# wpa_supplicant not connecting [SOLVED]

## Tununias

Hi. Sorry if this is a redundant post or I don't give enough details. Thanks.

I'm using the X86 version on my old Dell desktop. I'm having trouble connecting to the internet with wpa_supplicant on the newly installed system. It will connect through the minimal cd though and I can chroot back into the system if I need to.

I have a Netgear G54 Wireless USB Adapter WG1111v3. lsusb gives me 

```
Bus 002 Device 003: ID 0846:4260 NetGear, Inc. WG111v3 54 Mbps Wireless [realtek RTL8187B]

Bus 002 Device 002: ID 0644:0200 TEAC Corp. All-In-One Multi-Card Reader CA200/B/S

Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Bus 007 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 005 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

Bus 003 Device 003: ID 04d9:1702 Holtek Semiconductor, Inc. Keyboard LKS02

Bus 003 Device 002: ID 046d:c52f Logitech, Inc. Unifying Receiver

Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
```

I also have a Netgear wireless card. "Network controller: Broadcom Limited BCM4321 802.11b/g/n (rev 01)" but for the life of me couldn't get it working for a long time.

iwconfig gives me 

```
wlp0s29f7u3  IEEE 802.11  ESSID:off/any  

          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm   

          Retry short limit:7   RTS thr:off   Fragment thr:off

          Encryption key:off

          Power Management:off

          
```

 I used the > to output this to file and it cut out the others on the list that just says something like no extensions.

I made the wpa.conf file with wpa_passphrase. When I use wpa_supplicant, I get 

```
Successfully initialized wpa_supplicant

wlp0s29f7u3: Unsupported driver 'nl80211,wext'
```

I didn't use genkernel and configured the kernel manually. I didn't disable modules, but I set everything I found and added to be built into the kernel. I'm positive I have the USB adapter driver activated. I also have "cfg80211 - wireless configuration API" selected. I'm not sure if I'm missing something in the kernel or if something else is set up wrong.Last edited by Tununias on Sat Jun 23, 2018 12:38 pm; edited 1 time in total

----------

## khayyam

 *Tununias wrote:*   

> 
> 
> ```
> wlp0s29f7u3: Unsupported driver 'nl80211,wext'
> ```
> ...

 

Tununias ... you should probably supply '-Dnl80211', as wext is depreciated (though I'm fairly sure that's not the cause of your issue.)

What does the following show?

```
# egrep '(WEXT|(MAC|CFG|NL)80211)' /usr/src/linux/.config
```

best ... khay

----------

## Tununias

 *khayyam wrote:*   

>  *Tununias wrote:*   
> 
> ```
> wlp0s29f7u3: Unsupported driver 'nl80211,wext'
> ```
> ...

 

Yeah, I used "-Dnl80211,wext" according to one guide. It said it was fine to use multiple drivers. What I get for the egrep command is:

```
CONFIG_WEXT_CORE=y

CONFIG_WEXT_PROC=y

CONFIG_CFG80211=y

# CONFIG_NL80211_TESTMODE is not set

# CONFIG_CFG80211_DEVELPOER_WARNINGS is not set

CONFIG_CFG80211_DEFAULT_PS=y

# CONFIG_CFG80211_DEBUGS is not set

# CONFIG_CFG80211_INTERNAL_REGDB is not set

CONFIG_CFG80211_CRDA_SUPPORT=y

CONFIG_CFG80211_WEXT=y

CONFIG_MAC80211=y

CONFIG_MAC80211_HAS_RC=y

CONFIG_MAC80211_RC_MINSTREL=y

CONFIG_MAC80211_RC_MINSTREL_HT=y

# CONFIG_MAC80211_RC_MINSTREL_VHT is not set

CONFIG_MAC80211_RC_DEFAULT_MINSTREL=y

CONFIG_MAC80211_RC_DEFAULT="minstrel_ht"

CONFIG_MAC80211_MESH=y

CONFIG_MAC80211_LEDS=y

# CONFIG_MAC80211_DEBUGFS is not set

# CONFIG_MAC80211_MESSAGE_TRACING is not set

# CONFIG_MAC80211_DEBUG_MENU is not set

CONFIG_MAC80211_STA_HASH_MAX_SIZE=0

#CONFIG_MAC80211_HWSIM is not set
```

----------

## khayyam

Tununias ...

that seems in order, though I would set MAC80211_MESH=m. So, can we see 'emerge --info', version and useflags for  net-wireless/wpa_supplicant, your wpa_supplicant.conf (with psk obfuscated), and /etc/conf.d/net.

Also, have you tried to reproduce with another kernel?

best ... khay

----------

## Tununias

 *khayyam wrote:*   

> Tununias ...
> 
> that seems in order, though I would set MAC80211_MESH=m. So, can we see 'emerge --info', version and useflags for  net-wireless/wpa_supplicant, your wpa_supplicant.conf (with psk obfuscated), and /etc/conf.d/net.
> 
> Also, have you tried to reproduce with another kernel?
> ...

 

Just the kernel version I have downloaded and the one on the minimal cd. I can connect with the cd, but only if I get access to the internet before chrooting.

I used "emerge --info net-wireless/wpa_supplicant"

```
Portage 2.3.24 (python 3.5.5-final-0, default/linux/x86/17.0/desktop, gcc-6.4.0, glibc-2.25-r11, 4.9.95-gentoo i686)

=================================================================

                         System Settings

=================================================================

System uname: Linux-4.9.95-gentoo-i686-Intel-R-_Core-TM-2_CPU_6300_@_1.86GHz-with-gentoo-2.4.1

KiB Mem:     2059888 total,   1789608 free

KiB Swap:    4198396 total,   4198396 free

Timestamp of repository gentoo: Sat, 26 May 2018 04:00:01 +0000

Head commit of repository gentoo: c4895cc7013e2e7ba1745a6c3b029aa08cc5587a

sh bash 4.4_p12

ld GNU ld (Gentoo 2.29.1 p3) 2.29.1

app-shells/bash:          4.4_p12::gentoo

dev-lang/perl:            5.24.3-r1::gentoo

dev-lang/python:          2.7.14-r1::gentoo, 3.5.5::gentoo

dev-util/cmake:           3.9.6::gentoo

dev-util/pkgconfig:       0.29.2::gentoo

sys-apps/baselayout:      2.4.1-r2::gentoo

sys-apps/openrc:          0.34.11::gentoo

sys-apps/sandbox:         2.13::gentoo

sys-devel/autoconf:       2.13::gentoo, 2.69-r4::gentoo

sys-devel/automake:       1.15.1-r2::gentoo

sys-devel/binutils:       2.29.1-r1::gentoo

sys-devel/gcc:            6.4.0-r1::gentoo

sys-devel/gcc-config:     1.8-r1::gentoo

sys-devel/libtool:        2.4.6-r3::gentoo

sys-devel/make:           4.2.1::gentoo

sys-kernel/linux-headers: 4.13::gentoo (virtual/os-headers)

sys-libs/glibc:           2.25-r11::gentoo

Repositories:

gentoo

    location: /usr/portage

    sync-type: rsync

    sync-uri: rsync://rsync.gentoo.org/gentoo-portage

    priority: -1000

    sync-rsync-verify-metamanifest: no

    sync-rsync-extra-opts: 

ACCEPT_KEYWORDS="x86"

ACCEPT_LICENSE="* -@EULA"

CBUILD="i686-pc-linux-gnu"

CFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"

CHOST="i686-pc-linux-gnu"

CONFIG_PROTECT="/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-O2 -march=native -pipe -fomit-frame-pointer"

DISTDIR="/usr/portage/distfiles"

FCFLAGS="-O2 -march=i686 -pipe"

FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"

FFLAGS="-O2 -march=i686 -pipe"

GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo"

LANG="en_US"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"

PORTAGE_TMPDIR="/var/tmp"

USE="X a52 aac acl acpi alsa berkdb bluetooth branding bzip2 cairo cdda cdr cli consolekit crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam flac fortran gdbm gif glamor gpm gtk iconv ipv6 jpeg lcms ldap libnotify mad mng modules mp3 mp4 mpeg ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds qt3support qt5 readline sdl seccomp spell ssl startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 x86 xattr xcb xml xv xvid zlib" ABI_X86="32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon plan sheets stage words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-0" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_5" PYTHON_TARGETS="python2_7 python3_5" RUBY_TARGETS="ruby22 ruby23" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================

                        Package Settings

=================================================================

net-wireless/wpa_supplicant-2.6-r6::gentoo was built with the following:

USE="ap dbus eap-sim eapol_test fasteap hs2-0 p2p privsep qt5 readline smartcard ssl tdls uncommon-eap-types wps -gnutls -libressl (-ps3) (-selinux) (-wimax)"

CFLAGS="-O2 -march=native -fomit-frame-pointer"

CXXFLAGS="-O2 -march=native -fomit-frame-pointer"

