Created
July 9, 2020 01:36
-
-
Save s0lst1c3/7c2ec461fc04c7af4ae9edd5b1554095 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Source: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf | |
| ##### IEEE 802.1X-2004 related configuration ################################## | |
| # Require IEEE 802.1X authorization | |
| #ieee8021x=1 | |
| # IEEE 802.1X/EAPOL version | |
| # hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL | |
| # version 2. However, there are many client implementations that do not handle | |
| # the new version number correctly (they seem to drop the frames completely). | |
| # In order to make hostapd interoperate with these clients, the version number | |
| # can be set to the older version (1) with this configuration value. | |
| # Note: When using MACsec, eapol_version shall be set to 3, which is | |
| # defined in IEEE Std 802.1X-2010. | |
| #eapol_version=2 | |
| # Optional displayable message sent with EAP Request-Identity. The first \0 | |
| # in this string will be converted to ASCII-0 (nul). This can be used to | |
| # separate network info (comma separated list of attribute=value pairs); see, | |
| # e.g., RFC 4284. | |
| #eap_message=hello | |
| #eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com | |
| # WEP rekeying (disabled if key lengths are not set or are set to 0) | |
| # Key lengths for default/broadcast and individual/unicast keys: | |
| # 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) | |
| # 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) | |
| #wep_key_len_broadcast=5 | |
| #wep_key_len_unicast=5 | |
| # Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) | |
| #wep_rekey_period=300 | |
| # EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if | |
| # only broadcast keys are used) | |
| eapol_key_index_workaround=0 | |
| # EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable | |
| # reauthentication). | |
| # Note: Reauthentications may enforce a disconnection, check the related | |
| # parameter wpa_deny_ptk0_rekey for details. | |
| #eap_reauth_period=3600 | |
| # Use PAE group address (01:80:c2:00:00:03) instead of individual target | |
| # address when sending EAPOL frames with driver=wired. This is the most common | |
| # mechanism used in wired authentication, but it also requires that the port | |
| # is only used by one station. | |
| #use_pae_group_addr=1 | |
| # EAP Re-authentication Protocol (ERP) authenticator (RFC 6696) | |
| # | |
| # Whether to initiate EAP authentication with EAP-Initiate/Re-auth-Start before | |
| # EAP-Identity/Request | |
| #erp_send_reauth_start=1 | |
| # | |
| # Domain name for EAP-Initiate/Re-auth-Start. Omitted from the message if not | |
| # set (no local ER server). This is also used by the integrated EAP server if | |
| # ERP is enabled (eap_server_erp=1). | |
| #erp_domain=example.com | |
| ##### MACsec ################################################################## | |
| # macsec_policy: IEEE 802.1X/MACsec options | |
| # This determines how sessions are secured with MACsec (only for MACsec | |
| # drivers). | |
| # 0: MACsec not in use (default) | |
| # 1: MACsec enabled - Should secure, accept key server's advice to | |
| # determine whether to use a secure session or not. | |
| # | |
| # macsec_integ_only: IEEE 802.1X/MACsec transmit mode | |
| # This setting applies only when MACsec is in use, i.e., | |
| # - macsec_policy is enabled | |
| # - the key server has decided to enable MACsec | |
| # 0: Encrypt traffic (default) | |
| # 1: Integrity only | |
| # | |
| # macsec_replay_protect: IEEE 802.1X/MACsec replay protection | |
| # This setting applies only when MACsec is in use, i.e., | |
| # - macsec_policy is enabled | |
| # - the key server has decided to enable MACsec | |
| # 0: Replay protection disabled (default) | |
| # 1: Replay protection enabled | |
| # | |
| # macsec_replay_window: IEEE 802.1X/MACsec replay protection window | |
| # This determines a window in which replay is tolerated, to allow receipt | |
| # of frames that have been misordered by the network. | |
| # This setting applies only when MACsec replay protection active, i.e., | |
| # - macsec_replay_protect is enabled | |
| # - the key server has decided to enable MACsec | |
| # 0: No replay window, strict check (default) | |
| # 1..2^32-1: number of packets that could be misordered | |
| # | |
| # macsec_port: IEEE 802.1X/MACsec port | |
| # Port component of the SCI | |
| # Range: 1-65534 (default: 1) | |
| # | |
| # mka_priority (Priority of MKA Actor) | |
| # Range: 0..255 (default: 255) | |
| # | |
| # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode | |
| # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair. | |
| # In this mode, instances of hostapd can act as MACsec peers. The peer | |
| # with lower priority will become the key server and start distributing SAKs. | |
| # mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit) | |
| # hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits) | |
| # mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string | |
| # (2..64 hex-digits) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment