Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
WPA_CLI(8)		FreeBSD	System Manager's Manual		    WPA_CLI(8)

     wpa_cli --	text-based frontend program for	interacting with wpa_suppli-

     wpa_cli [-p path_to_ctrl_sockets] [-i ifname] [-hvB] [-a action_file]
	     [-P pid_file] [-g global_ctrl] [-G	ping_interval] command ...

     The wpa_cli utility is a text-based frontend program for interacting with
     wpa_supplicant(8).	 It is used to query current status, change configura-
     tion, trigger events, and request interactive user	input.

     The wpa_cli utility can show the current authentication status, selected
     security mode, dot11 and dot1x MIBs, etc.	In addition, wpa_cli can con-
     figure EAPOL state	machine	parameters and trigger events such as reasso-
     ciation and IEEE 802.1X logoff/logon.

     The wpa_cli utility provides an interface to supply authentication	infor-
     mation such as username and password when it is not provided in the
     wpa_supplicant.conf(5) configuration file.	 This can be used, for exam-
     ple, to implement one-time	passwords or generic token card	authentication
     where the authentication is based on a challenge-response that uses an
     external device for generating the	response.

     The wpa_cli utility supports two modes: interactive and command line.
     Both modes	share the same command set and the main	difference is in in-
     teractive mode providing access to	unsolicited messages (event messages,
     username/password requests).

     Interactive mode is started when wpa_cli is executed without any parame-
     ters on the command line.	Commands are then entered from the controlling
     terminal in response to the wpa_cli prompt.  In command line mode,	the
     same commands are entered as command line arguments.

     The control interface of wpa_supplicant(8)	can be configured to allow
     non-root user access by using the ctrl_interface_group parameter in the
     wpa_supplicant.conf(5) configuration file.	 This makes it possible	to run
     wpa_cli with a normal user	account.

     When wpa_supplicant(8) needs authentication parameters, such as username
     and password, that	are not	present	in the configuration file, it sends a
     request message to	all attached frontend programs,	e.g., wpa_cli in in-
     teractive mode.  The wpa_cli utility shows	these requests with a
     "CTRL-REQ-<type>-<id>:<text>" prefix, where <type>	is IDENTITY, PASSWORD,
     or	OTP (One-Time Password), <id> is a unique identifier for the current
     network, <text> is	a description of the request.  In the case of an OTP
     (One-Time Password) request, it includes the challenge from the authenti-
     cation server.

     A user must supply	wpa_supplicant(8) the needed parameters	in response to
     these requests.

     For example,

	   CTRL-REQ-PASSWORD-1:Password	needed for SSID	foobar
	   > password 1	mysecretpassword

	   Example request for generic token card challenge-response:

	   CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar
	   > otp 2 9876

     These options are available:

     -p	path
	     Control sockets path.  This should	match the ctrl_interface in
	     wpa_supplicant.conf(5).  The default path is

     -i	ifname
	     Interface to be configured.  By default, the first	interface
	     found in the socket path is used.

     -h	     Show help.

     -v	     Show version information.

     -B	     Run the daemon in the background.

     -a	action_file
	     Run in daemon mode, executing the action file based on events
	     from wpa_supplicant(8).

     -P	pid_file
	     PID file location.

     -g	global_ctrl
	     Use a global control interface to wpa_supplicant(8) rather	than
	     the default Unix domain sockets.

     -G	ping_interval
	     Wait "ping_interval" seconds before sending each ping to
	     wpa_supplicant(8).	 See the ping command.

	     See available commands in the next	section.

     These commands can	be supplied on the command line	or at a	prompt when
     operating interactively.

     status  Report the	current	WPA/EAPOL/EAP status for the current inter-

     ifname  Show the current interface	name.  The default interface is	the
	     first interface found in the socket path.

     ping    Ping the wpa_supplicant(8)	utility.  This command can be used to
	     test the status of	the wpa_supplicant(8) daemon.

     mib     Report MIB	variables (dot1x, dot11) for the current interface.

     help    Show usage	help.

     interface [ifname]
	     Show available interfaces and/or set the current interface	when
	     multiple interfaces are available.

     level debug_level
	     Change the	debugging level	in wpa_supplicant(8).  Larger numbers
	     generate more messages.

	     Display the full license for wpa_cli.

     logoff  Send the IEEE 802.1X EAPOL	state machine into the "logoff"	state.

     logon   Send the IEEE 802.1X EAPOL	state machine into the "logon" state.

     set [settings]
	     Set variables.  When no arguments are supplied, the known vari-
	     ables and their settings are displayed.

     pmksa   Show the contents of the PMKSA cache.

	     Force a reassociation to the current access point.

	     Force wpa_supplicant(8) to	re-read	its configuration file.

     preauthenticate BSSID
	     Force preauthentication of	the specified BSSID.

     identity network_id identity
	     Configure an identity for an SSID.

     password network_id password
	     Configure a password for an SSID.

     new_password network_id password
	     Change the	password for an	SSID.

     PIN network_id pin
	     Configure a PIN for an SSID.

     passphrase	network_id passphrase
	     Configure a private key passphrase	for an SSID.

     bssid network_id bssid
	     Set a preferred BSSID for an SSID

     blacklist [bssid |	clear]
	     Add a BSSID to the	blacklist.  When invoked without any extra ar-
	     guments, display the blacklist.  Specifying clear causes wpa_cli
	     to	clear the blacklist.

	     List configured networks.

     select_network network_id
	     Select a network and disable others.

     enable_network network_id
	     Enable a network.

     disable_network network_id
	     Disable a network.

	     Add a network.

     remove_network network_id
	     Remove a network.

     set_network [network_id variable value]
	     Set network variables.  Shows a list of variables when run	with-
	     out arguments.

     get_network network_id variable
	     Get network variables.

	     Disconnect	and wait for reassociate/reconnect command before con-

	     Similar to	reassociate, but only takes effect if already discon-

     scan    Request new BSS scan.

	     Get the latest BSS	scan results.  This command can	be invoked af-
	     ter running a BSS scan with scan.

     bss [idx |	bssid]
	     Get a detailed BSS	scan result for	the network identified by
	     "bssid" or	"idx".

     otp network_id password
	     Configure a one-time password for an SSID.

	     Force wpa_supplicant(8) to	terminate.

     interface_add ifname [confname driver ctrl_interface driver_param
	     Add a new interface with the given	parameters.

     interface_remove ifname
	     Remove the	interface.

	     List available interfaces.

     quit    Exit wpa_cli.

     wpa_supplicant.conf(5), wpa_supplicant(8)

     The wpa_cli utility first appeared	in FreeBSD 6.0.

     The wpa_cli utility was written by	Jouni Malinen <>.  This manual
     page is derived from the README and wpa_cli.c files included in the
     wpa_supplicant distribution.

FreeBSD	13.0		       January 24, 2017			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help