|
 |
7a6af9 |
.\" Manpage for hostapd.conf.
|
|
|
7a6af9 |
.\" Original scrape of https://www.daemon-systems.org/man/hostapd.conf.5.html
|
|
|
7a6af9 |
.\" Contact linville@redhat.com to correct errors or typos.
|
|
|
7a6af9 |
.TH hostapd.conf 5 "10 Feb 2021" "1.0" "hostapd.conf man page"
|
|
|
7a6af9 |
.SH NAME
|
|
|
7a6af9 |
hostapd.conf \- configuration file for hostapd(8) utility
|
|
|
7a6af9 |
.SH DESCRIPTION
|
|
|
7a6af9 |
The hostapd.conf utility is an authenticator for IEEE 802.11 networks.
|
|
|
7a6af9 |
It provides full support for WPA/IEEE 802.11i and can also act as an IEEE
|
|
|
7a6af9 |
802.1X Authenticator with a suitable backend Authentication Server
|
|
|
7a6af9 |
(typically FreeRADIUS).
|
|
|
7a6af9 |
The configuration file consists of global parameters and domain specific
|
|
|
7a6af9 |
configuration:
|
|
|
7a6af9 |
.P
|
|
|
7a6af9 |
\(bu IEEE 802.1X-2004
|
|
|
7a6af9 |
.P
|
|
|
7a6af9 |
\(bu RADIUS client
|
|
|
7a6af9 |
.P
|
|
|
7a6af9 |
\(bu RADIUS authentication server
|
|
|
7a6af9 |
.P
|
|
|
7a6af9 |
\(bu WPA/IEEE 802.11i
|
|
|
7a6af9 |
.SH GLOBAL PARAMETERS
|
|
|
7a6af9 |
The following parameters are recognized:
|
|
|
7a6af9 |
.SS interface
|
|
|
7a6af9 |
Interface name. Should be set in "hostap" mode.
|
|
|
7a6af9 |
.SS debug
|
|
|
7a6af9 |
Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps,
|
|
|
7a6af9 |
4 = excessive.
|
|
|
7a6af9 |
.SS dump_file
|
|
|
7a6af9 |
Dump file for state information (on SIGUSR1).
|
|
|
7a6af9 |
.SS ctrl_interface
|
|
|
7a6af9 |
The pathname of the directory in which hostapd(8) creates UNIX
|
|
|
7a6af9 |
domain socket files for communication with frontend programs such
|
|
|
7a6af9 |
as hostapd_cli(8).
|
|
|
7a6af9 |
.SS ctrl_interface_group
|
|
|
7a6af9 |
A group name or group ID to use in setting protection on the
|
|
|
7a6af9 |
control interface file. This can be set to allow non-root users
|
|
|
7a6af9 |
to access the control interface files. If no group is specified,
|
|
|
7a6af9 |
the group ID of the control interface is not modified and will,
|
|
|
7a6af9 |
typically, be the group ID of the directory in which the socket
|
|
|
7a6af9 |
is created.
|
|
|
7a6af9 |
.SH IEEE 802.1X-2004 PARAMETERS
|
|
|
7a6af9 |
The following parameters are recognized:
|
|
|
7a6af9 |
.SS ieee8021x
|
|
|
7a6af9 |
Require IEEE 802.1X authorization.
|
|
|
7a6af9 |
.SS eap_message
|
|
|
7a6af9 |
Optional displayable message sent with EAP Request-Identity.
|
|
|
7a6af9 |
.SS wep_key_len_broadcast
|
|
|
7a6af9 |
Key lengths for broadcast keys.
|
|
|
7a6af9 |
.SS wep_key_len_unicast
|
|
|
7a6af9 |
Key lengths for unicast keys.
|
|
|
7a6af9 |
.SS wep_rekey_period
|
|
|
7a6af9 |
Rekeying period in seconds.
|
|
|
7a6af9 |
.SS eapol_key_index_workaround
|
|
|
7a6af9 |
EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
|
|
|
7a6af9 |
.SS eap_reauth_period
|
|
|
7a6af9 |
EAP reauthentication period in seconds. To disable
|
|
|
7a6af9 |
reauthentication, use "0".
|
|
|
7a6af9 |
.SH RADIUS CLIENT PARAMETERS
|
|
|
7a6af9 |
The following parameters are recognized:
|
|
|
7a6af9 |
.SS own_ip_addr
|
|
|
7a6af9 |
The own IP address of the access point (used as NAS-IP-Address).
|
|
|
7a6af9 |
.SS nas_identifier
|
|
|
7a6af9 |
Optional NAS-Identifier string for RADIUS messages.
|
|
|
7a6af9 |
.SS auth_server_addr, auth_server_port, auth_server_shared_secret
|
|
|
7a6af9 |
RADIUS authentication server parameters. Can be defined twice
|
|
|
7a6af9 |
for secondary servers to be used if primary one does not reply to
|
|
|
7a6af9 |
RADIUS packets.
