.\" Manpage for hostapd.conf.
.\" Original scrape of https://www.daemon-systems.org/man/hostapd.conf.5.html
.\" Contact linville@redhat.com to correct errors or typos.
.TH hostapd.conf 5 "10 Feb 2021" "1.0" "hostapd.conf man page"
.SH NAME
hostapd.conf \- configuration file for hostapd(8) utility
.SH DESCRIPTION
The hostapd.conf utility is an authenticator for IEEE 802.11 networks.
It provides full support for WPA/IEEE 802.11i and can also act as an IEEE
802.1X Authenticator with a suitable backend Authentication Server
(typically FreeRADIUS).
The configuration file consists of global parameters and domain specific
configuration:
.P
\(bu IEEE 802.1X-2004
.P
\(bu RADIUS client
.P
\(bu RADIUS authentication server
.P
\(bu WPA/IEEE 802.11i
.SH GLOBAL PARAMETERS
The following parameters are recognized:
.SS interface
Interface name. Should be set in "hostap" mode.
.SS debug
Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps,
4 = excessive.
.SS dump_file
Dump file for state information (on SIGUSR1).
.SS ctrl_interface
The pathname of the directory in which hostapd(8) creates UNIX
domain socket files for communication with frontend programs such
as hostapd_cli(8).
.SS ctrl_interface_group
A group name or group ID to use in setting protection on the
control interface file. This can be set to allow non-root users
to access the control interface files. If no group is specified,
the group ID of the control interface is not modified and will,
typically, be the group ID of the directory in which the socket
is created.
.SH IEEE 802.1X-2004 PARAMETERS
The following parameters are recognized:
.SS ieee8021x
Require IEEE 802.1X authorization.
.SS eap_message
Optional displayable message sent with EAP Request-Identity.
.SS wep_key_len_broadcast
Key lengths for broadcast keys.
.SS wep_key_len_unicast
Key lengths for unicast keys.
.SS wep_rekey_period
Rekeying period in seconds.
.SS eapol_key_index_workaround
EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
.SS eap_reauth_period
EAP reauthentication period in seconds. To disable
reauthentication, use "0".
.SH RADIUS CLIENT PARAMETERS
The following parameters are recognized:
.SS own_ip_addr
The own IP address of the access point (used as NAS-IP-Address).
.SS nas_identifier
Optional NAS-Identifier string for RADIUS messages.
.SS auth_server_addr, auth_server_port, auth_server_shared_secret
RADIUS authentication server parameters. Can be defined twice
for secondary servers to be used if primary one does not reply to
RADIUS packets.
.SS acct_server_addr, acct_server_port, acct_server_shared_secret
RADIUS accounting server parameters. Can be defined twice for
secondary servers to be used if primary one does not reply to
RADIUS packets.
.SS radius_retry_primary_interval
Retry interval for trying to return to the primary RADIUS server
(in seconds).
.SS radius_acct_interim_interval
Interim accounting update interval. If this is set (larger than
0) and acct_server is configured, hostapd(8) will send interim
accounting updates every N seconds.
.SH RADIUS AUTHENTICATION SERVER PARAMETERS
The following parameters are recognized:
.SS radius_server_clients
File name of the RADIUS clients configuration for the RADIUS
server. If this is commented out, RADIUS server is disabled.
.SS radius_server_auth_port
The UDP port number for the RADIUS authentication server.
.SS radius_server_ipv6
Use IPv6 with RADIUS server.
.SH WPA/IEEE 802.11i PARAMETERS
The following parameters are recognized:
.SS wpa
Enable WPA. Setting this variable configures the AP to require
WPA (either WPA-PSK or WPA-RADIUS/EAP based on other
configuration).
.SS wpa_psk, wpa_passphrase
WPA pre-shared keys for WPA-PSK. This can be either entered as a
256-bit secret in hex format (64 hex digits), wpa_psk, or as an
ASCII passphrase (8..63 characters) that will be converted to
PSK. This conversion uses SSID so the PSK changes when ASCII
passphrase is used and the SSID is changed.
.SS wpa_psk_file
Optionally, WPA PSKs can be read from a separate text file
(containing a list of (PSK,MAC address) pairs.
.SS wpa_key_mgmt
Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or
both).
.SS wpa_pairwise
Set of accepted cipher suites (encryption algorithms) for
pairwise keys (unicast packets). See the example file for more
information.
.SS wpa_group_rekey
Time interval for rekeying GTK (broadcast/multicast encryption
keys) in seconds.
.SS wpa_strict_rekey
Rekey GTK when any STA that possesses the current GTK is leaving
the BSS.
.SS wpa_gmk_rekey
Time interval for rekeying GMK (master key used internally to
generate GTKs (in seconds).
.SH SEE ALSO
hostapd(8), hostapd_cli(8), /usr/share/examples/hostapd/hostapd.conf
.SH HISTORY
The hostapd.conf manual page and hostapd(8) functionality first appeared
in NetBSD 4.0.
.SH AUTHORS
This manual page is derived from the README and hostapd.conf files in the
hostapd distribution provided by Jouni Malinen <jkmaline@cc.hut.fi>.