wpa_supplicant.sgml

IEEE802.11 a/b/g 客户端应用程序源代码

<!doctype refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">

<refentry>
  <refmeta>
    <refentrytitle>wpa_supplicant</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>
  <refnamediv>
    <refname>wpa_supplicant</refname>
    <refpurpose>Wi-Fi Protected Access client and IEEE 802.1X supplicant</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>wpa_supplicant</command>
      <arg>-BddfhKLqqtuvW</arg>
      <arg>-i<replaceable>ifname</replaceable></arg>
      <arg>-c<replaceable>config file</replaceable></arg>
      <arg>-D<replaceable>driver</replaceable></arg>
      <arg>-P<replaceable>PID_file</replaceable></arg>
      <arg>-f<replaceable>output file</replaceable></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Overview</title>

    <para>
    Wireless networks do not require physical access to the network equipment
    in the same way as wired networks. This makes it easier for unauthorized
    users to passively monitor a network and capture all transmitted frames.
    In addition, unauthorized use of the network is much easier. In many cases,
    this can happen even without user's explicit knowledge since the wireless
    LAN adapter may have been configured to automatically join any available
    network.
    </para>

    <para>
    Link-layer encryption can be used to provide a layer of security for
    wireless networks. The original wireless LAN standard, IEEE 802.11,
    included a simple encryption mechanism, WEP. However, that proved to
    be flawed in many areas and network protected with WEP cannot be consider
    secure. IEEE 802.1X authentication and frequently changed dynamic WEP keys
    can be used to improve the network security, but even that has inherited
    security issues due to the use of WEP for encryption. Wi-Fi Protected
    Access and IEEE 802.11i amendment to the wireless LAN standard introduce
    a much improvement mechanism for securing wireless networks. IEEE 802.11i
    enabled networks that are using CCMP (encryption mechanism based on strong
    cryptographic algorithm AES) can finally be called secure used for
    applications which require efficient protection against unauthorized
    access.
    </para>

    <para><command>wpa_supplicant</command> is an implementation of
    the WPA Supplicant component, i.e., the part that runs in the
    client stations. It implements WPA key negotiation with a WPA
    Authenticator and EAP authentication with Authentication
    Server. In addition, it controls the roaming and IEEE 802.11
    authentication/association of the wireless LAN driver.</para>

    <para><command>wpa_supplicant</command> is designed to be a
    "daemon" program that runs in the background and acts as the
    backend component controlling the wireless
    connection. <command>wpa_supplicant</command> supports separate
    frontend programs and an example text-based frontend,
    <command>wpa_cli</command>, is included with
    wpa_supplicant.</para>

    <para>Before wpa_supplicant can do its work, the network interface
    must be available.  That means that the physical device must be
    present and enabled, and the driver for the device must have be
    loaded. The daemon will exit immediately if the device is not already
    available.</para>

    <para>After <command>wpa_supplicant</command> has configured the
    network device, higher level configuration such as DHCP may
    proceed.  There are a variety of ways to integrate wpa_supplicant
    into a machine's networking scripts, a few of which are described
    in sections below.</para>

    <para>The following steps are used when associating with an AP
    using WPA:</para>

    <itemizedlist>
      <listitem>
	<para><command>wpa_supplicant</command> requests the kernel
	driver to scan neighboring BSSes</para>
      </listitem>

      <listitem>
	<para><command>wpa_supplicant</command> selects a BSS based on
	its configuration</para>
      </listitem>

      <listitem>
	<para><command>wpa_supplicant</command> requests the kernel
        driver to associate with the chosen BSS</para>
      </listitem>

      <listitem>
	<para>If WPA-EAP: integrated IEEE 802.1X Supplicant
        completes EAP authentication with the
        authentication server (proxied by the Authenticator in the
        AP)</para>
      </listitem>

      <listitem>
	<para>If WPA-EAP: master key is received from the IEEE 802.1X
	Supplicant</para>
      </listitem>

      <listitem>
	<para>If WPA-PSK: <command>wpa_supplicant</command> uses PSK
	as the master session key</para>
      </listitem>

      <listitem>
	<para><command>wpa_supplicant</command> completes WPA 4-Way
        Handshake and Group Key Handshake with the Authenticator
        (AP)</para>
      </listitem>

      <listitem>
	<para><command>wpa_supplicant</command> configures encryption
	keys for unicast and broadcast</para>
      </listitem>

      <listitem>
	<para>normal data packets can be transmitted and received</para>
      </listitem>
    </itemizedlist>
  </refsect1>

  <refsect1>
    <title>Supported Features</title>
    <para>Supported WPA/IEEE 802.11i features:</para>
    <itemizedlist>
      <listitem>
	<para>WPA-PSK ("WPA-Personal")</para>
      </listitem>

      <listitem>
	<para>WPA with EAP (e.g., with RADIUS authentication server)
       ("WPA-Enterprise") Following authentication methods are
       supported with an integrate IEEE 802.1X Supplicant:</para>

	<itemizedlist>
	  <listitem>
	    <para>EAP-TLS</para>
	  </listitem>
	</itemizedlist>

	<itemizedlist>
	  <listitem>
	    <para>EAP-PEAP/MSCHAPv2 (both PEAPv0 and PEAPv1)</para>
	  </listitem>


	  <listitem>
	    <para>EAP-PEAP/TLS (both PEAPv0 and PEAPv1)</para>
	  </listitem>

