| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> |
| <html> |
| <head> |
| <title>Linux WPA Supplicant (IEEE 802.1X, WPA, WPA2, RSN, IEEE 802.11i)</title> |
| <meta name="description" content="WPA Supplicant for Linux, BSD, and Windows (IEEE 802.1X, WPA, WPA2, RSN, IEEE 802.11i)"> |
| <meta name="keywords" content="WPA, WPA2, IEEE 802.11i, IEEE 802.1X, WPA Supplicant, wpa_supplicant, TKIP, CCMP, EAP-PEAP, EAP-TLS, EAP-TTLS, EAP-SIM, EAP-AKA, EAP-PSK, EAP-GTC, EAP-MSCHAPv2, EAP-MD5, EAP-FAST, EAP-PAX, EAP-IKEv2IEEE 802.1X Supplicant, IEEE 802.1aa, EAPOL, RSN, pre-authentication, PMKSA caching, BSD WPA Supplicant, FreeBSD WPA Supplicant, wireless, WinXP WPA Supplicant, EAP-TNC, TNCC, IF-IMC, IF-TNCCS, WPS"> |
| <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> |
| </head> |
| |
| <body> |
| <h2>Linux WPA/WPA2/IEEE 802.1X Supplicant</h2> |
| |
| <p>wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and |
| Windows with |
| support for WPA and WPA2 (IEEE 802.11i / RSN). It is suitable for both |
| desktop/laptop computers and embedded systems. Supplicant is the IEEE |
| 802.1X/WPA component that is used in the client stations. It |
| implements key negotiation with a WPA Authenticator and it controls |
| the roaming and IEEE 802.11 authentication/association of the wlan |
| driver.</p> |
| |
| <p>wpa_supplicant is designed to be a "daemon" program that runs in the |
| background and acts as the backend component controlling the wireless |
| connection. wpa_supplicant supports separate frontend programs and a |
| text-based frontend (wpa_cli) and a GUI (wpa_gui) are included with |
| wpa_supplicant.</p> |
| |
| <p>wpa_supplicant uses a flexible build configuration that can be used |
| to select which features are included. This allows minimal code size |
| (from ca. 50 kB binary for WPA/WPA2-Personal and 130 kB binary for |
| WPA/WPA2-Enterprise without debugging code to 450 kB with most |
| features and full debugging support; these example sizes are from a |
| build for x86 target).</p> |
| |
| |
| <h4>Supported WPA/IEEE 802.11i features</h4> |
| |
| <ul> |
| <li>WPA-PSK ("WPA-Personal")</li> |
| <li>WPA with EAP (e.g., with RADIUS authentication server) ("WPA-Enterprise")</li> |
| <li>key management for CCMP, TKIP, WEP104, WEP40</li> |
| <li>WPA and full IEEE 802.11i/RSN/WPA2</li> |
| <li>RSN: PMKSA caching, pre-authentication</li> |
| <li>IEEE 802.11r</li> |
| <li>IEEE 802.11w</li> |
| <li>Wi-Fi Protected Setup (WPS)</li> |
| </ul> |
| |
| <h4>Supported EAP methods (IEEE 802.1X Supplicant)</h4> |
| |
| <ul> |
| <li>EAP-TLS</li> |
| <li>EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)</li> |
| <li>EAP-PEAP/TLS (both PEAPv0 and PEAPv1)</li> |
| <li>EAP-PEAP/GTC (both PEAPv0 and PEAPv1)</li> |
| <li>EAP-PEAP/OTP (both PEAPv0 and PEAPv1)</li> |
| <li>EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)</li> |
| <li>EAP-TTLS/EAP-MD5-Challenge</li> |
| <li>EAP-TTLS/EAP-GTC</li> |
| <li>EAP-TTLS/EAP-OTP</li> |
| <li>EAP-TTLS/EAP-MSCHAPv2</li> |
| <li>EAP-TTLS/EAP-TLS</li> |
| <li>EAP-TTLS/MSCHAPv2</li> |
| <li>EAP-TTLS/MSCHAP</li> |
| <li>EAP-TTLS/PAP</li> |
| <li>EAP-TTLS/CHAP</li> |
| <li>EAP-SIM</li> |
| <li>EAP-AKA</li> |
| <li>EAP-AKA'</li> |
| <li>EAP-PSK</li> |
| <li>EAP-FAST</li> |
| <li>EAP-PAX</li> |
| <li>EAP-SAKE</li> |
| <li>EAP-IKEv2</li> |
| <li>EAP-GPSK</li> |
| <li>LEAP (note: requires special support from the driver)</li> |
| </ul> |
