Diffstat (limited to 'contrib/wpa/wpa_supplicant/wpa_supplicant.conf')
-rw-r--r-- | contrib/wpa/wpa_supplicant/wpa_supplicant.conf | 196 |
1 files changed, 178 insertions, 18 deletions
diff --git a/contrib/wpa/wpa_supplicant/wpa_supplicant.conf b/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
index f12b7b6c8ee9..e3ae77114680 100644
--- a/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
+++ b/contrib/wpa/wpa_supplicant/wpa_supplicant.conf
@@ -1,7 +1,5 @@
 ##### Example wpa_supplicant configuration file ###############################
 #
-# ***** Please check wpa_supplicant.conf(5) for details on these options *****
-#
 # This file describes configuration file format and lists all available option.
 # Please also take a look at simpler configuration examples in 'examples'
 # subdirectory.
@@ -61,6 +59,19 @@
 # DIR=/var/run/wpa_supplicant GROUP=0
 # (group can be either group name or gid)
 #
+# For UDP connections (default on Windows): The value will be ignored. This
+# variable is just used to select that the control interface is to be created.
+# The value can be set to, e.g., udp (ctrl_interface=udp)
+#
+# For Windows Named Pipe: This value can be used to set the security descriptor
+# for controlling access to the control interface. Security descriptor can be
+# set using Security Descriptor String Format (see http://msdn.microsoft.com/
+# library/default.asp?url=/library/en-us/secauthz/security/
+# security_descriptor_string_format.asp). The descriptor string needs to be
+# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty
+# DACL (which will reject all connections). See README-Windows.txt for more
+# information about SDDL string format.
+#
 ctrl_interface=/var/run/wpa_supplicant
 
 # IEEE 802.1X/EAPOL version
@@ -83,11 +94,8 @@ eapol_version=1
 # 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to
 # the currently enabled networks are found, a new network (IBSS or AP mode
 # operation) may be initialized (if configured) (default)
-# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association
-# parameters (e.g., WPA IE generation); this mode can also be used with
-# non-WPA drivers when using IEEE 802.1X mode; do not try to associate with
-# APs (i.e., external program needs to control association). This mode must
-# also be used when using wired Ethernet drivers (including MACsec).
+# 0: This mode must only be used when using wired Ethernet drivers
+# (including MACsec).
 # 2: like 0, but associate with APs using security policy and SSID (but not
 # BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to
 # enable operation with hidden SSIDs and optimized roaming; in this mode,
@@ -95,9 +103,10 @@ eapol_version=1
 # the driver reports successful association; each network block should have
 # explicit security policy (i.e., only one option in the lists) for
 # key_mgmt, pairwise, group, proto variables
-#
-# For use in FreeBSD with the wlan module ap_scan must be set to 1.
-#
+# Note: ap_scan=0/2 should not be used with the nl80211 driver interface (the
+# current Linux interface). ap_scan=1 is the only option working with nl80211.
+# For finding networks using hidden SSID, scan_ssid=1 in the network block can
+# be used with nl80211.
 # When using IBSS or AP mode, ap_scan=2 mode can force the new network to be
 # created immediately regardless of scan results. ap_scan=1 mode will first try
 # to scan for existing networks and only if no matches with the enabled
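Review bot: The second hunk drops the only platform-specific line in the ap_scan block (`# For use in FreeBSD with the wlan module ap_scan must be set to 1.`) and replaces it with a note that speaks only about nl80211 on Linux; given the contrib/wpa path this looks like a vendor copy, so readers of this file lose the guidance that applies to their driver. If the intent is to carry upstream text verbatim, consider re-adding the FreeBSD line directly after the new nl80211 note, or recording the drop where the vendor-merge differences are tracked. The ap_scan comment block starts before and ends after this hunk.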
@@ -299,6 +308,26 @@ fast_reauth=1
 # by executing the WPS protocol.
 #wps_priority=0
 
+# Device Provisioning Protocol (DPP) parameters
+#
+# How to process DPP configuration
+# 0 = report received configuration to an external program for
+# processing; do not generate any network profile internally (default)
+# 1 = report received configuration to an external program and generate
+# a network profile internally, but do not automatically connect
+# to the created (disabled) profile; the network profile id is
+# reported to external programs
+# 2 = report received configuration to an external program, generate
+# a network profile internally, try to connect to the created
+# profile automatically
+#dpp_config_processing=0
+#
+# Name for Enrollee's DPP Configuration Request
+#dpp_name=Test
+#
+# MUD URL for Enrollee's DPP Configuration Request (optional)
+#dpp_mud_url=https://example.com/mud
+
 # Maximum number of BSS entries to keep in memory
 # Default: 200
 # This can be used to limit memory use on the BSS entries (cached scan
@@ -337,7 +366,14 @@ fast_reauth=1
 # Password (and passphrase, etc.) backend for external storage
 # format: <backend name>[:<optional backend parameters>]
+# Test backend which stores passwords in memory. Should only be used for
+# development purposes.
 #ext_password_backend=test:pw1=password|pw2=testing
+# File-based backend which reads passwords from a file. The parameter
+# identifies the file to read passwords from. The password file follows the
+# format of wpa_supplicant.conf and accepts simple `key=passphrase` formatted
+# passwords.
+#ext_password_backend=file:/path/to/passwords.conf
 
 # Disable P2P functionality
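Review bot: The new `file:` backend description in the second hunk says nothing about protecting the file it points to, although that file holds plaintext passphrases and the whole point of an external backend is to keep them out of the main config. Suggest adding, after `# passwords.`, a line such as `# The password file should be readable only by the user running wpa_supplicant.` so that the permission expectation is stated where the option is introduced. The ext_password_backend block is fully contained in the hunk.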
@@ -393,6 +429,16 @@ fast_reauth=1
 # since all implementations are required to support group 19.
 #sae_groups=19 20 21
 
+# SAE mechanism for PWE derivation
+# 0 = hunting-and-pecking loop only (default without password identifier)
+# 1 = hash-to-element only (default with password identifier)
+# 2 = both hunting-and-pecking loop and hash-to-element enabled
+# Note: The default value is likely to change from 0 to 2 once the new
+# hash-to-element mechanism has received more interoperability testing.
+# When using SAE password identifier, the hash-to-element mechanism is used
+# regardless of the sae_pwe parameter value.
+#sae_pwe=0
+
 # Default value for DTIM period (if not overridden in network block)
 #dtim_period=2
 
@@ -419,6 +465,9 @@ fast_reauth=1
 # 1: Scan current operating frequency if another VIF on the same radio
 # is already associated.
 
+# Seconds to consider old scan results valid for association (default: 5)
+#scan_res_valid_for_connect=5
+
 # MAC address policy default
 # 0 = use permanent MAC address
 # 1 = use random MAC address for each ESS connection
@@ -442,6 +491,11 @@ fast_reauth=1
 # 0 = use permanent MAC address
 # 1 = use random MAC address
 # 2 = like 1, but maintain OUI (with local admin bit set)
+# Note that this setting is ignored when a specific MAC address is needed for
+# a full protocol exchange that includes GAS, e.g., when going through a DPP
+# exchange that exposes the configured interface address as part of the DP
+# Public Action frame exchanges before using GAS. That same address is then used
+# during the GAS exchange as well to avoid breaking the protocol expectations.
 #gas_rand_mac_addr=0
 
 # Lifetime of GAS random MAC address in seconds (default: 60)
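Review bot: In the note added under gas_rand_mac_addr (third hunk), `as part of the DP Public Action frame exchanges` presumably should read `as part of the DPP Public Action frame exchanges`, since the sentence is describing a DPP exchange; as written it looks like a truncated acronym. The sae_pwe block in the first hunk would also benefit from one line on why an operator would pick hash-to-element over the loop, e.g. `# hash-to-element is the newer derivation intended to avoid the password-dependent timing of the loop` — only if that matches the implementation's rationale, which this hunk does not state. Both blocks are fully contained in their hunks.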
@@ -482,7 +536,7 @@ fast_reauth=1
 #go_venue_group=7
 #go_venue_type=1
 
-# Homogenous ESS identifier
+# Homogeneous ESS identifier
 # If this is set, scans will be used to request response only from BSSes
 # belonging to the specified Homogeneous ESS. This is used only if interworking
 # is enabled.
@@ -763,6 +817,11 @@ fast_reauth=1
 # Set BIT(1) to Enable OCE in STA-CFON mode
 #oce=1
 
+# Extended Key ID support for Individually Addressed frames
+# 0 = force off: Do not use Extended Key ID (default)
+# 1 = auto: Activate Extended Key ID support if the driver supports it
+#extended_key_id=0
+
 # network block
 #
 # Each network (usually AP's sharing the same SSID) is configured as a separate
@@ -788,12 +847,22 @@ fast_reauth=1
 # scan_ssid:
 # 0 = do not scan this SSID with specific Probe Request frames (default)
 # 1 = scan with SSID-specific Probe Request frames (this can be used to
-# find APs that hide (do not broadcast) SSID or use multiple SSIDs;
+# find APs that do not accept broadcast SSID or use multiple SSIDs;
 # this will add latency to scanning, so enable this only when needed)
 #
 # bssid: BSSID (optional); if set, this network block is used only when
 # associating with the AP using the configured BSSID
 #
+# ignore_broadcast_ssid: SSID broadcast behavior
+# Send empty SSID in beacons and ignore probe request frames that do not
+# specify full SSID, i.e., require stations to know SSID.
+# default: disabled (0)
+# 1 = send empty (length=0) SSID in beacon and ignore probe request for
+# broadcast SSID
+# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
+# with some clients that do not support empty SSID) and ignore probe
+# requests for broadcast SSID
+#
 # priority: priority group (integer)
 # By default, all networks will get same priority group (0). If some of the
 # networks are more desirable, this field can be used to change the order in
@@ -804,7 +873,7 @@ fast_reauth=1
 # policy, signal strength, etc.
 # Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not
 # using this priority to select the order for scanning. Instead, they try the
-# networks in the order that they are listed in the configuration file.
+# networks in the order that used in the configuration file.
 #
 # mode: IEEE 802.11 operation mode
 # 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)
@@ -915,13 +984,15 @@ fast_reauth=1
 # management frames) certification program are:
 # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
 # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
-# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)
+# (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
+# WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
 #
 # ocv: whether operating channel validation is enabled
 # This is a countermeasure against multi-channel man-in-the-middle attacks.
 # Enabling this automatically also enables ieee80211w, if not yet enabled.
 # 0 = disabled (default)
-# 1 = enabled
+# 1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
+# driver indicates support for operating channel validation.
 #ocv=1
 #
 # auth_alg: list of allowed IEEE 802.11 authentication algorithms
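Review bot: The replacement line in the first hunk, `# networks in the order that used in the configuration file.`, is missing a verb, while the line it replaces read correctly; unless verbatim upstream wording is required, `# networks in the order that they are listed in the configuration file.` says the same thing without the regression. The new ocv text in the second hunk has the same kind of slip: `# 1 = enabled if wpa_supplicant's SME in use.` should be `# 1 = enabled if wpa_supplicant's SME is in use.` Both comment blocks continue outside their hunks.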
@@ -1061,6 +1132,18 @@ fast_reauth=1
 # wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to
 # enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.
 #
+# wpa_deny_ptk0_rekey: Workaround for PTK rekey issues
+# PTK0 rekeys (using only one Key ID value for pairwise keys) can degrade the
+# security and stability with some cards.
+# To avoid the issues wpa_supplicant can replace those PTK rekeys (including
+# EAP reauthentications) with fast reconnects.
+#
+# Available options:
+# 0 = always rekey when configured/instructed (default)
+# 1 = only rekey when the local driver is explicitly indicating it can perform
+# this operation without issues
+# 2 = never allow problematic PTK0 rekeys
+#
 # group_rekey: Group rekeying time in seconds. This value, if non-zero, is used
 # as the dot11RSNAConfigGroupRekeyTime parameter when operating in
 # Authenticator role in IBSS, or in AP and mesh modes.
@@ -1311,6 +1394,12 @@ fast_reauth=1
 # certificate. See altsubject_match documentation for more details.
 # domain_suffix_match2: Constraint for server domain name. See
 # domain_suffix_match for more details.
+# ocsp2: See ocsp for more details.
+#
+# Separate machine credentials can be configured for EAP-TEAP Phase 2 with
+# "machine_" prefix (e.g., "machine_identity") in the configuration parameters.
+# See the parameters without that prefix for more details on the meaning and
+# format of each such parameter.
 #
 # fragment_size: Maximum EAP fragment size in bytes (default 1398).
 # This value limits the fragment size for EAP methods that support
@@ -1398,6 +1487,67 @@ fast_reauth=1
 # 1-65535 = DH Group to use for FILS PFS
 #fils_dh_group=0
 
+# DPP PFS
+# 0: allow PFS to be used or not used (default)
+# 1: require PFS to be used (note: not compatible with DPP R1)
+# 2: do not allow PFS to be used
+#dpp_pfs=0
+
+# Whether beacon protection is enabled
+# This depends on management frame protection (ieee80211w) being enabled and
+# beacon protection support indication from the driver.
+# 0 = disabled (default)
+# 1 = enabled
+#beacon_prot=0
+
+# OWE DH Group
+# 0: use default (19) first and then try all supported groups one by one if AP
+# rejects the selected group
+# 1-65535: DH Group to use for OWE
+# Groups 19 (NIST P-256), 20 (NIST P-384), and 21 (NIST P-521) are
+# currently supported.
+#owe_group=0
+
+# OWE-only mode (disable transition mode)
+# 0: enable transition mode (allow connection to either OWE or open BSS)
+# 1 = disable transition mode (allow connection only with OWE)
+#owe_only=0
+
+# OWE PTK derivation workaround
+# Initial OWE implementation used SHA256 when deriving the PTK for all
+# OWE groups. This was supposed to change to SHA384 for group 20 and
+# SHA512 for group 21. This parameter can be used to enable older
+# behavior mainly for testing purposes. There is no impact to group 19
+# behavior, but if enabled, this will make group 20 and 21 cases use
+# SHA256-based PTK derivation which will not work with the updated
+# OWE implementation on the AP side.
+#owe_ptk_workaround=0
+
+# Transition Disable indication
+# The AP can notify authenticated stations to disable transition mode
+# in their network profiles when the network has completed transition
+# steps, i.e., once sufficiently large number of APs in the ESS have
+# been updated to support the more secure alternative. When this
+# indication is used, the stations are expected to automatically
+# disable transition mode and less secure security options. This
+# includes use of WEP, TKIP (including use of TKIP as the group
+# cipher), and connections without PMF.
+# Bitmap bits:
+# bit 0 (0x01): WPA3-Personal (i.e., disable WPA2-Personal = WPA-PSK
+# and only allow SAE to be used)
+# bit 1 (0x02): SAE-PK (disable SAE without use of SAE-PK)
+# bit 2 (0x04): WPA3-Enterprise (move to requiring PMF)
+# bit 3 (0x08): Enhanced Open (disable use of open network; require
+# OWE)
+
+# SAE-PK mode
+# 0: automatic SAE/SAE-PK selection based on password; enable
+# transition mode (allow SAE authentication without SAE-PK)
+# 1: SAE-PK only (disable transition mode; allow SAE authentication
+# only with SAE-PK)
+# 2: disable SAE-PK (allow SAE authentication only without SAE-PK)
+#sae_pk=0
+
 # MAC address policy
 # 0 = use permanent MAC address
 # 1 = use random MAC address for each ESS connection
@@ -1510,6 +1660,16 @@ fast_reauth=1
 # Set to 1 to disable BSS transition management
 #disable_btm=0
 
+# Enable EDMG capability in STA/AP mode, default value is false
+#enable_edmg=1
+
+# This value is used to configure the channel bonding feature.
+# Default value is 0.
+# Relevant only if enable_edmg is true
+# In AP mode it defines the EDMG channel to use for AP operation.
+# In STA mode it defines the EDMG channel for connection (if supported by AP).
+#edmg_channel=9
+
 # Example blocks:
 
 # Simple case: WPA-PSK, PSK as an ASCII passphrase, allow all valid ciphers
@@ -1860,12 +2020,12 @@ network={
 key_mgmt=NONE
 }
 
-# Example configuration blacklisting two APs - these will be ignored
+# Example configuration ignoring two APs - these will be ignored
 # for this network.
 network={
 ssid="example"
 psk="very secret passphrase"
- bssid_blacklist=02:11:22:33:44:55 02:22:aa:44:55:66
+ bssid_ignore=02:11:22:33:44:55 02:22:aa:44:55:66
 }
 
 # Example configuration limiting AP selection to a specific set of APs;
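Review bot: The new Transition Disable block (hunk starting at -1398) documents a bitmap but, unlike every neighbouring block, never names the network-block parameter the bits belong to and gives no example line, so a reader cannot tell what to set or whether the value is written by the supplicant or by the operator. Suggest closing the block in the same shape as its neighbours — the parameter name followed by an example such as `#<parameter>=0` — with the name taken from the parser (presumably `transition_disable`; verify). A minor style point in the same hunk: the `owe_only` block mixes `0:` and `1 =` as its value delimiter, while every other new block uses one form throughout.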
@@ -1873,7 +2033,7 @@ network={
 network={
 ssid="example"
 psk="very secret passphrase"
- bssid_whitelist=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
+ bssid_accept=02:55:ae:bc:00:00/ff:ff:ff:ff:00:00 00:00:77:66:55:44/00:00:ff:ff:ff:ff
 }
 
 # Example config file that will only scan on channel 36.