| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
802-1x |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| eap |
array of string |
|
The allowed EAP method to be used when authenticating to the network with 802.1x. Valid methods are: 'leap', 'md5', 'tls', 'peap', and 'ttls'. Each method requires different configuration using the properties of this setting; refer to wpa_supplicant documentation for the allowed combinations. |
| identity |
string |
|
Identity string for EAP authentication methods. Often the user's user or login name. |
| anonymous-identity |
string |
|
Anonymous identity string for EAP authentication methods. Used as the unencrypted identity with EAP types that support different tunneled identity like EAP-TTLS. |
| ca-cert |
byte array |
|
Contains the CA certificate if used by the EAP method specified in the 'eap' property. When set this property should be set to the certificate's DER encoded data. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. |
| ca-path |
string |
|
UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the 'ca-cert' property. |
| client-cert |
byte array |
|
Contains the client certificate if used by the EAP method specified in the 'eap' property. When set this property should be set to the certificate's DER encoded data. |
| phase1-peapver |
string |
|
Forces which PEAP version is used when PEAP is set as the EAP method in 'eap' property. When unset, the version reported by the server will be used. Sometimes when using older RADIUS servers, it is necessary to force the client to use a particular PEAP version. To do so, this property may be set to '0' or '1; to force that specific PEAP version. |
| phase1-peaplabel |
string |
|
Forces use of the new PEAP label during key derivation. Some RADIUS servers may require forcing the new PEAP label to interoperate with PEAPv1. Set to '1' to force use of the new PEAP label. See the wpa_supplicant documentation for more details. |
| phase1-fast-provisioning |
string |
|
Enables or disables in-line provisioning of EAP-FAST credentials when FAST is specified as the EAP method in the #NMSetting8021x:eap property. Allowed values are '0' (disabled), '1' (allow unauthenticated provisioning), '2' (allow authenticated provisioning), and '3' (allow both authenticated and unauthenticated provisioning). See the wpa_supplicant documentation for more details. |
| phase2-auth |
string |
|
Specifies the allowed 'phase 2' inner non-EAP authentication methods when an EAP method that uses an inner TLS tunnel is specified in the 'eap' property. Recognized non-EAP phase2 methods are 'pap', 'chap', 'mschap', 'mschapv2', 'gtc', 'otp', 'md5', and 'tls'. Each 'phase 2' inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. |
| phase2-autheap |
string |
|
Specifies the allowed 'phase 2' inner EAP-based authentication methods when an EAP method that uses an inner TLS tunnel is specified in the 'eap' property. Recognized EAP-based 'phase 2' methods are 'md5', 'mschapv2', 'otp', 'gtc', and 'tls'. Each 'phase 2' inner method requires specific parameters for successful authentication; see the wpa_supplicant documentation for more details. |
| phase2-ca-cert |
byte array |
|
Contains the CA certificate if used by the EAP method specified in the 'phase2-eap' or 'phase2-autheap' properties. When set this property should be set to the certificate's DER encoded data. This property can be unset even if the EAP method supports CA certificates, but this allows man-in-the-middle attacks and is NOT recommended. |
| phase2-ca-path |
string |
|
UTF-8 encoded path to a directory containing PEM or DER formatted certificates to be added to the verification chain in addition to the certificate specified in the 'phase2-ca-cert' property. |
| phase2-client-cert |
byte array |
|
Contains the 'phase 2' client certificate if used by the EAP method specified in the 'phase2-eap' or 'phase2-autheap' properties. When set this property should be set to the certificate's DER encoded data. |
| password |
string |
|
Password used for EAP authentication methods. |
| private-key |
byte array |
|
Contains the private key when the 'eap' property is set to 'tls'. When using X.509 private keys, this property should be set to the keys's decrypted DER encoded data. When using PKCS#12 format private keys this property should be set to the PKCS#12 data (which is encrypted) and the 'private-key-password' property must be set to password used to decrypt the PKCS#12 certificate and key. |
| private-key-password |
string |
|
The password used to decrypt the private key specified in the 'private-key' property when the private key is a PKCS#12 format key. |
| phase2-private-key |
byte array |
|