| |
| <p>Following methods are also supported, but since they do not generate keying |
| material, they cannot be used with WPA or IEEE 802.1X WEP keying.</p> |
| |
| <ul> |
| <li>EAP-MD5-Challenge</li> |
| <li>EAP-MSCHAPv2</li> |
| <li>EAP-GTC</li> |
| <li>EAP-OTP</li> |
| <li>EAP-TNC (Trusted Network Connect; TNCC, IF-IMC, IF-T, IF-TNCCS)</li> |
| </ul> |
| |
| <p>More information about EAP methods and interoperability testing is |
| available in <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/eap_testing.txt">eap_testing.txt</a>.</p> |
| |
| |
| <h4>Supported TLS/crypto libraries</h4> |
| |
| <ul> |
| <li>OpenSSL (default)</li> |
| <li>GnuTLS</li> |
| </ul> |
| |
| <h4>Internal TLS/crypto implementation (optional)</h4> |
| |
| <ul> |
| <li>can be used in place of an external TLS/crypto library</li> |
| <li>TLSv1</li> |
| <li>X.509 certificate processing</li> |
| <li>PKCS #1</li> |
| <li>ASN.1</li> |
| <li>RSA</li> |
| <li>bignum</li> |
| <li>minimal size (ca. 50 kB binary, parts of which are already needed for WPA; |
| TLSv1/X.509/ASN.1/RSA/bignum parts are about 25 kB on x86)</li> |
| </ul> |
| |
| <h4>Supported wireless cards/drivers</h4> |
| |
| <ul> |
| <li>Linux drivers that support nl80211/cfg80211 (most new drivers)</li> |
| <li>Linux drivers that support Linux Wireless Extensions v19 or newer with |
| WPA/WPA2 extensions</li> |
| <li><a href="http://hostap.epitest.fi/">Host AP driver for Prism2/2.5/3</a> (WPA and WPA2)</li> |
| <li><a href="http://www.linuxant.com/driverloader/">Linuxant DriverLoader</a> with Windows NDIS driver supporting WPA/WPA2</li> |
| <li><a href="http://www.agere.com/support/drivers/">Agere Systems Inc. Linux Driver</a> (Hermes-I/Hermes-II chipset) (WPA, but not WPA2)</li> |
| <li><a href="http://sourceforge.net/projects/madwifi/">madwifi (Atheros ar521x)</a></li> |
| <li><a href="http://atmelwlandriver.sourceforge.net/">ATMEL AT76C5XXx</a></li> |
| <li><a href="http://ndiswrapper.sourceforge.net/">Linux ndiswrapper</a></li> |
| <li>Broadcom wl.o driver</li> |
| <li><a href="http://sourceforge.net/projects/ipw2100/">Intel ipw2100</a></li> |
| <li><a href="http://sourceforge.net/projects/ipw2200/">Intel ipw2200</a></li> |
| <li>Wired Ethernet drivers</li> |
| <li>BSD net80211 layer (e.g., Atheros driver) (FreeBSD 6-CURRENT and NetBSD current)</li> |
| <li>Windows NDIS drivers (Windows; at least XP and 2000, others not tested)</li> |
| </ul> |
| |
| <p>wpa_supplicant was designed to be portable for different drivers and |
| operating systems. Hopefully, support for more wlan cards and OSes will be |
| added in the future. See <a href="devel/">developers' documentation</a> |
| for more information about the design of wpa_supplicant and porting to |
| other drivers.</p> |
| |
| <h3><a name="download">Download</a></h3> |
| |
| <p> |
| <b>wpa_supplicant</b><br> |
| Copyright (c) 2003-2009, Jouni Malinen <j@w1.fi> |
| and contributors. |
| </p> |
| |
| <p> |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License version 2 as |
| published by the Free Software Foundation. See |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=COPYING">COPYING</a> |
| for more details. |
| </p> |
| |
| <p>Alternatively, this software may be distributed, used, and modified |
| under the terms of BSD license. See <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/README">README</a> |
| for more details.</p> |
| |
| <p> |
