.\" $NetBSD: hostapd.conf.5,v 1.1 2010/08/04 17:12:33 christos Exp $
.\"
.\" Copyright (c) 2006 Rui Paulo
.\" Copyright (c) 2005 Sam Leffler <sam@errno.com>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" Based on:
.\" $FreeBSD: src/usr.sbin/wpa/hostapd/hostapd.conf.5,v 1.2 2005/06/27 06:40:43 ru Exp $
.\"
.Dd August 4, 2006
.Dt HOSTAPD.CONF 5
.Os
.Sh NAME
.Nm hostapd.conf
.Nd configuration file for
.Xr hostapd 8
utility
.Sh DESCRIPTION
The
.Xr hostapd 8
utility
is an authenticator for IEEE 802.11 networks.
It provides full support for WPA/IEEE 802.11i and
can also act as an IEEE 802.1X Authenticator with a suitable
backend Authentication Server (typically
.Tn FreeRADIUS ) .
.Pp
The configuration file consists of global parameters and domain
specific configuration:
.Bl -bullet -offset indent -compact
.It
IEEE 802.1X-2004
.\" XXX not yet
.\" .It
.\" Integrated EAP server
.\" .It
.\" IEEE 802.11f - Inter-Access Point Protocol (IAPP)
.It
RADIUS client
.It
RADIUS authentication server
.It
WPA/IEEE 802.11i
.El
.Sh GLOBAL PARAMETERS
The following parameters are recognized:
.Bl -tag -width indent
.It Va interface
Interface name.
Should be set in
.Dq hostap
mode.
.It Va debug
Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
excessive.
.It Va dump_file
Dump file for state information (on SIGUSR1).
.It Va ctrl_interface
The pathname of the directory in which
.Xr hostapd 8
creates
.Ux
domain socket files for communication
with frontend programs such as
.Xr hostapd_cli 8 .
.It Va ctrl_interface_group
A group name or group ID to use in setting protection on the
control interface file.
This can be set to allow non-root users to access the
control interface files.
If no group is specified, the group ID of the control interface
is not modified and will, typically, be the
group ID of the directory in which the socket is created.
.El
.Sh IEEE 802.1X-2004 PARAMETERS
The following parameters are recognized:
.Bl -tag -width indent
.It Va ieee8021x
Require IEEE 802.1X authorization.
.It Va eap_message
Optional displayable message sent with EAP Request-Identity.
.It Va wep_key_len_broadcast
Key lengths for broadcast keys.
.It Va wep_key_len_unicast
Key lengths for unicast keys.
.It Va wep_rekey_period
Rekeying period in seconds.
.It Va eapol_key_index_workaround
EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
.It Va eap_reauth_period
EAP reauthentication period in seconds.
To disable reauthentication,
use
.Dq 0 .
.\" XXX not yet
.\" .It Va use_pae_group_addr
.El
.\" XXX not yet
.\" .Sh IEEE 802.11f - IAPP PARAMETERS
.\" The following parameters are recognized:
.\" .Bl -tag -width indent
.\" .It Va iapp_interface
.\" Interface to be used for IAPP broadcast packets
.\" .El
.Sh RADIUS CLIENT PARAMETERS
The following parameters are recognized:
.Bl -tag -width indent
.It Va own_ip_addr
The access point's own IP address (used as NAS-IP-Address).
.It Va nas_identifier
Optional NAS-Identifier string for RADIUS messages.
.It Va auth_server_addr , auth_server_port , auth_server_shared_secret
RADIUS authentication server parameters.
Can be defined twice for secondary servers to be used if the primary one
does not reply to RADIUS packets.
.It Va acct_server_addr , acct_server_port , acct_server_shared_secret
RADIUS accounting server parameters.
Can be defined twice for secondary servers to be used if the primary one
does not reply to RADIUS packets.
.It Va radius_retry_primary_interval
Retry interval for trying to return to the primary RADIUS server (in
seconds).
.It Va radius_acct_interim_interval
Interim accounting update interval.
If this is set (larger than 0) and acct_server is configured,
.Xr hostapd 8
will send interim accounting updates every N seconds.
.El
.Sh RADIUS AUTHENTICATION SERVER PARAMETERS
The following parameters are recognized:
.Bl -tag -width indent
.It Va radius_server_clients
File name of the RADIUS clients configuration for the RADIUS server.
If this is commented out, the RADIUS server is disabled.
.It Va radius_server_auth_port
The UDP port number for the RADIUS authentication server.
.It Va radius_server_ipv6
Use IPv6 with the RADIUS server.
.El
.Sh WPA/IEEE 802.11i PARAMETERS
The following parameters are recognized:
.Bl -tag -width indent
.It Va wpa
Enable WPA.
Setting this variable configures the AP to require WPA (either
WPA-PSK or WPA-RADIUS/EAP based on other configuration).
.It Va wpa_psk , wpa_passphrase
WPA pre-shared keys for WPA-PSK.
This can be entered either as a 256-bit secret in hex format (64 hex
digits) using
.Va wpa_psk ,
or as an ASCII passphrase (8..63 characters) using
.Va wpa_passphrase ,
which is converted to a PSK.
This conversion uses the SSID, so the PSK changes when an ASCII passphrase is
used and the SSID is changed.
.It Va wpa_psk_file
Optionally, WPA PSKs can be read from a separate text file containing a
list of (PSK, MAC address) pairs.
.It Va wpa_key_mgmt
Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both).
.It Va wpa_pairwise
Set of accepted cipher suites (encryption algorithms) for pairwise keys
(unicast packets).
See the example file for more information.
.It Va wpa_group_rekey
Time interval for rekeying GTK (broadcast/multicast encryption keys) in
seconds.
.It Va wpa_strict_rekey
Rekey GTK when any STA that possesses the current GTK is leaving the
BSS.
.It Va wpa_gmk_rekey
Time interval for rekeying GMK (master key used internally to generate GTKs)
in seconds.
.El
.Sh SEE ALSO
.Xr hostapd 8 ,
.Xr hostapd_cli 8 ,
.Pa /usr/share/examples/hostapd/hostapd.conf
.Sh HISTORY
The
.Nm
manual page and
.Xr hostapd 8
functionality first appeared in
.Nx 4.0 .
.Sh AUTHORS
This manual page is derived from the
.Pa README
and
.Pa hostapd.conf
files in the
.Nm hostapd
distribution provided by
.An Jouni Malinen Aq jkmaline@cc.hut.fi .
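.Sh EXAMPLES
The following Python code is an added example, not part of the hostapd distribution or of the original manual page: it checks wpa_psk and wpa_passphrase against the limits given under WPA/IEEE 802.11i PARAMETERS and derives the PSK with the IEEE 802.11i passphrase mapping (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations), which is why the PSK changes with the SSID.
The sample configuration is constructed; ssid is hostapd's SSID setting, which this page does not document; the function names and the choice to prefer wpa_psk when both keys are present are assumptions of this example.

```python
import hashlib
import re

# Constructed sample configuration (passphrase/SSID are the 802.11i test pair).
SAMPLE_CONF = """\
interface=wlan0
ssid=IEEE
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=password
"""

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {line!r}")
        conf[key.strip()] = value.strip()
    return conf

def derive_psk(passphrase, ssid):
    """IEEE 802.11i passphrase-to-PSK mapping:
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()

def effective_psk(conf):
    """Return the 64-hex-digit PSK implied by a parsed configuration."""
    # Preferring wpa_psk over wpa_passphrase is this example's choice.
    if "wpa_psk" in conf:
        psk = conf["wpa_psk"].lower()
        if not re.fullmatch(r"[0-9a-f]{64}", psk):
            raise ValueError("wpa_psk must be exactly 64 hex digits")
        return psk
    if "wpa_passphrase" in conf:
        return derive_psk(conf["wpa_passphrase"], conf["ssid"])
    raise ValueError("neither wpa_psk nor wpa_passphrase is set")

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("PSK for ssid=IEEE:      ", effective_psk(conf))
    conf["ssid"] = "IEEE-guest"
    print("PSK after SSID change:  ", effective_psk(conf))
```

Because the SSID is the only salt, a site that renames its network while keeping the passphrase must redistribute any PSKs that were stored in hex form.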