
# hostapd

hostapd is a user space daemon that implements IEEE 802.11 access point management and authentication servers, enabling the creation of hotspots and handling authentication for wireless networks. It supports key protocols including IEEE 802.1X for port-based network access control, WPA, WPA2, and WPA3 for secure wireless authentication and encryption, Extensible Authentication Protocol (EAP) methods, and RADIUS for remote authentication dial-in user service, allowing it to function as both an authenticator and a server. Developed by Jouni Malinen and initially released in 2002, hostapd is part of the broader hostap project, which also includes wpa_supplicant for the client side, and it is licensed under the BSD license. The software operates on Linux systems (primarily using the nl80211 driver interface with mac80211-based drivers, as well as legacy drivers like Host AP), as well as FreeBSD with the net80211 framework, providing a flexible backend for turning compatible hardware into access points without relying on proprietary firmware. Configuration is managed through a text-based file (typically hostapd.conf), which defines parameters like SSID, settings, and methods, while a command-line interface (hostapd_cli) allows runtime control and monitoring of the daemon's operations. Hostapd's modular design includes an EAP server implementation compliant with RFC 3748, supporting various methods, some with keying material for /WEP integration, and it facilitates advanced features like per-BSS (Basic Service Set) data handling for multi-virtual interface setups. As an open-source tool, it has been widely adopted in systems, routers, and environments for prototyping and deploying secure infrastructures, with ongoing development tracked through the hostap Git repository.

## Overview

### Purpose and Functionality

hostapd is a user-space daemon designed for access point and authentication servers, implementing IEEE 802.11 access point functions, including authentication, association, and other processing. This implementation occurs in the user space, allowing it to interface with kernel-level drivers to manage wireless operations without embedding AP-specific logic directly in the hardware firmware.

A primary role of hostapd is to enable standard wireless network interface cards (NICs) to operate as access points or hotspots, provided the underlying drivers support access point (AP) mode, such as mac80211-based drivers in Linux. By handling the necessary protocols in software, hostapd eliminates the requirement for dedicated hardware or firmware, making it possible to repurpose commodity WLAN hardware for hotspot creation.

hostapd serves as an authenticator for IEEE 802.1X, managing port access entity (PAE) operations and supporting both RADIUS client functionality to forward requests to external servers and integrated server operations for standalone operation. This dual capability allows it to enforce secure network access using protocols like EAP, ensuring encrypted connections via WPA/WPA2/WPA3 without relying on third-party infrastructure in all scenarios. Common use cases include deploying software-based Wi-Fi networks on general-purpose computers, such as turning a server or laptop into an access point for local connectivity in environments like home networks, educational settings, or temporary hotspots.

### Supported Standards

hostapd provides core support for IEEE 802.11 access point management, including processes such as beaconing, probing, and station association, enabling the implementation of access points across various amendments like 802.11a/b/g/n/ac/ax/be depending on the underlying hardware and driver capabilities. It implements IEEE 802.1X for port-based network access control, facilitating authentication and key distribution in enterprise environments through the Extensible Authentication Protocol over LAN (EAPOL).

For security, hostapd supports Wi-Fi Protected Access (WPA) using TKIP for personal and enterprise modes, WPA2 based on IEEE 802.11i/RSN with CCMP (AES in Counter mode with CBC-MAC) encryption, and WPA3 incorporating enhanced protections against offline dictionary attacks. WPA3 support includes Simultaneous Authentication of Equals (SAE) for personal networks, configured via key management options like SAE and FT-SAE, which provide forward secrecy and resistance to brute-force attacks. The daemon also enables PMKSA (Pairwise Master Key Security Association) caching and opportunistic key caching to optimize re-authentication during handoffs, reducing latency in roaming scenarios. Additionally, basic support for IEEE 802.11r (Fast Basic Service Set Transition) is available, allowing fast roaming through mechanisms like over-the-air or over-the-DS transitions, configurable with mobility domain identifiers and FT key lifetimes.

hostapd integrates an EAP server supporting multiple methods for authentication, including EAP-TLS (certificate-based), EAP-PEAPv0/v1 (with inner methods like MSCHAPv2 or GTC), EAP-TTLSv0/v1 (with PAP, CHAP, MSCHAPv2, or EAP-MD5-Challenge), EAP-MSCHAPv2, EAP-SIM/AKA (for SIM-based authentication), EAP-pwd (password-based), and others such as EAP-MD5-Challenge, EAP-GTC, and EAP-IKEv2. These methods can operate with an internal EAP server or via external RADIUS servers, where hostapd acts as a RADIUS client or authenticator, encapsulating EAP packets for backend authentication.

For hardware integration on modern Linux kernels, hostapd utilizes the nl80211 driver interface, which supports advanced features like high-throughput (HT), very high throughput (VHT), high efficiency (HE), and extremely high throughput (EHT) capabilities corresponding to 802.11n/ac/ax/be amendments (with preliminary EHT support as of version 2.11 in 2024). This interface handles AP mode operations for mac80211-based drivers, ensuring compatibility with contemporary wireless chipsets.

## History

### Development Origins

hostapd originated in 2002–2003 as part of the Host AP project, led by Jouni Malinen, to enable support for Prism2/2.5/3 cards on Linux systems. The project addressed the absence of open-source tools capable of transforming standard machines into functional access points, particularly in an era when proprietary firmware and closed-source drivers dominated wireless networking. Initial development focused on integrating with the Host AP kernel driver for Prism chipsets, allowing user-space control over access point operations without deep kernel modifications. This effort was motivated by the growing need for secure, open wireless infrastructure amid vulnerabilities in early protocols like WEP, prompting the inclusion of IEEE 802.1X and emerging WPA support from the outset.

hostapd was designed as a user-space daemon to handle authentication, association, and RADIUS integration, decoupling these functions from kernel-level drivers to facilitate portability across different hardware, including early wireless stacks like MadWifi for Atheros-based cards. By emphasizing modularity, the software avoided heavy reliance on specific kernel versions, enabling broader adoption in the open-source community. From its inception, hostapd was released under a BSD license (with the advertising clause removed), promoting free redistribution and modification while aligning with the project's goal of fostering collaborative wireless development. Its initial implementation complemented the simultaneous development of wpa_supplicant in 2003, which provided client-side supplicant functionality; together, they formed a cohesive framework for IEEE 802.1X/WPA authentication, with hostapd serving as the authenticator relaying EAPOL frames. Early mailing list discussions from January 2003 highlight community interest in enhancing hostapd for forking and additional features, underscoring its rapid evolution within the Host AP ecosystem.

### Key Milestones

In 2004, hostapd integrated support for WPA and WPA2, coinciding with the IEEE 802.11i standard's ratification on June 24, 2004, which formalized robust security mechanisms for wireless networks. This addition enabled hostapd to serve as an authenticator implementing the RSN (Robust Security Network) features defined in the standard, marking a pivotal shift toward secure access point operations. By 2006, hostapd introduced an integrated EAP server implementation, allowing local processing of methods without relying solely on external servers, alongside enhancements to RADIUS integration for improved authentication handling. These updates expanded hostapd's role in enterprise-grade 802.1X deployments, supporting methods like EAP-TLS and EAP-PEAP directly within the daemon.

During the 2010s, hostapd transitioned to the nl80211 driver interface, enhancing compatibility with the Linux kernel's mac80211 subsystem and enabling support for a wider array of hardware. This shift, initiated around 2010, facilitated better integration with modern chipsets and improved management of features like channel switching and frame handling. Preliminary support for WPA3, including Simultaneous Authentication of Equals (SAE) for personal mode, was added in 2018, aligning with the Wi-Fi Alliance's certification program launch.

From 2020 to 2024, hostapd saw iterative releases bolstering security and protocol features. Version 2.10, released on January 16, 2022, incorporated enhancements to SAE, such as improved protections and options for sending SAE Confirm messages, alongside refinements to OWE (Opportunistic Wireless Encryption) key derivation. Version 2.11, released on July 20, 2024, addressed security vulnerabilities including explicit SSID protection in the 4-way handshake (mitigating CVE-2023-52424) and stricter validation of SAE rejected groups to prevent downgrades, while adding hardware offload support for drivers like those compatible with MT792x chipsets.

Throughout its evolution, hostapd has been maintained under the w1.fi project by Jouni Malinen, with significant contributions from the Linux Wireless community via the hostap mailing list and git repository. This collaborative effort ensures ongoing alignment with emerging IEEE 802.11 amendments and kernel developments.

## Implementations

### Jouni Malinen's hostapd

Jouni Malinen's hostapd is the primary and actively maintained open-source implementation of a user-space daemon for IEEE 802.11 access points and authentication servers, developed by Jouni Malinen along with various contributors. Released under the BSD license, it provides robust support for managing wireless access points, including full IEEE 802.11 access point management capabilities. The latest stable release, version 2.11, was made available on July 20, 2024, incorporating ongoing enhancements tracked through detailed changelogs.

Key features of this implementation include an integrated EAP and RADIUS server for authentication, support for WPA3-SAE (Simultaneous Authentication of Equals) to enable secure password-based authentication, and the ability to handle multi-BSS configurations for virtual access points on a single physical radio. It also accommodates vendor-specific elements in beacons and probe responses, allowing customization for proprietary hardware extensions. These features make it suitable for deploying enterprise-grade networks with advanced security protocols. In March 2025, a vulnerability (CVE-2025-24912) was disclosed affecting RADIUS packet processing, potentially allowing man-in-the-middle attacks to disrupt authentications; users are advised to update to patched versions.

This version supports a wide range of drivers, particularly those based on nl80211 with the mac80211 framework, including ath9k and ath10k for Atheros/Qualcomm chipsets, iwlwifi for Intel wireless adapters, and others like b43 for Broadcom. It is compatible with multiple operating systems, enabling deployment across diverse embedded and desktop environments. Active development continues through a public repository, with recent updates adding support for enhancements like the Device Provisioning Protocol (DPP) in Wi-Fi Easy Connect, as seen in version 2.11. The project's official resources are hosted at w1.fi/hostapd.

### OpenBSD's hostapd

OpenBSD's hostapd is a specialized user-space daemon developed by Reyk Floeter for enhancing management within the operating system. First introduced in OpenBSD 3.8 on November 1, 2005, its last stable release, version 3.9, arrived with OpenBSD 3.9 on May 1, 2006. Distributed under the BSD license as part of the OpenBSD base system, it emphasizes security through code auditing and minimalism.

This implementation introduces unique features tailored for robust wireless environments, including enhanced roaming support via the Inter-Access Point Protocol (IAPP) defined in IEEE 802.11f. IAPP enables access points to exchange station association updates across an Extended Service Set (ESS), facilitating seamless handoffs for mobile clients in large-scale deployments, such as those spanning dozens of OpenBSD-based access points. Additionally, it provides advanced monitoring tools, such as event-based logging of station movements and beacon frames to detect rogue access points, along with frame injection capabilities using bpf(4) for debugging and basic wireless intrusion prevention, like sending deauthentication frames against unauthorized devices. These features include rate limiting for detection of abuse, such as logging events when more than 100 non-beacon management frames are received in 5 seconds to identify potential DoS attacks.

Deeply integrated with OpenBSD's net80211 kernel wireless stack, hostapd operates alongside drivers in Host AP mode, such as ath(4) for Atheros chipsets, to track station states and manage resources efficiently. While the broader wireless framework supports authentication and WPA encryption through kernel-level mechanisms like (8), this hostapd variant prioritizes roaming and monitoring over direct authentication handling and omits support for subsequent protocols like WPA3. Configurations leverage radiotap headers for detailed information, including signal strength and transmission rates, to aid in network optimization.

Documentation for OpenBSD's hostapd is comprehensively provided through system manual pages, including hostapd(8) for daemon operation and hostapd.conf(5) for configuration syntax, such as defining IAPP multicast interfaces or event rules for frame handling. Its inclusion in the base installation ensures audited, secure usage without external dependencies, promoting reliable deployment in environments prioritizing stability and minimal attack surface.

### Devicescape's hostapd

Devicescape's hostapd was a GPL-licensed fork of the original hostapd software, developed by Devicescape Software, Inc. as part of their efforts to build an open-source stack. Based closely on early versions of Jouni Malinen's hostapd, it integrated with Devicescape's proprietary Linux wireless driver stack to enable access point functionality, including support for authentication and management features tailored to their Universal Wireless Platform (UWP). Launched around 2006–2007 amid Devicescape's commercial push into wireless networking solutions, the project aimed to provide a complete open-source AP implementation compatible with wireless extensions, supporting chipsets from vendors such as Atheros and Marvell.

The fork operated under GPL version 2, with no independent stable releases issued; instead, key components such as the Devicescape-specific driver interface were contributed upstream to the main hostapd repository. The project's website, devicescape.org, is now inactive. Development on the fork ceased by the late 2000s, as evidenced by the 2007 upstream integration and renaming of the Devicescape driver to the more general nl80211 interface, reflecting a shift in focus toward Devicescape's commercial products like Wi-Fi offload and analytics services. The company experienced limited adoption of its open-source contributions due to the rapid evolution of Linux wireless subsystems, and the fork lacks support for modern features such as WPA3 or contemporary drivers. Devicescape itself was acquired by Pareteum Corporation in 2019; Pareteum filed for Chapter 11 bankruptcy in 2022, further marking the end of any potential revival for the project.

## Configuration and Usage

### Configuration File Structure

The hostapd configuration file, typically named hostapd.conf and located at /etc/hostapd/hostapd.conf in many distributions, uses an INI-style format consisting of key-value pairs separated by equals signs, with comments prefixed by # and sections delineated by comment headers such as `##### IEEE 802.11 related configuration #####`. Empty lines and commented lines are ignored, allowing for flexible organization of parameters into logical groups without strict section brackets.

Core global parameters define the overall setup for the access point. The interface parameter specifies the network device name, such as wlan0, which can be overridden via the command-line -i option. The driver parameter selects the interface type for hardware control, with common values including nl80211 for Linux mac80211 drivers or hostap as the default. Additional foundational settings include country_code, which sets the ISO/IEC 3166-1 regulatory domain (e.g., US) to enforce local channel and power limits, and ctrl_interface, which defines the path for the UNIX domain socket (default: /var/run/hostapd) to enable external control via tools like hostapd_cli.

Parameters related to the Basic Service Set (BSS) configure the wireless network specifics, often following the global settings in the file. The ssid parameter sets the network identifier, supporting formats like plain text (e.g., ssid=MyNetwork), double-quoted strings, or hexdump representations. The hw_mode parameter specifies the operational frequency band, such as g for 2.4 GHz 802.11g or a for 5 GHz 802.11a, with a default of b if unset. The channel parameter assigns the operating channel number (e.g., channel=6), defaulting to 0 (unset), and may integrate with automatic channel selection if the CONFIG_ACS build option is enabled.

Security parameters enable authentication and encryption protocols within the BSS section. The wpa parameter activates WPA modes as a bitfield (bit 0 for WPA, bit 1 for WPA2/RSN), such as wpa=2 for WPA2 only, with WPA disabled by default. For pre-shared key authentication, wpa_passphrase provides an ASCII string of 8-63 characters (e.g., wpa_passphrase=MySecurePass). The rsn_pairwise parameter defines cipher suites for unicast encryption under RSN, such as CCMP for AES-based protection, defaulting to the value of wpa_pairwise if unspecified. For enterprise authentication, eap_server=1 enables the integrated EAP server, requiring a companion eap_user_file for the user database.

Advanced parameters extend functionality for specialized deployments. The multi_ap parameter configures Multi-AP coordination (0 for disabled, 1 for backhaul BSS, 2 for fronthaul, 3 for both), defaulting to 0 and supporting virtual instances. Management frame protection, which guards against forged deauthentication frames, is handled by ieee80211w, with values of 0 (disabled), 1 (optional), or 2 (required), defaulting to 0. For multiple SSIDs, additional configurations are added using bss=<interface_name> sections, each with their own ssid and security settings.

```
# Example minimal hostapd.conf for WPA2-PSK on 2.4 GHz
interface=wlan0
driver=nl80211
country_code=US
ctrl_interface=/var/run/hostapd

ssid=MyAP
hw_mode=g
channel=6
# WPA2/RSN only (bit 1 of the wpa bitfield)
wpa=2
# Placeholder passphrase (8-63 characters); replace before use
wpa_passphrase=secretpass
rsn_pairwise=CCMP
# Management frame protection: 1 = optional, 2 = required
ieee80211w=1
```

### Basic Setup Examples

To deploy a basic hostapd-based access point, begin by preparing the wireless interface on a Linux system supporting the nl80211 driver, such as those using mac80211-compatible hardware like ath9k chips. First, create a virtual AP interface from the physical one (e.g., wlan0) using the iw tool: `iw dev wlan0 interface add ap0 type __ap`. Next, bring the interface up and assign it an IP address, for example: `ifconfig ap0 up 192.168.1.1 netmask 255.255.255.0`.[](https://w1.fi/hostapd/)

For a minimal open SSID configuration on the 2.4 GHz band using channel 6, create a configuration file such as `/etc/hostapd/hostapd.conf` with the following essential parameters:

```
interface=ap0
driver=nl80211
ssid=OpenAP
hw_mode=g
channel=6
```

This setup enables an open wireless network without encryption, suitable for testing or non-sensitive environments.[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf) To start the access point, run the hostapd daemon with the configuration file: `hostapd /etc/hostapd/hostapd.conf`.

For a more secure WPA2-PSK setup, extend the minimal configuration by adding WPA2 parameters, including a passphrase (8-63 characters) and pairwise ciphers like CCMP for AES encryption. Update the `/etc/hostapd/hostapd.conf` file as follows:

```
interface=ap0
driver=nl80211
ssid=WPA2AP
hw_mode=g
channel=6
wpa=2
wpa_passphrase=your_secure_passphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
```

This configuration enforces WPA2-Personal authentication with pre-shared key security.[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf) Launch it using the same command: `hostapd /etc/hostapd/hostapd.conf`.

To troubleshoot issues during setup, such as failure to start the AP or association problems, enable debug mode by running `hostapd -d /etc/hostapd/hostapd.conf`, which outputs verbose logs to the console for identifying errors like driver incompatibilities or channel conflicts. Additionally, ensure no conflicts with network management services by stopping NetworkManager if active: `systemctl stop NetworkManager`, as it may interfere with manual interface control. For persistent logging, add `logger_syslog=-1` and `logger_syslog_level=2` to the configuration file and monitor system logs via syslog.

## Integrations and Related Software

### Relation to wpa_supplicant

hostapd and wpa_supplicant are developed as complementary components within the same open-source project led by Jouni Malinen, with wpa_supplicant managing client-side Wi-Fi authentication and association, while hostapd handles server-side operations for access points, including IEEE 802.1X/WPA/EAP authenticator functions.[](https://w1.fi/)[](https://w1.fi/wpa_supplicant/devel/)

Both tools are compiled from a shared source tree in the hostap Git repository, enabling unified builds that include either or both daemons depending on configuration flags.[](https://w1.fi/wpa_supplicant/devel/) The configuration files, hostapd.conf and wpa_supplicant.conf, exhibit structural similarities, particularly in sections defining EAP methods, such as shared parameters for certificates, TLS sessions, and user databases, which facilitate consistent implementation of authentication protocols across client and server roles.[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)

A common use case involves deploying both on a single machine for testing internal networks, where virtual wireless interfaces allow hostapd to operate as the access point and wpa_supplicant as the connecting client, simulating end-to-end Wi-Fi interactions without additional hardware.

These tools share enhancements for modern security features, including support for WPA3 protocols like SAE (Simultaneous Authentication of Equals) and Protected Management Frames (PMF) to mitigate certain attack vectors, as well as integration with the mac80211_hwsim kernel module for simulating radio environments during development and testing.[](https://w1.fi/wpa_supplicant/)[](https://lists.infradead.org/pipermail/hostap/2016-October/036430.html)

### Use in Operating Systems and Distributions

hostapd is widely packaged and utilized in major Linux distributions for creating wireless access points. In Ubuntu, it is available through the official repositories and can be installed via the `apt` package manager, enabling users to set up hotspots with integration to tools like NetworkManager or direct systemd service management.[](https://www.cyberciti.biz/faq/debian-ubuntu-linux-setting-wireless-access-point/) Similarly, Arch Linux includes hostapd in its core repositories, where it is documented for software access point configurations, often paired with systemd for automated hotspot startup.[](https://wiki.archlinux.org/title/Software_access_point) Gentoo provides hostapd via the Portage system, allowing customization through USE flags for features like full dynamic VLAN support, and it is commonly deployed with OpenRC or systemd for persistent Wi-Fi services.[](https://wiki.gentoo.org/wiki/Hostapd)

In BSD variants, hostapd integrates seamlessly with native wireless stacks. FreeBSD offers hostapd through its ports collection, supporting the net80211 framework for IEEE 802.11 access point management and authentication.[](https://www.freshports.org/net/hostapd/) DragonFly BSD inherits similar net80211 compatibility, making hostapd available via dports (net/hostapd).[](https://www.dragonflybsd.org/release44/)

For mobile and embedded environments, Android bundles hostapd in the Android Open Source Project (AOSP) to support Wi-Fi tethering and access point modes, interfacing with the framework's HAL for vendor-specific drivers. QNX incorporates hostapd as a utility for real-time embedded systems, providing IEEE 802.11 AP and RADIUS authentication capabilities in automotive and industrial applications.[](https://www.qnx.com/developers/docs/8.0/com.qnx.doc.neutrino.utilities/topic/h/hostapd.html)

Practical deployments highlight hostapd's versatility. LibreMesh, an OpenWrt-based framework for community mesh networks, relies on hostapd to manage access points and mesh interfaces across distributed nodes.[](https://blog.freifunk.net/2025/07/15/virtual-wifi-in-libremesh-real-virtual-mesh-midterm-project-update/) In Raspberry Pi OS, hostapd is used to configure IoT devices as wireless access points, often in conjunction with dnsmasq for DHCP services in home automation setups.[](https://pimylifeup.com/raspberry-pi-wireless-access-point/) Additionally, hostapd maintains compatibility with Linux kernel modules like cfg80211, ensuring broad support for modern wireless hardware in these ecosystems. As of 2024, version 2.11 of hostapd, which includes support for Wi-Fi Easy Connect (DPP release 3), is integrated in distributions such as OpenWrt and Android.[](https://w1.fi/hostapd/files/hostapd-2.11.tar.gz)

## Security and Developments

### Supported Security Protocols

hostapd implements support for the Wi-Fi Protected Access (WPA) and WPA2 protocols, enabling both Personal (pre-shared key, PSK) and Enterprise (802.1X/EAP-based) authentication modes. In Personal mode, WPA uses the Temporal Key Integrity Protocol (TKIP) for pairwise and group ciphers, providing per-packet RC4 encryption with Michael message integrity checks and replay protection. WPA2, aligned with IEEE 802.11i, employs the Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP) based on AES for enhanced security, supporting pre-authentication and Pairwise Master Key Security Association (PMKSA) caching to optimize roaming. Transition modes allow mixed WPA/WPA2 environments to accommodate legacy clients, while WPA2/WPA3 transitions are enabled using `wpa=2` and `wpa_key_mgmt` including both WPA-PSK and SAE, for example.[](https://w1.fi/hostapd/)[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)

WPA3 extends security with Simultaneous Authentication of Equals (SAE) for Personal mode, replacing PSK to mitigate offline dictionary attacks through a Dragonfly key exchange, using elliptic curve Diffie-Hellman groups specified in `sae_groups`. For open networks, Enhanced Open mode integrates Opportunistic Wireless Encryption (OWE), providing per-client pairwise encryption without authentication via Diffie-Hellman key derivation, enabled through `owe_groups` and transition SSID parameters to facilitate migration from legacy open networks. WPA3-Enterprise supports a 192-bit security suite (Suite B) for high-assurance environments, incorporating stronger ciphers like GCMP-256 and requiring Management Frame Protection, activated via `wpa_key_mgmt=WPA-EAP-SUITE-B-192`. These features ensure forward secrecy and protection against downgrade attacks when `transition_disable` bits are set appropriately.[](https://w1.fi/hostapd/)[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)

As an IEEE 802.1X authenticator, hostapd integrates an internal EAP server supporting methods such as EAP-TLS for certificate-based mutual authentication, EAP-TTLS and EAP-PEAP for tunneled credential exchange with inner methods like MSCHAPv2 or PAP, and EAP-SIM/EAP-AKA for SIM-based mobile authentication. Configuration involves enabling `ieee8021x=1` and specifying EAP user databases via `eap_user_file`, with TLS support requiring certificate paths like `ca_cert` and `server_cert`. For external authentication, hostapd acts as a RADIUS client, forwarding EAP messages to servers defined by `auth_server_addr` and shared secrets, enabling scalable enterprise deployments.[](https://w1.fi/hostapd/)[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)[](https://w1.fi/cgit/hostap/plain/hostapd/eap_testing.txt)

Additional security features include Management Frame Protection (MFP, IEEE 802.11w), which safeguards against forgery of disassociation and deauthentication frames using AES-128-CMAC, configurable as optional (`ieee80211w=1`) or required (`ieee80211w=2`) with `group_mgmt_cipher`. Client blacklisting occurs dynamically for stations exceeding authentication failure thresholds or violating policies, managed internally or via RADIUS attributes. Session timeouts enforce reauthentication at intervals set by `eap_reauth_period` (default 3600 seconds) or inactivity limits via `ap_max_inactivity`, ensuring periodic key refresh and access revocation.[](https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf)[](https://w1.fi/hostapd/)
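
The key=value file format and the security parameters described above can be checked mechanically before an access point goes live. The following auditor is an added example, not part of hostapd or its documentation: the finding codes, function names and sample configurations are constructed for illustration, and it assumes a missing `wpa_key_mgmt` means WPA-PSK.

```python
"""Added example: audit hostapd.conf text for weak security settings."""

# Finding codes and their meaning (the wording is this example's own).
MESSAGES = {
    "OPEN": "wpa is 0 or unset: no WPA/RSN protection on this BSS",
    "WPA1": "wpa bit 0 set: original WPA is still offered",
    "TKIP": "TKIP is an allowed pairwise cipher",
    "CIPHER_UNSET": "no pairwise cipher set explicitly; set rsn_pairwise=CCMP",
    "PSK_LEN": "wpa_passphrase is not 8-63 characters long",
    "PMF_OFF": "ieee80211w=0: management frames are unprotected",
    "SAE_PMF": "SAE-only BSS should require PMF (ieee80211w=2)",
    "TRANSITION": "WPA-PSK and SAE both enabled: WPA2 clients still accepted",
}

def parse_hostapd_conf(text):
    """Return one dict per BSS; each bss=<ifname> line starts a new BSS."""
    sections = [{}]
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # a value may itself contain '='
        if key == "bss":
            sections.append({})  # security keys are not inherited
        sections[-1][key] = value
    return sections

def audit_bss(cfg):
    """Return finding codes for one BSS, in a fixed order."""
    wpa = int(cfg.get("wpa", "0"))  # bitfield: 1 = WPA, 2 = WPA2/RSN
    if wpa == 0:
        return ["OPEN"]
    findings = []
    if wpa & 1:
        findings.append("WPA1")
    # Cipher list per enabled mode; rsn_pairwise falls back to wpa_pairwise.
    modes = []
    if wpa & 1:
        modes.append(cfg.get("wpa_pairwise", ""))
    if wpa & 2:
        modes.append(cfg.get("rsn_pairwise") or cfg.get("wpa_pairwise", ""))
    if any(not m.split() for m in modes):
        findings.append("CIPHER_UNSET")
    if any("TKIP" in m.split() for m in modes):
        findings.append("TKIP")
    passphrase = cfg.get("wpa_passphrase")
    if passphrase is not None and not 8 <= len(passphrase) <= 63:
        findings.append("PSK_LEN")
    key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()  # assumed default
    has_psk, has_sae = "WPA-PSK" in key_mgmt, "SAE" in key_mgmt
    pmf = int(cfg.get("ieee80211w", "0"))  # 0 off, 1 optional, 2 required
    if pmf == 0:
        findings.append("PMF_OFF")
    elif has_sae and not has_psk and pmf != 2:
        findings.append("SAE_PMF")
    if has_psk and has_sae:
        findings.append("TRANSITION")
    return findings

def audit_conf(text):
    """Map each BSS name (interface= or bss= value) to its finding codes."""
    report = {}
    for cfg in parse_hostapd_conf(text):
        name = cfg.get("bss") or cfg.get("interface", "?")
        report[name] = audit_bss(cfg)
    return report

# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """\
# legacy AP plus an open guest BSS
interface=wlan0
driver=nl80211
ssid=Legacy
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=short
bss=wlan0_guest
ssid=Guest
"""
TRANSITION_CONF = """\
interface=wlan0
driver=nl80211
ssid=Office
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=correct horse battery staple
ieee80211w=1
"""
# WPA3-only variant of the same BSS: SAE alone, PMF required.
HARDENED_CONF = (TRANSITION_CONF.replace("WPA-PSK SAE", "SAE")
                 .replace("ieee80211w=1", "ieee80211w=2"))

if __name__ == "__main__":
    samples = (("weak", WEAK_CONF), ("transition", TRANSITION_CONF),
               ("hardened", HARDENED_CONF))
    for label, conf in samples:
        for bss, codes in audit_conf(conf).items():
            print(label, bss, [MESSAGES[c] for c in codes] or "no findings")
```

Each `bss=` section is audited on its own because a secondary BSS does not inherit the security keys of the first; that is how the guest SSID in the weak sample ends up open.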

### Recent Updates and Vulnerabilities

In July 2024, the hostapd project released version 2.11, introducing preliminary support for IEEE 802.11be (Wi-Fi 7) features, including enhancements to extremely high throughput (EHT) capabilities that enable better compatibility with modern hardware such as Intel's BE200 and MediaTek's MT792x chipsets through underlying Linux kernel drivers like iwlwifi and mt76.[](https://lists.infradead.org/pipermail/hostap/2024-July/042847.html) This update also included various fixes for IEEE 802.11ax (Wi-Fi 6) operations, improving stability for high-density environments and multi-user MIMO configurations. Additionally, Android's integration of hostapd has advanced Wi-Fi 7 support, with version 2.11 patches aligning with Android's multi-link operation (MLO) features to facilitate seamless device provisioning and enhanced throughput on compatible platforms.[](https://source.android.com/docs/core/connect/wifi-7)

Security vulnerabilities have prompted several critical patches in recent years. In March 2025, Ubuntu issued USN-7317-1, addressing side-channel attacks in hostapd and wpa_supplicant arising from cache access patterns that could expose sensitive information, including private cryptographic keys, over the network.[](https://ubuntu.com/security/notices/USN-7317-1) Additionally, in March 2025, CVE-2025-24912 was disclosed, where hostapd fails to properly process crafted RADIUS packets, enabling a man-in-the-middle attacker to cause authentication failures and denial of service. Patches have been provided for affected distributions.[](https://nvd.nist.gov/vuln/detail/CVE-2025-24912) Earlier, in 2024, hostapd fixed issues related to Simultaneous Authentication of Equals (SAE) denial-of-service (DoS) risks through stricter validation of rejected groups in SAE Hash-to-Element (H2E) exchanges and improved downgrade protection during group key handshakes, mitigating potential attacks that could disrupt authentication.[](https://w1.fi/security/) These fixes were detailed in advisories 2024-1 and 2024-2 from the project maintainers, emphasizing RADIUS protocol forgery prevention and SAE enhancements to bolster WPA3 robustness.[](https://w1.fi/security/2024-1/hostapd-and-radius-protocol-forgery-attacks.txt)

Community contributions have focused on expanding hostapd's capabilities for emerging standards. Updates to the Linux kernel's wireless documentation in 2024-2025 have incorporated guidance on hostapd's integration with cfg80211 for advanced features, ensuring better interoperability with diverse hardware.[](https://wireless.docs.kernel.org/en/latest/en/users/documentation/hostapd.html) Ongoing patches and contributions have strengthened support for 6 GHz operations under IEEE 802.11ax, including improved channel availability confirmation (CAC) and automatic channel selection (ACS) for Wi-Fi 6E deployments, addressing regulatory compliance and performance in unlicensed spectrum bands.

Looking ahead, hostapd's development emphasizes enhanced Device Provisioning Protocol (DPP) features for secure onboarding, with version 2.11 adding support for DPP Release 3, which allows dynamic configurator parameters during [bootstrapping](/page/Bootstrapping) to simplify [IoT](/page/IOT) device integration without manual credential entry. In community forks like LibreMesh, extensions to hostapd enable advanced [mesh networking](/page/Mesh_networking) protocols, such as virtual Wi-Fi interfaces for simulated environments and improved 802.11s peering with SAE authentication, supporting scalable deployments in OpenWrt-based community networks as demonstrated in 2025 [Google Summer of Code](/page/Google_Summer_of_Code) projects.[](https://blog.freifunk.net/2025/07/15/virtual-wifi-in-libremesh-real-virtual-mesh-midterm-project-update/)[](https://github.com/libremesh/lime-packages)
