Man Linux: Main Page and Category List


       wpa_supplicant   -  Wi-Fi  Protected  Access  client  and  IEEE  802.1X


       wpa_supplicant [ -BddfhKLqqtuvW ] [ -iifname ]  [  -cconfig  file  ]  [
       -Ddriver ] [ -PPID_file ] [ -foutput file ]


       Wireless  networks  do  not  require  physical  access  to  the network
       equipment in the same way as wired networks. This makes it  easier  for
       unauthorized  users  to  passively  monitor  a  network and capture all
       transmitted frames.  In addition, unauthorized use of  the  network  is
       much  easier.  In  many  cases,  this  can  happen  even without user’s
       explicit knowledge  since  the  wireless  LAN  adapter  may  have  been
       configured to automatically join any available network.

       Link-layer  encryption  can  be used to provide a layer of security for
       wireless networks. The original wireless  LAN  standard,  IEEE  802.11,
       included a simple encryption mechanism, WEP. However, that proved to be
       flawed in many areas and network protected with WEP cannot be  consider
       secure.  IEEE  802.1X authentication and frequently changed dynamic WEP
       keys can be used to improve the network security,  but  even  that  has
       inherited  security  issues due to the use of WEP for encryption. Wi-Fi
       Protected Access  and  IEEE  802.11i  amendment  to  the  wireless  LAN
       standard  introduce  a much improvement mechanism for securing wireless
       networks. IEEE 802.11i enabled networks that are using CCMP (encryption
       mechanism  based  on strong cryptographic algorithm AES) can finally be
       called secure used for applications which require efficient  protection
       against unauthorized access.

       wpa_supplicant  is  an  implementation of the WPA Supplicant component,
       i.e., the part that runs in the client stations. It implements WPA  key
       negotiation  with  a  WPA  Authenticator  and  EAP  authentication with
       Authentication Server. In addition, it controls the  roaming  and  IEEE
       802.11 authentication/association of the wireless LAN driver.

       wpa_supplicant  is  designed  to be a "daemon" program that runs in the
       background and acts as the backend component controlling  the  wireless
       connection.  wpa_supplicant  supports separate frontend programs and an
       example text-based frontend, wpa_cli, is included with  wpa_supplicant.

       Before  wpa_supplicant  can  do its work, the network interface must be
       available.  That means that the physical device  must  be  present  and
       enabled,  and the driver for the device must be loaded. The daemon will
       exit immediately if the device is not already available.

       After wpa_supplicant has configured the network  device,  higher  level
       configuration such as DHCP may proceed.  There are a variety of ways to
       integrate wpa_supplicant into a machine’s networking scripts, a few  of
       which are described in sections below.

       The following steps are used when associating with an AP using WPA:

       · wpa_supplicant requests the kernel driver to scan neighboring BSSes

       · wpa_supplicant selects a BSS based on its configuration

       · wpa_supplicant  requests  the  kernel  driver  to  associate with the
         chosen BSS

       · If  WPA-EAP:  integrated  IEEE  802.1X   Supplicant   completes   EAP
         authentication   with  the  authentication  server  (proxied  by  the
         Authenticator in the AP)

       · If WPA-EAP: master key is received from the IEEE 802.1X Supplicant

       · If WPA-PSK: wpa_supplicant uses PSK as the master session key

       · wpa_supplicant completes WPA 4-Way Handshake and Group Key  Handshake
         with the Authenticator (AP)

       · wpa_supplicant configures encryption keys for unicast and broadcast

       · normal data packets can be transmitted and received


       Supported WPA/IEEE 802.11i features:

       · WPA-PSK ("WPA-Personal")

       · WPA  with  EAP  (e.g.,  with  RADIUS  authentication  server)  ("WPA-
         Enterprise") Following authentication methods are supported  with  an
         integrate IEEE 802.1X Supplicant:

         · EAP-TLS

         · EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)

         · EAP-PEAP/TLS (both PEAPv0 and PEAPv1)

         · EAP-PEAP/GTC (both PEAPv0 and PEAPv1)

         · EAP-PEAP/OTP (both PEAPv0 and PEAPv1)

         · EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)

         · EAP-TTLS/EAP-MD5-Challenge

         · EAP-TTLS/EAP-GTC

         · EAP-TTLS/EAP-OTP

         · EAP-TTLS/EAP-MSCHAPv2

         · EAP-TTLS/EAP-TLS

         · EAP-TTLS/MSCHAPv2

         · EAP-TTLS/MSCHAP

         · EAP-TTLS/PAP

         · EAP-TTLS/CHAP

         · EAP-SIM

         · EAP-AKA

         · EAP-PSK

         · EAP-PAX

         · LEAP  (note:  requires  special  support  from  the driver for IEEE
           802.11 authentication)

