The pathname of the directory in which wpa_supplicant(8) creates Unix domain socket files for communication with frontend programs such as wpa_cli(8).
A group name or group ID to use in setting protection on the control interface file. This can be set to allow non-root users to access the control interface files. If no group is specified, the group ID of the control interface is not modified and will, typically, be the group ID of the directory in which the socket is created.
The IEEE 802.1x/EAPOL protocol version to use; either 1 (default) or 2. The wpa_supplicant(8) utility is implemented according to IEEE 802-1X-REV-d8, which defines the EAPOL version to be 2. However, some access points do not work when presented with this version, so by default wpa_supplicant(8) will announce that it is using EAPOL version 1. If version 2 must be announced for correct operation with an access point, this value may be set to 2.
Access point scanning and selection control; one of 0, 1 (default), or 2. Only setting 1 should be used with the wlan(4) module; the other settings are for use on other operating systems.
EAP fast re-authentication; either 1 (default) or 0. Control fast re-authentication support in EAP methods that support it.
Network name (as announced by the access point). An ASCII or hex string enclosed in quotation marks.
SSID scan technique; 0 (default) or 1. Technique 0 scans for the SSID using a broadcast Probe Request frame while 1 uses a directed Probe Request frame. Access points that cloak themselves by not broadcasting their SSID require technique 1, but beware that this scheme can cause scanning to take longer to complete.
Network BSSID (typically the MAC address of the access point).
The priority of a network when selecting among multiple networks; a higher value means a network is more desirable. By default networks have priority 0. When multiple networks with the same priority are considered for selection, other information such as security policy and signal strength are used to select one.
IEEE 802.11 operation mode; either 0 (infrastructure, default) or 1 (IBSS). Note that IBSS (ad hoc) mode can only be used with key_mgmt set to NONE (plaintext and static WEP).
List of acceptable protocols; one or more of: WPA (IEEE 802.11i/D3.0) and RSN (IEEE 802.11i). WPA2 is another name for RSN. If not set this defaults to "WPA RSN".
List of acceptable key management protocols; one or more of: WPA-PSK (WPA pre-shared key), WPA-EAP (WPA using EAP authentication), IEEE8021X (IEEE 802.1x using EAP authentication and, optionally, dynamically generated WEP keys), NONE (plaintext or static WEP keys). If not set this defaults to "WPA-PSK WPA-EAP".
List of allowed IEEE 802.11 authentication algorithms; one or more of: OPEN (Open System authentication, required for WPA/WPA2), SHARED (Shared Key authentication), LEAP (LEAP/Network EAP). If not set automatic selection is used (Open System with LEAP enabled if LEAP is allowed as one of the EAP methods).
List of acceptable pairwise (unicast) ciphers for WPA; one or more of: CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0), TKIP (Temporal Key Integrity Protocol, IEEE 802.11i/D7.0), NONE (deprecated). If not set this defaults to "CCMP TKIP".
List of acceptable group (multicast) ciphers for WPA; one or more of: CCMP (AES in Counter mode with CBC-MAC, RFC 3610, IEEE 802.11i/D7.0), TKIP (Temporal Key Integrity Protocol, IEEE 802.11i/D7.0), WEP104 (WEP with 104-bit key), WEP40 (WEP with 40-bit key). If not set this defaults to "CCMP TKIP WEP104 WEP40".
WPA preshared key used in WPA-PSK mode. The key is specified as 64 hex digits or as an 8-63 character ASCII passphrase. ASCII passphrases are converted to a 256-bit key using the network SSID.
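The passphrase-to-key mapping mentioned above is PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 256-bit output (IEEE 802.11i Annex H.4); this added example, not part of the man page or of wpa_supplicant, derives that key, accepts a psk= value in either of the two forms described, and renders a network block carrying the hex PSK the way wpa_passphrase(8) does. The "password"/"IEEE" pair used in the test is the published Annex H.4 vector; the function names are this example's own.

```python
import hashlib
import re

# Parameters fixed by IEEE 802.11i Annex H.4 (not stated on the man page itself).
PBKDF2_ITERATIONS = 4096
PSK_LEN = 32  # 256-bit PSK


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Map an 8-63 character ASCII passphrase to the 256-bit PSK, salted with the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 ASCII characters")
    if not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("passphrase must be printable ASCII")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LEN)


def parse_psk_option(value: str, ssid: str) -> bytes:
    """Interpret a psk= value: 64 hex digits (raw PSK) or a quoted ASCII passphrase."""
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return derive_psk(value[1:-1], ssid)
    if re.fullmatch(r"[0-9a-fA-F]{64}", value):
        return bytes.fromhex(value)
    raise ValueError("psk must be 64 hex digits or a quoted 8-63 character passphrase")


def network_block(ssid: str, passphrase: str) -> str:
    """Render a network block storing the derived hex PSK rather than the passphrase.

    The hex PSK still grants network access, so the file it lands in must stay
    readable only by root; the only thing gained is that the human-chosen
    passphrase itself is not written to disk.
    """
    psk = derive_psk(passphrase, ssid)
    return ("network={\n"
            f'\tssid="{ssid}"\n'
            f"\tpsk={psk.hex()}\n"
            "}\n")


if __name__ == "__main__":
    print(network_block("IEEE", "password"))
```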
Dynamic WEP key usage for non-WPA mode, specified as a bit field. Bit 0 (1) forces dynamically generated unicast WEP keys to be used. Bit 1 (2) forces dynamically generated broadcast WEP keys to be used. By default this is set to 3 (use both).
List of acceptable EAP methods; one or more of: MD5 (EAP-MD5, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), MSCHAPV2 (EAP-MSCHAPV2, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), OTP (EAP-OTP, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), GTC (EAP-GTC, cannot be used with WPA; used only as a Phase 2 method with EAP-PEAP or EAP-TTLS), TLS (EAP-TLS, client and server certificate), PEAP (EAP-PEAP, with tunneled EAP authentication), TTLS (EAP-TTLS, with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication). If not set this defaults to all available methods compiled in to wpa_supplicant(8). Note that by default wpa_supplicant(8) is not compiled with EAP support; see make.conf(5) for the ENABLE_WPA_SUPPLICANT_EAPOL configuration variable.
Identity string for EAP.
Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunneled identities; e.g. EAP-TTLS).
Password string for EAP.
Pathname to CA certificate file. This file can have one or more trusted CA certificates. If ca_cert is not included, server certificates will not be verified (not recommended).
Pathname to client certificate file (PEM/DER).
Pathname to a client private key file (PEM/DER/PFX). When a PKCS#12/PFX file is used, client_cert should not be specified, as both the private key and the certificate will be read from the PKCS#12 file.
Password for any private key file.
Pathname to a file holding DH/DSA parameters (in PEM format). This file holds parameters for an ephemeral DH key exchange. In most cases, the default RSA authentication does not use this configuration. However, it is possible to set up RSA to use an ephemeral DH key exchange. In addition, ciphers with DSA keys always use ephemeral DH keys. This can be used to achieve forward secrecy. If the dh_file is in DSA parameters format, it will be automatically converted into DH params.
Substring to be matched against the subject of the authentication server certificate. If this string is set, the server certificate is only accepted if it contains this string in the subject. The subject string is in the following format:
Phase1 (outer authentication, i.e., TLS tunnel) parameters (string with field-value pairs, e.g., "peapver=0" or "peapver=1 peaplabel=1").
can be used to force which PEAP version (0 or 1) is used.
can be used to force new label, "client PEAP encryption", to be used during key derivation when PEAPv1 or newer. Most existing PEAPv1 implementations seem to be using the old label, "client EAP encryption", and wpa_supplicant(8) is now using that as the default value. Some servers, e.g., Radiator, may require peaplabel=1 configuration to interoperate with PEAPv1; see eap_testing.txt for more details.
can be used to terminate PEAP authentication on tunneled EAP-Success. This is required with some RADIUS servers that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g., Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
can be used to force wpa_supplicant(8) to include TLS Message Length field in all TLS messages even if they are not fragmented.
can be used to configure EAP-SIM to require three challenges (by default, it accepts 2 or 3).
option enables in-line provisioning of EAP-FAST credentials (PAC).
phase2: Phase2 (inner authentication with TLS tunnel) parameters (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS).
Like ca_cert but for EAP inner Phase 2.
Like client_cert but for EAP inner Phase 2.
Like private_key but for EAP inner Phase 2.
Like private_key_passwd but for EAP inner Phase 2.
Like dh_file but for EAP inner Phase 2.
Like subject_match but for EAP inner Phase 2.
16-byte pre-shared key in hex format for use with EAP-PSK.
User NAI for use with EAP-PSK.
Authentication Server NAI for use with EAP-PSK.
Pathname to the file to use for PAC entries with EAP-FAST. The wpa_supplicant(8) utility must be able to create this file and write updates to it when PAC is being provisioned or refreshed.
Enable/disable EAP workarounds for various interoperability issues with misbehaving authentication servers. By default these workarounds are enabled. Strict EAP conformance can be configured by setting this to 0.
WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series):
EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the unencrypted use. Real identity is sent only within an encrypted TLS tunnel.