1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
### Autogenerated by interfaces_ethernet.py ###
# see full documentation:
# https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
# For UNIX domain sockets (default on Linux and BSD): This is a directory that
# will be created for UNIX domain sockets for listening to requests from
# external programs (CLI/GUI, etc.) for status information and configuration.
# The socket file will be named based on the interface name, so multiple
# wpa_supplicant processes can be run at the same time if more than one
# interface is used.
# /var/run/wpa_supplicant is the recommended directory for sockets and by
# default, wpa_cli will use it when trying to connect with wpa_supplicant.
ctrl_interface=/run/wpa_supplicant
# IEEE 802.1X/EAPOL version
# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines
# EAPOL version 2. However, there are many APs that do not handle the new
# version number correctly (they seem to drop the frames completely). In order
# to make wpa_supplicant interoperate with these APs, the version number is set
# to 1 by default. This configuration value can be used to set it to the new
# version (2).
# Note: When using MACsec, eapol_version shall be set to 3, which is
# defined in IEEE Std 802.1X-2010.
eapol_version=2
# No need to scan for access points in EAPoL mode
ap_scan=0
# EAP fast re-authentication
fast_reauth=1
network={
{% if eapol is vyos_defined %}
{% if eapol.ca_certificate is vyos_defined %}
ca_cert="/run/wpa_supplicant/{{ ifname }}_ca.pem"
{% endif %}
client_cert="/run/wpa_supplicant/{{ ifname }}_cert.pem"
private_key="/run/wpa_supplicant/{{ ifname }}_cert.key"
{% endif %}
# list of accepted authenticated key management protocols
key_mgmt=IEEE8021X
eap=TLS
{% if mac is vyos_defined %}
identity="{{ mac }}"
{% else %}
identity="{{ hw_id }}"
{% endif %}
# eapol_flags: IEEE 802.1X/EAPOL options (bit field)
# Dynamic WEP key required for non-WPA mode
# bit0 (1): require dynamically generated unicast WEP key
# bit1 (2): require dynamically generated broadcast WEP key
# (3) = require both keys; default)
# Note: When using wired authentication (including MACsec drivers),
# eapol_flags must be set to 0 for the authentication to be completed
# successfully.
eapol_flags=0
# For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
# used to configure a mode that allows EAP-Success (and EAP-Failure) without
# going through authentication step. Some switches use such sequence when
# forcing the port to be authorized/unauthorized or as a fallback option if
# the authentication server is unreachable. By default, wpa_supplicant
# discards such frames to protect against potential attacks by rogue
# devices, but this option can be used to disable that protection for cases
# where the server/authenticator does not need to be authenticated.
#
# "tls_disable_tlsv1_0=0" is used to allow TLSv1 for compatibility with
# legacy networks. This follows the behavior of Debian's wpa_supplicant,
# which includes a custom patch for allowing TLSv1, but the patch currently
# does not work for VyOS' git builds of wpa_supplicant.
phase1="allow_canned_success=1 tls_disable_tlsv1_0=0"
}
|
