### Autogenerated by interfaces_ethernet.py ###

# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/run/wpa_supplicant

# IEEE 802.1X/EAPOL version
# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=2

# No need to scan for access points in EAPoL mode
ap_scan=0

# EAP fast re-authentication
fast_reauth=1

network={
{% if eapol is vyos_defined %}
{%     if eapol.ca_certificate is vyos_defined %}
    ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem"
{%     endif %}
    client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem"
    private_key="/run/wpa_supplicant/{{ ifname }}_cert.key"
{% endif %}

    # list of accepted authenticated key management protocols
    key_mgmt=IEEE8021X
    eap=TLS

{% if mac is vyos_defined %}
    identity="{{ mac }}"
{% else %}
    identity="{{ hw_id }}"
{% endif %}

    # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
    # Dynamic WEP key required for non-WPA mode
    # bit0 (1): require dynamically generated unicast WEP key
    # bit1 (2): require dynamically generated broadcast WEP key
    #      (3) = require both keys; default)
    # Note: When using wired authentication (including MACsec drivers),
    # eapol_flags must be set to 0 for the authentication to be completed
    # successfully.
    eapol_flags=0

    # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
    # used to configure a mode that allows EAP-Success (and EAP-Failure) without
    # going through authentication step. Some switches use such sequence when
    # forcing the port to be authorized/unauthorized or as a fallback option if
    # the authentication server is unreachable. By default, wpa_supplicant
    # discards such frames to protect against potential attacks by rogue
    # devices, but this option can be used to disable that protection for cases
    # where the server/authenticator does not need to be authenticated.
    #
    # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with
    # legacy networks. This follows the behavior of Debian's wpa_supplicant,
    # which includes a custom patch for allowing TLSv1, but the patch currently
    # does not work for VyOS' git builds of wpa_supplicant.
    phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
}