Diffstat (limited to 'contrib/wpa/hostapd/hostapd.conf')
-rw-r--r-- | contrib/wpa/hostapd/hostapd.conf | 381 |
1 files changed, 360 insertions, 21 deletions
diff --git a/contrib/wpa/hostapd/hostapd.conf b/contrib/wpa/hostapd/hostapd.conf index ce3ecdddf157..3c2019f73048 100644 --- a/contrib/wpa/hostapd/hostapd.conf +++ b/contrib/wpa/hostapd/hostapd.conf @@ -41,7 +41,6 @@ interface=wlan0 # bit 2 (4) = RADIUS # bit 3 (8) = WPA # bit 4 (16) = driver interface -# bit 5 (32) = IAPP # bit 6 (64) = MLME # # Levels (minimum value for logged events): @@ -73,7 +72,7 @@ ctrl_interface=/var/run/hostapd # run as non-root users. However, since the control interface can be used to # change the network configuration, this access needs to be protected in many # cases. By default, hostapd is configured to use gid 0 (root). If you -# want to allow non-root users to use the contron interface, add a new group +# want to allow non-root users to use the control interface, add a new group # and change this value to match with that group. Add users that should have # control interface access to this group. # @@ -147,7 +146,8 @@ ssid=test # Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), # g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used # with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this -# needs to be set to hw_mode=a. When using ACS (see channel parameter), a +# needs to be set to hw_mode=a. For IEEE 802.11ax (HE) on 6 GHz this needs +# to be set to hw_mode=a. When using ACS (see channel parameter), a # special value "any" can be used to indicate that any support band can be used. # This special case is currently supported only with drivers with which # offloaded ACS is used. 
@@ -164,8 +164,14 @@ hw_mode=g # which will enable the ACS survey based algorithm. channel=1 +# Global operating class (IEEE 802.11, Annex E, Table E-4) +# This option allows hostapd to specify the operating class of the channel +# configured with the channel parameter. channel and op_class together can +# uniquely identify channels across different bands, including the 6 GHz band. +#op_class=131 + # ACS tuning - Automatic Channel Selection -# See: http://wireless.kernel.org/en/users/Documentation/acs +# See: https://wireless.wiki.kernel.org/en/users/documentation/acs # # You can customize the ACS survey algorithm with following variables: # @@ -199,11 +205,30 @@ channel=1 #chanlist=100 104 108 112 116 #chanlist=1 6 11-13 +# Frequency list restriction. This option allows hostapd to select one of the +# provided frequencies when a frequency should be automatically selected. +# Frequency list can be provided as range using hyphen ('-') or individual +# frequencies can be specified by comma (',') separated values +# Default: all frequencies allowed in selected hw_mode +#freqlist=2437,5955,5975 +#freqlist=2437,5985-6105 + # Exclude DFS channels from ACS # This option can be used to exclude all DFS channels from the ACS channel list # in cases where the driver supports DFS channels. #acs_exclude_dfs=1 +# Include only preferred scan channels from 6 GHz band for ACS +# This option can be used to include only preferred scan channels in the 6 GHz +# band. This can be useful in particular for devices that operate only a 6 GHz +# BSS without a collocated 2.4/5 GHz BSS. +# Default behavior is to include all PSC and non-PSC channels. +#acs_exclude_6ghz_non_psc=1 + +# Set minimum permitted max TX power (in dBm) for ACS and DFS channel selection. +# (default 0, i.e., not constraint) +#min_tx_power=20 + # Beacon interval in kus (1.024 ms) (default: 100; range 15..65535) beacon_int=100 
@@ -258,6 +283,8 @@ fragm_threshold=-1 # beacon_rate=ht:<HT MCS> # VHT: # beacon_rate=vht:<VHT MCS> +# HE: +# beacon_rate=he:<HE MCS> # # For example, beacon_rate=10 for 1 Mbps or beacon_rate=60 for 6 Mbps (OFDM). #beacon_rate=10 @@ -550,6 +577,10 @@ wmm_ac_vo_acm=0 # Default: 1 (enabled) #broadcast_deauth=1 +# Get notifications for received Management frames on control interface +# Default: 0 (disabled) +#notify_mgmt_frames=0 + ##### IEEE 802.11n related configuration ###################################### # ieee80211n: Whether IEEE 802.11n (HT) is enabled @@ -559,6 +590,9 @@ wmm_ac_vo_acm=0 # Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band. #ieee80211n=1 +# disable_11n: Boolean (0/1) to disable HT for a specific BSS +#disable_11n=0 + # ht_capab: HT capabilities (list of flags) # LDPC coding capability: [LDPC] = supported # Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary @@ -577,8 +611,6 @@ wmm_ac_vo_acm=0 # channels if needed or creation of 40 MHz channel maybe rejected based # on overlapping BSSes. These changes are done automatically when hostapd # is setting up the 40 MHz channel. -# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] -# (SMPS disabled if neither is set) # HT-greenfield: [GF] (disabled if not set) # Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) # Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) @@ -613,6 +645,9 @@ wmm_ac_vo_acm=0 # Note: hw_mode=a is used to specify that 5 GHz band is used with VHT. #ieee80211ac=1 +# disable_11ac: Boolean (0/1) to disable VHT for a specific BSS +#disable_11ac=0 + # vht_capab: VHT capabilities (list of flags) # # vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] @@ -767,6 +802,9 @@ wmm_ac_vo_acm=0 # 1 = enabled #ieee80211ax=1 +# disable_11ax: Boolean (0/1) to disable HE for a specific BSS +#disable_11ax=0 + #he_su_beamformer: HE single user beamformer support # 0 = not supported (default) # 1 = supported 
@@ -785,6 +823,9 @@ wmm_ac_vo_acm=0 # he_bss_color: BSS color (1-63) #he_bss_color=1 +# he_bss_color_partial: BSS color AID equation +#he_bss_color_partial=0 + #he_default_pe_duration: The duration of PE field in an HE PPDU in us # Possible values are 0 us (default), 4 us, 8 us, 12 us, and 16 us #he_default_pe_duration=0 @@ -794,12 +835,32 @@ wmm_ac_vo_acm=0 # 1 = required #he_twt_required=0 +#he_twt_responder: Whether TWT (HE) responder is enabled +# 0 = disabled +# 1 = enabled if supported by the driver (default) +#he_twt_responder=1 + #he_rts_threshold: Duration of STA transmission # 0 = not set (default) # unsigned integer = duration in units of 16 us #he_rts_threshold=0 +#he_er_su_disable: Disable 242-tone HE ER SU PPDU reception by the AP +# 0 = enable reception (default) +# 1 = disable reception +#he_er_su_disable=0 + # HE operating channel information; see matching vht_* parameters for details. +# he_oper_centr_freq_seg0_idx field is used to indicate center frequency of 80 +# and 160 MHz bandwidth operation. In 80+80 MHz operation, it is the center +# frequency of the lower frequency segment. he_oper_centr_freq_seg1_idx field +# is used only with 80+80 MHz bandwidth operation and it is used to transmit +# the center frequency of the second segment. +# On the 6 GHz band the center freq calculation starts from 5.950 GHz offset. +# For example idx=3 would result in 5965 MHz center frequency. In addition, +# he_oper_chwidth is ignored, and the channel width is derived from the +# configured operating class or center frequency indexes (see +# IEEE P802.11ax/D6.1 Annex E, Table E-4). #he_oper_chwidth #he_oper_centr_freq_seg0_idx #he_oper_centr_freq_seg1_idx 
@@ -835,10 +896,82 @@ wmm_ac_vo_acm=0 #he_mu_edca_ac_vo_timer=255 # Spatial Reuse Parameter Set +# +# SR Control field value +# B0 = PSR Disallowed +# B1 = Non-SRG OBSS PD SR Disallowed +# B2 = Non-SRG Offset Present +# B3 = SRG Information Present +# B4 = HESIGA_Spatial_reuse_value15_allowed #he_spr_sr_control +# +# Non-SRG OBSS PD Max Offset (included if he_spr_sr_control B2=1) #he_spr_non_srg_obss_pd_max_offset + +# SRG OBSS PD Min Offset (included if he_spr_sr_control B3=1) #he_spr_srg_obss_pd_min_offset +# +# SRG OBSS PD Max Offset (included if he_spr_sr_control B3=1) #he_spr_srg_obss_pd_max_offset +# +# SPR SRG BSS Color (included if he_spr_sr_control B3=1) +# This config represents SRG BSS Color Bitmap field of Spatial Reuse Parameter +# Set element that indicates the BSS color values used by members of the +# SRG of which the transmitting STA is a member. The value is in range of 0-63. +#he_spr_srg_bss_colors=1 2 10 63 +# +# SPR SRG Partial BSSID (included if he_spr_sr_control B3=1) +# This config represents SRG Partial BSSID Bitmap field of Spatial Reuse +# Parameter Set element that indicates the Partial BSSID values used by members +# of the SRG of which the transmitting STA is a member. The value range +# corresponds to one of the 64 possible values of BSSID[39:44], where the lowest +# numbered bit corresponds to Partial BSSID value 0 and the highest numbered bit +# corresponds to Partial BSSID value 63. +#he_spr_srg_partial_bssid=0 1 3 63 +# +#he_6ghz_max_mpdu: Maximum MPDU Length of HE 6 GHz band capabilities. +# Indicates maximum MPDU length +# 0 = 3895 octets +# 1 = 7991 octets +# 2 = 11454 octets (default) +#he_6ghz_max_mpdu=2 +# +#he_6ghz_max_ampdu_len_exp: Maximum A-MPDU Length Exponent of HE 6 GHz band +# capabilities. Indicates the maximum length of A-MPDU pre-EOF padding that +# the STA can receive. This field is an integer in the range of 0 to 7. 
+# The length defined by this field is equal to +# 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets +# 0 = AMPDU length of 8k +# 1 = AMPDU length of 16k +# 2 = AMPDU length of 32k +# 3 = AMPDU length of 65k +# 4 = AMPDU length of 131k +# 5 = AMPDU length of 262k +# 6 = AMPDU length of 524k +# 7 = AMPDU length of 1048k (default) +#he_6ghz_max_ampdu_len_exp=7 +# +#he_6ghz_rx_ant_pat: Rx Antenna Pattern Consistency of HE 6 GHz capability. +# Indicates the possibility of Rx antenna pattern change +# 0 = Rx antenna pattern might change during the lifetime of an association +# 1 = Rx antenna pattern does not change during the lifetime of an association +# (default) +#he_6ghz_rx_ant_pat=1 +# +#he_6ghz_tx_ant_pat: Tx Antenna Pattern Consistency of HE 6 GHz capability. +# Indicates the possibility of Tx antenna pattern change +# 0 = Tx antenna pattern might change during the lifetime of an association +# 1 = Tx antenna pattern does not change during the lifetime of an association +# (default) +#he_6ghz_tx_ant_pat=1 + +# Unsolicited broadcast Probe Response transmission settings +# This is for the 6 GHz band only. If the interval is set to a non-zero value, +# the AP schedules unsolicited broadcast Probe Response frames to be +# transmitted for in-band discovery. Refer to +# IEEE P802.11ax/D8.0 26.17.2.3.2, AP behavior for fast passive scanning. +# Valid range: 0..20 TUs; default is 0 (disabled) +#unsol_bcast_probe_resp_interval=0 ##### IEEE 802.1X-2004 related configuration ################################## @@ -877,6 +1010,8 @@ eapol_key_index_workaround=0 # EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable # reauthentication). +# Note: Reauthentications may enforce a disconnection, check the related +# parameter wpa_deny_ptk0_rekey for details. #eap_reauth_period=3600 # Use PAE group address (01:80:c2:00:00:03) instead of individual target 
@@ -1012,7 +1147,7 @@ eap_server=0 #check_crl=1 # Specify whether to ignore certificate CRL validity time mismatches with -# errors X509_V_ERR_CERT_HAS_EXPIRED and X509_V_ERR_CERT_NOT_YET_VALID. +# errors X509_V_ERR_CRL_HAS_EXPIRED and X509_V_ERR_CRL_NOT_YET_VALID. # # 0 = ignore errors # 1 = do not ignore errors (default) @@ -1081,6 +1216,12 @@ eap_server=0 # [ENABLE-TLSv1.3] = enable TLSv1.3 (experimental - disabled by default) #tls_flags=[flag1][flag2]... +# Maximum number of EAP message rounds with data (default: 100) +#max_auth_rounds=100 + +# Maximum number of short EAP message rounds (default: 50) +#max_auth_rounds_short=50 + # Cached OCSP stapling response (DER encoded) # If set, this file is sent as a certificate status response by the EAP server # if the EAP peer requests certificate status in the ClientHello message. @@ -1167,7 +1308,7 @@ eap_server=0 # should be unique across all issuing servers. In theory, this is a variable # length field, but due to some existing implementations requiring A-ID to be # 16 octets in length, it is strongly recommended to use that length for the -# field to provid interoperability with deployed peer implementations. This +# field to provide interoperability with deployed peer implementations. This # field is configured in hex format. #eap_fast_a_id=101112131415161718191a1b1c1d1e1f @@ -1194,6 +1335,8 @@ eap_server=0 # EAP-TEAP authentication type # 0 = inner EAP (default) # 1 = Basic-Password-Auth +# 2 = Do not require Phase 2 authentication if client can be authenticated +# during Phase 1 #eap_teap_auth=0 # EAP-TEAP authentication behavior when using PAC 
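Review bot: The new value `2 =` under `eap_teap_auth` lets a client complete authentication without Phase 2, but the comment does not say what counts as being "authenticated during Phase 1". If that means a TLS client certificate (my reading; the hunk does not state it), this mode depends entirely on the certificate validation configured elsewhere in the file, such as `check_crl`. I would add one line under the new value, for example `# Note: with 2, access depends only on Phase 1 (TLS) client validation; see check_crl.`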
@@ -1201,6 +1344,20 @@ eap_server=0 # 1 = skip inner authentication (inner EAP/Basic-Password-Auth) #eap_teap_pac_no_inner=0 +# EAP-TEAP behavior with Result TLV +# 0 = include with Intermediate-Result TLV (default) +# 1 = send in a separate message (for testing purposes) +#eap_teap_separate_result=0 + +# EAP-TEAP identities +# 0 = allow any identity type (default) +# 1 = require user identity +# 2 = require machine identity +# 3 = request user identity; accept either user or machine identity +# 4 = request machine identity; accept either user or machine identity +# 5 = require both user and machine identity +#eap_teap_id=0 + # EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND # (default: 0 = disabled). #eap_sim_aka_result_ind=1 @@ -1223,11 +1380,6 @@ eap_server=0 # Whether to enable ERP on the EAP server. #eap_server_erp=1 -##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### - -# Interface to be used for IAPP broadcast packets -#iapp_interface=eth0 - ##### RADIUS client configuration ############################################# # for IEEE 802.1X with external Authentication Server, IEEE 802.11 @@ -1261,6 +1413,12 @@ own_ip_addr=127.0.0.1 # used, e.g., when the device has multiple IP addresses. #radius_client_addr=127.0.0.1 +# RADIUS client forced local interface. Helps run properly with VRF +# Default is none set which allows the network stack to pick the appropriate +# interface automatically. +# Example below binds to eth0 +#radius_client_dev=eth0 + # RADIUS authentication server #auth_server_addr=127.0.0.1 #auth_server_port=1812 
@@ -1466,6 +1624,17 @@ own_ip_addr=127.0.0.1 # wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK). #wpa=2 +# Extended Key ID support for Individually Addressed frames +# +# Extended Key ID allows to rekey PTK keys without the impacts the "normal" +# PTK rekeying with only a single Key ID 0 has. It can only be used when the +# driver supports it and RSN/WPA2 is used with a CCMP/GCMP pairwise cipher. +# +# 0 = force off, i.e., use only Key ID 0 (default) +# 1 = enable and use Extended Key ID support when possible +# 2 = identical to 1 but start with Key ID 1 when possible +#extended_key_id=0 + # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase # (8..63 characters) that will be converted to PSK. This conversion uses SSID 
@@ -1566,8 +1735,26 @@ own_ip_addr=127.0.0.1 # Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of # PTK to mitigate some attacks against TKIP deficiencies. +# Warning: PTK rekeying is buggy with many drivers/devices and with such +# devices, the only secure method to rekey the PTK without Extended Key ID +# support requires a disconnection. Check the related parameter +# wpa_deny_ptk0_rekey for details. #wpa_ptk_rekey=600 +# Workaround for PTK rekey issues +# +# PTK0 rekeys (rekeying the PTK without "Extended Key ID for Individually +# Addressed Frames") can degrade the security and stability with some cards. +# To avoid such issues hostapd can replace those PTK rekeys (including EAP +# reauthentications) with disconnects. +# +# Available options: +# 0 = always rekey when configured/instructed (default) +# 1 = only rekey when the local driver is explicitly indicating it can perform +# this operation without issues +# 2 = never allow PTK0 rekeys +#wpa_deny_ptk0_rekey=0 + # The number of times EAPOL-Key Message 1/4 and Message 3/4 in the RSN 4-Way # Handshake are retried per 4-Way Handshake attempt. # (dot11RSNAConfigPairwiseUpdateCount) @@ -1618,6 +1805,12 @@ own_ip_addr=127.0.0.1 # 1 = optional # 2 = required #ieee80211w=0 +# The most common configuration options for this based on the PMF (protected +# management frames) certification program are: +# PMF enabled: ieee80211w=1 and wpa_key_mgmt=WPA-EAP WPA-EAP-SHA256 +# PMF required: ieee80211w=2 and wpa_key_mgmt=WPA-EAP-SHA256 +# (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used) +# WPA3-Personal-only mode: ieee80211w=2 and wpa_key_mgmt=SAE # Group management cipher suite # Default: AES-128-CMAC (BIP) 
@@ -1630,6 +1823,13 @@ own_ip_addr=127.0.0.1 # available in deployed devices. #group_mgmt_cipher=AES-128-CMAC +# Beacon Protection (management frame protection for Beacon frames) +# This depends on management frame protection being enabled (ieee80211w != 0) +# and beacon protection support indication from the driver. +# 0 = disabled (default) +# 1 = enabled +#beacon_prot=0 + # Association SA Query maximum timeout (in TU = 1.024 ms; for MFP) # (maximum time to wait for a SA Query response) # dot11AssociationSAQueryMaximumTimeout, 1...4294967295 
@@ -1641,10 +1841,26 @@ own_ip_addr=127.0.0.1 #assoc_sa_query_retry_timeout=201 # ocv: Operating Channel Validation -# This is a countermeasure against multi-channel man-in-the-middle attacks. +# This is a countermeasure against multi-channel on-path attacks. +# Enabling this depends on the driver's support for OCV when the driver SME is +# used. If hostapd SME is used, this will be enabled just based on this +# configuration. # Enabling this automatically also enables ieee80211w, if not yet enabled. # 0 = disabled (default) # 1 = enabled +# 2 = enabled in workaround mode - Allow STA that claims OCV capability to +# connect even if the STA doesn't send OCI or negotiate PMF. This +# workaround is to improve interoperability with legacy STAs which are +# wrongly copying reserved bits of RSN capabilities from the AP's +# RSNE into (Re)Association Request frames. When this configuration is +# enabled, the AP considers STA is OCV capable only when the STA indicates +# MFP capability in (Re)Association Request frames and sends OCI in +# EAPOL-Key msg 2/4/FT Reassociation Request frame/FILS (Re)Association +# Request frame; otherwise, the AP disables OCV for the current connection +# with the STA. Enabling this workaround mode reduced OCV protection to +# some extend since it allows misbehavior to go through. As such, this +# should be enabled only if interoperability with misbehaving STAs is +# needed. #ocv=1 # disable_pmksa_caching: Disable PMKSA caching 
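Review bot: The description of `2 = enabled in workaround mode` under `ocv` leaves its security consequence to the final sentences and has wording slips there ("reduced OCV protection to some extend"). According to the text itself, a STA that claims OCV but does not send OCI ends up with OCV disabled for that connection, so for those stations mode 2 provides no channel validation. That should be stated plainly, for example `# Enabling this workaround mode reduces OCV protection to some extent since a STA that omits OCI is accepted without channel validation.`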
@@ -1676,7 +1892,7 @@ own_ip_addr=127.0.0.1 # be followed by optional peer MAC address (dot11RSNAConfigPasswordPeerMac) and # by optional password identifier (dot11RSNAConfigPasswordIdentifier). In # addition, an optional VLAN ID specification can be used to bind the station -# to the specified VLAN whenver the specific SAE password entry is used. +# to the specified VLAN whenever the specific SAE password entry is used. # # If the peer MAC address is not included or is set to the wildcard address # (ff:ff:ff:ff:ff:ff), the entry is available for any station to use. If a @@ -1691,7 +1907,8 @@ own_ip_addr=127.0.0.1 # special meaning of removing all previously added entries. # # sae_password uses the following encoding: -#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>][|id=<identifier>] +#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>] +#[|pk=<m:ECPrivateKey-base64>][|id=<identifier>] # Examples: #sae_password=secret #sae_password=really secret|mac=ff:ff:ff:ff:ff:ff @@ -1701,10 +1918,11 @@ own_ip_addr=127.0.0.1 # SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold) # This parameter defines how many open SAE instances can be in progress at the # same time before the anti-clogging mechanism is taken into use. -#sae_anti_clogging_threshold=5 +#sae_anti_clogging_threshold=5 (deprecated) +#anti_clogging_threshold=5 # Maximum number of SAE synchronization errors (dot11RSNASAESync) -# The offending SAe peer will be disconnected if more than this many +# The offending SAE peer will be disconnected if more than this many # synchronization errors happen. #sae_sync=5 
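Review bot: The extended `sae_password` encoding adds `[|pk=<m:ECPrivateKey-base64>]` without explaining what `m` is, and neither of the two examples visible in the hunk uses `pk=`. The change also means this file can now hold an EC private key alongside the passwords, which the comment does not mention. A short addition would cover both, for example `# pk: SAE-PK key as <m>:<base64 ECPrivateKey>; the file then contains private key material and should not be world-readable.` The meaning of `m` is not visible here, so the author needs to supply that part.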
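Review bot: `#sae_anti_clogging_threshold=5 (deprecated)` puts the deprecation marker on the value line, so anyone who uncomments it gets `5 (deprecated)` as the value text; how the parser treats the trailing text is not visible in this hunk. Keep the sample line clean and move the remark to its own comment, for example `# sae_anti_clogging_threshold is the deprecated name for anti_clogging_threshold`. The paragraph above still speaks only of "open SAE instances"; if the renamed option covers more than SAE (the rename suggests this, but the hunk does not say), that text should be updated as well.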
@@ -1729,6 +1947,23 @@ own_ip_addr=127.0.0.1 # MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1. #sae_require_mfp=0 +# SAE Confirm behavior +# By default, AP will send out only SAE Commit message in response to a received +# SAE Commit message. This parameter can be set to 1 to override that behavior +# to send both SAE Commit and SAE Confirm messages without waiting for the STA +# to send its SAE Confirm message first. +#sae_confirm_immediate=0 + +# SAE mechanism for PWE derivation +# 0 = hunting-and-pecking loop only (default without password identifier) +# 1 = hash-to-element only (default with password identifier) +# 2 = both hunting-and-pecking loop and hash-to-element enabled +# Note: The default value is likely to change from 0 to 2 once the new +# hash-to-element mechanism has received more interoperability testing. +# When using SAE password identifier, the hash-to-element mechanism is used +# regardless of the sae_pwe parameter value. +#sae_pwe=0 + # FILS Cache Identifier (16-bit value in hexdump format) #fils_cache_id=0011 
@@ -1753,6 +1988,19 @@ own_ip_addr=127.0.0.1 # http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10 #owe_groups=19 20 21 +# OWE PTK derivation workaround +# Initial OWE implementation used SHA256 when deriving the PTK for all OWE +# groups. This was supposed to change to SHA384 for group 20 and SHA512 for +# group 21. This parameter can be used to enable workaround for interoperability +# with stations that use SHA256 with groups 20 and 21. By default (0) only the +# appropriate hash function is accepted. When workaround is enabled (1), the +# appropriate hash function is tried first and if that fails, SHA256-based PTK +# derivation is attempted. This workaround can result in reduced security for +# groups 20 and 21, but is required for interoperability with older +# implementations. There is no impact to group 19 behavior. The workaround is +# disabled by default and can be enabled by uncommenting the following line. +#owe_ptk_workaround=1 + # OWE transition mode configuration # Pointer to the matching open/OWE BSS #owe_transition_bssid=<bssid> 
@@ -1790,6 +2038,45 @@ own_ip_addr=127.0.0.1 # default: 30 TUs (= 30.72 milliseconds) #fils_hlp_wait_time=30 +# FILS Discovery frame transmission minimum and maximum interval settings. +# If fils_discovery_max_interval is non-zero, the AP enables FILS Discovery +# frame transmission. These values use TUs as the unit and have allowed range +# of 0-10000. fils_discovery_min_interval defaults to 20. +#fils_discovery_min_interval=20 +#fils_discovery_max_interval=0 + +# Transition Disable indication +# The AP can notify authenticated stations to disable transition mode in their +# network profiles when the network has completed transition steps, i.e., once +# sufficiently large number of APs in the ESS have been updated to support the +# more secure alternative. When this indication is used, the stations are +# expected to automatically disable transition mode and less secure security +# options. This includes use of WEP, TKIP (including use of TKIP as the group +# cipher), and connections without PMF. +# Bitmap bits: +# bit 0 (0x01): WPA3-Personal (i.e., disable WPA2-Personal = WPA-PSK and only +# allow SAE to be used) +# bit 1 (0x02): SAE-PK (disable SAE without use of SAE-PK) +# bit 2 (0x04): WPA3-Enterprise (move to requiring PMF) +# bit 3 (0x08): Enhanced Open (disable use of open network; require OWE) +# (default: 0 = do not include Transition Disable KDE) +#transition_disable=0x01 + +# PASN ECDH groups +# PASN implementations are required to support group 19 (NIST P-256). If this +# parameter is not set, only group 19 is supported by default. This +# configuration parameter can be used to specify a limited set of allowed +# groups. 
The group values are listed in the IANA registry: +# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-10 +#pasn_groups=19 20 21 + +# PASN comeback after time in TUs +# In case the AP is temporarily unable to handle a PASN authentication exchange +# due to a too large number of parallel operations, this value indicates to the +# peer after how many TUs it can try the PASN exchange again. +# (default: 10 TUs) +#pasn_comeback_after=10 + ##### IEEE 802.11r configuration ############################################## # Mobility Domain identifier (dot11FTMobilityDomainID, MDID) @@ -1833,7 +2120,7 @@ own_ip_addr=127.0.0.1 # Wildcard entry: # Upon receiving a response from R0KH, it will be added to this list, so # subsequent requests won't be broadcast. If R0KH does not reply, it will be -# blacklisted. +# temporarily blocked (see rkh_neg_timeout). #r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff # List of R1KHs in the same Mobility Domain @@ -1889,7 +2176,7 @@ own_ip_addr=127.0.0.1 #ft_psk_generate_local=0 ##### Neighbor table ########################################################## -# Maximum number of entries kept in AP table (either for neigbor table or for +# Maximum number of entries kept in AP table (either for neighbor table or for # detecting Overlapping Legacy BSS Condition). The oldest entry will be # removed when adding a new entry that would make the list grow over this # limit. Note! WFA certification for IEEE 802.11g requires that OLBC is 
@@ -2143,6 +2430,13 @@ own_ip_addr=127.0.0.1 #wps_nfc_dh_privkey: Hexdump of DH Private Key #wps_nfc_dev_pw: Hexdump of Device Password +# Application Extension attribute for Beacon and Probe Response frames +# This parameter can be used to add application extension into WPS IE. The +# contents of this parameter starts with 16-octet (32 hexdump characters) of +# UUID to identify the specific application and that is followed by the actual +# application specific data. +#wps_application_ext=<hexdump> + ##### Wi-Fi Direct (P2P) ###################################################### # Enable P2P Device management @@ -2151,6 +2445,31 @@ own_ip_addr=127.0.0.1 # Allow cross connection #allow_cross_connection=1 +##### Device Provisioning Protocol (DPP) ###################################### + +# Name for Enrollee's DPP Configuration Request +#dpp_name=Test + +# MUD URL for Enrollee's DPP Configuration Request (optional) +#dpp_mud_url=https://example.com/mud + +#dpp_connector +#dpp_netaccesskey +#dpp_netaccesskey_expiry +#dpp_csign +#dpp_controller + +# Configurator Connectivity indication +# 0: no Configurator is currently connected (default) +# 1: advertise that a Configurator is available +#dpp_configurator_connectivity=0 + +# DPP PFS +# 0: allow PFS to be used or not used (default) +# 1: require PFS to be used (note: not compatible with DPP R1) +# 2: do not allow PFS to be used +#dpp_pfs=0 + #### TDLS (IEEE 802.11z-2010) ################################################# # Prohibit use of TDLS in this BSS @@ -2531,7 +2850,7 @@ own_ip_addr=127.0.0.1 # Default is 0 = OCE disabled #oce=0 -# RSSI-based assocition rejection +# RSSI-based association rejection # # Reject STA association if RSSI is below given threshold (in dBm) # Allowed range: -60 to -90 dBm; default = 0 (rejection disabled) 
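Review bot: In the new DPP section, `#dpp_connector`, `#dpp_netaccesskey`, `#dpp_netaccesskey_expiry`, `#dpp_csign` and `#dpp_controller` are listed with no description, value format or default, unlike the other options added in the same section. Judging by its name, `dpp_netaccesskey` holds key material (an inference; the hunk does not say), so the expected encoding and the need to protect the file should be stated. One comment line per option is enough, for example `# dpp_netaccesskey: <format>; private key, keep this file readable by root only`.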
@@ -2546,6 +2865,10 @@ own_ip_addr=127.0.0.1 # threshold (range: 0..255, default=30). #rssi_reject_assoc_timeout=30 +# Ignore Probe Request frames if RSSI is below given threshold (in dBm) +# Allowed range: -60 to -90 dBm; default = 0 (rejection disabled) +#rssi_ignore_probe_request=-75 + ##### Fast Session Transfer (FST) support ##################################### # # The options in this section are only available when the build configuration @@ -2602,6 +2925,9 @@ own_ip_addr=127.0.0.1 # that allows sending of such data. Default: 0. #stationary_ap=0 +# Enable reduced neighbor reporting (RNR) +#rnr=0 + ##### Airtime policy configuration ########################################### # Set the airtime policy operating mode: @@ -2638,6 +2964,19 @@ own_ip_addr=127.0.0.1 # airtime. #airtime_bss_limit=1 +##### EDMG support ############################################################ +# +# Enable EDMG capability for AP mode in the 60 GHz band. Default value is false. +# To configure channel bonding for an EDMG AP use edmg_channel below. +# If enable_edmg is set and edmg_channel is not set, EDMG CB1 will be +# configured. +#enable_edmg=1 +# +# Configure channel bonding for AP mode in the 60 GHz band. +# This parameter is relevant only if enable_edmg is set. +# Default value is 0 (no channel bonding). +#edmg_channel=9 + ##### TESTING OPTIONS ######################################################### # # The options in this section are only available when the build configuration |