wpa_supplicant is a WPA Supplicant for Linux, BSD, Mac OS X, and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop/laptop computers and embedded systems. Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wlan driver.
wpa_supplicant is designed to be a "daemon" program that runs in the background and acts as the backend component controlling the wireless connection. wpa_supplicant supports separate frontend programs and a text-based frontend (wpa_cli) and a GUI (wpa_gui) are included with wpa_supplicant.
wpa_supplicant uses a flexible build configuration that can be used to select which features are included. This allows minimal code size (from ca. 50 kB binary for WPA/WPA2-Personal and 130 kB binary for WPA/WPA2-Enterprise without debugging code to 450 kB with most features and full debugging support; these example sizes are from a build for x86 target).
wpa_supplicant was designed to be portable for different drivers and operating systems. Hopefully, support for more wlan cards and OSes will be added in the future. See developers' documentation for more information about the design of wpa_supplicant and porting to other drivers.
Following steps are used when associating with an AP using WPA:
- wpa_supplicant requests the kernel driver to scan neighboring BSSes
- wpa_supplicant selects a BSS based on its configuration
- wpa_supplicant requests the kernel driver to associate with the chosen BSS
- If WPA-EAP: integrated IEEE 802.1X Supplicant completes EAP authentication with the authentication server (proxied by the Authenticator in the AP)
- If WPA-EAP: master key is received from the IEEE 802.1X Supplicant
- If WPA-PSK: wpa_supplicant uses PSK as the master session key
- wpa_supplicant completes WPA 4-Way Handshake and Group Key Handshake with the Authenticator (AP). WPA2 has integrated the initial Group Key Handshake into the 4-Way Handshake.
- wpa_supplicant configures encryption keys for unicast and broadcast
- normal data packets can be transmitted and received
Configuration file
wpa_supplicant is configured using a text file that lists all accepted networks and security policies, including pre-shared keys. See example configuration file, wpa_supplicant.conf, for detailed information about the configuration format and supported fields. In addition, simpler example configurations are available for plaintext, static WEP, IEEE 802.1X with dynamic WEP (EAP-PEAP/MSCHAPv2), WPA-PSK/TKIP, and WPA2-EAP/CCMP (EAP-TLS).
In addition, wpa_supplicant can use OpenSSL engine to avoid need for exposing private keys in the file system. This can be used for EAP-TLS authentication with smartcards and TPM tokens. Example configuration for using openCryptoki shows an example network block and related parameters for EAP-TLS authentication using PKCS#11 TPM token.
Host AP mailing list can also be used for topics related to wpa_supplicant. Since this list has a broader audience, your likelihood of getting responses is higher. This list is recommended for general questions about wpa_supplicant and its development. In addition, I will send release notes to it whenever a new version is available.
wpa_supplicant is a cross-platform supplicant with support for WPA, WPA2 and WPA3 (IEEE 802.11i). It is suitable for desktops, laptops and embedded systems. It is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA authenticator and it controls the roaming and IEEE 802.11 authentication/association of the wireless driver.
Optionally, also install the official wpa_supplicant_gui (AUR) which provides wpa_gui, a graphical front-end for wpa_supplicant, or wpa-cute (AUR) which is a fork from an earlier version of wpa_gui with a couple of fixes and improvements.
The first step to connect to an encrypted wireless network is having wpa_supplicant obtain authentication from a WPA authenticator. In order to do this, wpa_supplicant must be configured so that it will be able to submit the correct credentials to the authenticator.
In order to use wpa_cli, a control interface must be specified for wpa_supplicant, and it must be given the rights to update the configuration. Do this by creating a minimal configuration file:
This connection method allows quickly connecting to a network whose SSID is already known, making use of wpa_passphrase, a command line tool which generates the minimal configuration needed by wpa_supplicant. For example:
For networks of varying complexity, possibly employing extensive use of EAP, it will be useful to maintain a customised configuration file. For an overview of the configuration with examples, refer to wpa_supplicant.conf(5); for details on all the supported configuration parameters, refer to the example file /usr/share/doc/wpa_supplicant/wpa_supplicant.conf.
fast_reauth=1 and ap_scan=1 are the wpa_supplicant options active globally at the time of writing. Whether you need them, or other global options too for that matter, depends on the type of network to connect to. If you need other global options, simply copy them over to the file from /usr/share/doc/wpa_supplicant/wpa_supplicant.conf.
Alternatively, wpa_cli set can be used to see options' status or set new ones. Multiple network blocks may be appended to this configuration: the supplicant will handle association to and roaming between all of them. By default, the network block with the strongest signal is usually the one connected to; priority= can be defined to influence this behaviour. For example, to auto-connect to any unsecured network as a fallback with the lowest priority:
Once you have finished the configuration file, you can optionally use it as a system-wide or per-interface default configuration by naming it according to the paths listed in #At boot (systemd). This also applies if you use additional network manager tools, which may rely on the paths (for example Dhcpcd#10-wpa_supplicant).
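A check that can be run over a finished configuration before it is installed as a default, added here as an example (not code from wpa_supplicant or from the original page): it parses the network blocks and flags cleartext passphrases and open fallback blocks. The sample configuration is constructed, and the parser assumes simple one-per-line key=value fields.

```python
# Constructed sample (not from the page): a hashed PSK, a cleartext
# passphrase, and an open fallback block with no ssid= line.
SAMPLE_CONF = """\
ctrl_interface=/run/wpa_supplicant
update_config=1
network={
    ssid="home"
    psk=%s
}
network={
    ssid="cafe"
    psk="correct horse battery"
}
network={
    key_mgmt=NONE
    priority=-999
}
""" % ("ab" * 32)

def parse_networks(text):
    """Return one dict of key=value fields per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return networks

def audit(text):
    """Return (block index, ssid, finding) tuples for risky network blocks."""
    findings = []
    for i, net in enumerate(parse_networks(text)):
        ssid = net.get("ssid", "<any>")
        # A quoted psk value is the human-readable passphrase itself.
        if net.get("psk", "").startswith('"'):
            findings.append((i, ssid, "cleartext passphrase in psk"))
        # key_mgmt=NONE means no WPA; without ssid= the block is a wildcard.
        if net.get("key_mgmt") == "NONE":
            scope = "one named SSID" if "ssid" in net else "any SSID"
            findings.append((i, ssid, "key_mgmt=NONE (no WPA) for " + scope))
    return findings
```

Calling audit(SAMPLE_CONF) reports the second and third blocks and leaves the hashed-PSK block alone.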
wpa_cli can run in daemon mode and execute a specified script based on events from wpa_supplicant. Two events are supported: CONNECTED and DISCONNECTED. Some environment variables are available to the script, see wpa_cli(8) for details.
When connected to a wireless network with multiple access points, wpa_supplicant is typically responsible for roaming between access points. Choosing a new access point requires wpa_supplicant to perform a scan of available networks, which causes a brief interruption in connectivity to the current access point while the wireless radio scans other frequencies. After a scan, if wpa_supplicant detects a closer access point (BSSID) in the current network (SSID), in terms of signal strength (RSSI), it will re-associate to the closer access point.
The default configuration of wpa_supplicant has relatively timid roaming: it will rescan only when the association to the current access point is lost. This means that, if a client moves far away from its current access point, but not far enough to completely lose signal, the client will keep using the weak signal instead of roaming to a closer access point.
The above example will cause wpa_supplicant to scan every 30 seconds when the signal is weak (below -70), and every 3600 seconds otherwise. bgscan can be specified either in specific network blocks or globally for all networks.
In order to determine why you are unable to connect to an access point you can run wpa_supplicant with the -d flag for debug messages, wait a couple seconds then look for lines that list SSIDs and the reason they were not connected to. For example:
If the command works to connect, and the user wishes to use systemd to manage the wireless connection, it is necessary to edit the wpa_supplicant@.service unit provided by the package and modify the ExecStart line accordingly:
When you use wireless to connect to network shares you might have the problem that the shutdown takes a very long time. That is because systemd runs against a 3 minute timeout. The reason is that WPA supplicant is shut down too early, i.e. before systemd tries to unmount the share(s). A bug report suggests a work-around by editing the wpa_supplicant@.service as follows:
wpa_supplicant may not work properly if particularly long or complex passphrases that include special characters are passed to it directly via stdin. This may lead to errors such as failed 4-way WPA handshake, PSK may be wrong when launching wpa_supplicant.
In some instances it was found that storing the passphrase in cleartext in the psk key of the wpa_supplicant.conf network block gave positive results. However, this approach is rather insecure. Using wpa_cli to create this file instead of writing it manually gives the best results most of the time and is therefore the recommended way to proceed.
NOTE: This method to set up WiFi must be completed before you boot this card for the first time. This is the point at which the system checks for the wpa_supplicant.conf file. If you have already booted the card you will need to re-write with a fresh image and continue.
I have a steam age router. It did not work for me until I expanded the network section. I discovered what to put in there by setting up WiFi manually on the Pi, with a monitor, keyboard and mouse physically connected. I then stole the extra lines from /etc/wpa_supplicant/wpa_supplicant.conf.
wpa_supplicant has support for being used as a WPA/WPA2/IEEE 802.1X Supplicant on Windows. The current port requires that WinPcap is installed for accessing packets and the driver interface. Both release versions 3.0 and 3.1 are supported.