|
|
|
7a6af9 |
.SS acct_server_addr, acct_server_port, acct_server_shared_secret
|
|
|
7a6af9 |
RADIUS accounting server parameters. Can be defined twice for
|
|
|
7a6af9 |
secondary servers to be used if primary one does not reply to
|
|
|
7a6af9 |
RADIUS packets.
|
|
|
7a6af9 |
.SS radius_retry_primary_interval
|
|
|
7a6af9 |
Retry interval for trying to return to the primary RADIUS server
|
|
|
7a6af9 |
(in seconds).
|
|
|
7a6af9 |
.SS radius_acct_interim_interval
|
|
|
7a6af9 |
Interim accounting update interval. If this is set (larger than
|
|
|
7a6af9 |
0) and acct_server is configured, hostapd(8) will send interim
|
|
|
7a6af9 |
accounting updates every N seconds.
|
|
|
7a6af9 |
.SH RADIUS AUTHENTICATION SERVER PARAMETERS
|
|
|
7a6af9 |
The following parameters are recognized:
|
|
|
7a6af9 |
.SS radius_server_clients
|
|
|
7a6af9 |
File name of the RADIUS clients configuration for the RADIUS
|
|
|
7a6af9 |
server. If this is commented out, RADIUS server is disabled.
|
|
|
7a6af9 |
.SS radius_server_auth_port
|
|
|
7a6af9 |
The UDP port number for the RADIUS authentication server.
|
|
|
7a6af9 |
.SS radius_server_ipv6
|
|
|
7a6af9 |
Use IPv6 with RADIUS server.
|
|
|
7a6af9 |
.SH WPA/IEEE 802.11i PARAMETERS
|
|
|
7a6af9 |
The following parameters are recognized:
|
|
|
7a6af9 |
.SS wpa
|
|
|
7a6af9 |
Enable WPA. Setting this variable configures the AP to require
|
|
|
7a6af9 |
WPA (either WPA-PSK or WPA-RADIUS/EAP based on other
|
|
|
7a6af9 |
configuration).
|
|
|
7a6af9 |
.SS wpa_psk, wpa_passphrase
|
|
|
7a6af9 |
WPA pre-shared keys for WPA-PSK. This can be either entered as a
|
|
|
7a6af9 |
256-bit secret in hex format (64 hex digits), wpa_psk, or as an
|
|
|
7a6af9 |
ASCII passphrase (8..63 characters) that will be converted to
|
|
|
7a6af9 |
PSK. This conversion uses SSID so the PSK changes when ASCII
|
|
|
7a6af9 |
passphrase is used and the SSID is changed.
|
|
|
7a6af9 |
.SS wpa_psk_file
|
|
|
7a6af9 |
Optionally, WPA PSKs can be read from a separate text file
|
|
|
7a6af9 |
(containing a list of (PSK,MAC address) pairs.
|
|
|
7a6af9 |
.SS wpa_key_mgmt
|
|
|
7a6af9 |
Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or
|
|
|
7a6af9 |
both).
|
|
|
7a6af9 |
.SS wpa_pairwise
|
|
|
7a6af9 |
Set of accepted cipher suites (encryption algorithms) for
|
|
|
7a6af9 |
pairwise keys (unicast packets). See the example file for more
|
|
|
7a6af9 |
information.
|
|
|
7a6af9 |
.SS wpa_group_rekey
|
|
|
7a6af9 |
Time interval for rekeying GTK (broadcast/multicast encryption
|
|
|
7a6af9 |
keys) in seconds.
|
|
|
7a6af9 |
.SS wpa_strict_rekey
|
|
|
7a6af9 |
Rekey GTK when any STA that possesses the current GTK is leaving
|
|
|
7a6af9 |
the BSS.
|
|
|
7a6af9 |
.SS wpa_gmk_rekey
|
|
|
7a6af9 |
Time interval for rekeying GMK (master key used internally to
|
|
|
7a6af9 |
generate GTKs (in seconds).
|
|
|
7a6af9 |
.SH SEE ALSO
|
|
|
7a6af9 |
hostapd(8), hostapd_cli(8), /usr/share/examples/hostapd/hostapd.conf
|
|
|
7a6af9 |
.SH HISTORY
|
|
|
7a6af9 |
The hostapd.conf manual page and hostapd(8) functionality first appeared
|
|
|
7a6af9 |
in NetBSD 4.0.
|
|
|
7a6af9 |
.SH AUTHORS
|
|
|
7a6af9 |
This manual page is derived from the README and hostapd.conf files in the
|
|
|
7a6af9 |
hostapd distribution provided by Jouni Malinen <jkmaline@cc.hut.fi>.
|