|  | wpa_supplicant for Windows | 
|  | ========================== | 
|  |  | 
|  | Copyright (c) 2003-2009, Jouni Malinen <j@w1.fi> and contributors | 
|  | All Rights Reserved. | 
|  |  | 
|  | This program is licensed under the BSD license (the one with | 
|  | advertisement clause removed). | 
|  |  | 
|  |  | 
|  | wpa_supplicant has support for being used as a WPA/WPA2/IEEE 802.1X | 
|  | Supplicant on Windows. The current port requires that WinPcap | 
|  | (http://winpcap.polito.it/) is installed for accessing packets and the | 
|  | driver interface. Both release versions 3.0 and 3.1 are supported. | 
|  |  | 
|  | The current port is still somewhat experimental. It has been tested | 
|  | mainly on Windows XP (SP2) with limited set of NDIS drivers. In | 
|  | addition, the current version has been reported to work with Windows | 
|  | 2000. | 
|  |  | 
|  | All security modes have been verified to work (at least complete | 
|  | authentication and successfully ping a wired host): | 
|  | - plaintext | 
|  | - static WEP / open system authentication | 
|  | - static WEP / shared key authentication | 
|  | - IEEE 802.1X with dynamic WEP keys | 
|  | - WPA-PSK, TKIP, CCMP, TKIP+CCMP | 
|  | - WPA-EAP, TKIP, CCMP, TKIP+CCMP | 
|  | - WPA2-PSK, TKIP, CCMP, TKIP+CCMP | 
|  | - WPA2-EAP, TKIP, CCMP, TKIP+CCMP | 
|  |  | 
|  |  | 
|  | Building wpa_supplicant with mingw | 
|  | ---------------------------------- | 
|  |  | 
|  | The default build setup for wpa_supplicant is to use MinGW and | 
|  | cross-compiling from Linux to MinGW/Windows. It should also be | 
|  | possible to build this under Windows using the MinGW tools, but that | 
|  | is not tested nor supported and is likely to require some changes to | 
|  | the Makefile unless cygwin is used. | 
|  |  | 
|  |  | 
|  | Building wpa_supplicant with MSVC | 
|  | --------------------------------- | 
|  |  | 
|  | wpa_supplicant can be built with Microsoft Visual C++ compiler. This | 
|  | has been tested with Microsoft Visual C++ Toolkit 2003 and Visual | 
|  | Studio 2005 using the included nmake.mak as a Makefile for nmake. IDE | 
|  | can also be used by creating a project that includes the files and | 
|  | defines mentioned in nmake.mak. Example VS2005 solution and project | 
|  | files are included in vs2005 subdirectory. This can be used as a | 
|  | starting point for building the programs with VS2005 IDE. Visual Studio | 
|  | 2008 Express Edition is also able to use these project files. | 
|  |  | 
|  | WinPcap development package is needed for the build and this can be | 
|  | downloaded from http://www.winpcap.org/install/bin/WpdPack_4_0_2.zip. The | 
|  | default nmake.mak expects this to be unpacked into C:\dev\WpdPack so | 
|  | that Include and Lib directories are in this directory. The files can be | 
|  | stored elsewhere as long as the WINPCAPDIR in nmake.mak is updated to | 
|  | match with the selected directory. In case a project file in the IDE is | 
|  | used, these Include and Lib directories need to be added to project | 
|  | properties as additional include/library directories. | 
|  |  | 
|  | OpenSSL source package can be downloaded from | 
|  | http://www.openssl.org/source/openssl-0.9.8i.tar.gz and built and | 
|  | installed following instructions in INSTALL.W32. Note that if EAP-FAST | 
|  | support will be included in the wpa_supplicant, OpenSSL needs to be | 
|  | patched to# support it openssl-0.9.8i-tls-extensions.patch. The example | 
|  | nmake.mak file expects OpenSSL to be installed into C:\dev\openssl, but | 
|  | this directory can be modified by changing OPENSSLDIR variable in | 
|  | nmake.mak. | 
|  |  | 