```

My wpa_supplicant.conf with psk changed to "**********" is:

[code:1:66c988c6b3]------> /usr/share/doc/wpa_supplicant-2.6-r6//wpa_supplicant.conf.bz2 <------

##### Example wpa_supplicant configuration file ###############################

#

# This file describes configuration file format and lists all available option.

# Please also take a look at simpler configuration examples in 'examples'

# subdirectory.

#

# Empty lines and lines starting with # are ignored

# NOTE! This file may contain password information and should probably be made

# readable only by root user on multiuser systems.

# Note: All file paths in this configuration file should use full (absolute,

# not relative to working directory) path in order to allow working directory

# to be changed. This can happen if wpa_supplicant is run in the background.

# Whether to allow wpa_supplicant to update (overwrite) configuration

#

# This option can be used to allow wpa_supplicant to overwrite configuration

# file whenever configuration is changed (e.g., new network block is added with

# wpa_cli or wpa_gui, or a password is changed). This is required for

# wpa_cli/wpa_gui to be able to store the configuration changes permanently.

# Please note that overwriting configuration file will remove the comments from

# it.

#update_config=1

# global configuration (shared by all network blocks)

#

# Parameters for the control interface. If this is specified, wpa_supplicant

# will open a control interface that is available for external programs to

# manage wpa_supplicant. The meaning of this string depends on which control

# interface mechanism is used. For all cases, the existence of this parameter

# in configuration is used to determine whether the control interface is

# enabled.

#

# For UNIX domain sockets (default on Linux and BSD): This is a directory that

# will be created for UNIX domain sockets for listening to requests from

# external programs (CLI/GUI, etc.) for status information and configuration.

# The socket file will be named based on the interface name, so multiple

# wpa_supplicant processes can be run at the same time if more than one

# interface is used.

# /var/run/wpa_supplicant is the recommended directory for sockets and by

# default, wpa_cli will use it when trying to connect with wpa_supplicant.

#

# Access control for the control interface can be configured by setting the

# directory to allow only members of a group to use sockets. This way, it is

# possible to run wpa_supplicant as root (since it needs to change network

# configuration and open raw sockets) and still allow GUI/CLI components to be

# run as non-root users. However, since the control interface can be used to

# change the network configuration, this access needs to be protected in many

# cases. By default, wpa_supplicant is configured to use gid 0 (root). If you

# want to allow non-root users to use the control interface, add a new group

# and change this value to match with that group. Add users that should have

# control interface access to this group. If this variable is commented out or

# not included in the configuration file, group will not be changed from the

# value it got by default when the directory or socket was created.

#

# When configuring both the directory and group, use following format:

# DIR=/var/run/wpa_supplicant GROUP=wheel

# DIR=/var/run/wpa_supplicant GROUP=0

# (group can be either group name or gid)

#

# For UDP connections (default on Windows): The value will be ignored. This

# variable is just used to select that the control interface is to be created.

# The value can be set to, e.g., udp (ctrl_interface=udp)

#

# For Windows Named Pipe: This value can be used to set the security descriptor

# for controlling access to the control interface. Security descriptor can be

# set using Security Descriptor String Format (see http://msdn.microsoft.com/

# library/default.asp?url=/library/en-us/secauthz/security/

# security_descriptor_string_format.asp). The descriptor string needs to be

# prefixed with SDDL=. For example, ctrl_interface=SDDL=D: would set an empty

# DACL (which will reject all connections). See README-Windows.txt for more

# information about SDDL string format.

#

ctrl_interface=/var/run/wpa_supplicant GROUP=wheel

#Make this file writeable for wpa_gui / wpa_cli

update_config=1

# IEEE 802.1X/EAPOL version

# wpa_supplicant is implemented based on IEEE Std 802.1X-2004 which defines

# EAPOL version 2. However, there are many APs that do not handle the new

# version number correctly (they seem to drop the frames completely). In order

# to make wpa_supplicant interoperate with these APs, the version number is set

# to 1 by default. This configuration value can be used to set it to the new

# version (2).

# Note: When using MACsec, eapol_version shall be set to 3, which is

# defined in IEEE Std 802.1X-2010.

eapol_version=1

# AP scanning/selection

# By default, wpa_supplicant requests driver to perform AP scanning and then

# uses the scan results to select a suitable AP. Another alternative is to

# allow the driver to take care of AP scanning and selection and use

# wpa_supplicant just to process EAPOL frames based on IEEE 802.11 association

# information from the driver.

# 1: wpa_supplicant initiates scanning and AP selection; if no APs matching to

#    the currently enabled networks are found, a new network (IBSS or AP mode

#    operation) may be initialized (if configured) (default)

# 0: driver takes care of scanning, AP selection, and IEEE 802.11 association

#    parameters (e.g., WPA IE generation); this mode can also be used with

#    non-WPA drivers when using IEEE 802.1X mode; do not try to associate with

#    APs (i.e., external program needs to control association). This mode must

#    also be used when using wired Ethernet drivers.

#    Note: macsec_qca driver is one type of Ethernet driver which implements

#    macsec feature.

# 2: like 0, but associate with APs using security policy and SSID (but not

#    BSSID); this can be used, e.g., with ndiswrapper and NDIS drivers to

#    enable operation with hidden SSIDs and optimized roaming; in this mode,

#    the network blocks in the configuration file are tried one by one until

#    the driver reports successful association; each network block should have

#    explicit security policy (i.e., only one option in the lists) for

#    key_mgmt, pairwise, group, proto variables

# Note: ap_scan=2 should not be used with the nl80211 driver interface (the

# current Linux interface). ap_scan=1 is optimized work working with nl80211.

# For finding networks using hidden SSID, scan_ssid=1 in the network block can

# be used with nl80211.

# When using IBSS or AP mode, ap_scan=2 mode can force the new network to be

# created immediately regardless of scan results. ap_scan=1 mode will first try

# to scan for existing networks and only if no matches with the enabled

# networks are found, a new IBSS or AP mode network is created.

ap_scan=1

# Whether to force passive scan for network connection

#

# By default, scans will send out Probe Request frames on channels that allow

# active scanning. This advertise the local station to the world. Normally this

# is fine, but users may wish to do passive scanning where the radio should only

# listen quietly for Beacon frames and not send any Probe Request frames. Actual

# functionality may be driver dependent.

#

# This parameter can be used to force only passive scanning to be used

# for network connection cases. It should be noted that this will slow

# down scan operations and reduce likelihood of finding the AP. In

# addition, some use cases will override this due to functional

# requirements, e.g., for finding an AP that uses hidden SSID

# (scan_ssid=1) or P2P device discovery.

#

# 0:  Do normal scans (allow active scans) (default)

# 1:  Do passive scans.

#passive_scan=0

# MPM residency

# By default, wpa_supplicant implements the mesh peering manager (MPM) for an

# open mesh. However, if the driver can implement the MPM, you may set this to

# 0 to use the driver version. When AMPE is enabled, the wpa_supplicant MPM is

# always used.

# 0: MPM lives in the driver

# 1: wpa_supplicant provides an MPM which handles peering (default)

#user_mpm=1

# Maximum number of peer links (0-255; default: 99)

# Maximum number of mesh peering currently maintained by the STA.

#max_peer_links=99

# Timeout in seconds to detect STA inactivity (default: 300 seconds)

#

# This timeout value is used in mesh STA to clean up inactive stations.

#mesh_max_inactivity=300

# cert_in_cb - Whether to include a peer certificate dump in events

# This controls whether peer certificates for authentication server and

# its certificate chain are included in EAP peer certificate events. This is

# enabled by default.

#cert_in_cb=1

# EAP fast re-authentication

# By default, fast re-authentication is enabled for all EAP methods that

# support it. This variable can be used to disable fast re-authentication.

# Normally, there is no need to disable this.

fast_reauth=1

# OpenSSL Engine support

# These options can be used to load OpenSSL engines in special or legacy

# modes.

# The two engines that are supported currently are shown below:

# They are both from the opensc project (http://www.opensc.org/)

# By default the PKCS#11 engine is loaded if the client_cert or

# private_key option appear to be a PKCS#11 URI, and these options

# should not need to be used explicitly.

# make the opensc engine available

#opensc_engine_path=/usr/lib/engine_opensc.so

# make the pkcs11 engine available

#pkcs11_engine_path=/usr/lib/engine_pkcs11.so

# configure the path to the pkcs11 module required by the pkcs11 engine

#pkcs11_module_path=/usr/lib/opensc-pkcs11.so

# OpenSSL cipher string

#

# This is an OpenSSL specific configuration option for configuring the default

# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default.

# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation

# on cipher suite configuration. This is applicable only if wpa_supplicant is

# built to use OpenSSL.

#openssl_ciphers=DEFAULT:!EXP:!LOW

# Dynamic EAP methods

# If EAP methods were built dynamically as shared object files, they need to be

# loaded here before being used in the network blocks. By default, EAP methods

# are included statically in the build, so these lines are not needed

#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_tls.so

#load_dynamic_eap=/usr/lib/wpa_supplicant/eap_md5.so

# Driver interface parameters

# This field can be used to configure arbitrary driver interface parameters. The

# format is specific to the selected driver interface. This field is not used

# in most cases.

#driver_param="field=value"

# Country code

# The ISO/IEC alpha2 country code for the country in which this device is

# currently operating.

#country=US

# Maximum lifetime for PMKSA in seconds; default 43200

#dot11RSNAConfigPMKLifetime=43200

# Threshold for reauthentication (percentage of PMK lifetime); default 70

#dot11RSNAConfigPMKReauthThreshold=70

# Timeout for security association negotiation in seconds; default 60

#dot11RSNAConfigSATimeout=60

# Wi-Fi Protected Setup (WPS) parameters

# Universally Unique IDentifier (UUID; see RFC 4122) of the device

# If not configured, UUID will be generated based on the local MAC address.

#uuid=12345678-9abc-def0-1234-56789abcdef0

# Device Name

# User-friendly description of device; up to 32 octets encoded in UTF-8

#device_name=Wireless Client

# Manufacturer

# The manufacturer of the device (up to 64 ASCII characters)

#manufacturer=Company

# Model Name

# Model of the device (up to 32 ASCII characters)

#model_name=cmodel

# Model Number

# Additional device description (up to 32 ASCII characters)

#model_number=123

# Serial Number

# Serial number of the device (up to 32 characters)

#serial_number=12345

# Primary Device Type

# Used format: <categ>-<OUI>-<subcateg>

# categ = Category as an integer value

# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for

#       default WPS OUI

# subcateg = OUI-specific Sub Category as an integer value

# Examples:

#   1-0050F204-1 (Computer / PC)

#   1-0050F204-2 (Computer / Server)

#   5-0050F204-1 (Storage / NAS)

#   6-0050F204-1 (Network Infrastructure / AP)

#device_type=1-0050F204-1

# OS Version

# 4-octet operating system version number (hex string)

#os_version=01020300

# Config Methods

# List of the supported configuration methods

# Available methods: usba ethernet label display ext_nfc_token int_nfc_token

#	nfc_interface push_button keypad virtual_display physical_display

#	virtual_push_button physical_push_button

# For WSC 1.0:

#config_methods=label display push_button keypad

# For WSC 2.0:

#config_methods=label virtual_display virtual_push_button keypad

# Credential processing

#   0 = process received credentials internally (default)

#   1 = do not process received credentials; just pass them over ctrl_iface to

#	external program(s)

#   2 = process received credentials internally and pass them over ctrl_iface

#	to external program(s)

#wps_cred_processing=0

# Vendor attribute in WPS M1, e.g., Windows 7 Vertical Pairing

# The vendor attribute contents to be added in M1 (hex string)

#wps_vendor_ext_m1=000137100100020001

# NFC password token for WPS

# These parameters can be used to configure a fixed NFC password token for the

# station. This can be generated, e.g., with nfc_pw_token. When these

# parameters are used, the station is assumed to be deployed with a NFC tag

# that includes the matching NFC password token (e.g., written based on the

# NDEF record from nfc_pw_token).

#

#wps_nfc_dev_pw_id: Device Password ID (16..65535)