| <b>Please see |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/README">README</a> |
| for the current documentation.</b><br> |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/README-Windows.txt">README-Windows.txt</a> |
| has some more information about the Windows port of wpa_supplicant.</p> |
| |
| |
| <ul> |
| <li><a href="../releases.html">Release graph</a></li> |
| <li>Latest stable release: |
| <ul> |
| <li><a href="../releases/wpa_supplicant-0.6.9.tar.gz">wpa_supplicant-0.6.9.tar.gz</a> (source code for all versions)</li> |
| <li><a href="../releases/wpa_supplicant-0.6.9.exe">wpa_supplicant-0.6.9.exe</a> (binary installer for Windows)</li> |
| <li><a href="../releases/wpa_supplicant-windows-bin-0.6.9.zip">wpa_supplicant-windows-bin-0.6.9.zip</a> (binaries for Windows)</li> |
| <li><a href="qt4/wpa_gui-qt433-windows-dll.zip">wpa_gui-qt433-windows-dll.zip</a> (Qt4 libraries from wpa_gui/Windows)</li> |
| </ul> |
| <li>Latest development release: |
| <ul> |
| <li><a href="../releases/wpa_supplicant-0.7.0.tar.gz">wpa_supplicant-0.7.0.tar.gz</a> (source code for all versions)</li> |
| <li><a href="../releases/wpa_supplicant-0.7.0.exe">wpa_supplicant-0.7.0.exe</a> (binary installer for Windows)</li> |
| <li><a href="../releases/wpa_supplicant-windows-bin-0.7.0.zip">wpa_supplicant-windows-bin-0.7.0.zip</a> (binaries for Windows)</li> |
| </ul> |
| <li>ChangeLog: |
| <ul> |
| <li><a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/ChangeLog">development branch</a></li> |
| <li><a href="/gitweb/gitweb.cgi?p=hostap-06.git;a=blob_plain;f=wpa_supplicant/ChangeLog">stable branch</a></li> |
| </ul> |
| <li><a href="../releases/">Old releases</a></li> |
| <li><a href="http://lists.shmoo.com/mailman/listinfo/hostap">Mailing list</a></li> |
| <li><a href="http://lists.shmoo.com/pipermail/hostap/">New mailing list archives</a></li> |
| <li><a href="/gitweb/gitweb.cgi">Web interface to GIT repository (0.6.x and newer)</a></li> |
| <li><a href="/cgi-bin/viewcvs.cgi/hostap/">Web interface to CVS repository (0.5.x and older)</a></li> |
| <li><a href="../releases/snapshots/">Snapshot releases from all active branches</a> |
| <li><a href="../cvs.html">GIT and read-only anonymous CVS access (pserver)</a></li> |
| <li><a href="../bugz/">Bug and feature request tracking</a></li> |
| <li><a href="devel/">Developers' documentation for wpa_supplicant 0.6.x</a></li> |
| <li><a href="wpa_gui.html">wpa_gui screenshots</a></li> |
| </ul> |
| |
| <h3>WPA</h3> |
| |
| <p>The original security mechanism of IEEE 802.11 standard was not |
| designed to be strong and has proven to be insufficient for most |
| networks that require some kind of security. Task group I (Security) |
| of <a href="http://www.ieee802.org/11/">IEEE 802.11 working group</a> |
| has worked to address the flaws of the base standard and in |
| practice completed its work in May 2004. The IEEE 802.11i amendment to |
| the IEEE 802.11 standard was approved in June 2004 and published in |
| July 2004.</p> |
| |
| <p><a href="http://www.wi-fi.org/">Wi-Fi Alliance</a> used a draft |
| version of the IEEE 802.11i work (draft 3.0) to define a subset of the |
| security enhancements that can be implemented with existing wlan |
| hardware. This is called Wi-Fi Protected Access (WPA). This has |
| now become a mandatory component of interoperability testing and |
| certification done by Wi-Fi Alliance. Wi-Fi has |