|  | If you do not need EAP-FAST support, you may also be able to use Win32 | 
|  | binary installation package of OpenSSL from | 
|  | http://www.slproweb.com/products/Win32OpenSSL.html instead of building | 
|  | the library yourself. In this case, you will need to copy Include and | 
|  | Lib directories in suitable directory, e.g., C:\dev\openssl for the | 
|  | default nmake.mak. Copy {Win32OpenSSLRoot}\include into | 
|  | C:\dev\openssl\include and make C:\dev\openssl\lib subdirectory with | 
|  | files from {Win32OpenSSLRoot}\VC (i.e., libeay*.lib and ssleay*.lib). | 
|  | This will end up using dynamically linked OpenSSL (i.e., .dll files are | 
|  | needed) for it. Alternative, you can copy files from | 
|  | {Win32OpenSSLRoot}\VC\static to create a static build (no OpenSSL .dll | 
|  | files needed). | 
|  |  | 
|  |  | 
|  | Building wpa_supplicant for cygwin | 
|  | ---------------------------------- | 
|  |  | 
|  | wpa_supplicant can be built for cygwin by installing the needed | 
|  | development packages for cygwin. This includes things like compiler, | 
|  | make, openssl development package, etc. In addition, developer's pack | 
|  | for WinPcap (WPdpack.zip) from | 
|  | http://winpcap.polito.it/install/default.htm is needed. | 
|  |  | 
|  | .config file should enable only one driver interface, | 
|  | CONFIG_DRIVER_NDIS. In addition, include directories may need to be | 
|  | added to match the system. An example configuration is available in | 
|  | defconfig. The library and include files for WinPcap will either need | 
|  | to be installed in compiler/linker default directories or their | 
|  | location will need to be adding to .config when building | 
|  | wpa_supplicant. | 
|  |  | 
|  | Othen than this, the build should be more or less identical to Linux | 
|  | version, i.e., just run make after having created .config file. An | 
|  | additional tool, win_if_list.exe, can be built by running "make | 
|  | win_if_list". | 
|  |  | 
|  |  | 
|  | Building wpa_gui | 
|  | ---------------- | 
|  |  | 
|  | wpa_gui uses Qt application framework from Trolltech. It can be built | 
|  | with the open source version of Qt4 and MinGW. Following commands can | 
|  | be used to build the binary in the Qt 4 Command Prompt: | 
|  |  | 
|  | # go to the root directory of wpa_supplicant source code | 
|  | cd wpa_gui-qt4 | 
|  | qmake -o Makefile wpa_gui.pro | 
|  | make | 
|  | # the wpa_gui.exe binary is created into 'release' subdirectory | 
|  |  | 
|  |  | 
|  | Using wpa_supplicant for Windows | 
|  | -------------------------------- | 
|  |  | 
|  | wpa_supplicant, wpa_cli, and wpa_gui behave more or less identically to | 
|  | Linux version, so instructions in README and example wpa_supplicant.conf | 
|  | should be applicable for most parts. In addition, there is another | 
|  | version of wpa_supplicant, wpasvc.exe, which can be used as a Windows | 
|  | service and which reads its configuration from registry instead of | 
|  | text file. | 
|  |  | 
|  | When using access points in "hidden SSID" mode, ap_scan=2 mode need to | 
|  | be used (see wpa_supplicant.conf for more information). | 
|  |  | 
|  | Windows NDIS/WinPcap uses quite long interface names, so some care | 
|  | will be needed when starting wpa_supplicant. Alternatively, the | 
|  | adapter description can be used as the interface name which may be | 
|  | easier since it is usually in more human-readable | 
|  | format. win_if_list.exe can be used to find out the proper interface | 
|  | name. | 
|  |  | 
|  | Example steps in starting up wpa_supplicant: | 
|  |  | 
|  | # win_if_list.exe | 
|  | ifname: \Device\NPF_GenericNdisWanAdapter | 
