trunk/debian/README.modes

Modes of Operation in wpasupplicant for Debian
==============================================

The Debian wpasupplicant package provides two (2) convenient modes of operation
that are closely integrated to the core networking infrastructure; ifupdown.

Table of Contents
=================

1. Specifying the wpa_supplicant driver backend
        - Table of supported drivers
        - Common Driver Recommendations

2. Mode #1: Managed Mode
        - Examples
        - Table of Common Options
        - Important Notes About Managed Mode
        - How It Works

3. Mode #2: Roaming Mode
        - wpa_supplicant.conf
        - /etc/network/interfaces
        - Controlling the Roaming Daemon with wpa_action
        - Fine Tuning the Roaming Setup
        - The Logfile
        - Using External Mapping Scripts (e.g. guessnet)
        - /etc/network/interfaces with external mapping

4. Troubleshooting
        - Hidden ssids

5. Security Considerations
        - Configuration File Permissions


1. Specifying the wpa_supplicant driver backend
===============================================

The wext driver backend will be used for all interfaces that do not explicitly
set 'wpa-driver' to the driver type required for that device. Users of linux 
2.4 kernels, or 2.6 kernels less than 2.6.14 will be required to specify a
wpa-driver type.

Table of supported drivers
==========================

A summary of supported drivers follows:

Driver         Description
======         ===========
hostap         Host AP driver (Intersil Prism2/2.5/3)
madwifi        MADWIFI 802.11 support (Atheros, etc.)
atmel          ATMEL AT76C5XXx (USB, PCMCIA)
wext           Linux wireless extensions (generic)
ndiswrapper    Linux ndiswrapper
ipw            Intel ipw2100/2200 driver
wired          wired Ethernet driver
test           test driver

Common Driver Recommendations
=============================

The Intel Pro Wireless adapters (ipw2100, ipw2200 and ipw3945) all use the
'wext' backend, unless your kernel is older than 2.6.14.

Madwifi supports both the 'wext' and 'madwifi' driver backends. 'wext' is
preferred, however 'madwifi' may work better in some circumstances.

Ndiswrapper NO LONGER SUPPORTS the 'ndiswrapper' driver backend as of version
1.16. Therefore, 'wext' must be used unless you use an antiquated ndiswrapper
release.

Set the driver type in the interfaces(5) stanza for your device with the
'wpa-driver' option. For example:

iface eth0 inet dhcp
        wpa-driver wext
        . . . . . more options


2. Mode #1: Managed Mode
=======================

This mode provides the ability to establish a connection via wpa_supplicant to
one known network. It is similar to how the wireless-tools package works. Each
element required to establish the connection via wpa_supplicant is prefixed
with 'wpa-' and followed by the value that will be used for that element.

Examples
========

NOTE: the 'wpa-psk' value is only valid if:
        1) It is a plaintext (ascii) string between 8 and 63 characters in
           length
        2) It is a hexadecimal string of 64 characters

# Connect to access point of ssid 'NETBEER' with an encryption type of
# WPA-PSK/WPA2-PSK. It assumes the driver will use the 'wext' driver backend
# of wpa_supplicant because no wpa-driver option has been specified. 
# The passphrase is given as a ASCII (plaintext) string. DHCP is used to
# obtain a network address.
#
iface wlan0 inet dhcp
        wpa-ssid NETBEER
        # plaintext passphrase
        wpa-psk PlainTextSecret

# Connect to access point of ssid 'homezone' with an encryption type of
# WPA-PSK/WPA2-PSK, using the 'wext' driver backend of wpa_supplicant.
# The psk is given as an encoded hexadecimal string. DHCP is used to obtain
# a network address.
#
iface wlan0 inet dhcp
        wpa-driver wext
        wpa-ssid homezone
        # hexadecimal psk is encoded from a plaintext passphrase
        wpa-psk 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f

# Connect to access point of ssid 'HotSpot1' and bssid of '00:1a:2b:3c:4d:5e'
# with an encryption type of WPA-PSK/WPA2-PSK, using the the 'madwifi' driver
# backend of wpa_supplicant. The passphrase is given as a plaintext string.
# A static network address assignment is used.
#
iface ath0 inet static
        wpa-driver madwifi
        wpa-ssid HotSpot1
        wpa-bssid 00:1a:2b:3c:4d:5e
        # plaintext passphrase
        wpa-psk madhotspot
        wpa-key-mgmt WPA-PSK
        wpa-pairwise TKIP CCMP
        wpa-group TKIP CCMP
        wpa-proto WPA RSN
        # static ip settings
        address 192.168.0.100
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

# User supplied wpa_supplicant.conf is used for eth1. All network information
# is contained within the user supplied wpa_supplicant.conf. No wpa-driver type
# is specified, so wext is used. DHCP is used to obtain a network address.
#
iface eth1 inet dhcp
        wpa-conf /path/to/wpa_supplicant.conf

Table of Common Options
=======================

A brief summary of common 'wpa-' options that may be used in the
/etc/network/interfaces stanza for a wireless device. See the
'Important Notes About Managed Mode' section for information about
valid and invalid 'wpa-' values.