#wps_nfc_dh_pubkey: Hexdump of DH Public Key

#wps_nfc_dh_privkey: Hexdump of DH Private Key

#wps_nfc_dev_pw: Hexdump of Device Password

# Priority for the networks added through WPS

# This priority value will be set to each network profile that is added

# by executing the WPS protocol.

#wps_priority=0

# Maximum number of BSS entries to keep in memory

# Default: 200

# This can be used to limit memory use on the BSS entries (cached scan

# results). A larger value may be needed in environments that have huge number

# of APs when using ap_scan=1 mode.

#bss_max_count=200

# Automatic scan

# This is an optional set of parameters for automatic scanning

# within an interface in following format:

#autoscan=<autoscan module name>:<module parameters>

# autoscan is like bgscan but on disconnected or inactive state.

# For instance, on exponential module parameters would be <base>:<limit>

#autoscan=exponential:3:300

# Which means a delay between scans on a base exponential of 3,

# up to the limit of 300 seconds (3, 9, 27 ... 300)

# For periodic module, parameters would be <fixed interval>

#autoscan=periodic:30

# So a delay of 30 seconds will be applied between each scan.

# Note: If sched_scan_plans are configured and supported by the driver,

# autoscan is ignored.

# filter_ssids - SSID-based scan result filtering

# 0 = do not filter scan results (default)

# 1 = only include configured SSIDs in scan results/BSS table

#filter_ssids=0

# Password (and passphrase, etc.) backend for external storage

# format: <backend name>[:<optional backend parameters>]

#ext_password_backend=test:pw1=password|pw2=testing

# Disable P2P functionality

# p2p_disabled=1

# Timeout in seconds to detect STA inactivity (default: 300 seconds)

#

# This timeout value is used in P2P GO mode to clean up

# inactive stations.

#p2p_go_max_inactivity=300

# Passphrase length (8..63) for P2P GO

#

# This parameter controls the length of the random passphrase that is

# generated at the GO. Default: 8.

#p2p_passphrase_len=8

# Extra delay between concurrent P2P search iterations

#

# This value adds extra delay in milliseconds between concurrent search

# iterations to make p2p_find friendlier to concurrent operations by avoiding

# it from taking 100% of radio resources. The default value is 500 ms.

#p2p_search_delay=500

# Opportunistic Key Caching (also known as Proactive Key Caching) default

# This parameter can be used to set the default behavior for the

# proactive_key_caching parameter. By default, OKC is disabled unless enabled

# with the global okc=1 parameter or with the per-network

# proactive_key_caching=1 parameter. With okc=1, OKC is enabled by default, but

# can be disabled with per-network proactive_key_caching=0 parameter.

#okc=0

# Protected Management Frames default

# This parameter can be used to set the default behavior for the ieee80211w

# parameter for RSN networks. By default, PMF is disabled unless enabled with

# the global pmf=1/2 parameter or with the per-network ieee80211w=1/2 parameter.

# With pmf=1/2, PMF is enabled/required by default, but can be disabled with the

# per-network ieee80211w parameter. This global default value does not apply

# for non-RSN networks (key_mgmt=NONE) since PMF is available only when using

# RSN.

#pmf=0

# Enabled SAE finite cyclic groups in preference order

# By default (if this parameter is not set), the mandatory group 19 (ECC group

# defined over a 256-bit prime order field) is preferred, but other groups are

# also enabled. If this parameter is set, the groups will be tried in the

# indicated order. The group values are listed in the IANA registry:

# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9

#sae_groups=21 20 19 26 25

# Default value for DTIM period (if not overridden in network block)

#dtim_period=2

# Default value for Beacon interval (if not overridden in network block)

#beacon_int=100

# Additional vendor specific elements for Beacon and Probe Response frames

# This parameter can be used to add additional vendor specific element(s) into

# the end of the Beacon and Probe Response frames. The format for these

# element(s) is a hexdump of the raw information elements (id+len+payload for

# one or more elements). This is used in AP and P2P GO modes.

#ap_vendor_elements=dd0411223301

# Ignore scan results older than request

#

# The driver may have a cache of scan results that makes it return

# information that is older than our scan trigger. This parameter can

# be used to configure such old information to be ignored instead of

# allowing it to update the internal BSS table.

#ignore_old_scan_res=0

# scan_cur_freq: Whether to scan only the current frequency

# 0:  Scan all available frequencies. (Default)

# 1:  Scan current operating frequency if another VIF on the same radio

#     is already associated.

# MAC address policy default

# 0 = use permanent MAC address

# 1 = use random MAC address for each ESS connection

# 2 = like 1, but maintain OUI (with local admin bit set)

#

# By default, permanent MAC address is used unless policy is changed by

# the per-network mac_addr parameter. Global mac_addr=1 can be used to

# change this default behavior.

#mac_addr=0

# Lifetime of random MAC address in seconds (default: 60)

#rand_addr_lifetime=60

# MAC address policy for pre-association operations (scanning, ANQP)

# 0 = use permanent MAC address

# 1 = use random MAC address

# 2 = like 1, but maintain OUI (with local admin bit set)

#preassoc_mac_addr=0

# Interworking (IEEE 802.11u)

# Enable Interworking

# interworking=1

# Homogenous ESS identifier

# If this is set, scans will be used to request response only from BSSes

# belonging to the specified Homogeneous ESS. This is used only if interworking

# is enabled.

# hessid=00:11:22:33:44:55

# Automatic network selection behavior

# 0 = do not automatically go through Interworking network selection

#     (i.e., require explicit interworking_select command for this; default)

# 1 = perform Interworking network selection if one or more

#     credentials have been configured and scan did not find a

#     matching network block

#auto_interworking=0

# GAS Address3 field behavior

# 0 = P2P specification (Address3 = AP BSSID); default

# 1 = IEEE 802.11 standard compliant (Address3 = Wildcard BSSID when

#     sent to not-associated AP; if associated, AP BSSID)

#gas_address3=0

# Publish fine timing measurement (FTM) responder functionality in

# the Extended Capabilities element bit 70.

# Controls whether FTM responder functionality will be published by AP/STA.

# Note that actual FTM responder operation is managed outside wpa_supplicant.

# 0 = Do not publish; default

# 1 = Publish

#ftm_responder=0

# Publish fine timing measurement (FTM) initiator functionality in

# the Extended Capabilities element bit 71.

# Controls whether FTM initiator functionality will be published by AP/STA.

# Note that actual FTM initiator operation is managed outside wpa_supplicant.

# 0 = Do not publish; default

# 1 = Publish

#ftm_initiator=0

# credential block

#

# Each credential used for automatic network selection is configured as a set

# of parameters that are compared to the information advertised by the APs when

# interworking_select and interworking_connect commands are used.

#

# credential fields:

#

# temporary: Whether this credential is temporary and not to be saved

#

# priority: Priority group

#	By default, all networks and credentials get the same priority group

#	(0). This field can be used to give higher priority for credentials

#	(and similarly in struct wpa_ssid for network blocks) to change the

#	Interworking automatic networking selection behavior. The matching

#	network (based on either an enabled network block or a credential)

#	with the highest priority value will be selected.

#

# pcsc: Use PC/SC and SIM/USIM card

#

# realm: Home Realm for Interworking

#

# username: Username for Interworking network selection

#

# password: Password for Interworking network selection

#

# ca_cert: CA certificate for Interworking network selection

#

# client_cert: File path to client certificate file (PEM/DER)

#	This field is used with Interworking networking selection for a case

#	where client certificate/private key is used for authentication

#	(EAP-TLS). Full path to the file should be used since working

#	directory may change when wpa_supplicant is run in the background.

#

#	Certificates from PKCS#11 tokens can be referenced by a PKCS#11 URI.

#

#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"

