5 <link rel="stylesheet" href="onc_spec.css" >
6 <script src="onc_spec.js"></script>
7 <title>Open Network Configuration Format</title>
11 <section id="root" class="not_in_toc">
12 <h1>Open Network Configuration Format</h1>
14 <section class="not_in_toc">
16 <div id="outline"></div>
22 We would like to create a simple, open, but complete format to describe
23 multiple network configurations for Wi-Fi, Ethernet, Cellular,
24 Bluetooth/WiFi-Direct, and VPN connections in a single file format, in order
25 to simplify and automate network configuration for users.
32 Configuring networks is a painful and error-prone experience for users. It
33 is a problem shared across desktop, laptop, tablet, and phone users of all
34 operating system types. It is exacerbated in business and schools which
35 often have complex network configurations (VPNs and 802.1X networking) that
36 change often and have many connected devices. Configuration of Wi-Fi is
37 still done manually, often by administrators physically standing next to
38 users working on devices. Certificate distribution is particularly painful
39 which often results in admins instead using passphrases to protect networks
40 or using protocols without client certificates that instead use LDAP
41 passwords for authentication. Even after networks are configured, updates to
42 the network configuration require another round of manual changes, and
43 accidental changes by a user or malicious changes by an attacker can break
44 connectivity or make connections less private or secure.
50 We propose a single-file format for network configuration that is
51 human-readable, can describe all of the common kinds of network
52 configurations, supports integrity checking, certificate and key
53 provisioning, and updating. The file can be encrypted with a single
54 passphrase so that upon entering the passphrase the entire configuration is
55 loaded. The format can be described as an open format to enable multiple OS
56 vendors to interoperate and share configuration editors.
60 This format neither supports configuring browser settings nor allows setting
61 other types of system policies.
66 <h1>Infrastructure</h1>
68 A standalone configuration editor will be created, downloadable as a Chrome
69 app. This editor will allow creating, modifying, and encrypting an open
70 network configuration file in a way that is intuitive for a system
75 This file format may be delivered to a user and manually imported into a
80 This file format may be created by an administrator, stored in a policy
81 repository, and automatically pushed to a device.
88 <h1>Detailed Design</h1>
90 We use JSON format for the files. The fields in a JSON file are always
91 case-sensitive, so the exact case of the fields in this section must be
92 matched. In addition, the values that are called out as explicit constants
93 must also match the case specified (e.g. WiFi must not be written as wifi,
94 etc.). This document describes a minimum set of required fields and optional
95 fields. Other fields may be created, however, see the
96 implementation-specific fields for guidelines for these fields.
100 The JSON consists of a top level dictionary containing
101 a <span class="field">Type</span> field which must have either the
102 value <span class="value">EncryptedConfiguration</span>
103 or <span class="value">UnencryptedConfiguration</span>.
107 For a description of the <span class="type">EncryptedConfiguration</span>
108 type, see the section on Encrypted Configuration
109 below. The <span class="type">EncryptedConfiguration</span> format encrypts
110 an unencrypted JSON object.
114 <h1>GUIDs and Updating</h1>
116 This format allows for importing updated network configurations and
117 certificates by providing GUIDs to each network configuration and
118 certificate so they can be modified or even removed in future updates.
122 GUIDs are non-empty strings that are meant to be stable and unique. When
123 they refer to the same entity, they should be the same between ONC files. No
124 two different networks or certificates should have the same GUID, similarly
125 a network and certificate should not have the same GUID. A single ONC file
126 should not contain the same entity twice (with the same GUID). Failing any
127 of these tests indicates the ONC file is not valid.
131 Any GUID referred to in an ONC file must be present in the same ONC file. In
132 particular, it is an error to create a certificate in one ONC file and refer
133 to it in a NetworkConfiguration in another ONC file and not define it there,
134 even if the previous ONC file has been imported.
139 <h1>Implementation-specific fields</h1>
141 As there are many different kinds of connections and some that are not yet
142 anticipated may require new fields. This format allows arbitrary other
147 Fields and values should follow these general guidelines:
152 Certificates (with and without keys) should always be placed in the
153 certificate section - specifically certificate contents should not be
154 placed in fields directly. Referring to certificates should be done using
155 a field whose name ends in Ref and whose value is the GUID of the
156 certificate, or if the certificate is not contained in this file, its
157 pattern can be described using a field ending in Pattern of
158 <span class="type">CertificatePattern</span> type.
161 Fields should exist in the most-specific object in the hierarchy and
162 should be named CamelCase style.
165 Booleans and integers should be used directly instead of using a
166 stringified version of the type.
171 Any editor of network configuration information should allows the user to
172 modify any fields that are implementation-specific. It may not be present
173 directly in the UI but it should be able to import files with such settings
174 and leave preserve these settings on export.
179 <h1>Unencrypted Configuration</h1>
181 When the top level <span class="field">Type</span> field
182 is <span class="value">UnencryptedConfiguration</span>, the top level JSON
183 has the <span class="type">UnencryptedConfiguration</span>
184 type. <span class="type">UnencryptedConfiguration</span> type contains the
188 <dl class="field_list">
189 <dt class="field">Type</dt>
191 <span class="field_meta">
192 (optional, defaults to <span class="value">UnencryptedConfiguration
194 <span class="type">string</span>
196 Must be <span class="value">UnencryptedConfiguration</span>.
199 <dt class="field">NetworkConfigurations</dt>
201 <span class="field_meta">
203 <span class="type">array of NetworkConfiguration</span>
205 Describes Wi-Fi, Ethernet, VPN, and wireless connections.
208 <dt class="field">Certificates</dt>
210 <span class="field_meta">
212 <span class="type">array of Certificate</span>
214 Contains certificates stored in X.509 or PKCS#12 format.
218 At least one actual configuration field
219 (<span class="field">NetworkConfigurations</span> or
220 <span class="field">Certificates</span>) should be present, however it should
221 not be considered an error if no such field is present.
224 <h1>Network Configuration</h1>
226 Field <span class="field">NetworkConfigurations</span> is an array
227 of <span class="type">NetworkConfiguration</span> typed
228 objects. The <span class="type">NetworkConfiguration</span> type contains
232 <dl class="field_list">
233 <dt class="field">Ethernet</dt>
235 <span class="field_meta">
236 (required if <span class="field">Type</span> is
237 <span class="value">Ethernet</span>, otherwise ignored)
238 <span class="type">Ethernet</span>
243 <dt class="field">GUID</dt>
245 <span class="field_meta">
247 <span class="type">string</span>
249 A unique identifier for this network connection, which exists to make it
250 possible to update previously imported configurations. Must be a non-empty
254 <dt class="field">IPConfigs</dt>
256 <span class="field_meta">
257 (optional for connected networks, read-only)
258 <span class="type">array of IPConfig</span>
260 Array of IPConfig properties associated with this connection.
263 <dt class="field">StaticIPConfig</dt>
265 <span class="field_meta">
266 (optional if <span class="field">Remove</span> is
267 <span class="value">false</span>, otherwise ignored)
268 <span class="type">IPConfig</span>
270 Each property set in this IPConfig object overrides the respective
271 parameter received over DHCP.
274 <dt class="field">SavedIPConfig</dt>
276 <span class="field_meta">
277 (optional for connected networks, read-only)
278 <span class="type">IPConfig</span>
280 IPConfig property containing the configuration that was received from the
281 DHCP server prior to applying any StaticIPConfig parameters.
284 <dt class="field">Name</dt>
286 <span class="field_meta">
287 (required if <span class="field">Remove</span> is
288 <span class="value">false</span>, otherwise ignored)
289 <span class="type">string</span>
291 A user-friendly description of this connection. This name will not be used
292 for referencing and may not be unique. Instead it may be used for
293 describing the network to the user.
296 <dt class="field">Remove</dt>
298 <span class="field_meta">
299 (optional, defaults to <span class="value">false</span>)
300 <span class="type">boolean</span>
302 If set, remove this network configuration (only GUID should be set).
305 <dt class="field">ProxySettings</dt>
307 <span class="field_meta">
308 (optional if <span class="field">Remove</span> is
309 <span class="value">false</span>, otherwise ignored)
310 <span class="type">ProxySettings</span>
312 Proxy settings for this network
315 <dt class="field">NameServers</dt>
317 <span class="field_meta">
318 (optional if <span class="field">Remove</span> is
319 <span class="value">false</span>, otherwise ignored)
320 <span class="type">array of string</span>
322 Array of addresses to use for name servers. If not specified, DHCP values
326 <dt class="field">SearchDomains</dt>
328 <span class="field_meta">
329 (optional if <span class="field">Remove</span> is
330 <span class="value">false</span>, otherwise ignored)
331 <span class="type">array of string</span>
333 Array of strings to append to names for resolution. Items in this array
334 should not start with a dot. Example:
335 <span class="snippet">["corp.acme.org", "acme.org"]</span>. If not
336 specified, DHCP values will be used.
339 <dt class="field">VPN</dt>
341 <span class="field_meta">
342 (required if <span class="field">Type</span> is
343 <span class="value">VPN</span>, otherwise ignored)
344 <span class="type">VPN</span>
349 <dt class="field">WiFi</dt>
351 <span class="field_meta">
352 (required if <span class="field">Type</span> is
353 <span class="value">WiFi</span>, otherwise ignored)
354 <span class="type">WiFi</span>
359 <dt class="field">WiMAX</dt>
361 <span class="field_meta">
362 (required if <span class="field">Type</span> is
363 <span class="value">WiMAX</span>, otherwise ignored)
364 <span class="type">WiMAX</span>
369 <dt class="field">Cellular</dt>
371 <span class="field_meta">
372 (required if <span class="field">Type</span> is
373 <span class="value">Cellular</span>, otherwise ignored)
374 <span class="type">Cellular</span>
379 <dt class="field">Type</dt>
381 <span class="field_meta">
382 (required if <span class="field">Remove</span> is
383 <span class="value">false</span>, otherwise ignored)
384 <span class="type">string</span>
387 <span class="rule_id"></span>
388 Allowed values are <span class="value">Cellular</span>,
389 <span class="value">Ethernet</span>, <span class="value">WiFi</span>,
390 <span class="value">Cellular</span> and <span class="value">VPN</span>.