NOTE: ALL values are CASE SeNsItVe

Element        Example Value            Description
=======        =============            ===========
wpa-ssid       plaintextstring          sets the ssid of your network

wpa-bssid      00:1a:2b:3c:4d:5e        the bssid of your AP

wpa-psk        0123456789......         your preshared wpa key. Use
                                        wpa_passphrase(8) to generate your psk
                                        from a passphrase and ssid pair

wpa-key-mgmt   NONE, WPA-PSK, WPA-EAP,  list of accepted authenticated key
               IEEE8021X                management protocols

wpa-group      CCMP, TKIP, WEP104,      list of accepted group ciphers for WPA
               WEP40

wpa-pairwise   CCMP, TKIP, NONE         list of accepted pairwise ciphers for
                                        WPA

wpa-auth-alg   OPEN, SHARED, LEAP       list of allowed IEEE 802.11
                                        authentication algorithms

wpa-proto      WPA, RSN                 list of accepted protocols

wpa-identity   myplaintextname          administrator provided username
                                        (EAP authentication)

wpa-password   myplaintextpassword      your password (EAP authentication)

wpa-scan-ssid  0 or 1                   toggles scanning of ssid with specific
                                        Probe Request frames

wpa-ap-scan    0 or 1 or 2              adjusts the scanning logic of
                                        wpa_supplicant

The complete functionality of wpa_cli(8) should be implemented. Anything
missing is considered a bug and should be reported as such. Patches are always
welcome.

Important Notes About Managed Mode
==================================

Almost all 'wpa-' options require there is at least a ssid specified. Only a
handful of options have a global effect. These are: 'wpa-ap-scan' and
'wpa-preauthenticate'.

Any 'wpa-' option given for a device in the interfaces(5) file is sufficient to
trigger the wpa_supplicant daemon into action.

The wpasupplicant ifupdown script makes assumptions about the 'type' of input
that is valid for each option. For example, it assumes that some input is
plaintext and wraps quotation marks around the input before passing it on
to wpa_cli, which then adds the input to the network block being formed via
the wpa_supplicant ctrl_interface socket. Running ifup manually with the 
'--verbose' option will reveal all of the commands used to form the network
block via wpa_cli. If the value you used for any wpa-* option in
/etc/network/interfaces is surrounded by double quotes, than it has been
assumed to be of "plaintext" or "ascii" type input.

Some input is assumed to be a hexadecimal string (eg. wpa-wep-key*). The value
'type' of the wpa-psk option however, is determined via a simple check for more
than one non hexadecimal character.


How It Works
============

As mentioned earlier, each wpa_supplicant specific element is prefixed with
'wpa-'. Each element correlates to a property of wpa_supplicant described in
the wpa_supplicant.conf(5), wpa_supplicant(8) and wpa_cli(8) manpages. The
supplicant is launched without any pre-configuration whatsoever, and wpa_cli
forms a network configuration from the input provided by the 'wpa-*' lines.
Initially, wpa_supplicant/wpa_cli does not directly set the properties of the
device (like setting an essid with iwconfig, for example), rather it informs
the device of what access point is suitable to associate with. Once the device
has scanned the area, and found that the suitable access point is available for
use, these properties are set.

The scripts that do all the work are located at:

        /etc/wpa_supplicant/ifupdown.sh
        /etc/wpa_supplicant/functions.sh

ifupdown.sh is executed by run-parts, which in turn is invoked by ifupdown
during the 'pre-up', 'pre-down' and 'post-down' phases.

In the 'pre-up' phase, a wpa_supplicant daemon is launched followed by a series
of wpa_cli commands that set up a network configuration according to what
'wpa-' options were used in /etc/network/interfaces for the physical device.

If wpa-roam is used, a wpa_cli daemon is launched in the 'post-up' phase.

In the 'pre-down' phase, the wpa_cli daemon is terminated.

In the 'post-down' phase, the wpa_supplicant daemon is terminated.


3. Mode #2: Roaming Mode
========================

A self contained, simplistic roaming mechanism is provided by this package. It
is in the form of a wpa_cli action script, /sbin/wpa_action, and it assumes
control of ifupdown once activated. The wpa_action(8) manpage describes its
technical details in great depth.

To activate a roaming interface, adapt the following example interfaces(5)
stanza:

iface eth1 inet manual
        wpa-driver wext
        wpa-roam /path/to/wpa_supplicant.conf

Two daemons are spawned from the above example; wpa_supplicant and wpa_cli. It
is required to provide a wpa_supplicant.conf. A good starting point is provided
by an example configuration file:

        cp /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.template \
                /etc/wpa_supplicant/wpa_supplicant.conf

NOTE: it is critical that the used wpa_supplicant.conf defines the location of
      the 'ctrl_interface' so that a communication socket is created for the 
      wpa_cli (wpa-roam daemon) to attach. The mentioned example conf file,
      wpa_supplicant.conf.template, has this set to a sane default.

