a399b7655a1d835aa8606c2b29e4e777baac8635zf#pragma ident "%Z%%M% %I% %E% SMI"
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWPA Supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf==============
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCopyright (c) 2003-2004, Jouni Malinen <jkmaline@cc.hut.fi>
a399b7655a1d835aa8606c2b29e4e777baac8635zfAll Rights Reserved.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfSun elects to license this software under the BSD license.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfLicense
a399b7655a1d835aa8606c2b29e4e777baac8635zf-------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfBSD license:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfRedistribution and use in source and binary forms, with or without
a399b7655a1d835aa8606c2b29e4e777baac8635zfmodification, are permitted provided that the following conditions are
a399b7655a1d835aa8606c2b29e4e777baac8635zfmet:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf1. Redistributions of source code must retain the above copyright
a399b7655a1d835aa8606c2b29e4e777baac8635zf notice, this list of conditions and the following disclaimer.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf2. Redistributions in binary form must reproduce the above copyright
a399b7655a1d835aa8606c2b29e4e777baac8635zf notice, this list of conditions and the following disclaimer in the
a399b7655a1d835aa8606c2b29e4e777baac8635zf documentation and/or other materials provided with the distribution.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf3. Neither the name(s) of the above-listed copyright holder(s) nor the
a399b7655a1d835aa8606c2b29e4e777baac8635zf names of its contributors may be used to endorse or promote products
a399b7655a1d835aa8606c2b29e4e777baac8635zf derived from this software without specific prior written permission.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
a399b7655a1d835aa8606c2b29e4e777baac8635zf"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
a399b7655a1d835aa8606c2b29e4e777baac8635zfLIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
a399b7655a1d835aa8606c2b29e4e777baac8635zfA PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
a399b7655a1d835aa8606c2b29e4e777baac8635zfOWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
a399b7655a1d835aa8606c2b29e4e777baac8635zfSPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
a399b7655a1d835aa8606c2b29e4e777baac8635zfLIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
a399b7655a1d835aa8606c2b29e4e777baac8635zfDATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
a399b7655a1d835aa8606c2b29e4e777baac8635zfTHEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
a399b7655a1d835aa8606c2b29e4e777baac8635zf(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
a399b7655a1d835aa8606c2b29e4e777baac8635zfOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfFeatures
a399b7655a1d835aa8606c2b29e4e777baac8635zf--------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfSupported WPA/IEEE 802.11i features:
a399b7655a1d835aa8606c2b29e4e777baac8635zf- WPA-PSK ("WPA-Personal")
a399b7655a1d835aa8606c2b29e4e777baac8635zf- WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise")
a399b7655a1d835aa8606c2b29e4e777baac8635zf The following authentication methods are supported with the integrated
a399b7655a1d835aa8606c2b29e4e777baac8635zf IEEE 802.1X Supplicant:
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-PEAP/TLS (both PEAPv0 and PEAPv1)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-PEAP/GTC (both PEAPv0 and PEAPv1)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-PEAP/OTP (both PEAPv0 and PEAPv1)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/EAP-MD5-Challenge
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/EAP-GTC
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/EAP-OTP
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/EAP-MSCHAPv2
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/EAP-TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/MSCHAPv2
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/MSCHAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/PAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-TTLS/CHAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-SIM
a399b7655a1d835aa8606c2b29e4e777baac8635zf * LEAP (note: only with WEP keys, i.e., not for WPA; in addition, LEAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf requires special support from the driver for IEEE 802.11
a399b7655a1d835aa8606c2b29e4e777baac8635zf authentication)
a399b7655a1d835aa8606c2b29e4e777baac8635zf (following methods are supported, but since they do not generate keying
a399b7655a1d835aa8606c2b29e4e777baac8635zf material, they cannot be used with WPA or IEEE 802.1X WEP keying)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-MD5-Challenge
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-MSCHAPv2
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-GTC
a399b7655a1d835aa8606c2b29e4e777baac8635zf * EAP-OTP
a399b7655a1d835aa8606c2b29e4e777baac8635zf Alternatively, an external program, e.g., Xsupplicant, can be used for EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf authentication.
a399b7655a1d835aa8606c2b29e4e777baac8635zf- key management for CCMP, TKIP, WEP104, WEP40
a399b7655a1d835aa8606c2b29e4e777baac8635zf- RSN/WPA2 (IEEE 802.11i)
a399b7655a1d835aa8606c2b29e4e777baac8635zf * pre-authentication
a399b7655a1d835aa8606c2b29e4e777baac8635zf * PMKSA caching
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfRequirements
a399b7655a1d835aa8606c2b29e4e777baac8635zf------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCurrent hardware/software requirements:
a399b7655a1d835aa8606c2b29e4e777baac8635zf- Linux kernel 2.4.x or 2.6.x
a399b7655a1d835aa8606c2b29e4e777baac8635zf- Linux Wireless Extensions v15 or newer
a399b7655a1d835aa8606c2b29e4e777baac8635zf- drivers:
a399b7655a1d835aa8606c2b29e4e777baac8635zf Host AP driver for Prism2/2.5/3 (development snapshot/v0.2.x)
a399b7655a1d835aa8606c2b29e4e777baac8635zf in Managed mode ('iwconfig wlan0 mode managed'). Please note that
a399b7655a1d835aa8606c2b29e4e777baac8635zf station firmware version needs to be 1.7.0 or newer to work in