392 Indicates which kind of connection this is.
395 <dt class="field">ConnectionState</dt>
397 <span class="field_meta">
398 (optional, read-only)
399 <span class="type">string</span>
401 The current connection state for this network, provided by the system.
403 <span class="rule_id"></span>
405 <span class="value">Connected</span>,
406 <span class="value">Connecting</span>,
407 <span class="value">NotConnected</span>
411 <dt class="field">RestrictedConnectivity</dt>
413 <span class="field_meta">
414 (optional, defaults to <span class="value">false</span>, read-only)
415 <span class="type">boolean</span>
417 True if a connnected network has limited connectivity to the Internet,
418 e.g. a connection is behind a portal or a cellular network is not
419 activated or requires payment.
422 <dt class="field">Connectable</dt>
424 <span class="field_meta">
425 (optional, read-only)
426 <span class="type">boolean</span>
428 True if the system indicates that the network can be connected to without
429 any additional configuration.
432 <dt class="field">ErrorState</dt>
434 <span class="field_meta">
435 (optional, read-only)
436 <span class="type">string</span>
438 The current error state for this network. Error states are provided by
439 the system and are not explicitly defined here. They may or may not be
440 human-readable. This field will be empty or absent if the network is not
444 <dt class="field">MacAddress</dt>
446 <span class="field_meta">
447 (optional, read-only)
448 <span class="type">string</span>
450 The MAC address for the network. Only applies to connected non-virtual
451 networks. The format is 00:11:22:AA:BB:CC.
454 <dt class="field">Source</dt>
456 <span class="field_meta">
457 (optional, read-only)
458 <span class="type">string</span>
460 Indicates whether the network is configured and how it is configured:
462 <li><span class="value">User</span>: Configured for the active
463 user only, i.e. an unshared configuration.</li>
464 <li><span class="value">Device</span>: Configured for all users of the
465 device (e.g laptop), i.e. a shared configuration.</li>
466 <li><span class="value">UserPolicy</span>: Configured by the user
467 policy for the active user.</li>
468 <li><span class="value">DevicePolicy</span>: Configured by the device
469 policy for the device.</li>
470 <li><span class="value">None</span>: Not configured, e.g. a visible
471 but unconfigured WiFi network.</li>
474 <span class="rule_id"></span>
476 <span class="value">User</span>,
477 <span class="value">Device</span>,
478 <span class="value">UserPolicy</span>,
479 <span class="value">DevicePolicy</span>,
480 <span class="value">None</span>
484 <dt class="field">Priority</dt>
486 <span class="field_meta">
488 <span class="type">integer</span>
490 Provides a suggested priority value for this network. May be used by the
491 system to determine which network to connect to when multiple configured
492 networks are available (or may be ignored).
498 <h1>Ethernet networks</h1>
500 For Ethernet connections, <span class="field">Type</span> must be set to
501 <span class="value">Ethernet</span> and the
502 field <span class="field">Ethernet</span> must be set to an object of
503 type <span class="type">Ethernet</span> containing the following fields:
506 <dl class="field_list">
507 <dt class="field">Authentication</dt>
509 <span class="field_meta">
511 <span class="type">string</span>
514 <span class="rule_id"></span>
515 Allowed values are <span class="value">None</span> and
516 <span class="value">8021X</span>.
520 <dt class="field">EAP</dt>
522 <span class="field_meta">
523 (required if <span class="field">Authentication</span> is
524 <span class="value">8021X</span>, otherwise ignored)
525 <span class="type">EAP</span>
535 Field <span class="field">IPConfigs</span> is an array
536 of <span class="type">IPConfig</span>
537 objects. Each <span class="type">IPConfig</span> object describes a
538 particular static IP configuration and contains the following fields:
541 <dl class="field_list">
542 <dt class="field">Type</dt>
544 <span class="field_meta">
546 <span class="type">string</span>
549 <span class="rule_id"></span>
550 Allowed values are <span class="value">IPv4</span>
551 and <span class="value">IPv6</span>
553 Describes the type of configuration this is.
556 <dt class="field">IPAddress</dt>
558 <span class="field_meta">
560 <span class="type">string</span>
562 Describes the IPv4 or IPv6 address of a connection, depending on the value
563 of <span class="field">Type</span> field. It should not contain the
564 routing prefix (i.e. should not end in something like /64).
567 <dt class="field">RoutingPrefix</dt>
569 <span class="field_meta">
571 <span class="type">integer</span>
574 <span class="rule_id"></span>
575 Must be a number in the range [1, 32] for IPv4 and [1, 128] for IPv6
578 Describes the routing prefix.
581 <dt class="field">Gateway</dt>
583 <span class="field_meta">
585 <span class="type">string</span>
587 Describes the gateway address to use for the configuration. Must match
588 address type specified in <span class="field">Type</span> field. If not
589 specified, DHCP values will be used.
592 <dt class="field">NameServers</dt>
594 <span class="field_meta">
596 <span class="type">array of string</span>
598 Array of addresses to use for name servers. Address format must match that
599 specified in the <span class="field">Type</span> field. Overrides values
600 in the top level NameServers field for this configuration. If not
601 specified, top level values will be used.
604 <dt class="field">SearchDomains</dt>
606 <span class="field_meta">
608 <span class="type">array of string</span>
610 Array of strings to append to names for resolution. Items in this array
611 should not start with a dot. Example: <span class="snippet">[
612 "corp.acme.org", "acme.org" ]</span>. Overrides values in the top level
613 SearchDomains field for this configuration. If not specified, top level
617 <dt class="field">WebProxyAutoDiscoveryUrl</dt>
619 <span class="field_meta">
620 (optional if part of <span class="field">IPConfigs</span>)
621 <span class="type">string</span>
623 The Web Proxy Auto-Discovery URL for this network as reported over DHCP.
630 <h1>Wi-Fi networks</h1>
632 For Wi-Fi connections, <span class="field">Type</span> must be set to
633 <span class="value">WiFi</span> and the
634 field <span class="field">WiFi</span> must be set to an object of
635 type <span class="type">WiFi</span> containing the following fields:
638 <dl class="field_list">
639 <dt class="field">AutoConnect</dt>
641 <span class="field_meta">
642 (optional, defaults to <span class="value">false</span>)
643 <span class="type">boolean</span>
645 Indicating that the network should be connected to automatically when in
649 <dt class="field">EAP</dt>
651 <span class="field_meta">
652 (required if <span class="field">Security</span> is
653 <span class="value">WEP-8021X</span> or
654 <span class="value">WPA-EAP</span>, otherwise ignored)
655 <span class="type">EAP</span>
660 <dt class="field">HiddenSSID</dt>
662 <span class="field_meta">
663 (optional, defaults to <span class="value">false</span>)
664 <span class="type">boolean</span>
666 Indicating if the SSID will be broadcast.
669 <dt class="field">Passphrase</dt>
671 <span class="field_meta">
672 (required if <span class="field">Security</span> is
673 <span class="value">WEP-PSK</span> or
674 <span class="value">WPA-PSK</span>, otherwise ignored)
675 <span class="type">string</span>
677 Describes the passphrase for WEP/WPA/WPA2
678 connections. If <span class="value">WEP-PSK</span> is used, the passphrase
679 must be of the format 0x<hex-number>, where <hex-number> is
680 40, 104, 128, or 232 bits.
683 <dt class="field">Security</dt>
685 <span class="field_meta">
687 <span class="type">string</span>
690 <span class="rule_id"></span>
691 Allowed values are <span class="value">None</span>,
692 <span class="value">WEP-PSK</span>,
693 <span class="value">WEP-8021X</span>,
694 <span class="value">WPA-PSK</span>, and
695 <span class="value">WPA-EAP</span>.
699 <dt class="field">SSID</dt>
701 <span class="field_meta">
703 <span class="type">string</span>
708 <dt class="field">SignalStrength</dt>
710 <span class="field_meta">
711 (optional, read-only)
712 <span class="type">integer</span>
714 The current signal strength for this network in the range [0, 100],
715 provided by the system. If the network is not in range this field will
716 be set to '0' or not present.
722 <h1>VPN networks</h1>
724 There are many kinds of VPNs with widely varying configuration options. We
725 offer standard configuration options for a few common configurations at this
726 time, and may add more later. For all others, implementation specific fields
731 For VPN connections, <span class="field">Type</span> must be set
732 to <span class="value">VPN</span> and the
733 field <span class="field">VPN</span> must be set to an object of
734 type <span class="type">VPN</span> containing the following fields:
737 <dl class="field_list">
738 <dt class="field">AutoConnect</dt>
740 <span class="field_meta">
741 (optional, defaults to <span class="value">false</span>)
742 <span class="type">boolean</span>
744 Indicating that the network should be connected to automatically.
747 <dt class="field">Host</dt>
749 <span class="field_meta">
751 <span class="type">string</span>
753 Host name or IP address of server to connect to. The only scenario that
754 does not require a host is a VPN that encrypts but does not tunnel
755 traffic. Standalone IPsec (v1 or v2, cert or PSK based -- this is not the
756 same as L2TP over IPsec) is one such setup. For all other types of VPN,
757 the <span class="field">Host</span> field is required.
