1 <!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
4 <refentrytitle>wpa_supplicant.conf</refentrytitle>
5 <manvolnum>5</manvolnum>
8 <refname>wpa_supplicant.conf</refname>
9 <refpurpose>configuration file for wpa_supplicant</refpurpose>
12 <title>Overview</title>
14 <para><command>wpa_supplicant</command> is configured using a text
15 file that lists all accepted networks and security policies,
16 including pre-shared keys. See the example configuration file,
17 probably in <command>/usr/share/doc/wpa_supplicant/</command>, for
18 detailed information about the configuration format and supported
21 <para>All file paths in this configuration file should use full
22 (absolute, not relative to working directory) path in order to allow
23 working directory to be changed. This can happen if wpa_supplicant is
24 run in the background.</para>
26 <para>Changes to configuration file can be reloaded be sending
27 SIGHUP signal to <command>wpa_supplicant</command> ('killall -HUP
28 wpa_supplicant'). Similarly, reloading can be triggered with
29 the <emphasis>wpa_cli reconfigure</emphasis> command.</para>
31 <para>Configuration file can include one or more network blocks,
32 e.g., one for each used SSID. wpa_supplicant will automatically
33 select the best network based on the order of network blocks in
34 the configuration file, network security level (WPA/WPA2 is
35 preferred), and signal strength.</para>
39 <title>Quick Examples</title>
44 <para>WPA-Personal (PSK) as home network and WPA-Enterprise with
45 EAP-TLS as work network.</para>
47 <blockquote><programlisting>
48 # allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
49 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
51 # home network; allow all valid ciphers
56 psk="very secret passphrase"
59 # work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
67 identity="user@example.com"
68 ca_cert="/etc/cert/ca.pem"
69 client_cert="/etc/cert/user.pem"
70 private_key="/etc/cert/user.prv"
71 private_key_passwd="password"
73 </programlisting></blockquote>
77 <para>WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
78 use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse
79 Aegis, Interlink RAD-Series)</para>
81 <blockquote><programlisting>
82 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
88 identity="user@example.com"
90 ca_cert="/etc/cert/ca.pem"
92 phase2="auth=MSCHAPV2"
94 </programlisting></blockquote>
98 <para>EAP-TTLS/EAP-MD5-Challenge configuration with anonymous
99 identity for the unencrypted use. Real identity is sent only
100 within an encrypted TLS tunnel.</para>
103 <blockquote><programlisting>
104 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
110 identity="user@example.com"
111 anonymous_identity="anonymous@example.com"
113 ca_cert="/etc/cert/ca.pem"
116 </programlisting></blockquote>
121 <para>IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
122 (require both unicast and broadcast); use EAP-TLS for
123 authentication</para>
125 <blockquote><programlisting>
126 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
132 identity="user@example.com"
133 ca_cert="/etc/cert/ca.pem"
134 client_cert="/etc/cert/user.pem"
135 private_key="/etc/cert/user.prv"
136 private_key_passwd="password"
139 </programlisting></blockquote>
144 <para>Catch all example that allows more or less all
145 configuration modes. The configuration options are used based
146 on what security policy is used in the selected SSID. This is
147 mostly for testing and is not recommended for normal
150 <blockquote><programlisting>
151 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
155 key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
157 group=CCMP TKIP WEP104 WEP40
158 psk="very secret passphrase"
160 identity="user@example.com"
162 ca_cert="/etc/cert/ca.pem"
163 client_cert="/etc/cert/user.pem"
164 private_key="/etc/cert/user.prv"
165 private_key_passwd="password"
167 ca_cert2="/etc/cert/ca2.pem"
168 client_cert2="/etc/cer/user.pem"
169 private_key2="/etc/cer/user.prv"
170 private_key2_passwd="password"
172 </programlisting></blockquote>
176 <para>Authentication for wired Ethernet. This can be used with
177 <emphasis>wired</emphasis> or <emphasis>roboswitch</emphasis> interface
178 (-Dwired or -Droboswitch on command line).</para>
180 <blockquote><programlisting>
181 ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
190 </programlisting></blockquote>
200 <title>Certificates</title>
202 <para>Some EAP authentication methods require use of
203 certificates. EAP-TLS uses both server side and client
204 certificates whereas EAP-PEAP and EAP-TTLS only require the server
205 side certificate. When client certificate is used, a matching
206 private key file has to also be included in configuration. If the
207 private key uses a passphrase, this has to be configured in
208 wpa_supplicant.conf ("private_key_passwd").</para>
210 <para>wpa_supplicant supports X.509 certificates in PEM and DER
211 formats. User certificate and private key can be included in the
214 <para>If the user certificate and private key is received in
215 PKCS#12/PFX format, they need to be converted to suitable PEM/DER
216 format for wpa_supplicant. This can be done, e.g., with following
218 <blockquote><programlisting>
219 # convert client certificate and private key to PEM format
220 openssl pkcs12 -in example.pfx -out user.pem -clcerts
221 # convert CA certificate (if included in PFX file) to PEM format
222 openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
223 </programlisting></blockquote>
227 <title>See Also</title>
230 <refentrytitle>wpa_supplicant</refentrytitle>
231 <manvolnum>8</manvolnum>
234 <refentrytitle>openssl</refentrytitle>
235 <manvolnum>1</manvolnum>
projects / mech_eap.orig / blob