# $NetBSD: hostapd.conf,v 1.1 2006/04/30 13:52:35 rpaulo Exp $
#
# hostapd example configuration file (adapted for NetBSD)
#
# Empty lines and lines starting with # are ignored

# Interface name. Should be set in ``hostap'' mode.
interface=if0

# hostapd event logger configuration
#
# Two output methods: syslog and stdout (only usable if not forking to
# background).
#
# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
# modules):
# bit 0 (1) = IEEE 802.11
# bit 1 (2) = IEEE 802.1X
# bit 2 (4) = RADIUS
# bit 3 (8) = WPA
# bit 4 (16) = driver interface
# bit 5 (32) = IAPP
#
# Levels (minimum value for logged events):
# 0 = verbose debugging
# 1 = debugging
# 2 = informational messages
# 3 = notification
# 4 = warning
#
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

# Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive
debug=0

# Dump file for state information (on SIGUSR1)
dump_file=/tmp/hostapd.dump

# Interface for separate control program. If this is specified, hostapd
# will create this directory and a UNIX domain socket for listening to requests
# from external programs (CLI/GUI, etc.) for status information and
# configuration. The socket file will be named based on the interface name, so
# multiple hostapd processes/interfaces can be run at the same time if more
# than one interface is used.
# /var/run/hostapd is the recommended directory for sockets and by default,
# hostapd_cli will use it when trying to connect with hostapd.
ctrl_interface=/var/run/hostapd

# Access control for the control interface can be configured by setting the
# directory to allow only members of a group to use sockets. This way, it is
# possible to run hostapd as root (since it needs to change network
# configuration and open raw sockets) and still allow GUI/CLI components to be
# run as non-root users.
# However, since the control interface can be used to
# change the network configuration, this access needs to be protected in many
# cases. By default, hostapd is configured to use gid 0 (root). If you
# want to allow non-root users to use the control interface, add a new group
# and change this value to match that group. Add users that should have
# control interface access to this group.
#
# This variable can be a group name or gid.
ctrl_interface_group=wheel


##### IEEE 802.11 related configuration #######################################

# SSID to be used in IEEE 802.11 management frames
ssid=NetBSD

# Station MAC address-based authentication
# 0 = accept unless in deny list
# 1 = deny unless in accept list
# 2 = use external RADIUS server (accept/deny lists are searched first)
macaddr_acl=0

# Accept/deny lists are read from separate files (containing a list of
# MAC addresses, one per line). Use absolute path names to make sure that the
# files can be read on SIGHUP configuration reloads.
#accept_mac_file=/etc/hostapd.accept
#deny_mac_file=/etc/hostapd.deny

# IEEE 802.11 specifies two authentication algorithms. hostapd can be
# configured to allow both of these or only one. Open system authentication
# should be used with IEEE 802.1X.
# Bit fields of allowed authentication algorithms:
# bit 0 = Open System Authentication
# bit 1 = Shared Key Authentication (requires WEP)
auth_algs=3

# Associate as a station to another AP while still acting as an AP on the same
# channel.
#assoc_ap_addr=00:12:34:56:78:9a


##### IEEE 802.1X-2004 related configuration ##################################

# Require IEEE 802.1X authorization
#ieee8021x=1

# Optional displayable message sent with EAP Request-Identity. The first \0
# in this string will be converted to ASCII-0 (nul).
# This can be used to
# separate network info (comma separated list of attribute=value pairs); see,
# e.g., draft-adrangi-eap-network-discovery-07.txt.
#eap_message=hello
#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com

# WEP rekeying (disabled if key lengths are not set or are set to 0)
# Key lengths for default/broadcast and individual/unicast keys:
# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits)
# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits)
#wep_key_len_broadcast=5
#wep_key_len_unicast=5
# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once)
#wep_rekey_period=300

# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if
# only broadcast keys are used)
#eapol_key_index_workaround=0

# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable
# reauthentication).
#eap_reauth_period=3600

# Use PAE group address (01:80:c2:00:00:03) instead of individual target
# address when sending EAPOL frames with driver=wired. This is the most common
# mechanism used in wired authentication, but it also requires that the port
# is only used by one station.
#use_pae_group_addr=1

##### Integrated EAP server ###################################################

# Optionally, hostapd can be configured to use an integrated EAP server
# to process EAP authentication locally without the need for an external
# RADIUS server. This functionality can be used both as a local authentication
# server for IEEE 802.1X/EAPOL and as a RADIUS server for other devices.

# Use integrated EAP server instead of external RADIUS authentication
# server. This is also needed if hostapd is configured to act as a RADIUS
# authentication server.
#eap_server=0

# Path for EAP server user database
#eap_user_file=/etc/hostapd.eap_user

# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#ca_cert=/etc/hostapd.ca.pem

# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS
#server_cert=/etc/hostapd.server.pem

# Private key matching the server certificate for EAP-TLS/PEAP/TTLS
# This may point to the same file as server_cert if both certificate and key
# are included in a single file. A PKCS#12 (PFX) file (.p12/.pfx) can also be
# used by commenting out server_cert and specifying the PFX file as the
# private_key.
#private_key=/etc/hostapd.server.prv

# Passphrase for private key
#private_key_passwd=secret passphrase

# Enable CRL verification.
# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a
# valid CRL signed by the CA is required to be included in the ca_cert file.
# This can be done by using PEM format for CA certificate and CRL and
# concatenating these into one file. Whenever the CRL changes, hostapd needs to
# be restarted to take the new CRL into use.
# 0 = do not verify CRLs (default)
# 1 = check the CRL of the user certificate
# 2 = check all CRLs in the certificate path
#check_crl=1

# Configuration data for EAP-SIM database/authentication gateway interface.
# This is a text string in implementation specific format. The example
# implementation in eap_sim_db.c uses this as the file name for the GSM
# authentication triplets.
#eap_sim_db=/etc/hostapd.sim_db


##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################

# Interface to be used for IAPP broadcast packets
#iapp_interface=if1


##### RADIUS client configuration #############################################
# for IEEE 802.1X with external Authentication Server, IEEE 802.11
# authentication with external ACL for MAC addresses, and accounting

# The access point's own IP address (used as NAS-IP-Address)
#own_ip_addr=127.0.0.1

# Optional NAS-Identifier string for RADIUS messages. When used, this should be
# unique to the NAS within the scope of the RADIUS server. For example, a
# fully qualified domain name can be used here.
#nas_identifier=ap.example.com

# RADIUS authentication server
#auth_server_addr=127.0.0.1
#auth_server_port=1812
#auth_server_shared_secret=secret

# RADIUS accounting server
#acct_server_addr=127.0.0.1
#acct_server_port=1813
#acct_server_shared_secret=secret

# Secondary RADIUS servers; to be used if the primary one does not reply to
# RADIUS packets. These are optional and there can be more than one secondary
# server listed.
#auth_server_addr=127.0.0.2
#auth_server_port=1812
#auth_server_shared_secret=secret2
#
#acct_server_addr=127.0.0.2
#acct_server_port=1813
#acct_server_shared_secret=secret2

# Retry interval for trying to return to the primary RADIUS server (in
# seconds). RADIUS client code will automatically try to use the next server
# when the current server is not replying to requests. If this interval is set,
# the primary server will be retried after the configured amount of time even
# if the currently used secondary server is still working.
#radius_retry_primary_interval=600


# Interim accounting update interval
# If this is set (larger than 0) and acct_server is configured, hostapd will
# send interim accounting updates every N seconds. Note: if set, this overrides
# a possible Acct-Interim-Interval attribute in the Access-Accept message. Thus,
# this value should not be configured in hostapd.conf if the RADIUS server is
# used to control the interim interval.
# This value should not be less than 600 (10 minutes) and must not be less than
# 60 (1 minute).
#radius_acct_interim_interval=600


##### RADIUS authentication server configuration ##############################

# hostapd can be used as a RADIUS authentication server for other hosts. This
# requires that the integrated EAP authenticator is also enabled and both
# authentication services are sharing the same configuration.

# File name of the RADIUS clients configuration for the RADIUS server. If this
# is commented out, the RADIUS server is disabled.
#radius_server_clients=/etc/hostapd.radius_clients

# The UDP port number for the RADIUS authentication server
#radius_server_auth_port=1812

# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API)
#radius_server_ipv6=1


##### WPA/IEEE 802.11i configuration ##########################################

# Enable WPA. Setting this variable configures the AP to require WPA (either
# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
# a RADIUS authentication server must be configured, and WPA-EAP must be
# included in wpa_key_mgmt.
# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
# and/or WPA2 (full IEEE 802.11i/RSN):
# bit0 = WPA
# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
#wpa=1

# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
# (8..63 characters) that will be converted to a PSK. This conversion uses the
# SSID, so the PSK changes when an ASCII passphrase is used and the SSID is
# changed.
# wpa_psk (dot11RSNAConfigPSKValue)
# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#wpa_passphrase=secret passphrase

# Optionally, WPA PSKs can be read from a separate text file (containing a list
# of (PSK, MAC address) pairs). This allows more than one PSK to be configured.
# Use an absolute path name to make sure that the file can be read on SIGHUP
# configuration reloads.
#wpa_psk_file=/etc/hostapd.wpa_psk

# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
# entries are separated with a space.
# (dot11RSNAConfigAuthenticationSuitesTable)
#wpa_key_mgmt=WPA-PSK WPA-EAP

# Set of accepted cipher suites (encryption algorithms) for pairwise keys
# (unicast packets). This is a space separated list of algorithms:
# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
# Group cipher suite (encryption algorithm for broadcast and multicast frames)
# is automatically selected based on this configuration. If only CCMP is
# allowed as the pairwise cipher, the group cipher will also be CCMP. Otherwise,
# TKIP will be used as the group cipher.
# (dot11RSNAConfigPairwiseCiphersTable)
#wpa_pairwise=TKIP CCMP

# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
# seconds.
# (dot11RSNAConfigGroupRekeyTime)
#wpa_group_rekey=600

# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
# (dot11RSNAConfigGroupRekeyStrict)
#wpa_strict_rekey=1

# Time interval for rekeying GMK (master key used internally to generate GTKs)
# in seconds.
#wpa_gmk_rekey=86400

# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
# roaming by pre-authenticating the IEEE 802.1X/EAP part of the full RSN
# authentication and key handshake before actually associating with a new AP.
# (dot11RSNAPreauthenticationEnabled)
#rsn_preauth=1
#
# Space separated list of interfaces from which pre-authentication frames are
# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'). This list should include all
# interfaces that are used for connections to other APs. This could include
# wired interfaces and WDS links. The normal wireless data interface towards
# associated stations (e.g., wlan0) should not be added, since
# pre-authentication is only used with APs other than the currently associated
# one.
#rsn_preauth_interfaces=eth0
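The wpa_passphrase comment in the WPA/IEEE 802.11i section above says an 8..63 character ASCII passphrase is converted to the 256-bit PSK using the SSID, and that wpa_psk must be given as 64 hex digits. The following Python is an added example, not hostapd code or part of the NetBSD distribution: it performs that conversion the way WPA/IEEE 802.11i defines it (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32-byte output), enforces the length rules stated in the comments, and reads a constructed hostapd.conf fragment using the "empty lines and lines starting with # are ignored" rule from the top of the file. The minimal config reader, the sample configuration, and the choice to let wpa_psk take precedence when both wpa_psk and wpa_passphrase are present are assumptions of this example; the page only says one of the two must be set.

```python
"""Derive and validate the WPA-PSK hostapd installs for wpa_psk/wpa_passphrase.

Added example, not hostapd code. The passphrase-to-PSK mapping is the one
defined for WPA/IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid,
4096 iterations, 32 bytes). The SSID is the salt, which is why the PSK
changes whenever the SSID changes even though the passphrase does not.
"""
import hashlib
import re

PSK_HEX = re.compile(r"^[0-9a-fA-F]{64}$")

# Constructed sample configuration (assumption of this example, not a real
# deployment). ssid "IEEE" with passphrase "password" is the first IEEE
# 802.11i Annex H test vector, so the derived PSK can be checked by hand.
SAMPLE_CONF = """\
# hostapd.conf fragment: empty lines and lines starting with # are ignored
interface=if0
ssid=IEEE

wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
wpa_passphrase=password
"""


def parse_conf(text: str) -> dict:
    """Minimal key=value reader (assumed format) following the rule stated at
    the top of hostapd.conf. Values are kept verbatim, so a passphrase that
    contains spaces (e.g. 'secret passphrase') survives unchanged."""
    conf = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value
    return conf


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """ASCII passphrase of 8..63 characters + SSID -> 256-bit PSK."""
    if not passphrase.isascii() or not 8 <= len(passphrase) <= 63:
        raise ValueError("wpa_passphrase must be 8..63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("ssid must be 1..32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid_bytes, 4096, 32)


def parse_wpa_psk(value: str) -> bytes:
    """wpa_psk= must be exactly 64 hex digits (a raw 256-bit secret)."""
    if not PSK_HEX.match(value):
        raise ValueError("wpa_psk must be exactly 64 hex digits")
    return bytes.fromhex(value)


def resolve_psk(conf: dict) -> bytes:
    """Return the PSK for WPA-PSK from a parsed config.

    Giving wpa_psk precedence over wpa_passphrase when both are present is an
    assumption of this example; the config comments only say one must be set.
    """
    if "WPA-PSK" not in conf.get("wpa_key_mgmt", "").split():
        raise ValueError("wpa_key_mgmt must include WPA-PSK")
    if "wpa_psk" in conf:
        return parse_wpa_psk(conf["wpa_psk"])
    if "wpa_passphrase" in conf:
        return passphrase_to_psk(conf["wpa_passphrase"], conf["ssid"])
    raise ValueError("WPA-PSK needs wpa_psk or wpa_passphrase")


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("ssid=%s psk=%s" % (conf["ssid"], resolve_psk(conf).hex()))
    # Same passphrase under another SSID gives an unrelated PSK.
    print("ssid=IEEE2 psk=%s" % passphrase_to_psk("password", "IEEE2").hex())
```

Running the script prints the PSK for the sample fragment and then the PSK for the same passphrase under a different SSID, which is the behaviour the wpa_passphrase comment warns about: renaming the network silently changes the key, and any wpa_psk value captured from an old configuration stops matching.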