760 <dt class="field">IPsec</dt>
762 <span class="field_meta">
763 (required if <span class="field">Type</span> is
764 <span class="value">IPsec</span> or
765 <span class="value">L2TP-IPsec</span>, otherwise ignored)
766 <span class="type">IPsec</span>
768 IPsec layer settings.
771 <dt class="field">L2TP</dt>
773 <span class="field_meta">
774 (required if <span class="field">Type</span> is
775 <span class="value">L2TP-IPsec</span>, otherwise ignored)
776 <span class="type">L2TP</span>
781 <dt class="field">OpenVPN</dt>
783 <span class="field_meta">
784 (required if <span class="field">Type</span> is
785 <span class="value">OpenVPN</span>, otherwise ignored)
786 <span class="type">OpenVPN</span>
791 <dt class="field">Type</dt>
793 <span class="field_meta">
795 <span class="type">string</span>
798 <span class="rule_id"></span>
799 Allowed values are <span class="value">IPsec</span>,
800 <span class="value">L2TP-IPsec</span>, and
801 <span class="value">OpenVPN</span>.
808 <h1>IPsec-based VPN types</h1>
810 The <span class="type">IPsec</span> type contains the following:
813 <dl class="field_list">
814 <dt class="field">AuthenticationType</dt>
816 <span class="field_meta">
818 <span class="type">string</span>
821 <span class="rule_id"></span>
822 Allowed values are <span class="value">PSK</span> and
823 <span class="value">Cert</span>. If <span class="value">Cert</span> is used, <span class="field">ClientCertType</span> and <span class="field">ServerCARefs</span> (or the deprecated <span class="field">ServerCARef</span>) must be set.
827 <dt class="field">ClientCertPattern</dt>
829 <span class="field_meta">
830 (required if <span class="field">ClientCertType</span>
831 is <span class="value">Pattern</span>, otherwise ignored)
832 <span class="type">CertificatePattern</span>
834 Pattern describing the client certificate.
837 <dt class="field">ClientCertRef</dt>
839 <span class="field_meta">
840 (required if <span class="field">ClientCertType</span>
841 is <span class="value">Ref</span>, otherwise ignored)
842 <span class="type">string</span>
844 Reference to client certificate stored in certificate section.
847 <dt class="field">ClientCertType</dt>
849 <span class="field_meta">
850 (required if <span class="field">AuthenticationType</span>
851 is <span class="value">Cert</span>, otherwise ignored)
852 <span class="type">string</span>
855 <span class="rule_id"></span>
856 Allowed values are <span class="value">Ref</span> and
857 <span class="value">Pattern</span>
861 <dt class="field">EAP</dt>
863 <span class="field_meta">
864 (optional if <span class="field">IKEVersion</span> is 2, otherwise
866 <span class="type">EAP</span>
868 Indicating that EAP authentication should be used with the provided
872 <dt class="field">Group</dt>
874 <span class="field_meta">
875 (optional if <span class="field">IKEVersion</span> is 1, otherwise
877 <span class="type">string</span>
879 Group name used for machine authentication.
882 <dt class="field">IKEVersion</dt>
884 <span class="field_meta">
886 <span class="type">integer</span>
888 Version of IKE protocol to use.
891 <dt class="field">PSK</dt>
893 <span class="field_meta">
894 (optional if <span class="field">AuthenticationType</span>
895 is <span class="value">PSK</span>, otherwise ignored)
896 <span class="type">string</span>
898 Pre-Shared Key. If not specified, user is prompted at time of
902 <dt class="field">SaveCredentials</dt>
904 <span class="field_meta">
905 (optional if <span class="field">AuthenticationType</span>
906 is <span class="value">PSK</span>, otherwise ignored, defaults
907 to <span class="value">false</span>)
908 <span class="type">boolean</span>
910 If <span class="value">false</span>, require user to enter credentials
911 (PSK) each time they connect.
914 <dt class="field">ServerCARefs</dt>
916 <span class="field_meta">
917 (optional if <span class="field">AuthenticationType</span>
918 is <span class="value">Cert</span>, otherwise rejected)
919 <span class="type">array of string</span>
921 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset.
924 <dt class="field">ServerCARef</dt>
926 <span class="field_meta">
927 (optional if <span class="field">AuthenticationType</span>
928 is <span class="value">Cert</span>, otherwise rejected)
929 <span class="type">string</span>
931 DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
932 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
935 <dt class="field">XAUTH</dt>
937 <span class="field_meta">
938 (optional if <span class="field">IKEVersion</span> is 1, otherwise
940 <span class="type">XAUTH</span>
942 Describing XAUTH credentials. XAUTH is not used if this object is not
948 <span class="rule_id"></span>
949 If <span class="field">AuthenticationType</span> is set to <span class="value">Cert</span>, <span class="field">ServerCARefs</span> or <span class="field">ServerCARef</span> must be set.
953 <span class="rule_id"></span>
954 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
958 <span class="type">L2TP</span> type contains the following:
961 <dl class="field_list">
962 <dt class="field">Password</dt>
964 <span class="field_meta">
966 <span class="type">string</span>
968 User authentication password. If not specified, user is prompted at time
972 <dt class="field">SaveCredentials</dt>
974 <span class="field_meta">
975 (optional, defaults to <span class="value">false</span>)
976 <span class="type">boolean</span>
978 If <span class="value">false</span>, require user to enter credentials
979 each time they connect.
982 <dt class="field">Username</dt>
984 <span class="field_meta">
986 <span class="type">string</span>
988 User identity. This value is subject to string expansions. If not
989 specified, user is prompted at time of connection.
994 <span class="type">XAUTH</span> type contains the following:
997 <dl class="field_list">
998 <dt class="field">Password</dt>
1000 <span class="field_meta">
1002 <span class="type">string</span>
1004 XAUTH password. If not specified, user is prompted at time of
1008 <dt class="field">SaveCredentials</dt>
1010 <span class="field_meta">
1011 (optional, defaults to <span class="value">false</span>)
1012 <span class="type">boolean</span>
1014 If <span class="value">false</span>, require user to enter credentials
1015 each time they connect.
1018 <dt class="field">Username</dt>
1020 <span class="field_meta">
1022 <span class="type">string</span>
1024 XAUTH user name. This value is subject to string expansions. If not
1025 specified, user is prompted at time of connection.
1030 <h1>IPsec IKE v1 VPN connections</h1>
1032 <span class="field">VPN.Type</span> must
1033 be <span class="value">IPsec</span>, <span class="field">IKEVersion</span>
1034 must be 1. Do not use this for L2TP over IPsec. This may be used for
1035 machine-authentication-only IKEv1 or for IKEv1 with XAUTH. See
1036 the <span class="type">IPsec</span> type described below.
1041 <h1>IPsec IKE v2 VPN connections</h1>
1043 <span class="field">VPN.Type</span> must
1044 be <span class="value">IPsec</span>, <span class="field">IKEVersion</span>
1045 must be 2. This may be used with EAP-based user authentication.
1050 <h1>L2TP over IPsec VPN connections</h1>
1052 There are two major configurations L2TP over IPsec which depend on how IPsec
1053 is authenticated. In either case <span class="field">Type</span> must be
1054 <span class="value">L2TP-IPsec</span>. They are described below.
1058 L2TP over IPsec with pre-shared key:
1062 <li>The field <span class="field">IPsec</span> must be present and have the
1065 <li><span class="field">IKEVersion</span> must be 1.</li>
1066 <li><span class="field">AuthenticationType</span> must be PSK.</li>
1067 <li><span class="field">XAUTH</span> must not be set.</li>
1070 <li>The field <span class="field">L2TP</span> must be present.</li>
1077 <h1>OpenVPN connections and types</h1>
1079 <span class="field">VPN.Type</span> must be
1080 <span class="value">OpenVPN</span>.
1084 <span class="type">OpenVPN</span> type contains the following:
1087 <dl class="field_list">
1088 <dt class="field">Auth</dt>
1090 <span class="field_meta">
1091 (optional, defaults to <span class="value">SHA1</span>)
1092 <span class="type">string</span>
1096 <dt class="field">AuthRetry</dt>
1098 <span class="field_meta">
1099 (optional, defaults to <span class="value">none</span>)
1100 <span class="type">string</span>
1103 <span class="rule_id"></span>
1104 Allowed values are <span class="value">none</span>,
1105 <span class="value">nointeract</span>, and
1106 <span class="value">interact</span>.
1108 Controls how OpenVPN responds to username/password verification
1109 errors:<br> Either fail with error on retry
1110 (<span class="value">none</span>), retry without asking for authentication
1111 (<span class="value">nointeract</span>), or ask again for authentication
1112 each time (<span class="value">interact</span>).
1115 <dt class="field">AuthNoCache</dt>
1117 <span class="field_meta">
1118 (optional, defaults to <span class="value">false</span>)
1119 <span class="type">boolean</span>
1121 Disable caching of credentials in memory.
1124 <dt class="field">Cipher</dt>
1126 <span class="field_meta">
1127 (optional, defaults to <span class="value">BF-CBC</span>)
1128 <span class="type">string</span>
1133 <dt class="field">ClientCertRef</dt>
1135 <span class="field_meta">
1136 (required if <span class="field">ClientCertType</span> is
1137 <span class="value">Ref</span>, otherwise ignored)
1138 <span class="type">string</span>
1140 Reference to client certificate stored in certificate section.
1143 <dt class="field">ClientCertPattern</dt>
1145 <span class="field_meta">
1146 (required if <span class="field">ClientCertType</span> is
1147 <span class="value">Pattern</span>, otherwise ignored)
1148 <span class="type">CertificatePattern</span>
1150 Pattern to use to find the client certificate.
1153 <dt class="field">ClientCertType</dt>
1155 <span class="field_meta">
1157 <span class="type">string</span>
1160 <span class="rule_id"></span>
1161 Allowed values are <span class="value">Ref</span>,
1162 <span class="value">Pattern</span>, and <span class="value">None</span>.
