summaryrefslogtreecommitdiff
path: root/data/templates/wifi/wpa_supplicant.conf.j2
blob: 04088e1add2c6de0245829b2626a08ab66b9f063 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
### Autogenerated by interfaces_wireless.py ###

# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

network={
    # ssid: SSID (mandatory); network name in one of the optional formats:
    #   - an ASCII string with double quotation
    #   - a hex string (two characters per octet of SSID)
    #   - a printf-escaped ASCII string P"<escaped string>"
    #
    ssid="{{ ssid }}"

    # scan_ssid:
    #   0 = do not scan this SSID with specific Probe Request frames (default)
    #   1 = scan with SSID-specific Probe Request frames (this can be used to
    #       find APs that do not accept broadcast SSID or use multiple SSIDs;
    #       this will add latency to scanning, so enable this only when needed)
    scan_ssid=1

{% if security.wpa.passphrase is vyos_defined %}
    # ieee80211w: whether management frame protection is enabled
    # 0 = disabled (default unless changed with the global pmf parameter)
    # 1 = optional
    # 2 = required
    # The most common configuration options for this based on the PMF (protected
    # management frames) certification program are:
    # PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256
    # PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256
    # (and similarly for WPA-PSK and WPA-PSK-SHA256 if WPA2-Personal is used)
    # WPA3-Personal-only mode: ieee80211w=2 and key_mgmt=SAE
    ieee80211w=1

    # key_mgmt: list of accepted authenticated key management protocols
    # WPA-PSK = WPA pre-shared key (this requires 'psk' field)
    # WPA-EAP = WPA using EAP authentication
    # IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically
    #	generated WEP keys
    # NONE = WPA is not used; plaintext or static WEP could be used
    # WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK
    #	instead)
    # FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key
    # FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication
    # FT-EAP-SHA384 = Fast BSS Transition (IEEE 802.11r) with EAP authentication
    #	and using SHA384
    # WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms
    # WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms
    # SAE = Simultaneous authentication of equals; pre-shared key/password -based
    #	authentication with stronger security than WPA-PSK especially when using
    #	not that strong password; a.k.a. WPA3-Personal
    # FT-SAE = SAE with FT
    # WPA-EAP-SUITE-B = Suite B 128-bit level
    # WPA-EAP-SUITE-B-192 = Suite B 192-bit level
    # OSEN = Hotspot 2.0 Rel 2 online signup connection
    # FILS-SHA256 = Fast Initial Link Setup with SHA256
    # FILS-SHA384 = Fast Initial Link Setup with SHA384
    # FT-FILS-SHA256 = FT and Fast Initial Link Setup with SHA256
    # FT-FILS-SHA384 = FT and Fast Initial Link Setup with SHA384
    # OWE = Opportunistic Wireless Encryption (a.k.a. Enhanced Open)
    # DPP = Device Provisioning Protocol
    # If not set, this defaults to: WPA-PSK WPA-EAP
{%     if security.wpa.mode is vyos_defined('wpa3') %}
    key_mgmt=SAE
{%     elif security.wpa.username is vyos_defined %}
    key_mgmt=WPA-EAP WPA-EAP-SHA256
{%     else %}
    key_mgmt=WPA-PSK WPA-PSK-SHA256
{%     endif %}

    # psk: WPA preshared key; 256-bit pre-shared key
    # The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,
    # 32 bytes or as an ASCII passphrase (in which case, the real PSK will be
    # generated using the passphrase and SSID). ASCII passphrase must be between
    # 8 and 63 characters (inclusive). ext:<name of external PSK field> format can
    # be used to indicate that the PSK/passphrase is stored in external storage.
    # This field is not needed, if WPA-EAP is used.
    # Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys
    # from ASCII passphrase. This process uses lot of CPU and wpa_supplicant
    # startup and reconfiguration time can be optimized by generating the PSK only
    # only when the passphrase or SSID has actually changed.
{%     if security.wpa.username is vyos_defined %}
    identity="{{ security.wpa.username }}"
    password="{{ security.wpa.passphrase }}"
    phase2="auth=MSCHAPV2"
    eap=PEAP
{%     elif security.wpa.username is not vyos_defined %}
    psk="{{ security.wpa.passphrase }}"
{%     else %}
    key_mgmt=NONE
{%     endif %}
{% endif %}
{% if bssid is vyos_defined %}
    bssid={{ bssid }}
{% endif %}
}