a399b7655a1d835aa8606c2b29e4e777baac8635zf WPA mode.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf Linuxant DriverLoader (http://www.linuxant.com/driverloader/)
a399b7655a1d835aa8606c2b29e4e777baac8635zf with Windows NDIS driver for your wlan card supporting WPA.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf Agere Systems Inc. Linux Driver
a399b7655a1d835aa8606c2b29e4e777baac8635zf (http://www.agere.com/support/drivers/)
a399b7655a1d835aa8606c2b29e4e777baac8635zf Please note that the driver interface file (driver_hermes.c) and
a399b7655a1d835aa8606c2b29e4e777baac8635zf hardware specific include files are not included in the
a399b7655a1d835aa8606c2b29e4e777baac8635zf wpa_supplicant distribution. You will need to copy these from the
a399b7655a1d835aa8606c2b29e4e777baac8635zf source package of the Agere driver.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf madwifi driver for cards based on Atheros chip set (ar521x)
a399b7655a1d835aa8606c2b29e4e777baac8635zf (http://sourceforge.net/projects/madwifi/)
a399b7655a1d835aa8606c2b29e4e777baac8635zf Please note that you will need to modify the wpa_supplicant Makefile
a399b7655a1d835aa8606c2b29e4e777baac8635zf to use correct path for madwifi driver root directory
a399b7655a1d835aa8606c2b29e4e777baac8635zf (CFLAGS += -I../madwifi/wpa line in Makefile).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf ATMEL AT76C5XXx driver for USB and PCMCIA cards
a399b7655a1d835aa8606c2b29e4e777baac8635zf (http://atmelwlandriver.sourceforge.net/).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf Linux ndiswrapper (http://ndiswrapper.sourceforge.net/) with
a399b7655a1d835aa8606c2b29e4e777baac8635zf Windows NDIS driver.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf In theory, any driver that supports Linux wireless extensions can be
a399b7655a1d835aa8606c2b29e4e777baac8635zf used with IEEE 802.1X (i.e., not WPA) when using ap_scan=0 option in
a399b7655a1d835aa8606c2b29e4e777baac8635zf configuration file.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant was designed to be portable for different drivers and
a399b7655a1d835aa8606c2b29e4e777baac8635zfoperating systems. Hopefully, support for more wlan cards will be
a399b7655a1d835aa8606c2b29e4e777baac8635zfadded in the future. See developer.txt for more information about the
a399b7655a1d835aa8606c2b29e4e777baac8635zfdesign of wpa_supplicant and porting to other drivers. One main goal
a399b7655a1d835aa8606c2b29e4e777baac8635zfis to add full WPA/WPA2 support to Linux wireless extensions to allow
a399b7655a1d835aa8606c2b29e4e777baac8635zfnew drivers to be supported without having to implement new
a399b7655a1d835aa8606c2b29e4e777baac8635zfdriver-specific interface code in wpa_supplicant.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfOptional libraries for layer2 packet processing:
a399b7655a1d835aa8606c2b29e4e777baac8635zf- libpcap (tested with 0.7.2, most relatively recent versions assumed to work,
a399b7655a1d835aa8606c2b29e4e777baac8635zf this is likely to be available with most distributions,
a399b7655a1d835aa8606c2b29e4e777baac8635zf http://tcpdump.org/)
a399b7655a1d835aa8606c2b29e4e777baac8635zf- libdnet (tested with v1.4, most versions assumed to work,
a399b7655a1d835aa8606c2b29e4e777baac8635zf http://libdnet.sourceforge.net/)
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThese libraries are _not_ used in the default build. Instead, internal
a399b7655a1d835aa8606c2b29e4e777baac8635zfLinux specific implementation is used. libpcap/libdnet are more
a399b7655a1d835aa8606c2b29e4e777baac8635zfportable and they can be used by modifying Makefile (define
a399b7655a1d835aa8606c2b29e4e777baac8635zfUSE_DNET_PCAP and link with these libraries).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfOptional libraries for EAP-TLS, EAP-PEAP, and EAP-TTLS:
a399b7655a1d835aa8606c2b29e4e777baac8635zf- openssl (tested with 0.9.7c and 0.9.7d, assumed to work with most
a399b7655a1d835aa8606c2b29e4e777baac8635zf relatively recent versions; this is likely to be available with most
a399b7655a1d835aa8606c2b29e4e777baac8635zf distributions, http://www.openssl.org/). Since this library provides
a399b7655a1d835aa8606c2b29e4e777baac8635zf the TLS implementation that protects EAP-TLS/PEAP/TTLS credentials,
a399b7655a1d835aa8606c2b29e4e777baac8635zf build against a currently maintained and patched release rather than
a399b7655a1d835aa8606c2b29e4e777baac8635zf the exact versions listed above.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThis library is only needed when EAP-TLS, EAP-PEAP, or EAP-TTLS
a399b7655a1d835aa8606c2b29e4e777baac8635zfsupport is enabled. WPA-PSK mode does not require this or the EAPOL/EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zfimplementation. A configuration file, .config, for compilation is
a399b7655a1d835aa8606c2b29e4e777baac8635zfneeded to enable IEEE 802.1X/EAPOL and EAP methods. Note that EAP-MD5,
a399b7655a1d835aa8606c2b29e4e777baac8635zfEAP-GTC, EAP-OTP, and EAP-MSCHAPV2 cannot be used alone with WPA, so
a399b7655a1d835aa8606c2b29e4e777baac8635zfthey should only be enabled if testing the EAPOL/EAP state
a399b7655a1d835aa8606c2b29e4e777baac8635zfmachines. However, they can be used as inner authentication
a399b7655a1d835aa8606c2b29e4e777baac8635zfalgorithms with EAP-PEAP and EAP-TTLS. In that case the credentials
a399b7655a1d835aa8606c2b29e4e777baac8635zfexchanged by the inner method are protected only by the outer TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zftunnel, so the authentication server's certificate must be validated;
a399b7655a1d835aa8606c2b29e4e777baac8635zfotherwise a rogue AP/server can capture the inner exchange.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfSee Building and installing section below for more detailed
a399b7655a1d835aa8606c2b29e4e777baac8635zfinformation about the wpa_supplicant build time configuration.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWPA
a399b7655a1d835aa8606c2b29e4e777baac8635zf---
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe original security mechanism of IEEE 802.11 standard was not
a399b7655a1d835aa8606c2b29e4e777baac8635zfdesigned to be strong and has proved to be insufficient for most
