diff --git a/usr.sbin/wpa/hostapd/hostapd.conf.5 b/usr.sbin/wpa/hostapd/hostapd.conf.5 index 10be35652a5a..f2697844b4b4 100644 --- a/usr.sbin/wpa/hostapd/hostapd.conf.5 +++ b/usr.sbin/wpa/hostapd/hostapd.conf.5 @@ -1,5 +1,6 @@ -.\" $NetBSD: hostapd.conf.5,v 1.1 2006/04/12 15:37:07 rpaulo Exp $ +.\" $NetBSD: hostapd.conf.5,v 1.2 2006/08/04 20:32:47 rpaulo Exp $ .\" +.\" Copyright (c) 2006 Rui Paulo .\" Copyright (c) 2005 Sam Leffler .\" All rights reserved. .\" @@ -24,9 +25,10 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" +.\" Based on: .\" $FreeBSD: src/usr.sbin/wpa/hostapd/hostapd.conf.5,v 1.2 2005/06/27 06:40:43 ru Exp $ .\" -.Dd June 16, 2005 +.Dd August 4, 2006 .Dt HOSTAPD.CONF 5 .Os .Sh NAME 
@@ -35,10 +37,162 @@ .Xr hostapd 8 utility .Sh DESCRIPTION -This is a placeholder for a real manual page. +The +.Nm +utility +is an authenticator for IEEE 802.11 networks. +It provides full support for WPA/IEEE 802.11i and +can also act as an IEEE 802.1X Authenticator with a suitable +backend Authentication Server (typically +.Tn FreeRADIUS ). +.Pp +The configuration file consists of global parameters and domain +specific configuration: +.Bl -bullet -offset indent -compact +.It +IEEE 802.1X-2004 +.\" XXX not yet +.\" .It +.\" Integrated EAP server +.\" .It +.\" IEEE 802.11f - Inter-Access Point Protocol (IAPP) +.It +RADIUS client +.It +RADIUS authentication server +.It +WPA/IEEE 802.11i +.El +.Sh GLOBAL PARAMETERS +The following parameters are recognized: +.Bl -tag -width indent +.It Va interface +Interface name. +Should be set in +.Dq hostap +mode. +.It Va debug +Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 = +excessive. +.It Va dump_file +Dump file for state information (on SIGUSR1). +.It Va ctrl_interface +The pathname of the directory in which +.Xr hostapd 8 +creates +.Ux +domain socket files for communication +with frontend programs such as +.Xr hostapd_cli 8 . +.It Va ctrl_interface_group +A group name or group ID to use in setting protection on the +control interface file. +This can be set to allow non-root users to access the +control interface files. +If no group is specified, the group ID of the control interface +is not modified and will, typically, be the +group ID of the directory in which the socket is created. +.El +.Sh IEEE 802.1X-2004 PARAMETERS +The following parameters are recognized: +.Bl -tag -width indent +.It Va ieee8021x +Require IEEE 802.1X authorization. +.It Va eap_message +Optional displayable message sent with EAP Request-Identity. +.It Va wep_key_len_broadcast +Key lengths for broadcast keys. +.It Va wep_key_len_unicast +Key lengths for unicast keys. +.It Va wep_rekey_period +Rekeying period in seconds. 
+.It Va eapol_key_index_workaround +EAPOL-Key index workaround (set bit7) for WinXP Supplicant. +.It Va eap_reauth_period +EAP reauthentication period in seconds. To disable reauthentication, +use +.Dq 0 . +.\" XXX not yet +.\" .It Va use_pae_group_addr +.El +.\" XXX not yet +.\" .Sh IEEE 802.11f - IAPP PARAMETERS +.\" The following parameters are recognized: +.\" .Bl -tag -width indent +.\" .It Va iapp_interface +.\" Interface to be used for IAPP broadcast packets +.\" .El +.Sh RADIUS CLIENT PARAMETERS +The following parameters are recognized: +.Bl -tag -width indent +.It Va own_ip_addr +The own IP address of the access point (used as NAS-IP-Address). +.It Va nas_identifier +Optional NAS-Identifier string for RADIUS messages. +.It Va auth_server_addr, auth_server_port, auth_server_shared_secret +RADIUS authentication server parameters. +Can be defined twice for secondary servers to be used if primary one +does not reply to RADIUS packets. +.It Va acct_server_addr, acct_server_port, acct_server_shared_secret +RADIUS accounting server parameters. +Can be defined twice for secondary servers to be used if primary one +does not reply to RADIUS packets. +.It Va radius_retry_primary_interval +Retry interval for trying to return to the primary RADIUS server (in +seconds). +.It Va radius_acct_interim_interval +Interim accounting update interval. +If this is set (larger than 0) and acct_server is configured, +.Xr hostapd 8 +will send interim accounting updates every N seconds. +.El +.Sh RADIUS AUTHENTICATION SERVER PARAMETERS +The following parameters are recognized: +.Bl -tag -width indent +.It Va radius_server_clients +File name of the RADIUS clients configuration for the RADIUS server. +If this is commented out, RADIUS server is disabled. +.It Va radius_server_auth_port +The UDP port number for the RADIUS authentication server. +.It Va radius_server_ipv6 +Use IPv6 with RADIUS server. 
+.El +.Sh WPA/IEEE 802.11i PARAMETERS +The following parameters are recognized: +.Bl -tag -width indent +.It Va wpa +Enable WPA. +Setting this variable configures the AP to require WPA (either +WPA-PSK or WPA-RADIUS/EAP based on other configuration). +.It Va wpa_psk, wpa_passphrase +WPA pre-shared keys for WPA-PSK. +This can be either entered as a 256-bit secret in hex format (64 hex +digits), wpa_psk, or as an ASCII passphrase (8..63 characters) that +will be converted to PSK. +This conversion uses SSID so the PSK changes when ASCII passphrase is +used and the SSID is changed. +.It Va wpa_psk_file +Optionally, WPA PSKs can be read from a separate text file (containing +list of (PSK,MAC address) pairs. +.It Va wpa_key_mgmt +Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). +.It Va wpa_pairwise +Set of accepted cipher suites (encryption algorithms) for pairwise keys +(unicast packets). See the example file for more information. +.It Va wpa_group_rekey +Time interval for rekeying GTK (broadcast/multicast encryption keys) in +seconds. +.It Va wpa_strict_rekey +Rekey GTK when any STA that possesses the current GTK is leaving the +BSS. +.It Va wpa_gmk_rekey +Time interval for rekeying GMK (master key used internally to generate GTKs +(in seconds). +.El .Sh SEE ALSO .Xr hostapd 8 , -.Xr hostapd_cli 8 +.Xr hostapd_cli 8 , +.Pa /usr/share/examples/hostapd/hostapd.conf .Sh HISTORY The .Nm
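Review bot: In the DESCRIPTION text of the last hunk, "The .Nm utility is an authenticator for IEEE 802.11 networks." uses .Nm, which on this page (.Dt HOSTAPD.CONF 5) expands to the configuration file's name, so the rendered sentence calls hostapd.conf a utility; use ".Xr hostapd 8" there, as the NAME context line just above it already does. Two of the added entries have unbalanced parentheses: wpa_psk_file reads "(containing list of (PSK,MAC address) pairs." and wpa_gmk_rekey reads "(master key used internally to generate GTKs (in seconds)."; in both the outer parenthesis is never closed. The wep_key_len_broadcast and wep_key_len_unicast entries give no unit or accepted values for the key length, unlike wep_rekey_period, which states seconds. Because the file documented here carries auth_server_shared_secret, acct_server_shared_secret, wpa_psk and wpa_passphrase, and ctrl_interface_group is described as a way to let non-root users reach the control interface, the page should say what ownership and mode are expected for the configuration file and for wpa_psk_file. Style: "See the example file for more information." under wpa_pairwise and "To disable reauthentication," under eap_reauth_period start mid-line; mdoc source puts each new sentence on its own line, as the rest of the hunk does.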