It is required to edit this configuration file, and add the network blocks for
all known networks. If you do not understand what this means, start reading the
wpa_supplicant.conf(5) manpage now.

For each network, you may specify a special option 'id_str'. It should be set to
a simple text string. This text string forms the basis for network profiling; it
correlates to a logical interface defined in the interfaces(5) file. When no
'id_str' is given for a network, wpa_action assumes it will use the 'default'
logical interface as fallback. The fallback interface can be chosen via the
'wpa-roam-default-iface' option.

So what does all this mean? Lets illustrate it with a small example taken from
the wpa_action(8) manpage.

wpa_supplicant.conf
===================
network={
        ssid="foo"
        # this id_str will notify /sbin/wpa_action to 'ifup uni'
        id_str="uni"
        key_mgmt=NONE
}

network={
        ssid="bar"
        # this id_str will notify /sbin/wpa_action to 'ifup home_static'
        id_str="home_static"
        psk=123456789...
}

network={
        ssid=""
        # no 'id_str' is given, /sbin/wpa_action will 'ifup default'
        key_mgmt=NONE
}

/etc/network/interfaces
=======================
# the roaming interface MUST use the manual inet method
# 'allow-hotplug' or 'auto' ensures the daemon starts automatically
allow-hotplug eth1
iface eth1 inet manual
        wpa-driver wext
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
 
# no id_str, 'default' is used as the fallback mapping target
iface default inet dhcp

# id_str="uni"
iface uni inet dhcp

# id_str="home_static"
iface home_static inet static
        address 192.168.0.20
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1

A logical interface is brought up via ifup, and taken down via ifdown, as
wpa_supplicant associates and de-associates with the network associated
to it by the 'id_str' option used in the wpa_supplicant.conf configuration file.

A log of /sbin/wpa_action's actions is created at /var/log/wpa_action.log,
please attach the log when reporting problems.

Controlling the Roaming Daemon with wpa_action
==============================================

Once the roaming daemon is started, it assumes control of ifupdown. That is;
wpa_cli calls ifup when wpa_supplicant has successfully associated with an
access point, and calls ifdown when the connection is lost or terminated.
While the roaming daemon is active, ifupdown should not be controlled directly
by manually issued commands, rather /sbin/wpa_action is supplied to stop and
reload the roaming daemon. For example, to stop the
romaing daemon on the device 'eth1':

        wpa_action eth1 stop

When it is required to update the roaming daemon with  a new networks details,
it can be done without stopping it. Edit the wpa_supplicant.conf file that is
being used by the daemon with the new networks details, add optional network
settings to /etc/network/interfaces that are specific to the new network
(linked by the 'id_str') and then 'reload' the daemon like so:

        wpa_action eth1 reload

For the complete technical details of what wpa_action can do, read the
wpa_action(8) manpage.

Fine Tuning the Roaming Setup
=============================

You may face situations where multiple known access points are in close
proximity. You can choose which one is preferred manually, with wpa_cli or
wpa_gui, or you can give each network its own priority. This is provided by the
'priority' option of wpa_supplicant.conf.

The Logfile
===========

All activity of the roaming dameon is logged to /var/log/wpa_action.log. The
following information is logged:

        * time and date
        * interface name and action event
        * values of enviromental variables (WPA_ID, WPA_ID_STR, WPA_CTRL_DIR)
        * ifupdown command executed
        * wpa_cli status (based on WPA-PSK network, may display different info)
                - bssid
                - ssid
                - id
                - id_str
                - pairwise_cipher
                - group_cipher
                - key_mgmt
                - wpa_state
                - ip_address

Using External Mapping Scripts (e.g. guessnet)
==============================================

In addition to the internal mapping of logical interfaces via 'id_str',
wpa_action can call external mapping scripts. A mapping script should return
the name of the logical interface which should be brought up. Any mapping
script that works from ifupdowns mapping mechanism (see man interfaces) should
also work when called from wpa_action. 

To call a mapping script add a line 'wpa-mapping-script name-of-the-script' to 
the interfaces stanza of the physical roaming device. (You may have to specify
the absolute path to the mapping script.)

The contents of lines starting with wpa-map are passed to stdin of the mapping 
script. Since ifupdown allows only one wpa-map line you can append any number
to wpa-map for additional lines. For example:

iface wlan0 inet manual
        wpa-driver wext
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
        wpa-mapping-script guessnet-ifupdown
        wpa-map0 home
        wpa-map1 work
        wpa-map2 school
        # ... additional wpa-mapX lines as required


By default the mapping script will only be used when no 'id_str' is available
for the current network. If you want to completely disable 'id_str' matching
and use only an external mapping script, use the
'wpa-mapping-script-priority 1' option to override default behaviour.

