]>
Commit | Line | Data |
---|---|---|
1 | ##### hostapd configuration file ############################################## | |
2 | # Empty lines and lines starting with # are ignored | |
3 | ||
4 | # AP netdevice name (without 'ap' prefix, i.e., wlan0 uses wlan0ap for | |
5 | # management frames) | |
6 | interface=ath0 | |
7 | ||
8 | # Driver interface type (hostap/wired/madwifi/prism54; default: hostap) | |
9 | driver=madwifi | |
10 | ||
11 | # hostapd event logger configuration | |
12 | # | |
13 | # Two output method: syslog and stdout (only usable if not forking to | |
14 | # background). | |
15 | # | |
16 | # Module bitfield (ORed bitfield of modules that will be logged; -1 = all | |
17 | # modules): | |
18 | # bit 0 (1) = IEEE 802.11 | |
19 | # bit 1 (2) = IEEE 802.1X | |
20 | # bit 2 (4) = RADIUS | |
21 | # bit 3 (8) = WPA | |
22 | # bit 4 (16) = driver interface | |
23 | # bit 5 (32) = IAPP | |
24 | # | |
25 | # Levels (minimum value for logged events): | |
26 | # 0 = verbose debugging | |
27 | # 1 = debugging | |
28 | # 2 = informational messages | |
29 | # 3 = notification | |
30 | # 4 = warning | |
31 | # | |
32 | logger_syslog=-1 | |
33 | logger_syslog_level=2 | |
34 | logger_stdout=-1 | |
35 | logger_stdout_level=1 | |
36 | ||
37 | # Debugging: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive | |
38 | debug=0 | |
39 | ||
40 | # Dump file for state information (on SIGUSR1) | |
41 | dump_file=/tmp/hostapd.dump | |
42 | ||
43 | # Interface for separate control program. If this is specified, hostapd | |
44 | # will create this directory and a UNIX domain socket for listening to requests | |
45 | # from external programs (CLI/GUI, etc.) for status information and | |
46 | # configuration. The socket file will be named based on the interface name, so | |
47 | # multiple hostapd processes/interfaces can be run at the same time if more | |
48 | # than one interface is used. | |
49 | # /var/run/hostapd is the recommended directory for sockets and by default, | |
50 | # hostapd_cli will use it when trying to connect with hostapd. | |
51 | ctrl_interface=/var/run/hostapd | |
52 | ||
53 | # Access control for the control interface can be configured by setting the | |
54 | # directory to allow only members of a group to use sockets. This way, it is | |
55 | # possible to run hostapd as root (since it needs to change network | |
56 | # configuration and open raw sockets) and still allow GUI/CLI components to be | |
57 | # run as non-root users. However, since the control interface can be used to | |
58 | # change the network configuration, this access needs to be protected in many | |
59 | # cases. By default, hostapd is configured to use gid 0 (root). If you | |
60 | # want to allow non-root users to use the contron interface, add a new group | |
61 | # and change this value to match with that group. Add users that should have | |
62 | # control interface access to this group. | |
63 | # | |
64 | # This variable can be a group name or gid. | |
65 | #ctrl_interface_group=wheel | |
66 | ctrl_interface_group=0 | |
67 | ||
68 | ||
69 | ##### IEEE 802.11 related configuration ####################################### | |
70 | ||
71 | # SSID to be used in IEEE 802.11 management frames | |
72 | ssid=IPFire | |
73 | ||
74 | # Station MAC address -based authentication | |
75 | # 0 = accept unless in deny list | |
76 | # 1 = deny unless in accept list | |
77 | # 2 = use external RADIUS server (accept/deny lists are searched first) | |
78 | macaddr_acl=0 | |
79 | ||
80 | # Accept/deny lists are read from separate files (containing list of | |
81 | # MAC addresses, one per line). Use absolute path name to make sure that the | |
82 | ||
83 | # files can be read on SIGHUP configuration reloads. | |
84 | #accept_mac_file=/etc/hostapd/hostapd.accept | |
85 | #deny_mac_file=/etc/hostapd/hostapd.deny | |
86 | ||
87 | # IEEE 802.11 specifies two authentication algorithms. hostapd can be | |
88 | # configured to allow both of these or only one. Open system authentication | |
89 | # should be used with IEEE 802.1X. | |
90 | # Bit fields of allowed authentication algorithms: | |
91 | # bit 0 = Open System Authentication | |
92 | # bit 1 = Shared Key Authentication (requires WEP) | |
93 | auth_algs=1 | |
94 | ||
95 | # Associate as a station to another AP while still acting as an AP on the same | |
96 | # channel. | |
97 | #assoc_ap_addr=00:12:34:56:78:9a | |
98 | ||
99 | ||
100 | ##### IEEE 802.1X (and IEEE 802.1aa/D4) related configuration ################# | |
101 | ||
102 | # Require IEEE 802.1X authorization | |
103 | #ieee8021x=0 | |
104 | ||
105 | # Use integrated EAP authenticator instead of external RADIUS authentication | |