1164 <span class="value">None</span> implies that the server is configured to
1165 not require client certificates.
1168 <dt class="field">CompLZO</dt>
1170 <span class="field_meta">
1171 (optional, defaults to <span class="value">adaptive</span>)
1172 <span class="type">string</span>
1174 Decides to fast LZO compression with <span class="value">true</span>
1175 and <span class="value">false</span> as other values.
1178 <dt class="field">CompNoAdapt</dt>
1180 <span class="field_meta">
1181 (optional, defaults to <span class="value">false</span>)
1182 <span class="type">boolean</span>
1184 Disables adaptive compression.
1187 <dt class="field">IgnoreDefaultRoute</dt>
1189 <span class="field_meta">
1190 (optional, defaults to <span class="value">false</span>)
1191 <span class="type">bool</span>
1193 Omits a default route to the VPN gateway while the connection is active.
1194 By default, the client creates a default route to the gateway address
1195 advertised by the VPN server. Setting this value to
1196 <span class="value">true</span> will allow split tunnelling for
1197 configurations where the VPN server omits explicit default routes.
1198 This is roughly equivalent to omitting "redirect-gateway" OpenVPN client
1199 configuration option. If the server pushes a "redirect-gateway"
1200 configuration flag to the client, this option is ignored.
1203 <dt class="field">KeyDirection</dt>
1205 <span class="field_meta">
1207 <span class="type">string</span>
1209 Passed as --key-direction.
1212 <dt class="field">NsCertType</dt>
1214 <span class="field_meta">
1216 <span class="type">string</span>
1218 If set, checks peer certificate type. Should only be set
1219 to <span class="value">server</span> if set.
1222 <dt class="field">Password</dt>
1224 <span class="field_meta">
1226 <span class="type">string</span>
1228 XAUTH password. If not specified, user is prompted at time of connection.
1231 <dt class="field">Port</dt>
1233 <span class="field_meta">
1234 (optional, defaults to <span class="value">1194</span>)
1235 <span class="type">integer</span>
1237 Port for connecting to server.
1240 <dt class="field">Proto</dt>
1242 <span class="field_meta">
1243 (optional, defaults to <span class="value">udp</span>)
1244 <span class="type">string</span>
1246 Protocol for communicating with server.
1249 <dt class="field">PushPeerInfo</dt>
1251 <span class="field_meta">
1252 (optional, defaults to <span class="value">false</span>)
1253 <span class="type">boolean</span>
1257 <dt class="field">RemoteCertEKU</dt>
1259 <span class="field_meta">
1261 <span class="type">string</span>
1263 Require that the peer certificate was signed with this explicit extended
1264 key usage in oid notation.
1267 <dt class="field">RemoteCertKU</dt>
1269 <span class="field_meta">
1270 (optional, defaults to [])
1271 <span class="type">array of string</span>
1273 Require the given array of key usage numbers. These are strings that are
1274 hex encoded numbers.
1277 <dt class="field">RemoteCertTLS</dt>
1279 <span class="field_meta">
1280 (optional, defaults to <span class="value">server</span>)
1281 <span class="type">string</span>
1284 <span class="rule_id"></span>
1285 Allowed values are <span class="value">none</span> and
1286 <span class="value">server</span>.
1288 Require peer certificate signing based on RFC3280 TLS rules.
1291 <dt class="field">RenegSec</dt>
1293 <span class="field_meta">
1294 (optional, defaults to <span class="value">3600</span>)
1295 <span class="type">integer</span>
1297 Renegotiate data channel key after this number of seconds.
1300 <dt class="field">SaveCredentials</dt>
1302 <span class="field_meta">
1303 (optional, defaults to <span class="value">false</span>)
1304 <span class="type">boolean</span>
1306 If <span class="value">false</span>, require user to enter credentials
1307 each time they connect.
1310 <dt class="field">ServerCARefs</dt>
1312 <span class="field_meta">
1314 <span class="type">array of string</span>
1316 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. See also OpenVPN's command line option "--ca". If this field is set, <span class="field">ServerCARef</span> must be unset.
1319 <dt class="field">ServerCARef</dt>
1321 <span class="field_meta">
1323 <span class="type">string</span>
1325 DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
1326 Reference to a CA certificate in <span class="field">Certificates</span>. Certificate authority to use for verifying connection. If this field is set, <span class="field">ServerCARefs</span> must be unset.
1329 <dt class="field">ServerCertRef</dt>
1331 <span class="field_meta">
1333 <span class="type">string</span>
1335 Reference to a certificate. Peer's signed certificate.
1338 <dt class="field">ServerPollTimeout</dt>
1340 <span class="field_meta">
1342 <span class="type">integer</span>
1344 Spend no more than this number of seconds before trying the next server.
1347 <dt class="field">Shaper</dt>
1349 <span class="field_meta">
1351 <span class="type">integer</span>
1353 If not specified no bandwidth limiting, otherwise limit bandwidth of
1354 outgoing tunnel data to this number of bytes per second.
1357 <dt class="field">StaticChallenge</dt>
1359 <span class="field_meta">
1361 <span class="type">string</span>
1363 String is used in static challenge response. Note that echoing is always
1367 <dt class="field">TLSAuthContents</dt>
1369 <span class="field_meta">
1371 <span class="type">string</span>
1373 If not set, tls auth is not used. If set, this is the TLS Auth key
1374 contents (usually starts with "-----BEGIN OpenVPN Static Key..."
1377 <dt class="field">TLSRemote</dt>
1379 <span class="field_meta">
1381 <span class="type">string</span>
1383 If set, only allow connections to server hosts with X509 name or common
1384 name equal to this string.
1387 <dt class="field">Username</dt>
1389 <span class="field_meta">
1391 <span class="type">string</span>
1393 OpenVPN user name. This value is subject to string expansions. If not
1394 specified, user is prompted at time of connection.
1397 <dt class="field">Verb</dt>
1399 <span class="field_meta">
1401 <span class="type">string</span>
1403 Verbosity level, defaults to OpenVpn's default if not specified.
1406 <dt class="field">VerifyHash</dt>
1408 <span class="field_meta">
1410 <span class="type">string</span>
1412 If set, this value is passed as the "--verify-hash" argument to OpenVPN,
1413 which specifies the SHA1 fingerprint for the level-1 certificate.
1416 <dt class="field">VerifyX509</dt>
1418 <span class="field_meta">
1420 <span class="type">VerifyX509</span>
1422 If set, the "--verify-x509-name" argument is passed to OpenVPN with the values of this object and only connections will be accepted if a host's X.509 name is equal to the given name.
1427 <span class="rule_id"></span>
1428 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1432 <span class="type">VerifyX509</span> type contains the following:
1434 <dl class="field_list">
1435 <dt class="field">Name</dt>
1437 <span class="field_meta">
1439 <span class="type">string</span>
1441 The name that the host's X.509 name is compared to. Which host name is compared depends on the value of <span class="field">Type</span>.
1444 <dt class="field">Type</dt>
1446 <span class="field_meta">
1448 <span class="type">string</span>
1450 Determines which of the host's X.509 names will be verified. Allowed values are <span class="value">name</span>, <span class="value">name-prefix</span> and <span class="value">subject</span>. See OpenVPN's documentation for "--verify-x509-name" for the meaning of each value. Defaults to OpenVPN's default if not specified.
1459 <h1>Client certificate patterns</h1>
1461 In order to allow clients to securely key their private keys and request
1462 certificates through PKCS#10 format or through a web flow, we provide
1463 alternative CertificatePattern types. The
1464 <span class="type">CertificatePattern</span> type contains the following:
1467 <dl class="field_list">
1468 <dt class="field">IssuerCARef</dt>
1470 <span class="field_meta">
1472 <span class="type">array of string</span>
1474 Array of references to certificates. At least one must have signed the
1478 <dt class="field">Issuer</dt>
1480 <span class="field_meta">
1482 <span class="type">IssuerSubjectPattern</span>
1484 Pattern to match the issuer X.509 settings against. If not specified, the
1485 only checks done will be a signature check against
1486 the <span class="field">IssuerCARef</span> field. Issuer of the
1487 certificate must match this field exactly to match the pattern.
1490 <dt class="field">Subject</dt>
1492 <span class="field_meta">
1494 <span class="type">IssuerSubjectPattern</span>
1496 Pattern to match the subject X.509 settings against. If not specified, the
1497 subject settings are not checked and any certificate matches. Subject of
1498 the certificate must match this field exactly to match the pattern.
1501 <dt class="field">EnrollmentURI</dt>
1503 <span class="field_meta">
1505 <span class="type">array of string</span>
1507 If no certificate matches this CertificatePattern, the first URI from this
1508 array with a recognized scheme is navigated to, with the intention this
1509 informs the user how to either get the certificate or gets the certificate
1510 for the user. For instance, the array may be [
1511 "chrome-extension://asakgksjssjwwkeielsjs/fetch-client-cert.html",
1512 "http://intra/connecting-to-wireless.html" ] so that for Chrome browsers a
1513 Chrome app or extension is shown to the user, but for other browsers, a
1519 The <span class="type">IssuerSubjectPattern</span> type contains the
1523 <dl class="field_list">
1524 <dt class="field">CommonName</dt>
1526 <span class="field_meta">
1528 <span class="type">string</span>
1530 Certificate subject's commonName must match this string if present.
1533 <dt class="field">Locality</dt>
1535 <span class="field_meta">
1537 <span class="type">string</span>
1539 Certificate subject's location must match this string if present.
1542 <dt class="field">Organization</dt>
1544 <span class="field_meta">
1546 <span class="type">string</span>
1548 At least one of certificate subject's organizations must match this string
1552 <dt class="field">OrganizationalUnit</dt>
1554 <span class="field_meta">
1556 <span class="type">string</span>
1558 At least one of certificate subject's organizational units must match this
1564 <span class="rule_id"></span>
1565 One field in <span class="field">Subject</span>,
1566 <span class="field">Issuer</span>, or <span class="field">IssuerCARef</span>
1567 must be given for a <span class="type">CertificatePattern</span> typed field
1572 For a certificate to be considered matching, it must match all
1573 the fields in the certificate pattern. If multiple certificates match, the
1574 certificate with the latest issue date that is still in the past, and hence
1575 valid, will be used.