Contains the private key when the 'phase2-eap' or 'phase2-autheap' properties are set to 'tls'. When using X.509 private keys, this property should be set to the keys's decrypted DER encoded data. When using PKCS#12 format private keys this property should be set to the PKCS#12 data (which is encrypted) and the 'phase2-private-key-password' property must be set to password used to decrypt the PKCS#12 certificate and key. |
| phase2-private-key-password |
string |
|
The password used to decrypt the private key specified in the 'phase2-private-key' property when the phase2 private key is a PKCS#12 format key. |
| system-ca-certs |
boolean |
FALSE |
When TRUE, overrides 'ca-path' and 'phase2-ca-path' properties using the system CA directory specified at configure time with the --system-ca-path switch. The certificates in this directory are added to the verification chain in addition to any certificates specified by the 'ca-cert' and 'phase2-ca-cert' properties. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
connection |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| id |
string |
|
User-readable connection identifier/name. Must be one or more characters and may change over the lifetime of the connection if the user decides to rename it. |
| uuid |
string |
|
Universally unique connection identifier. Must be in the format '2815492f-7e56-435e-b2e9-246bd7cdc664' (ie, contains only hexadecimal characters and '-'). The UUID should be assigned when the connection is created and never changed as long as the connection stilla pplies to the same network. For example, it should not be changed when the user changes the connection's 'id', but should be recreated when the WiFi SSID, mobile broadband network provider, or the connection type changes. |
| type |
string |
|
Base type of the connection. For hardware-dependent connections, should contain the setting name of the hardware-type specific setting (ie, '802-3-ethernet' or '802-11-wireless' or 'bluetooth', etc), and for non-hardware dependent connections like VPN or otherwise, should contain the setting name of that setting type (ie, 'vpn' or 'bridge', etc). |
| autoconnect |
boolean |
FALSE |
If TRUE, NetworkManager will activate this connection when its network resources are available. If FALSE, the connection must be manually activated by the user or some other mechanism. |
| timestamp |
uint64 |
0 |
Timestamp (in seconds since the Unix Epoch) that the connection was last successfully activated. Settings services should update the connection timestamp periodically when the connection is active to ensure that an active connection has the latest timestamp. |
| read-only |
boolean |
FALSE |
If TRUE, the connection is read-only and cannot be changed by the user or any other mechanism. This is normally set for system connections whose plugin cannot yet write updated connections back out. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
gsm |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| number |
string |
|
Number to dial when establishing a PPP data session with the GSM-based mobile broadband network. In most cases, leave the number blank and a number selecting the APN specified in the 'apn' property will be used automatically when required. |
| username |
string |
|
Username used to authenticate with the network, if required. Note that many providers do not require a username or accept any username. |
| password |
string |
|
Password used to authenticate with the network, if required. Note that many providers do not require a password or accept any password. |
| apn |
string |
|
The GPRS Access Point Name specifying the APN used when establishing a data session with the GSM-based network. The APN often determines how the user will be billed for their network usage and whether the user has access to the Internet or just a provider-specific walled-garden, so it is important to use the correct APN for the user's mobile broadband plan. |
| network-id |
string |
|
The Network ID (GSM LAI format, ie MCC-MNC) to force specific network registration. If the Network ID is specified, NetworkManager will attempt to force the device to register only on the specified network. This can be used to ensure that the device does not roam when direct roaming control of the device is not otherwise possible. |
| network-type |
int32 |
0 |
Network preference to force the device to only use specific network technologies. The permitted values are: -1: any, 0: 3G only, 1: GPRS/EDGE only, 2: prefer 3G, and 3: prefer 2G. Note that not all devices allow network preference control. |
| band |
int32 |
0 |
Band (currently unused) |
| pin |
string |
|
If the SIM is locked with a PIN it must be unlocked before any other operations are requested. Specify the PIN here to allow operation of the device. |
| puk |
string |
|
If the PIN is incorrectly entered too many times, the PUK (PIN Unlock Code) is required before the device becomes operational. It's usually best not to enter the PUK due to the risk of completely locking your SIM by entering a wrong PUK too many times. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