106 | # server | |
107 | #eap_authenticator=0 | |
108 | ||
109 | # Path for EAP authenticator user database | |
110 | #eap_user_file=/etc/hostapd/eap_user | |
111 | ||
112 | # CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS | |
113 | #ca_cert=/etc/hostapd/ca.pem | |
114 | ||
115 | # Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS | |
116 | #server_cert=/etc/hostapd/server.pem | |
117 | ||
118 | # Private key matching with the server certificate for EAP-TLS/PEAP/TTLS | |
119 | # This may point to the same file as server_cert if both certificate and key | |
120 | # are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be | |
121 | # used by commenting out server_cert and specifying the PFX file as the | |
122 | # private_key. | |
123 | #private_key=/etc/hostapd/server.prv | |
124 | ||
125 | # Passphrase for private key | |
126 | #private_key_passwd=secret passphrase | |
127 | ||
128 | # Configuration data for EAP-SIM database/authentication gateway interface. | |
129 | # This is a text string in implementation specific format. The example | |
130 | # implementation in eap_sim_db.c uses this as the file name for the GSM | |
131 | # authentication triplets. | |
132 | #eap_sim_db=/etc/hostapd/sim_db | |
133 | ||
134 | # Optional displayable message sent with EAP Request-Identity | |
135 | #eap_message=hello | |
136 | ||
137 | # WEP rekeying (disabled if key lengths are not set or are set to 0) | |
138 | # Key lengths for default/broadcast and individual/unicast keys: | |
139 | # 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) | |
140 | # 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) | |
141 | #wep_key_len_broadcast=5 | |
142 | #wep_key_len_unicast=5 | |
143 | # Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) | |
144 | #wep_rekey_period=300 | |
145 | ||
146 | # EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if | |
147 | # only broadcast keys are used) | |
148 | #eapol_key_index_workaround=0 | |
149 | ||
150 | # EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable | |
151 | # reauthentication). | |
152 | #eap_reauth_period=3600 | |
153 | ||
154 | ||
155 | ##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### | |
156 | ||
157 | # Interface to be used for IAPP broadcast packets | |
158 | #iapp_interface=eth0 | |
159 | ||
160 | ||
161 | ##### RADIUS configuration #################################################### | |
162 | # for IEEE 802.1X with external Authentication Server, IEEE 802.11 | |
163 | # authentication with external ACL for MAC addresses, and accounting | |
164 | ||
165 | # The own IP address of the access point (used as NAS-IP-Address) | |
166 | #own_ip_addr=127.0.0.1 | |
167 | ||
168 | # Optional NAS-Identifier string for RADIUS messages. When used, this should be | |
169 | # a unique to the NAS within the scope of the RADIUS server. For example, a | |
170 | # fully qualified domain name can be used here. | |
171 | #nas_identifier=ap.example.com | |
172 | ||
173 | # RADIUS authentication server | |
174 | #auth_server_addr=127.0.0.1 | |
175 | #auth_server_port=1812 | |
176 | #auth_server_shared_secret=secret | |
177 | ||
178 | # RADIUS accounting server | |
179 | #acct_server_addr=127.0.0.1 | |
180 | #acct_server_port=1813 | |
181 | #acct_server_shared_secret=secret | |
182 | ||
183 | # Secondary RADIUS servers; to be used if primary one does not reply to | |
184 | # RADIUS packets. These are optional and there can be more than one secondary | |
185 | # server listed. | |
186 | #auth_server_addr=127.0.0.2 | |
187 | #auth_server_port=1812 | |
188 | #auth_server_shared_secret=secret2 | |
189 | # | |
190 | #acct_server_addr=127.0.0.2 | |
191 | #acct_server_port=1813 | |
192 | #acct_server_shared_secret=secret2 | |
193 | ||
194 | # Retry interval for trying to return to the primary RADIUS server (in | |
195 | # seconds). RADIUS client code will automatically try to use the next server | |
196 | # when the current server is not replying to requests. If this interval is set, | |
197 | # primary server will be retried after configured amount of time even if the | |
198 | # currently used secondary server is still working. | |
199 | #radius_retry_primary_interval=600 | |
200 | ||
201 | # Interim accounting update interval | |
202 | # If this is set (larger than 0) and acct_server is configured, hostapd will | |
203 | # send interim accounting updates every N seconds. Note: if set, this overrides | |
204 | # possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this | |
205 | # value should not be configured in hostapd.conf, if RADIUS server is used to | |
206 | # control the interim interval. | |
