.\" This manpage has been automatically generated by docbook2man
.\" from a DocBook document. This tool can be found at:
.\" <http://shell.ipoline.com/~elmert/comp/docbook2X/>
.\" Please send any bug reports, improvements, comments, patches,
.\" etc. to Steve Cheng <steve@ggi-project.org>.
.TH "WPA_SUPPLICANT.CONF" "5" "22 February 2008" "" ""

wpa_supplicant.conf \- configuration file for wpa_supplicant

\fBwpa_supplicant\fR is configured using a text
file that lists all accepted networks and security policies,
including pre-shared keys. See the example configuration file,
probably in \fB/usr/share/doc/wpa_supplicant/\fR, for
detailed information about the configuration format and supported

All file paths in this configuration file should use full
(absolute, not relative to working directory) path in order to allow
working directory to be changed. This can happen if wpa_supplicant is
run in the background.

Changes to the configuration file can be reloaded by sending
a SIGHUP signal to \fBwpa_supplicant\fR ('killall -HUP
wpa_supplicant'). Similarly, reloading can be triggered with
the 'wpa_cli reconfigure' command.

Configuration file can include one or more network blocks,
e.g., one for each used SSID. wpa_supplicant will automatically
select the best network based on the order of network blocks in
the configuration file, network security level (WPA/WPA2 is
preferred), and signal strength.

WPA-Personal (PSK) as home network and WPA-Enterprise with
EAP-TLS as work network.

# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
# home network; allow all valid ciphers
psk="very secret passphrase"
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"

WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that
use old peaplabel (e.g., Funk Odyssey and SBR, Meetinghouse
Aegis, Interlink RAD-Series)

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
phase2="auth=MSCHAPV2"

EAP-TTLS/EAP-MD5-Challenge configuration with anonymous
identity for the unencrypted use. Real identity is sent only
within an encrypted TLS tunnel.

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
identity="user@example.com"
anonymous_identity="anonymous@example.com"
ca_cert="/etc/cert/ca.pem"

IEEE 802.1X (i.e., no WPA) with dynamic WEP keys
(require both unicast and broadcast); use EAP-TLS for

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"

Catch all example that allows more or less all
configuration modes. The configuration options are used based
on what security policy is used in the selected SSID. This is
mostly for testing and is not recommended for normal

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
group=CCMP TKIP WEP104 WEP40
psk="very secret passphrase"
identity="user@example.com"
ca_cert="/etc/cert/ca.pem"
client_cert="/etc/cert/user.pem"
private_key="/etc/cert/user.prv"
private_key_passwd="password"
ca_cert2="/etc/cert/ca2.pem"
client_cert2="/etc/cer/user.pem"
private_key2="/etc/cer/user.prv"
private_key2_passwd="password"
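
An added example, not part of the original manual page or of wpa_supplicant: a Python check that parses the network blocks of a configuration and reports the permissive settings the catch-all example enables (key_mgmt including NONE, WEP group ciphers), plus EAP blocks that name no CA certificate. The sample input is constructed, the function names are this example's own, and the network={ } block syntax, the ca_path field and the key_mgmt default are assumptions taken from wpa_supplicant's configuration format rather than from the text above.

```python
# Constructed sample in wpa_supplicant.conf syntax; not from a real system.
SAMPLE = """
network={
    ssid="home"
    key_mgmt=WPA-PSK
    psk="very secret passphrase"
}
network={
    ssid="work"
    key_mgmt=WPA-EAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="test"
    key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
    group=CCMP TKIP WEP104 WEP40
    ca_cert="/etc/cert/ca.pem"
}
"""

def parse_networks(text):
    """Return one {field: value} dict per network={ ... } block."""
    networks, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks

def audit(text):
    """Return (ssid, finding) pairs for settings that weaken a network block."""
    findings = []
    for net in parse_networks(text):
        ssid = net.get("ssid", "<no ssid>")
        # Assumption: an absent key_mgmt means the default "WPA-PSK WPA-EAP".
        key_mgmt = set(net.get("key_mgmt", "WPA-PSK WPA-EAP").split())
        if "NONE" in key_mgmt:
            findings.append((ssid, "key_mgmt accepts NONE (no WPA)"))
        # Only an explicit group= list is inspected here.
        if set(net.get("group", "").split()) & {"WEP40", "WEP104"}:
            findings.append((ssid, "group accepts WEP ciphers"))
        if key_mgmt & {"WPA-EAP", "IEEE8021X"} and not ("ca_cert" in net or "ca_path" in net):
            findings.append((ssid, "EAP without ca_cert: server certificate is not verified"))
    return findings
```

To check a real file, pass its contents to audit() from an account that is allowed to read it; the result is a list of (ssid, finding) pairs, empty when nothing is flagged.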

Authentication for wired Ethernet. This can be used with
'wired' interface (-Dwired on command line).

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel

Some EAP authentication methods require use of
certificates. EAP-TLS uses both server side and client
certificates whereas EAP-PEAP and EAP-TTLS only require the server
side certificate. When client certificate is used, a matching
private key file has to also be included in configuration. If the
private key uses a passphrase, this has to be configured in
wpa_supplicant.conf ("private_key_passwd").

wpa_supplicant supports X.509 certificates in PEM and DER
formats. User certificate and private key can be included in the

If the user certificate and private key are received in
PKCS#12/PFX format, they need to be converted to suitable PEM/DER
format for wpa_supplicant. This can be done, e.g., with following

# convert client certificate and private key to PEM format
openssl pkcs12 -in example.pfx -out user.pem -clcerts
# convert CA certificate (if included in PFX file) to PEM format
openssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys

\fBwpa_supplicant\fR(8)