#

#	Alternatively, a named configuration blob can be used by setting

#	this to blob://blob_name.

#

# private_key: File path to client private key file (PEM/DER/PFX)

#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be

#	commented out. Both the private key and certificate will be read

#	from the PKCS#12 file in this case. Full path to the file should be

#	used since working directory may change when wpa_supplicant is run

#	in the background.

#

#	Keys in PKCS#11 tokens can be referenced by a PKCS#11 URI.

#	For example: private_key="pkcs11:manufacturer=piv_II;id=%01"

#

#	Windows certificate store can be used by leaving client_cert out and

#	configuring private_key in one of the following formats:

#

#	cert://substring_to_match

#

#	hash://certificate_thumbprint_in_hex

#

#	For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"

#

#	Note that when running wpa_supplicant as an application, the user

#	certificate store (My user account) is used, whereas computer store

#	(Computer account) is used when running wpasvc as a service.

#

#	Alternatively, a named configuration blob can be used by setting

#	this to blob://blob_name.

#

# private_key_passwd: Password for private key file

#

# imsi: IMSI in <MCC> | <MNC> | '-' | <MSIN> format

#

# milenage: Milenage parameters for SIM/USIM simulator in <Ki>:<OPc>:<SQN>

#	format

#

# domain: Home service provider FQDN(s)

#	This is used to compare against the Domain Name List to figure out

#	whether the AP is operated by the Home SP. Multiple domain entries can

#	be used to configure alternative FQDNs that will be considered home

#	networks.

#

# roaming_consortium: Roaming Consortium OI

#	If roaming_consortium_len is non-zero, this field contains the

#	Roaming Consortium OI that can be used to determine which access

#	points support authentication with this credential. This is an

#	alternative to the use of the realm parameter. When using Roaming

#	Consortium to match the network, the EAP parameters need to be

#	pre-configured with the credential since the NAI Realm information

#	may not be available or fetched.

#

# eap: Pre-configured EAP method

#	This optional field can be used to specify which EAP method will be

#	used with this credential. If not set, the EAP method is selected

#	automatically based on ANQP information (e.g., NAI Realm).

#

# phase1: Pre-configure Phase 1 (outer authentication) parameters

#	This optional field is used with like the 'eap' parameter.

#

# phase2: Pre-configure Phase 2 (inner authentication) parameters

#	This optional field is used with like the 'eap' parameter.

#

# excluded_ssid: Excluded SSID

#	This optional field can be used to excluded specific SSID(s) from

#	matching with the network. Multiple entries can be used to specify more

#	than one SSID.

#

# roaming_partner: Roaming partner information

#	This optional field can be used to configure preferences between roaming

#	partners. The field is a string in following format:

#	<FQDN>,<0/1 exact match>,<priority>,<* or country code>

#	(non-exact match means any subdomain matches the entry; priority is in

#	0..255 range with 0 being the highest priority)

#

# update_identifier: PPS MO ID

#	(Hotspot 2.0 PerProviderSubscription/UpdateIdentifier)

#

# provisioning_sp: FQDN of the SP that provisioned the credential

#	This optional field can be used to keep track of the SP that provisioned

#	the credential to find the PPS MO (./Wi-Fi/<provisioning_sp>).

#

# Minimum backhaul threshold (PPS/<X+>/Policy/MinBackhauldThreshold/*)

#	These fields can be used to specify minimum download/upload backhaul

#	bandwidth that is preferred for the credential. This constraint is

#	ignored if the AP does not advertise WAN Metrics information or if the

#	limit would prevent any connection. Values are in kilobits per second.

# min_dl_bandwidth_home

# min_ul_bandwidth_home

# min_dl_bandwidth_roaming

# min_ul_bandwidth_roaming

#

# max_bss_load: Maximum BSS Load Channel Utilization (1..255)

#	(PPS/<X+>/Policy/MaximumBSSLoadValue)

#	This value is used as the maximum channel utilization for network

#	selection purposes for home networks. If the AP does not advertise

#	BSS Load or if the limit would prevent any connection, this constraint

#	will be ignored.

#

# req_conn_capab: Required connection capability

#	(PPS/<X+>/Policy/RequiredProtoPortTuple)

#	This value is used to configure set of required protocol/port pairs that

#	a roaming network shall support (include explicitly in Connection

#	Capability ANQP element). This constraint is ignored if the AP does not

#	advertise Connection Capability or if this constraint would prevent any

#	network connection. This policy is not used in home networks.

#	Format: <protocol>[:<comma-separated list of ports]

#	Multiple entries can be used to list multiple requirements.

#	For example, number of common TCP protocols:

#	req_conn_capab=6,22,80,443

#	For example, IPSec/IKE:

#	req_conn_capab=17:500

#	req_conn_capab=50

#

# ocsp: Whether to use/require OCSP to check server certificate

#	0 = do not use OCSP stapling (TLS certificate status extension)

#	1 = try to use OCSP stapling, but not require response

#	2 = require valid OCSP stapling response

#	3 = require valid OCSP stapling response for all not-trusted

#	    certificates in the server certificate chain

#

# sim_num: Identifier for which SIM to use in multi-SIM devices

#

# for example:

#

#cred={

#	realm="example.com"

#	username="user@example.com"

#	password="password"

#	ca_cert="/etc/wpa_supplicant/ca.pem"

#	domain="example.com"

#}

#

#cred={

#	imsi="310026-000000000"

#	milenage="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82"

#}

#

#cred={

#	realm="example.com"

#	username="user"

#	password="password"

#	ca_cert="/etc/wpa_supplicant/ca.pem"

#	domain="example.com"

#	roaming_consortium=223344

#	eap=TTLS

#	phase2="auth=MSCHAPV2"

#}

# Hotspot 2.0

# hs20=1

# Scheduled scan plans

#

# A space delimited list of scan plans. Each scan plan specifies the scan

# interval and number of iterations, delimited by a colon. The last scan plan

# will run infinitely and thus must specify only the interval and not the number

# of iterations.

#

# The driver advertises the maximum number of scan plans supported. If more scan

# plans than supported are configured, only the first ones are set (up to the

# maximum supported). The last scan plan that specifies only the interval is

# always set as the last plan.

#

# If the scan interval or the number of iterations for a scan plan exceeds the

# maximum supported, it will be set to the maximum supported value.

#

# Format:

# sched_scan_plans=<interval:iterations> <interval:iterations> ... <interval>

#

# Example:

# sched_scan_plans=10:100 20:200 30

# Multi Band Operation (MBO) non-preferred channels

# A space delimited list of non-preferred channels where each channel is a colon

# delimited list of values.

# Format:

# non_pref_chan=<oper_class>:<chan>:<preference>:<reason>

# Example:

# non_pref_chan="81:5:10:2 81:1:0:2 81:9:0:2"

# MBO Cellular Data Capabilities

# 1 = Cellular data connection available

# 2 = Cellular data connection not available

# 3 = Not cellular capable (default)

#mbo_cell_capa=3