| <a href="http://www.wi-fi.org/OpenSection/protected_access.asp">information |
| about WPA</a> at its web site.</p> |
| |
| <p>IEEE 802.11 standard defined wired equivalent privacy (WEP) algorithm |
| for protecting wireless networks. WEP uses RC4 with 40-bit keys, |
| 24-bit initialization vector (IV), and CRC32 to protect against packet |
| forgery. All these choices have proven to be insufficient: key space is |
| too small against current attacks, RC4 key scheduling is insufficient |
| (beginning of the pseudorandom stream should be skipped), IV space is |
| too small and IV reuse makes attacks easier, there is no replay |
| protection, and non-keyed authentication does not protect against bit |
| flipping packet data.</p> |
| |
| <p>WPA is an intermediate solution for the security issues. It uses |
| Temporal Key Integrity Protocol (TKIP) to replace WEP. TKIP is a |
| compromise on strong security and possibility to use existing |
| hardware. It still uses RC4 for the encryption like WEP, but with |
| per-packet RC4 keys. In addition, it implements replay protection, |
| keyed packet authentication mechanism (Michael MIC).</p> |
| |
| <p>Keys can be managed using two different mechanisms. WPA can either use |
| an external authentication server (e.g., RADIUS) and EAP just like |
| IEEE 802.1X is using or pre-shared keys without need for additional |
| servers. Wi-Fi calls these "WPA-Enterprise" and "WPA-Personal", |
| respectively. Both mechanisms will generate a master session key for |
| the Authenticator (AP) and Supplicant (client station).</p> |
| |
| <p>WPA implements a new key handshake (4-Way Handshake and Group Key |
| Handshake) for generating and exchanging data encryption keys between |
| the Authenticator and Supplicant. This handshake is also used to |
| verify that both Authenticator and Supplicant know the master session |
| key. These handshakes are identical regardless of the selected key |
| management mechanism (only the method for generating master session |
| key changes).</p> |
| |
| |
| <h3>IEEE 802.11i / RSN / WPA2</h3> |
| |
| <p>The design for parts of IEEE 802.11i that were not included in WPA |
| has finished (May 2004) and this amendment to IEEE 802.11 was approved |
| in June 2004. Wi-Fi Alliance is using the final IEEE 802.11i as a new |
| version of WPA called WPA2. This included, e.g., support for more |
| robust encryption algorithm (CCMP: AES in Counter mode with CBC-MAC) |
| to replace TKIP, optimizations for handoff (reduced number of messages |
| in initial key handshake, pre-authentication, and PMKSA caching).</p> |
| |
| <h3>Using wpa_supplicant</h3> |
| |
| <p>Following steps are used when associating with an AP using WPA:<p> |
| <ul> |
| <li>wpa_supplicant requests the kernel driver to scan neighboring BSSes</li> |
| <li>wpa_supplicant selects a BSS based on its configuration</li> |
| <li>wpa_supplicant requests the kernel driver to associate with the chosen |
| BSS</li> |
| <li>if WPA-EAP: integrated IEEE 802.1X Supplicant completes EAP |
| authentication with the authentication server (proxied by the |
| Authenticator in the AP)</li> |
| <li>If WPA-EAP: master key is received from the IEEE 802.1X Supplicant</li> |
| <li>If WPA-PSK: wpa_supplicant uses PSK as the master session key</li> |
| <li>wpa_supplicant completes WPA 4-Way Handshake and Group Key Handshake |
| with the Authenticator (AP). WPA2 has integrated the initial Group Key |