207 | # This value should not be less 600 (10 minutes) and must not be less than | |
208 | # 60 (1 minute). | |
209 | #radius_acct_interim_interval=600 | |
210 | ||
211 | # hostapd can be used as a RADIUS authentication server for other hosts. This | |
212 | # requires that the integrated EAP authenticator is also enabled and both | |
213 | # authentication services are sharing the same configuration. | |
214 | ||
215 | # File name of the RADIUS clients configuration for the RADIUS server. If this | |
216 | # commented out, RADIUS server is disabled. | |
217 | #radius_server_clients=/etc/hostapd/radius_clients | |
218 | ||
219 | # The UDP port number for the RADIUS authentication server | |
220 | #radius_server_auth_port=1812 | |
221 | ||
222 | ||
223 | ##### WPA/IEEE 802.11i configuration ########################################## | |
224 | ||
225 | # Enable WPA. Setting this variable configures the AP to require WPA (either | |
226 | # WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either | |
227 | # wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. | |
228 | # For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), | |
229 | # RADIUS authentication server must be configured, and WPA-EAP must be included | |
230 | # in wpa_key_mgmt. | |
231 | # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) | |
232 | # and/or WPA2 (full IEEE 802.11i/RSN): | |
233 | # bit0 = WPA | |
234 | # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) | |
235 | wpa=1 | |
236 | ||
237 | # WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit | |
238 | # secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase | |
239 | # (8..63 characters) that will be converted to PSK. This conversion uses SSID | |
240 | # so the PSK changes when ASCII passphrase is used and the SSID is changed. | |
241 | # wpa_psk (dot11RSNAConfigPSKValue) | |
242 | # wpa_passphrase (dot11RSNAConfigPSKPassPhrase) | |
243 | #wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef | |
244 | wpa_passphrase=yoursecretpassphrase | |
245 | ||
246 | # Optionally, WPA PSKs can be read from a separate text file (containing list | |
247 | # of (PSK,MAC address) pairs. This allows more than one PSK to be configured. | |
248 | # Use absolute path name to make sure that the files can be read on SIGHUP | |
249 | # configuration reloads. | |
250 | #wpa_psk_file=/etc/hostapd/wpa_psk | |
251 | ||
252 | # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The | |
253 | # entries are separated with a space. | |
254 | # (dot11RSNAConfigAuthenticationSuitesTable) | |
255 | #wpa_key_mgmt=WPA-PSK WPA-EAP | |
256 | wpa_key_mgmt=WPA-PSK | |
257 | ||
258 | # Set of accepted cipher suites (encryption algorithms) for pairwise keys | |
259 | # (unicast packets). This is a space separated list of algorithms: | |
260 | ||
261 | # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] | |
262 | # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] | |
263 | # Group cipher suite (encryption algorithm for broadcast and multicast frames) | |
264 | # is automatically selected based on this configuration. If only CCMP is | |
265 | # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, | |
266 | # TKIP will be used as the group cipher. | |
267 | # (dot11RSNAConfigPairwiseCiphersTable) | |
268 | wpa_pairwise=TKIP CCMP | |
269 | ||
270 | # Time interval for rekeying GTK (broadcast/multicast encryption keys) in | |
271 | # seconds. (dot11RSNAConfigGroupRekeyTime) | |
272 | #wpa_group_rekey=600 | |
273 | ||
274 | # Rekey GTK when any STA that possesses the current GTK is leaving the BSS. | |
275 | # (dot11RSNAConfigGroupRekeyStrict) | |
276 | #wpa_strict_rekey=1 | |
277 | ||
278 | # Time interval for rekeying GMK (master key used internally to generate GTKs | |
279 | # (in seconds). | |
280 | #wpa_gmk_rekey=86400 | |
281 | ||
282 | # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up | |
283 | # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN | |
284 | # authentication and key handshake before actually associating with a new AP. | |
285 | # (dot11RSNAPreauthenticationEnabled) | |
286 | #rsn_preauth=1 | |
287 | # | |
288 | # Space separated list of interfaces from which pre-authentication frames are | |
289 | # accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all | |
290 | # interface that are used for connections to other APs. This could include | |
291 | # wired interfaces and WDS links. The normal wireless data interface towards | |
292 | # associated stations (e.g., wlan0) should not be added, since | |
293 | # pre-authentication is only used with APs other than the currently associated | |
294 | # one. | |
295 | #rsn_preauth_interfaces=eth0 |