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetworks that require some kind of security. Task group I (Security)
a399b7655a1d835aa8606c2b29e4e777baac8635zfof IEEE 802.11 working group (http://www.ieee802.org/11/) has worked
a399b7655a1d835aa8606c2b29e4e777baac8635zfto address the flaws of the base standard and has in practice
a399b7655a1d835aa8606c2b29e4e777baac8635zfcompleted its work in May 2004. The IEEE 802.11i amendment to the IEEE
a399b7655a1d835aa8606c2b29e4e777baac8635zf802.11 standard was approved in June 2004 and this amendment is likely
a399b7655a1d835aa8606c2b29e4e777baac8635zfto be published in July 2004.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWi-Fi Alliance (http://www.wi-fi.org/) used a draft version of the
a399b7655a1d835aa8606c2b29e4e777baac8635zfIEEE 802.11i work (draft 3.0) to define a subset of the security
a399b7655a1d835aa8606c2b29e4e777baac8635zfenhancements that can be implemented with existing wlan hardware. This
a399b7655a1d835aa8606c2b29e4e777baac8635zfis called Wi-Fi Protected Access<TM> (WPA). This has now become a
a399b7655a1d835aa8606c2b29e4e777baac8635zfmandatory component of interoperability testing and certification done
a399b7655a1d835aa8606c2b29e4e777baac8635zfby Wi-Fi Alliance. Wi-Fi provides information about WPA at its web
a399b7655a1d835aa8606c2b29e4e777baac8635zfsite (http://www.wi-fi.org/OpenSection/protected_access.asp).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe IEEE 802.11 standard defined the wired equivalent privacy (WEP)
a399b7655a1d835aa8606c2b29e4e777baac8635zfalgorithm for protecting wireless networks. WEP uses RC4 with 40-bit
a399b7655a1d835aa8606c2b29e4e777baac8635zf(or, in the common extension, 104-bit) keys, a 24-bit initialization
a399b7655a1d835aa8606c2b29e4e777baac8635zfvector (IV), and CRC32 to protect against packet forgery. All these
a399b7655a1d835aa8606c2b29e4e777baac8635zfchoices have proved to be insufficient: the key space is too small
a399b7655a1d835aa8606c2b29e4e777baac8635zfagainst current attacks, RC4 key scheduling is weak (the beginning of
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe pseudorandom stream should be skipped), the IV space is too small
a399b7655a1d835aa8606c2b29e4e777baac8635zfand IV reuse makes attacks easier, there is no replay protection, and
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe unkeyed CRC32 integrity check does not protect against bit
a399b7655a1d835aa8606c2b29e4e777baac8635zfflipping of packet data.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWPA is an intermediate solution for these security issues. It uses
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe temporal key integrity protocol (TKIP) to replace WEP. TKIP is a
a399b7655a1d835aa8606c2b29e4e777baac8635zfcompromise between strong security and the possibility to use existing
a399b7655a1d835aa8606c2b29e4e777baac8635zfhardware. It still uses RC4 for the encryption like WEP, but with
a399b7655a1d835aa8606c2b29e4e777baac8635zfper-packet RC4 keys. In addition, it implements replay protection and
a399b7655a1d835aa8606c2b29e4e777baac8635zfa keyed packet authentication mechanism (Michael MIC). TKIP should be
a399b7655a1d835aa8606c2b29e4e777baac8635zftreated as a transitional mechanism: where the hardware supports CCMP
a399b7655a1d835aa8606c2b29e4e777baac8635zf(see the IEEE 802.11i / WPA2 section below), CCMP should be preferred.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfKeys can be managed using two different mechanisms. WPA can either use
a399b7655a1d835aa8606c2b29e4e777baac8635zfan external authentication server (e.g., RADIUS) and EAP, as IEEE
a399b7655a1d835aa8606c2b29e4e777baac8635zf802.1X does, or pre-shared keys without the need for additional
a399b7655a1d835aa8606c2b29e4e777baac8635zfservers. Wi-Fi calls these "WPA-Enterprise" and "WPA-Personal",
a399b7655a1d835aa8606c2b29e4e777baac8635zfrespectively. Both mechanisms generate a master session key shared by
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe Authenticator (AP) and Supplicant (client station).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWPA implements a new key handshake (4-Way Handshake and Group Key
a399b7655a1d835aa8606c2b29e4e777baac8635zfHandshake) for generating and exchanging data encryption keys between
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe Authenticator and Supplicant. This handshake is also used to
a399b7655a1d835aa8606c2b29e4e777baac8635zfverify that both Authenticator and Supplicant know the master session
a399b7655a1d835aa8606c2b29e4e777baac8635zfkey. These handshakes are identical regardless of the selected key
a399b7655a1d835aa8606c2b29e4e777baac8635zfmanagement mechanism (only the method for generating master session
a399b7655a1d835aa8606c2b29e4e777baac8635zfkey changes).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfIEEE 802.11i / WPA2
a399b7655a1d835aa8606c2b29e4e777baac8635zf-------------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe design for the parts of IEEE 802.11i that were not included in WPA
a399b7655a1d835aa8606c2b29e4e777baac8635zfwas finished (May 2004) and this amendment to IEEE 802.11 was approved
a399b7655a1d835aa8606c2b29e4e777baac8635zfin June 2004. Wi-Fi Alliance is using the final IEEE 802.11i as a new
a399b7655a1d835aa8606c2b29e4e777baac8635zfversion of WPA called WPA2. This includes, e.g., support for a more
a399b7655a1d835aa8606c2b29e4e777baac8635zfrobust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC)
a399b7655a1d835aa8606c2b29e4e777baac8635zfto replace TKIP, and optimizations for handoff (reduced number of
a399b7655a1d835aa8606c2b29e4e777baac8635zfmessages in the initial key handshake, pre-authentication, key caching).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfSome wireless LAN vendors are already providing support for CCMP in
a399b7655a1d835aa8606c2b29e4e777baac8635zftheir WPA products. There is no "official" interoperability
a399b7655a1d835aa8606c2b29e4e777baac8635zfcertification for CCMP and/or mixed modes using both TKIP and CCMP, so
a399b7655a1d835aa8606c2b29e4e777baac8635zfsome interoperability issues can be expected even though many
a399b7655a1d835aa8606c2b29e4e777baac8635zfcombinations seem to be working with equipment from different vendors.