	  <listitem>
	    <para>EAP-PEAP/GTC (both PEAPv0 and PEAPv1)</para>
	  </listitem>

	  <listitem>
	    <para>EAP-PEAP/OTP (both PEAPv0 and PEAPv1)</para>
	  </listitem>

	  <listitem>
	    <para>EAP-PEAP/MD5-Challenge (both PEAPv0 and PEAPv1)</para>
	  </listitem>

	  <listitem>
	    <para>EAP-TTLS/EAP-MD5-Challenge</para>
	  </listitem>

	  <listitem>
	    <para>EAP-TTLS/EAP-GTC</para>
	  </listitem>

          <listitem><para>EAP-TTLS/EAP-OTP</para></listitem>

          <listitem><para>EAP-TTLS/EAP-MSCHAPv2</para></listitem>

          <listitem><para>EAP-TTLS/EAP-TLS</para></listitem>

          <listitem><para>EAP-TTLS/MSCHAPv2</para></listitem>

          <listitem><para>EAP-TTLS/MSCHAP</para></listitem>

          <listitem><para>EAP-TTLS/PAP</para></listitem>

          <listitem><para>EAP-TTLS/CHAP</para></listitem>

          <listitem><para>EAP-SIM</para></listitem>

          <listitem><para>EAP-AKA</para></listitem>

          <listitem><para>EAP-PSK</para></listitem>

          <listitem><para>EAP-PAX</para></listitem>

          <listitem><para>LEAP (note: requires special support from
          the driver for IEEE 802.11 authentication)</para></listitem>

          <listitem><para>(following methods are supported, but since
          they do not generate keying material, they cannot be used
          with WPA or IEEE 802.1X WEP keying)</para></listitem>

          <listitem><para>EAP-MD5-Challenge </para></listitem>

          <listitem><para>EAP-MSCHAPv2</para></listitem>

          <listitem><para>EAP-GTC</para></listitem>

          <listitem><para>EAP-OTP</para></listitem>
	</itemizedlist>
      </listitem>

      <listitem>
	<para>key management for CCMP, TKIP, WEP104, WEP40</para>
      </listitem>

      <listitem>
	<para>RSN/WPA2 (IEEE 802.11i)</para>
	<itemizedlist>
	  <listitem>
	    <para>pre-authentication</para>
	  </listitem>

	  <listitem>
	    <para>PMKSA caching</para>
	  </listitem>
	</itemizedlist>
      </listitem>
    </itemizedlist>
  </refsect1>

  <refsect1>
    <title>Available Drivers</title>
    <para>A summary of available driver backends is below. Support for each
    of the driver backends is chosen at wpa_supplicant compile time. For a
    list of supported driver backends that may be used with the -D option on
    your system, refer to the help output of wpa_supplicant
    (<emphasis>wpa_supplicant -h</emphasis>).</para>

    <variablelist>
      <varlistentry>
	<term>hostap</term>
	<listitem>
	  <para>(default) Host AP driver (Intersil Prism2/2.5/3).
  	  (this can also be used with Linuxant DriverLoader).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>hermes</term>
	<listitem>
	  <para>Agere Systems Inc. driver (Hermes-I/Hermes-II).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>madwifi</term>
	<listitem>
	  <para>MADWIFI 802.11 support (Atheros, etc.).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>atmel</term>
	<listitem>
	  <para>ATMEL AT76C5XXx (USB, PCMCIA).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>wext</term>
	<listitem>
	  <para>Linux wireless extensions (generic).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>ndiswrapper</term>
	<listitem>
	  <para>Linux ndiswrapper.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>broadcom</term>
	<listitem>
	  <para>Broadcom wl.o driver.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>ipw</term>
	<listitem>
	  <para>Intel ipw2100/2200 driver.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>wired</term>
	<listitem>
	  <para>wpa_supplicant wired Ethernet driver</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>bsd</term>
	<listitem>
	  <para>BSD 802.11 support (Atheros, etc.).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>ndis</term>
	<listitem>
	  <para>Windows NDIS driver.</para>
	</listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Command Line Options</title>
    <para>Most command line options have global scope. Some are given per
    interface, and are only valid if at least one <option>-i</option> option
    is specified, otherwise they're ignored. Option groups for different
    interfaces must be separated by <option>-N</option> option.</para>
    <variablelist>
      <varlistentry>
	<term>-b br_ifname</term>
	<listitem>
	  <para>Optional bridge interface name. (Per interface)</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-B</term>
	<listitem>
	  <para>Run daemon in the background.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-c filename</term>
	<listitem>
	  <para>Path to configuration file. (Per interface)</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-C ctrl_interface</term>
	<listitem>
	  <para>Path to ctrl_interface socket (Per interface. Only used if
		  <option>-c</option> is not).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-i ifname</term>
	<listitem>
	  <para>Interface to listen on. Multiple instances of this option can
	  be present, one per interface, separated by <option>-N</option>
	  option (see below).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-d</term>
	<listitem>
	  <para>Increase debugging verbosity (<option>-dd</option> even
		  more).</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-D driver</term>
	<listitem>
	  <para>Driver to use. (Per interface, see the available options
		  below.)</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-f output file</term>
	<listitem>
	  <para>Log output to specified file instead of stdout.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-g global ctrl_interface</term>
	<listitem>
	  <para>Path to global ctrl_interface socket. If specified, interface
	  definitions may be omitted.</para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-K</term>
	<listitem>