Return to hostapd.eap_user CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / elwix / config / etc / default |
1.1 ! misho 1: # hostapd user database for integrated EAP server ! 2: ! 3: # Each line must contain an identity, EAP method(s), and an optional password ! 4: # separated with whitespace (space or tab). The identity and password must be ! 5: # double quoted ("user"). Password can alternatively be stored as ! 6: # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password ! 7: # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means ! 8: # that the plaintext password does not need to be included in the user file. ! 9: # Password hash is stored as hash:<16-octets of hex data> without quotation ! 10: # marks. ! 11: ! 12: # [2] flag in the end of the line can be used to mark users for tunneled phase ! 13: # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous ! 14: # identity can be used in the unencrypted phase 1 and the real user identity ! 15: # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous ! 16: # access is needed, two user entries is needed, one for phase 1 and another ! 17: # with the same username for phase 2. ! 18: # ! 19: # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use ! 20: # password option. ! 21: # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a ! 22: # password. ! 23: # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration. ! 24: # ! 25: # * can be used as a wildcard to match any user identity. The main purposes for ! 26: # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to ! 27: # avoid having to configure every certificate for EAP-TLS authentication. The ! 28: # first matching entry is selected, so * should be used as the last phase 1 ! 29: # user entry. ! 30: # ! 31: # "prefix"* can be used to match the given prefix and anything after this. The ! 32: # main purpose for this is to be able to avoid EAP method negotiation when the ! 33: # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This ! 34: # is only allowed for phase 1 identities. ! 35: # ! 36: # Multiple methods can be configured to make the authenticator try them one by ! 37: # one until the peer accepts one. The method names are separated with a ! 38: # comma (,). ! 39: # ! 40: # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP ! 41: # version based on the Phase 1 identity. Without this flag, the EAP ! 42: # authenticator advertises the highest supported version and select the version ! 43: # based on the first PEAP packet from the supplicant. ! 44: # ! 45: # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel. ! 46: # Tunneled EAP methods are configured with standard EAP method name and [2] ! 47: # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP, ! 48: # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a ! 49: # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password ! 50: # hash. ! 51: ! 52: # Phase 1 users ! 53: "user" MD5 "password" ! 54: "test user" MD5 "secret" ! 55: "example user" TLS ! 56: "DOMAIN\user" MSCHAPV2 "password" ! 57: "gtc user" GTC "password" ! 58: "pax user" PAX "unknown" ! 59: "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef ! 60: "psk user" PSK "unknown" ! 61: "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef ! 62: "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef ! 63: "ttls" TTLS ! 64: "not anonymous" PEAP ! 65: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes ! 66: "0"* AKA,TTLS,TLS,PEAP,SIM ! 67: "1"* SIM,TTLS,TLS,PEAP,AKA ! 68: "2"* AKA,TTLS,TLS,PEAP,SIM ! 69: "3"* SIM,TTLS,TLS,PEAP,AKA ! 70: "4"* AKA,TTLS,TLS,PEAP,SIM ! 71: "5"* SIM,TTLS,TLS,PEAP,AKA ! 72: ! 73: # Wildcard for all other identities ! 74: * PEAP,TTLS,TLS,SIM,AKA ! 75: ! 76: # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users ! 77: "t-md5" MD5 "password" [2] ! 78: "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2] ! 79: "t-gtc" GTC "password" [2] ! 80: "not anonymous" MSCHAPV2 "password" [2] ! 81: "user" MD5,GTC,MSCHAPV2 "password" [2] ! 82: "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2] ! 83: "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2] ! 84: ! 85: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2 ! 86: "0"* AKA [2] ! 87: "1"* SIM [2] ! 88: "2"* AKA [2] ! 89: "3"* SIM [2] ! 90: "4"* AKA [2] ! 91: "5"* SIM [2]