a399b7655a1d835aa8606c2b29e4e777baac8635zfCertification for WPA2 is likely to start during the second half of
a399b7655a1d835aa8606c2b29e4e777baac8635zf2004.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf--------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant is an implementation of the WPA Supplicant component,
a399b7655a1d835aa8606c2b29e4e777baac8635zfi.e., the part that runs in the client stations. It implements WPA key
a399b7655a1d835aa8606c2b29e4e777baac8635zfnegotiation with a WPA Authenticator and EAP authentication with
a399b7655a1d835aa8606c2b29e4e777baac8635zfAuthentication Server. In addition, it controls the roaming and IEEE
a399b7655a1d835aa8606c2b29e4e777baac8635zf802.11 authentication/association of the wlan driver.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant is designed to be a "daemon" program that runs in the
a399b7655a1d835aa8606c2b29e4e777baac8635zfbackground and acts as the backend component controlling the wireless
a399b7655a1d835aa8606c2b29e4e777baac8635zfconnection. wpa_supplicant supports separate frontend programs and an
a399b7655a1d835aa8606c2b29e4e777baac8635zfexample text-based frontend, wpa_cli, is included with wpa_supplicant.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfFollowing steps are used when associating with an AP using WPA:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf- wpa_supplicant requests the kernel driver to scan neighboring BSSes
a399b7655a1d835aa8606c2b29e4e777baac8635zf- wpa_supplicant selects a BSS based on its configuration
a399b7655a1d835aa8606c2b29e4e777baac8635zf- wpa_supplicant requests the kernel driver to associate with the chosen
a399b7655a1d835aa8606c2b29e4e777baac8635zf BSS
a399b7655a1d835aa8606c2b29e4e777baac8635zf- If WPA-EAP: integrated IEEE 802.1X Supplicant or external Xsupplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf completes EAP authentication with the authentication server (proxied
a399b7655a1d835aa8606c2b29e4e777baac8635zf by the Authenticator in the AP)
a399b7655a1d835aa8606c2b29e4e777baac8635zf- If WPA-EAP: master key is received from the IEEE 802.1X Supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf- If WPA-PSK: wpa_supplicant uses PSK as the master session key
a399b7655a1d835aa8606c2b29e4e777baac8635zf- wpa_supplicant completes WPA 4-Way Handshake and Group Key Handshake
a399b7655a1d835aa8606c2b29e4e777baac8635zf with the Authenticator (AP)
a399b7655a1d835aa8606c2b29e4e777baac8635zf- wpa_supplicant configures encryption keys for unicast and broadcast
a399b7655a1d835aa8606c2b29e4e777baac8635zf- normal data packets can be transmitted and received
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfBuilding and installing
a399b7655a1d835aa8606c2b29e4e777baac8635zf-----------------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfIn order to be able to build wpa_supplicant, you will first need to
a399b7655a1d835aa8606c2b29e4e777baac8635zfselect which parts of it will be included. This is done by creating a
a399b7655a1d835aa8606c2b29e4e777baac8635zfbuild time configuration file, .config, in the wpa_supplicant root
a399b7655a1d835aa8606c2b29e4e777baac8635zfdirectory. Configuration options are text lines using following
a399b7655a1d835aa8606c2b29e4e777baac8635zfformat: CONFIG_<option>=y. Lines starting with # are considered
a399b7655a1d835aa8606c2b29e4e777baac8635zfcomments and are ignored.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe build time configuration can be used to select only the needed
a399b7655a1d835aa8606c2b29e4e777baac8635zffeatures and limit the binary size and requirements for external
a399b7655a1d835aa8606c2b29e4e777baac8635zflibraries. The main configuration parts are the selection of which
a399b7655a1d835aa8606c2b29e4e777baac8635zfdriver interfaces (e.g., hostap, madwifi, ..) and which authentication
a399b7655a1d835aa8606c2b29e4e777baac8635zfmethods (e.g., EAP-TLS, EAP-PEAP, ..) are included.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfFollowing build time configuration options are used to control IEEE
a399b7655a1d835aa8606c2b29e4e777baac8635zf802.1X/EAPOL and EAP state machines and all EAP methods. Including
a399b7655a1d835aa8606c2b29e4e777baac8635zfTLS, PEAP, or TTLS will require linking wpa_supplicant with openssl
a399b7655a1d835aa8606c2b29e4e777baac8635zflibrary for TLS implementation.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_IEEE8021X_EAPOL=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_MD5=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_MSCHAPV2=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_TLS=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_PEAP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_TTLS=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_GTC=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_OTP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_SIM=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_LEAP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfFollowing option can be used to include GSM SIM/USIM interface for GSM
a399b7655a1d835aa8606c2b29e4e777baac8635zfauthentication algorithm (for EAP-SIM). This requires pcsc-lite
a399b7655a1d835aa8606c2b29e4e777baac8635zf(http://www.linuxnet.com/) for smart card access.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_PCSC=y
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe following options can be added to .config to select which driver
a399b7655a1d835aa8606c2b29e4e777baac8635zfinterfaces are included. The Prism54.org driver is not yet complete and
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe Hermes driver interface needs to be downloaded from Agere (see above).
a399b7655a1d835aa8606c2b29e4e777baac8635zfMost Linux drivers need CONFIG_WIRELESS_EXTENSION to be included as well.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_WIRELESS_EXTENSION=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_HOSTAP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_PRISM54=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_HERMES=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_MADWIFI=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_ATMEL=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_WEXT=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_NDISWRAPPER=y
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfFollowing example includes all features and driver interfaces that are
a399b7655a1d835aa8606c2b29e4e777baac8635zfincluded in the wpa_supplicant package:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_HOSTAP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_PRISM54=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_HERMES=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_MADWIFI=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_ATMEL=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_WEXT=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_DRIVER_NDISWRAPPER=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_WIRELESS_EXTENSION=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_IEEE8021X_EAPOL=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_MD5=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_MSCHAPV2=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_TLS=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_PEAP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_TTLS=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_GTC=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_OTP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_SIM=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_EAP_LEAP=y