ipv4 |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| method |
string |
|
IPv4 configuration method. If 'auto' is specified then the appropriate automatic method (DHCP, PPP, etc) is used for the interface and most other properties can be left unset. If 'link-local' is specified, then a link-local address in the 169.254/16 range will be assigned to the interface. If 'manual' is specified, static IP addressing is used and at least one IP address must be given in the 'addresses' property. If 'shared' is specified (indicating that this connection will provide network access to other computers) then the interface is assigned an address in the 10.42.x.1/24 range and a DHCP and forwarding DNS server are started, and the interface is NAT-ed to the current default network connection. This property must be set. |
| dns |
array of uint32 |
|
List of DNS servers (network byte order). For the 'auto' method, these DNS servers are appended to those (if any) returned by automatic configuration. DNS servers cannot be used with the 'shared' or 'link-local' methods as there is no usptream network. In all other methods, these DNS servers are used as the only DNS servers for this connection. |
| dns-search |
array of string |
|
List of DNS search domains. For the 'auto' method, these search domains are appended to those returned by automatic configuration. Search domains cannot be used with the 'shared' or 'link-local' methods as there is no upstream network. In all other methods, these search domains are used as the only search domains for this connection. |
| addresses |
array of array of uint32 |
|
Array of IPv4 address structures. Each IPv4 address structure is composed of 3 32-bit values; the first being the IPv4 address (network byte order), the second the prefix (1 - 32), and last the IPv4 gateway (network byte order). The gateway may be left as 0 if no gateway exists for that subnet. For the 'auto' method, given IP addresses are appended to those returned by automatic configuration. Addresses cannot be used with the 'shared' or 'link-local' methods as the interface is automatically assigned an address with these methods. |
| routes |
array of array of uint32 |
|
Array of IPv4 route structures. Each IPv4 route structure is composed of 4 32-bit values; the first being the destination IPv4 network or address (network byte order), the second the destination network or address prefix (1 - 32), the third being the next-hop (network byte order) if any, and the fourth being the route metric. For the 'auto' method, given IP routes are appended to those returned by automatic configuration. Routes cannot be used with the 'shared' or 'link-local' methods as there is no upstream network. |
| ignore-auto-routes |
boolean |
FALSE |
When the method is set to 'auto' and this property to TRUE, automatically configured routes are ignored and only routes specified in the 'routes' property, if any, are used. |
| ignore-auto-dns |
boolean |
FALSE |
When the method is set to 'auto' and this property to TRUE, automatically configured nameservers and search domains are ignored and only namservers and search domains specified in the 'dns' and 'dns-search' properties, if any, are used. |
| dhcp-client-id |
string |
|
A string sent to the DHCP server to identify the local machine which the DHCP server may use to cusomize the DHCP lease and options. |
| dhcp-hostname |
string |
|
A hostname to be sent to the DHCP server when acquiring a lease. Some DHCP servers use this hostname to update DNS databases, essentially providing a static hostname for the computer. |
| never-default |
boolean |
FALSE |
If TRUE, this connection will never be the default IPv4 connection, meaning it will never be assigned the default route by NetworkManager. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
ppp |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| noauth |
boolean |
FALSE |
If TRUE, do not require the other side (usually the PPP server) to authenticate itself to the client. If FALSE, require authentication from the remote side. In almost all cases, this should be TRUE. |
| refuse-eap |
boolean |
FALSE |
If TRUE, the EAP authentication method will not be used. |
| refuse-pap |
boolean |
FALSE |
If TRUE, the PAP authentication method will not be used. |
| refuse-chap |
boolean |
FALSE |
If TRUE, the CHAP authentication method will not be used. |
| refuse-mschap |
boolean |
FALSE |
If TRUE, the MSCHAP authentication method will not be used. |
| refuse-mschapv2 |
boolean |
FALSE |
If TRUE, the MSCHAPv2 authentication method will not be used. |
| nobsdcomp |
boolean |
FALSE |
If TRUE, BSD compression will not be requested. |
| nodeflate |
boolean |
FALSE |
If TRUE, 'deflate' compression will not be requested. |
