in  the  re‐ │
                     │             │ quest.   This  setting  is │
                     │             │ disabled by default.       │
                     └─────────────┴────────────────────────────┘
626
       The group [IPv6] contains settings  for  Internet  Protocol  version  6
       (IPv6) network configuration.

                      ┌───────────┬────────────────────────────┐
                      │Enabled    │ Boolean                    │
                      │           │                            │
                      │           │ Whether  IPv6  is  enabled │
                      │           │ for this network.  If  not │
                      │           │ provided,  then the global │
                      │           │ default provided by  [Net‐ │
                      │           │ work].EnableIPv6   setting │
                      │           │ will be used.  If IPv6  is │
                      │           │ disabled,  then  the 'dis‐ │
                      │           │ able_ipv6'   setting    in │
                      │           │ sysfs will be set to 1 and │
                      │           │ no   IPv6   addresses   or │
                      │           │ routes will be created for │
                      │           │ this network.              │
                      ├───────────┼────────────────────────────┤
                      │Address    │ IPv6 address string        │
                      │           │                            │
                      │           │ The IPv6  address  to  as‐ │
                      │           │ sign.  This  field  is re‐ │
                      │           │ quired for the static con‐ │
                      │           │ figuration.    The  recog‐ │
                      │           │ nized format is  according │
                      │           │ to  inet_pton  followed by │
                      │           │ '/' and prefix length.  If │
                      │           │ prefix  length is omitted, │
                      │           │ then 128 is assumed.       │
                      ├───────────┼────────────────────────────┤
                      │Gateway    │ IPv6 address string        │
                      │           │                            │
                      │           │ The IPv6  address  of  the │
                      │           │ gateway   (router).   This │
                      │           │ field is required for  the │
                      │           │ static configuration.      │
                      ├───────────┼────────────────────────────┤
                      │DNS        │ IPv6  address string list, │
                      │           │ space delimited            │
                      │           │                            │
                      │           │ The  IPv6  address(es)  of │
                      │           │ the   Domain  Name  System │
                      │           │ (DNS). This field  is  op‐ │
                      │           │ tional. DNS setting can be │
                      │           │ used to override  the  DNS │
                      │           │ entries  received from the │
                      │           │ DHCPv6   server   or   via │
                      │           │ Router Advertisements.     │
                      ├───────────┼────────────────────────────┤
                      │DomainName │ string                     │
                      │           │                            │
                      │           │ The DomainName is the name │
                      │           │ of the local Internet  do‐ │
                      │           │ main.  This  field  is op‐ │
                      │           │ tional. DomainName setting │
                      │           │ can  be  used  to override │
                      │           │ the DomainName  value  ob‐ │
                      │           │ tained   from  the  DHCPv6 │
                      │           │ server or via  Router  Ad‐ │
                      │           │ vertisements.              │
                      └───────────┴────────────────────────────┘
692
   Embedded PEMs
       Rather  than including an absolute path to a PEM file (for certificates
       and keys), the PEM itself can be included inside the settings file  and
       referenced directly. This allows IEEE 802.1x network provisioning using
       a single file without any references to certificates  or  keys  on  the
       system.

       An embedded PEM can appear anywhere in the settings file using the fol‐
       lowing format (in this example the PEM is named 'my_ca_cert'):

          [@pem@my_ca_cert]
          ----- BEGIN CERTIFICATE -----
          <PEM data>
          ----- END CERTIFICATE -----

       After this special group tag it's as simple as pasting in  a  PEM  file
       including the BEGIN/END tags. Now 'my_ca_cert' can be used to reference
       the certificate elsewhere in the settings file by prefixing  the  value
       with 'embed:'

       EAP-TLS-CACert=embed:my_ca_cert

       This  is  not  limited  to CA Certificates either. Client certificates,
       client keys (encrypted or not), and certificate chains can be included.

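       The following Python is an added example, not iwd's own code (iwd reads
       these files with the ell library's l_settings class). It reads a constructed
       .8021x settings file and applies three rules from this page: the [@pem@NAME]
       group holds raw PEM text that an 'embed:NAME' value refers to, the
       EAP-TTLS-Phase2-* keys are inner-method settings with the EAP- prefix
       swapped for the phase-2 prefix, and a static [IPv4] group requires Address
       and Gateway with Netmask defaulting to 255.255.255.0. The sample file, its
       identities, addresses and PEM body are constructed placeholders; the
       gateway-in-subnet test is an extra sanity check, not a rule from this page.

```python
# Added example, not iwd's own code (iwd reads these files with ell's
# l_settings).  Applies three iwd.network(5) rules: [@pem@NAME] groups hold
# raw PEM text referenced by "embed:NAME" values; EAP-<outer>-Phase2-* keys
# are inner-method settings with the EAP- prefix swapped; a static [IPv4]
# group needs Address and Gateway, Netmask defaulting to 255.255.255.0.
import ipaddress
import re

GROUP_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PEM_GROUP_RE = re.compile(r"^@pem@(?P<name>\w+)$")

# Constructed .8021x file: identities, addresses and the PEM body are
# placeholders, not real credentials or a real certificate.
SAMPLE_8021X = """\
[Security]
EAP-Method=TTLS
EAP-Identity=anonymous@example.org
EAP-TTLS-CACert=embed:my_ca_cert
EAP-TTLS-ServerDomainMask=*.example.org
EAP-TTLS-Phase2-Method=MSCHAPV2
EAP-TTLS-Phase2-Identity=user
EAP-TTLS-Phase2-Password=placeholder-password

[IPv4]
Address=192.0.2.10
Gateway=192.0.2.1
DNS=192.0.2.53 192.0.2.54

[@pem@my_ca_cert]
-----BEGIN CERTIFICATE-----
PLACEHOLDER/NOT+A+REAL+CERTIFICATE==
-----END CERTIFICATE-----
"""


def parse_settings(text):
    """Return (groups, pems): group name -> {key: value}, PEM name -> PEM text.
    PEM group lines are kept verbatim, so base64 padding ('=') is never
    mistaken for a key=value separator."""
    groups, pems = {}, {}
    current = pem_lines = None
    for raw in text.splitlines():
        line = raw.strip()                      # leading whitespace ignored
        if not line or line.startswith("#"):    # empty and comment lines
            continue
        m = GROUP_RE.match(line)
        if m:
            pm = PEM_GROUP_RE.match(m.group("name"))
            if pm:
                pem_lines = pems.setdefault(pm.group("name"), [])
                current = None
            else:
                current = groups.setdefault(m.group("name"), {})
                pem_lines = None
            continue
        if pem_lines is not None:
            pem_lines.append(line)
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return groups, {n: "\n".join(ls) for n, ls in pems.items()}


def resolve_embed(value, pems):
    """Return the PEM text for an 'embed:NAME' value; a plain path passes
    through.  Raises if the name is unknown or the block lacks BEGIN/END."""
    if not value.startswith("embed:"):
        return value
    name = value[len("embed:"):]
    if name not in pems:
        raise KeyError("no embedded PEM named %r" % name)
    lines = pems[name].splitlines()
    if len(lines) < 3 or "BEGIN" not in lines[0] or "END" not in lines[-1]:
        raise ValueError("embedded PEM %r is not BEGIN/END delimited" % name)
    return pems[name]


def phase2_settings(security, outer):
    """EAP-<outer>-Phase2-* keys, returned with the plain EAP- prefix."""
    prefix = "EAP-%s-Phase2-" % outer
    return {"EAP-" + k[len(prefix):]: v
            for k, v in security.items() if k.startswith(prefix)}


def check_static_ipv4(ipv4):
    """Validate a static [IPv4] group and return the effective settings."""
    for required in ("Address", "Gateway"):
        if required not in ipv4:
            raise ValueError("static [IPv4] configuration needs %s" % required)
    addr = ipaddress.IPv4Address(ipv4["Address"])
    gateway = ipaddress.IPv4Address(ipv4["Gateway"])
    netmask = ipaddress.IPv4Address(ipv4.get("Netmask", "255.255.255.0"))
    network = ipaddress.IPv4Network("%s/%s" % (addr, netmask), strict=False)
    if gateway not in network:      # extra sanity check, not a man-page rule
        raise ValueError("Gateway %s is outside %s" % (gateway, network))
    dns = [str(ipaddress.IPv4Address(d)) for d in ipv4.get("DNS", "").split()]
    return {"address": str(addr), "gateway": str(gateway),
            "netmask": str(netmask), "network": str(network), "dns": dns}
```

       Parsing the PEM group verbatim rather than as key=value pairs is the
       part that matters: a base64 line ending in '=' would otherwise be split
       into a bogus key and an empty value, and a key such as EAP-TTLS-CACert
       would then point at a truncated or missing block.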

EXAMPLES

       The following are some examples of common configurations.

   Open Network (Hidden)
          [Settings]
          Hidden=true

   Pre-Shared Key (PSK)
          [Security]
          Passphrase=secret123

   PWD
          [Security]
          EAP-Method=PWD
          EAP-Identity=user@domain.com
          EAP-Password=secret123

   TLS
          [Security]
          EAP-Method=TLS
          EAP-TLS-ClientCert=/certs/client-cert.pem
          EAP-TLS-ClientKey=/certs/client-key.pem
          EAP-TLS-CACert=/certs/ca-cert.pem
          EAP-TLS-ServerDomainMask=*.domain.com

   TTLS + PAP
          [Security]
          EAP-Method=TTLS
          EAP-Identity=open@identity.com
          EAP-TTLS-CACert=/certs/ca-cert.pem
          EAP-TTLS-Phase2-Method=Tunneled-PAP
          EAP-TTLS-Phase2-Identity=username
          EAP-TTLS-Phase2-Password=password
          EAP-TTLS-ServerDomainMask=*.domain.com

   PEAP + MSCHAPv2
          [Security]
          EAP-Method=PEAP
          EAP-Identity=open@identity.com
          EAP-PEAP-CACert=/certs/ca-cert.pem
          EAP-PEAP-Phase2-Method=MSCHAPV2
          EAP-PEAP-Phase2-Identity=username
          EAP-PEAP-Phase2-Password=password
          EAP-PEAP-ServerDomainMask=*.domain.com


SEE ALSO

       iwd(8), iwd.config(5)

AUTHOR

       Marcel Holtmann <marcel@holtmann.org>, Denis Kenzior <denkenz@gmail.com>,
       Andrew Zaborowski <andrew.zaborowski@intel.com>,
       Tim Kourt <tim.a.kourt@linux.intel.com>, James Prestwood <prestwoj@gmail.com>

       2013-2019 Intel Corporation

iwd                            22 September 2019                IWD.NETWORK(5)