Linux for Wireless Engineers: How to Control WPA Supplicant

By March 27, 2019Linux

WPA supplicant is used to implement security protocols for wireless networks. In a previous blog post I explained how to use it on a WiFi network for different authentication methods. In this post, I will show you how to use a utility to monitor and control WPA supplicant on Linux.

The utility in question is wpa_cli. “cli” stands for Command Line Utility, and as the name suggests, it helps you to interact with the WPA supplicant process through the command line.


If you install WPA supplicant, then wpa_cli will be installed as well:

apt-get install wpasupplicant

Something that may be confusing about the installation is that the package name, ‘wpasupplicant’, doesn’t contain any hyphens or other punctuation marks. However, the command that corresponds to the package is wpa_supplicant. So, don’t try to install WPA supplicant with “apt-get install wpa_supplicant.”

WPA Supplicant Launch

The WPA supplicant process is usually launched on boot or when you connect an interface to the network. A common way to do that is to have the WPA supplicant command in the file “/etc/network/interfaces” as follows:

auto wlan0
allow-hotplug wlan0
iface wlan0 inet dhcp
      wpa-ssid netbeez-enterprise-wireless
      pre-up wpa_supplicant -B -Dwext,nl80211 -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log
      post-down wpa_cli -i wlan0 terminate

This is the stanza that controls the wireless interface wlan0. It specifies that before wlan0 is brought up (pre-up), the wpa_supplicant process needs to be launched with the following options:

-B: put the wpa_supplicant process in the background

-Dwext,nl80211: used the Wireless Extension or nl80211 WiFi drivers

-i wlan0: apply these to interface wlan0

-c/etc/wpa_supplicant/wpa_supplicant.conf: the configuration file that has the WiFi credential and authentications method

-f /var/log/wpa_supplicant.log: the log file

The post-down command uses the wpa_cli command to terminate the wpa_supplicant process.

With this set up, whenever we bring the wlan0 interface up the wpa_supplicant process will be launched, and when we bring it down, it will be terminated. However, sometimes we need to interact with the background wpa_supplicant during runtime. Here is how to do it with wpa_cli.


If you just type “wpa_cli” you will get into the interactive mode of the utility:$ wpa_cli
wpa_cli v2.4
Copyright (c) 2004-2015, Jouni Malinen <> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.

Selected interface 'wlan0'

Interactive mode

This means that you have a session that you can just use to issue commands without having to repeat “wpa_cli” all of the time. As you can see, I didn’t specify the interface that I wanted to use – this is why wpa_cli informed me that it will be applying all following commands to interface “wlan0,” which is the correct one. Alternatively you can explicitly specify the interface with “wpa_cli -i wlan0.”

The benefit of using interactive mode is that you will see log messages from the wpa_supplicant process printed in the session (instead of monitoring the log file /var/log/netbeez/wpa_supplicant.log). For example, a few seconds after I started the interactive wpa_cli, a few events occurred, and I could see the following:

Interactive mode

<3>CTRL-EVENT-SSID-REENABLED id=0 ssid="netbeez"
<3>Trying to associate with 38:3b:c8:3e:d4:3a (SSID='netbeez' freq=5180 MHz)
<3>CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="netbeez" auth_failures=4 duration=60 reason=CONN_FAILED

If you only want to send a one-off command, you can use the following syntax at its most basic form:

wpa_cli command

For example, if I want to get the status of the interface:$ wpa_cli status
Selected interface 'wlan0'

If you type “help” you will get a list of more than 150 options, since wpa_cli gives you the ability to control all aspects of a WPA configuration. I am referring you to the help menu for more details. Here we’ll review just a few of these options.


Let’s say wlan0 is up and running, but you made a change in the wpa_supplicant.conf file and by hardcoded the bssid as follows:$ cat /etc/wpa_supplicant/wpa_supplicant.conf

You can ask wpa_supplicant to reread the configuration file and reconnected by issuing the reconfigure command:$ wpa_cli reconfigure
Selected interface 'wlan0'

With the “OK” wpa_cli informs us that the command was received successfully by wpa_supplicant. At this point your interface will try to reassociate with the specific AP.


If you want to force the reassociation of the interface you can issue the reassociate command as follows:$ wpa_cli reassociate
Selected interface 'wlan0'

Log Level

The wpa_supplicant logs information and error messages in the file specified with the “-f” option shown above. It also gives you the option to specify the verbosity of the logs. You can do that when you launch the process by using the “-d” option as follows:

pre-up wpa_supplicant -B -Dwext,nl80211 -i wlan0 -c/etc/wpa_supplicant/wpa_supplicant.conf -f /var/log/wpa_supplicant.log -d

You can increase it even more if you add “-dd”

wpa_cli gives you the ability to change that during runtime. Here is how the command looks:$ wpa_cli log_level DEBUG
Selected interface 'wlan0'

The available levels, in order of increasing verbosity are: ERROR, WARNING, INFO, DEBUG, MSGDUMP, EXCESSIVE. The default level is INFO.

I noticed that for wpa_cli version 2.4 the manual page is wrong and it says that the option to set the verbosity is “level” and not “log_level.” In addition, I had to look at the source code of wpa_cli to find the available levels since they are not documented anywhere else.

wpa_cli is a very nifty utility that helps you interact with the wpa_supplicant process without having to stop and restart it all the time. It’s handy and a good idea to keep it in your arsenal if you are interested in WiFi on Linux.