| no-vj-comp |
boolean |
FALSE |
If TRUE, Van Jacobsen TCP header compression will not be requested. |
| require-mppe |
boolean |
FALSE |
If TRUE, MPPE (Microsoft Point-to-Point Encrpytion) will be required for the PPP session. If either 64-bit or 128-bit MPPE is not available the session will fail. Note that MPPE is not used on mobile broadband connections. |
| require-mppe-128 |
boolean |
FALSE |
If TRUE, 128-bit MPPE (Microsoft Point-to-Point Encrpytion) will be required for the PPP session, and the 'require-mppe' property must also be set to TRUE. If 128-bit MPPE is not available the session will fail. |
| mppe-stateful |
boolean |
FALSE |
If TRUE, stateful MPPE is used. See pppd documentation for more information on stateful MPPE. |
| crtscts |
boolean |
FALSE |
If TRUE, specify that pppd should set the serial port to use hardware flow control with RTS and CTS signals. This value should normally be set to FALSE. |
| baud |
uint32 |
0 |
If non-zero, instruct pppd to set the serial port to the specified baudrate. This value should normally be left as 0 to automatically choose the speed. |
| mru |
uint32 |
0 |
If non-zero, instruct pppd to request that the peer send packets no larger than the specified size. If non-zero, the MRU should be between 128 and 16384. |
| mtu |
uint32 |
0 |
If non-zero, instruct pppd to send packets no larger than the specified size. |
| lcp-echo-failure |
uint32 |
0 |
If non-zero, instruct pppd to presume the connection to the peer has failed if the specified number of LCP echo-requests go unanswered by the peer. The 'lcp-echo-interval' property must also be set to a non-zero value if this property is used. |
| lcp-echo-interval |
uint32 |
0 |
If non-zero, instruct pppd to send an LCP echo-request frame to the peer every n seconds (where n is the specified value). Note that some PPP peers will respond to echo requests and some will not, and it is not possible to autodetect this. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
802-3-ethernet |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| port |
string |
|
Specific port type to use if multiple the device supports multiple attachment methods. One of 'tp' (Twisted Pair), 'aui' (Attachment Unit Interface), 'bnc' (Thin Ethernet) or 'mii' (Media Independent Interface. If the device supports only one port type, this setting is ignored. |
| speed |
uint32 |
0 |
If non-zero, request that the device use only the specified speed. In Mbit/s, ie 100 == 100Mbit/s. |
| duplex |
string |
|
If specified, request that the device only use the specified duplex mode. Either 'half' or 'full'. |
| auto-negotiate |
boolean |
FALSE |
If TRUE, allow auto-negotiation of port speed and duplex mode. If FALSE, do not allow auto-negotiation,in which case the 'speed' and 'duplex' properties should be set. |
| mac-address |
byte array |
|
If specified, this connection will only apply to the ethernet device whose MAC address matches. This property does not change the MAC address of the device (known as MAC spoofing). |
| mtu |
uint32 |
0 |
If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
802-11-wireless |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| ssid |
byte array |
|
SSID of the WiFi network. Must be specified. |
| mode |
string |
|
WiFi network mode; one of 'infrastructure' or 'adhoc'. If blank, infrastructure is assumed. |
| band |
string |
|
802.11 frequency band of the network. One of 'a' for 5GHz 802.11a or 'bg' for 2.4GHz 802.11. This will lock associations to the WiFi network to the specific band, i.e. if 'a' is specified, the device will not associate with the same network in the 2.4GHz band even if the network's settings are compatible. This setting depends on specific driver capability and may not work with all drivers. |
| channel |
uint32 |
0 |
Wireless channel to use for the WiFi connection. The device will only join (or create for Ad-Hoc networks) a WiFi network on the specified channel. Because channel numbers overlap between bands, this property also requires the 'band' property to be set. |
| bssid |
byte array |
|
If specified, directs the device to only associate with the given access point. This capability is highly driver dependent and not supported by all devices. Note: this property does not control the BSSID used when creating an Ad-Hoc network and is unlikely to in the future. |
| rate |
uint32 |
0 |
If non-zero, directs the device to only use the specified bitrate for communication with the access point. Units are in Kb/s, ie 5500 = 5.5 Mbit/s. This property is highly driver dependent and not all devices support setting a static bitrate. |
| tx-power |
uint32 |
0 |
If non-zero, directs the device to use the specified transmit power. Units are dBm. This property is highly driver dependent and not all devices support setting a static transmit power. |
