Wi-Fi Protected Access client and IEEE 802.1X supplicant

sudo wpa_supplicant [ -BddfhKLqqsTtuvW ] [ -i ifname ] [ -c config file ] [ -D driver ] [ -P PID_file ] [ -f output file ]

Some options have global scope.
Option groups for different interfaces must be separated by -N
filenames should be full ie not relative.

-W Wait for a control interface monitor before starting.
-B background.
-P PID_file
-d debugging messages(-dd even more).
-q quite debugging verbosity (-qq even less).
-t timestamp included in debug messages.
-K keys (passwords, etc.)Included in debug output.
-s Log output to syslog instead of stdout. (if built with the CONFIG_DEBUG_SYSLOG
-T Log output to tracing in addition . (if built with the CONFIG_DEBUG_LINUX_TRACING
-f output file Log output to instead of stdout. (if built with the CONFIG_DEBUG_FILE .)
-e entropy file to maintain its internal entropy store in over restarts.
-g global ctrl_interface Path to global ctrl_interface socket. If specified, interface definitions may be omitted.
-u Enable DBus control interface. If enabled, interface definitions may be omitted. (if built with CONFIG_DBUS
-N new interface description follows
-i ifname Interface.
-c filename configuration file.
-C ctrl_interface Path to ctrl_interface socket Not with -c
-O override ctrl_interface Override the ctrl_interface parameter for new interfaces.
-b br_ifname bridge interface name.
-D driver can be multiple drivers: (example: nl80211,wext). See the available options.
-p parameters for driver.
-o override driver Override the driver parameter for new interfaces.
-L Show license (BSD).
-v Show version.
wpa_supplicant v2.6 ( On Raspberry Pi Stetch 1/14/20) NOT CONFIG_DEBUG_FILE
Copyright (c) 2003-2015, Jouni Malinen  and contributors
-h Help. Show a usage message.

Driver backends that may be used with -D (driver) see wpa_supplicant -h.

       wext       Linux wireless extensions (generic).  
       wired      wpa_supplicant wired Ethernet driver 
       roboswitch wpa_supplicant Broadcom switch driver 
       bsd        BSD 802.11 support (Atheros, etc.).  
       ndis       Windows NDIS driver.


On raspberry Pi:
  Description=WPA supplicant
  ExecStart=/sbin/wpa_supplicant -u -s -O /run/wpa_supplicant   maybe add -d 

p2p-dev-wlan0 wlan0 are empty

Only syslog message is :
daemon.notice wpa_supplicant[304]: Successfully initialized wpa_supplicant

sudo wpa_supplicant -B -c/etc/wpa_supplicant.conf -i wlan0 # fork into background.
Start on foreground with debugging :
log=/tmp/wpa.`date +%y%m%d.%H%M`.log
sudo wpa_supplicant -d -c/etc/wpa_supplicant/wpa_supplicant.conf -i wlan0 > $log
If the specific driver wrapper is not known beforehand, it is possible to specify multiple comma separated driver wrappers on the the first driver wrapper that is able to initialize the interface.
sudo wpa_supplicant -Dnl80211,wext -c/etc/wpa_supplicant.conf -iwlan0
Control multiple interfaces (radios) either by running one process for each interface separately or by running just one process and list of options.
Each interface is separated with -N. Example:
sudo wpa_supplicant \
     -c wpa1.conf -i wlan0 -D nl80211 \
     -N \
     -c wpa2.conf -i ath0 -D wext




  1. Make configuration file, wpa_supplicant.conf
    # ANY error here will prevent the wifi network from starting

    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev


  2. Test by running with in foreground with debugging :
    sudo wpa_supplicant -i wlan0 -c/etc/wpa_supplicant.conf -d
    example output
    example -dd output
    sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -d
  3. start in background without debugging:
    sudo wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -B
With more than one driver interface in the build time configuration (.config), specify which interface to use by including -Ddriver name.


Changes to pcmcia-cs scripts can be used to enable WPA support:
  1. Add MODE="Managed" and WPA="y" to the network scheme in /etc/pcmcia/wireless.opts.
  2. Add this block to the end of start action handler in /etc/pcmcia/wireless:
    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
                      /usr/local/bin/wpa_supplicant -B -c/etc/wpa_supplicant.conf -i$DEVICE
  3. Add the following block to the end of stop action handler (may need to be separated from other actions)
    in /etc/pcmcia/wireless:
    if [ "$WPA" = "y" -a -x /usr/local/bin/wpa_supplicant ]; then
                      killall wpa_supplicant
This will make cardmgr start wpa_supplicant when the card is plugged in.


wpa_background(8) http://w1.fi wpa_supplicant.conf , wpa_cli(8) wpa_passphrase(8)

Unauthorized use of the network is much easier.
Unauthorized users can passively monitor a wireless network and capture all transmitted frames.


WPA command line client

sudo wpa_cli [-p path to ctrl sockets] [-g path to global ctrl_interface socket] [-i ifname]
          [ -hvB] [-a actionfile] [-P pid file] [-G ping interval] [ command]

Interacts with wpa_supplicant to query current status, change configuration, trigger events, and request interactive user input.