If the mapping script returns an empty string wpa_action will fallback to using
the 'default' interface, unless an alternative is defined by the
'wpa-roam-default-iface' option.

Below is an advanced example, using guessnet-ifupdown as the external mapping
script.

/etc/network/interfaces with external mapping
=============================================

allow-hotplug wlan0
iface wlan0 inet manual
        wpa-driver wext
        wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
        wpa-roam-default-iface default-wparoam
        wpa-mapping-script guessnet-ifupdown
        wpa-map default: default-guessnet
        wpa-map0 home_static
        wpa-map1 work_static

# school can only be chosen via 'id_str' matching
iface school inet dhcp
        # resolvconf
        dns-nameservers 11.22.33.44 55.66.77.88

iface home_static inet static
        address 192.168.0.20
        netmask 255.255.255.0
        network 192.168.0.0
        broadcast 192.168.0.255
        gateway 192.168.0.1
        test peer address 192.168.0.1 mac 00:01:02:03:04:05

iface work_static inet static
        address 192.168.3.200
        netmask 255.255.255.0
        network 192.168.3.0
        broadcast 192.168.3.255
        gateway 192.168.3.1
        test peer address 192.168.3.1 mac 00:01:02:03:04:05

iface default-guessnet inet dhcp

iface default-wparoam inet dhcp

In this example wpa_action will use guessnet for the selection of a suitable
logical interface only when no 'id_str' option has been provided for the
current network in the provided wpa_supplicant.conf.

The 'wpa-map' lines provide guessnet with the logical interfaces that are to be
tested as well as the default interface to be used when all tests fail. The
'test' lines of each logical interface are used by guessnet to determine if
we are actually connected to that network. For instance, guessnet will choose
the logical interface 'home_static' if there's a device with an IP address of
192.168.0.1 and MAC of 00:01:02:03:04:05 on the current network. If all tests
fail, the 'default-guessnet' interface will be configured.

Please, read the guessnet(8) manpage for more information.


4. Troubleshooting
==================

In order to debug connection, association and authentication problems,
we suggest starting `wpa_cli -i <interface>` in a different shell, before
starting the interface. Use the command 'level 0' first, to get all
debug messages. Then use `ifup --verbose <interface>` to get verbose debug
messages from the script starting wpasupplicant.

Hidden ssids
============

For reference, see #358137 [0]. In order to be able to associate to hidden
ssids, please try to set the option 'ap_scan=1' in the global section, and 
'scan_ssid=1' in your network block section of your wpa_supplicant.conf file.
If you are using the managed mode, you can do so by these stanzas:

iface eth1 inet dhcp
        wpa-ap-scan 1
        wpa-scan-ssid 1
        # ... additional options for your setup

According to #368770 [1], association can take a very long time under certain
circumstances. In some cases, setting the parameter 'ap_scan=2' in the
config file, (or using a 'wpa-ap-scan 2' stanza, which is equivalent) can
greatly help to speed up association. Please note that setting ap_scan to the
value of 2 also requires that all networks have a precisely defined security
policy for for key_mgmt, pairwise, group and proto network policy variables.

[0] http://bugs.debian.org/358137
[1] http://bugs.debian.org/368770


5. Security Considerations
==========================

Configuration File Permissions
==============================
It is important to keep PSK's and other sensitive information concerning your
network settings private, therefore ensure that important configuration files
containing such data are only readable by their owner. For example:

        chmod 0600 /etc/network/interfaces
        # substitute the path of your wpa_supplicant.conf file
        chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf

