This is an old revision of the document!
Network Manager version 1.12 integrated a basic IWD-based wifi backend as an alternative to wpa_supplicant. To use Network Manager (NM) with the IWD backend one NM configuration change is necessary. Additionally the versions of the two software packages need to be compatible, this is because IWD's API and capabilities are evolving and the NM backend is adapting to those changes. IWD and the NM backend are work in progress and the capabilities are still limited.
|IWD version||Compatible NM versions||Capabilities|
|0.3 to 0.4||1.12.*||Open and WPA/WPA2 Personal wifi networks, WPA2 Enterprise (see below), No AP mode, no hidden or Ad-hoc networks|
|0.5 to 0.7||1.14.0||Open and WPA/WPA2 Personal and Enterprise networks, No AP mode, no hidden or Ad-hoc networks|
|0.8 to 0.23||1.14.*||Open and WPA/WPA2 Personal and Enterprise networks, No AP mode, no hidden or Ad-hoc networks|
|0.8 to 0.23||1.16.0 and later||Open and WPA/WPA2 Personal and Enterprise networks, Infrastructure/AP/Ad-hoc modes, no hidden or P2P networks|
|1.0 and later||1.20.6 and later||Open and WPA/WPA2 Personal and Enterprise networks, Infrastructure/AP/Ad-hoc modes, no hidden or P2P networks|
If you can use an NM build provided by the Linux distribution that will simplify things a lot. So far Arch linux is known to ship compatible iwd and NM packages so there's no need to manually build the sources.
Even though a distribution may ship an NM-1.12 or 1.14 package, the IWD backend may not have been enabled. This is done with with
–with-iwd switch to
./configure during the build process (or
./autogen). Pass other
./configure options as required and follow with standard compilation and installation instructions. See the
./configure –help output for the possible options, some will be required and some can not be used depending on what other packages are installed on your system and their settings – this page will not cover other options.
$ wget https://github.com/NetworkManager/NetworkManager/archive/1.14.0.tar.gz $ tar -xvzf 1.14.0.tar.gz $ cd NetworkManager-1.14.0 $ ./autogen.sh --with-crypto=gnutls --disable-ppp --without-tests --disable-ovs --without-wext --without-libnm-glib --disable-maintainer-mode --disable-qt --disable-gtk-doc --disable-introspection --with-iwd $ make -j 3 # make install
Note that on some distributions, including Ubuntu, an NM installation in
/usr/local may be disallowed to launch the DHCP client subprocess by the Linux audit mechanism and a permission needs to be added through
app_armor. Before that is done, making connections, of any type, from Network Manager, will fail after about a 1 minute timeout (dmesg will show a line similar to this:
[98438.542859] audit: type=1400 audit(1532953834.917:242): apparmor=“DENIED” operation=“open” profile=“/sbin/dhclient” name=“/usr/local/var/lib/NetworkManager/dhclient-wlp2s0.conf” pid=31241 comm=“dhclient” requested_mask=“r” denied_mask=“r” fsuid=0 ouid=0). You can either add necessary rules to
/etc/apparmor.d/sbin.dhclient) or temporarily unload the dhclient-related rules with:
# apparmor_parser -R /etc/apparmor.d/sbin.dhclient
# /etc/init.d/apparmor stop
To switch NM from the wpa_supplicant backend to the IWD backend the following lines need to be added in
nm.conf. This file is normally located at
/etc/NetworkManager/conf.d/nm.conf but if you've built NM from source it may be in your
The example above switches all NM-managed WiFi devices to use the IWD backend. NM configuration syntax allows for other possibilties, see NM documentation in
After this Network Manager needs to be restarted. The wpa_supplicant daemon will often still be running in the background and needs to be explicitly stopped with
killall wpa_supplicant. IWD is currently not automatically started by NM, see Getting Started about starting IWD – this can be done either before or after starting NM. wpa_supplicant and IWD should not generally be active at the same time, neither will be able to manage WiFi connections correctly during the time both are active.
Once this is done you should be able to see a list of available networks from your Network Manager client interface (nm-applet, Gnome Shell or one of the command line NM clients) and be able to connect to Open and WPA/WPA2-Personal networks (Pre-Shared Key networks) as normal.
IWD allows the EAP Identity, i.e. the username, to be omitted in the
.8021x config files for the following EAP methods: PWD, GTC and MsCHAPv2 in which case they would be requested from the user through the Agent API. Network Manager's agent API is reserved for secrets only and Identity is not a secret so the Identity has to be always provided in the network's config file.
IWD does not show Ad-Hoc networks in its scan results and does not support scanning while connected in Ad-Hoc mode. Thus connecting to an existing Ad-Hoc network is done in the same way as setting up a new one and requires an NM Connection object to be first set up. With nm-applet this is done using the Create New Wi-Fi Network… dialog and either selecting and existing Connection or selecting New….
This section is mainly for network administrators information who are configuring access to a WPA Enterprise network on the users systems, or users who configure their own networks.
IWD requires 802.1X-secured WiFi networks to be set up by using a provisioning file in
/var/lib/iwd. However with the NM IWD-backend before 1.14.0 this alone is not enough to allow connecting to such networks. In the 1.12 NM versions each 802.1X network needs to also be configured with an NM Connection profile (i.e. a settings file in
/etc/NetworkManager/system-connections). The profile can also be created using the nm-applet GUI or the Gnome Shell GUI, same as with the wpa_supplicant backend.
The NM-side profile for the 802.1X network should match the settings stored in the IWD provisioning file for given network, as closely as possible, but using the standard NM settings sytntax (
nm-settings-keyfile(5)) – this will allow the NM clients to ask users for the right secrets during a connection attempt, if any secrets are required. If no connection-time secrets are needed, e.g. because they're provided in the provisioning file already, then the NM profile can have any settings in it – the profile will not be used by IWD, it only tells NM that given network is known and connectable.