1579 If <span class="field">EnrollmentURI</span> is not given and no match is
1580 found to this pattern, the importing tool may show an error to the user.
1585 <h1>Proxy settings</h1>
1587 Every network can be configured to use a
1588 proxy. The <span class="type">ProxySettings</span> type contains the
1592 <dl class="field_list">
1593 <dt class="field">Type</dt>
1595 <span class="field_meta">
1597 <span class="type">string</span>
1600 <span class="rule_id"></span>
1601 Allowed values are <span class="value">Direct</span>,
1602 <span class="value">Manual</span>, <span class="value">PAC</span>, and
1603 <span class="value">WPAD</span>.
1605 <span class="value">PAC</span> indicates Proxy Auto-Configuration.
1606 <span class="value">WPAD</span> indicates Web Proxy Autodiscovery.
1609 <dt class="field">Manual</dt>
1611 <span class="field_meta">
1612 (required if <span class="field">Type</span>
1613 is <span class="value">Manual</span>, otherwise ignored)
1614 <span class="type">ManualProxySettings</span>
1616 Manual proxy settings.
1619 <dt class="field">ExcludeDomains</dt>
1621 <span class="field_meta">
1622 (optional if <span class="field">Type</span>
1623 is <span class="value">Manual</span>, otherwise ignored)
1624 <span class="type">array of string</span>
1626 Domains and hosts for which to exclude proxy settings.
1629 <dt class="field">PAC</dt>
1631 <span class="field_meta">
1632 (required if <span class="field">Type</span> is
1633 <span class="value">PAC</span>, otherwise ignored)
1634 <span class="type">string</span>
1636 URL of proxy auto-config file.
1641 The <span class="type">ManualProxySettings</span> type contains the
1645 <dl class="field_list">
1646 <dt class="field">HTTPProxy</dt>
1648 <span class="field_meta">
1650 <span class="type">ProxyLocation</span>
1652 settings for HTTP proxy.
1655 <dt class="field">SecureHTTPProxy</dt>
1657 <span class="field_meta">
1659 <span class="type">ProxyLocation</span>
1661 settings for secure HTTP proxy.
1664 <dt class="field">FTPProxy</dt>
1666 <span class="field_meta">
1668 <span class="type">ProxyLocation</span>
1670 settings for FTP proxy
1673 <dt class="field">SOCKS</dt>
1675 <span class="field_meta">
1677 <span class="type">ProxyLocation</span>
1679 settings for SOCKS proxy.
1684 The <span class="type">ProxyLocation</span> type contains the following:
1687 <dl class="field_list">
1688 <dt class="field">Host</dt>
1690 <span class="field_meta">
1692 <span class="type">string</span>
1694 Host (or IP address) to use for proxy
1697 <dt class="field">Port</dt>
1699 <span class="field_meta">
1701 <span class="type">integer</span>
1703 Port to use for proxy
1709 <h1>EAP configurations</h1>
1711 For networks with 802.1X authentication, an <span class="type">EAP</span>
1712 type exists to configure the
1713 authentication. The <span class="type">EAP</span> type contains the
1717 <dl class="field_list">
1718 <dt class="field">AnonymousIdentity</dt>
1720 <span class="field_meta">
1721 (optional if <span class="field">Outer</span> is
1722 <span class="value">PEAP</span> or <span class="value">EAP-TTLS</span>,
1724 <span class="type">string</span>
1726 For tunnelling protocols only, this indicates the identity of the user
1727 presented to the outer protocol. This value is subject to string
1728 expansions. If not specified, use empty string.
1731 <dt class="field">ClientCertPattern</dt>
1733 <span class="field_meta">
1734 (required if <span class="field">ClientCertType</span> is
1735 <span class="value">Pattern</span>, otherwise ignored)
1736 <span class="type">CertificatePattern</span>
1738 Pattern to use to find the client certificate.
1741 <dt class="field">ClientCertRef</dt>
1743 <span class="field_meta">
1744 (required if <span class="field">ClientCertType</span> is
1745 <span class="value">Ref</span>, otherwise ignored)
1746 <span class="type">string</span>
1748 Reference to client certificate stored in certificate section.
1751 <dt class="field">ClientCertType</dt>
1753 <span class="field_meta">
1754 (optional) <span class="type">string</span>
1757 <span class="rule_id"></span>
1758 Allowed values are <span class="value">Ref</span>, and
1759 <span class="value">Pattern</span>.
1763 <dt class="field">Identity</dt>
1765 <span class="field_meta">
1767 <span class="type">string</span>
1769 Identity of user. For tunneling outer protocols
1770 (<span class="value">PEAP</span>, <span class="value">EAP-TTLS</span>, and
1771 <span class="value">EAP-FAST</span>), this is used to authenticate inside
1772 the tunnel, and <span class="field">AnonymousIdentity</span> is used for
1773 the EAP identity outside the tunnel. For non-tunneling outer protocols,
1774 this is used for the EAP identity. This value is subject to string
1778 <dt class="field">Inner</dt>
1780 <span class="field_meta">
1781 (optional if <span class="field">Outer</span> is
1782 <span class="value">EAP-FAST</span>, <span class="value">EAP-TTLS</span>
1783 or <span class="value">PEAP</span>, otherwise ignored, defaults to
1784 <span class="value">Automatic</span>)
1785 <span class="type">string</span>
1788 <span class="rule_id"></span>
1789 Allowed values are <span class="value">Automatic</span>,
1790 <span class="value">MD5</span>, <span class="value">MSCHAPv2</span>,
1791 <span class="value">EAP-MSCHAPv2</span>, and
1792 <span class="value">PAP</span>.
1794 For tunneling outer protocols.
1797 <dt class="field">Outer</dt>
1799 <span class="field_meta">
1801 <span class="type">string</span>
1804 <span class="rule_id"></span>
1805 Allowed values are <span class="value">LEAP</span>,
1806 <span class="value">EAP-AKA</span>, <span class="value">EAP-FAST</span>,
1807 <span class="value">EAP-TLS</span>, <span class="value">EAP-TTLS</span>,
1808 <span class="value">EAP-SIM</span> and <span class="value">PEAP</span>.
1812 <dt class="field">Password</dt>
1814 <span class="field_meta">
1816 <span class="type">string</span>
1818 Password of user. If not specified, defaults to prompting the user.
1821 <dt class="field">SaveCredentials</dt>
1823 <span class="field_meta">
1824 (optional, defaults to <span class="value">false</span>)
1825 <span class="type">boolean</span>
1827 If <span class="value">false</span>, require user to enter credentials
1828 each time they connect. Specifying <span class="field">Identity</span>
1829 and/or <span class="field">Password</span> when
1830 <span class="field">SaveCredentials</span> is
1831 <span class="value">false</span> is not allowed.
1834 <dt class="field">ServerCARefs</dt>
1836 <span class="field_meta">
1838 <span class="type">array of string</span>
1840 Non-empty list of references to CA certificates in <span class="field">Certificates</span> to be used for verifying the host's certificate chain. At least one of the CA certificates must match. If this field is set, <span class="field">ServerCARef</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
1843 <dt class="field">ServerCARef</dt>
1845 <span class="field_meta">
1847 <span class="type">string</span>
1849 DEPRECATED, use <span class="field">ServerCARefs</span> instead.<br/>
1850 Reference to a CA certificate in <span class="field">Certificates</span>. If this field is set, <span class="field">ServerCARefs</span> must be unset. If neither <span class="field">ServerCARefs</span> nor <span class="field">ServerCARef</span> is set, the client does not check that the server certificate is signed by a specific CA. A verification using the system's CA certificates may still apply. See <span class="field">UseSystemCAs</span> for this.
1853 <dt class="field">UseSystemCAs</dt>
1855 <span class="field_meta">
1856 (optional, defaults to <span class="value">true</span>)
1857 <span class="type">boolean</span>
1859 Required server certificate to be signed by "system default certificate
1860 authorities". If both <span class="field">ServerCARefs</span> (or <span class="field">ServerCARef</span>)
1861 and <span class="field">UseSystemCAs</span> are supplied, a server
1862 certificate will be allowed if it either has a chain of trust to a system
1863 CA or to one of the given CA certificates. If <span class="field">UseSystemCAs</span>
1864 is <span class="value">false</span>, and no <span class="field">ServerCARef</span> is set, the certificate
1865 must be a self signed certificate, and no CA signature is required.
1870 <span class="rule_id"></span>
1871 At most one of <span class="field">ServerCARefs</span> and <span class="field">ServerCARef</span> can be set.
1876 <h1>WiMAX Networks</h1>
1878 For WiMAX connections, <span class="field">Type</span> must be set to
1879 <span class="value">WiMAX</span> and the
1880 field <span class="field">WiMAX</span> must be set to an object of
1881 type <span class="type">WiMAX</span>. Currently only used for
1882 representing an existing configuration; ONC configuration of
1883 of <span class="field">WiMAX</span> networks is not yet fully supported.
1884 Contains the following fields:
1887 <dl class="field_list">
1888 <dt class="field">AutoConnect</dt>
1890 <span class="field_meta">
1891 (optional, defaults to <span class="value">false</span>)
1892 <span class="type">boolean</span>
1894 Indicating that the network should be connected to automatically when
1898 <dt class="field">EAP</dt>
1900 <span class="field_meta">
1902 <span class="type">EAP</span>
1907 <dt class="field">SignalStrength</dt>
1909 <span class="field_meta">
1910 (optional, read-only)
1911 <span class="type">integer</span>
1913 The current signal strength for this network in the range [0, 100],
1914 provided by the system. If the network is not in range this field will
1915 be set to '0' or not present.