By default, /etc/network/interfaces is world readable, and thus unsuitable for
containing secret keys and passwords.
1	Modes of Operation in wpasupplicant for Debian
2	==============================================
3
4	The Debian wpasupplicant package provides two (2) convenient modes of operation
5	that are closely integrated to the core networking infrastructure; ifupdown.
6
7	Table of Contents
8	=================
9
10	1. Specifying the wpa_supplicant driver backend
11	- Table of supported drivers
12	- Common Driver Recommendations
13
14	2. Mode #1: Managed Mode
15	- Examples
16	- Table of Common Options
17	- Important Notes About Managed Mode
18	- How It Works
19
20	3. Mode #2: Roaming Mode
21	- wpa_supplicant.conf
22	- /etc/network/interfaces
23	- Controlling the Roaming Daemon with wpa_action
24	- Fine Tuning the Roaming Setup
25	- The Logfile
26	- Using External Mapping Scripts (e.g. guessnet)
27	- /etc/network/interfaces with external mapping
28
29	4. Troubleshooting
30	- Hidden ssids
31
32	5. Security Considerations
33	- Configuration File Permissions
34
35
36	1. Specifying the wpa_supplicant driver backend
37	===============================================
38
39	The wext driver backend will be used for all interfaces that do not explicitly
40	set 'wpa-driver' to the driver type required for that device. Users of linux
41	2.4 kernels, or 2.6 kernels less than 2.6.14 will be required to specify a
42	wpa-driver type.
43
44	Table of supported drivers
45	==========================
46
47	A summary of supported drivers follows:
48
49	Driver Description
50	====== ===========
51	hostap Host AP driver (Intersil Prism2/2.5/3)
52	madwifi MADWIFI 802.11 support (Atheros, etc.)
53	atmel ATMEL AT76C5XXx (USB, PCMCIA)
54	wext Linux wireless extensions (generic)
55	ndiswrapper Linux ndiswrapper
56	ipw Intel ipw2100/2200 driver
57	wired wired Ethernet driver
58	test test driver
59
60	Common Driver Recommendations
61	=============================
62
63	The Intel Pro Wireless adapters (ipw2100, ipw2200 and ipw3945) all use the
64	'wext' backend, unless your kernel is older than 2.6.14.
65
66	Madwifi supports both the 'wext' and 'madwifi' driver backends. 'wext' is
67	preferred, however 'madwifi' may work better in some circumstances.
68
69	Ndiswrapper NO LONGER SUPPORTS the 'ndiswrapper' driver backend as of version
70	1.16. Therefore, 'wext' must be used unless you use an antiquated ndiswrapper
71	release.
72
73	Set the driver type in the interfaces(5) stanza for your device with the
74	'wpa-driver' option. For example:
75
76	iface eth0 inet dhcp
77	wpa-driver wext
78	. . . . . more options
79
80
81	2. Mode #1: Managed Mode
82	=======================
83
84	This mode provides the ability to establish a connection via wpa_supplicant to
85	one known network. It is similar to how the wireless-tools package works. Each
86	element required to establish the connection via wpa_supplicant is prefixed
87	with 'wpa-' and followed by the value that will be used for that element.
88
89	Examples
90	========
91
92	NOTE: the 'wpa-psk' value is only valid if:
93	1) It is a plaintext (ascii) string between 8 and 63 characters in
94	length
95	2) It is a hexadecimal string of 64 characters
96
97	# Connect to access point of ssid 'NETBEER' with an encryption type of
98	# WPA-PSK/WPA2-PSK. It assumes the driver will use the 'wext' driver backend
99	# of wpa_supplicant because no wpa-driver option has been specified.
100	# The passphrase is given as a ASCII (plaintext) string. DHCP is used to
101	# obtain a network address.
102	#
103	iface wlan0 inet dhcp
104	wpa-ssid NETBEER
105	# plaintext passphrase
106	wpa-psk PlainTextSecret
107
108	# Connect to access point of ssid 'homezone' with an encryption type of
109	# WPA-PSK/WPA2-PSK, using the 'wext' driver backend of wpa_supplicant.
110	# The psk is given as an encoded hexadecimal string. DHCP is used to obtain
111	# a network address.
112	#
113	iface wlan0 inet dhcp
114	wpa-driver wext
115	wpa-ssid homezone
116	# hexadecimal psk is encoded from a plaintext passphrase
117	wpa-psk 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
118
119	# Connect to access point of ssid 'HotSpot1' and bssid of '00:1a:2b:3c:4d:5e'
120	# with an encryption type of WPA-PSK/WPA2-PSK, using the the 'madwifi' driver
121	# backend of wpa_supplicant. The passphrase is given as a plaintext string.
122	# A static network address assignment is used.
123	#
124	iface ath0 inet static
125	wpa-driver madwifi
126	wpa-ssid HotSpot1
127	wpa-bssid 00:1a:2b:3c:4d:5e
128	# plaintext passphrase
129	wpa-psk madhotspot
130	wpa-key-mgmt WPA-PSK
131	wpa-pairwise TKIP CCMP
132	wpa-group TKIP CCMP
133	wpa-proto WPA RSN
134	# static ip settings
135	address 192.168.0.100
136	netmask 255.255.255.0
137	network 192.168.0.0
138	broadcast 192.168.0.255
139	gateway 192.168.0.1
140
141	# User supplied wpa_supplicant.conf is used for eth1. All network information
142	# is contained within the user supplied wpa_supplicant.conf. No wpa-driver type
143	# is specified, so wext is used. DHCP is used to obtain a network address.
144	#
145	iface eth1 inet dhcp
146	wpa-conf /path/to/wpa_supplicant.conf
147
148	Table of Common Options
149	=======================
150
