wpa_supplicant
Wi-Fi Protected Access client and IEEE 802.1X supplicant
sudo wpa_supplicant [-BddfhKLqqsTtuvW] [-i ifname] [-c config_file] [-D driver] [-P PID_file] [-f output_file]
Start with sudo head -30 /etc/wpa_supplicant/wpa_supplicant
Some options have global scope.
Option groups for different interfaces must be separated by -N.
Filenames should be full paths, i.e. not relative.
-W  Wait for a control interface monitor before starting.
-B  background.
-P PID_file
-d  debugging messages (-dd even more).
-q  quiet debugging verbosity (-qq even less).
-t  timestamp included in debug messages.
-K  keys (passwords, etc.) included in debug output. Key material then lands in whatever the log goes to, so keep such logs out of syslog and shared files.

-s  Log output to syslog instead of stdout (if built with CONFIG_DEBUG_SYSLOG).
-T  Include tracing (if built with CONFIG_DEBUG_LINUX_TRACING).
-f output_file  Log output to output_file instead of stdout (if built with CONFIG_DEBUG_FILE).

-e entropy_file  file to maintain its internal entropy store in over restarts.
-g global_ctrl_interface  Path to the global ctrl_interface socket. If specified, interface definitions may be omitted.
-u  Enable the DBus control interface. If enabled, interface definitions may be omitted (if built with CONFIG_DBUS).

-N  next interface definition

-i ifname  Interface.
-c filename  configuration file.
-C ctrl_interface  Path to the ctrl_interface socket. Not with -c.
-b br_ifname  bridge interface name.
-D driver  can be multiple drivers (example: nl80211,wext). See the available options.
-p parameters  parameters for the driver.
-O override_ctrl_interface  Override the ctrl_interface parameter for new interfaces.
-o override_driver  Override the driver parameter for new interfaces.

-L  Show license (BSD).
-v  Show version. wpa_supplicant v2.6 (on Raspberry Pi Stretch, 1/14/20; this build did not have CONFIG_DEBUG_FILE)
Copyright (c) 2003-2015, Jouni Malinen and contributors
-h  Help. Show a usage message.
Driver backends that may be used with -D (driver); see wpa_supplicant -h.
wext        Linux wireless extensions (generic).
wired       wpa_supplicant wired Ethernet driver
roboswitch  wpa_supplicant Broadcom switch driver
bsd         BSD 802.11 support (Atheros, etc.).
ndis        Windows NDIS driver.
Usage
On Raspberry Pi:
> cat /etc/systemd/system/dbus-fi.w1.wpa_supplicant1.service
[Unit]
Description=WPA supplicant
Before=network.target
After=dbus.service
Wants=network.target
[Service]
Type=dbus
BusName=fi.w1.wpa_supplicant1
ExecStart=/sbin/wpa_supplicant -u -s -O /run/wpa_supplicant
# -u enables the DBus control interface, -s logs to syslog,
# -O overrides the ctrl_interface; maybe add -d for debugging.
[Install]
WantedBy=multi-user.target
Alias=dbus-fi.w1.wpa_supplicant1.service
> sudo ls /run/wpa_supplicant
p2p-dev-wlan0 wlan0
The only syslog message is :
daemon.notice wpa_supplicant[304]: Successfully initialized wpa_supplicant
sudo wpa_supplicant -B -c/etc/wpa_supplicant.conf -i wlan0 # fork to background.
Start in the foreground with debugging:
log=/tmp/wpa.`date +%y%m%d.%H%M`.log
sudo wpa_supplicant -d -c/etc/wpa_supplicant/wpa_supplicant.conf -i wlan0 > $log
If the specific driver wrapper is not known beforehand, it is possible to specify multiple comma-separated driver wrappers on the command line; wpa_supplicant uses the first driver wrapper that is able to initialize the interface.
sudo wpa_supplicant -Dnl80211,wext -c/etc/wpa_supplicant.conf -iwlan0
Control multiple interfaces (radios) by running one process for each interface or by running one process with a list of options. Each interface is separated with -N. Example:
sudo wpa_supplicant \
-c wpa1.conf -i wlan0 -D nl80211 \
-N \
-c wpa2.conf -i ath0 -D wext
Supported drivers
- Linux wireless extensions
- Wired Ethernet drivers (use ap_scan=0).
- BSD net80211 layer (e.g., Atheros driver); At the moment, this is for FreeBSD 6-CURRENT branch.
- Windows NDIS; requires WinPcap (http://winpcap.polito.it/). See README-Windows.txt
Architecture
wpa_supplicant       program that interacts with the network interface.
wpa_supplicant.conf  configuration file
wpa_cli              client program that provides a high-level interface to the daemon.
wpa_passphrase       utility to construct wpa_supplicant.conf files including encrypted passwords.
Quick Start
- Make the configuration file wpa_supplicant.conf:
# ANY error here will prevent the wifi network from starting
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=US
network={
ssid="piland"
psk="secretPassword"
}
network={
ssid="homeRouter"
psk="verizonpass"
}
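The Quick Start file above stores psk="secretPassword" as a plaintext passphrase; wpa_passphrase (listed under Architecture) instead writes the 256-bit PSK derived from passphrase and SSID. The following Python is an added illustration, not code from the wpa_supplicant project: it reproduces that derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes of output, the parameters fixed by IEEE 802.11) and renders a network block that carries only the derived key. Function names are my own; the check value is the IEEE 802.11 published test vector for passphrase "password" and SSID "IEEE".

```python
import hashlib
import re

# wpa_passphrase(8) derives the WPA/WPA2 PSK with PBKDF2-HMAC-SHA1:
# password = passphrase, salt = SSID, 4096 iterations, 32-byte output.
# These are the IEEE 802.11 parameters; the helper names are my own.
PBKDF2_ROUNDS = 4096
PSK_LEN = 32
HEX_PSK = re.compile(r"[0-9a-fA-F]{64}")


def derive_psk(passphrase: str, ssid: str) -> str:
    """Return the PSK as 64 lowercase hex characters, as wpa_passphrase prints it."""
    # wpa_passphrase enforces the same limits: 8..63 passphrase characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8..63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1..32 bytes")
    raw = hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes,
                              PBKDF2_ROUNDS, PSK_LEN)
    return raw.hex()


def is_hex_psk(value: str) -> bool:
    """True if value is the unquoted 64-hex-digit psk= form of wpa_supplicant.conf."""
    return HEX_PSK.fullmatch(value) is not None


def network_block(ssid: str, passphrase: str) -> str:
    """Render a network={...} block that carries only the derived key.

    wpa_passphrase also writes a '#psk="..."' comment holding the passphrase;
    that line is deliberately omitted so the plaintext never lands on disk.
    """
    psk = derive_psk(passphrase, ssid)
    return 'network={\n\tssid="%s"\n\tpsk=%s\n}\n' % (ssid, psk)


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE".
    print(network_block("IEEE", "password"), end="")
```

The quoted psk="..." form in the config is only ever needed if the file is generated by hand; once the hex form is in place the passphrase itself does not need to exist anywhere on the device.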
- Test by running in the foreground with debugging:
sudo wpa_supplicant -i wlan0 -c/etc/wpa_supplicant.conf -d
example output
example -dd output
sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -d
- Start in the background without debugging:
sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
With more than one driver interface in the build-time configuration (.config), specify which interface to use by including -Ddriver_name.
Interface to PCMCIA-CS/CARDMRG
Changes to pcmcia-cs scripts to enable WPA support:
- Add MODE="Managed" and WPA="y" to the network scheme in /etc/pcmcia/wireless.opts.
- Add this block to the end of the start action handler in /etc/pcmcia/wireless:
if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
/usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf -i$DEVICE
fi
- Add the following block to the end of the stop action handler (may need to be separated from other actions) in /etc/pcmcia/wireless:
if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
killall wpa_supplicant
fi
This will make cardmgr start wpa_supplicant when the card is plugged in.
See also: wpa_background(8), wpa_supplicant.conf (http://w1.fi), wpa_cli(8), wpa_passphrase(8)
Unauthorized use of the network is much easier.
Unauthorized users can passively monitor a wireless network and capture all transmitted frames.
wpa_cli
WPA command line client
sudo wpa_cli [-p path_to_ctrl_sockets] [-g path_to_global_ctrl_interface_socket] [-i ifname] [-hvB] [-a actionfile] [-P pid_file] [-G ping_interval] [command …]
Interacts with wpa_supplicant
to query status, change configuration, trigger events and request interactive user input.
Shows the authentication status, selected security mode, dot11 and dot1x MIBs, etc.
Configure variables like EAPOL and trigger events like reassociation and IEEE 802.1X logoff/logon.
Request authentication information, like username and password, if these are not included in the configuration.
Implement one-time-passwords or generic token card authentication, where the authentication is based on a challenge-response that uses an external device for generating the response.
Configure to allow non-root user access (ctrl_interface GROUP= in the configuration file).
Interactive mode is started when invoked without a command.
Interactive authentication parameters request
When wpa_supplicant needs authentication parameters, like username and password, that are not in the configuration file, it sends a request message to all attached frontend programs, e.g., wpa_cli in interactive mode.
wpa_cli shows these requests with a "CTRL-REQ-type-id:text" prefix.
type  is IDENTITY, PASSWORD, or OTP (one-time-password)
id    is a unique identifier for the current network.
text  is a description of the request. In case of an OTP request, it includes the challenge from the authentication server.
The reply to these requests can be given with the identity, password, and otp commands. id needs to be copied from the matching request.
The password and otp commands can be used regardless of whether the request was for PASSWORD or OTP. The difference is that values given with password are remembered as long as wpa_supplicant is running, whereas values given with otp are used only once and then forgotten, i.e., wpa_supplicant will ask the frontend for a new value for every use. This can be used to implement one-time-password lists and generic token card-based authentication.
Example request for password and a matching reply:
CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
> password 1 mysecretpassword
Example request for generic token card challenge-response:
CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
> otp 2 9876
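The request/reply exchange above, worked through in Python as an added example (this is not wpa_cli or wpa_supplicant code): a frontend-side parser for "CTRL-REQ-type-id:text" lines and reply builder, plus a small model of the supplicant side that shows the difference between a password reply (kept for the rest of the run) and an otp reply (used once, then requested again). Class and function names are my own; the sample request texts are the ones shown above.

```python
import re

# Request line as wpa_cli prints it: CTRL-REQ-<type>-<id>:<text>
CTRL_REQ = re.compile(r"^CTRL-REQ-(IDENTITY|PASSWORD|OTP)-(\d+):(.*)$")
REPLY_CMDS = ("identity", "password", "otp")


def parse_request(line):
    """Frontend side: split a CTRL-REQ line into type, id and text (None if it is not one)."""
    m = CTRL_REQ.match(line.strip())
    if not m:
        return None
    return {"type": m.group(1), "id": int(m.group(2)), "text": m.group(3)}


def build_reply(request, value, one_time=False):
    """Frontend side: the id is copied from the request; otp may answer a PASSWORD or OTP request."""
    if request["type"] == "IDENTITY":
        cmd = "identity"
    else:
        cmd = "otp" if one_time else "password"
    return "%s %d %s" % (cmd, request["id"], value)


class SupplicantModel:
    """Toy model of the supplicant side of this exchange (my illustration, not wpa_supplicant code)."""

    def __init__(self):
        self.stored = {}     # (field, network id) -> value kept while "running"
        self.pending = {}    # network id -> request type awaiting a reply
        self.requests = []   # request lines sent to attached frontends

    def need(self, kind, net_id, text):
        """Authentication needs a credential: return it, or emit a request and return None."""
        field = "identity" if kind == "IDENTITY" else "password"
        if (field, net_id) in self.stored:
            return self.stored[(field, net_id)]
        self.pending[net_id] = kind
        self.requests.append("CTRL-REQ-%s-%d:%s" % (kind, net_id, text))
        return None

    def reply(self, command):
        """Accept 'identity|password|otp <id> <value>' and return the value for this use."""
        parts = command.split(" ", 2)
        if len(parts) != 3 or parts[0] not in REPLY_CMDS or not parts[1].isdigit():
            raise ValueError("malformed reply: %r" % command)
        cmd, net_id, value = parts[0], int(parts[1]), parts[2]
        kind = self.pending.get(net_id)
        if kind is None:
            raise ValueError("no outstanding request for network id %d" % net_id)
        if (kind == "IDENTITY") != (cmd == "identity"):
            raise ValueError("reply %r does not match %s request" % (cmd, kind))
        del self.pending[net_id]
        if cmd != "otp":
            # identity/password replies are remembered for the rest of the run ...
            self.stored[(cmd, net_id)] = value
        # ... an otp reply is used once and forgotten: the next need() asks again.
        return value


if __name__ == "__main__":
    supp = SupplicantModel()
    supp.need("OTP", 2, "Challenge 1235663 needed for SSID foobar")
    req = parse_request(supp.requests[-1])
    print(req["text"], "->", build_reply(req, "9876", one_time=True))
```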
Command Arguments
-p path               path for control sockets
-g control_socket_path  Connect to the global control socket at the indicated path rather than an interface-specific control socket.
-i ifname             interface that is being configured. By default, the first interface found with a control socket in the socket path.
on pi93graf:
sudo wpa_cli
Selected interface 'p2p-dev-wlan0'
-B                    background as a daemon
-a file               Run in daemon mode executing the action file based on events from wpa_supplicant. file will be executed with the first argument set to the interface name and the second to "CONNECTED" or "DISCONNECTED" depending on the event. This can be used to execute networking tools required to configure the interface.
Environment variables:
$WPA_CTRL_DIR contains the absolute path to the ctrl_interface socket.
$WPA_ID contains the unique network_id identifier assigned to the active network.
$WPA_ID_STR contains the content of the id_str option.
-P file               location of the PID file.
-G ping_interval      interval (in seconds) at which wpa_cli pings the supplicant.
command               Run a command.
-h                    Help.
-v                    version
Commands
list_networks   list configured networks
> list_n
network id / ssid / bssid / flags
0 disabled any
1 bslguest any
2 BTHub6CF3G any
status          get current WPA/EAPOL/EAP status
> status
wpa_state=DISCONNECTED
p2p_device_address=1a:90:4a:ab:c6:49
address=1a:90:4a:ab:c6:49
uuid=f66228b0-4709-59dd-9de6-10ba7bec9f9f
mib             get MIB variables (dot11, dot1x)
> mib
dot11RSNAOptionImplemented=TRUE
dot11RSNAPreauthenticationImplemented=TRUE
dot11RSNAEnabled=FALSE
dot11RSNAPreauthenticationEnabled=FALSE
dot11RSNAConfigVersion=1
dot11RSNAConfigPairwiseKeysSupported=5
dot11RSNAConfigGroupCipherSize=0
dot11RSNAConfigPMKLifetime=43200
dot11RSNAConfigPMKReauthThreshold=70
dot11RSNAConfigNumberOfPTKSAReplayCounters=1
dot11RSNAConfigSATimeout=60
dot11RSNAPairwiseCipherSelected=00-00-00-0
dot11RSNAGroupCipherSelected=00-00-00-0
dot11RSNAPMKIDUsed=
dot11RSNAPairwiseCipherRequested=00-00-00-0
dot11RSNAGroupCipherRequested=00-00-00-0
dot11RSNAConfigNumberOfGTKSAReplayCounters=0
dot11RSNA4WayHandshakeFailures=0
dot11RSNAAuthenticationSuiteSelected=00-00-00-0
dot11RSNAAuthenticationSuiteRequested=00-00-00-0

dot1xSuppPaeState=1
dot1xSuppHeldPeriod=60
dot1xSuppAuthPeriod=30
dot1xSuppStartPeriod=30
dot1xSuppMaxStart=3
dot1xSuppSuppControlledPortStatus=Unauthorized
dot1xSuppBackendPaeState=1
dot1xSuppEapolFramesRx=0
dot1xSuppEapolFramesTx=0
dot1xSuppEapolStartFramesTx=0
dot1xSuppEapolLogoffFramesTx=0
dot1xSuppEapolRespFramesTx=0
dot1xSuppEapolReqIdFramesRx=0
dot1xSuppEapolReqFramesRx=0
dot1xSuppInvalidEapolFramesRx=0
dot1xSuppEapLengthErrorFramesRx=0
dot1xSuppLastEapolFrameVersion=0
dot1xSuppLastEapolFrameSource=00:00:00:00:00:00
set                   set variables (shows list of variables when run without arguments)
interface [ifname]    show interfaces/select interface
> interface
Available interfaces:
p2p-dev-wlan0
wlan0
level                 debug level
logoff                IEEE 802.1X EAPOL state machine logoff
logon                 IEEE 802.1X EAPOL state machine logon
pmksa                 show PMKSA cache
> pmksa
Index / AA / PMKID / expiration (in seconds) / opportunistic
reassociate
reconfigure           re-read configuration file
preauthenticate BSSID force preauthentication
identity ID           configure identity for an SSID
password pw           configure password for an SSID
pin pin               configure pin for an SSID
otp password          configure one-time-password for an SSID
bssid BSSID           set preferred BSSID for an SSID
license               show full wpa_cli license
help                  show this usage help
terminate
quit
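The status and mib listings above are plain key=value lines, which makes them easy to collect from a fleet of supplicants. As an added example (not wpa_cli's code), the Python below parses that output, names the negotiated ciphers and key-management suite from the RSN suite selectors wpa_supplicant prints (OUI 00-0f-ac, the IEEE 802.11 selectors), and reports the things a defender wants flagged: no association, a weak pairwise or group cipher, and error counters that should stay at zero. The samples are constructed from the listing above (a disconnected interface); function names and finding texts are my own.

```python
# Constructed samples, shaped like the `status` and `mib` listings above
# (values are the page's own: disconnected interface, no cipher negotiated).
STATUS_SAMPLE = """wpa_state=DISCONNECTED
p2p_device_address=1a:90:4a:ab:c6:49
address=1a:90:4a:ab:c6:49
uuid=f66228b0-4709-59dd-9de6-10ba7bec9f9f
"""
MIB_SAMPLE = """dot11RSNAEnabled=FALSE
dot11RSNAPairwiseCipherSelected=00-00-00-0
dot11RSNAGroupCipherSelected=00-00-00-0
dot11RSNAAuthenticationSuiteSelected=00-00-00-0
dot11RSNA4WayHandshakeFailures=0
dot1xSuppSuppControlledPortStatus=Unauthorized
dot1xSuppInvalidEapolFramesRx=0
dot1xSuppEapLengthErrorFramesRx=0
"""

# RSN suite selectors in the "oui-oui-oui-type" form wpa_supplicant prints.
RSN_CIPHER = {
    "00-00-00-0": "none", "00-0f-ac-1": "WEP-40", "00-0f-ac-2": "TKIP",
    "00-0f-ac-4": "CCMP-128", "00-0f-ac-5": "WEP-104", "00-0f-ac-8": "GCMP-128",
    "00-0f-ac-9": "GCMP-256", "00-0f-ac-10": "CCMP-256",
}
RSN_AKM = {
    "00-00-00-0": "none", "00-0f-ac-1": "802.1X", "00-0f-ac-2": "PSK",
    "00-0f-ac-5": "802.1X-SHA256", "00-0f-ac-6": "PSK-SHA256", "00-0f-ac-8": "SAE",
}
WEAK_CIPHERS = {"WEP-40", "WEP-104", "TKIP"}
# Counters that stay at zero on a healthy link; anything else deserves a look.
ERROR_COUNTERS = (
    ("dot11RSNA4WayHandshakeFailures", "4-way handshake failures"),
    ("dot1xSuppInvalidEapolFramesRx", "invalid EAPOL frames received"),
    ("dot1xSuppEapLengthErrorFramesRx", "EAP length errors"),
)


def parse_kv(text):
    """Turn 'key=value' lines into a dict; blank and malformed lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            out[key] = value
    return out


def _count(mib, key):
    """Integer counter from the mib dict, 0 if absent or not numeric."""
    try:
        return int(mib.get(key, "0"))
    except ValueError:
        return 0


def assess(status, mib):
    """Summarise one interface; an empty 'findings' list means nothing to report."""
    state = status.get("wpa_state", "UNKNOWN")
    summary = {
        "state": state,
        "pairwise": RSN_CIPHER.get(mib.get("dot11RSNAPairwiseCipherSelected", ""), "unknown"),
        "group": RSN_CIPHER.get(mib.get("dot11RSNAGroupCipherSelected", ""), "unknown"),
        "akm": RSN_AKM.get(mib.get("dot11RSNAAuthenticationSuiteSelected", ""), "unknown"),
        "findings": [],
    }
    if state != "COMPLETED":
        summary["findings"].append("not associated: wpa_state=%s" % state)
    else:
        # Cipher findings only make sense once a connection has been negotiated.
        for label in ("pairwise", "group"):
            if summary[label] in WEAK_CIPHERS:
                summary["findings"].append("weak %s cipher %s" % (label, summary[label]))
    for key, description in ERROR_COUNTERS:
        n = _count(mib, key)
        if n:
            summary["findings"].append("%s: %d" % (description, n))
    return summary


if __name__ == "__main__":
    result = assess(parse_kv(STATUS_SAMPLE), parse_kv(MIB_SAMPLE))
    for finding in result["findings"]:
        print(finding)
```

Run against live output with something like `wpa_cli -i wlan0 status` and `wpa_cli -i wlan0 mib` fed into parse_kv; a connected WPA2 station should show CCMP-128 for both ciphers and an empty findings list.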
See Raspberry Pi as Access Point.
Host Access Point configuration at hostapd.conf. Minimal:
interface=wlan0
driver=nl80211
ssid=RuuviCollector 1.1
channel=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ruuvibe***