Shows the current authentication status, selected security mode, dot11 and dot1x MIBs, etc.
Can configure some variables like EAPOL state machine parameters and trigger events like reassociation and IEEE 802.1X logoff/logon.

Provides a user interface to request authentication information, like username and password, if these are not included in the configuration. This can be used to implement, one-time-passwords or generic token card authentication where the authentication is based on a challenge-response that uses an external device for generating the response.

The control interface of wpa_supplicant can be configured to allow non-root user access (ctrl_interface GROUP= parameter in the configuration file). This makes it possible to run wpa_cli with a normal user account.

Interactive mode is started when invoked without command

Interactive authentication parameters request

When wpa_supplicant need authentication parameters, like username and password, not in the configuration file, it sends a request message to all attached frontend programs, e.g., wpa_cli in interactive mode.
wpa_cli shows these requests with "CTRL-REQ-type-id:text" prefix. In case of OTP request, it includes the challenge from the authentication server.

The reply to these requests can be given with identity, password, and otp commands.id needs to be copied from the matching request.
password and otp commands can be used regardless of whether the request was for PASSWORD or OTP. The difference is that values given with password are remembered as long as wpa_supplicant is running whereas values given with otp are used only once and then forgotten, i.e., wpa_supplicant will ask frontend for a new value for every use. This can be used to implement one-time-password lists and generic token card -based authentication.

Example request for password and a matching reply:
CTRL-REQ-PASSWORD-1:Password needed for SSID foobar > password 1 mysecretpassword

Example request for generic token card challenge-response:
CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar > otp 2 9876


-p path Change the path where control sockets should be found.
-g control socket path Connect to the global control socket at the indicated path rather than an interface-specific control socket.
-i ifname Specify the interface that is being configured. By default, choose the first interface found with a control socket in the socket path.
-h Help.
-v version
-B background as a daemon
-a file Run in daemon mode executing the action file based on events from wpa_supplicant.
file will be executed with the first argument set to interface name and second to "CONNECTED" or "DISCONNECTED" depending on the event. This can be used to execute networking tools required to configure the interface. Environmental variables :
  • $WPA_CTRL_DIR contains the absolute path to the ctrl_interface socket.
  • $WPA_ID contains the unique network_id identifier assigned to the active network,
  • $WPA_ID_STR contains the content of the id_str option.
-P file Set the location of the PID file.
-G ping interval Set the interval (in seconds) at which wpa_cli pings the supplicant.
command Run a command.
list_networks list configured networks
> list_n
network id / ssid / bssid / flags
0   disabled    any 
1   bslguest    any 
2   BTHub6CF3G  any
status get current WPA/EAPOL/EAP status
> status
mib get MIB variables (dot11, dot1x)
> mib
₦ := dot11RSNA ₦OptionImplemented=TRUE ₦PreauthenticationImplemented=TRUE ₦Enabled=FALSE ₦PreauthenticationEnabled=FALSE ₦ConfigVersion=1 ₦ConfigPairwiseKeysSupported=5 ₦ConfigGroupCipherSize=0 ₦ConfigPMKLifetime=43200 ₦ConfigPMKReauthThreshold=70 ₦ConfigNumberOfPTKSAReplayCounters=1 ₦ConfigSATimeout=60 ₦AuthenticationSuiteSelected=00-00-00-0 ₦PairwiseCipherSelected=00-00-00-0 ₦GroupCipherSelected=00-00-00-0 ₦PMKIDUsed= ₦AuthenticationSuiteRequested=00-00-00-0 ₦PairwiseCipherRequested=00-00-00-0 ₦GroupCipherRequested=00-00-00-0 ₦ConfigNumberOfGTKSAReplayCounters=0 ₦4WayHandshakeFailures=0 ℕ = dot1xSupp ℕPaeState=1 ℕHeldPeriod=60 ℕAuthPeriod=30 ℕStartPeriod=30 ℕMaxStart=3 ℕSuppControlledPortStatus=Unauthorized ℕBackendPaeState=1 ℕEapolFramesRx=0 ℕEapolFramesTx=0 ℕEapolStartFramesTx=0 ℕEapolLogoffFramesTx=0 ℕEapolRespFramesTx=0 ℕEapolReqIdFramesRx=0 ℕEapolReqFramesRx=0 ℕInvalidEapolFramesRx=0 ℕEapLengthErrorFramesRx=0 ℕLastEapolFrameVersion=0 ℕLastEapolFrameSource=00:00:00:00:00:00
interface [ifname] show interfaces/select interface
> interface
Available interfaces:

level debug level
logoff IEEE 802.1X EAPOL state machine logoff
logon IEEE 802.1X EAPOL state machine logon
set set variables (shows list of variables when run without arguments)
pmksa show PMKSA cache
> pmksa
Index / AA / PMKID / expiration (in seconds) / opportunistic

reconfigure re-read configuration file
preauthenticate BSSID force preauthentication
identity networID identity configure identity for an SSID
password networkD password configure password for an SSID
pin networkID pin configure pin for an SSID
otp networkID password configure one-time-password for an SSID
bssid networkID BSSID set preferred BSSID for an SSID
license show full wpa_cli license
help show this usage help


See Raspberry Pi as Access Point

Host Access Point configuration at hostapd.conf Minimaly

ssid=RuuviCollector   1.1