Linux EAP networking: how to configure a wireless network on Linux

[-D] ...]

options:
  -B = run daemon in the background
  -d = increase debugging verbosity (-dd even more)
  -K = include keys (passwords, etc.) in debug output
  -t = include timestamp in debug messages
  -h = show this help text
  -L = show license (GPL and BSD)
  -q = decrease debugging verbosity (-qq even less)
  -v = show version
  -w = wait for interface to be added, if needed
  -N = start describing new interface

drivers:
  hostap = Host AP driver (Intersil Prism2/2.5/3) [default]
           (this can also be used with Linuxant DriverLoader)
  hermes = Agere Systems Inc. driver (Hermes-I/Hermes-II)
  madwifi = MADWIFI 802.11 support (Atheros, etc.)
  atmel = ATMEL AT76C5XXx (USB, PCMCIA)
  wext = Linux wireless extensions (generic)
  ndiswrapper = Linux ndiswrapper
  broadcom = Broadcom wl.o driver
  ipw = Intel ipw2100/2200 driver
  wired = wpa_supplicant wired Ethernet driver
  bsd = BSD 802.11 support (Atheros, etc.)
  ndis = Windows NDIS driver

In most common cases, wpa_supplicant is started with

wpa_supplicant -Bw -c/etc/wpa_supplicant.conf -iwlan0

This makes the process fork into the background and wait for the wlan0
interface if it is not available at startup time.

The easiest way to debug problems, and to get a debug log for bug
reports, is to start wpa_supplicant in the foreground with debugging
enabled:

wpa_supplicant -c/etc/wpa_supplicant.conf -iwlan0 -d

wpa_supplicant can control multiple interfaces (radios) either by
running one process for each interface separately or by running just
one process with a list of options on the command line. Each interface
is separated with the -N argument. As an example, the following command
would start wpa_supplicant for two interfaces:

wpa_supplicant \
	-c wpa1.conf -i wlan0 -D hostap -N \
	-c wpa2.conf -i ath0 -D madwifi

Configuration file
------------------

wpa_supplicant is configured using a text file that lists all accepted
networks and security policies, including pre-shared keys. See the
example configuration file, wpa_supplicant.conf, for detailed
information about the configuration format and supported fields.

Changes to the configuration file can be reloaded by sending a SIGHUP
signal to wpa_supplicant ("killall -HUP wpa_supplicant"). Similarly,
reloading can be triggered with the "wpa_cli reconfigure" command.

The configuration file can include one or more network blocks, e.g., one
for each used SSID. wpa_supplicant will automatically select the best
network based on the order of network blocks in the configuration
file, network security level (WPA/WPA2 is preferred), and signal
strength.

Example configuration files for some common configurations:

1) WPA-Personal (PSK) as home network and WPA-Enterprise with EAP-TLS as work
   network

# allow frontend (e.g., wpa_cli) to be used by all users in 'wheel' group
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
#
# home network; allow all valid ciphers
network={
	ssid="home"
	scan_ssid=1
	key_mgmt=WPA-PSK
	psk="very secret passphrase"
}
#
# work network; use EAP-TLS with WPA; allow only CCMP and TKIP ciphers
network={
	ssid="work"
	scan_ssid=1
	key_mgmt=WPA-EAP
	pairwise=CCMP TKIP
	group=CCMP TKIP
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
}

2) WPA-RADIUS/EAP-PEAP/MSCHAPv2 with RADIUS servers that use old peaplabel
   (e.g., Funk Odyssey and SBR, Meetinghouse Aegis, Interlink RAD-Series)

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=PEAP
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase1="peaplabel=0"
	phase2="auth=MSCHAPV2"
}

3) EAP-TTLS/EAP-MD5-Challenge configuration with anonymous identity for the
   unencrypted use. Real identity is sent only within an encrypted TLS tunnel.

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP
	eap=TTLS
	identity="user@example.com"
	anonymous_identity="anonymous@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	phase2="auth=MD5"
}

4) IEEE 802.1X (i.e., no WPA) with dynamic WEP keys (require both unicast and
   broadcast); use EAP-TLS for authentication

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
	ssid="1x-test"
	scan_ssid=1
	key_mgmt=IEEE8021X
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	eapol_flags=3
}

5) Catch all example that allows more or less all configuration modes. The
   configuration options are used based on what security policy is used in the
   selected SSID. This is mostly for testing and is not recommended for normal
   use.

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
	ssid="example"
	scan_ssid=1
	key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
	pairwise=CCMP TKIP
	group=CCMP TKIP WEP104 WEP40
	psk="very secret passphrase"
	eap=TTLS PEAP TLS
	identity="user@example.com"
	password="foobar"
	ca_cert="/etc/cert/ca.pem"
	client_cert="/etc/cert/user.pem"
	private_key="/etc/cert/user.prv"
	private_key_passwd="password"
	phase1="peaplabel=0"
	ca_cert2="/etc/cert/ca2.pem"
	client_cert2="/etc/cer/user.pem"
	private_key2="/etc/cer/user.prv"
	private_key2_passwd="password"
}

6) Authentication for wired Ethernet. This can be used with 'wired' interface
   (-Dwired on command line).

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
	key_mgmt=IEEE8021X
	eap=MD5
	identity="user"
	password="password"
	eapol_flags=0
}
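
Added example (not part of the wpa_supplicant text above): a small Python check that parses the network blocks of a configuration file like the six shown here and reports the choices a reviewer would question. The finding names and the SAMPLE text are constructed for illustration; SAMPLE follows the shape of examples 5 and 6, with ca_cert left out of the first block.

```python
# Constructed sample: shaped like examples 5 (catch-all) and 6 (wired) above,
# with ca_cert removed from the first block so that finding is exercised.
SAMPLE = '''
network={
    ssid="example"
    key_mgmt=WPA-EAP WPA-PSK IEEE8021X NONE
    pairwise=CCMP TKIP
    group=CCMP TKIP WEP104 WEP40
    eap=TTLS PEAP TLS
}
network={
    key_mgmt=IEEE8021X
    eap=MD5
}
'''

def parse_networks(text):
    """Return one dict of key -> raw value per network={...} block."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return nets

def audit(net):
    """Return sorted finding codes for one block (explicit settings only)."""
    out = set()
    ciphers = set((net.get("pairwise", "") + " " + net.get("group", "")).split())
    eap = set(net.get("eap", "").split())  # outer method; phase2 is not checked
    if "NONE" in net.get("key_mgmt", "").split():
        out.add("open-or-static-wep-allowed")
    if ciphers & {"TKIP", "WEP104", "WEP40"}:
        out.add("legacy-cipher-allowed")
    if eap & {"TLS", "TTLS", "PEAP"} and not (net.keys() & {"ca_cert", "ca_path"}):
        out.add("server-cert-not-verified")  # no CA: any server is accepted
    if "MD5" in eap:
        out.add("outer-eap-md5")  # no tunnel, no mutual authentication
    return sorted(out)
```

Running audit() over each block returned by parse_networks(SAMPLE) flags the catch-all block for three findings and the wired block for outer EAP-MD5; a block that pins ca_cert and lists only CCMP returns an empty list.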