151	A brief summary of common 'wpa-' options that may be used in the
152	/etc/network/interfaces stanza for a wireless device. See the
153	'Important Notes About Managed Mode' section for information about
154	valid and invalid 'wpa-' values.
155
156	NOTE: ALL values are CASE SeNsItVe
157
158	Element Example Value Description
159	======= ============= ===========
160	wpa-ssid plaintextstring sets the ssid of your network
161
162	wpa-bssid 00:1a:2b:3c:4d:5e the bssid of your AP
163
164	wpa-psk 0123456789...... your preshared wpa key. Use
165	wpa_passphrase(8) to generate your psk
166	from a passphrase and ssid pair
167
168	wpa-key-mgmt NONE, WPA-PSK, WPA-EAP, list of accepted authenticated key
169	IEEE8021X management protocols
170
171	wpa-group CCMP, TKIP, WEP104, list of accepted group ciphers for WPA
172	WEP40
173
174	wpa-pairwise CCMP, TKIP, NONE list of accepted pairwise ciphers for
175	WPA
176
177	wpa-auth-alg OPEN, SHARED, LEAP list of allowed IEEE 802.11
178	authentication algorithms
179
180	wpa-proto WPA, RSN list of accepted protocols
181
182	wpa-identity myplaintextname administrator provided username
183	(EAP authentication)
184
185	wpa-password myplaintextpassword your password (EAP authentication)
186
187	wpa-scan-ssid 0 or 1 toggles scanning of ssid with specific
188	Probe Request frames
189
190	wpa-ap-scan 0 or 1 or 2 adjusts the scanning logic of
191	wpa_supplicant
192
193	The complete functionality of wpa_cli(8) should be implemented. Anything
194	missing is considered a bug and should be reported as such. Patches are always
195	welcome.
196
197	Important Notes About Managed Mode
198	==================================
199
200	Almost all 'wpa-' options require there is at least a ssid specified. Only a
201	handful of options have a global effect. These are: 'wpa-ap-scan' and
202	'wpa-preauthenticate'.
203
204	Any 'wpa-' option given for a device in the interfaces(5) file is sufficient to
205	trigger the wpa_supplicant daemon into action.
206
207	The wpasupplicant ifupdown script makes assumptions about the 'type' of input
208	that is valid for each option. For example, it assumes that some input is
209	plaintext and wraps quotation marks around the input before passing it on
210	to wpa_cli, which then adds the input to the network block being formed via
211	the wpa_supplicant ctrl_interface socket. Running ifup manually with the
212	'--verbose' option will reveal all of the commands used to form the network
213	block via wpa_cli. If the value you used for any wpa-* option in
214	/etc/network/interfaces is surrounded by double quotes, than it has been
215	assumed to be of "plaintext" or "ascii" type input.
216
217	Some input is assumed to be a hexadecimal string (eg. wpa-wep-key*). The value
218	'type' of the wpa-psk option however, is determined via a simple check for more
219	than one non hexadecimal character.
220
221
222	How It Works
223	============
224
225	As mentioned earlier, each wpa_supplicant specific element is prefixed with
226	'wpa-'. Each element correlates to a property of wpa_supplicant described in
227	the wpa_supplicant.conf(5), wpa_supplicant(8) and wpa_cli(8) manpages. The
228	supplicant is launched without any pre-configuration whatsoever, and wpa_cli
229	forms a network configuration from the input provided by the 'wpa-*' lines.
230	Initially, wpa_supplicant/wpa_cli does not directly set the properties of the
231	device (like setting an essid with iwconfig, for example), rather it informs
232	the device of what access point is suitable to associate with. Once the device
233	has scanned the area, and found that the suitable access point is available for
234	use, these properties are set.
235
236	The scripts that do all the work are located at:
237
238	/etc/wpa_supplicant/ifupdown.sh
239	/etc/wpa_supplicant/functions.sh
240
241	ifupdown.sh is executed by run-parts, which in turn is invoked by ifupdown
242	during the 'pre-up', 'pre-down' and 'post-down' phases.
243
244	In the 'pre-up' phase, a wpa_supplicant daemon is launched followed by a series
245	of wpa_cli commands that set up a network configuration according to what
246	'wpa-' options were used in /etc/network/interfaces for the physical device.
247
248	If wpa-roam is used, a wpa_cli daemon is launched in the 'post-up' phase.
249
250	In the 'pre-down' phase, the wpa_cli daemon is terminated.
251
252	In the 'post-down' phase, the wpa_supplicant daemon is terminated.
253
254
255	3. Mode #2: Roaming Mode
256	========================
257
258	A self contained, simplistic roaming mechanism is provided by this package. It
259	is in the form of a wpa_cli action script, /sbin/wpa_action, and it assumes
260	control of ifupdown once activated. The wpa_action(8) manpage describes its
261	technical details in great depth.
262
263	To activate a roaming interface, adapt the following example interfaces(5)
264	stanza:
265
266	iface eth1 inet manual
267	wpa-driver wext
268	wpa-roam /path/to/wpa_supplicant.conf
269
270	Two daemons are spawned from the above example; wpa_supplicant and wpa_cli. It
271	is required to provide a wpa_supplicant.conf. A good starting point is provided
272	by an example configuration file:
273
274	cp /usr/share/doc/wpasupplicant/examples/wpa_supplicant.conf.template \