         · (following methods are supported, but since they  do  not  generate
           keying  material,  they  cannot be used with WPA or IEEE 802.1X WEP

         · EAP-MD5-Challenge

         · EAP-MSCHAPv2

         · EAP-GTC

         · EAP-OTP

       · key management for CCMP, TKIP, WEP104, WEP40

       · RSN/WPA2 (IEEE 802.11i)

         · pre-authentication

         · PMKSA caching


       A summary of available driver backends is below. Support  for  each  of
       the  driver  backends  is  chosen at wpa_supplicant compile time. For a
       list of supported driver backends that may be used with the  -D  option
       on   your   system,   refer   to  the  help  output  of  wpa_supplicant
       (wpa_supplicant -h).

       hostap (default) Host AP driver  (Intersil  Prism2/2.5/3).   (this  can
              also be used with Linuxant DriverLoader).

       hermes Agere Systems Inc. driver (Hermes-I/Hermes-II).

              MADWIFI 802.11 support (Atheros, etc.).

       atmel  ATMEL AT76C5XXx (USB, PCMCIA).

       wext   Linux wireless extensions (generic).

              Linux ndiswrapper.

              Broadcom wl.o driver.

       ipw    Intel ipw2100/2200 driver.

       wired  wpa_supplicant wired Ethernet driver

              wpa_supplicant Broadcom switch driver

       bsd    BSD 802.11 support (Atheros, etc.).

       ndis   Windows NDIS driver.


       Most  command  line  options  have  global  scope.  Some  are given per
       interface, and are only valid if at least one -i option  is  specified,
       otherwise  they’re ignored. Option groups for different interfaces must
       be separated by -N option.

       -b br_ifname
              Optional bridge interface name. (Per interface)

       -B     Run daemon in the background.

       -c filename
              Path to configuration file. (Per interface)

       -C ctrl_interface
              Path to ctrl_interface socket (Per interface. Only used if -c is

       -i ifname
              Interface to listen on. Multiple instances of this option can be
              present, one per interface, separated by -N option (see  below).

       -d     Increase debugging verbosity (-dd even more).

       -D driver
              Driver to use. (Per interface, see the available options below.)

       -f output file
              Log output to specified file instead of stdout.

       -g global ctrl_interface
              Path to global ctrl_interface socket.  If  specified,  interface
              definitions may be omitted.

       -K     Include keys (passwords, etc.) in debug output.

       -t     Include timestamp in debug messages.

       -h     Help.  Show a usage message.

       -L     Show license (GPL and BSD).

       -p     Driver parameters. (Per interface)

       -P PID_file
              Path to PID file.

       -q     Decrease debugging verbosity (-qq even less).

       -u     Enabled   DBus   control   interface.   If   enabled,  interface
              definitions may be omitted.

       -v     Show version.

       -W     Wait for a control interface monitor before starting.

       -N     Start describing new interface.


       In most common cases, wpa_supplicant is started with:

              wpa_supplicant -B -c/etc/wpa_supplicant.conf -iwlan0

       This makes the process fork into background.

       The easiest way to debug  problems,  and  to  get  debug  log  for  bug
       reports,  is  to  start  wpa_supplicant  on  foreground  with debugging

              wpa_supplicant -c/etc/wpa_supplicant.conf -iwlan0 -d

       wpa_supplicant can  control  multiple  interfaces  (radios)  either  by
       running  one  process  for each interface separately or by running just
       one process and list of options at  command  line.  Each  interface  is
       separated  with  -N  argument.  As  an example, following command would
       start wpa_supplicant for two interfaces:

              wpa_supplicant \
                   -c wpa1.conf -i wlan0 -D hostap -N \
                   -c wpa2.conf -i ath0 -D madwifi


       Current hardware/software requirements:

       · Linux kernel 2.4.x or 2.6.x with Linux  Wireless  Extensions  v15  or

       · FreeBSD 6-CURRENT

       · Microsoft  Windows  with WinPcap (at least WinXP, may work with other


       Host AP driver for Prism2/2.5/3 (development snapshot/v0.2.x)
              ( Driver needs to be  set  in  Managed
              mode  (iwconfig  wlan0  mode managed).  Please note that station
              firmware version needs to be 1.7.0 or newer to work in WPA mode.