1922 <h1>Cellular Networks</h1>
1924 For Cellular connections, <span class="field">Type</span> must be set to
1925 <span class="value">Cellular</span> and the
1926 field <span class="field">Cellular</span> must be set to an object of
1927 type <span class="type">Cellular</span>. Currently only used for
1928 representing an existing configuration; ONC configuration of
1929 of <span class="field">Cellular</span> networks is not yet supported.
1930 Contains the following fields:
1933 <dl class="field_list">
1934 <dt class="field">AutoConnect</dt>
1936 <span class="field_meta">
1937 (optional, defaults to <span class="value">false</span>)
1938 <span class="type">boolean</span>
1940 Indicating that the network should be connected to automatically when
1941 possible. Note, that disabled <span class="field">AllowRoaming</span>
1942 takes precedence over autoconnect.
1945 <dt class="field">APN</dt>
1947 <span class="field_meta">(optional)
1948 <span class="type">APN</span>
1950 Currently active <span class="type">APN</span> object to be used with a
1951 GSM carrier for making data connections.
1954 <dt class="field">APNList</dt>
1956 <span class="field_meta">(optional, read-only)
1957 <span class="type">array of APN</span>
1959 List of available APN configurations.
1962 <dt class="field">ActivationType</dt>
1964 <span class="field_meta">(optional)
1965 <span class="type">string</span>
1970 <dt class="field">ActivationState</dt>
1972 <span class="field_meta">(optional, read-only)
1973 <span class="type">string</span>
1975 Carrier account activation state.
1977 <span class="rule_id"></span>Allowed values are
1978 <span class="value">Activated</span>,
1979 <span class="value">Activating</span>,
1980 <span class="value">NotActivated</span>,
1981 <span class="value">PartiallyActivated</span>
1985 <dt class="field">AllowRoaming</dt>
1987 <span class="field_meta">(optional)
1988 <span class="type">boolean</span>
1990 Whether cellular data connections are allowed when the device is roaming.
1993 <dt class="field">Carrier</dt>
1995 <span class="field_meta">(optional, read-only)
1996 <span class="type">string</span>
1998 The name of the carrier for which the device is configured.
2001 <dt class="field">ESN</dt>
2003 <span class="field_meta">(optional, read-only)
2004 <span class="type">string</span>
2006 The Electronic Serial Number of the cellular modem.
2009 <dt class="field">Family</dt>
2011 <span class="field_meta">(optional, read-only)
2012 <span class="type">string</span>
2015 <span class="rule"><span class="rule_id"></span>
2017 <span class="value">CDMA</span>,
2018 <span class="value">GSM</span>
2022 <dt class="field">FirmwareRevision</dt>
2024 <span class="field_meta">(optional, read-only)
2025 <span class="type">string</span>
2027 The revision of firmware that is loaded in the modem.
2030 <dt class="field">FoundNetworks</dt>
2032 <span class="field_meta">(optional, read-only, provided only
2033 if <span class="field">Family</span> is <span class="value">GSM</span>)
2034 <span class="type">array of FoundNetwork</span>
2036 The list of cellular netwoks found in the most recent scan operation.
2039 <dt class="field">HardwareRevision</dt>
2041 <span class="field_meta">(optional, read-only)
2042 <span class="type">string</span>
2044 The hardware revision of the cellular modem.
2047 <dt class="field">HomeProvider</dt>
2049 <span class="field_meta">(optional, read-only)
2050 <span class="type">array of CellularProvider</span>
2052 Description of the operator that issued the SIM card currently installed
2056 <dt class="field">ICCID</dt>
2058 <span class="field_meta">(optional, read-only, provided only
2059 if <span class="field">Family</span> is <span class="value">GSM</span>
2060 or <span class="field">NetworkTechnology</span>
2061 is <span class="value">LTE</span>)
2062 <span class="type">string</span>
2064 For GSM / LTE modems, the Integrated Circuit Card Identifer of the SIM
2065 card installed in the device.
2068 <dt class="field">IMEI</dt>
2070 <span class="field_meta">(optional, read-only)
2071 <span class="type">string</span>
2073 The International Mobile Equipment Identity of the cellular modem.
2076 <dt class="field">IMSI</dt>
2078 <span class="field_meta">(optional, read-only, provided only
2079 if <span class="field">Family</span> is <span class="value">GSM</span>)
2080 <span class="type">string</span>
2082 For GSM modems, the International Mobile Subscriber Identity of the SIM
2083 card installed in the device.
2086 <dt class="field">LastGoodAPN</dt>
2088 <span class="field_meta">(optional, read-only)
2089 <span class="type">APN</span>
2091 The APN information used in the last successful connection attempt.
2094 <dt class="field">Manufacturer</dt>
2096 <span class="field_meta">(optional, read-only)
2097 <span class="type">string</span>
2099 The manufacturer of the cellular modem.
2102 <dt class="field">MDN</dt>
2104 <span class="field_meta">(optional)
2105 <span class="type">string</span>
2107 The Mobile Directory Number (i.e., phone number) of the device.
2110 <dt class="field">MEID</dt>
2112 <span class="field_meta">(optional, read-only, provided only
2113 if <span class="field">Family</span> is <span class="value">CDMA</span>)
2114 <span class="type">string</span>
2116 For CDMA modems, the Mobile Equipment Identifer of the cellular modem.
2119 <dt class="field">MIN</dt>
2121 <span class="field_meta">(optional, read-only)
2122 <span class="type">string</span>
2124 The Mobile Identification Number of the device.
2127 <dt class="field">ModelID</dt>
2129 <span class="field_meta">(optional, read-only)
2130 <span class="type">string</span>
2132 The hardware model of the cellular modem.
2135 <dt class="field">NetworkTechnology</dt>
2137 <span class="field_meta">(optional, read-only)
2138 <span class="type">string</span>
2140 If the modem is registered on a network, then this is set to the
2141 network technology currently in use.
2142 <span class="rule"><span class="rule_id"></span>
2144 <span class="value">1xRTT</span>, <span class="value">EVDO</span>,
2145 <span class="value">GPRS</span>, <span class="value">EDGE</span>,
2146 <span class="value">UMTS</span>,
2147 <span class="value">HSPA</span>, <span class="value">HSPA+</span>,
2148 <span class="value">LTE</span>, <span class="value">LTE Advanced</span>
2152 <dt class="field">PRLVersion</dt>
2154 <span class="field_meta">(optional, read-only)
2155 <span class="type">integer</span>
2157 The revision of the Preferred Roaming List that is loaded in the modem.
2160 <dt class="field">ProviderRequiresRoaming</dt>
2162 <span class="field_meta">(optional, read-only)
2163 <span class="type">boolean</span>
2165 Indicates that the cellular provider (determined based on IMSI and SPN)
2169 <dt class="field">RoamingState</dt>
2171 <span class="field_meta">(optional, read-only)
2172 <span class="type">string</span>
2174 The roaming status of the cellular modem on the current network.
2177 <dt class="field">ServingOperator</dt>
2179 <span class="field_meta">(optional, read-only, provided only
2180 if <span class="field">Family</span> is <span class="value">GSM</span>)
2181 <span class="type">CellularProvider</span>
2183 Description of the operator on whose network the modem is currently
2187 <dt class="field">SIMLockStatus</dt>
2189 <span class="field_meta">(optional, read-only, provided only
2190 if <span class="field">Family</span> is <span class="value">GSM</span>)
2191 <span class="type">SIMLockStatus</span>
2193 For GSM modems, a dictionary containing two properties describing the
2194 state of the SIM card lock.
2197 <dt class="field">SIMPresent</dt>
2199 <span class="field_meta">(optional, read-only, provided only
2200 if <span class="field">Family</span> is <span class="value">GSM</span>
2201 or <span class="field">NetworkTechnology</span>
2202 is <span class="value">LTE</span>)
2203 <span class="type">boolean</span>
2205 For GSM or LTE modems, indicates whether a SIM card is present or not.
2208 <dt class="field">SupportNetworkScan</dt>
2210 <span class="field_meta">(optional, read-only)
2211 <span class="type">boolean</span>
2213 True if the cellular network supports scanning.
2216 <dt class="field">SupportedCarriers</dt>
2218 <span class="field_meta">(optional, read-only)
2219 <span class="type">array of string</span>
2221 A list of supported carriers.
2226 <p><span class="type">APN</span> type contains the following:</p>
2227 <dl class="field_list">
2228 <dt class="field">AccessPointName</dt>
2230 <span class="field_meta">(required)
2231 <span class="type">string</span>
2233 The access point name used when making connections.
2236 <dt class="field">Name</dt>
2238 <span class="field_meta">(optional)
2239 <span class="type">string</span>
2241 Description of the APN.
2244 <dt class="field">LocalizedName</dt>
2246 <span class="field_meta">(optional)
2247 <span class="type">string</span>
2249 Localized description of the APN.
2252 <dt class="field">Username</dt>
2254 <span class="field_meta">(optional)
2255 <span class="type">string</span>
2257 Username for making connections if required.
2260 <dt class="field">Password</dt>
2262 <span class="field_meta">(optional)
2263 <span class="type">string</span>
2265 Password for making connections if required.
2268 <dt class="field">Language</dt>
2270 <span class="field_meta">(optional, rquired if <span class="field">
2271 LocalizedName</span> is provided)
2272 <span class="type">string</span>
2274 Two letter language code for Localizedname if provided.
2278 <p><span class="type">FoundNetwork</span> type contains the following:</p>
2279 <dl class="field_list">
2280 <dt class="field">Status</dt>
2282 <span class="field_meta">(required)
2283 <span class="type">string</span>
2285 The availability of the network.
2288 <dt class="field">NetworkId</dt>
2290 <span class="field_meta">(required)
2291 <span class="type">string</span>
2293 The network id in the form MCC/MNC (without the '/').
2296 <dt class="field">Technology</dt>
2298 <span class="field_meta">(required)
2299 <span class="type">string</span>
2301 Access technology used by the network,
2302 e.g. "GSM", "UMTS", "EDGE", "HSPA", etc.