# network block

#

# Each network (usually AP's sharing the same SSID) is configured as a separate

# block in this configuration file. The network blocks are in preference order

# (the first match is used).

#

# network block fields:

#

# disabled:

#	0 = this network can be used (default)

#	1 = this network block is disabled (can be enabled through ctrl_iface,

#	    e.g., with wpa_cli or wpa_gui)

#

# id_str: Network identifier string for external scripts. This value is passed

#	to external action script through wpa_cli as WPA_ID_STR environment

#	variable to make it easier to do network specific configuration.

#

# ssid: SSID (mandatory); network name in one of the optional formats:

#	- an ASCII string with double quotation

#	- a hex string (two characters per octet of SSID)

#	- a printf-escaped ASCII string P"<escaped string>"

#

# scan_ssid:

#	0 = do not scan this SSID with specific Probe Request frames (default)

#	1 = scan with SSID-specific Probe Request frames (this can be used to

#	    find APs that do not accept broadcast SSID or use multiple SSIDs;

#	    this will add latency to scanning, so enable this only when needed)

#

# bssid: BSSID (optional); if set, this network block is used only when

#	associating with the AP using the configured BSSID

#

# priority: priority group (integer)

# By default, all networks will get same priority group (0). If some of the

# networks are more desirable, this field can be used to change the order in

# which wpa_supplicant goes through the networks when selecting a BSS. The

# priority groups will be iterated in decreasing priority (i.e., the larger the

# priority value, the sooner the network is matched against the scan results).

# Within each priority group, networks will be selected based on security

# policy, signal strength, etc.

# Please note that AP scanning with scan_ssid=1 and ap_scan=2 mode are not

# using this priority to select the order for scanning. Instead, they try the

# networks in the order that used in the configuration file.

#

# mode: IEEE 802.11 operation mode

# 0 = infrastructure (Managed) mode, i.e., associate with an AP (default)

# 1 = IBSS (ad-hoc, peer-to-peer)

# 2 = AP (access point)

# Note: IBSS can only be used with key_mgmt NONE (plaintext and static WEP) and

# WPA-PSK (with proto=RSN). In addition, key_mgmt=WPA-NONE (fixed group key

# TKIP/CCMP) is available for backwards compatibility, but its use is

# deprecated. WPA-None requires following network block options:

# proto=WPA, key_mgmt=WPA-NONE, pairwise=NONE, group=TKIP (or CCMP, but not

# both), and psk must also be set.

#

# frequency: Channel frequency in megahertz (MHz) for IBSS, e.g.,

# 2412 = IEEE 802.11b/g channel 1. This value is used to configure the initial

# channel for IBSS (adhoc) networks. It is ignored in the infrastructure mode.

# In addition, this value is only used by the station that creates the IBSS. If

# an IBSS network with the configured SSID is already present, the frequency of

# the network will be used instead of this configured value.

#

# pbss: Whether to use PBSS. Relevant to IEEE 802.11ad networks only.

# 0 = do not use PBSS

# 1 = use PBSS

# 2 = don't care (not allowed in AP mode)

# Used together with mode configuration. When mode is AP, it means to start a

# PCP instead of a regular AP. When mode is infrastructure it means connect

# to a PCP instead of AP. In this mode you can also specify 2 (don't care)

# which means connect to either PCP or AP.

# P2P_GO and P2P_GROUP_FORMATION modes must use PBSS in IEEE 802.11ad network.

# For more details, see IEEE Std 802.11ad-2012.

#

# scan_freq: List of frequencies to scan

# Space-separated list of frequencies in MHz to scan when searching for this

# BSS. If the subset of channels used by the network is known, this option can

# be used to optimize scanning to not occur on channels that the network does

# not use. Example: scan_freq=2412 2437 2462

#

# freq_list: Array of allowed frequencies

# Space-separated list of frequencies in MHz to allow for selecting the BSS. If

# set, scan results that do not match any of the specified frequencies are not

# considered when selecting a BSS.

#

# This can also be set on the outside of the network block. In this case,

# it limits the frequencies that will be scanned.

#

# bgscan: Background scanning

# wpa_supplicant behavior for background scanning can be specified by

# configuring a bgscan module. These modules are responsible for requesting

# background scans for the purpose of roaming within an ESS (i.e., within a

# single network block with all the APs using the same SSID). The bgscan

# parameter uses following format: "<bgscan module name>:<module parameters>"

# Following bgscan modules are available:

# simple - Periodic background scans based on signal strength

# bgscan="simple:<short bgscan interval in seconds>:<signal strength threshold>:

# <long interval>"

# bgscan="simple:30:-45:300"

# learn - Learn channels used by the network and try to avoid bgscans on other

# channels (experimental)

# bgscan="learn:<short bgscan interval in seconds>:<signal strength threshold>:

# <long interval>[:<database file name>]"

# bgscan="learn:30:-45:300:/etc/wpa_supplicant/network1.bgscan"

# Explicitly disable bgscan by setting

# bgscan=""

#

# This option can also be set outside of all network blocks for the bgscan

# parameter to apply for all the networks that have no specific bgscan

# parameter.

#

# proto: list of accepted protocols

# WPA = WPA/IEEE 802.11i/D3.0

# RSN = WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)

# If not set, this defaults to: WPA RSN

#

# key_mgmt: list of accepted authenticated key management protocols

# WPA-PSK = WPA pre-shared key (this requires 'psk' field)

# WPA-EAP = WPA using EAP authentication

# IEEE8021X = IEEE 802.1X using EAP authentication and (optionally) dynamically

#	generated WEP keys

# NONE = WPA is not used; plaintext or static WEP could be used

# WPA-NONE = WPA-None for IBSS (deprecated; use proto=RSN key_mgmt=WPA-PSK

#	instead)

# FT-PSK = Fast BSS Transition (IEEE 802.11r) with pre-shared key

# FT-EAP = Fast BSS Transition (IEEE 802.11r) with EAP authentication

# WPA-PSK-SHA256 = Like WPA-PSK but using stronger SHA256-based algorithms

# WPA-EAP-SHA256 = Like WPA-EAP but using stronger SHA256-based algorithms

# SAE = Simultaneous authentication of equals; pre-shared key/password -based

#	authentication with stronger security than WPA-PSK especially when using

#	not that strong password

# FT-SAE = SAE with FT

# WPA-EAP-SUITE-B = Suite B 128-bit level

# WPA-EAP-SUITE-B-192 = Suite B 192-bit level

# OSEN = Hotspot 2.0 Rel 2 online signup connection

# If not set, this defaults to: WPA-PSK WPA-EAP

#

# ieee80211w: whether management frame protection is enabled

# 0 = disabled (default unless changed with the global pmf parameter)

# 1 = optional

# 2 = required

# The most common configuration options for this based on the PMF (protected

# management frames) certification program are:

# PMF enabled: ieee80211w=1 and key_mgmt=WPA-EAP WPA-EAP-SHA256

# PMF required: ieee80211w=2 and key_mgmt=WPA-EAP-SHA256

# (and similarly for WPA-PSK and WPA-WPSK-SHA256 if WPA2-Personal is used)

#

# auth_alg: list of allowed IEEE 802.11 authentication algorithms

# OPEN = Open System authentication (required for WPA/WPA2)

# SHARED = Shared Key authentication (requires static WEP keys)

# LEAP = LEAP/Network EAP (only used with LEAP)

# If not set, automatic selection is used (Open System with LEAP enabled if

# LEAP is allowed as one of the EAP methods).

#

# pairwise: list of accepted pairwise (unicast) ciphers for WPA

# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]

# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]

# NONE = Use only Group Keys (deprecated, should not be included if APs support

#	pairwise keys)

# If not set, this defaults to: CCMP TKIP

#

# group: list of accepted group (broadcast/multicast) ciphers for WPA

# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]

# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]

