Diffstat (limited to 'data/templates/ethernet/wpa_supplicant.conf.j2')
-rw-r--r--data/templates/ethernet/wpa_supplicant.conf.j276
1 files changed, 76 insertions, 0 deletions
diff --git a/data/templates/ethernet/wpa_supplicant.conf.j2 b/data/templates/ethernet/wpa_supplicant.conf.j2
new file mode 100644
index 0000000..6da2fa5
--- /dev/null
+++ b/data/templates/ethernet/wpa_supplicant.conf.j2
@@ -0,0 +1,76 @@
+### Autogenerated by interfaces_ethernet.py ###
+
+# see full documentation:
+# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
+
+# For UNIX domain sockets (default on Linux and BSD): This is a directory that
+# will be created for UNIX domain sockets for listening to requests from
+# external programs (CLI/GUI, etc.) for status information and configuration.
+# The socket file will be named based on the interface name, so multiple
+# wpa_supplicant processes can be run at the same time if more than one
+# interface is used.
+# /var/run/wpa_supplicant is the recommended directory for sockets and by
+# default, wpa_cli will use it when trying to connect with wpa_supplicant.
+ctrl_interface=/run/wpa_supplicant
+
+# IEEE 802.1X/EAPOL version
+# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
+# EAPOL version 2. However, there are many APs that do not handle the new
+# version number correctly (they seem to drop the frames completely). In order
+# to make wpa_supplicant interoperate with these APs, the version number is set
+# to 1 by default. This configuration value can be used to set it to the new
+# version (2).
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
+eapol_version=2
+
+# No need to scan for access points in EAPoL mode
+ap_scan=0
+
+# EAP fast re-authentication
+fast_reauth=1
+
+network={
+{% if eapol is vyos_defined %}
+{% if eapol.ca_certificate is vyos_defined %}
+ ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem"
+{% endif %}
+ client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem"
+ private_key="/run/wpa_supplicant/{{ ifname }}_cert.key"
+{% endif %}
+
+ # list of accepted authenticated key management protocols
+ key_mgmt=IEEE8021X
+ eap=TLS
+
+{% if mac is vyos_defined %}
+ identity="{{ mac }}"
+{% else %}
+ identity="{{ hw_id }}"
+{% endif %}
+
+ # eapol_flags: IEEE 802.1X/EAPOL options (bit field)
+ # Dynamic WEP key required for non-WPA mode
+ # bit0 (1): require dynamically generated unicast WEP key
+ # bit1 (2): require dynamically generated broadcast WEP key
+ # (3) = require both keys; default)
+ # Note: When using wired authentication (including MACsec drivers),
+ # eapol_flags must be set to 0 for the authentication to be completed
+ # successfully.
+ eapol_flags=0
+
+ # For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
+ # used to configure a mode that allows EAP-Success (and EAP-Failure) without
+ # going through authentication step. Some switches use such sequence when
+ # forcing the port to be authorized/unauthorized or as a fallback option if
+ # the authentication server is unreachable. By default, wpa_supplicant
+ # discards such frames to protect against potential attacks by rogue
+ # devices, but this option can be used to disable that protection for cases
+ # where the server/authenticator does not need to be authenticated.
+ #
+ # "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with
+ # legacy networks. This follows the behavior of Debian's wpa_supplicant,
+ # which includes a custom patch for allowing TLSv1, but the patch currently
+ # does not work for VyOS' git builds of wpa_supplicant.
+ phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
+}
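Review bot: The `phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"` line near the end of the hunk is emitted unconditionally for every 802.1X wired interface, so the rogue-authenticator protection that the comment above it describes, and wpa_supplicant's refusal of TLS 1.0, are switched off even for deployments whose switch and RADIUS server do not need either fallback. Each option would be better gated on its own template variable so the default keeps wpa_supplicant's defaults, e.g. wrap the line in `{% if eapol.<LEGACY_KNOB_PLACEHOLDER> is vyos_defined %}` … `{% endif %}` (placeholder name; the corresponding CLI node is not on this page) and emit `phase1="allow_canned_success=1"` and the TLS 1.0 relaxation separately. The `{% if eapol.ca_certificate is vyos_defined %}` guard around `ca_cert` also deserves a comment, since wpa_supplicant does not verify the server certificate when `ca_cert` is absent (see the upstream wpa_supplicant.conf linked at the top); a line such as `# Without ca_cert the authentication server's certificate is NOT verified` next to that block makes the consequence of leaving the CA unset visible to whoever edits the template.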