NAME
wpa_cli —
text-based frontend program for
interacting with wpa_supplicant
SYNOPSIS
wpa_cli |
[commands] |
DESCRIPTION
The wpa_cli utility is a text-based
frontend program for interacting with
wpa_supplicant(8). It is used to query current status, change
configuration, trigger events, and request interactive user input.
The wpa_cli utility can show the current
authentication status, selected security mode, dot11 and dot1x MIBs, etc. In
addition, wpa_cli can configure EAPOL state machine
parameters and trigger events such as reassociation and IEEE 802.1X
logoff/logon.
The wpa_cli utility provides an interface
to supply authentication information such as username and password when it
is not provided in the
wpa_supplicant.conf(5) configuration file. This can be used,
for example, to implement one-time passwords or generic token card
authentication where the authentication is based on a challenge-response
that uses an external device for generating the response.
The wpa_cli utility supports two modes:
interactive and command line. Both modes share the same command set and the
main difference is that in interactive mode, wpa_cli
provides access to unsolicited messages (event messages, username/password
requests).
Interactive mode is started when wpa_cli
is executed without any parameters on the command line. Commands are then
entered from the controlling terminal in response to the
wpa_cli prompt. In command line mode, the same
commands are entered as command line arguments.
The control interface of
wpa_supplicant(8) can be configured to allow non-root user
access by using the ctrl_interface_group parameter in
the
wpa_supplicant.conf(5) configuration file. This makes it
possible to run wpa_cli with a normal user
account.
AUTHENTICATION PARAMETERS
When
wpa_supplicant(8) needs authentication parameters, such as
username and password, that are not present in the configuration file, it
sends a request message to all attached frontend programs, e.g.,
wpa_cli in interactive mode. The
wpa_cli utility shows these requests with a
“CTRL-REQ-⟨type⟩-⟨id⟩:⟨text⟩”
prefix, where ⟨type⟩ is
IDENTITY, PASSWORD, or
OTP (one-time password),
⟨id⟩ is a unique identifier for the
current network, and ⟨text⟩ is
description of the request. In the case of a OTP
(One Time Password) request, it includes the challenge from the
authentication server.
A user must supply wpa_supplicant(8) the needed parameters in response to these requests.
For example,
CTRL-REQ-PASSWORD-1:Password needed for SSID foobar > password 1 mysecretpassword Example request for generic token card challenge-response: CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar > otp 2 9876
COMMANDS
The following commands may be supplied on the command line or at a prompt when operating interactively.
status- Report the current WPA/EAPOL/EAP status for the current interface.
mib- Report MIB variables (dot1x, dot11) for the current interface.
help- Show usage help.
status- Get current WPA/EAPOL/EAP status.
add_network- Add a network. Returns a number to be used in set_network commands.
set_networknetwork_id ssid my_ssid_name- Make network_id use the SSID my_ssid_name.
set_networknetwork_id psk my_ssid_password- Make network_id use the password my_ssid_password
enable_networknetwork_id- Begin using the network at network_id.
list_network- List the networks configured.
scan- Begin a scan of nearby APs. Results can be obtained with
scan_results. interface[ifname]- Show available interfaces and/or set the current interface when multiple are available.
leveldebug_level- Change the debugging level in wpa_supplicant(8). Larger numbers generate more messages.
license- Display the full license for
wpa_cli. logoff- Send the IEEE 802.1X EAPOL state machine into the “logoff” state.
logon- Send the IEEE 802.1X EAPOL state machine into the “logon” state.
set[settings]- Set variables. When no arguments are supplied, the known variables and their settings are displayed.
pmksa- Show the contents of the PMKSA cache.
reassociate- Force a reassociation to the current access point.
reconfigure- Force wpa_supplicant(8) to re-read its configuration file.
preauthenticateBSSID- Force preauthentication of the specified BSSID.
identitynetwork_id identity- Configure an identity for an SSID.
passwordnetwork_id password- Configure a password for an SSID.
otpnetwork_id password- Configure a one-time password for an SSID.
terminate- Force wpa_supplicant(8) to terminate.
quit- Exit
wpa_cli.
SEE ALSO
wpa_supplicant.conf(5), wpa_passphrase(8), wpa_supplicant(8)
EXAMPLES
A sample run of discovering and connecting to a network with SSID "MyWifiNetwork" and with a password "MyWifiPassword".
If wpa_supplicant isn't already running, start it with the command
service wpa_supplicant onestart.
Find the network
scanscan_results17:07:08.868: bssid / frequency / signal level / flags / ssid 14:aa:ff:ee:aa:cc 2437 187 [WPA-PSK-CCMP+TKIP][ESS] MyWifiNetwork 44:ee:ff:bb:33:33 2452 168 [WPA2-PSK-CCMP][ESS] SomeOtherNetwork
Now, let's create a network and configure it.
add_network
17:08:13.047: 1That means the new network_id we should use is 1.
set_network 1 ssid "MyWifiNetwork"set_network 1 psk "MyWifiPassword"enable_network 1
After this point, you should be connected, but no IP address is configured. You will likely want to configure the address using dhcpcd(8).
HISTORY
The wpa_cli utility first appeared in
NetBSD 4.0.
AUTHORS
The wpa_cli utility was written by
Jouni Malinen
<jkmaline@cc.hut.fi>.
This manual page is derived from the README file
included in the wpa_supplicant distribution.