# WEP104 = WEP (Wired Equivalent Privacy) with 104-bit key

# WEP40 = WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]

# If not set, this defaults to: CCMP TKIP WEP104 WEP40

#

# psk: WPA preshared key; 256-bit pre-shared key

# The key used in WPA-PSK mode can be entered either as 64 hex-digits, i.e.,

# 32 bytes or as an ASCII passphrase (in which case, the real PSK will be

# generated using the passphrase and SSID). ASCII passphrase must be between

# 8 and 63 characters (inclusive). ext:<name of external PSK field> format can

# be used to indicate that the PSK/passphrase is stored in external storage.

# This field is not needed, if WPA-EAP is used.

# Note: Separate tool, wpa_passphrase, can be used to generate 256-bit keys

# from ASCII passphrase. This process uses lot of CPU and wpa_supplicant

# startup and reconfiguration time can be optimized by generating the PSK only

# only when the passphrase or SSID has actually changed.

#

# mem_only_psk: Whether to keep PSK/passphrase only in memory

# 0 = allow psk/passphrase to be stored to the configuration file

# 1 = do not store psk/passphrase to the configuration file

#mem_only_psk=0

#

# eapol_flags: IEEE 802.1X/EAPOL options (bit field)

# Dynamic WEP key required for non-WPA mode

# bit0 (1): require dynamically generated unicast WEP key

# bit1 (2): require dynamically generated broadcast WEP key

# 	(3 = require both keys; default)

# Note: When using wired authentication (including macsec_qca driver),

# eapol_flags must be set to 0 for the authentication to be completed

# successfully.

#

# macsec_policy: IEEE 802.1X/MACsec options

# This determines how sessions are secured with MACsec. It is currently

# applicable only when using the macsec_qca driver interface.

# 0: MACsec not in use (default)

# 1: MACsec enabled - Should secure, accept key server's advice to

#    determine whether to use a secure session or not.

#

# mixed_cell: This option can be used to configure whether so called mixed

# cells, i.e., networks that use both plaintext and encryption in the same

# SSID, are allowed when selecting a BSS from scan results.

# 0 = disabled (default)

# 1 = enabled

#

# proactive_key_caching:

# Enable/disable opportunistic PMKSA caching for WPA2.

# 0 = disabled (default unless changed with the global okc parameter)

# 1 = enabled

#

# wep_key0..3: Static WEP key (ASCII in double quotation, e.g. "abcde" or

# hex without quotation, e.g., 0102030405)

# wep_tx_keyidx: Default WEP key index (TX) (0..3)

#

# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e DLS) is

# allowed. This is only used with RSN/WPA2.

# 0 = disabled (default)

# 1 = enabled

#peerkey=1

#

# wpa_ptk_rekey: Maximum lifetime for PTK in seconds. This can be used to

# enforce rekeying of PTK to mitigate some attacks against TKIP deficiencies.

#

# group_rekey: Group rekeying time in seconds. This value, if non-zero, is used

# as the dot11RSNAConfigGroupRekeyTime parameter when operating in

# Authenticator role in IBSS.

#

# Following fields are only used with internal EAP implementation.

# eap: space-separated list of accepted EAP methods

#	MD5 = EAP-MD5 (insecure and does not generate keying material ->

#			cannot be used with WPA; to be used as a Phase 2 method

#			with EAP-PEAP or EAP-TTLS)

#       MSCHAPV2 = EAP-MSCHAPv2 (cannot be used separately with WPA; to be used

#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)

#       OTP = EAP-OTP (cannot be used separately with WPA; to be used

#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)

