| Main index | Section 8 | Options |
The wpa_cli utility can show the current authentication status, selected security mode, dot11 and dot1x MIBs, etc. In addition, wpa_cli can configure EAPOL state machine parameters and trigger events such as reassociation and IEEE 802.1X logoff/logon.
The wpa_cli utility provides an interface to supply authentication information such as username and password when it is not provided in the wpa_supplicant.conf(5) configuration file. This can be used, for example, to implement one-time passwords or generic token card authentication where the authentication is based on a challenge-response that uses an external device for generating the response.
The wpa_cli utility supports two modes: interactive and command line. Both modes share the same command set and the main difference is in interactive mode providing access to unsolicited messages (event messages, username/password requests).
Interactive mode is started when wpa_cli is executed without any parameters on the command line. Commands are then entered from the controlling terminal in response to the wpa_cli prompt. In command line mode, the same commands are entered as command line arguments.
The control interface of wpa_supplicant(8) can be configured to allow non-root user access by using the ctrl_interface_group parameter in the wpa_supplicant.conf(5) configuration file. This makes it possible to run wpa_cli with a normal user account.
A user must supply wpa_supplicant(8) the needed parameters in response to these requests.
For example,
CTRL-REQ-PASSWORD-1:Password needed for SSID foobar > password 1 mysecretpasswordExample request for generic token card challenge-response:
CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar > otp 2 9876
| | |
| Control sockets path. This should match the ctrl_interface in wpa_supplicant.conf(5). The default path is /var/run/wpa_supplicant. | |
| | |
| Interface to be configured. By default, the first interface found in the socket path is used. | |
| | |
| Show help. | |
| | |
| Show version information. | |
| | |
| Run the daemon in the background. | |
| | |
| Run in daemon mode, executing the action file based on events from wpa_supplicant(8). | |
| | |
| PID file location. | |
| | |
| Use a global control interface to wpa_supplicant(8) rather than the default Unix domain sockets. | |
| | |
| Wait "ping_interval" seconds before sending each ping to wpa_supplicant(8). See the ping command. | |
| command | |
| See available commands in the next section. | |
| status | |
| Report the current WPA/EAPOL/EAP status for the current interface. | |
| ifname | |
| Show the current interface name. The default interface is the first interface found in the socket path. | |
| ping | Ping the wpa_supplicant(8) utility. This command can be used to test the status of the wpa_supplicant(8) daemon. |
| mib | Report MIB variables (dot1x, dot11) for the current interface. |
| help | Show usage help. |
| interface [ifname] | |
| Show available interfaces and/or set the current interface when multiple interfaces are available. | |
| level debug_level | |
| Change the debugging level in wpa_supplicant(8). Larger numbers generate more messages. | |
| license | |
| Display the full license for wpa_cli. | |
| logoff | |
| Send the IEEE 802.1X EAPOL state machine into the "logoff" state. | |
| logon | Send the IEEE 802.1X EAPOL state machine into the "logon" state. |
| set [settings] | |
| Set variables. When no arguments are supplied, the known variables and their settings are displayed. | |
| pmksa | Show the contents of the PMKSA cache. |
| reassociate | |
| Force a reassociation to the current access point. | |
| reconfigure | |
| Force wpa_supplicant(8) to re-read its configuration file. | |
| preauthenticate BSSID | |
| Force preauthentication of the specified BSSID. | |
| identity network_id identity | |
| Configure an identity for an SSID. | |
| password network_id password | |
| Configure a password for an SSID. | |
| new_password network_id password | |
| Change the password for an SSID. | |
| PIN network_id pin | |
| Configure a PIN for an SSID. | |
| passphrase network_id passphrase | |
| Configure a private key passphrase for an SSID. | |
| bssid network_id bssid | |
| Set a preferred BSSID for an SSID | |
| blacklist [bssid | clear] | |
| Add a BSSID to the blacklist. When invoked without any extra arguments, display the blacklist. Specifying clear causes wpa_cli to clear the blacklist. | |
| list_networks | |
| List configured networks. | |
| select_network network_id | |
| Select a network and disable others. | |
| enable_network network_id | |
| Enable a network. | |
| disable_network network_id | |
| Disable a network. | |
| add_network | |
| Add a network. | |
| remove_network network_id | |
| Remove a network. | |
| set_network [network_id variable value] | |
| Set network variables. Shows a list of variables when run without arguments. | |
| get_network network_id variable | |
| Get network variables. | |
| disconnect | |
| Disconnect and wait for reassociate/reconnect command before connecting. | |
| reconnect | |
| Similar to reassociate, but only takes effect if already disconnected. | |
| scan | Request new BSS scan. |
| scan_results | |
| Get the latest BSS scan results. This command can be invoked after running a BSS scan with scan. | |
| bss [idx | bssid] | |
| Get a detailed BSS scan result for the network identified by "bssid" or "idx". | |
| otp network_id password | |
| Configure a one-time password for an SSID. | |
| terminate | |
| Force wpa_supplicant(8) to terminate. | |
| interface_add ifname [confname driver ctrl_interface driver_param bridge_name] | |
| Add a new interface with the given parameters. | |
| interface_remove ifname | |
| Remove the interface. | |
| interface_list | |
| List available interfaces. | |
| quit | Exit wpa_cli. |
| WPA_CLI (8) | January 24, 2017 |
| Main index | Section 8 | Options |
Please direct any comments about this manual page service to Ben Bullock. Privacy policy.
| “ | A child of 5 could understand this! Fetch me a child of 5. | ” |