a399b7655a1d835aa8606c2b29e4e777baac8635zfCONFIG_PCSC=y
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfEAP-PEAP and EAP-TTLS will automatically include configured EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zfmethods (MD5, OTP, GTC, MSCHAPV2) for inner authentication selection.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfAfter you have created a configuration file, you can build
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant and wpa_cli with 'make' command. You may then install
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe binaries to a suitable system directory, e.g., /usr/local/bin.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfExample commands:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf# build wpa_supplicant and wpa_cli
a399b7655a1d835aa8606c2b29e4e777baac8635zfmake
a399b7655a1d835aa8606c2b29e4e777baac8635zf# install binaries (this may need root privileges)
a399b7655a1d835aa8606c2b29e4e777baac8635zfcp wpa_cli wpa_supplicant /usr/local/bin
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfYou will need to make a configuration file, e.g.,
a399b7655a1d835aa8606c2b29e4e777baac8635zf/etc/wpa_supplicant.conf, with network configuration for the networks
a399b7655a1d835aa8606c2b29e4e777baac8635zfyou are going to use. Because this file holds the network credentials
a399b7655a1d835aa8606c2b29e4e777baac8635zf(WPA pre-shared keys and EAP passwords), it should be owned by root
a399b7655a1d835aa8606c2b29e4e777baac8635zfand not be readable by other users (e.g., mode 0600). The
a399b7655a1d835aa8606c2b29e4e777baac8635zfConfiguration file section below includes an explanation of the
a399b7655a1d835aa8606c2b29e4e777baac8635zfconfiguration file format and includes various examples. Once the
a399b7655a1d835aa8606c2b29e4e777baac8635zfconfiguration is ready, you can test whether the configuration works
a399b7655a1d835aa8606c2b29e4e777baac8635zfby first running wpa_supplicant with the following command to start it
a399b7655a1d835aa8606c2b29e4e777baac8635zfin the foreground with debugging enabled. Note that verbose debug
a399b7655a1d835aa8606c2b29e4e777baac8635zfoutput can reveal details of the authentication exchange, so do not
a399b7655a1d835aa8606c2b29e4e777baac8635zfleave it enabled, or redirect it into a world-readable log file, on a
a399b7655a1d835aa8606c2b29e4e777baac8635zfproduction system:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -d
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfAssuming everything goes fine, you can start using following command
a399b7655a1d835aa8606c2b29e4e777baac8635zfto start wpa_supplicant on background without debugging:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfPlease note that if you included more than one driver interface in the
a399b7655a1d835aa8606c2b29e4e777baac8635zfbuild time configuration (.config), you may need to specify which
a399b7655a1d835aa8606c2b29e4e777baac8635zfinterface to use by including -D<driver name> option on the command
a399b7655a1d835aa8606c2b29e4e777baac8635zfline. See following section for more details on command line options
a399b7655a1d835aa8606c2b29e4e777baac8635zffor wpa_supplicant.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCommand line options
a399b7655a1d835aa8606c2b29e4e777baac8635zf--------------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfusage:
a399b7655a1d835aa8606c2b29e4e777baac8635zf wpa_supplicant [-BddehLqqvw] -i<ifname> -c<config file> [-D<driver>]
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfoptions:
a399b7655a1d835aa8606c2b29e4e777baac8635zf -B = run daemon in the background
a399b7655a1d835aa8606c2b29e4e777baac8635zf -d = increase debugging verbosity (-dd even more)
a399b7655a1d835aa8606c2b29e4e777baac8635zf -e = use external IEEE 802.1X Supplicant (e.g., xsupplicant)
a399b7655a1d835aa8606c2b29e4e777baac8635zf (this disables the internal Supplicant)
a399b7655a1d835aa8606c2b29e4e777baac8635zf -h = show this help text
a399b7655a1d835aa8606c2b29e4e777baac8635zf -L = show license (GPL and BSD)
a399b7655a1d835aa8606c2b29e4e777baac8635zf -q = decrease debugging verbosity (-qq even less)
a399b7655a1d835aa8606c2b29e4e777baac8635zf -v = show version
a399b7655a1d835aa8606c2b29e4e777baac8635zf -w = wait for interface to be added, if needed
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfdrivers:
a399b7655a1d835aa8606c2b29e4e777baac8635zf hostap = Host AP driver (Intersil Prism2/2.5/3) [default]
a399b7655a1d835aa8606c2b29e4e777baac8635zf (this can also be used with Linuxant DriverLoader)
a399b7655a1d835aa8606c2b29e4e777baac8635zf prism54 = Prism54.org driver (Intersil Prism GT/Duette/Indigo)
a399b7655a1d835aa8606c2b29e4e777baac8635zf not yet fully implemented
a399b7655a1d835aa8606c2b29e4e777baac8635zf hermes = Agere Systems Inc. driver (Hermes-I/Hermes-II)
a399b7655a1d835aa8606c2b29e4e777baac8635zf madwifi = MADWIFI 802.11 support (Atheros, etc.)
a399b7655a1d835aa8606c2b29e4e777baac8635zf atmel = ATMEL AT76C5XXx (USB, PCMCIA)
a399b7655a1d835aa8606c2b29e4e777baac8635zf wext = Linux wireless extensions (generic)
a399b7655a1d835aa8606c2b29e4e777baac8635zf ndiswrapper = Linux ndiswrapper
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfIn most common cases, wpa_supplicant is started with
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant -Bw -c/etc/wpa_supplicant.conf -iwlan0
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThis makes the process fork into background and wait for the wlan0
a399b7655a1d835aa8606c2b29e4e777baac8635zfinterface if it is not available at startup time.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfConfiguration file
a399b7655a1d835aa8606c2b29e4e777baac8635zf------------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant is configured using a text file that lists all accepted
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetworks and security policies, including pre-shared keys. See the
a399b7655a1d835aa8606c2b29e4e777baac8635zfexample configuration file, wpa_supplicant.conf, for detailed
a399b7655a1d835aa8606c2b29e4e777baac8635zfinformation about the configuration format and supported fields.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfChanges to the configuration file can be reloaded by sending a SIGHUP
a399b7655a1d835aa8606c2b29e4e777baac8635zfsignal to wpa_supplicant ('killall -HUP wpa_supplicant'). Similarly,
a399b7655a1d835aa8606c2b29e4e777baac8635zfa reload can be triggered with the 'wpa_cli reconfigure' command.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe configuration file can include one or more network blocks, e.g.,
a399b7655a1d835aa8606c2b29e4e777baac8635zfone for each used SSID. wpa_supplicant will automatically select the
a399b7655a1d835aa8606c2b29e4e777baac8635zfbest network based on the order of network blocks in the configuration
a399b7655a1d835aa8606c2b29e4e777baac8635zffile, the network security level (WPA/WPA2 is preferred), and signal