275	/etc/wpa_supplicant/wpa_supplicant.conf
276
277	NOTE: it is critical that the used wpa_supplicant.conf defines the location of
278	the 'ctrl_interface' so that a communication socket is created for the
279	wpa_cli (wpa-roam daemon) to attach. The mentioned example conf file,
280	wpa_supplicant.conf.template, has this set to a sane default.
281
282	It is required to edit this configuration file, and add the network blocks for
283	all known networks. If you do not understand what this means, start reading the
284	wpa_supplicant.conf(5) manpage now.
285
286	For each network, you may specify a special option 'id_str'. It should be set to
287	a simple text string. This text string forms the basis for network profiling; it
288	correlates to a logical interface defined in the interfaces(5) file. When no
289	'id_str' is given for a network, wpa_action assumes it will use the 'default'
290	logical interface as fallback. The fallback interface can be chosen via the
291	'wpa-roam-default-iface' option.
292
293	So what does all this mean? Lets illustrate it with a small example taken from
294	the wpa_action(8) manpage.
295
296	wpa_supplicant.conf
297	===================
298	network={
299	ssid="foo"
300	# this id_str will notify /sbin/wpa_action to 'ifup uni'
301	id_str="uni"
302	key_mgmt=NONE
303	}
304
305	network={
306	ssid="bar"
307	# this id_str will notify /sbin/wpa_action to 'ifup home_static'
308	id_str="home_static"
309	psk=123456789...
310	}
311
312	network={
313	ssid=""
314	# no 'id_str' is given, /sbin/wpa_action will 'ifup default'
315	key_mgmt=NONE
316	}
317
318	/etc/network/interfaces
319	=======================
320	# the roaming interface MUST use the manual inet method
321	# 'allow-hotplug' or 'auto' ensures the daemon starts automatically
322	allow-hotplug eth1
323	iface eth1 inet manual
324	wpa-driver wext
325	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
326
327	# no id_str, 'default' is used as the fallback mapping target
328	iface default inet dhcp
329
330	# id_str="uni"
331	iface uni inet dhcp
332
333	# id_str="home_static"
334	iface home_static inet static
335	address 192.168.0.20
336	netmask 255.255.255.0
337	network 192.168.0.0
338	broadcast 192.168.0.255
339	gateway 192.168.0.1
340
341	A logical interface is brought up via ifup, and taken down via ifdown, as
342	wpa_supplicant associates and de-associates with the network associated
343	to it by the 'id_str' option used in the wpa_supplicant.conf configuration file.
344
345	A log of /sbin/wpa_action's actions is created at /var/log/wpa_action.log,
346	please attach the log when reporting problems.
347
348	Controlling the Roaming Daemon with wpa_action
349	==============================================
350
351	Once the roaming daemon is started, it assumes control of ifupdown. That is;
352	wpa_cli calls ifup when wpa_supplicant has successfully associated with an
353	access point, and calls ifdown when the connection is lost or terminated.
354	While the roaming daemon is active, ifupdown should not be controlled directly
355	by manually issued commands, rather /sbin/wpa_action is supplied to stop and
356	reload the roaming daemon. For example, to stop the
357	romaing daemon on the device 'eth1':
358
359	wpa_action eth1 stop
360
361	When it is required to update the roaming daemon with a new networks details,
362	it can be done without stopping it. Edit the wpa_supplicant.conf file that is
363	being used by the daemon with the new networks details, add optional network
364	settings to /etc/network/interfaces that are specific to the new network
365	(linked by the 'id_str') and then 'reload' the daemon like so:
366
367	wpa_action eth1 reload
368
369	For the complete technical details of what wpa_action can do, read the
370	wpa_action(8) manpage.
371
372	Fine Tuning the Roaming Setup
373	=============================
374
375	You may face situations where multiple known access points are in close
376	proximity. You can choose which one is preferred manually, with wpa_cli or
377	wpa_gui, or you can give each network its own priority. This is provided by the
378	'priority' option of wpa_supplicant.conf.
379
380	The Logfile
381	===========
382
383	All activity of the roaming dameon is logged to /var/log/wpa_action.log. The
384	following information is logged:
385
386	* time and date
387	* interface name and action event
388	* values of enviromental variables (WPA_ID, WPA_ID_STR, WPA_CTRL_DIR)
389	* ifupdown command executed
390	* wpa_cli status (based on WPA-PSK network, may display different info)
391	- bssid
392	- ssid
393	- id
394	- id_str
395	- pairwise_cipher
396	- group_cipher
397	- key_mgmt
398	- wpa_state
399	- ip_address
400
401	Using External Mapping Scripts (e.g. guessnet)
402	==============================================
403
404	In addition to the internal mapping of logical interfaces via 'id_str',
405	wpa_action can call external mapping scripts. A mapping script should return
406	the name of the logical interface which should be brought up. Any mapping
407	script that works from ifupdowns mapping mechanism (see man interfaces) should
408	also work when called from wpa_action.
409
410	To call a mapping script add a line 'wpa-mapping-script name-of-the-script' to
