Updated: 2022/Sep/29
Please read Privacy Policy. It's for your privacy.
WPA_CLI(8) System Manager's Manual WPA_CLI(8)
NAME
wpa_cli - text-based frontend program for interacting with wpa_supplicant
SYNOPSIS
wpa_cli [commands]
DESCRIPTION
The wpa_cli utility is a text-based frontend program for interacting with
wpa_supplicant(8). It is used to query current status, change
configuration, trigger events, and request interactive user input.
The wpa_cli utility can show the current authentication status, selected
security mode, dot11 and dot1x MIBs, etc. In addition, wpa_cli can
configure EAPOL state machine parameters and trigger events such as
reassociation and IEEE 802.1X logoff/logon.
The wpa_cli utility provides an interface to supply authentication
information such as username and password when it is not provided in the
wpa_supplicant.conf(5) configuration file. This can be used, for
example, to implement one-time passwords or generic token card
authentication where the authentication is based on a challenge-response
that uses an external device for generating the response.
The wpa_cli utility supports two modes: interactive and command line.
Both modes share the same command set and the main difference is that in
interactive mode, wpa_cli provides access to unsolicited messages (event
messages, username/password requests).
Interactive mode is started when wpa_cli is executed without any
parameters on the command line. Commands are then entered from the
controlling terminal in response to the wpa_cli prompt. In command line
mode, the same commands are entered as command line arguments.
The control interface of wpa_supplicant(8) can be configured to allow
non-root user access by using the ctrl_interface_group parameter in the
wpa_supplicant.conf(5) configuration file. This makes it possible to run
wpa_cli with a normal user account.
AUTHENTICATION PARAMETERS
When wpa_supplicant(8) needs authentication parameters, such as username
and password, that are not present in the configuration file, it sends a
request message to all attached frontend programs, e.g., wpa_cli in
interactive mode. The wpa_cli utility shows these requests with a
"CTRL-REQ-<type>-<id>:<text>" prefix, where <type> is IDENTITY, PASSWORD,
or OTP (one-time password), <id> is a unique identifier for the current
network, and <text> is description of the request. In the case of a OTP
(One Time Password) request, it includes the challenge from the
authentication server.
A user must supply wpa_supplicant(8) the needed parameters in response to
these requests.
For example,
CTRL-REQ-PASSWORD-1:Password needed for SSID foobar
> password 1 mysecretpassword
Example request for generic token card challenge-response:
CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
> otp 2 9876
COMMANDS
The following commands may be supplied on the command line or at a prompt
when operating interactively.
status Report the current WPA/EAPOL/EAP status for the current
interface.
mib Report MIB variables (dot1x, dot11) for the current interface.
help Show usage help.
status Get current WPA/EAPOL/EAP status.
add_network
Add a network. Returns a number to be used in set_network
commands.
set_network network_id ssid my_ssid_name
Make network_id use the SSID my_ssid_name.
set_network network_id psk my_ssid_password
Make network_id use the password my_ssid_password
enable_network network_id
Begin using the network at network_id.
list_network
List the networks configured.
scan Begin a scan of nearby APs. Results can be obtained with
scan_results.
interface [ifname]
Show available interfaces and/or set the current interface when
multiple are available.
level debug_level
Change the debugging level in wpa_supplicant(8). Larger numbers
generate more messages.
license
Display the full license for wpa_cli.
logoff Send the IEEE 802.1X EAPOL state machine into the "logoff" state.
logon Send the IEEE 802.1X EAPOL state machine into the "logon" state.
set [settings]
Set variables. When no arguments are supplied, the known
variables and their settings are displayed.
pmksa Show the contents of the PMKSA cache.
reassociate
Force a reassociation to the current access point.
reconfigure
Force wpa_supplicant(8) to re-read its configuration file.
preauthenticate BSSID
Force preauthentication of the specified BSSID.
identity network_id identity
Configure an identity for an SSID.
password network_id password
Configure a password for an SSID.
otp network_id password
Configure a one-time password for an SSID.
terminate
Force wpa_supplicant(8) to terminate.
quit Exit wpa_cli.
SEE ALSO
wpa_supplicant.conf(5), wpa_passphrase(8), wpa_supplicant(8)
EXAMPLES
A sample run of discovering and connecting to a network with SSID
"MyWifiNetwork" and with a password "MyWifiPassword".
If wpa_supplicant isn't already running, start it with the command
service wpa_supplicant onestart.
Find the network
scan
scan_results
17:07:08.868: bssid / frequency / signal level / flags / ssid
14:aa:ff:ee:aa:cc 2437 187 [WPA-PSK-CCMP+TKIP][ESS] MyWifiNetwork
44:ee:ff:bb:33:33 2452 168 [WPA2-PSK-CCMP][ESS] SomeOtherNetwork
Now, let's create a network and configure it.
add_network
17:08:13.047: 1
That means the new network_id we should use is 1.
set_network 1 ssid "MyWifiNetwork"
set_network 1 psk "MyWifiPassword"
enable_network 1
After this point, you should be connected, but no IP address is
configured. You will likely want to configure the address using
dhcpcd(8).
HISTORY
The wpa_cli utility first appeared in NetBSD 4.0.
AUTHORS
The wpa_cli utility was written by Jouni Malinen <jkmaline@cc.hut.fi>.
This manual page is derived from the README file included in the
wpa_supplicant distribution.
NetBSD 10.99 June 19, 2019 NetBSD 10.99