| Handshake into the 4-Way Handshake.</li> |
| <li>wpa_supplicant configures encryption keys for unicast and broadcast</li> |
| <li>normal data packets can be transmitted and received</li> |
| </ul> |
| |
| <h4>Configuration file</h4> |
| |
| <p>wpa_supplicant is configured using a text file that lists all accepted |
| networks and security policies, including pre-shared keys. See |
| example configuration file, |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/wpa_supplicant.conf">wpa_supplicant.conf</a>, |
| for detailed information about the configuration format and supported |
| fields. In addition, simpler example configurations are available for |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/plaintext.conf">plaintext</a>, |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/wep.conf">static WEP</a>, |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/ieee8021x.conf">IEEE 802.1X with dynamic WEP (EAP-PEAP/MSCHAPv2)</a>, |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/wpa-psk-tkip.conf">WPA-PSK/TKIP</a>, and |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/wpa2-eap-ccmp.conf">WPA2-EAP/CCMP (EAP-TLS)</a>. |
| In addition, wpa_supplicant can use OpenSSL engine to avoid need for |
| exposing private keys in the file system. This can be used for EAP-TLS |
| authentication with smartcards and TPM tokens. |
| <a href="/gitweb/gitweb.cgi?p=hostap.git;a=blob_plain;f=wpa_supplicant/examples/openCryptoki.conf">Example configuration for using openCryptoki</a> |
| shows an example network block and related parameters for EAP-TLS |
| authentication using PKCS#11 TPM token. |
| </p> |
| |
| <h3>Feedback, comments, mailing list</h3> |
| |
| <p> |
| Any comments, reports on success/failure, ideas for further |
| improvement, feature requests, etc. are welcome at j@w1.fi. |
| Please note, that I often receive more email than I have time to answer. |
| Unfortunately, some messages may not get a reply, but I'll try to go |
| through my mail whenever time permits. |
| </p> |
| |
| <p>Host AP mailing list can also be used for topics related to |
| wpa_supplicant. Since this list has a broader audience, your likelyhood |
| of getting responses is higher. This list is recommended for general |
| questions about wpa_supplicant and its development. In addition, I |
| will send release notes to it whenever a new version is available. |
| </p> |
| |
| <p> |
| The mailing list information and web archive is at <a |
| href="http://lists.shmoo.com/mailman/listinfo/hostap">http://lists.shmoo.com/mailman/listinfo/hostap</a>. |
| Messages to hostap@shmoo.com will be delivered to the |
| subscribers. Please note, that due to large number of spam and virus |
| messages sent to the list address, the list is configured to accept |
| messages only from subscribed addresses. Messages from unsubscribed addresses |
| may be accepted manually, but their delivery will be delayed. |
| </p> |
| |
| <p> |
| If you want to make sure your bug report of feature request does not |
| get lost, please report it through the bug tracking system as |
| <a href="../bugz/enter_bug.cgi">a new |
| bug/feature request</a>. |
| </p> |
| |
| <hr> |
| <div> |
| <address><a href="mailto:j@w1.fi">Jouni Malinen</a></address> |
| <!-- Created: Sat May 22 21:41:58 PDT 2004 --> |
| <!-- hhmts start --> |
| Last modified: Sat Nov 21 22:47:39 EET 2009 |
| <!-- hhmts end --> |
| </div> |
| </body> |
| </html> |