wpasupplicant and multiple/hidden SSIDs

Dan Williams dcbw at redhat.com
Fri Dec 7 14:12:36 EST 2007

On Fri, 2007-12-07 at 10:47 -0800, Dave Hansen wrote:
> I have a particularly nasty set of access points at work.  I think it's
> all intentional, but it causes pains for wpasupplicant.  The APs
> advertise an unencrypted "COMPANYVISITOR" network, but are also capable
> of WPA when you associate with the "COMPANY" SSID.  Also, I do not think
> they start to advertise WPA/RSN IE in their beacon frame until after you
> explicitly set the SSID.  The only reason I know this is that
> wpasupplicant wouldn't try to associate with them using my wpa-enabled
> config entry even when I tried to force it.
> ap_scan=2 works just fine for these.  But, I'd also like to use the
> same .conf file at home and I'd prefer not to fiddle with it whenever I
> move back and forth.  ap_scan=2 sadly won't search for multiple SSIDs:
> it simply uses the first one.

This just won't work then.  ap_scan=2 is required for use with hidden
networks, and you can't switch between ap_scan=1 and ap_scan=2 on the
fly unless you're talking to the supplicant with wpa_cli or the D-Bus
control interface.  You probably want something like NetworkManager or
some other automatic tool that handles these things transparently.

> I've hacked a little "scan_ssid=2" option into my version of
> wpasupplicant, but I've now realized that I hacked it in pretty badly.
> Would adding something like 'advertised_ssid="VISITOR"' option be useful
> functionality to anyone else?  It would separate the SSID for which we
> scan from the one with which we actually try to associate.  

Not really, since that's a completely different network in reality.
That also confuses the purpose of network blocks unnecessarily.

> Any ideas on how to solve this nicely?  Could we have ap_scan=2 timeout
> after it fails to authenticate?  Or, have a select set of SSIDs that get
> ap_scan=2 behavior while not extending it to all SSIDs?

Yeah, the problem is that the ap_scan stuff just isn't granular enough
when you're using the config file format, or when you're letting
wpa_supplicant alone handle the roaming.

What you _really_ want is ap_scan=1 + scan_ssid=1 in your network block.
Try that.  If your driver supports specific SSID scanning, it'll
probably work for you.  If your driver doesn't then you probably need to
get a better network card or find a good driver :)  Any driver based on
mac80211, or the ipw2200, or the hostap driver will work with
scan_ssid=1.  Most others, probably not.


More information about the HostAP mailing list