a399b7655a1d835aa8606c2b29e4e777baac8635zfstrength.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfExample configuration files for some common configurations:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf1) WPA-Personal (PSK) as home network and WPA-Enterprise with EAP-TLS as work
a399b7655a1d835aa8606c2b29e4e777baac8635zf network
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface=/var/run/wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface_group=wheel
a399b7655a1d835aa8606c2b29e4e777baac8635zf#
a399b7655a1d835aa8606c2b29e4e777baac8635zf# home network; allow all valid ciphers
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="home"
a399b7655a1d835aa8606c2b29e4e777baac8635zf scan_ssid=1
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=WPA-PSK
a399b7655a1d835aa8606c2b29e4e777baac8635zf psk="very secret passphrase"
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf#
a399b7655a1d835aa8606c2b29e4e777baac8635zf# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="work"
a399b7655a1d835aa8606c2b29e4e777baac8635zf scan_ssid=1
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=WPA-EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf pairwise=CCMP TKIP
a399b7655a1d835aa8606c2b29e4e777baac8635zf group=CCMP TKIP
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap=TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity="user@example.com"
a399b7655a1d835aa8606c2b29e4e777baac8635zf ca_cert="/etc/cert/ca.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf client_cert="/etc/cert/user.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key="/etc/cert/user.prv"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key_passwd="password"
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf2) WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel
a399b7655a1d835aa8606c2b29e4e777baac8635zf (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series)
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface=/var/run/wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface_group=wheel
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="example"
a399b7655a1d835aa8606c2b29e4e777baac8635zf scan_ssid=1
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=WPA-EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap=PEAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity="user@example.com"
a399b7655a1d835aa8606c2b29e4e777baac8635zf password="foobar"
a399b7655a1d835aa8606c2b29e4e777baac8635zf ca_cert="/etc/cert/ca.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf phase1="peaplabel=0"
a399b7655a1d835aa8606c2b29e4e777baac8635zf phase2="auth=MSCHAPV2"
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf3) EAP-TTLS/EAP-MD5-Challenge configuration with an anonymous identity for
a399b7655a1d835aa8606c2b29e4e777baac8635zf the unencrypted phase. The real identity is sent only within an encrypted
a399b7655a1d835aa8606c2b29e4e777baac8635zf TLS tunnel.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface=/var/run/wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface_group=wheel
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="example"
a399b7655a1d835aa8606c2b29e4e777baac8635zf scan_ssid=1
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=WPA-EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap=TTLS
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity="user@example.com"
a399b7655a1d835aa8606c2b29e4e777baac8635zf anonymous_identity="anonymous@example.com"
a399b7655a1d835aa8606c2b29e4e777baac8635zf password="foobar"
a399b7655a1d835aa8606c2b29e4e777baac8635zf ca_cert="/etc/cert/ca.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf phase2="auth=MD5"
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf4) IEEE 802.1X (i.e., no WPA) with dynamic WEP keys (require both unicast and
a399b7655a1d835aa8606c2b29e4e777baac8635zf broadcast); use EAP-TLS for authentication
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface=/var/run/wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface_group=wheel
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="1x-test"
a399b7655a1d835aa8606c2b29e4e777baac8635zf scan_ssid=1
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=IEEE8021X
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap=TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity="user@example.com"
a399b7655a1d835aa8606c2b29e4e777baac8635zf ca_cert="/etc/cert/ca.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf client_cert="/etc/cert/user.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key="/etc/cert/user.prv"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key_passwd="password"
a399b7655a1d835aa8606c2b29e4e777baac8635zf eapol_flags=3
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf5) Catch-all example that allows more or less all configuration modes. The
a399b7655a1d835aa8606c2b29e4e777baac8635zf configuration options are used based on what security policy is used in the
a399b7655a1d835aa8606c2b29e4e777baac8635zf selected SSID. This is mostly for testing and is not recommended for normal
a399b7655a1d835aa8606c2b29e4e777baac8635zf use.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface=/var/run/wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfctrl_interface_group=wheel
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="example"
a399b7655a1d835aa8606c2b29e4e777baac8635zf scan_ssid=1
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
a399b7655a1d835aa8606c2b29e4e777baac8635zf pairwise=CCMP TKIP
a399b7655a1d835aa8606c2b29e4e777baac8635zf group=CCMP TKIP WEP104 WEP40
a399b7655a1d835aa8606c2b29e4e777baac8635zf psk="very secret passphrase"
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap=TTLS PEAP TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity="user@example.com"
a399b7655a1d835aa8606c2b29e4e777baac8635zf password="foobar"
a399b7655a1d835aa8606c2b29e4e777baac8635zf ca_cert="/etc/cert/ca.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf client_cert="/etc/cert/user.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key="/etc/cert/user.prv"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key_passwd="password"
a399b7655a1d835aa8606c2b29e4e777baac8635zf phase1="peaplabel=0"
a399b7655a1d835aa8606c2b29e4e777baac8635zf ca_cert2="/etc/cert/ca2.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf client_cert2="/etc/cert/user.pem"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key2="/etc/cert/user.prv"
a399b7655a1d835aa8606c2b29e4e777baac8635zf private_key2_passwd="password"
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCertificates
a399b7655a1d835aa8606c2b29e4e777baac8635zf------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfSome EAP authentication methods require the use of certificates. EAP-TLS
a399b7655a1d835aa8606c2b29e4e777baac8635zfuses both server-side and client certificates, whereas EAP-PEAP and
a399b7655a1d835aa8606c2b29e4e777baac8635zfEAP-TTLS only require the server-side certificate. When a client
a399b7655a1d835aa8606c2b29e4e777baac8635zfcertificate is used, a matching private key file also has to be
a399b7655a1d835aa8606c2b29e4e777baac8635zfincluded in the configuration. If the private key uses a passphrase, this
a399b7655a1d835aa8606c2b29e4e777baac8635zfhas to be configured in wpa_supplicant.conf ("private_key_passwd").
