NAME
hostapd.conf — configuration file for hostapd(8) utility
DESCRIPTION
The hostapd(8) utility is an authenticator for IEEE 802.11 networks. It provides full support for WPA/IEEE 802.11i and can also act as an IEEE 802.1X Authenticator with a suitable backend Authentication Server (typically FreeRADIUS).
The configuration file consists of global parameters and domain-specific configuration:
- IEEE 802.1X-2004
- RADIUS client
- RADIUS authentication server
- WPA/IEEE 802.11i
GLOBAL PARAMETERS
The following parameters are recognized:
- interface
  Interface name. Should be set in “hostap” mode.
- debug
  Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = excessive.
- dump_file
  Dump file for state information (on SIGUSR1).
- ctrl_interface
  The pathname of the directory in which hostapd(8) creates UNIX domain socket files for communication with frontend programs such as hostapd_cli(8).
- ctrl_interface_group
  A group name or group ID to use in setting protection on the control interface file. This can be set to allow non-root users to access the control interface files. If no group is specified, the group ID of the control interface is not modified and will, typically, be the group ID of the directory in which the socket is created.
IEEE 802.1X-2004 PARAMETERS
The following parameters are recognized:
- ieee8021x
  Require IEEE 802.1X authorization.
- eap_message
  Optional displayable message sent with EAP Request-Identity.
- wep_key_len_broadcast
  Key lengths for broadcast keys.
- wep_key_len_unicast
  Key lengths for unicast keys.
- wep_rekey_period
  Rekeying period in seconds.
- eapol_key_index_workaround
  EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
- eap_reauth_period
  EAP reauthentication period in seconds. To disable reauthentication, use “0”.
RADIUS CLIENT PARAMETERS
The following parameters are recognized:
- own_ip_addr
  The access point's own IP address (used as NAS-IP-Address).
- nas_identifier
  Optional NAS-Identifier string for RADIUS messages.
- auth_server_addr, auth_server_port, auth_server_shared_secret
  RADIUS authentication server parameters. Can be defined twice for secondary servers to be used if the primary one does not reply to RADIUS packets.
- acct_server_addr, acct_server_port, acct_server_shared_secret
  RADIUS accounting server parameters. Can be defined twice for secondary servers to be used if the primary one does not reply to RADIUS packets.
- radius_retry_primary_interval
  Retry interval for trying to return to the primary RADIUS server (in seconds).
- radius_acct_interim_interval
  Interim accounting update interval. If this is set (larger than 0) and acct_server is configured, hostapd(8) will send interim accounting updates every N seconds.
RADIUS AUTHENTICATION SERVER PARAMETERS
The following parameters are recognized:
- radius_server_clients
  File name of the RADIUS clients configuration for the RADIUS server. If this is commented out, the RADIUS server is disabled.
- radius_server_auth_port
  The UDP port number for the RADIUS authentication server.
- radius_server_ipv6
  Use IPv6 with RADIUS server.
WPA/IEEE 802.11i PARAMETERS
The following parameters are recognized:
- wpa
  Enable WPA. Setting this variable configures the AP to require WPA (either WPA-PSK or WPA-RADIUS/EAP based on other configuration).
- wpa_psk, wpa_passphrase
  WPA pre-shared keys for WPA-PSK. The key can be entered either as a 256-bit secret in hex format (64 hex digits) with wpa_psk, or as an ASCII passphrase (8..63 characters) with wpa_passphrase, which is converted to a PSK. The conversion uses the SSID, so the PSK changes when an ASCII passphrase is used and the SSID is changed.
- wpa_psk_file
  Optionally, WPA PSKs can be read from a separate text file containing a list of (PSK, MAC address) pairs.
- wpa_key_mgmt
  Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both).
- wpa_pairwise
  Set of accepted cipher suites (encryption algorithms) for pairwise keys (unicast packets). See the example file for more information.
- wpa_group_rekey
  Time interval for rekeying GTK (broadcast/multicast encryption keys) in seconds.
- wpa_strict_rekey
  Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
- wpa_gmk_rekey
  Time interval for rekeying GMK (master key used internally to generate GTKs) in seconds.
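The passphrase-to-PSK conversion described under wpa_psk, wpa_passphrase, as an added example (not part of the manual page or the hostapd distribution). It assumes the standard WPA mapping, PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations and a 32-byte output, and the ssid parameter of hostapd's configuration file, neither of which is spelled out on this page; the sample configuration is constructed.

```python
import hashlib
import re

def passphrase_to_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit PSK (64 hex digits) from an ASCII passphrase and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    # Assumption: standard WPA mapping, SSID is the salt, 4096 rounds, 32 bytes out.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32).hex()

def parse_conf(text: str) -> dict:
    """Collect key=value pairs, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value  # value kept as written after the '='
    return conf

def effective_psk(text: str) -> str:
    """Return the PSK a configuration yields: wpa_psk as given, or derived from wpa_passphrase."""
    conf = parse_conf(text)
    if "wpa_psk" in conf:
        psk = conf["wpa_psk"].lower()
        if not re.fullmatch(r"[0-9a-f]{64}", psk):
            raise ValueError("wpa_psk must be exactly 64 hex digits")
        return psk
    if "wpa_passphrase" in conf:
        return passphrase_to_psk(conf["wpa_passphrase"], conf.get("ssid", ""))
    raise ValueError("neither wpa_psk nor wpa_passphrase is set")

# Constructed sample configuration (passphrase and SSID are the IEEE 802.11i test vector).
SAMPLE = "ssid=IEEE\nwpa=1\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=password\n"

if __name__ == "__main__":
    print("PSK with ssid=IEEE:      ", effective_psk(SAMPLE))
    # Same passphrase, different SSID: clients holding the old hex PSK no longer match.
    print("PSK with ssid=IEEE-guest:", effective_psk(SAMPLE.replace("ssid=IEEE", "ssid=IEEE-guest")))
```

A client provisioned with the hex PSK rather than the passphrase must be re-provisioned after an SSID change, while a fixed wpa_psk value is unaffected by it.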
SEE ALSO
hostapd(8), hostapd_cli(8), /usr/share/examples/hostapd/hostapd.conf
HISTORY
The hostapd.conf manual page and hostapd(8) functionality first appeared in NetBSD 4.0.
AUTHORS
This manual page is derived from the README and hostapd.conf files in the hostapd distribution provided by Jouni Malinen <jkmaline@cc.hut.fi>.