From d9f0fe830d1abea2966e0e12c20aacbcf5079f3d Mon Sep 17 00:00:00 2001
From: blshkv
Date: Sun, 15 Oct 2017 17:45:37 +0800
Subject: [PATCH] hostapd: update wpe patch

---
 .../hostapd/files/hostapd-2.6-wpe.patch | 8 +-
 .../hostapd/files/hostapd-2.6-wpe.patch.orig | 3132 ----------------
 ...stapd-2.6.ebuild => hostapd-2.6-r1.ebuild} | 6 +-
 3 files changed, 6 insertions(+), 3140 deletions(-)
 rename net-wireless/hostapd/{hostapd-2.6.ebuild => hostapd-2.6-r1.ebuild} (97%)

diff --git a/net-wireless/hostapd/files/hostapd-2.6-wpe.patch b/net-wireless/hostapd/files/hostapd-2.6-wpe.patch
index 5080c98aa..472b17abf 100644
--- a/net-wireless/hostapd/files/hostapd-2.6-wpe.patch
+++ b/net-wireless/hostapd/files/hostapd-2.6-wpe.patch
@@ -111,10 +111,10 @@ diff -rupN hostapd-2.6/hostapd/hostapd-wpe.eap_user hostapd-2.6-wpe/hostapd/host
 +#"2"* AKA,TTLS,TLS,PEAP,SIM
 +#"3"* SIM,TTLS,TLS,PEAP,AKA
 +#"4"* AKA,TTLS,TLS,PEAP,SIM
-+"5"* SIM,TTLS,TLS,PEAP,AKA
-+"6"* AKA'
-+"7"* AKA'
-+"8"* AKA'
++#"5"* SIM,TTLS,TLS,PEAP,AKA
++#"6"* AKA'
++#"7"* AKA'
++#"8"* AKA'
 +
 +# Wildcard for all other identities
 +#* PEAP,TTLS,TLS,SIM,AKA
diff --git a/net-wireless/hostapd/files/hostapd-2.6-wpe.patch.orig b/net-wireless/hostapd/files/hostapd-2.6-wpe.patch.orig
index fa1f21e12..5080c98aa 100644
--- a/net-wireless/hostapd/files/hostapd-2.6-wpe.patch.orig
+++ b/net-wireless/hostapd/files/hostapd-2.6-wpe.patch.orig
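Review bot: Nothing records why the `"5"`–`"8"` identity-prefix entries of hostapd-wpe.eap_user are being commented out — the subject line is only "update wpe patch", and the file's own explanatory comment block, which lies outside this hunk, is left unchanged. With entries "2"–"8" and the `#*` wildcard now all disabled, which phase-1 methods remain offered for identities matching those prefixes depends on uncommented entries elsewhere in the file, so the behavioural effect cannot be reviewed from this hunk alone. The reason should at least go in the commit message; if it is also added inside the patched file as a line such as `+# Entries "5"-"8" disabled: <reason placeholder>`, the inner `@@` line counts for the eap_user section (outside this hunk) must be bumped to match. As written, the four-for-four in-place replacement keeps those inner counts valid, and the -r1 revbump shown in the diffstat is the correct way to propagate a patch change to installed systems.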
@@ -1,1069 +1,3 @@ -diff -rupN hostapd-2.6/hostapd/certs/bootstrap hostapd-2.6-wpe/hostapd/certs/bootstrap ---- hostapd-2.6/hostapd/certs/bootstrap 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/bootstrap 2016-12-17 06:12:53.639984078 -0500 -@@ -0,0 +1,82 @@ -+#!/bin/sh -+# -+# This is a wrapper script to create default certificates when the -+# server first starts in debugging mode. Once the certificates have been -+# created, this file should be deleted. -+# -+# Ideally, this program should be run as part of the installation of any -+# binary package. The installation should also ensure that the permissions -+# and owners are correct for the files generated by this script. -+# -+# $Id: c9d939beac8d5bdc21ea1ff9233442f9ab933297 $ -+# -+umask 027 -+cd `dirname $0` -+ -+make -h > /dev/null 2>&1 -+ -+# -+# If we have a working "make", then use it. Otherwise, run the commands -+# manually. -+# -+if [ "$?" = "0" ]; then -+ make all -+ exit $? -+fi -+ -+# -+# The following commands were created by running "make -n", and edited -+# to remove the trailing backslash, and to add "exit 1" after the commands. -+# -+# Don't edit the following text. Instead, edit the Makefile, and -+# re-generate these commands. -+# -+if [ ! -f dh ]; then -+ openssl dhparam -out dh 1024 || exit 1 -+ if [ -e /dev/urandom ] ; then -+ ln -sf /dev/urandom random -+ else -+ date > ./random; -+ fi -+fi -+ -+if [ ! -f server.key ]; then -+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 -+fi -+ -+if [ ! -f ca.key ]; then -+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 -+fi -+ -+if [ ! -f index.txt ]; then -+ touch index.txt -+fi -+ -+if [ ! -f serial ]; then -+ echo '01' > serial -+fi -+ -+if [ ! 
-f server.crt ]; then -+ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 -+fi -+ -+if [ ! -f server.p12 ]; then -+ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 -+fi -+ -+if [ ! -f server.pem ]; then -+ openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 -+ openssl verify -CAfile ca.pem server.pem || exit 1 -+fi -+ -+if [ ! -f ca.der ]; then -+ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 -+fi -+ -+if [ ! -f client.key ]; then -+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -+fi -+ -+if [ ! 
-f client.crt ]; then -+ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf -+fi -diff -rupN hostapd-2.6/hostapd/certs/ca.cnf hostapd-2.6-wpe/hostapd/certs/ca.cnf ---- hostapd-2.6/hostapd/certs/ca.cnf 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/ca.cnf 2016-12-17 06:12:53.639984078 -0500 -@@ -0,0 +1,62 @@ -+[ ca ] -+default_ca = CA_default -+ -+[ CA_default ] -+dir = ./ -+certs = $dir -+crl_dir = $dir/crl -+database = $dir/index.txt -+new_certs_dir = $dir -+certificate = $dir/ca.pem -+serial = $dir/serial -+crl = $dir/crl.pem -+private_key = $dir/ca.key -+RANDFILE = $dir/.rand -+name_opt = ca_default -+cert_opt = ca_default -+default_days = 365 -+default_crl_days = 364 -+default_md = sha256 -+preserve = no -+policy = policy_match -+crlDistributionPoints = URI:http://www.example.org/example_ca.crl -+ -+[ policy_match ] -+countryName = match -+stateOrProvinceName = match -+organizationName = match -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ policy_anything ] -+countryName = optional -+stateOrProvinceName = optional -+localityName = optional -+organizationName = optional -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ req ] -+prompt = no -+distinguished_name = certificate_authority -+default_bits = 2048 -+input_password = whatever -+output_password = whatever -+x509_extensions = v3_ca -+ -+[certificate_authority] -+countryName = FR -+stateOrProvinceName = Radius -+localityName = Somewhere -+organizationName = Example Inc. 
-+emailAddress = admin@example.org -+commonName = "Example Certificate Authority" -+ -+[v3_ca] -+subjectKeyIdentifier = hash -+authorityKeyIdentifier = keyid:always,issuer:always -+basicConstraints = critical,CA:true -+crlDistributionPoints = URI:http://www.example.org/example_ca.crl -+ -diff -rupN hostapd-2.6/hostapd/certs/client.cnf hostapd-2.6-wpe/hostapd/certs/client.cnf ---- hostapd-2.6/hostapd/certs/client.cnf 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/client.cnf 2016-12-17 06:12:53.639984078 -0500 -@@ -0,0 +1,53 @@ -+[ ca ] -+default_ca = CA_default -+ -+[ CA_default ] -+dir = ./ -+certs = $dir -+crl_dir = $dir/crl -+database = $dir/index.txt -+new_certs_dir = $dir -+certificate = $dir/ca.pem -+serial = $dir/serial -+crl = $dir/crl.pem -+private_key = $dir/ca.key -+RANDFILE = $dir/.rand -+name_opt = ca_default -+cert_opt = ca_default -+default_days = 365 -+default_crl_days = 364 -+default_md = sha256 -+preserve = no -+policy = policy_match -+ -+[ policy_match ] -+countryName = match -+stateOrProvinceName = match -+organizationName = match -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ policy_anything ] -+countryName = optional -+stateOrProvinceName = optional -+localityName = optional -+organizationName = optional -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ req ] -+prompt = no -+distinguished_name = client -+default_bits = 2048 -+input_password = whatever -+output_password = whatever -+ -+[client] -+countryName = FR -+stateOrProvinceName = Radius -+localityName = Somewhere -+organizationName = Example Inc. 
-+emailAddress = user@example.org -+commonName = user@example.org -diff -rupN hostapd-2.6/hostapd/certs/demoCA/cacert.pem hostapd-2.6-wpe/hostapd/certs/demoCA/cacert.pem ---- hostapd-2.6/hostapd/certs/demoCA/cacert.pem 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/demoCA/cacert.pem 2016-12-17 06:12:53.639984078 -0500 -@@ -0,0 +1,22 @@ -+-----BEGIN CERTIFICATE----- -+MIIDtjCCAx+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCQ0Ex -+ETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQHEwlTb21lIENpdHkxFTATBgNVBAoT -+DE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9jYWxob3N0MRswGQYDVQQDExJDbGll -+bnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNv -+bTAeFw0wNDAxMjUxMzI2MDdaFw0wNjAxMjQxMzI2MDdaMIGfMQswCQYDVQQGEwJD -+QTERMA8GA1UECBMIUHJvdmluY2UxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UE -+ChMMT3JnYW5pemF0aW9uMRIwEAYDVQQLEwlsb2NhbGhvc3QxGzAZBgNVBAMTEkNs -+aWVudCBjZXJ0aWZpY2F0ZTEhMB8GCSqGSIb3DQEJARYSY2xpZW50QGV4YW1wbGUu -+Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUxbGXJPFkrPH/sYnbHI+/ -+9PFDlup8sekPeNaUUXJTd4ld/lLMuZtB6A3etYsSepQ/T1jLxWKHgZL73G/s6fhx -+58Ew01z1GIgX6bEzJJ7dKhx10xBDrodVPOx6d+8mqn10KB25t34XxkRsXdmxiLQy -+UMoCKZY3IqEjpyawC0An/QIDAQABo4H/MIH8MB0GA1UdDgQWBBRo020+Hue8nVoF -+cCHDY9oTZdGt4zCBzAYDVR0jBIHEMIHBgBRo020+Hue8nVoFcCHDY9oTZdGt46GB -+paSBojCBnzELMAkGA1UEBhMCQ0ExETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQH -+EwlTb21lIENpdHkxFTATBgNVBAoTDE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9j -+YWxob3N0MRswGQYDVQQDExJDbGllbnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0B -+CQEWEmNsaWVudEBleGFtcGxlLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 -+DQEBBAUAA4GBADPAC2ax5Xnvc6BnmCUtq41eVRH8AP0nbYDRL4NHd8Z0P9wnQ/yh -+UHcE5LwJeeT2CsOtnug+bzRzaSKdH3cim6LpgjWdpWMCSgAWPbptbJhsC60or4UT -+L/jw12UBvxt8Lf9ljOHmLAGZe25k4+jUNzNUzpkShHZRU5BjuFu8VIXF -+-----END CERTIFICATE----- -diff -rupN hostapd-2.6/hostapd/certs/Makefile hostapd-2.6-wpe/hostapd/certs/Makefile ---- hostapd-2.6/hostapd/certs/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/Makefile 2016-12-17 06:12:53.643984078 -0500 -@@ 
-0,0 +1,145 @@ -+###################################################################### -+# -+# Make file to be installed in /etc/raddb/certs to enable -+# the easy creation of certificates. -+# -+# See the README file in this directory for more information. -+# -+# $Id: cc12464c6c7754aff2f0c8d6e116708c94ff2168 $ -+# -+###################################################################### -+ -+DH_KEY_SIZE = 2048 -+ -+# -+# Set the passwords -+# -+-include passwords.mk -+ -+###################################################################### -+# -+# Make the necessary files, but not client certificates. -+# -+###################################################################### -+.PHONY: all -+all: index.txt serial dh server ca client -+ -+.PHONY: client -+client: client.pem -+ -+.PHONY: ca -+ca: ca.der -+ -+.PHONY: server -+server: server.pem server.vrfy -+ -+.PHONY: verify -+verify: server.vrfy client.vrfy -+ -+passwords.mk: server.cnf ca.cnf client.cnf -+ @echo "PASSWORD_SERVER = '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@ -+ @echo "PASSWORD_CA = '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@ -+ @echo "PASSWORD_CLIENT = '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@ -+ @echo "USER_NAME = '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@ -+ @echo "CA_DEFAULT_DAYS = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@ -+ -+###################################################################### -+# -+# Diffie-Hellman parameters -+# -+###################################################################### -+dh: -+ openssl gendh -out dh -2 $(DH_KEY_SIZE) -+ -+###################################################################### -+# -+# Create a new self-signed CA certificate -+# -+###################################################################### -+ca.key ca.pem: ca.cnf -+ @[ -f index.txt ] || $(MAKE) index.txt -+ @[ -f serial ] || $(MAKE) 
serial -+ openssl req -new -x509 -keyout ca.key -out ca.pem \ -+ -days $(CA_DEFAULT_DAYS) -config ./ca.cnf -+ -+ca.der: ca.pem -+ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der -+ -+###################################################################### -+# -+# Create a new server certificate, signed by the above CA. -+# -+###################################################################### -+server.csr server.key: server.cnf -+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf -+ -+server.crt: server.csr ca.key ca.pem -+ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf -+ -+server.p12: server.crt -+ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) -+ -+server.pem: server.p12 -+ openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) -+ -+.PHONY: server.vrfy -+server.vrfy: ca.pem -+ @openssl verify -CAfile ca.pem server.pem -+ -+###################################################################### -+# -+# Create a new client certificate, signed by the the above server -+# certificate. 
-+# -+###################################################################### -+client.csr client.key: client.cnf -+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -+ -+client.crt: client.csr ca.pem ca.key -+ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf -+ -+client.p12: client.crt -+ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) -+ -+client.pem: client.p12 -+ openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) -+ cp client.pem $(USER_NAME).pem -+ -+.PHONY: client.vrfy -+client.vrfy: ca.pem client.pem -+ c_rehash . -+ openssl verify -CApath . client.pem -+ -+###################################################################### -+# -+# Miscellaneous rules. -+# -+###################################################################### -+index.txt: -+ @touch index.txt -+ -+serial: -+ @echo '01' > serial -+ -+print: -+ openssl x509 -text -in server.crt -+ -+printca: -+ openssl x509 -text -in ca.pem -+ -+install: -+ install -d $(DESTDIR)/etc/hostapd-wpe -+ install -m 644 dh $(DESTDIR)/etc/hostapd-wpe -+ install -m 644 ca.pem $(DESTDIR)/etc/hostapd-wpe -+ install -m 644 server.pem $(DESTDIR)/etc/hostapd-wpe -+ install -m 644 server.key $(DESTDIR)/etc/hostapd-wpe -+ -+clean: -+ @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem -+ -+# -+# Make a target that people won't run too often. 
-+# -+destroycerts: -+ rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \ -+ serial* *\.0 *\.1 -diff -rupN hostapd-2.6/hostapd/certs/README hostapd-2.6-wpe/hostapd/certs/README ---- hostapd-2.6/hostapd/certs/README 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/README 2016-12-17 06:12:53.643984078 -0500 -@@ -0,0 +1,226 @@ -+ This directory contains scripts to create the server certificates. -+To make a set of default (i.e. test) certificates, simply type: -+ -+$ ./bootstrap -+ -+ The "openssl" command will be run against the sample configuration -+files included here, and will make a self-signed certificate authority -+(i.e. root CA), and a server certificate. This "root CA" should be -+installed on any client machine needing to do EAP-TLS, PEAP, or -+EAP-TTLS. -+ -+ The Microsoft "XP Extensions" will be automatically included in the -+server certificate. Without those extensions Windows clients will -+refuse to authenticate to FreeRADIUS. -+ -+ The root CA and the "XP Extensions" file also contain a crlDistributionPoints -+attribute. The latest release of Windows Phone needs this to be present -+for the handset to validate the RADIUS server certificate. The RADIUS -+server must have the URI defined but the CA need not have...however it -+is best practice for a CA to have a revocation URI. Note that whilst -+the Windows Mobile client cannot actually use the CRL when doing 802.1X -+it is recommended that the URI be an actual working URL and contain a -+revocation format file as there may be other OS behaviour at play and -+future OSes that may do something with that URI. -+ -+ In general, you should use self-signed certificates for 802.1x (EAP) -+authentication. When you list root CAs from other organisations in -+the "ca_file", you permit them to masquerade as you, to authenticate -+your users, and to issue client certificates for EAP-TLS. 
-+ -+ If FreeRADIUS was configured to use OpenSSL, then simply starting -+the server in root in debugging mode should also create test -+certificates, i.e.: -+ -+$ radiusd -X -+ -+ That will cause the EAP-TLS module to run the "bootstrap" script in -+this directory. The script will be executed only once, the first time -+the server has been installed on a particular machine. This bootstrap -+script SHOULD be run on installation of any pre-built binary package -+for your OS. In any case, the script will ensure that it is not run -+twice, and that it does not over-write any existing certificates. -+ -+ If you already have CA and server certificates, rename (or delete) -+this directory, and create a new "certs" directory containing your -+certificates. Note that the "make install" command will NOT -+over-write your existing "raddb/certs" directory, which means that the -+"bootstrap" command will not be run. -+ -+ -+ NEW INSTALLATIONS OF FREERADIUS -+ -+ -+ We suggest that new installations use the test certificates for -+initial tests, and then create real certificates to use for normal -+user authentication. See the instructions below for how to create the -+various certificates. The old test certificates can be deleted by -+running the following command: -+ -+$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* -+ -+ Then, follow the instructions below for creating real certificates. -+ -+ Once the final certificates have been created, you can delete the -+"bootstrap" command from this directory, and delete the -+"make_cert_command" configuration from the "tls" sub-section of -+eap.conf. -+ -+ If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete -+the relevant sub-sections from the "eap.conf" file. -+ -+ -+ MAKING A ROOT CERTIFICATE -+ -+ -+$ vi ca.cnf -+ -+ Edit the "input_password" and "output_password" fields to be the -+ password for the CA certificate. 
-+ -+ Edit the [certificate_authority] section to have the correct values -+ for your country, state, etc. -+ -+$ make ca.pem -+ -+ This step creates the CA certificate. -+ -+$ make ca.der -+ -+ This step creates the DER format of the self-signed certificate, -+ which is can be imported into Windows. -+ -+ -+ MAKING A SERVER CERTIFICATE -+ -+ -+$ vi server.cnf -+ -+ Edit the "input_password" and "output_password" fields to be the -+ password for the server certificate. -+ -+ Edit the [server] section to have the correct values for your -+ country, state, etc. Be sure that the commonName field here is -+ different from the commonName for the CA certificate. -+ -+$ make server.pem -+ -+ This step creates the server certificate. -+ -+ If you have an existing certificate authority, and wish to create a -+ certificate signing request for the server certificate, edit -+ server.cnf as above, and type the following command. -+ -+$ make server.csr -+ -+ You will have to ensure that the certificate contains the XP -+ extensions needed by Microsoft clients. -+ -+ -+ MAKING A CLIENT CERTIFICATE -+ -+ -+ Client certificates are used by EAP-TLS, and optionally by EAP-TTLS -+and PEAP. The following steps outline how to create a client -+certificate that is signed by the server certificate created above. -+You will have to have the password for the server certificate in the -+"input_password" and "output_password" fields of the server.cnf file. -+ -+ -+$ vi client.cnf -+ -+ Edit the "input_password" and "output_password" fields to be the -+ password for the client certificate. You will have to give these -+ passwords to the end user who will be using the certificates. -+ -+ Edit the [client] section to have the correct values for your -+ country, state, etc. Be sure that the commonName field here is -+ the User-Name that will be used for logins! -+ -+$ make client.pem -+ -+ The users certificate will be in "emailAddress.pem", -+ i.e. "user@example.com.pem". 
-+ -+ To create another client certificate, just repeat the steps for -+ making a client certificate, being sure to enter a different login -+ name for "commonName", and a different password. -+ -+ -+ PERFORMANCE -+ -+ -+ EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL -+ calculations. That is, a normal system can handle PAP -+ authentication at a rate of 10k packets/s. However, SSL involves -+ RSA calculations, which are very expensive. To benchmark your system, -+ do: -+ -+$ openssl speed rsa -+ -+ or -+ -+$ openssl speed rsa2048 -+ -+ to test 2048 bit keys. -+ -+ A 1GHz system will likely do 30 calculations/s. A 2GHz system may -+ do 50 calculations/s, or more. That number is also the number of -+ authentications/s that can be done for EAP-TLS (or TTLS, or PEAP). -+ -+ -+ COMPATIBILITY -+ -+The certificates created using this method are known to be compatible -+with ALL operating systems. Some common issues are: -+ -+ - Windows requires certain OIDs in the certificates. If it doesn't -+ see them, it will stop doing EAP. The most visible effect is -+ that the client starts EAP, gets a few Access-Challenge packets, -+ and then a little while later re-starts EAP. If this happens, see -+ the FAQ, and the comments in raddb/eap.conf for how to fix it. -+ -+ - Windows requires the root certificates to be on the client PC. -+ If it doesn't have them, you will see the same issue as above. -+ -+ - Windows XP post SP2 has a bug where it has problems with -+ certificate chains. i.e. if the server certificate is an -+ intermediate one, and not a root one, then authentication will -+ silently fail, as above. -+ -+ - Some versions of Windows CE cannot handle 4K RSA certificates. -+ They will (again) silently fail, as above. -+ -+ - In none of these cases will Windows give the end user any -+ reasonable error message describing what went wrong. This leads -+ people to blame the RADIUS server. That blame is misplaced. 
-+ -+ - Certificate chains of more than 64K bytes are known to not work. -+ This is a problem in FreeRADIUS. However, most clients cannot -+ handle 64K certificate chains. Most Access Points will shut down -+ the EAP session after about 50 round trips, while 64K certificate -+ chains will take about 60 round trips. So don't use large -+ certificate chains. They will only work after everyone upgrade -+ everything in the network. -+ -+ - All other operating systems are known to work with EAP and -+ FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris, -+ Symbian, along with all known embedded systems, phones, WiFi -+ devices, etc. -+ -+ - Someone needs to ask Microsoft to please stop making life hard for -+ their customers. -+ -+ -+ SECURITY CONSIDERATIONS -+ -+The default certificate configuration files uses MD5 for message -+digests, to maintain compatibility with network equipment that -+supports only this algorithm. -+ -+MD5 has known weaknesses and is discouraged in favour of SHA1 (see -+http://www.kb.cert.org/vuls/id/836068 for details). If your network -+equipment supports the SHA1 signature algorithm, we recommend that you -+change the "ca.cnf", "server.cnf", and "client.cnf" files to specify -+the use of SHA1 for the certificates. To do this, change the -+'default_md' entry in those files from 'md5' to 'sha1'. -diff -rupN hostapd-2.6/hostapd/certs/README.wpe hostapd-2.6-wpe/hostapd/certs/README.wpe ---- hostapd-2.6/hostapd/certs/README.wpe 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/README.wpe 2016-12-17 06:12:53.643984078 -0500 -@@ -0,0 +1,13 @@ -+# Certificate creation for Hostapd-WPE # -+######################################## -+ -+Usage: -+ -+make clean -+./bootstrap -+make install -+ -+Notes: -+- Windows 10 (and possibly any Windows starting from Vista) will fail EAP -+ if certificates signed with MD5 are used. -+- Generated certificates used a SHA256 signature. 
-diff -rupN hostapd-2.6/hostapd/certs/server.cnf hostapd-2.6-wpe/hostapd/certs/server.cnf ---- hostapd-2.6/hostapd/certs/server.cnf 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/server.cnf 2016-12-17 06:12:53.643984078 -0500 -@@ -0,0 +1,54 @@ -+[ ca ] -+default_ca = CA_default -+ -+[ CA_default ] -+dir = ./ -+certs = $dir -+crl_dir = $dir/crl -+database = $dir/index.txt -+new_certs_dir = $dir -+certificate = $dir/server.pem -+serial = $dir/serial -+crl = $dir/crl.pem -+private_key = $dir/server.key -+RANDFILE = $dir/.rand -+name_opt = ca_default -+cert_opt = ca_default -+default_days = 60 -+default_crl_days = 30 -+default_md = sha256 -+preserve = no -+policy = policy_match -+ -+[ policy_match ] -+countryName = match -+stateOrProvinceName = match -+organizationName = match -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ policy_anything ] -+countryName = optional -+stateOrProvinceName = optional -+localityName = optional -+organizationName = optional -+organizationalUnitName = optional -+commonName = supplied -+emailAddress = optional -+ -+[ req ] -+prompt = no -+distinguished_name = server -+default_bits = 2048 -+input_password = whatever -+output_password = whatever -+ -+[server] -+countryName = FR -+stateOrProvinceName = Radius -+localityName = Somewhere -+organizationName = Example Inc. -+emailAddress = admin@example.org -+commonName = "Example Server Certificate" -+ -diff -rupN hostapd-2.6/hostapd/certs/xpextensions hostapd-2.6-wpe/hostapd/certs/xpextensions ---- hostapd-2.6/hostapd/certs/xpextensions 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/certs/xpextensions 2016-12-17 06:12:53.643984078 -0500 -@@ -0,0 +1,24 @@ -+# -+# File containing the OIDs required for Windows. 
-+# -+# http://support.microsoft.com/kb/814394/en-us -+# -+[ xpclient_ext] -+extendedKeyUsage = 1.3.6.1.5.5.7.3.2 -+crlDistributionPoints = URI:http://www.example.com/example_ca.crl -+ -+[ xpserver_ext] -+extendedKeyUsage = 1.3.6.1.5.5.7.3.1 -+crlDistributionPoints = URI:http://www.example.com/example_ca.crl -+ -+# -+# Add this to the PKCS#7 keybag attributes holding the client's private key -+# for machine authentication. -+# -+# the presence of this OID tells Windows XP that the cert is intended -+# for use by the computer itself, and not by an end-user. -+# -+# The other solution is to use Microsoft's web certificate server -+# to generate these certs. -+# -+# 1.3.6.1.4.1.311.17.2 -diff -rupN hostapd-2.6/hostapd/.config hostapd-2.6-wpe/hostapd/.config ---- hostapd-2.6/hostapd/.config 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/.config 2016-12-17 06:12:53.647984078 -0500 -@@ -0,0 +1,345 @@ -+# Wireless Pawn Edition HostAPd configuration file -+# -+# This file lists the configuration options that are used when building the -+# hostapd binary. All lines starting with # are ignored. Configuration option -+# lines must be commented out complete, if they are not to be included, i.e., -+# just setting VARIABLE=n is not disabling that variable. -+# -+# This file is included in Makefile, so variables like CFLAGS and LIBS can also -+# be modified from here. In most cass, these lines should use += in order not -+# to override previous values of the variables. -+ -+# Driver interface for Host AP driver -+CONFIG_DRIVER_HOSTAP=y -+ -+# Driver interface for wired authenticator -+CONFIG_DRIVER_WIRED=y -+ -+# Driver interface for drivers using the nl80211 kernel interface -+CONFIG_DRIVER_NL80211=y -+ -+# QCA vendor extensions to nl80211 -+CONFIG_DRIVER_NL80211_QCA=y -+ -+# driver_nl80211.c requires libnl. If you are compiling it yourself -+# you may need to point hostapd to your version of libnl. 
-+# -+#CFLAGS += -I$ -+#LIBS += -L$ -+ -+# Use libnl v2.0 (or 3.0) libraries. -+#CONFIG_LIBNL20=y -+ -+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) -+CONFIG_LIBNL32=y -+ -+ -+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) -+#CONFIG_DRIVER_BSD=y -+#CFLAGS += -I/usr/local/include -+#LIBS += -L/usr/local/lib -+#LIBS_p += -L/usr/local/lib -+#LIBS_c += -L/usr/local/lib -+ -+# Driver interface for no driver (e.g., RADIUS server only) -+#CONFIG_DRIVER_NONE=y -+ -+# IEEE 802.11F/IAPP -+CONFIG_IAPP=y -+ -+# WPA2/IEEE 802.11i RSN pre-authentication -+CONFIG_RSN_PREAUTH=y -+ -+# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) -+CONFIG_PEERKEY=y -+ -+# IEEE 802.11w (management frame protection) -+CONFIG_IEEE80211W=y -+ -+# Integrated EAP server -+CONFIG_EAP=y -+ -+# EAP Re-authentication Protocol (ERP) in integrated EAP server -+CONFIG_ERP=y -+ -+# EAP-MD5 for the integrated EAP server -+CONFIG_EAP_MD5=y -+ -+# EAP-TLS for the integrated EAP server -+CONFIG_EAP_TLS=y -+ -+# EAP-MSCHAPv2 for the integrated EAP server -+CONFIG_EAP_MSCHAPV2=y -+ -+# EAP-PEAP for the integrated EAP server -+CONFIG_EAP_PEAP=y -+ -+# EAP-GTC for the integrated EAP server -+CONFIG_EAP_GTC=y -+ -+# EAP-TTLS for the integrated EAP server -+CONFIG_EAP_TTLS=y -+ -+# EAP-SIM for the integrated EAP server -+CONFIG_EAP_SIM=y -+ -+# EAP-AKA for the integrated EAP server -+CONFIG_EAP_AKA=y -+ -+# EAP-AKA' for the integrated EAP server -+# This requires CONFIG_EAP_AKA to be enabled, too. 
-+CONFIG_EAP_AKA_PRIME=y -+ -+# EAP-PAX for the integrated EAP server -+CONFIG_EAP_PAX=y -+ -+# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) -+CONFIG_EAP_PSK=y -+ -+# EAP-pwd for the integrated EAP server (secure authentication with a password) -+CONFIG_EAP_PWD=y -+ -+# EAP-SAKE for the integrated EAP server -+CONFIG_EAP_SAKE=y -+ -+# EAP-GPSK for the integrated EAP server -+CONFIG_EAP_GPSK=y -+# Include support for optional SHA256 cipher suite in EAP-GPSK -+CONFIG_EAP_GPSK_SHA256=y -+ -+# EAP-FAST for the integrated EAP server -+# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed -+# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., -+# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. -+CONFIG_EAP_FAST=y -+ -+# Wi-Fi Protected Setup (WPS) -+CONFIG_WPS=y -+# Enable UPnP support for external WPS Registrars -+CONFIG_WPS_UPNP=y -+# Enable WPS support with NFC config method -+CONFIG_WPS_NFC=y -+ -+# EAP-IKEv2 -+CONFIG_EAP_IKEV2=y -+ -+# Trusted Network Connect (EAP-TNC) -+CONFIG_EAP_TNC=y -+ -+# EAP-EKE for the integrated EAP server -+#CONFIG_EAP_EKE=y -+ -+# PKCS#12 (PFX) support (used to read private key and certificate file from -+# a file that usually has extension .p12 or .pfx) -+CONFIG_PKCS12=y -+ -+# RADIUS authentication server. This provides access to the integrated EAP -+# server from external hosts using RADIUS. -+CONFIG_RADIUS_SERVER=y -+ -+# Build IPv6 support for RADIUS operations -+CONFIG_IPV6=y -+ -+# IEEE Std 802.11r-2008 (Fast BSS Transition) -+CONFIG_IEEE80211R=y -+ -+# Use the hostapd's IEEE 802.11 authentication (ACL), but without -+# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) -+CONFIG_DRIVER_RADIUS_ACL=y -+ -+# IEEE 802.11n (High Throughput) support -+CONFIG_IEEE80211N=y -+ -+# Wireless Network Management (IEEE Std 802.11v-2011) -+# Note: This is experimental and not complete implementation. 
-+CONFIG_WNM=y -+ -+# IEEE 802.11ac (Very High Throughput) support -+CONFIG_IEEE80211AC=y -+ -+# Remove debugging code that is printing out debug messages to stdout. -+# This can be used to reduce the size of the hostapd considerably if debugging -+# code is not needed. -+#CONFIG_NO_STDOUT_DEBUG=y -+ -+# Add support for writing debug log to a file: -f /tmp/hostapd.log -+# Disabled by default. -+#CONFIG_DEBUG_FILE=y -+ -+# Add support for sending all debug messages (regardless of debug verbosity) -+# to the Linux kernel tracing facility. This helps debug the entire stack by -+# making it easy to record everything happening from the driver up into the -+# same file, e.g., using trace-cmd. -+#CONFIG_DEBUG_LINUX_TRACING=y -+ -+# Remove support for RADIUS accounting -+#CONFIG_NO_ACCOUNTING=y -+ -+# Remove support for RADIUS -+#CONFIG_NO_RADIUS=y -+ -+# Remove support for VLANs -+#CONFIG_NO_VLAN=y -+ -+# Enable support for fully dynamic VLANs. This enables hostapd to -+# automatically create bridge and VLAN interfaces if necessary. -+#CONFIG_FULL_DYNAMIC_VLAN=y -+ -+# Use netlink-based kernel API for VLAN operations instead of ioctl() -+# Note: This requires libnl 3.1 or newer. -+#CONFIG_VLAN_NETLINK=y -+ -+# Remove support for dumping internal state through control interface commands -+# This can be used to reduce binary size at the cost of disabling a debugging -+# option. -+#CONFIG_NO_DUMP_STATE=y -+ -+# Enable tracing code for developer debugging -+# This tracks use of memory allocations and other registrations and reports -+# incorrect use with a backtrace of call (or allocation) location. -+#CONFIG_WPA_TRACE=y -+# For BSD, comment out these. -+#LIBS += -lexecinfo -+#LIBS_p += -lexecinfo -+#LIBS_c += -lexecinfo -+ -+# Use libbfd to get more details for developer debugging -+# This enables use of libbfd to get more detailed symbols for the backtraces -+# generated by CONFIG_WPA_TRACE=y. -+#CONFIG_WPA_TRACE_BFD=y -+# For BSD, comment out these. 
-+#LIBS += -lbfd -liberty -lz
-+#LIBS_p += -lbfd -liberty -lz
-+#LIBS_c += -lbfd -liberty -lz
-+
-+# hostapd depends on strong random number generation being available from the
-+# operating system. os_get_random() function is used to fetch random data when
-+# needed, e.g., for key generation. On Linux and BSD systems, this works by
-+# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
-+# properly initialized before hostapd is started. This is important especially
-+# on embedded devices that do not have a hardware random number generator and
-+# may by default start up with minimal entropy available for random number
-+# generation.
-+#
-+# As a safety net, hostapd is by default trying to internally collect
-+# additional entropy for generating random data to mix in with the data
-+# fetched from the OS. This by itself is not considered to be very strong, but
-+# it may help in cases where the system pool is not initialized properly.
-+# However, it is very strongly recommended that the system pool is initialized
-+# with enough entropy either by using hardware assisted random number
-+# generator or by storing state over device reboots.
-+#
-+# hostapd can be configured to maintain its own entropy store over restarts to
-+# enhance random number generation. This is not perfect, but it is much more
-+# secure than using the same sequence of random numbers after every reboot.
-+# This can be enabled with -e command line option. The specified
-+# file needs to be readable and writable by hostapd.
-+#
-+# If the os_get_random() is known to provide strong random data (e.g., on
-+# Linux/BSD, the board in question is known to have reliable source of random
-+# data from /dev/urandom), the internal hostapd random pool can be disabled.
-+# This will save some in binary size and CPU use. However, this should only be
-+# considered for builds that are known to be used on devices that meet the
-+# requirements described above.
-+#CONFIG_NO_RANDOM_POOL=y
-+
-+# Should we use poll instead of select? Select is used by default.
-+#CONFIG_ELOOP_POLL=y
-+
-+# Should we use epoll instead of select? Select is used by default.
-+#CONFIG_ELOOP_EPOLL=y
-+
-+# Should we use kqueue instead of select? Select is used by default.
-+#CONFIG_ELOOP_KQUEUE=y
-+
-+# Select TLS implementation
-+# openssl = OpenSSL (default)
-+# gnutls = GnuTLS
-+# internal = Internal TLSv1 implementation (experimental)
-+# none = Empty template
-+#CONFIG_TLS=openssl
-+
-+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
-+# can be enabled to get a stronger construction of messages when block ciphers
-+# are used.
-+CONFIG_TLSV11=y
-+
-+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
-+# can be enabled to enable use of stronger crypto algorithms.
-+CONFIG_TLSV12=y
-+
-+# If CONFIG_TLS=internal is used, additional library and include paths are
-+# needed for LibTomMath. Alternatively, an integrated, minimal version of
-+# LibTomMath can be used. See beginning of libtommath.c for details on benefits
-+# and drawbacks of this option.
-+#CONFIG_INTERNAL_LIBTOMMATH=y
-+#ifndef CONFIG_INTERNAL_LIBTOMMATH
-+#LTM_PATH=/usr/src/libtommath-0.39
-+#CFLAGS += -I$(LTM_PATH)
-+#LIBS += -L$(LTM_PATH)
-+#LIBS_p += -L$(LTM_PATH)
-+#endif
-+# At the cost of about 4 kB of additional binary size, the internal LibTomMath
-+# can be configured to include faster routines for exptmod, sqr, and div to
-+# speed up DH and RSA calculation considerably
-+CONFIG_INTERNAL_LIBTOMMATH_FAST=y
-+
-+# Interworking (IEEE 802.11u)
-+# This can be used to enable functionality to improve interworking with
-+# external networks.
-+CONFIG_INTERWORKING=y
-+
-+# Hotspot 2.0
-+CONFIG_HS20=y
-+
-+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
-+CONFIG_SQLITE=y
-+
-+# Enable Fast Session Transfer (FST)
-+CONFIG_FST=y
-+
-+# Enable CLI commands for FST testing
-+#CONFIG_FST_TEST=y
-+
-+# Testing options
-+# This can be used to enable some testing options (see also the example
-+# configuration file) that are really useful only for testing clients that
-+# connect to this hostapd. These options allow, for example, to drop a
-+# certain percentage of probe requests or auth/(re)assoc frames.
-+#
-+#CONFIG_TESTING_OPTIONS=y
-+
-+# Automatic Channel Selection
-+# This will allow hostapd to pick the channel automatically when channel is set
-+# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
-+# similar way.
-+#
-+# Automatic selection is currently only done through initialization, later on
-+# we hope to do background checks to keep us moving to more ideal channels as
-+# time goes by. ACS is currently only supported through the nl80211 driver and
-+# your driver must have survey dump capability that is filled by the driver
-+# during scanning.
-+#
-+# You can customize the ACS survey algorithm with the hostapd.conf variable
-+# acs_num_scans.
-+#
-+# Supported ACS drivers:
-+# * ath9k
-+# * ath5k
-+# * ath10k
-+#
-+# For more details refer to:
-+# http://wireless.kernel.org/en/users/Documentation/acs
-+#
-+CONFIG_ACS=y
-+
-+# Multiband Operation support
-+# These extentions facilitate efficient use of multiple frequency bands
-+# available to the AP and the devices that may associate with it.
-+CONFIG_MBO=y
-+
-+# Client Taxonomy
-+# Has the AP retain the Probe Request and (Re)Association Request frames from
-+# a client, from which a signature can be produced which can identify the model
-+# of client device like "Nexus 6P" or "iPhone 5s".
-+CONFIG_TAXONOMY=y
 diff -rupN hostapd-2.6/hostapd/config_file.c hostapd-2.6-wpe/hostapd/config_file.c
 --- hostapd-2.6/hostapd/config_file.c 2016-10-02 14:51:11.000000000 -0400
 +++ hostapd-2.6-wpe/hostapd/config_file.c 2016-12-17 06:12:53.647984078 -0500
@@ -1097,2072 +31,6 @@ diff -rupN hostapd-2.6/hostapd/config_file.c hostapd-2.6-wpe/hostapd/config_file #ifdef EAP_SERVER } else if (os_strcmp(buf, "eap_authenticator") == 0) { bss->eap_server = atoi(pos); -diff -rupN hostapd-2.6/hostapd/defconfig hostapd-2.6-wpe/hostapd/defconfig ---- hostapd-2.6/hostapd/defconfig 2016-10-02 14:51:11.000000000 -0400 -+++ hostapd-2.6-wpe/hostapd/defconfig 2016-12-17 06:12:53.947984072 -0500 -@@ -148,14 +148,14 @@ CONFIG_IPV6=y - #CONFIG_DRIVER_RADIUS_ACL=y - - # IEEE 802.11n (High Throughput) support --#CONFIG_IEEE80211N=y -+CONFIG_IEEE80211N=y - - # Wireless Network Management (IEEE Std 802.11v-2011) - # Note: This is experimental and not complete implementation. - #CONFIG_WNM=y - - # IEEE 802.11ac (Very High Throughput) support --#CONFIG_IEEE80211AC=y -+CONFIG_IEEE80211AC=y - - # Remove debugging code that is printing out debug messages to stdout. - # This can be used to reduce the size of the hostapd considerably if debugging -diff -rupN hostapd-2.6/hostapd/hostapd-wpe.conf hostapd-2.6-wpe/hostapd/hostapd-wpe.conf ---- hostapd-2.6/hostapd/hostapd-wpe.conf 1969-12-31 19:00:00.000000000 -0500 -+++ hostapd-2.6-wpe/hostapd/hostapd-wpe.conf 2016-12-17 06:12:53.947984072 -0500 -@@ -0,0 +1,2042 @@ -+# Configuration file for hostapd-wpe -+ -+# Interface - Probably wlan0 for 802.11, eth0 for wired -+interface=wlan0 -+ -+# May have to change these depending on build location -+eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user -+ca_cert=/etc/hostapd-wpe/ca.pem -+server_cert=/etc/hostapd-wpe/server.pem -+private_key=/etc/hostapd-wpe/server.key -+private_key_passwd=whatever -+dh_file=/etc/hostapd-wpe/dh -+ -+# 802.11 Options -+ssid=hostapd-wpe -+channel=1 -+ -+# WPE Options - Dont need to change these to make it all work -+# -+# wpe_logfile=somefile # (Default: ./hostapd-wpe.log) -+# wpe_hb_send_before_handshake=0 # Heartbleed True/False (Default: 1) -+# wpe_hb_send_before_appdata=0 # Heartbleed True/False (Default: 0) -+# 
wpe_hb_send_after_appdata=0 # Heartbleed True/False (Default: 0)
-+# wpe_hb_payload_size=0 # Heartbleed 0-65535 (Default: 50000)
-+# wpe_hb_num_repeats=0 # Heartbleed 0-65535 (Default: 1)
-+# wpe_hb_num_tries=0 # Heartbleed 0-65535 (Default: 1)
-+
-+
-+# Dont mess with unless you know what you're doing
-+eap_server=1
-+eap_fast_a_id=101112131415161718191a1b1c1d1e1f
-+eap_fast_a_id_info=hostapd-wpe
-+eap_fast_prov=3
-+ieee8021x=1
-+pac_key_lifetime=604800
-+pac_key_refresh_time=86400
-+pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
-+wpa=2
-+wpa_key_mgmt=WPA-EAP
-+wpa_pairwise=CCMP
-+rsn_pairwise=CCMP
-+
-+##############################################################################
-+# Everything below this line is pretty much the standard hostapd.conf
-+###############################################################################
-+
-+##### hostapd configuration file ##############################################
-+# Empty lines and lines starting with # are ignored
-+
-+# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for
-+# management frames with the Host AP driver); wlan0 with many nl80211 drivers
-+# Note: This attribute can be overridden by the values supplied with the '-i'
-+# command line parameter.
-+#interface=wlan0
-+
-+# In case of atheros and nl80211 driver interfaces, an additional
-+# configuration parameter, bridge, may be used to notify hostapd if the
-+# interface is included in a bridge. This parameter is not used with Host AP
-+# driver. If the bridge parameter is not set, the drivers will automatically
-+# figure out the bridge interface (assuming sysfs is enabled and mounted to
-+# /sys) and this parameter may not be needed.
-+#
-+# For nl80211, this parameter can be used to request the AP interface to be
-+# added to the bridge automatically (brctl may refuse to do this before hostapd
-+# has been started to change the interface mode). If needed, the bridge
-+# interface is also created.
-+#bridge=br0
-+
-+# Driver interface type (hostap/wired/none/nl80211/bsd);
-+# default: hostap). nl80211 is used with all Linux mac80211 drivers.
-+# Use driver=none if building hostapd as a standalone RADIUS server that does
-+# not control any wireless/wired driver.
-+# driver=hostap
-+
-+# Driver interface parameters (mainly for development testing use)
-+# driver_params=
-+
-+# hostapd event logger configuration
-+#
-+# Two output method: syslog and stdout (only usable if not forking to
-+# background).
-+#
-+# Module bitfield (ORed bitfield of modules that will be logged; -1 = all
-+# modules):
-+# bit 0 (1) = IEEE 802.11
-+# bit 1 (2) = IEEE 802.1X
-+# bit 2 (4) = RADIUS
-+# bit 3 (8) = WPA
-+# bit 4 (16) = driver interface
-+# bit 5 (32) = IAPP
-+# bit 6 (64) = MLME
-+#
-+# Levels (minimum value for logged events):
-+# 0 = verbose debugging
-+# 1 = debugging
-+# 2 = informational messages
-+# 3 = notification
-+# 4 = warning
-+#
-+logger_syslog=-1
-+logger_syslog_level=2
-+logger_stdout=-1
-+logger_stdout_level=2
-+
-+# Interface for separate control program. If this is specified, hostapd
-+# will create this directory and a UNIX domain socket for listening to requests
-+# from external programs (CLI/GUI, etc.) for status information and
-+# configuration. The socket file will be named based on the interface name, so
-+# multiple hostapd processes/interfaces can be run at the same time if more
-+# than one interface is used.
-+# /var/run/hostapd is the recommended directory for sockets and by default,
-+# hostapd_cli will use it when trying to connect with hostapd.
-+ctrl_interface=/var/run/hostapd
-+
-+# Access control for the control interface can be configured by setting the
-+# directory to allow only members of a group to use sockets. This way, it is
-+# possible to run hostapd as root (since it needs to change network
-+# configuration and open raw sockets) and still allow GUI/CLI components to be
-+# run as non-root users.
However, since the control interface can be used to
-+# change the network configuration, this access needs to be protected in many
-+# cases. By default, hostapd is configured to use gid 0 (root). If you
-+# want to allow non-root users to use the contron interface, add a new group
-+# and change this value to match with that group. Add users that should have
-+# control interface access to this group.
-+#
-+# This variable can be a group name or gid.
-+#ctrl_interface_group=wheel
-+ctrl_interface_group=0
-+
-+
-+##### IEEE 802.11 related configuration #######################################
-+
-+# SSID to be used in IEEE 802.11 management frames
-+#ssid=test
-+# Alternative formats for configuring SSID
-+# (double quoted string, hexdump, printf-escaped string)
-+#ssid2="test"
-+#ssid2=74657374
-+#ssid2=P"hello\nthere"
-+
-+# UTF-8 SSID: Whether the SSID is to be interpreted using UTF-8 encoding
-+#utf8_ssid=1
-+
-+# Country code (ISO/IEC 3166-1). Used to set regulatory domain.
-+# Set as needed to indicate country in which device is operating.
-+# This can limit available channels and transmit power.
-+#country_code=US
-+
-+# Enable IEEE 802.11d. This advertises the country_code and the set of allowed
-+# channels and transmit power levels based on the regulatory limits. The
-+# country_code setting must be configured with the correct country for
-+# IEEE 802.11d functions.
-+# (default: 0 = disabled)
-+#ieee80211d=1
-+
-+# Enable IEEE 802.11h. This enables radar detection and DFS support if
-+# available. DFS support is required on outdoor 5 GHz channels in most countries
-+# of the world. This can be used only with ieee80211d=1.
-+# (default: 0 = disabled)
-+#ieee80211h=1
-+
-+# Add Power Constraint element to Beacon and Probe Response frames
-+# This config option adds Power Constraint element when applicable and Country
-+# element is added. Power Constraint element is required by Transmit Power
-+# Control. This can be used only with ieee80211d=1.
-+# Valid values are 0..255.
-+#local_pwr_constraint=3
-+
-+# Set Spectrum Management subfield in the Capability Information field.
-+# This config option forces the Spectrum Management bit to be set. When this
-+# option is not set, the value of the Spectrum Management bit depends on whether
-+# DFS or TPC is required by regulatory authorities. This can be used only with
-+# ieee80211d=1 and local_pwr_constraint configured.
-+#spectrum_mgmt_required=1
-+
-+# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz),
-+# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used
-+# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this
-+# needs to be set to hw_mode=a. When using ACS (see channel parameter), a
-+# special value "any" can be used to indicate that any support band can be used.
-+# This special case is currently supported only with drivers with which
-+# offloaded ACS is used.
-+# Default: IEEE 802.11b
-+hw_mode=g
-+
-+# Channel number (IEEE 802.11)
-+# (default: 0, i.e., not set)
-+# Please note that some drivers do not use this value from hostapd and the
-+# channel will need to be configured separately with iwconfig.
-+#
-+# If CONFIG_ACS build option is enabled, the channel can be selected
-+# automatically at run time by setting channel=acs_survey or channel=0, both of
-+# which will enable the ACS survey based algorithm.
-+#channel=1
-+
-+# ACS tuning - Automatic Channel Selection
-+# See: http://wireless.kernel.org/en/users/Documentation/acs
-+#
-+# You can customize the ACS survey algorithm with following variables:
-+#
-+# acs_num_scans requirement is 1..100 - number of scans to be performed that
-+# are used to trigger survey data gathering of an underlying device driver.
-+# Scans are passive and typically take a little over 100ms (depending on the
-+# driver) on each available channel for given hw_mode.
Increasing this value
-+# means sacrificing startup time and gathering more data wrt channel
-+# interference that may help choosing a better channel. This can also help fine
-+# tune the ACS scan time in case a driver has different scan dwell times.
-+#
-+# acs_chan_bias is a space-separated list of : pairs. It can be
-+# used to increase (or decrease) the likelihood of a specific channel to be
-+# selected by the ACS algorithm. The total interference factor for each channel
-+# gets multiplied by the specified bias value before finding the channel with
-+# the lowest value. In other words, values between 0.0 and 1.0 can be used to
-+# make a channel more likely to be picked while values larger than 1.0 make the
-+# specified channel less likely to be picked. This can be used, e.g., to prefer
-+# the commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
-+# behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).
-+#
-+# Defaults:
-+#acs_num_scans=5
-+#acs_chan_bias=1:0.8 6:0.8 11:0.8
-+
-+# Channel list restriction. This option allows hostapd to select one of the
-+# provided channels when a channel should be automatically selected.
-+# Channel list can be provided as range using hyphen ('-') or individual
-+# channels can be specified by space (' ') separated values
-+# Default: all channels allowed in selected hw_mode
-+#chanlist=100 104 108 112 116
-+#chanlist=1 6 11-13
-+
-+# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535)
-+beacon_int=100
-+
-+# DTIM (delivery traffic information message) period (range 1..255):
-+# number of beacons between DTIMs (1 = every beacon includes DTIM element)
-+# (default: 2)
-+dtim_period=2
-+
-+# Maximum number of stations allowed in station table. New stations will be
-+# rejected after the station table is full. IEEE 802.11 has a limit of 2007
-+# different association IDs, so this number should not be larger than that.
-+# (default: 2007)
-+max_num_sta=255
-+
-+# RTS/CTS threshold; -1 = disabled (default); range -1..65535
-+# If this field is not included in hostapd.conf, hostapd will not control
-+# RTS threshold and 'iwconfig wlan# rts ' can be used to set it.
-+rts_threshold=-1
-+
-+# Fragmentation threshold; -1 = disabled (default); range -1, 256..2346
-+# If this field is not included in hostapd.conf, hostapd will not control
-+# fragmentation threshold and 'iwconfig wlan# frag ' can be used to set
-+# it.
-+fragm_threshold=-1
-+
-+# Rate configuration
-+# Default is to enable all rates supported by the hardware. This configuration
-+# item allows this list be filtered so that only the listed rates will be left
-+# in the list. If the list is empty, all rates are used. This list can have
-+# entries that are not in the list of rates the hardware supports (such entries
-+# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110.
-+# If this item is present, at least one rate have to be matching with the rates
-+# hardware supports.
-+# default: use the most common supported rate setting for the selected
-+# hw_mode (i.e., this line can be removed from configuration file in most
-+# cases)
-+#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540
-+
-+# Basic rate set configuration
-+# List of rates (in 100 kbps) that are included in the basic rate set.
-+# If this item is not included, usually reasonable default set is used.
-+#basic_rates=10 20
-+#basic_rates=10 20 55 110
-+#basic_rates=60 120 240
-+
-+# Short Preamble
-+# This parameter can be used to enable optional use of short preamble for
-+# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance.
-+# This applies only to IEEE 802.11b-compatible networks and this should only be
-+# enabled if the local hardware supports use of short preamble.
If any of the
-+# associated STAs do not support short preamble, use of short preamble will be
-+# disabled (and enabled when such STAs disassociate) dynamically.
-+# 0 = do not allow use of short preamble (default)
-+# 1 = allow use of short preamble
-+#preamble=1
-+
-+# Station MAC address -based authentication
-+# Please note that this kind of access control requires a driver that uses
-+# hostapd to take care of management frame processing and as such, this can be
-+# used with driver=hostap or driver=nl80211, but not with driver=atheros.
-+# 0 = accept unless in deny list
-+# 1 = deny unless in accept list
-+# 2 = use external RADIUS server (accept/deny lists are searched first)
-+macaddr_acl=0
-+
-+# Accept/deny lists are read from separate files (containing list of
-+# MAC addresses, one per line). Use absolute path name to make sure that the
-+# files can be read on SIGHUP configuration reloads.
-+#accept_mac_file=/etc/hostapd.accept
-+#deny_mac_file=/etc/hostapd.deny
-+
-+# IEEE 802.11 specifies two authentication algorithms. hostapd can be
-+# configured to allow both of these or only one. Open system authentication
-+# should be used with IEEE 802.1X.
-+# Bit fields of allowed authentication algorithms:
-+# bit 0 = Open System Authentication
-+# bit 1 = Shared Key Authentication (requires WEP)
-+auth_algs=3
-+
-+# Send empty SSID in beacons and ignore probe request frames that do not
-+# specify full SSID, i.e., require stations to know SSID.
-+# default: disabled (0)
-+# 1 = send empty (length=0) SSID in beacon and ignore probe request for
-+# broadcast SSID
-+# 2 = clear SSID (ASCII 0), but keep the original length (this may be required
-+# with some clients that do not support empty SSID) and ignore probe
-+# requests for broadcast SSID
-+ignore_broadcast_ssid=0
-+
-+# Do not reply to broadcast Probe Request frames from unassociated STA if there
-+# is no room for additional stations (max_num_sta).
This can be used to
-+# discourage a STA from trying to associate with this AP if the association
-+# would be rejected due to maximum STA limit.
-+# Default: 0 (disabled)
-+#no_probe_resp_if_max_sta=0
-+
-+# Additional vendor specific elements for Beacon and Probe Response frames
-+# This parameter can be used to add additional vendor specific element(s) into
-+# the end of the Beacon and Probe Response frames. The format for these
-+# element(s) is a hexdump of the raw information elements (id+len+payload for
-+# one or more elements)
-+#vendor_elements=dd0411223301
-+
-+# Additional vendor specific elements for (Re)Association Response frames
-+# This parameter can be used to add additional vendor specific element(s) into
-+# the end of the (Re)Association Response frames. The format for these
-+# element(s) is a hexdump of the raw information elements (id+len+payload for
-+# one or more elements)
-+#assocresp_elements=dd0411223301
-+
-+# TX queue parameters (EDCF / bursting)
-+# tx_queue__
-+# queues: data0, data1, data2, data3, after_beacon, beacon
-+# (data0 is the highest priority queue)
-+# parameters:
-+# aifs: AIFS (default 2)
-+# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191,
-+# 16383, 32767)
-+# cwmax: cwMax (same values as cwMin, cwMax >= cwMin)
-+# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for
-+# bursting
-+#
-+# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-+# These parameters are used by the access point when transmitting frames
-+# to the clients.
-+#
-+# Low priority / AC_BK = background
-+#tx_queue_data3_aifs=7
-+#tx_queue_data3_cwmin=15
-+#tx_queue_data3_cwmax=1023
-+#tx_queue_data3_burst=0
-+# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0
-+#
-+# Normal priority / AC_BE = best effort
-+#tx_queue_data2_aifs=3
-+#tx_queue_data2_cwmin=15
-+#tx_queue_data2_cwmax=63
-+#tx_queue_data2_burst=0
-+# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0
-+#
-+# High priority / AC_VI = video
-+#tx_queue_data1_aifs=1
-+#tx_queue_data1_cwmin=7
-+#tx_queue_data1_cwmax=15
-+#tx_queue_data1_burst=3.0
-+# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0
-+#
-+# Highest priority / AC_VO = voice
-+#tx_queue_data0_aifs=1
-+#tx_queue_data0_cwmin=3
-+#tx_queue_data0_cwmax=7
-+#tx_queue_data0_burst=1.5
-+# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3
-+
-+# 802.1D Tag (= UP) to AC mappings
-+# WMM specifies following mapping of data frames to different ACs. This mapping
-+# can be configured using Linux QoS/tc and sch_pktpri.o module.
-+# 802.1D Tag 802.1D Designation Access Category WMM Designation
-+# 1 BK AC_BK Background
-+# 2 - AC_BK Background
-+# 0 BE AC_BE Best Effort
-+# 3 EE AC_BE Best Effort
-+# 4 CL AC_VI Video
-+# 5 VI AC_VI Video
-+# 6 VO AC_VO Voice
-+# 7 NC AC_VO Voice
-+# Data frames with no priority information: AC_BE
-+# Management frames: AC_VO
-+# PS-Poll frames: AC_BE
-+
-+# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e):
-+# for 802.11a or 802.11g networks
-+# These parameters are sent to WMM clients when they associate.
-+# The parameters will be used by WMM clients for frames transmitted to the
-+# access point.
-+#
-+# note - txop_limit is in units of 32microseconds
-+# note - acm is admission control mandatory flag. 0 = admission control not
-+# required, 1 = mandatory
-+# note - Here cwMin and cmMax are in exponent form. The actual cw value used
-+# will be (2^n)-1 where n is the value given here.
The allowed range for these
-+# wmm_ac_??_{cwmin,cwmax} is 0..15 with cwmax >= cwmin.
-+#
-+wmm_enabled=1
-+#
-+# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD]
-+# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver)
-+#uapsd_advertisement_enabled=1
-+#
-+# Low priority / AC_BK = background
-+wmm_ac_bk_cwmin=4
-+wmm_ac_bk_cwmax=10
-+wmm_ac_bk_aifs=7
-+wmm_ac_bk_txop_limit=0
-+wmm_ac_bk_acm=0
-+# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10
-+#
-+# Normal priority / AC_BE = best effort
-+wmm_ac_be_aifs=3
-+wmm_ac_be_cwmin=4
-+wmm_ac_be_cwmax=10
-+wmm_ac_be_txop_limit=0
-+wmm_ac_be_acm=0
-+# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7
-+#
-+# High priority / AC_VI = video
-+wmm_ac_vi_aifs=2
-+wmm_ac_vi_cwmin=3
-+wmm_ac_vi_cwmax=4
-+wmm_ac_vi_txop_limit=94
-+wmm_ac_vi_acm=0
-+# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188
-+#
-+# Highest priority / AC_VO = voice
-+wmm_ac_vo_aifs=2
-+wmm_ac_vo_cwmin=2
-+wmm_ac_vo_cwmax=3
-+wmm_ac_vo_txop_limit=47
-+wmm_ac_vo_acm=0
-+# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102
-+
-+# Static WEP key configuration
-+#
-+# The key number to use when transmitting.
-+# It must be between 0 and 3, and the corresponding key must be set.
-+# default: not set
-+#wep_default_key=0
-+# The WEP keys to use.
-+# A key may be a quoted string or unquoted hexadecimal digits.
-+# The key length should be 5, 13, or 16 characters, or 10, 26, or 32
-+# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or
-+# 128-bit (152-bit) WEP is used.
-+# Only the default key must be supplied; the others are optional.
-+# default: not set
-+#wep_key0=123456789a
-+#wep_key1="vwxyz"
-+#wep_key2=0102030405060708090a0b0c0d
-+#wep_key3=".2.4.6.8.0.23"
-+
-+# Station inactivity limit
-+#
-+# If a station does not send anything in ap_max_inactivity seconds, an
-+# empty data frame is sent to it in order to verify whether it is
-+# still in range.
If this frame is not ACKed, the station will be
-+# disassociated and then deauthenticated. This feature is used to
-+# clear station table of old entries when the STAs move out of the
-+# range.
-+#
-+# The station can associate again with the AP if it is still in range;
-+# this inactivity poll is just used as a nicer way of verifying
-+# inactivity; i.e., client will not report broken connection because
-+# disassociation frame is not sent immediately without first polling
-+# the STA with a data frame.
-+# default: 300 (i.e., 5 minutes)
-+#ap_max_inactivity=300
-+#
-+# The inactivity polling can be disabled to disconnect stations based on
-+# inactivity timeout so that idle stations are more likely to be disconnected
-+# even if they are still in range of the AP. This can be done by setting
-+# skip_inactivity_poll to 1 (default 0).
-+#skip_inactivity_poll=0
-+
-+# Disassociate stations based on excessive transmission failures or other
-+# indications of connection loss. This depends on the driver capabilities and
-+# may not be available with all drivers.
-+#disassoc_low_ack=1
-+
-+# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to
-+# remain asleep). Default: 65535 (no limit apart from field size)
-+#max_listen_interval=100
-+
-+# WDS (4-address frame) mode with per-station virtual interfaces
-+# (only supported with driver=nl80211)
-+# This mode allows associated stations to use 4-address frames to allow layer 2
-+# bridging to be used.
-+#wds_sta=1
-+
-+# If bridge parameter is set, the WDS STA interface will be added to the same
-+# bridge by default. This can be overridden with the wds_bridge parameter to
-+# use a separate bridge.
-+#wds_bridge=wds-br0
-+
-+# Start the AP with beaconing disabled by default.
-+#start_disabled=0
-+
-+# Client isolation can be used to prevent low-level bridging of frames between
-+# associated stations in the BSS. By default, this bridging is allowed.
-+#ap_isolate=1
-+
-+# BSS Load update period (in BUs)
-+# This field is used to enable and configure adding a BSS Load element into
-+# Beacon and Probe Response frames.
-+#bss_load_update_period=50
-+
-+# Fixed BSS Load value for testing purposes
-+# This field can be used to configure hostapd to add a fixed BSS Load element
-+# into Beacon and Probe Response frames for testing purposes. The format is
-+# ::
-+#bss_load_test=12:80:20000
-+
-+##### IEEE 802.11n related configuration ######################################
-+
-+# ieee80211n: Whether IEEE 802.11n (HT) is enabled
-+# 0 = disabled (default)
-+# 1 = enabled
-+# Note: You will also need to enable WMM for full HT functionality.
-+# Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band.
-+#ieee80211n=1
-+
-+# ht_capab: HT capabilities (list of flags)
-+# LDPC coding capability: [LDPC] = supported
-+# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary
-+# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz
-+# with secondary channel above the primary channel
-+# (20 MHz only if neither is set)
-+# Note: There are limits on which channels can be used with HT40- and
-+# HT40+. Following table shows the channels that may be available for
-+# HT40- and HT40+ use per IEEE 802.11n Annex J:
-+# freq HT40- HT40+
-+# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan)
-+# 5 GHz 40,48,56,64 36,44,52,60
-+# (depending on the location, not all of these channels may be available
-+# for use)
-+# Please note that 40 MHz channels may switch their primary and secondary
-+# channels if needed or creation of 40 MHz channel maybe rejected based
-+# on overlapping BSSes. These changes are done automatically when hostapd
-+# is setting up the 40 MHz channel.
-+# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC]
-+# (SMPS disabled if neither is set)
-+# HT-greenfield: [GF] (disabled if not set)
-+# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set)
-+# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set)
-+# Tx STBC: [TX-STBC] (disabled if not set)
-+# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial
-+# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC
-+# disabled if none of these set
-+# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set)
-+# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not
-+# set)
-+# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set)
-+# 40 MHz intolerant [40-INTOLERANT] (not advertised if not set)
-+# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set)
-+#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
-+
-+# Require stations to support HT PHY (reject association if they do not)
-+#require_ht=1
-+
-+# If set non-zero, require stations to perform scans of overlapping
-+# channels to test for stations which would be affected by 40 MHz traffic.
-+# This parameter sets the interval in seconds between these scans. Setting this
-+# to non-zero allows 2.4 GHz band AP to move dynamically to a 40 MHz channel if
-+# no co-existence issues with neighboring devices are found.
-+#obss_interval=0
-+
-+##### IEEE 802.11ac related configuration #####################################
-+
-+# ieee80211ac: Whether IEEE 802.11ac (VHT) is enabled
-+# 0 = disabled (default)
-+# 1 = enabled
-+# Note: You will also need to enable WMM for full VHT functionality.
-+# Note: hw_mode=a is used to specify that 5 GHz band is used with VHT.
-+#ieee80211ac=1 -+ -+# vht_capab: VHT capabilities (list of flags) -+# -+# vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] -+# Indicates maximum MPDU length -+# 0 = 3895 octets (default) -+# 1 = 7991 octets -+# 2 = 11454 octets -+# 3 = reserved -+# -+# supported_chan_width: [VHT160] [VHT160-80PLUS80] -+# Indicates supported Channel widths -+# 0 = 160 MHz & 80+80 channel widths are not supported (default) -+# 1 = 160 MHz channel width is supported -+# 2 = 160 MHz & 80+80 channel widths are supported -+# 3 = reserved -+# -+# Rx LDPC coding capability: [RXLDPC] -+# Indicates support for receiving LDPC coded pkts -+# 0 = Not supported (default) -+# 1 = Supported -+# -+# Short GI for 80 MHz: [SHORT-GI-80] -+# Indicates short GI support for reception of packets transmitted with TXVECTOR -+# params format equal to VHT and CBW = 80Mhz -+# 0 = Not supported (default) -+# 1 = Supported -+# -+# Short GI for 160 MHz: [SHORT-GI-160] -+# Indicates short GI support for reception of packets transmitted with TXVECTOR -+# params format equal to VHT and CBW = 160Mhz -+# 0 = Not supported (default) -+# 1 = Supported -+# -+# Tx STBC: [TX-STBC-2BY1] -+# Indicates support for the transmission of at least 2x1 STBC -+# 0 = Not supported (default) -+# 1 = Supported -+# -+# Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234] -+# Indicates support for the reception of PPDUs using STBC -+# 0 = Not supported (default) -+# 1 = support of one spatial stream -+# 2 = support of one and two spatial streams -+# 3 = support of one, two and three spatial streams -+# 4 = support of one, two, three and four spatial streams -+# 5,6,7 = reserved -+# -+# SU Beamformer Capable: [SU-BEAMFORMER] -+# Indicates support for operation as a single user beamformer -+# 0 = Not supported (default) -+# 1 = Supported -+# -+# SU Beamformee Capable: [SU-BEAMFORMEE] -+# Indicates support for operation as a single user beamformee -+# 0 = Not supported (default) -+# 1 = Supported -+# -+# Compressed Steering 
Number of Beamformer Antennas Supported: -+# [BF-ANTENNA-2] [BF-ANTENNA-3] [BF-ANTENNA-4] -+# Beamformee's capability indicating the maximum number of beamformer -+# antennas the beamformee can support when sending compressed beamforming -+# feedback -+# If SU beamformer capable, set to maximum value minus 1 -+# else reserved (default) -+# -+# Number of Sounding Dimensions: -+# [SOUNDING-DIMENSION-2] [SOUNDING-DIMENSION-3] [SOUNDING-DIMENSION-4] -+# Beamformer's capability indicating the maximum value of the NUM_STS parameter -+# in the TXVECTOR of a VHT NDP -+# If SU beamformer capable, set to maximum value minus 1 -+# else reserved (default) -+# -+# MU Beamformer Capable: [MU-BEAMFORMER] -+# Indicates support for operation as an MU beamformer -+# 0 = Not supported or sent by Non-AP STA (default) -+# 1 = Supported -+# -+# VHT TXOP PS: [VHT-TXOP-PS] -+# Indicates whether or not the AP supports VHT TXOP Power Save Mode -+# or whether or not the STA is in VHT TXOP Power Save mode -+# 0 = VHT AP doesn't support VHT TXOP PS mode (OR) VHT STA not in VHT TXOP PS -+# mode -+# 1 = VHT AP supports VHT TXOP PS mode (OR) VHT STA is in VHT TXOP power save -+# mode -+# -+# +HTC-VHT Capable: [HTC-VHT] -+# Indicates whether or not the STA supports receiving a VHT variant HT Control -+# field. -+# 0 = Not supported (default) -+# 1 = supported -+# -+# Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7] -+# Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv -+# This field is an integer in the range of 0 to 7. 
-+# The length defined by this field is equal to -+# 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets -+# -+# VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3] -+# Indicates whether or not the STA supports link adaptation using VHT variant -+# HT Control field -+# If +HTC-VHTcapable is 1 -+# 0 = (no feedback) if the STA does not provide VHT MFB (default) -+# 1 = reserved -+# 2 = (Unsolicited) if the STA provides only unsolicited VHT MFB -+# 3 = (Both) if the STA can provide VHT MFB in response to VHT MRQ and if the -+# STA provides unsolicited VHT MFB -+# Reserved if +HTC-VHTcapable is 0 -+# -+# Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN] -+# Indicates the possibility of Rx antenna pattern change -+# 0 = Rx antenna pattern might change during the lifetime of an association -+# 1 = Rx antenna pattern does not change during the lifetime of an association -+# -+# Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN] -+# Indicates the possibility of Tx antenna pattern change -+# 0 = Tx antenna pattern might change during the lifetime of an association -+# 1 = Tx antenna pattern does not change during the lifetime of an association -+#vht_capab=[SHORT-GI-80][HTC-VHT] -+# -+# Require stations to support VHT PHY (reject association if they do not) -+#require_vht=1 -+ -+# 0 = 20 or 40 MHz operating Channel width -+# 1 = 80 MHz channel width -+# 2 = 160 MHz channel width -+# 3 = 80+80 MHz channel width -+#vht_oper_chwidth=1 -+# -+# center freq = 5 GHz + (5 * index) -+# So index 42 gives center freq 5.210 GHz -+# which is channel 42 in 5G band -+# -+#vht_oper_centr_freq_seg0_idx=42 -+# -+# center freq = 5 GHz + (5 * index) -+# So index 159 gives center freq 5.795 GHz -+# which is channel 159 in 5G band -+# -+#vht_oper_centr_freq_seg1_idx=159 -+ -+# Workaround to use station's nsts capability in (Re)Association Response frame -+# This may be needed with some deployed devices as an interoperability -+# workaround for beamforming if the AP's 
capability is greater than the -+# station's capability. This is disabled by default and can be enabled by -+# setting use_sta_nsts=1. -+#use_sta_nsts=0 -+ -+##### IEEE 802.1X-2004 related configuration ################################## -+ -+# Require IEEE 802.1X authorization -+#ieee8021x=1 -+ -+# IEEE 802.1X/EAPOL version -+# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL -+# version 2. However, there are many client implementations that do not handle -+# the new version number correctly (they seem to drop the frames completely). -+# In order to make hostapd interoperate with these clients, the version number -+# can be set to the older version (1) with this configuration value. -+#eapol_version=2 -+ -+# Optional displayable message sent with EAP Request-Identity. The first \0 -+# in this string will be converted to ASCII-0 (nul). This can be used to -+# separate network info (comma separated list of attribute=value pairs); see, -+# e.g., RFC 4284. -+#eap_message=hello -+#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com -+ -+# WEP rekeying (disabled if key lengths are not set or are set to 0) -+# Key lengths for default/broadcast and individual/unicast keys: -+# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) -+# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) -+#wep_key_len_broadcast=5 -+#wep_key_len_unicast=5 -+# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) -+#wep_rekey_period=300 -+ -+# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if -+# only broadcast keys are used) -+eapol_key_index_workaround=0 -+ -+# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable -+# reauthentication). -+#eap_reauth_period=3600 -+ -+# Use PAE group address (01:80:c2:00:00:03) instead of individual target -+# address when sending EAPOL frames with driver=wired. 
This is the most common -+# mechanism used in wired authentication, but it also requires that the port -+# is only used by one station. -+#use_pae_group_addr=1 -+ -+# EAP Re-authentication Protocol (ERP) authenticator (RFC 6696) -+# -+# Whether to initiate EAP authentication with EAP-Initiate/Re-auth-Start before -+# EAP-Identity/Request -+#erp_send_reauth_start=1 -+# -+# Domain name for EAP-Initiate/Re-auth-Start. Omitted from the message if not -+# set (no local ER server). This is also used by the integrated EAP server if -+# ERP is enabled (eap_server_erp=1). -+#erp_domain=example.com -+ -+##### Integrated EAP server ################################################### -+ -+# Optionally, hostapd can be configured to use an integrated EAP server -+# to process EAP authentication locally without need for an external RADIUS -+# server. This functionality can be used both as a local authentication server -+# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. -+ -+# Use integrated EAP server instead of external RADIUS authentication -+# server. This is also needed if hostapd is configured to act as a RADIUS -+# authentication server. -+#eap_server=0 -+ -+# Path for EAP server user database -+# If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db" -+# to use SQLite database instead of a text file. -+#eap_user_file=/etc/hostapd.eap_user -+ -+# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS -+#ca_cert=/etc/hostapd.ca.pem -+ -+# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS -+#server_cert=/etc/hostapd.server.pem -+ -+# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS -+# This may point to the same file as server_cert if both certificate and key -+# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be -+# used by commenting out server_cert and specifying the PFX file as the -+# private_key. 
-+#private_key=/etc/hostapd.server.prv -+ -+# Passphrase for private key -+#private_key_passwd=secret passphrase -+ -+# Server identity -+# EAP methods that provide mechanism for authenticated server identity delivery -+# use this value. If not set, "hostapd" is used as a default. -+#server_id=server.example.com -+ -+# Enable CRL verification. -+# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a -+# valid CRL signed by the CA is required to be included in the ca_cert file. -+# This can be done by using PEM format for CA certificate and CRL and -+# concatenating these into one file. Whenever CRL changes, hostapd needs to be -+# restarted to take the new CRL into use. -+# 0 = do not verify CRLs (default) -+# 1 = check the CRL of the user certificate -+# 2 = check all CRLs in the certificate path -+#check_crl=1 -+ -+# TLS Session Lifetime in seconds -+# This can be used to allow TLS sessions to be cached and resumed with an -+# abbreviated handshake when using EAP-TLS/TTLS/PEAP. -+# (default: 0 = session caching and resumption disabled) -+#tls_session_lifetime=3600 -+ -+# Cached OCSP stapling response (DER encoded) -+# If set, this file is sent as a certificate status response by the EAP server -+# if the EAP peer requests certificate status in the ClientHello message. -+# This cache file can be updated, e.g., by running following command -+# periodically to get an update from the OCSP responder: -+# openssl ocsp \ -+# -no_nonce \ -+# -CAfile /etc/hostapd.ca.pem \ -+# -issuer /etc/hostapd.ca.pem \ -+# -cert /etc/hostapd.server.pem \ -+# -url http://ocsp.example.com:8888/ \ -+# -respout /tmp/ocsp-cache.der -+#ocsp_stapling_response=/tmp/ocsp-cache.der -+ -+# Cached OCSP stapling response list (DER encoded OCSPResponseList) -+# This is similar to ocsp_stapling_response, but the extended version defined in -+# RFC 6961 to allow multiple OCSP responses to be provided. 
-+#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der -+ -+# dh_file: File path to DH/DSA parameters file (in PEM format) -+# This is an optional configuration file for setting parameters for an -+# ephemeral DH key exchange. In most cases, the default RSA authentication does -+# not use this configuration. However, it is possible setup RSA to use -+# ephemeral DH key exchange. In addition, ciphers with DSA keys always use -+# ephemeral DH keys. This can be used to achieve forward secrecy. If the file -+# is in DSA parameters format, it will be automatically converted into DH -+# params. This parameter is required if anonymous EAP-FAST is used. -+# You can generate DH parameters file with OpenSSL, e.g., -+# "openssl dhparam -out /etc/hostapd.dh.pem 2048" -+#dh_file=/etc/hostapd.dh.pem -+ -+# OpenSSL cipher string -+# -+# This is an OpenSSL specific configuration option for configuring the default -+# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. -+# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation -+# on cipher suite configuration. This is applicable only if hostapd is built to -+# use OpenSSL. -+#openssl_ciphers=DEFAULT:!EXP:!LOW -+ -+# Fragment size for EAP methods -+#fragment_size=1400 -+ -+# Finite cyclic group for EAP-pwd. Number maps to group of domain parameters -+# using the IANA repository for IKE (RFC 2409). -+#pwd_group=19 -+ -+# Configuration data for EAP-SIM database/authentication gateway interface. -+# This is a text string in implementation specific format. The example -+# implementation in eap_sim_db.c uses this as the UNIX domain socket name for -+# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" -+# prefix. If hostapd is built with SQLite support (CONFIG_SQLITE=y in .config), -+# database file can be described with an optional db= parameter. 
-+#eap_sim_db=unix:/tmp/hlr_auc_gw.sock -+#eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/tmp/hostapd.db -+ -+# EAP-SIM DB request timeout -+# This parameter sets the maximum time to wait for a database request response. -+# The parameter value is in seconds. -+#eap_sim_db_timeout=1 -+ -+# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, -+# random value. It is configured as a 16-octet value in hex format. It can be -+# generated, e.g., with the following command: -+# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' -+#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f -+ -+# EAP-FAST authority identity (A-ID) -+# A-ID indicates the identity of the authority that issues PACs. The A-ID -+# should be unique across all issuing servers. In theory, this is a variable -+# length field, but due to some existing implementations requiring A-ID to be -+# 16 octets in length, it is strongly recommended to use that length for the -+# field to provid interoperability with deployed peer implementations. This -+# field is configured in hex format. -+#eap_fast_a_id=101112131415161718191a1b1c1d1e1f -+ -+# EAP-FAST authority identifier information (A-ID-Info) -+# This is a user-friendly name for the A-ID. For example, the enterprise name -+# and server name in a human-readable format. This field is encoded as UTF-8. -+#eap_fast_a_id_info=test server -+ -+# Enable/disable different EAP-FAST provisioning modes: -+#0 = provisioning disabled -+#1 = only anonymous provisioning allowed -+#2 = only authenticated provisioning allowed -+#3 = both provisioning modes allowed (default) -+#eap_fast_prov=3 -+ -+# EAP-FAST PAC-Key lifetime in seconds (hard limit) -+#pac_key_lifetime=604800 -+ -+# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard -+# limit). The server will generate a new PAC-Key when this number of seconds -+# (or fewer) of the lifetime remains. 
-+#pac_key_refresh_time=86400 -+ -+# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND -+# (default: 0 = disabled). -+#eap_sim_aka_result_ind=1 -+ -+# Trusted Network Connect (TNC) -+# If enabled, TNC validation will be required before the peer is allowed to -+# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other -+# EAP method is enabled, the peer will be allowed to connect without TNC. -+#tnc=1 -+ -+# EAP Re-authentication Protocol (ERP) - RFC 6696 -+# -+# Whether to enable ERP on the EAP server. -+#eap_server_erp=1 -+ -+##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### -+ -+# Interface to be used for IAPP broadcast packets -+#iapp_interface=eth0 -+ -+ -+##### RADIUS client configuration ############################################# -+# for IEEE 802.1X with external Authentication Server, IEEE 802.11 -+# authentication with external ACL for MAC addresses, and accounting -+ -+# The own IP address of the access point (used as NAS-IP-Address) -+own_ip_addr=127.0.0.1 -+ -+# NAS-Identifier string for RADIUS messages. When used, this should be unique -+# to the NAS within the scope of the RADIUS server. Please note that hostapd -+# uses a separate RADIUS client for each BSS and as such, a unique -+# nas_identifier value should be configured separately for each BSS. This is -+# particularly important for cases where RADIUS accounting is used -+# (Accounting-On/Off messages are interpreted as clearing all ongoing sessions -+# and that may get interpreted as applying to all BSSes if the same -+# NAS-Identifier value is used.) For example, a fully qualified domain name -+# prefixed with a unique identifier of the BSS (e.g., BSSID) can be used here. -+# -+# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and -+# 48 octets long. -+# -+# It is mandatory to configure either own_ip_addr or nas_identifier to be -+# compliant with the RADIUS protocol. 
When using RADIUS accounting, it is -+# strongly recommended that nas_identifier is set to a unique value for each -+# BSS. -+#nas_identifier=ap.example.com -+ -+# RADIUS client forced local IP address for the access point -+# Normally the local IP address is determined automatically based on configured -+# IP addresses, but this field can be used to force a specific address to be -+# used, e.g., when the device has multiple IP addresses. -+#radius_client_addr=127.0.0.1 -+ -+# RADIUS authentication server -+#auth_server_addr=127.0.0.1 -+#auth_server_port=1812 -+#auth_server_shared_secret=secret -+ -+# RADIUS accounting server -+#acct_server_addr=127.0.0.1 -+#acct_server_port=1813 -+#acct_server_shared_secret=secret -+ -+# Secondary RADIUS servers; to be used if primary one does not reply to -+# RADIUS packets. These are optional and there can be more than one secondary -+# server listed. -+#auth_server_addr=127.0.0.2 -+#auth_server_port=1812 -+#auth_server_shared_secret=secret2 -+# -+#acct_server_addr=127.0.0.2 -+#acct_server_port=1813 -+#acct_server_shared_secret=secret2 -+ -+# Retry interval for trying to return to the primary RADIUS server (in -+# seconds). RADIUS client code will automatically try to use the next server -+# when the current server is not replying to requests. If this interval is set, -+# primary server will be retried after configured amount of time even if the -+# currently used secondary server is still working. -+#radius_retry_primary_interval=600 -+ -+ -+# Interim accounting update interval -+# If this is set (larger than 0) and acct_server is configured, hostapd will -+# send interim accounting updates every N seconds. Note: if set, this overrides -+# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this -+# value should not be configured in hostapd.conf, if RADIUS server is used to -+# control the interim interval. -+# This value should not be less 600 (10 minutes) and must not be less than -+# 60 (1 minute). 
-+#radius_acct_interim_interval=600 -+ -+# Request Chargeable-User-Identity (RFC 4372) -+# This parameter can be used to configure hostapd to request CUI from the -+# RADIUS server by including Chargeable-User-Identity attribute into -+# Access-Request packets. -+#radius_request_cui=1 -+ -+# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN -+# is used for the stations. This information is parsed from following RADIUS -+# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN), -+# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value -+# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can -+# be used to set static client MAC address to VLAN ID mapping. -+# 0 = disabled (default) -+# 1 = option; use default interface if RADIUS server does not include VLAN ID -+# 2 = required; reject authentication if RADIUS server does not include VLAN ID -+#dynamic_vlan=0 -+ -+# Per-Station AP_VLAN interface mode -+# If enabled, each station is assigned its own AP_VLAN interface. -+# This implies per-station group keying and ebtables filtering of inter-STA -+# traffic (when passed through the AP). -+# If the sta is not assigned to any VLAN, then its AP_VLAN interface will be -+# added to the bridge given by the "bridge" configuration option (see above). -+# Otherwise, it will be added to the per-VLAN bridge. -+# 0 = disabled (default) -+# 1 = enabled -+#per_sta_vif=0 -+ -+# VLAN interface list for dynamic VLAN mode is read from a separate text file. -+# This list is used to map VLAN ID from the RADIUS server to a network -+# interface. Each station is bound to one interface in the same way as with -+# multiple BSSIDs or SSIDs. Each line in this text file is defining a new -+# interface and the line must include VLAN ID and interface name separated by -+# white space (space or tab). -+# If no entries are provided by this file, the station is statically mapped -+# to . interfaces. 
-+#vlan_file=/etc/hostapd.vlan -+ -+# Interface where 802.1q tagged packets should appear when a RADIUS server is -+# used to determine which VLAN a station is on. hostapd creates a bridge for -+# each VLAN. Then hostapd adds a VLAN interface (associated with the interface -+# indicated by 'vlan_tagged_interface') and the appropriate wireless interface -+# to the bridge. -+#vlan_tagged_interface=eth0 -+ -+# Bridge (prefix) to add the wifi and the tagged interface to. This gets the -+# VLAN ID appended. It defaults to brvlan%d if no tagged interface is given -+# and br%s.%d if a tagged interface is given, provided %s = tagged interface -+# and %d = VLAN ID. -+#vlan_bridge=brvlan -+ -+# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs -+# to know how to name it. -+# 0 = vlan, e.g., vlan1 -+# 1 = ., e.g. eth0.1 -+#vlan_naming=0 -+ -+# Arbitrary RADIUS attributes can be added into Access-Request and -+# Accounting-Request packets by specifying the contents of the attributes with -+# the following configuration parameters. There can be multiple of these to -+# add multiple attributes. These parameters can also be used to override some -+# of the attributes added automatically by hostapd. -+# Format: [:] -+# attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific) -+# syntax: s = string (UTF-8), d = integer, x = octet string -+# value: attribute value in format indicated by the syntax -+# If syntax and value parts are omitted, a null value (single 0x00 octet) is -+# used. 
-+# -+# Additional Access-Request attributes -+# radius_auth_req_attr=[:] -+# Examples: -+# Operator-Name = "Operator" -+#radius_auth_req_attr=126:s:Operator -+# Service-Type = Framed (2) -+#radius_auth_req_attr=6:d:2 -+# Connect-Info = "testing" (this overrides the automatically generated value) -+#radius_auth_req_attr=77:s:testing -+# Same Connect-Info value set as a hexdump -+#radius_auth_req_attr=77:x:74657374696e67 -+ -+# -+# Additional Accounting-Request attributes -+# radius_acct_req_attr=[:] -+# Examples: -+# Operator-Name = "Operator" -+#radius_acct_req_attr=126:s:Operator -+ -+# Dynamic Authorization Extensions (RFC 5176) -+# This mechanism can be used to allow dynamic changes to user session based on -+# commands from a RADIUS server (or some other disconnect client that has the -+# needed session information). For example, Disconnect message can be used to -+# request an associated station to be disconnected. -+# -+# This is disabled by default. Set radius_das_port to non-zero UDP port -+# number to enable. -+#radius_das_port=3799 -+# -+# DAS client (the host that can send Disconnect/CoA requests) and shared secret -+#radius_das_client=192.168.1.123 shared secret here -+# -+# DAS Event-Timestamp time window in seconds -+#radius_das_time_window=300 -+# -+# DAS require Event-Timestamp -+#radius_das_require_event_timestamp=1 -+# -+# DAS require Message-Authenticator -+#radius_das_require_message_authenticator=1 -+ -+##### RADIUS authentication server configuration ############################## -+ -+# hostapd can be used as a RADIUS authentication server for other hosts. This -+# requires that the integrated EAP server is also enabled and both -+# authentication services are sharing the same configuration. -+ -+# File name of the RADIUS clients configuration for the RADIUS server. If this -+# commented out, RADIUS server is disabled. 
-+#radius_server_clients=/etc/hostapd.radius_clients -+ -+# The UDP port number for the RADIUS authentication server -+#radius_server_auth_port=1812 -+ -+# The UDP port number for the RADIUS accounting server -+# Commenting this out or setting this to 0 can be used to disable RADIUS -+# accounting while still enabling RADIUS authentication. -+#radius_server_acct_port=1813 -+ -+# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API) -+#radius_server_ipv6=1 -+ -+ -+##### WPA/IEEE 802.11i configuration ########################################## -+ -+# Enable WPA. Setting this variable configures the AP to require WPA (either -+# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either -+# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. -+# Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice. -+# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), -+# RADIUS authentication server must be configured, and WPA-EAP must be included -+# in wpa_key_mgmt. -+# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) -+# and/or WPA2 (full IEEE 802.11i/RSN): -+# bit0 = WPA -+# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) -+#wpa=1 -+ -+# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit -+# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase -+# (8..63 characters) that will be converted to PSK. This conversion uses SSID -+# so the PSK changes when ASCII passphrase is used and the SSID is changed. -+# wpa_psk (dot11RSNAConfigPSKValue) -+# wpa_passphrase (dot11RSNAConfigPSKPassPhrase) -+#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef -+#wpa_passphrase=secret passphrase -+ -+# Optionally, WPA PSKs can be read from a separate text file (containing list -+# of (PSK,MAC address) pairs. This allows more than one PSK to be configured. 
-+# Use absolute path name to make sure that the files can be read on SIGHUP -+# configuration reloads. -+#wpa_psk_file=/etc/hostapd.wpa_psk -+ -+# Optionally, WPA passphrase can be received from RADIUS authentication server -+# This requires macaddr_acl to be set to 2 (RADIUS) -+# 0 = disabled (default) -+# 1 = optional; use default passphrase/psk if RADIUS server does not include -+# Tunnel-Password -+# 2 = required; reject authentication if RADIUS server does not include -+# Tunnel-Password -+#wpa_psk_radius=0 -+ -+# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The -+# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be -+# added to enable SHA256-based stronger algorithms. -+# (dot11RSNAConfigAuthenticationSuitesTable) -+#wpa_key_mgmt=WPA-PSK WPA-EAP -+ -+# Set of accepted cipher suites (encryption algorithms) for pairwise keys -+# (unicast packets). This is a space separated list of algorithms: -+# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] -+# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] -+# Group cipher suite (encryption algorithm for broadcast and multicast frames) -+# is automatically selected based on this configuration. If only CCMP is -+# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, -+# TKIP will be used as the group cipher. -+# (dot11RSNAConfigPairwiseCiphersTable) -+# Pairwise cipher for WPA (v1) (default: TKIP) -+#wpa_pairwise=TKIP CCMP -+# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) -+#rsn_pairwise=CCMP -+ -+# Time interval for rekeying GTK (broadcast/multicast encryption keys) in -+# seconds. (dot11RSNAConfigGroupRekeyTime) -+#wpa_group_rekey=600 -+ -+# Rekey GTK when any STA that possesses the current GTK is leaving the BSS. -+# (dot11RSNAConfigGroupRekeyStrict) -+#wpa_strict_rekey=1 -+ -+# Time interval for rekeying GMK (master key used internally to generate GTKs -+# (in seconds). 
-+#wpa_gmk_rekey=86400 -+ -+# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of -+# PTK to mitigate some attacks against TKIP deficiencies. -+#wpa_ptk_rekey=600 -+ -+# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up -+# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN -+# authentication and key handshake before actually associating with a new AP. -+# (dot11RSNAPreauthenticationEnabled) -+#rsn_preauth=1 -+# -+# Space separated list of interfaces from which pre-authentication frames are -+# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all -+# interface that are used for connections to other APs. This could include -+# wired interfaces and WDS links. The normal wireless data interface towards -+# associated stations (e.g., wlan0) should not be added, since -+# pre-authentication is only used with APs other than the currently associated -+# one. -+#rsn_preauth_interfaces=eth0 -+ -+# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is -+# allowed. This is only used with RSN/WPA2. -+# 0 = disabled (default) -+# 1 = enabled -+#peerkey=1 -+ -+# ieee80211w: Whether management frame protection (MFP) is enabled -+# 0 = disabled (default) -+# 1 = optional -+# 2 = required -+#ieee80211w=0 -+ -+# Group management cipher suite -+# Default: AES-128-CMAC (BIP) -+# Other options (depending on driver support): -+# BIP-GMAC-128 -+# BIP-GMAC-256 -+# BIP-CMAC-256 -+# Note: All the stations connecting to the BSS will also need to support the -+# selected cipher. The default AES-128-CMAC is the only option that is commonly -+# available in deployed devices. 
-+#group_mgmt_cipher=AES-128-CMAC -+ -+# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP) -+# (maximum time to wait for a SA Query response) -+# dot11AssociationSAQueryMaximumTimeout, 1...4294967295 -+#assoc_sa_query_max_timeout=1000 -+ -+# Association SA Query retry timeout (in TU = 1.024 ms; for MFP) -+# (time between two subsequent SA Query requests) -+# dot11AssociationSAQueryRetryTimeout, 1...4294967295 -+#assoc_sa_query_retry_timeout=201 -+ -+# disable_pmksa_caching: Disable PMKSA caching -+# This parameter can be used to disable caching of PMKSA created through EAP -+# authentication. RSN preauthentication may still end up using PMKSA caching if -+# it is enabled (rsn_preauth=1). -+# 0 = PMKSA caching enabled (default) -+# 1 = PMKSA caching disabled -+#disable_pmksa_caching=0 -+ -+# okc: Opportunistic Key Caching (aka Proactive Key Caching) -+# Allow PMK cache to be shared opportunistically among configured interfaces -+# and BSSes (i.e., all configurations within a single hostapd process). -+# 0 = disabled (default) -+# 1 = enabled -+#okc=1 -+ -+# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold) -+# This parameter defines how many open SAE instances can be in progress at the -+# same time before the anti-clogging mechanism is taken into use. -+#sae_anti_clogging_threshold=5 -+ -+# Enabled SAE finite cyclic groups -+# SAE implementation are required to support group 19 (ECC group defined over a -+# 256-bit prime order field). All groups that are supported by the -+# implementation are enabled by default. This configuration parameter can be -+# used to specify a limited set of allowed groups. 
The group values are listed -+# in the IANA registry: -+# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9 -+#sae_groups=19 20 21 25 26 -+ -+##### IEEE 802.11r configuration ############################################## -+ -+# Mobility Domain identifier (dot11FTMobilityDomainID, MDID) -+# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the -+# same SSID) between which a STA can use Fast BSS Transition. -+# 2-octet identifier as a hex string. -+#mobility_domain=a1b2 -+ -+# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID) -+# 1 to 48 octet identifier. -+# This is configured with nas_identifier (see RADIUS client section above). -+ -+# Default lifetime of the PMK-RO in minutes; range 1..65535 -+# (dot11FTR0KeyLifetime) -+#r0_key_lifetime=10000 -+ -+# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) -+# 6-octet identifier as a hex string. -+# Defaults to BSSID. -+#r1_key_holder=000102030405 -+ -+# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535) -+# (dot11FTReassociationDeadline) -+#reassociation_deadline=1000 -+ -+# List of R0KHs in the same Mobility Domain -+# format: <128-bit key as hex string> -+# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC -+# address when requesting PMK-R1 key from the R0KH that the STA used during the -+# Initial Mobility Domain Association. -+#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f -+#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff -+# And so on.. One line per R0KH. -+ -+# List of R1KHs in the same Mobility Domain -+# format: <128-bit key as hex string> -+# This list is used to map R1KH-ID to a destination MAC address when sending -+# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD -+# that can request PMK-R1 keys. 
-+#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f -+#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff -+# And so on.. One line per R1KH. -+ -+# Whether PMK-R1 push is enabled at R0KH -+# 0 = do not push PMK-R1 to all configured R1KHs (default) -+# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived -+#pmk_r1_push=1 -+ -+# Whether to enable FT-over-DS -+# 0 = FT-over-DS disabled -+# 1 = FT-over-DS enabled (default) -+#ft_over_ds=1 -+ -+##### Neighbor table ########################################################## -+# Maximum number of entries kept in AP table (either for neigbor table or for -+# detecting Overlapping Legacy BSS Condition). The oldest entry will be -+# removed when adding a new entry that would make the list grow over this -+# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is -+# enabled, so this field should not be set to 0 when using IEEE 802.11g. -+# default: 255 -+#ap_table_max_size=255 -+ -+# Number of seconds of no frames received after which entries may be deleted -+# from the AP table. Since passive scanning is not usually performed frequently -+# this should not be set to very small value. In addition, there is no -+# guarantee that every scan cycle will receive beacon frames from the -+# neighboring APs. -+# default: 60 -+#ap_table_expiration_time=3600 -+ -+# Maximum number of stations to track on the operating channel -+# This can be used to detect dualband capable stations before they have -+# associated, e.g., to provide guidance on which colocated BSS to use. -+# Default: 0 (disabled) -+#track_sta_max_num=100 -+ -+# Maximum age of a station tracking entry in seconds -+# Default: 180 -+#track_sta_max_age=180 -+ -+# Do not reply to group-addressed Probe Request from a station that was seen on -+# another radio. 
-+# Default: Disabled -+# -+# This can be used with enabled track_sta_max_num configuration on another -+# interface controlled by the same hostapd process to restrict Probe Request -+# frame handling from replying to group-addressed Probe Request frames from a -+# station that has been detected to be capable of operating on another band, -+# e.g., to try to reduce likelihood of the station selecting a 2.4 GHz BSS when -+# the AP operates both a 2.4 GHz and 5 GHz BSS concurrently. -+# -+# Note: Enabling this can cause connectivity issues and increase latency for -+# discovering the AP. -+#no_probe_resp_if_seen_on=wlan1 -+ -+# Reject authentication from a station that was seen on another radio. -+# Default: Disabled -+# -+# This can be used with enabled track_sta_max_num configuration on another -+# interface controlled by the same hostapd process to reject authentication -+# attempts from a station that has been detected to be capable of operating on -+# another band, e.g., to try to reduce likelihood of the station selecting a -+# 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz BSS concurrently. -+# -+# Note: Enabling this can cause connectivity issues and increase latency for -+# connecting with the AP. -+#no_auth_if_seen_on=wlan1 -+ -+##### Wi-Fi Protected Setup (WPS) ############################################# -+ -+# WPS state -+# 0 = WPS disabled (default) -+# 1 = WPS enabled, not configured -+# 2 = WPS enabled, configured -+#wps_state=2 -+ -+# Whether to manage this interface independently from other WPS interfaces -+# By default, a single hostapd process applies WPS operations to all configured -+# interfaces. This parameter can be used to disable that behavior for a subset -+# of interfaces. If this is set to non-zero for an interface, WPS commands -+# issued on that interface do not apply to other interfaces and WPS operations -+# performed on other interfaces do not affect this interface. 
-+#wps_independent=0 -+ -+# AP can be configured into a locked state where new WPS Registrar are not -+# accepted, but previously authorized Registrars (including the internal one) -+# can continue to add new Enrollees. -+#ap_setup_locked=1 -+ -+# Universally Unique IDentifier (UUID; see RFC 4122) of the device -+# This value is used as the UUID for the internal WPS Registrar. If the AP -+# is also using UPnP, this value should be set to the device's UPnP UUID. -+# If not configured, UUID will be generated based on the local MAC address. -+#uuid=12345678-9abc-def0-1234-56789abcdef0 -+ -+# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs -+# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the -+# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of -+# per-device PSKs is recommended as the more secure option (i.e., make sure to -+# set wpa_psk_file when using WPS with WPA-PSK). -+ -+# When an Enrollee requests access to the network with PIN method, the Enrollee -+# PIN will need to be entered for the Registrar. PIN request notifications are -+# sent to hostapd ctrl_iface monitor. In addition, they can be written to a -+# text file that could be used, e.g., to populate the AP administration UI with -+# pending PIN requests. If the following variable is set, the PIN requests will -+# be written to the configured file. 
-+#wps_pin_requests=/var/run/hostapd_wps_pin_requests -+ -+# Device Name -+# User-friendly description of device; up to 32 octets encoded in UTF-8 -+#device_name=Wireless AP -+ -+# Manufacturer -+# The manufacturer of the device (up to 64 ASCII characters) -+#manufacturer=Company -+ -+# Model Name -+# Model of the device (up to 32 ASCII characters) -+#model_name=WAP -+ -+# Model Number -+# Additional device description (up to 32 ASCII characters) -+#model_number=123 -+ -+# Serial Number -+# Serial number of the device (up to 32 characters) -+#serial_number=12345 -+ -+# Primary Device Type -+# Used format: -- -+# categ = Category as an integer value -+# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for -+# default WPS OUI -+# subcateg = OUI-specific Sub Category as an integer value -+# Examples: -+# 1-0050F204-1 (Computer / PC) -+# 1-0050F204-2 (Computer / Server) -+# 5-0050F204-1 (Storage / NAS) -+# 6-0050F204-1 (Network Infrastructure / AP) -+#device_type=6-0050F204-1 -+ -+# OS Version -+# 4-octet operating system version number (hex string) -+#os_version=01020300 -+ -+# Config Methods -+# List of the supported configuration methods -+# Available methods: usba ethernet label display ext_nfc_token int_nfc_token -+# nfc_interface push_button keypad virtual_display physical_display -+# virtual_push_button physical_push_button -+#config_methods=label virtual_display virtual_push_button keypad -+ -+# WPS capability discovery workaround for PBC with Windows 7 -+# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting -+# as a Registrar and using M1 from the AP. The config methods attribute in that -+# message is supposed to indicate only the configuration method supported by -+# the AP in Enrollee role, i.e., to add an external Registrar. For that case, -+# PBC shall not be used and as such, the PushButton config method is removed -+# from M1 by default. 
If pbc_in_m1=1 is included in the configuration file, -+# the PushButton config method is left in M1 (if included in config_methods -+# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label -+# in the AP). -+#pbc_in_m1=1 -+ -+# Static access point PIN for initial configuration and adding Registrars -+# If not set, hostapd will not allow external WPS Registrars to control the -+# access point. The AP PIN can also be set at runtime with hostapd_cli -+# wps_ap_pin command. Use of temporary (enabled by user action) and random -+# AP PIN is much more secure than configuring a static AP PIN here. As such, -+# use of the ap_pin parameter is not recommended if the AP device has means for -+# displaying a random PIN. -+#ap_pin=12345670 -+ -+# Skip building of automatic WPS credential -+# This can be used to allow the automatically generated Credential attribute to -+# be replaced with pre-configured Credential(s). -+#skip_cred_build=1 -+ -+# Additional Credential attribute(s) -+# This option can be used to add pre-configured Credential attributes into M8 -+# message when acting as a Registrar. If skip_cred_build=1, this data will also -+# be able to override the Credential attribute that would have otherwise been -+# automatically generated based on network configuration. This configuration -+# option points to an external file that much contain the WPS Credential -+# attribute(s) as binary data. -+#extra_cred=hostapd.cred -+ -+# Credential processing -+# 0 = process received credentials internally (default) -+# 1 = do not process received credentials; just pass them over ctrl_iface to -+# external program(s) -+# 2 = process received credentials internally and pass them over ctrl_iface -+# to external program(s) -+# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and -+# extra_cred be used to provide the Credential data for Enrollees. 
-+# -+# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file -+# both for Credential processing and for marking AP Setup Locked based on -+# validation failures of AP PIN. An external program is responsible on updating -+# the configuration appropriately in this case. -+#wps_cred_processing=0 -+ -+# AP Settings Attributes for M7 -+# By default, hostapd generates the AP Settings Attributes for M7 based on the -+# current configuration. It is possible to override this by providing a file -+# with pre-configured attributes. This is similar to extra_cred file format, -+# but the AP Settings attributes are not encapsulated in a Credential -+# attribute. -+#ap_settings=hostapd.ap_settings -+ -+# WPS UPnP interface -+# If set, support for external Registrars is enabled. -+#upnp_iface=br0 -+ -+# Friendly Name (required for UPnP) -+# Short description for end use. Should be less than 64 characters. -+#friendly_name=WPS Access Point -+ -+# Manufacturer URL (optional for UPnP) -+#manufacturer_url=http://www.example.com/ -+ -+# Model Description (recommended for UPnP) -+# Long description for end user. Should be less than 128 characters. -+#model_description=Wireless Access Point -+ -+# Model URL (optional for UPnP) -+#model_url=http://www.example.com/model/ -+ -+# Universal Product Code (optional for UPnP) -+# 12-digit, all-numeric code that identifies the consumer package. -+#upc=123456789012 -+ -+# WPS RF Bands (a = 5G, b = 2.4G, g = 2.4G, ag = dual band, ad = 60 GHz) -+# This value should be set according to RF band(s) supported by the AP if -+# hw_mode is not set. For dual band dual concurrent devices, this needs to be -+# set to ag to allow both RF bands to be advertized. -+#wps_rf_bands=ag -+ -+# NFC password token for WPS -+# These parameters can be used to configure a fixed NFC password token for the -+# AP. This can be generated, e.g., with nfc_pw_token from wpa_supplicant. 
When -+# these parameters are used, the AP is assumed to be deployed with a NFC tag -+# that includes the matching NFC password token (e.g., written based on the -+# NDEF record from nfc_pw_token). -+# -+#wps_nfc_dev_pw_id: Device Password ID (16..65535) -+#wps_nfc_dh_pubkey: Hexdump of DH Public Key -+#wps_nfc_dh_privkey: Hexdump of DH Private Key -+#wps_nfc_dev_pw: Hexdump of Device Password -+ -+##### Wi-Fi Direct (P2P) ###################################################### -+ -+# Enable P2P Device management -+#manage_p2p=1 -+ -+# Allow cross connection -+#allow_cross_connection=1 -+ -+#### TDLS (IEEE 802.11z-2010) ################################################# -+ -+# Prohibit use of TDLS in this BSS -+#tdls_prohibit=1 -+ -+# Prohibit use of TDLS Channel Switching in this BSS -+#tdls_prohibit_chan_switch=1 -+ -+##### IEEE 802.11v-2011 ####################################################### -+ -+# Time advertisement -+# 0 = disabled (default) -+# 2 = UTC time at which the TSF timer is 0 -+#time_advertisement=2 -+ -+# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004: -+# stdoffset[dst[offset][,start[/time],end[/time]]] -+#time_zone=EST5 -+ -+# WNM-Sleep Mode (extended sleep mode for stations) -+# 0 = disabled (default) -+# 1 = enabled (allow stations to use WNM-Sleep Mode) -+#wnm_sleep_mode=1 -+ -+# BSS Transition Management -+# 0 = disabled (default) -+# 1 = enabled -+#bss_transition=1 -+ -+# Proxy ARP -+# 0 = disabled (default) -+# 1 = enabled -+#proxy_arp=1 -+ -+# IPv6 Neighbor Advertisement multicast-to-unicast conversion -+# This can be used with Proxy ARP to allow multicast NAs to be forwarded to -+# associated STAs using link layer unicast delivery. 
-+# 0 = disabled (default) -+# 1 = enabled -+#na_mcast_to_ucast=0 -+ -+##### IEEE 802.11u-2011 ####################################################### -+ -+# Enable Interworking service -+#interworking=1 -+ -+# Access Network Type -+# 0 = Private network -+# 1 = Private network with guest access -+# 2 = Chargeable public network -+# 3 = Free public network -+# 4 = Personal device network -+# 5 = Emergency services only network -+# 14 = Test or experimental -+# 15 = Wildcard -+#access_network_type=0 -+ -+# Whether the network provides connectivity to the Internet -+# 0 = Unspecified -+# 1 = Network provides connectivity to the Internet -+#internet=1 -+ -+# Additional Step Required for Access -+# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if -+# RSN is used. -+#asra=0 -+ -+# Emergency services reachable -+#esr=0 -+ -+# Unauthenticated emergency service accessible -+#uesa=0 -+ -+# Venue Info (optional) -+# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34. -+# Example values (group,type): -+# 0,0 = Unspecified -+# 1,7 = Convention Center -+# 1,13 = Coffee Shop -+# 2,0 = Unspecified Business -+# 7,1 Private Residence -+#venue_group=7 -+#venue_type=1 -+ -+# Homogeneous ESS identifier (optional; dot11HESSID) -+# If set, this shall be identifical to one of the BSSIDs in the homogeneous -+# ESS and this shall be set to the same value across all BSSs in homogeneous -+# ESS. -+#hessid=02:03:04:05:06:07 -+ -+# Roaming Consortium List -+# Arbitrary number of Roaming Consortium OIs can be configured with each line -+# adding a new OI to the list. The first three entries are available through -+# Beacon and Probe Response frames. Any additional entry will be available only -+# through ANQP queries. Each OI is between 3 and 15 octets and is configured as -+# a hexstring. 
-+#roaming_consortium=021122 -+#roaming_consortium=2233445566 -+ -+# Venue Name information -+# This parameter can be used to configure one or more Venue Name Duples for -+# Venue Name ANQP information. Each entry has a two or three character language -+# code (ISO-639) separated by colon from the venue name string. -+# Note that venue_group and venue_type have to be set for Venue Name -+# information to be complete. -+#venue_name=eng:Example venue -+#venue_name=fin:Esimerkkipaikka -+# Alternative format for language:value strings: -+# (double quoted string, printf-escaped string) -+#venue_name=P"eng:Example\nvenue" -+ -+# Network Authentication Type -+# This parameter indicates what type of network authentication is used in the -+# network. -+# format: [redirect URL] -+# Network Authentication Type Indicator values: -+# 00 = Acceptance of terms and conditions -+# 01 = On-line enrollment supported -+# 02 = http/https redirection -+# 03 = DNS redirection -+#network_auth_type=00 -+#network_auth_type=02http://www.example.com/redirect/me/here/ -+ -+# IP Address Type Availability -+# format: <1-octet encoded value as hex str> -+# (ipv4_type & 0x3f) << 2 | (ipv6_type & 0x3) -+# ipv4_type: -+# 0 = Address type not available -+# 1 = Public IPv4 address available -+# 2 = Port-restricted IPv4 address available -+# 3 = Single NATed private IPv4 address available -+# 4 = Double NATed private IPv4 address available -+# 5 = Port-restricted IPv4 address and single NATed IPv4 address available -+# 6 = Port-restricted IPv4 address and double NATed IPv4 address available -+# 7 = Availability of the address type is not known -+# ipv6_type: -+# 0 = Address type not available -+# 1 = Address type available -+# 2 = Availability of the address type not known -+#ipaddr_type_availability=14 -+ -+# Domain Name -+# format: [,] -+#domain_name=example.com,another.example.com,yet-another.example.com -+ -+# 3GPP Cellular Network information -+# format: [;][;...] 
-+#anqp_3gpp_cell_net=244,91;310,026;234,56 -+ -+# NAI Realm information -+# One or more realm can be advertised. Each nai_realm line adds a new realm to -+# the set. These parameters provide information for stations using Interworking -+# network selection to allow automatic connection to a network based on -+# credentials. -+# format: ,[,][,][,...] -+# encoding: -+# 0 = Realm formatted in accordance with IETF RFC 4282 -+# 1 = UTF-8 formatted character string that is not formatted in -+# accordance with IETF RFC 4282 -+# NAI Realm(s): Semi-colon delimited NAI Realm(s) -+# EAP Method: [:<[AuthParam1:Val1]>][<[AuthParam2:Val2]>][...] -+# EAP Method types, see: -+# http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4 -+# AuthParam (Table 8-188 in IEEE Std 802.11-2012): -+# ID 2 = Non-EAP Inner Authentication Type -+# 1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2 -+# ID 3 = Inner authentication EAP Method Type -+# ID 5 = Credential Type -+# 1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token, -+# 5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous, -+# 10 = Vendor Specific -+#nai_realm=0,example.com;example.net -+# EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with -+# username/password -+#nai_realm=0,example.org,13[5:6],21[2:4][5:7] -+ -+# Arbitrary ANQP-element configuration -+# Additional ANQP-elements with arbitrary values can be defined by specifying -+# their contents in raw format as a hexdump of the payload. Note that these -+# values will override ANQP-element contents that may have been specified in the -+# more higher layer configuration parameters listed above. 
-+# format: anqp_elem=: -+# For example, AP Geospatial Location ANQP-element with unknown location: -+#anqp_elem=265:0000 -+# For example, AP Civic Location ANQP-element with unknown location: -+#anqp_elem=266:000000 -+ -+# GAS Address 3 behavior -+# 0 = P2P specification (Address3 = AP BSSID) workaround enabled by default -+# based on GAS request Address3 -+# 1 = IEEE 802.11 standard compliant regardless of GAS request Address3 -+# 2 = Force non-compliant behavior (Address3 = AP BSSID for all cases) -+#gas_address3=0 -+ -+# QoS Map Set configuration -+# -+# Comma delimited QoS Map Set in decimal values -+# (see IEEE Std 802.11-2012, 8.4.2.97) -+# -+# format: -+# [,],... -+# -+# There can be up to 21 optional DSCP Exceptions which are pairs of DSCP Value -+# (0..63 or 255) and User Priority (0..7). This is followed by eight DSCP Range -+# descriptions with DSCP Low Value and DSCP High Value pairs (0..63 or 255) for -+# each UP starting from 0. If both low and high value are set to 255, the -+# corresponding UP is not used. -+# -+# default: not set -+#qos_map_set=53,2,22,6,8,15,0,7,255,255,16,31,32,39,255,255,40,47,255,255 -+ -+##### Hotspot 2.0 ############################################################# -+ -+# Enable Hotspot 2.0 support -+#hs20=1 -+ -+# Disable Downstream Group-Addressed Forwarding (DGAF) -+# This can be used to configure a network where no group-addressed frames are -+# allowed. The AP will not forward any group-address frames to the stations and -+# random GTKs are issued for each station to prevent associated stations from -+# forging such frames to other stations in the BSS. -+#disable_dgaf=1 -+ -+# OSU Server-Only Authenticated L2 Encryption Network -+#osen=1 -+ -+# ANQP Domain ID (0..65535) -+# An identifier for a set of APs in an ESS that share the same common ANQP -+# information. 0 = Some of the ANQP information is unique to this AP (default). 
-+#anqp_domain_id=1234 -+ -+# Deauthentication request timeout -+# If the RADIUS server indicates that the station is not allowed to connect to -+# the BSS/ESS, the AP can allow the station some time to download a -+# notification page (URL included in the message). This parameter sets that -+# timeout in seconds. -+#hs20_deauth_req_timeout=60 -+ -+# Operator Friendly Name -+# This parameter can be used to configure one or more Operator Friendly Name -+# Duples. Each entry has a two or three character language code (ISO-639) -+# separated by colon from the operator friendly name string. -+#hs20_oper_friendly_name=eng:Example operator -+#hs20_oper_friendly_name=fin:Esimerkkioperaattori -+ -+# Connection Capability -+# This can be used to advertise what type of IP traffic can be sent through the -+# hotspot (e.g., due to firewall allowing/blocking protocols/ports). -+# format: :: -+# IP Protocol: 1 = ICMP, 6 = TCP, 17 = UDP -+# Port Number: 0..65535 -+# Status: 0 = Closed, 1 = Open, 2 = Unknown -+# Each hs20_conn_capab line is added to the list of advertised tuples. -+#hs20_conn_capab=1:0:2 -+#hs20_conn_capab=6:22:1 -+#hs20_conn_capab=17:5060:0 -+ -+# WAN Metrics -+# format: :
:
    :
    :
      : -+# WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity -+# (encoded as two hex digits) -+# Link Status: 1 = Link up, 2 = Link down, 3 = Link in test state -+# Downlink Speed: Estimate of WAN backhaul link current downlink speed in kbps; -+# 1..4294967295; 0 = unknown -+# Uplink Speed: Estimate of WAN backhaul link current uplink speed in kbps -+# 1..4294967295; 0 = unknown -+# Downlink Load: Current load of downlink WAN connection (scaled to 255 = 100%) -+# Uplink Load: Current load of uplink WAN connection (scaled to 255 = 100%) -+# Load Measurement Duration: Duration for measuring downlink/uplink load in -+# tenths of a second (1..65535); 0 if load cannot be determined -+#hs20_wan_metrics=01:8000:1000:80:240:3000 -+ -+# Operating Class Indication -+# List of operating classes the BSSes in this ESS use. The Global operating -+# classes in Table E-4 of IEEE Std 802.11-2012 Annex E define the values that -+# can be used in this. -+# format: hexdump of operating class octets -+# for example, operating classes 81 (2.4 GHz channels 1-13) and 115 (5 GHz -+# channels 36-48): -+#hs20_operating_class=5173 -+ -+# OSU icons -+# ::::: -+#hs20_icon=32:32:eng:image/png:icon32:/tmp/icon32.png -+#hs20_icon=64:64:eng:image/png:icon64:/tmp/icon64.png -+ -+# OSU SSID (see ssid2 for format description) -+# This is the SSID used for all OSU connections to all the listed OSU Providers. -+#osu_ssid="example" -+ -+# OSU Providers -+# One or more sets of following parameter. Each OSU provider is started by the -+# mandatory osu_server_uri item. The other parameters add information for the -+# last added OSU provider. -+# -+#osu_server_uri=https://example.com/osu/ -+#osu_friendly_name=eng:Example operator -+#osu_friendly_name=fin:Esimerkkipalveluntarjoaja -+#osu_nai=anonymous@example.com -+#osu_method_list=1 0 -+#osu_icon=icon32 -+#osu_icon=icon64 -+#osu_service_desc=eng:Example services -+#osu_service_desc=fin:Esimerkkipalveluja -+# -+#osu_server_uri=... 
-+ -+##### Fast Session Transfer (FST) support ##################################### -+# -+# The options in this section are only available when the build configuration -+# option CONFIG_FST is set while compiling hostapd. They allow this interface -+# to be a part of FST setup. -+# -+# FST is the transfer of a session from a channel to another channel, in the -+# same or different frequency bands. -+# -+# For detals, see IEEE Std 802.11ad-2012. -+ -+# Identifier of an FST Group the interface belongs to. -+#fst_group_id=bond0 -+ -+# Interface priority within the FST Group. -+# Announcing a higher priority for an interface means declaring it more -+# preferable for FST switch. -+# fst_priority is in 1..255 range with 1 being the lowest priority. -+#fst_priority=100 -+ -+# Default LLT value for this interface in milliseconds. The value used in case -+# no value provided during session setup. Default is 50 ms. -+# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2 -+# Transitioning between states). -+#fst_llt=100 -+ -+##### Radio measurements / location ########################################### -+ -+# The content of a LCI measurement subelement -+#lci= -+ -+# The content of a location civic measurement subelement -+#civic= -+ -+# Enable neighbor report via radio measurements -+#rrm_neighbor_report=1 -+ -+# Publish fine timing measurement (FTM) responder functionality -+# This parameter only controls publishing via Extended Capabilities element. -+# Actual functionality is managed outside hostapd. -+#ftm_responder=0 -+ -+# Publish fine timing measurement (FTM) initiator functionality -+# This parameter only controls publishing via Extended Capabilities element. -+# Actual functionality is managed outside hostapd. 
-+#ftm_initiator=0 -+ -+##### TESTING OPTIONS ######################################################### -+# -+# The options in this section are only available when the build configuration -+# option CONFIG_TESTING_OPTIONS is set while compiling hostapd. They allow -+# testing some scenarios that are otherwise difficult to reproduce. -+# -+# Ignore probe requests sent to hostapd with the given probability, must be a -+# floating point number in the range [0, 1). -+#ignore_probe_probability=0.0 -+# -+# Ignore authentication frames with the given probability -+#ignore_auth_probability=0.0 -+# -+# Ignore association requests with the given probability -+#ignore_assoc_probability=0.0 -+# -+# Ignore reassociation requests with the given probability -+#ignore_reassoc_probability=0.0 -+# -+# Corrupt Key MIC in GTK rekey EAPOL-Key frames with the given probability -+#corrupt_gtk_rekey_mic_probability=0.0 -+# -+# Include only ECSA IE without CSA IE where possible -+# (channel switch operating class is needed) -+#ecsa_ie_only=0 -+ -+##### Multiple BSSID support ################################################## -+# -+# Above configuration is using the default interface (wlan#, or multi-SSID VLAN -+# interfaces). Other BSSIDs can be added by using separator 'bss' with -+# default interface name to be allocated for the data packets of the new BSS. -+# -+# hostapd will generate BSSID mask based on the BSSIDs that are -+# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is -+# not the case, the MAC address of the radio must be changed before starting -+# hostapd (ifconfig wlan0 hw ether ). If a BSSID is configured for -+# every secondary BSS, this limitation is not applied at hostapd and other -+# masks may be used if the driver supports them (e.g., swap the locally -+# administered bit) -+# -+# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is -+# specified using the 'bssid' parameter. 
-+# If an explicit BSSID is specified, it must be chosen such that it:
-+# - results in a valid MASK that covers it and the dev_addr
-+# - is not the same as the MAC address of the radio
-+# - is not the same as any other explicitly specified BSSID
-+#
-+# Alternatively, the 'use_driver_iface_addr' parameter can be used to request
-+# hostapd to use the driver auto-generated interface address (e.g., to use the
-+# exact MAC addresses allocated to the device).
-+#
-+# Not all drivers support multiple BSSes. The exact mechanism for determining
-+# the driver capabilities is driver specific. With the current (i.e., a recent
-+# kernel) drivers using nl80211, this information can be checked with "iw list"
-+# (search for "valid interface combinations").
-+#
-+# Please note that hostapd uses some of the values configured for the first BSS
-+# as the defaults for the following BSSes. However, it is recommended that all
-+# BSSes include explicit configuration of all relevant configuration items.
-+#
-+#bss=wlan0_0
-+#ssid=test2
-+# most of the above items can be used here (apart from radio interface specific
-+# items, like channel)
-+
-+#bss=wlan0_1
-+#bssid=00:13:10:95:fe:0b
-+# ...
 diff -rupN hostapd-2.6/hostapd/hostapd-wpe.eap_user hostapd-2.6-wpe/hostapd/hostapd-wpe.eap_user
 --- hostapd-2.6/hostapd/hostapd-wpe.eap_user 1969-12-31 19:00:00.000000000 -0500
 +++ hostapd-2.6-wpe/hostapd/hostapd-wpe.eap_user 2016-12-17 06:12:53.947984072 -0500
diff --git a/net-wireless/hostapd/hostapd-2.6.ebuild b/net-wireless/hostapd/hostapd-2.6-r1.ebuild
similarity index 97%
rename from net-wireless/hostapd/hostapd-2.6.ebuild
rename to net-wireless/hostapd/hostapd-2.6-r1.ebuild
index 8f2ddd63a..66e5a85bb 100644
--- a/net-wireless/hostapd/hostapd-2.6.ebuild
+++ b/net-wireless/hostapd/hostapd-2.6-r1.ebuild
@@ -5,15 +5,13 @@ EAPI="6" inherit toolchain-funcs eutils systemd -# bogus commit to force manifest regeneration #596462 - DESCRIPTION="IEEE 802.11 wireless LAN Host AP daemon" -HOMEPAGE="http://hostap.epitest.fi" +HOMEPAGE="https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/hostapd-wpe" SRC_URI="http://hostap.epitest.fi/releases/${P}.tar.gz" LICENSE="|| ( GPL-2 BSD )" SLOT="0" -KEYWORDS="amd64 ~arm ~mips ~ppc x86" +KEYWORDS="amd64 ~arm ~mips ppc x86" IUSE="ipv6 logwatch netlink sqlite +ssl +wpe karma_cli +wps +crda" REQUIRED_USE="^^ ( wpe karma_cli )"
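Review bot: SRC_URI still fetches the release tarball over plain `http://hostap.epitest.fi` while HOMEPAGE is moved to an https URL, so the Manifest digest remains the only integrity check on the download; upstream serves releases over TLS, so `SRC_URI="https://w1.fi/releases/${P}.tar.gz"` would remove the cleartext fetch, and if this overlay uses full (non-thin) Manifests the edited patch under files/ also needs a regenerated Manifest, which the removed "bogus commit to force manifest regeneration" comment suggests has been missed before. The new HOMEPAGE names only the aircrack-ng WPE patch directory and no longer points at hostapd itself; HOMEPAGE accepts a space-separated list, so `HOMEPAGE="https://w1.fi/hostapd/ https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/hostapd-wpe"` keeps the upstream reference. The `~ppc` to `ppc` stabilization is unrelated to the WPE patch update and is not mentioned in the commit message; it should either state that ppc was tested or be split into its own commit.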