a399b7655a1d835aa8606c2b29e4e777baac8635zfSince this passphrase (like psk and password values) is stored in
a399b7655a1d835aa8606c2b29e4e777baac8635zfcleartext, the configuration file and the private key file should be
a399b7655a1d835aa8606c2b29e4e777baac8635zfreadable only by the user running wpa_supplicant.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant supports X.509 certificates in PEM and DER
a399b7655a1d835aa8606c2b29e4e777baac8635zfformats. The user certificate and private key can be included in the
a399b7655a1d835aa8606c2b29e4e777baac8635zfsame file.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfIf the user certificate and private key are received in PKCS#12/PFX
a399b7655a1d835aa8606c2b29e4e777baac8635zfformat, they need to be converted to a suitable PEM/DER format for
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant. This can be done, e.g., with the following commands:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf# convert client certificate and private key to PEM format
a399b7655a1d835aa8606c2b29e4e777baac8635zfopenssl pkcs12 -in example.pfx -out user.pem -clcerts
a399b7655a1d835aa8606c2b29e4e777baac8635zf# convert CA certificate (if included in PFX file) to PEM format
a399b7655a1d835aa8606c2b29e4e777baac8635zfopenssl pkcs12 -in example.pfx -out ca.pem -cacerts -nokeys
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_cli
a399b7655a1d835aa8606c2b29e4e777baac8635zf-------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_cli is a text-based frontend program for interacting with
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant. It is used to query current status, change
a399b7655a1d835aa8606c2b29e4e777baac8635zfconfiguration, trigger events, and request interactive user input.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_cli can show the current authentication status, selected security
a399b7655a1d835aa8606c2b29e4e777baac8635zfmode, dot11 and dot1x MIBs, etc. In addition, it can configure some
a399b7655a1d835aa8606c2b29e4e777baac8635zfvariables like EAPOL state machine parameters and trigger events like
a399b7655a1d835aa8606c2b29e4e777baac8635zfreassociation and IEEE 802.1X logoff/logon. wpa_cli provides a user
a399b7655a1d835aa8606c2b29e4e777baac8635zfinterface to request authentication information, like username and
a399b7655a1d835aa8606c2b29e4e777baac8635zfpassword, if these are not included in the configuration. This can be
a399b7655a1d835aa8606c2b29e4e777baac8635zfused to implement, e.g., one-time-passwords or generic token card
a399b7655a1d835aa8606c2b29e4e777baac8635zfauthentication where the authentication is based on a
a399b7655a1d835aa8606c2b29e4e777baac8635zfchallenge-response that uses an external device for generating the
a399b7655a1d835aa8606c2b29e4e777baac8635zfresponse.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe control interface of wpa_supplicant can be configured to allow
a399b7655a1d835aa8606c2b29e4e777baac8635zfnon-root user access (ctrl_interface_group in the configuration
a399b7655a1d835aa8606c2b29e4e777baac8635zffile). This makes it possible to run wpa_cli with a normal user
a399b7655a1d835aa8606c2b29e4e777baac8635zfaccount. Because wpa_cli can change the running configuration and
a399b7655a1d835aa8606c2b29e4e777baac8635zftrigger events, membership in that group should be limited to users
a399b7655a1d835aa8606c2b29e4e777baac8635zfwho are trusted to control the interface.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_cli supports two modes: interactive and command line. Both modes
a399b7655a1d835aa8606c2b29e4e777baac8635zfshare the same command set and the main difference is in interactive
a399b7655a1d835aa8606c2b29e4e777baac8635zfmode providing access to unsolicited messages (event messages,
a399b7655a1d835aa8606c2b29e4e777baac8635zfusername/password requests).
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfInteractive mode is started when wpa_cli is executed without including
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe command as a command line parameter. Commands are then entered on
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe wpa_cli prompt. In command line mode, the same commands are
a399b7655a1d835aa8606c2b29e4e777baac8635zfentered as command line arguments for wpa_cli.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfInteractive authentication parameters request
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWhen wpa_supplicant needs authentication parameters, like username and
a399b7655a1d835aa8606c2b29e4e777baac8635zfpassword, which are not present in the configuration file, it sends a
a399b7655a1d835aa8606c2b29e4e777baac8635zfrequest message to all attached frontend programs, e.g., wpa_cli in
a399b7655a1d835aa8606c2b29e4e777baac8635zfinteractive mode. wpa_cli shows these requests with a
a399b7655a1d835aa8606c2b29e4e777baac8635zf"CTRL-REQ-<type>-<id>:<text>" prefix. <type> is IDENTITY, PASSWORD, or
a399b7655a1d835aa8606c2b29e4e777baac8635zfOTP (one-time-password). <id> is a unique identifier for the current
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork. <text> is a description of the request. In case of an OTP
a399b7655a1d835aa8606c2b29e4e777baac8635zfrequest, it includes the challenge from the authentication server.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThe reply to these requests can be given with the 'identity',
a399b7655a1d835aa8606c2b29e4e777baac8635zf'password', and 'otp' commands. <id> needs to be copied from the
a399b7655a1d835aa8606c2b29e4e777baac8635zfmatching request. The 'password' and 'otp' commands can be used
a399b7655a1d835aa8606c2b29e4e777baac8635zfregardless of whether the request was for PASSWORD or OTP. The main
a399b7655a1d835aa8606c2b29e4e777baac8635zfdifference between these two commands is that values given with
a399b7655a1d835aa8606c2b29e4e777baac8635zf'password' are remembered as long as wpa_supplicant is running, whereas
a399b7655a1d835aa8606c2b29e4e777baac8635zfvalues given with 'otp' are used only once and then forgotten, i.e.,
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant will ask the frontend for a new value for every use.
a399b7655a1d835aa8606c2b29e4e777baac8635zfThis can be used to implement one-time-password lists and generic
a399b7655a1d835aa8606c2b29e4e777baac8635zftoken card-based authentication.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfExample request for password and a matching reply:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCTRL-REQ-PASSWORD-1:Password needed for SSID foobar
a399b7655a1d835aa8606c2b29e4e777baac8635zf> password 1 mysecretpassword
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfExample request for generic token card challenge-response:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
a399b7655a1d835aa8606c2b29e4e777baac8635zf> otp 2 9876
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_cli commands
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf status = get current WPA/EAPOL/EAP status
a399b7655a1d835aa8606c2b29e4e777baac8635zf mib = get MIB variables (dot1x, dot11)
a399b7655a1d835aa8606c2b29e4e777baac8635zf help = show this usage help
a399b7655a1d835aa8606c2b29e4e777baac8635zf interface [ifname] = show interfaces/select interface
a399b7655a1d835aa8606c2b29e4e777baac8635zf level <debug level> = change debug level
a399b7655a1d835aa8606c2b29e4e777baac8635zf license = show full wpa_cli license
a399b7655a1d835aa8606c2b29e4e777baac8635zf logoff = IEEE 802.1X EAPOL state machine logoff