| mac-address |
byte array |
|
If specified, this connection will only apply to the WiFi device whose MAC address matches. This property does not change the MAC address of the device (known as MAC spoofing). |
| mtu |
uint32 |
0 |
If non-zero, only transmit packets of the specified size or smaller, breaking larger packets up into multiple Ethernet frames. |
| seen-bssids |
array of string |
|
A list of BSSIDs (each BSSID formatted as a MAC address like '00:11:22:33:44:55') that have been detected as part of the WiFI network. The settings service will usually populate this property by periodically asking NetworkManager what the device's current AP is while connected to the network (or monitoring the device's 'active-ap' property) and adding the current AP's BSSID to this list. This list helps NetworkManager find hidden APs by matching up scan results with the BSSIDs in this list. |
| security |
string |
|
If the wireless connection has any security restrictions, like 802.1x, WEP, or WPA, set this property to '802-11-wireless-security' and ensure the connection contains a valid 802-11-wireless-security setting. |
| Key Name |
Value Type |
Default Value |
Value Description |
| name |
string |
802-11-wireless-security |
The setting's name; these names are defined by the specification and cannot be changed after the object has been created. Each setting class has a name, and all objects of that class share the same name. |
| key-mgmt |
string |
|
Key management used for the connection. One of 'none' (WEP), 'ieee8021x' (Dynamic WEP), 'wpa-none' (WPA-PSK Ad-Hoc), 'wpa-psk' (infrastructure WPA-PSK), or 'wpa-eap' (WPA-Enterprise). This property must be set for any WiFi connection that uses security. |
| wep-tx-keyidx |
uint32 |
0 |
When static WEP is used (ie, key-mgmt = 'none') and a non-default WEP key index is used by the AP, put that WEP key index here. Valid values are 0 (default key) through 3. Note that some consumer access points (like the Linksys WRT54G) number the keys 1 - 4. |
| auth-alg |
string |
|
When WEP is used (ie, key-mgmt = 'none' or 'ieee8021x') indicate the 802.11 authentication algorithm required by the AP here. One of 'open' for Open System, 'shared' for Shared Key, or 'leap' for Cisco LEAP. When using Cisco LEAP (ie, key-mgmt = 'ieee8021x' and auth-alg = 'leap') the 'leap-username' and 'leap-password' properties must be specified. |
| proto |
array of string |
|
List of strings specifying the allowed WPA protocol versions to use. Each element may be one 'wpa' (allow WPA) or 'rsn' (allow WPA2/RSN). If not specified, both WPA and RSN connections are allowed. |
| pairwise |
array of string |
|
If specified, will only connect to WPA networks that provide the specified pairwise encryption capabilities. Each element may be one of 'wep40', 'wep104', 'tkip', or 'ccmp'. |
| group |
array of string |
|
If specified, will only connect to WPA networks that provide the specified group/multicast encryption capabilities. Each element may be one of 'wep40', 'wep104', 'tkip', or 'ccmp'. |
| leap-username |
string |
|
The login username for legacy LEAP connections (ie, key-mgmt = 'ieee8021x' and auth-alg = 'leap'). |
| wep-key0 |
string |
|
Index 0 WEP key. This is the WEP key used in most networks. See the 'wep-key-type' property for a description of how this key is interpreted. |
| wep-key1 |
string |
|
Index 1 WEP key. This WEP index is not used by most networks. See the 'wep-key-type' property for a description of how this key is interpreted. |
| wep-key2 |
string |
|
Index 2 WEP key. This WEP index is not used by most networks. See the 'wep-key-type' property for a description of how this key is interpreted. |
| wep-key3 |
string |
|
Index 3 WEP key. This WEP index is not used by most networks. See the 'wep-key-type' property for a description of how this key is interpreted. |
| psk |
string |
|
Pre-Shared-Key for WPA networks. If the key is 64-characters long, it must contain only hexadecimal characters and is interpreted as a hexadecimal WPA key. Otherwise, the key must be between 8 and 63 ASCII characters (as specified in the 802.11i standard) and is interpreted as a WPA passphrase, and is hashed to derive the actual WPA-PSK used when connecting to the WiFi network. |
| leap-password |
string |
|
The login password for legacy LEAP connections (ie, key-mgmt = 'ieee8021x' and auth-alg = 'leap'). |
| wep-key-type |
uint32 |
0 |
Controls the interpretation of WEP keys. Allowed values are 1 (interpret WEP keys as hexadecimal or ASCII keys) or 2 (interpret WEP keys as WEP Passphrases). If set to 1 and the keys are hexadecimal, they must be either 10 or 26 characters in length. If set to 1 and the keys are ASCII keys, they must be either 5 or 13 characters in length. If set to 2, the passphrase is hashed using the de-facto MD5 method to derive the actual WEP key. |