#       GTC = EAP-GTC (cannot be used separately with WPA; to be used

#		as a Phase 2 method with EAP-PEAP or EAP-TTLS)

#	TLS = EAP-TLS (client and server certificate)

#	PEAP = EAP-PEAP (with tunnelled EAP authentication)

#	TTLS = EAP-TTLS (with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2

#			 authentication)

#	If not set, all compiled in methods are allowed.

#

# identity: Identity string for EAP

#	This field is also used to configure user NAI for

#	EAP-PSK/PAX/SAKE/GPSK.

# anonymous_identity: Anonymous identity string for EAP (to be used as the

#	unencrypted identity with EAP types that support different tunnelled

#	identity, e.g., EAP-TTLS). This field can also be used with

#	EAP-SIM/AKA/AKA' to store the pseudonym identity.

# password: Password string for EAP. This field can include either the

#	plaintext password (using ASCII or hex string) or a NtPasswordHash

#	(16-byte MD4 hash of password) in hash:<32 hex digits> format.

#	NtPasswordHash can only be used when the password is for MSCHAPv2 or

#	MSCHAP (EAP-MSCHAPv2, EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).

#	EAP-PSK (128-bit PSK), EAP-PAX (128-bit PSK), and EAP-SAKE (256-bit

#	PSK) is also configured using this field. For EAP-GPSK, this is a

#	variable length PSK. ext:<name of external password field> format can

#	be used to indicate that the password is stored in external storage.

# ca_cert: File path to CA certificate file (PEM/DER). This file can have one

#	or more trusted CA certificates. If ca_cert and ca_path are not

#	included, server certificate will not be verified. This is insecure and

#	a trusted CA certificate should always be configured when using

#	EAP-TLS/TTLS/PEAP. Full path should be used since working directory may

#	change when wpa_supplicant is run in the background.

#

#	Alternatively, this can be used to only perform matching of the server

#	certificate (SHA-256 hash of the DER encoded X.509 certificate). In

#	this case, the possible CA certificates in the server certificate chain

#	are ignored and only the server certificate is verified. This is

#	configured with the following format:

#	hash:://server/sha256/cert_hash_in_hex

#	For example: "hash://server/sha256/

#	5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"

#

#	On Windows, trusted CA certificates can be loaded from the system

#	certificate store by setting this to cert_store://<name>, e.g.,

#	ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".

#	Note that when running wpa_supplicant as an application, the user

#	certificate store (My user account) is used, whereas computer store

#	(Computer account) is used when running wpasvc as a service.

# ca_path: Directory path for CA certificate files (PEM). This path may

#	contain multiple CA certificates in OpenSSL format. Common use for this

#	is to point to system trusted CA list which is often installed into

#	directory like /etc/ssl/certs. If configured, these certificates are

#	added to the list of trusted CAs. ca_cert may also be included in that

#	case, but it is not required.

# client_cert: File path to client certificate file (PEM/DER)

#	Full path should be used since working directory may change when

#	wpa_supplicant is run in the background.

#	Alternatively, a named configuration blob can be used by setting this

#	to blob://<blob name>.

# private_key: File path to client private key file (PEM/DER/PFX)

#	When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be

#	commented out. Both the private key and certificate will be read from

#	the PKCS#12 file in this case. Full path should be used since working

#	directory may change when wpa_supplicant is run in the background.

#	Windows certificate store can be used by leaving client_cert out and

#	configuring private_key in one of the following formats:

#	cert://substring_to_match

#	hash://certificate_thumbprint_in_hex

#	for example: private_key="hash://63093aa9c47f56ae88334c7b65a4"

#	Note that when running wpa_supplicant as an application, the user

#	certificate store (My user account) is used, whereas computer store

#	(Computer account) is used when running wpasvc as a service.

#	Alternatively, a named configuration blob can be used by setting this

#	to blob://<blob name>.

# private_key_passwd: Password for private key file (if left out, this will be

#	asked through control interface)

# dh_file: File path to DH/DSA parameters file (in PEM format)

#	This is an optional configuration file for setting parameters for an

#	ephemeral DH key exchange. In most cases, the default RSA

#	authentication does not use this configuration. However, it is possible

#	setup RSA to use ephemeral DH key exchange. In addition, ciphers with

#	DSA keys always use ephemeral DH keys. This can be used to achieve

#	forward secrecy. If the file is in DSA parameters format, it will be

#	automatically converted into DH params.

# subject_match: Substring to be matched against the subject of the

#	authentication server certificate. If this string is set, the server

#	certificate is only accepted if it contains this string in the subject.

#	The subject string is in following format:

#	/C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com

#	Note: Since this is a substring match, this cannot be used securely to

#	do a suffix match against a possible domain name in the CN entry. For

#	such a use case, domain_suffix_match or domain_match should be used

#	instead.

# altsubject_match: Semicolon separated string of entries to be matched against

#	the alternative subject name of the authentication server certificate.

#	If this string is set, the server certificate is only accepted if it

#	contains one of the entries in an alternative subject name extension.

#	altSubjectName string is in following format: TYPE:VALUE

#	Example: EMAIL:server@example.com

#	Example: DNS:server.example.com;DNS:server2.example.com

#	Following types are supported: EMAIL, DNS, URI

# domain_suffix_match: Constraint for server domain name. If set, this FQDN is

#	used as a suffix match requirement for the AAA server certificate in

#	SubjectAltName dNSName element(s). If a matching dNSName is found, this

#	constraint is met. If no dNSName values are present, this constraint is

#	matched against SubjectName CN using same suffix match comparison.

#

#	Suffix match here means that the host/domain name is compared one label

#	at a time starting from the top-level domain and all the labels in

#	domain_suffix_match shall be included in the certificate. The

#	certificate may include additional sub-level labels in addition to the

#	required labels.

#

#	For example, domain_suffix_match=example.com would match

#	test.example.com but would not match test-example.com.

# domain_match: Constraint for server domain name

#	If set, this FQDN is used as a full match requirement for the

#	server certificate in SubjectAltName dNSName element(s). If a

#	matching dNSName is found, this constraint is met. If no dNSName

#	values are present, this constraint is matched against SubjectName CN

#	using same full match comparison. This behavior is similar to

#	domain_suffix_match, but has the requirement of a full match, i.e.,

#	no subdomains or wildcard matches are allowed. Case-insensitive

#	comparison is used, so "Example.com" matches "example.com", but would

#	not match "test.Example.com".