2305 <dt class="field">ShortName</dt>
2307 <span class="field_meta">(optional)
2308 <span class="type">string</span>
2310 Short-format name of the network operator.
2313 <dt class="field">LongName</dt>
2315 <span class="field_meta">(optional)
2316 <span class="type">string</span>
2318 Long-format name of the network operator.
2322 <p><span class="type">CellularProvider</span> type contains the following:</p>
2323 <dl class="field_list">
2324 <dt class="field">Name</dt>
2326 <span class="field_meta">(required)
2327 <span class="type">string</span>
2332 <dt class="field">Code</dt>
2334 <span class="field_meta">(required)
2335 <span class="type">string</span>
2337 The network id in the form MCC/MNC (without the '/').
2340 <dt class="field">Country</dt>
2342 <span class="field_meta">(optional)
2343 <span class="type">string</span>
2345 The two-letter country code.
2349 <p><span class="type">SIMLockStatus</span> type contains the following:</p>
2350 <dl class="field_list">
2351 <dt class="field">LockType</dt>
2353 <span class="field_meta">(required)
2354 <span class="type">string</span>
2356 Specifies the type of lock in effect, or an empty string if unlocked.
2357 <span class="rule"><span class="rule_id"></span>
2359 <span class="value">sim-pin</span>,
2360 <span class="value">sim-puk</span>
2364 <dt class="field">LockEnabled</dt>
2366 <span class="field_meta">(required)
2367 <span class="type">boolean</span>
2369 Indicates whether SIM locking is enabled
2372 <dt class="field">RetriesLeft</dt>
2374 <span class="field_meta">(optional)
2375 <span class="type">integer</span>
2377 If <span class="field">LockType</span> is empty
2378 or <span class="value">sim-pin</span>, then this property represents
2379 the number of attempts remaining to supply a correct PIN before the
2380 PIN becomes blocked, at which point a PUK provided by the carrier would
2381 be necessary to unlock the SIM (and <span class="field">LockType</span>
2382 changes to <span class="value">sim-puk</span>).
2389 <h1>Bluetooth / WiFi Direct Networks</h1>
2391 This format will eventually also cover configuration of Bluetooth and Wi-Fi
2392 Direct network technologies, however they are currently not supported.
2399 <h1>Certificates</h1>
2401 Certificate data is stored in a separate section. Each certificate may be
2402 referenced from within the NetworkConfigurations array using a certificate
2403 reference. A certificate reference is its GUID.
2407 The top-level field <span class="field">Certificates</span> is an array of
2408 objects of <span class="type">Certificate</span> type.
2412 The <span class="type">Certificate</span> type contains the following:
2415 <dl class="field_list">
2416 <dt class="field">GUID</dt>
2418 <span class="field_meta">
2420 <span class="type">string</span>
2422 A unique identifier for this certificate. Must be a non-empty string.
2425 <dt class="field">PKCS12</dt>
2427 <span class="field_meta">
2428 (required if <span class="field">Type</span> is
2429 <span class="value">Client</span>, otherwise ignored)
2430 <span class="type">string</span>
2431 </span> For certificates with
2432 private keys, this is the base64 encoding of the a PKCS#12 file.
2435 <dt class="field">Remove</dt>
2437 <span class="field_meta">
2438 (optional, defaults to <span class="value">false</span>)
2439 <span class="type">boolean</span>
2441 If <span class="value">true</span>, remove this certificate (only GUID
2445 <dt class="field">TrustBits</dt>
2447 <span class="field_meta">
2448 (optional if <span class="field">Type</span>
2449 is <span class="value">Server</span>
2450 or <span class="value">Authority</span>, otherwise ignored, defaults to
2452 <span class="type">array of string</span>
2454 An array of trust flags. Clients should ignore unknown flags. For
2455 backwards compatibility, each flag should only increase the trust and
2456 never restrict. The trust flag <span class="value">Web</span> implies that
2457 the certificate is to be trusted for HTTPS SSL identification. A typical
2458 web certificate authority would have <span class="field">Type</span> set
2459 to <span class="value">Authority</span> and
2460 <span class="field">TrustBits</span> set to
2461 <span class="snippet">["Web"]</span>.
2464 <dt class="field">Type</dt>
2466 <span class="field_meta">
2467 (required if <span class="field">Remove</span> is
2468 <span class="value">false</span>, otherwise ignored)
2469 <span class="type">string</span>
2472 <span class="rule_id"></span>
2473 Allowed values are <span class="value">Client</span>,
2474 <span class="value">Server</span>, and
2475 <span class="value">Authority</span>.
2477 <span class="value">Client</span> indicates the certificate is for
2478 identifying the user or device over HTTPS or for
2479 VPN/802.1X. <span class="value">Server</span> indicates the certificate
2480 identifies an HTTPS or VPN/802.1X peer.
2481 <span class="value">Authority</span> indicates the certificate is a
2482 certificate authority and any certificates it issues should be
2483 trusted. Note that if <span class="field">Type</span> disagrees with the
2484 x509 v3 basic constraints or key usage attributes, the
2485 <span class="field">Type</span> field should be honored.
2488 <dt class="field">X509</dt>
2490 <span class="field_meta">
2491 (required if <span class="field">Type</span> is
2492 <span class="value">Server</span> or
2493 <span class="value">Authority</span>, otherwise ignored)
2494 <span class="type">string</span>
2495 </span> For certificate
2496 without private keys, this is the X509 certificate in PEM format.
2501 The passphrase of the PKCS#12 encoding must be empty. Encryption of key data
2502 should be handled at the level of the entire file, or the transport of the
2507 If a global-scoped network connection refers to a user-scoped certificate,
2508 results are undefined, so this configuration should be prohibited by the
2509 configuration editor.
2516 <h1>Encrypted Configuration</h1>
2518 We assume that when this format is imported as part of policy that
2519 file-level encryption will not be necessary because the policy transport is
2520 already encrypted, but when it is imported as a standalone file, it is
2521 desirable to encrypt it. Since this file has private information (user
2522 names) and secrets (passphrases and private keys) in it, and we want it to
2523 be usable as a manual way to distribute network configuration, we must
2528 For this standalone export, the entire file will be encrypted in a symmetric
2529 fashion with a passphrase stretched using salted PBKDF2 using at least 20000
2530 iterations, and encrypted using an AES-256 CBC mode cipher with an SHA-1
2531 HMAC on the ciphertext.
2535 An encrypted ONC file's top level object will have the
2536 <span class="type">EncryptedConfiguration</span>
2537 type. <span class="type">EncryptedConfiguration</span> type contains the
2541 <dl class="field_list">
2542 <dt class="field">Cipher</dt>
2544 <span class="field_meta">
2546 <span class="type">string</span>
2548 The type of cipher used. Currently only <span class="value">AES256</span>
2552 <dt class="field">Ciphertext</dt>
2554 <span class="field_meta">
2556 <span class="type">string</span>
2558 The raw ciphertext of the encrypted ONC file, base64 encoded.
2561 <dt class="field">HMAC</dt>
2563 <span class="field_meta">
2565 <span class="type">string</span>
2567 The HMAC for the ciphertext, base64 encoded.
2570 <dt class="field">HMACMethod</dt>
2572 <span class="field_meta">
2574 <span class="type">string</span>
2576 The method used to compute the Hash-based Message Authentication Code
2577 (HMAC). Currently only <span class="value">SHA1</span> is supported.
2580 <dt class="field">Salt</dt>
2582 <span class="field_meta">
2584 <span class="type">string</span>
2586 The salt value used during key stretching.
2589 <dt class="field">Stretch</dt>
2591 <span class="field_meta">
2593 <span class="type">string</span>
2595 The key stretching algorithm used. Currently
2596 only <span class="value">PBKDF2</span> is supported.
2599 <dt class="field">Iterations</dt>
2601 <span class="field_meta">
2603 <span class="type">integer</span>
2605 The number of iterations to use during key stretching.
2608 <dt class="field">IV</dt>
2610 <span class="field_meta">
2612 <span class="type">string</span>
2614 The initial vector (IV) used for Cyclic Block Cipher (CBC) mode, base64
2618 <dt class="field">Type</dt>
2620 <span class="field_meta">
2622 <span class="type">string</span>
2624 The type of the ONC file, which must be set
2625 to <span class="value">EncryptedConfiguration</span>.
2630 <span class="rule_id"></span>
2631 When decrypted, the ciphertext must contain a JSON object of
2632 type <span class="type">UnencryptedConfiguration</span>.
2637 <h1>String Expansions</h1>
2639 The values of some fields, such
2640 as <span class="field">WiFi.EAP.Identity</span>
2641 and <span class="field">VPN.*.Username</span>, are subject to string
2642 expansions. These allow one ONC to have basic user-specific variations.
2651 ${LOGIN_ID} - expands to the email address of the user, but before the
2655 ${LOGIN_EMAIL} - expands to the email address of the user.
