The hostapd.conf utility is an authenticator for IEEE
  802.11 networks. It provides full support for WPA/IEEE 802.11i and can also
  act as an IEEE 802.1X Authenticator with a suitable backend Authentication
  Server (typically FreeRADIUS).
The configuration file consists of global parameters and domain
    specific configuration:
  - IEEE 802.1X-2004
- RADIUS client
- RADIUS authentication server
- WPA/IEEE 802.11i
The following parameters are recognized:
  - interface
- Interface name. Should be set in “hostap” mode.
- debug
- Debugging mode: 0 = no, 1 = minimal, 2 = verbose, 3 = msg dumps, 4 =
      excessive.
- dump_file
- Dump file for state information (on SIGUSR1).
- ctrl_interface
- The pathname of the directory in which
      hostapd(8) creates
      UNIX domain socket files for communication with
      frontend programs such as
      hostapd_cli(8).
- ctrl_interface_group
- A group name or group ID to use in setting protection on the control
      interface file. This can be set to allow non-root users to access the
      control interface files. If no group is specified, the group ID of the
      control interface is not modified and will, typically, be the group ID of
      the directory in which the socket is created.
The following parameters are recognized:
  - ieee8021x
- Require IEEE 802.1X authorization.
- eap_message
- Optional displayable message sent with EAP Request-Identity.
- wep_key_len_broadcast
- Key lengths for broadcast keys.
- wep_key_len_unicast
- Key lengths for unicast keys.
- wep_rekey_period
- Rekeying period in seconds.
- eapol_key_index_workaround
- EAPOL-Key index workaround (set bit7) for WinXP Supplicant.
- eap_reauth_period
- EAP reauthentication period in seconds. To disable reauthentication, use
      “0”.
The following parameters are recognized:
  - own_ip_addr
- The own IP address of the access point (used as NAS-IP-Address).
- nas_identifier
- Optional NAS-Identifier string for RADIUS messages.
- auth_server_addr,
    auth_server_port,
    auth_server_shared_secret
- RADIUS authentication server parameters. Can be defined twice for
      secondary servers to be used if primary one does not reply to RADIUS
      packets.
- acct_server_addr,
    acct_server_port,
    acct_server_shared_secret
- RADIUS accounting server parameters. Can be defined twice for secondary
      servers to be used if primary one does not reply to RADIUS packets.
- radius_retry_primary_interval
- Retry interval for trying to return to the primary RADIUS server (in
      seconds).
- radius_acct_interim_interval
- Interim accounting update interval. If this is set (larger than 0) and
      acct_server is configured,
      hostapd(8) will send
      interim accounting updates every N seconds.
The following parameters are recognized:
  - radius_server_clients
- File name of the RADIUS clients configuration for the RADIUS server. If
      this is commented out, RADIUS server is disabled.
- radius_server_auth_port
- The UDP port number for the RADIUS authentication server.
- radius_server_ipv6
- Use IPv6 with RADIUS server.
The following parameters are recognized:
  - wpa
- Enable WPA. Setting this variable configures the AP to require WPA (either
      WPA-PSK or WPA-RADIUS/EAP based on other configuration).
- wpa_psk, wpa_passphrase
- WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit
      secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase
      (8..63 characters) that will be converted to PSK. This conversion uses
      SSID so the PSK changes when ASCII passphrase is used and the SSID is
      changed.
- wpa_psk_file
- Optionally, WPA PSKs can be read from a separate text file (containing a
      list of (PSK,MAC address) pairs.
- wpa_key_mgmt
- Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or
    both).
- wpa_pairwise
- Set of accepted cipher suites (encryption algorithms) for pairwise keys
      (unicast packets). See the example file for more information.
- wpa_group_rekey
- Time interval for rekeying GTK (broadcast/multicast encryption keys) in
      seconds.
- wpa_strict_rekey
- Rekey GTK when any STA that possesses the current GTK is leaving the
    BSS.
- wpa_gmk_rekey
- Time interval for rekeying GMK (master key used internally to generate
      GTKs (in seconds).
Thehostapd.conf manual page and
  hostapd(8) functionality first
  appeared in NetBSD 4.0.
This manual page is derived from the README and
  hostapd.conf files in the
  hostapd distribution provided by
  Jouni Malinen
  <jkmaline@cc.hut.fi>.