       Linuxant DriverLoader
              ( with Windows NDIS driver
              for your wlan card supporting WPA.

       Agere Systems Inc. Linux Driver
              (  Please  note  that  the
              driver  interface  file  (driver_hermes.c) and hardware specific
              include  files  are   not   included   in   the   wpa_supplicant
              distribution.  You  will  need  to  copy  these  from the source
              package of the Agere driver.

       madwifi driver for cards based on Atheros chip set (ar521x)
              ( Please note that  you
              will  need  to modify the wpa_supplicant .config file to use the
              correct path for the madwifi driver root  directory  (CFLAGS  +=
              -I../madwifi/wpa line in example defconfig).

       ATMEL AT76C5XXx driver for USB and PCMCIA cards

       Linux ndiswrapper
              (  with Windows NDIS driver.

       Broadcom wl.o driver
              This is a generic  Linux  driver  for  Broadcom  IEEE  802.11a/g
              cards.   However,  it is proprietary driver that is not publicly
              available except for couple of exceptions, mainly Broadcom-based
              APs/wireless  routers  that  use Linux. The driver binary can be
              downloaded,     e.g.,     from     Linksys     support      site
              ( for Linksys WRT54G. The
              GPL tarball includes cross-compiler and the needed header  file,
              wlioctl.h, for compiling wpa_supplicant.  This driver support in
              wpa_supplicant is expected to work also with other devices based
              on  Broadcom  driver  (assuming  the driver includes client mode

        Intel ipw2100 driver

       Intel ipw2200 driver

       Linux wireless extensions
              In theory, any driver that supports  Linux  wireless  extensions
              can  be  used  with  IEEE  802.1X  (i.e.,  not  WPA)  when using
              ap_scan=0 option in configuration file.

       Wired Ethernet drivers
              Use ap_scan=0.

       BSD net80211 layer (e.g., Atheros driver)
              At the moment, this is for FreeBSD 6-CURRENT branch.

       Windows NDIS
              The     current     Windows      port      requires      WinPcap
              (   See  README-Windows.txt  for more

       wpa_supplicant was designed to be portable for  different  drivers  and
       operating systems. Hopefully, support for more wlan cards and OSes will
       be added in the future. See developer.txt for  more  information  about
       the  design  of  wpa_supplicant  and porting to other drivers. One main
       goal is to add full WPA/WPA2 support to Linux  wireless  extensions  to
       allow  new  drivers  to  be  supported  without having to implement new
       driver-specific interface code in wpa_supplicant.


       The wpa_supplicant system consists of the following components:

              the configuration file describing all  networks  that  the  user
              wants the computer to connect to.

              the  program that directly interacts with the network interface.

              the client program that provides a high-level interface  to  the
              functionality of the daemon.

              a  utility  needed  to  construct wpa_supplicant.conf files that
              include encrypted passwords.


       First, make a configuration file, e.g.  /etc/wpa_supplicant.conf,  that
       describes    the    networks    you    are    interested    in.     See
       wpa_supplicant.conf(5) for details.

       Once the configuration is ready, you can test whether the configuration
       works  by  running wpa_supplicant with following command to start it on
       foreground with debugging enabled:

              wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -d

       Assuming everything goes fine, you can start using following command to
       start wpa_supplicant on background without debugging:

              wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B

       Please  note that if you included more than one driver interface in the
       build time configuration (.config),  you  may  need  to  specify  which
       interface  to  use  by  including -D<driver name> option on the command


       For example, following small changes to pcmcia-cs scripts can  be  used
       to enable WPA support:

       Add   MODE="Managed"   and   WPA="y"   to   the   network   scheme   in

       Add the  following  block  to  the  end  of  start  action  handler  in

              if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
                  /usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf -i$DEVICE

       Add  the following block to the end of stop action handler (may need to
       be separated from other actions) in /etc/pcmcia/wireless:

              if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
                  killall wpa_supplicant

       This will make cardmgr start wpa_supplicant when the  card  is  plugged


       wpa_background(8) wpa_supplicant.conf(5) wpa_cli(8) wpa_passphrase(8)


       wpa_supplicant  is copyright (c) 2003-2007, Jouni Malinen <> and
       contributors.  All Rights Reserved.

       This program is dual-licensed under both the  GPL  version  2  and  BSD
       license. Either license may be used at your option.

                                12 January 2010