|  | description: Generic NdisWan adapter | 
|  |  | 
|  | ifname: \Device\NPF_{769E012B-FD17-4935-A5E3-8090C38E25D2} | 
|  | description: Atheros Wireless Network Adapter (Microsoft's Packet Scheduler) | 
|  |  | 
|  | ifname: \Device\NPF_{732546E7-E26C-48E3-9871-7537B020A211} | 
|  | description: Intel 8255x-based Integrated Fast Ethernet (Microsoft's Packet Scheduler) | 
|  |  | 
|  |  | 
|  | Since the example configuration used Atheros WLAN card, the middle one | 
|  | is the correct interface in this case. The interface name for -i | 
|  | command line option is the full string following "ifname:" (the | 
|  | "\Device\NPF_" prefix can be removed). In other words, wpa_supplicant | 
|  | would be started with the following command: | 
|  |  | 
|  | # wpa_supplicant.exe -i'{769E012B-FD17-4935-A5E3-8090C38E25D2}' -c wpa_supplicant.conf -d | 
|  |  | 
|  | -d optional enables some more debugging (use -dd for even more, if | 
|  | needed). It can be left out if debugging information is not needed. | 
|  |  | 
|  | With the alternative mechanism for selecting the interface, this | 
|  | command has identical results in this case: | 
|  |  | 
|  | # wpa_supplicant.exe -iAtheros -c wpa_supplicant.conf -d | 
|  |  | 
|  |  | 
|  | Simple configuration example for WPA-PSK: | 
|  |  | 
|  | #ap_scan=2 | 
|  | ctrl_interface= | 
|  | network={ | 
|  | ssid="test" | 
|  | key_mgmt=WPA-PSK | 
|  | proto=WPA | 
|  | pairwise=TKIP | 
|  | psk="secret passphrase" | 
|  | } | 
|  |  | 
|  | (remove '#' from the comment out ap_scan line to enable mode in which | 
|  | wpa_supplicant tries to associate with the SSID without doing | 
|  | scanning; this allows APs with hidden SSIDs to be used) | 
|  |  | 
|  |  | 
|  | wpa_cli.exe and wpa_gui.exe can be used to interact with the | 
|  | wpa_supplicant.exe program in the same way as with Linux. Note that | 
|  | ctrl_interface is using UNIX domain sockets when built for cygwin, but | 
|  | the native build for Windows uses named pipes and the contents of the | 
|  | ctrl_interface configuration item is used to control access to the | 
|  | interface. Anyway, this variable has to be included in the configuration | 
|  | to enable the control interface. | 
|  |  | 
|  |  | 
|  | Example SDDL string formats: | 
|  |  | 
|  | (local admins group has permission, but nobody else): | 
|  |  | 
|  | ctrl_interface=SDDL=D:(A;;GA;;;BA) | 
|  |  | 
|  | ("A" == "access allowed", "GA" == GENERIC_ALL == all permissions, and | 
|  | "BA" == "builtin administrators" == the local admins.  The empty fields | 
|  | are for flags and object GUIDs, none of which should be required in this | 
|  | case.) | 
|  |  | 
|  | (local admins and the local "power users" group have permissions, | 
|  | but nobody else): | 
|  |  | 
|  | ctrl_interface=SDDL=D:(A;;GA;;;BA)(A;;GA;;;PU) | 
|  |  | 
|  | (One ACCESS_ALLOWED ACE for GENERIC_ALL for builtin administrators, and | 
|  | one ACCESS_ALLOWED ACE for GENERIC_ALL for power users.) | 
|  |  | 
|  | (close to wide open, but you have to be a valid user on | 
|  | the machine): | 
|  |  | 
|  | ctrl_interface=SDDL=D:(A;;GA;;;AU) | 
|  |  | 
|  | (One ACCESS_ALLOWED ACE for GENERIC_ALL for the "authenticated users" | 
|  | group.) | 
|  |  | 
|  | This one would allow absolutely everyone (including anonymous | 
|  | users) -- this is *not* recommended, since named pipes can be attached | 
|  | to from anywhere on the network (i.e. there's no "this machine only" | 
|  | like there is with 127.0.0.1 sockets): | 
|  |  | 
|  | ctrl_interface=SDDL=D:(A;;GA;;;BU)(A;;GA;;;AN) | 
|  |  | 
|  | (BU == "builtin users", "AN" == "anonymous") | 
|  |  | 