# phase1: Phase1 (outer authentication, i.e., TLS tunnel) parameters

#	(string with field-value pairs, e.g., "peapver=0" or

#	"peapver=1 peaplabel=1")

#	'peapver' can be used to force which PEAP version (0 or 1) is used.

#	'peaplabel=1' can be used to force new label, "client PEAP encryption",

#	to be used during key derivation when PEAPv1 or newer. Most existing

#	PEAPv1 implementation seem to be using the old label, "client EAP

#	encryption", and wpa_supplicant is now using that as the default value.

#	Some servers, e.g., Radiator, may require peaplabel=1 configuration to

#	interoperate with PEAPv1; see eap_testing.txt for more details.

#	'peap_outer_success=0' can be used to terminate PEAP authentication on

#	tunneled EAP-Success. This is required with some RADIUS servers that

#	implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,

#	Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode)

#	include_tls_length=1 can be used to force wpa_supplicant to include

#	TLS Message Length field in all TLS messages even if they are not

#	fragmented.

#	sim_min_num_chal=3 can be used to configure EAP-SIM to require three

#	challenges (by default, it accepts 2 or 3)

#	result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use

#	protected result indication.

#	'crypto_binding' option can be used to control PEAPv0 cryptobinding

#	behavior:

#	 * 0 = do not use cryptobinding (default)

#	 * 1 = use cryptobinding if server supports it

#	 * 2 = require cryptobinding

#	EAP-WSC (WPS) uses following options: pin=<Device Password> or

#	pbc=1.

#

#	For wired IEEE 802.1X authentication, "allow_canned_success=1" can be

#	used to configure a mode that allows EAP-Success (and EAP-Failure)

#	without going through authentication step. Some switches use such

#	sequence when forcing the port to be authorized/unauthorized or as a

#	fallback option if the authentication server is unreachable. By default,

#	wpa_supplicant discards such frames to protect against potential attacks

#	by rogue devices, but this option can be used to disable that protection

#	for cases where the server/authenticator does not need to be

#	authenticated.

# phase2: Phase2 (inner authentication with TLS tunnel) parameters

#	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or

#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be

#	used to disable MSCHAPv2 password retry in authentication failure cases.

#

# TLS-based methods can use the following parameters to control TLS behavior

# (these are normally in the phase1 parameter, but can be used also in the

# phase2 parameter when EAP-TLS is used within the inner tunnel):

# tls_allow_md5=1 - allow MD5-based certificate signatures (depending on the

#	TLS library, these may be disabled by default to enforce stronger

#	security)

# tls_disable_time_checks=1 - ignore certificate validity time (this requests

#	the TLS library to accept certificates even if they are not currently

#	valid, i.e., have expired or have not yet become valid; this should be

#	used only for testing purposes)

# tls_disable_session_ticket=1 - disable TLS Session Ticket extension

# tls_disable_session_ticket=0 - allow TLS Session Ticket extension to be used

#	Note: If not set, this is automatically set to 1 for EAP-TLS/PEAP/TTLS

#	as a workaround for broken authentication server implementations unless

#	EAP workarounds are disabled with eap_workaround=0.

#	For EAP-FAST, this must be set to 0 (or left unconfigured for the

#	default value to be used automatically).

# tls_disable_tlsv1_0=1 - disable use of TLSv1.0

# tls_disable_tlsv1_1=1 - disable use of TLSv1.1 (a workaround for AAA servers

#	that have issues interoperating with updated TLS version)

# tls_disable_tlsv1_2=1 - disable use of TLSv1.2 (a workaround for AAA servers

#	that have issues interoperating with updated TLS version)

# tls_ext_cert_check=0 - No external server certificate validation (default)

# tls_ext_cert_check=1 - External server certificate validation enabled; this

#	requires an external program doing validation of server certificate

#	chain when receiving CTRL-RSP-EXT_CERT_CHECK event from the control

#	interface and report the result of the validation with

#	CTRL-RSP_EXT_CERT_CHECK.

#

# Following certificate/private key fields are used in inner Phase2

# authentication when using EAP-TTLS or EAP-PEAP.

# ca_cert2: File path to CA certificate file. This file can have one or more

#	trusted CA certificates. If ca_cert2 and ca_path2 are not included,

#	server certificate will not be verified. This is insecure and a trusted

#	CA certificate should always be configured.

# ca_path2: Directory path for CA certificate files (PEM)

# client_cert2: File path to client certificate file

# private_key2: File path to client private key file

# private_key2_passwd: Password for private key file

# dh_file2: File path to DH/DSA parameters file (in PEM format)

# subject_match2: Substring to be matched against the subject of the

#	authentication server certificate. See subject_match for more details.

# altsubject_match2: Semicolon separated string of entries to be matched

#	against the alternative subject name of the authentication server

#	certificate. See altsubject_match documentation for more details.

# domain_suffix_match2: Constraint for server domain name. See

#	domain_suffix_match for more details.

#

# fragment_size: Maximum EAP fragment size in bytes (def

----------

## Tununias

It was cut off... I don't know if there is a better way of posting it. Also I did not have a /etc/conf.d/net file.

----------

## khayyam

 *Tununias wrote:*   

> Just the kernel version I have downloaded and the one on the minimal cd. I can connect with the cd, but only if I get access to the internet before chrooting.

 

Tununias ... not sure what you mean by "the kernel version I have downloaded", but as far as accessing network from the chroot you need to cp /etc/resolv.conf to {chroot}/etc/resolv.conf.

 *Tununias wrote:*   

> net-wireless/wpa_supplicant-2.6-r6::gentoo was built with the following:
> 
> USE="ap dbus eap-sim eapol_test fasteap hs2-0 p2p privsep qt5 readline smartcard ssl tdls uncommon-eap-types wps -gnutls -libressl (-ps3) (-selinux) (-wimax)"

 

disable 'USE=privsep' ... and you most probably don't want USE="ap eapol_test p2p smartcard tdls uncommon-eap-types wps" (as a general rule, only enable those useflags you know you need, or are +IUSE).

The wpa_supplicant.conf is mostly noise, because commented, it looks ok however, and as I expect you plan on using wpa_gui (as USE="qt" is enabled) the 'network' stanza's will be created when you connect.

HTH & best ... khay

----------

## Tununias

Sorry about the late reply. My work week started the next day and I didn't get a chance to do anything.

Thank you. I did what you said and "-" out those unnecessary USE tags in /etc/portage/package.use/wpa_supplicant. I rebuilt it with emerge and everything connects just fine now. 

 :Very Happy: 

----------

## khayyam

 *Tununias wrote:*   

> Sorry about the late reply. My work week started the next day and I didn't get a chance to do anything. Thank you. I did what you said and "-" out those unnecessary USE tags in /etc/portage/package.use/wpa_supplicant. I rebuilt it with emerge and everything connects just fine now. 

 

Tununias ... no problem, I generally don't wait with bated breath in anticipation of a reply ;) ... anyhow, you're welcome, please edit the first post and add '[SOLVED]' to the subject line.

best ... khay

----------