2660 The following SED would properly handle resolution.
2665 s/\$\{LOGIN_ID\}/bobquail$1/g
2668 s/\$\{LOGIN_EMAIL\}/bobquail@example.com$1/g
2673 Example expansions, assuming the user was bobquail@example.com:
2678 "${LOGIN_ID}" -> "bobquail"
2681 "${LOGIN_ID}@corp.example.com" -> "bobquail@corp.example.com"
2684 "${LOGIN_EMAIL}" -> "bobquail@example.com"
2687 "${LOGIN_ID}X" -> "bobquailX"
2690 "${LOGIN_IDX}" -> "${LOGIN_IDX}"
2693 "X${LOGIN_ID}" -> "Xbobquail"
2701 This format should be sent in files ending in the .onc extension. When
2702 transmitted with a MIME type, the MIME type should be
2703 application/x-onc. These two methods make detection of data to be handled in
2704 this format, especially when encryption is used and the payload itself is
2712 <h1>Alternatives considered</h1>
2714 For the overall format, we considered XML, ASN.1, and protobufs. JSON and
2715 ASN.1 seem more widely known than protobufs. Since administrators are
2716 likely to want to tweak settings that will not exist in common UIs, we
2717 should provide a format that is well known and human modifiable. ASN.1 is
2718 not human modifiable. Protobufs formats are known by open source developers
2719 but seem less likely to be known by administrators. JSON serialization
2720 seems to have good support across languages.
2724 We considered sending the exact connection manager configuration format of
2725 an open source connection manager like connman. There are a few issues
2726 here, for instance, referencing certificates by identifiers not tied to a
2727 particular PKCS#11 token, and tying to one OS's connection manager.
2734 This format should be sent in files ending in the .onc extension. When
2735 transmitted with a MIME type, the MIME type should be
2736 application/x-onc. These two methods make detection of data to be handled in
2737 this format, especially when encryption is used and the payload itself is
2746 <h1>Simple format example: PEAP/MSCHAPv2 network (per device)</h1>
2750 "Type": "UnencryptedConfiguration",
2751 "NetworkConfigurations": [
2753 "GUID": "{f2c17903-b0e1-8593-b3ca74f977236bd7}",
2757 "AutoConnect": true,
2760 "UseSystemCAs": true
2762 "HiddenSSID": false,
2764 "Security": "WPA-EAP"
2773 Notice that in this case, we do not provide a username and password - we set
2774 SaveCredentials to <span class="value">false</span> so we are prompted every
2775 time. We could have passed in username and password - but such a file should
2781 <h1>Complex format example: TLS network with client certs (per device)</h1>
2785 "Type": "UnencryptedConfiguration",
2786 "NetworkConfigurations": [
2788 "GUID": "{00f79111-51e0-e6e0-76b3b55450d80a1b}",
2789 "Name": "MyTTLSNetwork",
2792 "AutoConnect": false,
2794 "ClientCertPattern": {
2796 "http://fetch-my-certificate.com"
2799 "{6ed8dce9-64c8-d568-d225d7e467e37828}"
2802 "ClientCertType": "Pattern",
2804 "ServerCARef": "{6ed8dce9-64c8-d568-d225d7e467e37828}",
2805 "UseSystemCAs": true
2807 "HiddenSSID": false,
2808 "SSID": "MyTTLSNetwork",
2809 "Security": "WPA-EAP"
2815 "GUID": "{6ed8dce9-64c8-d568-d225d7e467e37828}",
2816 "Type": "Authority",
2817 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="
2824 In this example, the client certificate is not sent in the ONC format, but
2825 rather we send a certificate authority which we know will have signed the
2826 client certificate that is needed, along with an enrollment URI to navigate
2827 to if the required certificate is not yet available on the client.
2832 <h1>Simple format example: HTTPS Certificate Authority</h1>
2835 In this example a new certificate authority is added to be trusted for HTTPS
2836 server authentication.
2841 "Type": "UnencryptedConfiguration",
2842 "NetworkConfigurations": [],
2845 "GUID": "{f31f2110-9f5f-61a7-a8bd7c00b94237af}",
2846 "TrustBits": [ "Web" ],
2847 "Type": "Authority",
2848 "X509": "MIIEpzCCA4+gAwIBAgIJAMueiWq5WEIAMA0GCSqGSIb3DQEBBQUAMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyODA2MjA0MFoXDTEyMDEyODA2MjA0MFowgZMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIEwZSYWRpdXMxEjAQBgNVBAcTCVNvbWV3aGVyZTEVMBMGA1UEChMMRXhhbXBsZSBJbmMuMSAwHgYJKoZIhvcNAQkBFhFhZG1pbkBleGFtcGxlLmNvbTEmMCQGA1UEAxMdRXhhbXBsZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9EDplhyrVNJIoy1OsVqvD/K67B5PW2bDKKxGznodrzCu8jHsP1Ne3mgrK20vbzQUUBdmxTCWO6x3a3//r4ZuPOuZd1ViycWjt6mRfRbBzNrHzP7NiyFuXjdlz74beHQQLcHwvZ3qFAWZK37uweiLiDPaMaEQlka2Bztqx4PsogmSdoVPSCxi5Cl1XlJmITA03LlKpO79+0rEPRamWO/DMCwvffn2/UUjJLog4/lYe16HQ6iq/6bjhffm2rLXDFKOGZmBVbLNMCfANRMtdFWHYdBXERoUo2zpM9tduOOUNLy7E7kRKVm/wy38s51ChFPlpORrhimN2j1caar+KAv2tAgMBAAGjgfswgfgwHQYDVR0OBBYEFBTIImiXp+57jjgn2N5wq93GgAAtMIHIBgNVHSMEgcAwgb2AFBTIImiXp+57jjgn2N5wq93GgAAtoYGZpIGWMIGTMQswCQYDVQQGEwJGUjEPMA0GA1UECBMGUmFkaXVzMRIwEAYDVQQHEwlTb21ld2hlcmUxFTATBgNVBAoTDEV4YW1wbGUgSW5jLjEgMB4GCSqGSIb3DQEJARYRYWRtaW5AZXhhbXBsZS5jb20xJjAkBgNVBAMTHUV4YW1wbGUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5ggkAy56JarlYQgAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAnNd0YY7s2YVYPsgEgDS+rBNjcQloTFWgc9Hv4RWBjwcdJdSPIrpBp7LSjC96wH5U4eWpQjlWbOYQ9RBq9Z/RpuAPEjzRV78rIrQrCWQ3lxwywWEb5Th1EVJSN68eNv7Ke5BlZ2l9kfLRKFm5MEBXX9YoHMX0U8I8dPIXfTyevmKOT1PuEta5cQOM6/zH86XWn6WYx3EXkyjpeIbVOw49AqaEY8u70yBmut4MO03zz/pwLjV1BWyIkXhsrtuJyA+ZImvgLK2oAMZtGGFo7b0GW/sWY/P3R6Un3RFy35k6U3kXCDYYhgZEcS36lIqcj5y6vYUUVM732/etCsuOLz6ppw=="
2856 <h1>Encrypted format example</h1>
2859 In this example a simple wireless network is added, but the file is encrypted
2860 with the passphrase "test0000".
2866 "Ciphertext": "eQ9/r6v29/83M745aa0JllEj4lklt3Nfy4kPPvXgjBt1eTByxXB+FnsdvL6Uca5JBU5aROxfiol2+ZZOkxPmUNNIFZj70pkdqOGVe09ncf0aVBDsAa27veGIG8rG/VQTTbAo7d8QaxdNNbZvwQVkdsAXawzPCu7zSh4NF/hDnDbYjbN/JEm1NzvWgEjeOfqnnw3PnGUYCArIaRsKq9uD0a1NccU+16ZSzyDhX724JNrJjsuxohotk5YXsCK0lP7ZXuXj+nSR0aRIETSQ+eqGhrew2octLXq8cXK05s6ZuVAc0mFKPkntSI/fzBACuPi4ZaGd3YEYiKzNOgKJ+qEwgoE39xp0EXMZOZyjMOAtA6e1ZZDQGWG7vKdTLmLKNztHGrXvlZkyEf1RDs10YgkwwLgUhm0yBJ+eqbxO/RiBXz7O2/UVOkkkVcmeI6yh3BdL6HIYsMMygnZa5WRkd/2/EudoqEnjcqUyGsL+YUqV6KRTC0PH+z7zSwvFs2KygrSM7SIAZM2yiQHTQACkA/YCJDwACkkQOBFnRWTWiX0xmN55WMbgrs/wqJ4zGC9LgdAInOBlc3P+76+i7QLaNjMovQ==",
2867 "HMAC": "3ylRy5InlhVzFGakJ/9lvGSyVH0=",
2868 "HMACMethod": "SHA1",
2869 "Iterations": 20000,
2870 "IV": "hcm6OENfqG6C/TVO6p5a8g==",
2871 "Salt": "/3O73QadCzA=",
2872 "Stretch": "PBKDF2",
2873 "Type": "EncryptedConfiguration"
2881 <h1>Standalone editor</h1>
2884 The source code for a Chrome packaged app to generate ONC configuration can
2886 <a href="https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree">"https://gerrit.chromium.org/gitweb/?p=chromiumos/platform/spigots.git;a=tree"</a>
2891 <h1>Internationalization and Localization</h1>
2894 UIs will need to have internationalization and localizations - the file
2895 format will remain in English.
2900 <h1>Security Considerations</h1>
2903 Data stored inside of open network configuration files is highly sensitive
2904 to users and enterprises. The file format itself provides adequate
2905 encryption options to allow standalone use-cases to be secure. For automatic
2906 updates sent by policy, the policy transport should be made secure. The file
2907 should not be stored unencrypted on disk as part of policy fetching and
2908 should be cleared from memory after use.
2913 <h1>Privacy Considerations</h1>
2916 Similarly to the security considerations, user names will be present in
2917 these files for certain kinds of connections, so any places where the file
2918 is transmitted or saved to disk should be secure. On client device, when
2919 user names for connections that are user-specific are persisted to disk,
2920 they should be stored in a location that is encrypted. Users can also opt in
2921 these cases to not save their user credentials in the config file and will
2922 instead be prompted when they are needed.