|  | See also [1] for the format of ACEs, and [2] for the possible strings | 
|  | that can be used for principal names. | 
|  |  | 
|  | [1] | 
|  | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/ace_strings.asp | 
|  | [2] | 
|  | http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/sid_strings.asp | 
|  |  | 
|  |  | 
|  | Starting wpa_supplicant as a Windows service (wpasvc.exe) | 
|  | --------------------------------------------------------- | 
|  |  | 
|  | wpa_supplicant can be started as a Windows service by using wpasvc.exe | 
|  | program that is alternative build of wpa_supplicant.exe. Most of the | 
|  | core functionality of wpasvc.exe is identical to wpa_supplicant.exe, | 
|  | but it is using Windows registry for configuration information instead | 
|  | of a text file and command line parameters. In addition, it can be | 
|  | registered as a service that can be started automatically or manually | 
|  | like any other Windows service. | 
|  |  | 
|  | The root of wpa_supplicant configuration in registry is | 
|  | HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant. This level includes global | 
|  | parameters and a 'interfaces' subkey with all the interface configuration | 
|  | (adapter to confname mapping). Each such mapping is a subkey that has | 
|  | 'adapter', 'config', and 'ctrl_interface' values. | 
|  |  | 
|  | This program can be run either as a normal command line application, | 
|  | e.g., for debugging, with 'wpasvc.exe app' or as a Windows service. | 
|  | Service need to be registered with 'wpasvc.exe reg <full path to | 
|  | wpasvc.exe>'. Alternatively, 'wpasvc.exe reg' can be used to register | 
|  | the service with the current location of wpasvc.exe. After this, wpasvc | 
|  | can be started like any other Windows service (e.g., 'net start wpasvc') | 
|  | or it can be configured to start automatically through the Services tool | 
|  | in administrative tasks. The service can be unregistered with | 
|  | 'wpasvc.exe unreg'. | 
|  |  | 
|  | If the service is set to start during system bootup to make the | 
|  | network connection available before any user has logged in, there may | 
|  | be a long (half a minute or so) delay in starting up wpa_supplicant | 
|  | due to WinPcap needing a driver called "Network Monitor Driver" which | 
|  | is started by default on demand. | 
|  |  | 
|  | To speed up wpa_supplicant start during system bootup, "Network | 
|  | Monitor Driver" can be configured to be started sooner by setting its | 
|  | startup type to System instead of the default Demand. To do this, open | 
|  | up Device Manager, select Show Hidden Devices, expand the "Non | 
|  | Plug-and-Play devices" branch, double click "Network Monitor Driver", | 
|  | go to the Driver tab, and change the Demand setting to System instead. | 
|  |  | 
|  | Configuration data is in HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant\configs | 
|  | key. Each configuration profile has its own key under this. In terms of text | 
|  | files, each profile would map to a separate text file with possibly multiple | 
|  | networks. Under each profile, there is a networks key that lists all | 
|  | networks as a subkey. Each network has set of values in the same way as | 
|  | network block in the configuration file. In addition, blobs subkey has | 
|  | possible blobs as values. | 
|  |  | 
|  | HKEY_LOCAL_MACHINE\SOFTWARE\wpa_supplicant\configs\test\networks\0000 | 
|  | ssid="example" | 
|  | key_mgmt=WPA-PSK | 
|  |  | 
|  | See win_example.reg for an example on how to setup wpasvc.exe | 
|  | parameters in registry. It can also be imported to registry as a | 
|  | starting point for the configuration. |