a399b7655a1d835aa8606c2b29e4e777baac8635zf logon = IEEE 802.1X EAPOL state machine logon
a399b7655a1d835aa8606c2b29e4e777baac8635zf set = set variables (shows list of variables when run without arguments)
a399b7655a1d835aa8606c2b29e4e777baac8635zf pmksa = show PMKSA cache
a399b7655a1d835aa8606c2b29e4e777baac8635zf reassociate = force reassociation
a399b7655a1d835aa8606c2b29e4e777baac8635zf reconfigure = force wpa_supplicant to re-read its configuration file
a399b7655a1d835aa8606c2b29e4e777baac8635zf preauthenticate <BSSID> = force preauthentication
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity <network id> <identity> = configure identity for an SSID
a399b7655a1d835aa8606c2b29e4e777baac8635zf password <network id> <password> = configure password for an SSID
a399b7655a1d835aa8606c2b29e4e777baac8635zf otp <network id> <password> = configure one-time-password for an SSID
a399b7655a1d835aa8606c2b29e4e777baac8635zf quit = exit wpa_cli
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfIntegrating with pcmcia-cs/cardmgr scripts
a399b7655a1d835aa8606c2b29e4e777baac8635zf------------------------------------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant needs to be running when using a wireless network with
a399b7655a1d835aa8606c2b29e4e777baac8635zfWPA. It can be started either from system startup scripts or from
a399b7655a1d835aa8606c2b29e4e777baac8635zfpcmcia-cs/cardmgr scripts (when using PC Cards). The WPA handshake must
a399b7655a1d835aa8606c2b29e4e777baac8635zfbe completed before data frames can be exchanged, so wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfshould be started before the DHCP client.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfCommand line option '-w' can be used if wpa_supplicant is started
a399b7655a1d835aa8606c2b29e4e777baac8635zfbefore the wireless LAN interface is present (e.g., before inserting
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe PC Card) or is not yet up.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfFor example, the following small changes to the pcmcia-cs scripts can
a399b7655a1d835aa8606c2b29e4e777baac8635zfbe used to enable WPA support:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfAdd MODE="Managed" and WPA="y" to the network scheme in
a399b7655a1d835aa8606c2b29e4e777baac8635zf/etc/pcmcia/wireless.opts.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfAdd the following block to the end of 'start' action handler in
a399b7655a1d835aa8606c2b29e4e777baac8635zf/etc/pcmcia/wireless:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
a399b7655a1d835aa8606c2b29e4e777baac8635zf /usr/local/bin/wpa_supplicant -Bw -c/etc/wpa_supplicant.conf \
a399b7655a1d835aa8606c2b29e4e777baac8635zf -i$DEVICE
a399b7655a1d835aa8606c2b29e4e777baac8635zf fi
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfAdd the following block to the end of 'stop' action handler (may need
a399b7655a1d835aa8606c2b29e4e777baac8635zfto be separated from other actions) in /etc/pcmcia/wireless:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
a399b7655a1d835aa8606c2b29e4e777baac8635zf killall wpa_supplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf fi
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfThis will make cardmgr start wpa_supplicant when the card is plugged
a399b7655a1d835aa8606c2b29e4e777baac8635zfin. wpa_supplicant will wait until the interface is set up--either
a399b7655a1d835aa8606c2b29e4e777baac8635zfwhen a static IP address is configured or when DHCP client is
a399b7655a1d835aa8606c2b29e4e777baac8635zfstarted--and will then negotiate keys with the AP.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfOptional integration with Xsupplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf-------------------------------------
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant has an integrated IEEE 802.1X Supplicant that supports
a399b7655a1d835aa8606c2b29e4e777baac8635zfthe most commonly used EAP methods. In addition, wpa_supplicant has an
a399b7655a1d835aa8606c2b29e4e777baac8635zfexperimental interface for integrating it with Xsupplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zf(http://www.open1x.org/) for WPA with EAP authentication.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfXsupplicant needs to be modified to send the master session key to
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant after successful EAP authentication. The included patch
a399b7655a1d835aa8606c2b29e4e777baac8635zf(xsupplicant.patch) shows the changes needed. This was merged into
a399b7655a1d835aa8606c2b29e4e777baac8635zfxsupplicant CVS on February 6, 2004, so any snapshot after that should
a399b7655a1d835aa8606c2b29e4e777baac8635zfalready have the needed functionality included.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfWhen using WPA-EAP, both wpa_supplicant and Xsupplicant must be
a399b7655a1d835aa8606c2b29e4e777baac8635zfconfigured with the network security policy. See the Xsupplicant
a399b7655a1d835aa8606c2b29e4e777baac8635zfdocuments for information about its configuration. Please also note
a399b7655a1d835aa8606c2b29e4e777baac8635zfthat a new command line option -W (enable WPA; added by
a399b7655a1d835aa8606c2b29e4e777baac8635zfxsupplicant.patch) must be used when starting xsupplicant.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfExample configuration for xsupplicant:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork_list = all
a399b7655a1d835aa8606c2b29e4e777baac8635zfdefault_netname = jkm
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfjkm
a399b7655a1d835aa8606c2b29e4e777baac8635zf{
a399b7655a1d835aa8606c2b29e4e777baac8635zf type = wireless
a399b7655a1d835aa8606c2b29e4e777baac8635zf allow_types = eap_peap
a399b7655a1d835aa8606c2b29e4e777baac8635zf identity = <BEGIN_ID>jkm<END_ID>
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap-peap {
a399b7655a1d835aa8606c2b29e4e777baac8635zf random_file = /dev/urandom
a399b7655a1d835aa8606c2b29e4e777baac8635zf root_cert = /home/jkm/CA.pem
a399b7655a1d835aa8606c2b29e4e777baac8635zf chunk_size = 1398
a399b7655a1d835aa8606c2b29e4e777baac8635zf allow_types = eap_mschapv2
a399b7655a1d835aa8606c2b29e4e777baac8635zf eap-mschapv2 {
a399b7655a1d835aa8606c2b29e4e777baac8635zf username = <BEGIN_UNAME>jkm<END_UNAME>
a399b7655a1d835aa8606c2b29e4e777baac8635zf password = <BEGIN_PASS>jkm<END_PASS>
a399b7655a1d835aa8606c2b29e4e777baac8635zf }
a399b7655a1d835aa8606c2b29e4e777baac8635zf }
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfExample configuration for wpa_supplicant:
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfnetwork={
a399b7655a1d835aa8606c2b29e4e777baac8635zf ssid="jkm"
a399b7655a1d835aa8606c2b29e4e777baac8635zf key_mgmt=WPA-EAP
a399b7655a1d835aa8606c2b29e4e777baac8635zf}
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfBoth wpa_supplicant and xsupplicant need to be started. Please remember
a399b7655a1d835aa8606c2b29e4e777baac8635zfto add the '-W' option for xsupplicant in order to provide keying
a399b7655a1d835aa8606c2b29e4e777baac8635zfmaterial for wpa_supplicant and the '-e' option for wpa_supplicant to
a399b7655a1d835aa8606c2b29e4e777baac8635zfdisable the internal IEEE 802.1X implementation.
a399b7655a1d835aa8606c2b29e4e777baac8635zf
a399b7655a1d835aa8606c2b29e4e777baac8635zfwpa_supplicant -iwlan0 -cwpa_supplicant.conf -e
a399b7655a1d835aa8606c2b29e4e777baac8635zfxsupplicant -iwlan0 -cxsupplicant.conf -W