WPA_CLI(8) NetBSD System Manager's Manual WPA_CLI(8)
wpa_cli -- text-based frontend program for interacting with wpa_suppli- cant
The wpa_cli utility is a text-based frontend program for interacting with wpa_supplicant(8). It is used to query current status, change configura- tion, trigger events, and request interactive user input. The wpa_cli utility can show the current authentication status, selected security mode, dot11 and dot1x MIBs, etc. In addition, wpa_cli can con- figure EAPOL state machine parameters and trigger events such as reasso- ciation and IEEE 802.1X logoff/logon. The wpa_cli utility provides an interface to supply authentication infor- mation such as username and password when it is not provided in the wpa_supplicant.conf(5) configuration file. This can be used, for exam- ple, to implement one-time passwords or generic token card authentication where the authentication is based on a challenge-response that uses an external device for generating the response. The wpa_cli utility supports two modes: interactive and command line. Both modes share the same command set and the main difference is that in interactive mode, wpa_cli provides access to unsolicited messages (event messages, username/password requests). Interactive mode is started when wpa_cli is executed without any parame- ters on the command line. Commands are then entered from the controlling terminal in response to the wpa_cli prompt. In command line mode, the same commands are entered as command line arguments. The control interface of wpa_supplicant(8) can be configured to allow non-root user access by using the ctrl_interface_group parameter in the wpa_supplicant.conf(5) configuration file. This makes it possible to run wpa_cli with a normal user account.
When wpa_supplicant(8) needs authentication parameters, such as username and password, that are not present in the configuration file, it sends a request message to all attached frontend programs, e.g., wpa_cli in interactive mode. The wpa_cli utility shows these requests with a ``CTRL-REQ-<type>-<id>:<text>'' prefix, where <type> is IDENTITY, PASSWORD, or OTP (one-time password), <id> is a unique identifier for the current network, and <text> is description of the request. In the case of a OTP (One Time Password) request, it includes the challenge from the authentication server. A user must supply wpa_supplicant(8) the needed parameters in response to these requests. For example, CTRL-REQ-PASSWORD-1:Password needed for SSID foobar > password 1 mysecretpassword Example request for generic token card challenge-response: CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar > otp 2 9876
The following commands may be supplied on the command line or at a prompt when operating interactively. status Report the current WPA/EAPOL/EAP status for the current inter- face. mib Report MIB variables (dot1x, dot11) for the current interface. help Show usage help. status Get current WPA/EAPOL/EAP status. add_network Add a network. Returns a number to be used in set_network com- mands. set_network network_id ssid my_ssid_name Make network_id use the SSID my_ssid_name. set_network network_id psk my_ssid_password Make network_id use the password my_ssid_password enable_network network_id Begin using the network at network_id. list_network List the networks configured. scan Begin a scan of nearby APs. Results can be obtained with scan_results. interface [ifname] Show available interfaces and/or set the current interface when multiple are available. level debug_level Change the debugging level in wpa_supplicant(8). Larger numbers generate more messages. license Display the full license for wpa_cli. logoff Send the IEEE 802.1X EAPOL state machine into the ``logoff'' state. logon Send the IEEE 802.1X EAPOL state machine into the ``logon'' state. set [settings] Set variables. When no arguments are supplied, the known vari- ables and their settings are displayed. pmksa Show the contents of the PMKSA cache. reassociate Force a reassociation to the current access point. reconfigure Force wpa_supplicant(8) to re-read its configuration file. preauthenticate BSSID Force preauthentication of the specified BSSID. identity network_id identity Configure an identity for an SSID. password network_id password Configure a password for an SSID. otp network_id password Configure a one-time password for an SSID. terminate Force wpa_supplicant(8) to terminate. quit Exit wpa_cli.
wpa_supplicant.conf(5), wpa_passphrase(8), wpa_supplicant(8)
A sample run of discovering and connecting to a network with SSID "MyWifiNetwork" and with a password "MyWifiPassword". If wpa_supplicant isn't already running, start it with the command service wpa_supplicant onestart. Find the network scan scan_results 17:07:08.868: bssid / frequency / signal level / flags / ssid 14:aa:ff:ee:aa:cc 2437 187 [WPA-PSK-CCMP+TKIP][ESS] MyWifiNetwork 44:ee:ff:bb:33:33 2452 168 [WPA2-PSK-CCMP][ESS] SomeOtherNetwork Now, let's create a network and configure it. add_network 17:08:13.047: 1 That means the new network_id we should use is 1. set_network 1 ssid "MyWifiNetwork" set_network 1 psk "MyWifiPassword" enable_network 1 After this point, you should be connected, but no IP address is config- ured. You will likely want to configure the address using dhcpcd(8).
The wpa_cli utility first appeared in NetBSD 4.0.
The wpa_cli utility was written by Jouni Malinen <firstname.lastname@example.org>. This manual page is derived from the README file included in the wpa_supplicant distribution. NetBSD 9.0 June 19, 2019 NetBSD 9.0
You can also request any man page by name and (optionally) by section: