wpa_supplicant

Wi-Fi Protected Access client and IEEE 802.1X supplicant

sudo wpa_supplicant [-BddfhKLqqsTtuvW] [-i ifname] [-c config_file] [-D driver]
                     [-P PID_file] [-f output_file]

Start with sudo head -30 /etc/wpa_supplicant/wpa_supplicant

Some options have global scope.
Option groups for different interfaces must be separated by -N.
File names should be full paths, i.e. not relative.

-W Wait for a control interface monitor before starting.
-B background.
-P PID_file
-d Show debugging messages (-dd even more).
-q Quieter: decrease debugging verbosity (-qq even less).
-t Include timestamp in debug messages.
-K Include keys (passwords, etc.) in debug output.
-s Log output to syslog instead of stdout. (if built with CONFIG_DEBUG_SYSLOG)
-T Include tracing. (if built with CONFIG_DEBUG_LINUX_TRACING)
-f output_file Log output to the specified file instead of stdout. (if built with CONFIG_DEBUG_FILE)
-e entropy_file File in which wpa_supplicant maintains its internal entropy store across restarts.
-g global ctrl_interface Path to global ctrl_interface socket. If specified, interface definitions may be omitted.
-u Enable DBus control interface. If enabled, interface definitions may be omitted. (if built with CONFIG_DBUS)
-N next interface definition
-i ifname Interface.
-c filename configuration file.
-C ctrl_interface Path to ctrl_interface socket (only used if -c is not).
-b br_ifname bridge interface name.
-D driver can be multiple drivers: (example: nl80211,wext). See the available options.
-p parameters for driver.
-O override ctrl_interface Override the ctrl_interface parameter for new interfaces.
-o override driver Override the driver parameter for new interfaces.
-L Show license (BSD).
-v Show version.
wpa_supplicant v2.6 (on Raspberry Pi Stretch, 1/14/20), NOT built with CONFIG_DEBUG_FILE
Copyright (c) 2003-2015, Jouni Malinen and contributors
-h Help. Show a usage message.

Driver backends that may be used with -D (driver); see wpa_supplicant -h.

       wext       Linux wireless extensions (generic).  
       wired      wpa_supplicant wired Ethernet driver 
       roboswitch wpa_supplicant Broadcom switch driver 
       bsd        BSD 802.11 support (Atheros, etc.).  
       ndis       Windows NDIS driver.

Usage

On Raspberry Pi:
 > cat /etc/systemd/system/dbus-fi.w1.wpa_supplicant1.service
  [Unit]
  Description=WPA supplicant
  Before=network.target
  After=dbus.service
  Wants=network.target
  
  [Service]
  Type=dbus
  BusName=fi.w1.wpa_supplicant1
  ExecStart=/sbin/wpa_supplicant -u -s -O       /run/wpa_supplicant   maybe add -d 
#                   Enable DBus -^  ^  ^--Override the ctrl_interface
#                                   '-- syslog
  
  [Install]
  WantedBy=multi-user.target
  Alias=dbus-fi.w1.wpa_supplicant1.service 

> sudo ls /run/wpa_supplicant
p2p-dev-wlan0 wlan0

The only syslog message is:
 daemon.notice wpa_supplicant[304]: Successfully initialized wpa_supplicant

Fork to the background:
 sudo wpa_supplicant -B -c/etc/wpa_supplicant.conf -i wlan0

Start in the foreground with debugging:
 log=/tmp/wpa.`date +%y%m%d.%H%M`.log
 sudo wpa_supplicant -d -c/etc/wpa_supplicant/wpa_supplicant.conf -i wlan0 > "$log"

If the specific driver wrapper is not known beforehand, it is possible to specify multiple comma-separated driver wrappers on the command line; wpa_supplicant uses the first driver wrapper that is able to initialize the interface.
 sudo wpa_supplicant -Dnl80211,wext -c/etc/wpa_supplicant.conf -iwlan0

Control multiple interfaces (radios) by running one process for each interface or by running one process with a list of options.
Each interface is separated with -N. Example:
 
sudo wpa_supplicant \
     -c wpa1.conf -i wlan0 -D nl80211 \
     -N \
     -c wpa2.conf -i ath0 -D wext

Supported drivers

Architecture

Quick Start

  1. Make configuration file, wpa_supplicant.conf
    #           ANY error here will prevent the wifi network from starting 
    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    update_config=1
    country=US
    
    network={
        ssid="piland"
        psk="secretPassword"
    }
    network={
        ssid="homeRouter"
        psk="verizonpass"
    } 
  2. Test by running in the foreground with debugging:
    sudo wpa_supplicant -i wlan0 -c/etc/wpa_supplicant.conf -d
    sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -d
  3. Start in the background without debugging:
    sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
If more than one driver interface is enabled in the build-time configuration (.config), specify which one to use by including -D<driver name>.
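
The Quick Start file above keeps both passphrases in quoted, readable form, while wpa_passphrase(8) prints the 64-hex-digit psk= form together with a #psk="..." comment. The following check is an added example, not part of wpa_supplicant: audit_wpa_conf and sample_conf are hypothetical names and the sample file is constructed.

```shell
# Added example (not part of wpa_supplicant). Reads a wpa_supplicant.conf on
# stdin and prints, per network block, how its psk is stored:
#   PLAINTEXT_PSK        psk="..."  passphrase in readable form
#   HEX_PSK              psk=<64 hex digits>, the form wpa_passphrase(8) prints
#   COMMENTED_PASSPHRASE a #psk="..." comment, which wpa_passphrase also prints
audit_wpa_conf() {
    awk '
    /^[ \t]*network=[{]/      { in_net = 1; ssid = "?"; kind = "NO_PSK"; leak = 0; next }
    in_net && /^[ \t]*#psk="/ { leak = 1; next }
    /^[ \t]*#/                { next }
    in_net && /^[ \t]*ssid=/  {
        ssid = $0; sub(/^[ \t]*ssid=/, "", ssid); gsub(/"/, "", ssid); next
    }
    in_net && /^[ \t]*psk=/   {
        v = $0; sub(/^[ \t]*psk=/, "", v); sub(/[ \t]+$/, "", v)
        if (v ~ /^".*"$/)                                 kind = "PLAINTEXT_PSK"
        else if (length(v) == 64 && v ~ /^[0-9a-fA-F]+$/) kind = "HEX_PSK"
        else                                              kind = "MALFORMED_PSK"
        next
    }
    in_net && /^[ \t]*[}]/    {
        print kind, ssid
        if (leak) print "COMMENTED_PASSPHRASE", ssid
        in_net = 0
    }'
}

# Constructed sample: the two Quick Start networks plus one entry in the hex
# form (its 64 digits are made up, not a key derived from any passphrase).
sample_conf() {
    cat <<'EOF'
network={
    ssid="piland"
    psk="secretPassword"
}
network={
    ssid="homeRouter"
    psk="verizonpass"
}
network={
    ssid="lab"
    #psk="oldPassphrase"
    psk=00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
}
EOF
}

sample_conf | audit_wpa_conf
```

The hex key still grants access to its SSID, so the file should stay readable by root only in either form.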

Interface to PCMCIA-CS/CARDMGR

Changes to pcmcia-cs scripts to enable WPA support:
  1. Add MODE="Managed" and WPA="y" to the network scheme in /etc/pcmcia/wireless.opts.
  2. Add this block to the end of the start action handler in /etc/pcmcia/wireless:
    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
        /usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf -i$DEVICE
    fi
  3. Add the following block to the end of the stop action handler (may need to be separated from other actions)
    in /etc/pcmcia/wireless:
    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
        killall wpa_supplicant
    fi
This will make cardmgr start wpa_supplicant when the card is plugged in.

See

wpa_background(8), wpa_supplicant.conf, wpa_cli(8), wpa_passphrase(8), http://w1.fi

Unauthorized use of a wireless network is much easier than of a wired one: unauthorized users can passively monitor a wireless network and capture all transmitted frames.


wpa_cli

WPA command line client

sudo wpa_cli [-p path to ctrl sockets] [-g path to global ctrl_interface socket] [-i ifname]
          [ -hvB] [-a actionfile] [-P pid file] [-G ping interval] [ command]

Interacts with wpa_supplicant to query status, change configuration, trigger events and request interactive user input.
Shows the authentication status, selected security mode, dot11 and dot1x MIBs, etc.
Configure variables like EAPOL and trigger events like reassociation and IEEE 802.1X logoff/logon.
Request authentication information, like username and password, if these are not included in the configuration.
Implement one-time passwords or generic token card authentication, where the authentication is based on a challenge-response that uses an external device for generating the response.
Configure to allow non-root user access (ctrl_interface GROUP= in configuration file).

Interactive mode is started when wpa_cli is invoked without a command.

Interactive authentication parameters request

When wpa_supplicant needs authentication parameters, like username and password, that are not in the configuration file, it sends a request message to all attached frontend programs, e.g., wpa_cli in interactive mode.
wpa_cli shows these requests with a "CTRL-REQ-type-id:text" prefix. In case of an OTP request, it includes the challenge from the authentication server.

The reply to these requests can be given with the identity, password, and otp commands. The id needs to be copied from the matching request.
The password and otp commands can be used regardless of whether the request was for PASSWORD or OTP. The difference is that values given with password are remembered as long as wpa_supplicant is running, whereas values given with otp are used only once and then forgotten, i.e., wpa_supplicant will ask the frontend for a new value for every use. This can be used to implement one-time-password lists and generic token card-based authentication.

Example request for password and a matching reply:

CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
> password 1 mysecretpassword

Example request for generic token card challenge-response:

CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
> otp 2 9876
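
A frontend that answers these requests has to copy the type and id out of the "CTRL-REQ-type-id:text" prefix. The sketch below is an added example, not part of wpa_cli: ctrl_req_reply and ALLOWED_SSIDS are hypothetical names, and it assumes the request text ends in "SSID <name>" as in the two requests shown above.

```shell
#!/bin/sh
# Added example (not part of wpa_cli): build the reply command for one
# CTRL-REQ line, answering only for SSIDs the operator expects.
ALLOWED_SSIDS="foobar corp-wifi"        # constructed allow-list, no spaces in names

# usage: ctrl_req_reply '<CTRL-REQ line>' '<value>'
# Prints e.g. "password 1 <value>"; returns non-zero and prints nothing for a
# malformed request, an unknown type or an SSID that is not on the list.
ctrl_req_reply() {
    line=$1 value=$2
    case "$line" in CTRL-REQ-*-*:*) ;; *) return 1 ;; esac
    head=${line%%:*}            # CTRL-REQ-PASSWORD-1
    text=${line#*:}             # Password needed for SSID foobar
    rest=${head#CTRL-REQ-}      # PASSWORD-1
    type=${rest%-*}             # PASSWORD
    id=${rest##*-}              # 1
    case "$id" in ''|*[!0-9]*) return 1 ;; esac

    case "$text" in *" SSID "*) ssid=${text##*" SSID "} ;; *) return 1 ;; esac
    allowed=no
    for s in $ALLOWED_SSIDS; do
        if [ "$s" = "$ssid" ]; then allowed=yes; fi
    done
    [ "$allowed" = yes ] || return 1

    case "$type" in
        IDENTITY) cmd=identity ;;
        PASSWORD) cmd=password ;;   # remembered while wpa_supplicant runs
        OTP)      cmd=otp ;;        # used once, then requested again
        *)        return 1 ;;
    esac
    printf '%s %s %s\n' "$cmd" "$id" "$value"
}

# The two requests shown above, replayed as constructed input.
ctrl_req_reply 'CTRL-REQ-PASSWORD-1:Password needed for SSID foobar' mysecretpassword
ctrl_req_reply 'CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar' 9876
```

Typing the printed reply into an interactive wpa_cli session, rather than passing it as a command-line argument, keeps the secret out of the process list.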

Command Arguments

-p path path for control sockets
-g control socket path Connect to the global control socket at the indicated path rather than an interface-specific control socket.
-i ifname Interface that is being configured. By default, the first interface found with a control socket in the socket path. On pi93graf:
 sudo wpa_cli
 Selected interface 'p2p-dev-wlan0'
-B Run in the background as a daemon.
-a file Run in daemon mode, executing the action file based on events from wpa_supplicant.
 The file is executed with the first argument set to the interface name and the second to "CONNECTED" or "DISCONNECTED", depending on the event. This can be used to execute networking tools required to configure the interface. Environment variables:
  • $WPA_CTRL_DIR contains the absolute path to the ctrl_interface socket.
  • $WPA_ID contains the unique network_id identifier assigned to the active network.
  • $WPA_ID_STR contains the content of the id_str option.
-P file location of the PID file.
-G ping interval interval (in seconds) at which wpa_cli pings the supplicant.
command Run a command.
-h Help.
-v version
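
An action file for -a receives the interface name and the event as arguments and the three variables listed above in its environment. The script below is an added example, not part of wpa_cli: plan_action, log_line and the wpa-action log tag are hypothetical names, and it assumes dhclient is the DHCP client on the host.

```shell
#!/bin/sh
# Added example (not part of wpa_cli): an action file for `wpa_cli -a`.
# wpa_cli runs it with $1 = interface name and $2 = CONNECTED or DISCONNECTED
# and sets WPA_CTRL_DIR, WPA_ID and WPA_ID_STR in the environment.
# Assumption: dhclient is the DHCP client in use on this host.

# Print the command to run for one event; non-zero status means "ignore".
plan_action() {
    ifname=$1 event=$2
    # The script usually runs as root, so refuse anything that does not look
    # like an interface name before it reaches a command line.
    case "$ifname" in ''|-*|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$event" in
        CONNECTED)    echo "dhclient $ifname" ;;
        DISCONNECTED) echo "dhclient -r $ifname" ;;
        *)            return 1 ;;
    esac
}

# One log line per event. id_str is free text from the configuration file, so
# it is reduced to a safe character set before it is logged.
log_line() {
    id_str=$(printf '%s' "${WPA_ID_STR:-}" | tr -cd 'A-Za-z0-9_.-')
    echo "wpa-action if=$1 event=$2 network_id=${WPA_ID:-?} id_str=${id_str:-none}"
}

main() {
    cmd=$(plan_action "$1" "$2") || { logger -t wpa-action "ignored event"; return 1; }
    logger -t wpa-action "$(log_line "$1" "$2")"
    $cmd          # word splitting is intended: both parts were validated above
}

# Run only when wpa_cli supplied its two arguments.
if [ "$#" -ge 2 ]; then main "$@"; fi
```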

Commands

list_networks list configured networks
> list_n
network id / ssid / bssid / flags
0   disabled    any 
1   bslguest    any 
2   BTHub6CF3G  any
       
status get current WPA/EAPOL/EAP status
> status
wpa_state=DISCONNECTED
p2p_device_address=1a:90:4a:ab:c6:49
address=1a:90:4a:ab:c6:49
uuid=f66228b0-4709-59dd-9de6-10ba7bec9f9f
mib get MIB variables (dot11, dot1x)
> mib
dot11RSNAOptionImplemented=TRUE
dot11RSNAPreauthenticationImplemented=TRUE
dot11RSNAEnabled=FALSE
dot11RSNAPreauthenticationEnabled=FALSE
dot11RSNAConfigVersion=1
dot11RSNAConfigPairwiseKeysSupported=5
dot11RSNAConfigGroupCipherSize=0
dot11RSNAConfigPMKLifetime=43200
dot11RSNAConfigPMKReauthThreshold=70
dot11RSNAConfigNumberOfPTKSAReplayCounters=1
dot11RSNAConfigSATimeout=60
dot11RSNAPairwiseCipherSelected=00-00-00-0
dot11RSNAGroupCipherSelected=00-00-00-0
dot11RSNAPMKIDUsed=
dot11RSNAPairwiseCipherRequested=00-00-00-0
dot11RSNAGroupCipherRequested=00-00-00-0
dot11RSNAConfigNumberOfGTKSAReplayCounters=0
dot11RSNA4WayHandshakeFailures=0
dot11RSNAAuthenticationSuiteSelected=00-00-00-0
dot11RSNAAuthenticationSuiteRequested=00-00-00-0
dot1xSuppPaeState=1
dot1xSuppHeldPeriod=60
dot1xSuppAuthPeriod=30
dot1xSuppStartPeriod=30
dot1xSuppMaxStart=3
dot1xSuppSuppControlledPortStatus=Unauthorized
dot1xSuppBackendPaeState=1
dot1xSuppEapolFramesRx=0
dot1xSuppEapolFramesTx=0
dot1xSuppEapolStartFramesTx=0
dot1xSuppEapolLogoffFramesTx=0
dot1xSuppEapolRespFramesTx=0
dot1xSuppEapolReqIdFramesRx=0
dot1xSuppEapolReqFramesRx=0
dot1xSuppInvalidEapolFramesRx=0
dot1xSuppEapLengthErrorFramesRx=0
dot1xSuppLastEapolFrameVersion=0
dot1xSuppLastEapolFrameSource=00:00:00:00:00:00
set set variables (shows list of variables when run without arguments)
interface [ifname] show interfaces/select interface
> interface
Available interfaces:
p2p-dev-wlan0
wlan0
level debug level
logoff IEEE 802.1X EAPOL state machine logoff
logon IEEE 802.1X EAPOL state machine logon
pmksa show PMKSA cache
> pmksa
Index / AA / PMKID / expiration (in seconds) / opportunistic
reassociate
reconfigure re-read configuration file
preauthenticate BSSID force preauthentication
identity ID configure identity for an SSID
password pw configure password for an SSID
pin pin configure pin for an SSID
otp password configure one-time-password for an SSID
bssid BSSID set preferred BSSID for an SSID
license show full wpa_cli license
help show this usage help
terminate
quit

wpa_supplicant.config

See

Raspberry Pi as Access Point

Host access point configuration in hostapd.conf. Minimally:

interface=wlan0
driver=nl80211
ssid=RuuviCollector   1.1
channel=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ruuvibe***