WPA command-line client for interacting with wpa_supplicant


wpa_cli-version  [-p path to ctrl sockets] 
                [-i ifname] 
                [-hvB] [-a action file] 
                [-P pid file] [-g global ctrl[command ... ]

Runs on:

QNX Neutrino


-p path
Change the path where control sockets should be found.
-i ifname
Specify the interface that is being configured. By default, choose the first interface found with a control socket in the socket path.
Help. Show a usage message.
Show version information.
Run as a daemon in the background.
-a file
Run in daemon mode executing the action file based on events from wpa_supplicant. The specified file will be executed with the first argument set to the interface name, and the second to CONNECT or DISCONNECT, depending on the event.
-P file
Set the location of the PID file.
Run a command; see Supported commands,” below.


The wpa_cli utility is a text-based front-end program for interacting with wpa_supplicant. You can use it to query the current status, change the configuration, trigger events, and request interactive user input.

The number in the wpa_cli utility name indicates the wpa_supplicant version it supports. For example, wpa_cli-2.5 supports version 2.5.

The default path is /var/run/wpa_supplicant-version. The default interface is the first interface found in the socket path.

The wpa_cli utility can show the current authentication status, selected security mode, dot11 and dot1x MIBs, etc. In addition, it can configure some variables like EAPOL state machine parameters and trigger events like reassociation and IEEE 802.1X logoff/logon.

The wpa_cli utility provides a user interface to request authentication information, such as user name and password, if these aren't included in the configuration. You can use this to implement, for example, one-time passwords or generic token card authentication where the authentication is based on a challenge-response that uses an external device for generating the response.

You can configure the control interface of wpa_supplicant to allow non-root user access (ctrl_interface_group in the configuration file). This makes it possible to run wpa_cli with a normal user account.

The wpa_cli utility supports interactive and command-line modes. Both modes share the same command set, and the main difference is in interactive mode providing access to unsolicited messages (event messages, user name/password requests).

If you don't specify a command when you start wpa_cli, the utility goes into interactive mode. You then enter commands at the wpa_cli prompt.

Supported commands

The wpa_cli utility currently supports the following commands:

Add a network.
bssid network_id BSSID
Set the preferred BSSID for an SSID.
disable_network network_id
Disable a network.
Disconnect and wait for a reassociate command before connecting.
enable_network network_id
Enable a network.
get_capability eap | pairwise | group | key_mgmt | proto | auth_alg
Get capabilities.
get_network network_id variable
Get network variables.
Display usage information.
identity network_id identity
Configure the identity for an SSID.
interface [ifname]
Show interfaces or select the specified interface.
level debug_level
Change the debugging level.
Show the full wpa_cli license.
List the configured networks.
IEEE 802.1X EAPOL state machine logoff.
IEEE 802.1X EAPOL state machine logon.
Get MIB variables (dot1x, dot11).
otp network_id password
Configure a one-time password for an SSID.
passphrase network_id passphrase
Configure a private key passphrase for an SSID.
password network_id password
Configure a password for an SSID.
pin network_id pin
Configure a pin for an SSID.
Show the PMKSA cache.
preauthenticate BSSID
Force preauthentication.
Exit wpa_cli.
Force a reassociation.
Force wpa_supplicant to reread its configuration file.
remove_network network_id
Remove a network.
Save the current configuration.
Request a new BSS scan.
Get the latest scan results.
select_network network_id
Select a network (disable others).
set [variable value]
Set variables (shows list of variables when run without arguments).
set_network network_id variable value
Set network variables (shows list of variables when run without arguments).
Terminate wpa_supplicant.

Interactive authentication parameters request

When wpa_supplicant needs authentication parameters (for example, a username and password, which are not contained in the configuration file), it sends a request message to all attached front-end programs (for example, wpa_cli) in interactive mode.

The wpa_cli utility shows these requests with "CTRL-REQ-type-id:text" prefix.

IDENTITY, PASSWORD, or OTP (one-time-password).
A unique identifier for the current network.
A description of the request. In the case of an OTP request, it includes the challenge from the authentication server.

The reply to these requests can be given with identity, password, and otp commands. The id needs to be copied from the matching request. The password and otp commands can be used regardless of whether the request was for PASSWORD or OTP.

The main difference between these two commands is that values given with password are remembered as long as the wpa_supplicant utility is running whereas values given with otp are used only once and then forgotten. The wpa_supplicant utility will ask the front end for a new value for every use. This behavior can be used to implement one-time-password lists and generic token card-based authentication


The following example is a request for a password and a matching reply:

CTRL-REQ-PASSWORD-1:Password needed for SSID foobar

> password 1 mysecretpassword

The following example is a request for a generic token card challenge-response:

CTRL-REQ-OTP-2:Challenge 1235663 needed for SSID foobar

> otp 2 9876