411	the interfaces stanza of the physical roaming device. (You may have to specify
412	the absolute path to the mapping script.)
413
414	The contents of lines starting with wpa-map are passed to stdin of the mapping
415	script. Since ifupdown allows only one wpa-map line you can append any number
416	to wpa-map for additional lines. For example:
417
418	iface wlan0 inet manual
419	wpa-driver wext
420	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
421	wpa-mapping-script guessnet-ifupdown
422	wpa-map0 home
423	wpa-map1 work
424	wpa-map2 school
425	# ... additional wpa-mapX lines as required
426
427
428	By default the mapping script will only be used when no 'id_str' is available
429	for the current network. If you want to completely disable 'id_str' matching
430	and use only an external mapping script, use the
431	'wpa-mapping-script-priority 1' option to override default behaviour.
432
433	If the mapping script returns an empty string wpa_action will fallback to using
434	the 'default' interface, unless an alternative is defined by the
435	'wpa-roam-default-iface' option.
436
437	Below is an advanced example, using guessnet-ifupdown as the external mapping
438	script.
439
440	/etc/network/interfaces with external mapping
441	=============================================
442
443	allow-hotplug wlan0
444	iface wlan0 inet manual
445	wpa-driver wext
446	wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
447	wpa-roam-default-iface default-wparoam
448	wpa-mapping-script guessnet-ifupdown
449	wpa-map default: default-guessnet
450	wpa-map0 home_static
451	wpa-map1 work_static
452
453	# school can only be chosen via 'id_str' matching
454	iface school inet dhcp
455	# resolvconf
456	dns-nameservers 11.22.33.44 55.66.77.88
457
458	iface home_static inet static
459	address 192.168.0.20
460	netmask 255.255.255.0
461	network 192.168.0.0
462	broadcast 192.168.0.255
463	gateway 192.168.0.1
464	test peer address 192.168.0.1 mac 00:01:02:03:04:05
465
466	iface work_static inet static
467	address 192.168.3.200
468	netmask 255.255.255.0
469	network 192.168.3.0
470	broadcast 192.168.3.255
471	gateway 192.168.3.1
472	test peer address 192.168.3.1 mac 00:01:02:03:04:05
473
474	iface default-guessnet inet dhcp
475
476	iface default-wparoam inet dhcp
477
478	In this example wpa_action will use guessnet for the selection of a suitable
479	logical interface only when no 'id_str' option has been provided for the
480	current network in the provided wpa_supplicant.conf.
481
482	The 'wpa-map' lines provide guessnet with the logical interfaces that are to be
483	tested as well as the default interface to be used when all tests fail. The
484	'test' lines of each logical interface are used by guessnet to determine if
485	we are actually connected to that network. For instance, guessnet will choose
486	the logical interface 'home_static' if there's a device with an IP address of
487	192.168.0.1 and MAC of 00:01:02:03:04:05 on the current network. If all tests
488	fail, the 'default-guessnet' interface will be configured.
489
490	Please, read the guessnet(8) manpage for more information.
491
492
493	4. Troubleshooting
494	==================
495
496	In order to debug connection, association and authentication problems,
497	we suggest starting `wpa_cli -i <interface>` in a different shell, before
498	starting the interface. Use the command 'level 0' first, to get all
499	debug messages. Then use `ifup --verbose <interface>` to get verbose debug
500	messages from the script starting wpasupplicant.
501
502	Hidden ssids
503	============
504
505	For reference, see #358137 [0]. In order to be able to associate to hidden
506	ssids, please try to set the option 'ap_scan=1' in the global section, and
507	'scan_ssid=1' in your network block section of your wpa_supplicant.conf file.
508	If you are using the managed mode, you can do so by these stanzas:
509
510	iface eth1 inet dhcp
511	wpa-ap-scan 1
512	wpa-scan-ssid 1
513	# ... additional options for your setup
514
515	According to #368770 [1], association can take a very long time under certain
516	circumstances. In some cases, setting the parameter 'ap_scan=2' in the
517	config file, (or using a 'wpa-ap-scan 2' stanza, which is equivalent) can
518	greatly help to speed up association. Please note that setting ap_scan to the
519	value of 2 also requires that all networks have a precisely defined security
520	policy for for key_mgmt, pairwise, group and proto network policy variables.
521
522	[0] http://bugs.debian.org/358137
523	[1] http://bugs.debian.org/368770
524
525
526	5. Security Considerations
527	==========================
528
529	Configuration File Permissions
530	==============================
531	It is important to keep PSK's and other sensitive information concerning your
532	network settings private, therefore ensure that important configuration files
533	containing such data are only readable by their owner. For example:
534
535	chmod 0600 /etc/network/interfaces
536	# substitute the path of your wpa_supplicant.conf file
537	chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf
538
539	By default, /etc/network/interfaces is world readable, and thus unsuitable for
540	containing secret keys and passwords.