Annotation of elwix/config/etc/default/hostapd.eap_user, revision 1.1.1.1
1.1 misho 1: # hostapd user database for integrated EAP server
2:
3: # Each line must contain an identity, EAP method(s), and an optional password
4: # separated with whitespace (space or tab). The identity and password must be
5: # double quoted ("user"). Password can alternatively be stored as
6: # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
7: # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
8: # that the plaintext password does not need to be included in the user file.
9: # Password hash is stored as hash:<16-octets of hex data> without quotation
10: # marks.
11:
12: # [2] flag in the end of the line can be used to mark users for tunneled phase
13: # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
14: # identity can be used in the unencrypted phase 1 and the real user identity
15: # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
16: # access is needed, two user entries is needed, one for phase 1 and another
17: # with the same username for phase 2.
18: #
19: # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
20: # password option.
21: # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
22: # password.
23: # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
24: #
25: # * can be used as a wildcard to match any user identity. The main purposes for
26: # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
27: # avoid having to configure every certificate for EAP-TLS authentication. The
28: # first matching entry is selected, so * should be used as the last phase 1
29: # user entry.
30: #
31: # "prefix"* can be used to match the given prefix and anything after this. The
32: # main purpose for this is to be able to avoid EAP method negotiation when the
33: # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
34: # is only allowed for phase 1 identities.
35: #
36: # Multiple methods can be configured to make the authenticator try them one by
37: # one until the peer accepts one. The method names are separated with a
38: # comma (,).
39: #
40: # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
41: # version based on the Phase 1 identity. Without this flag, the EAP
42: # authenticator advertises the highest supported version and select the version
43: # based on the first PEAP packet from the supplicant.
44: #
45: # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
46: # Tunneled EAP methods are configured with standard EAP method name and [2]
47: # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
48: # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
49: # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
50: # hash.
51:
52: # Phase 1 users
53: "user" MD5 "password"
54: "test user" MD5 "secret"
55: "example user" TLS
56: "DOMAIN\user" MSCHAPV2 "password"
57: "gtc user" GTC "password"
58: "pax user" PAX "unknown"
59: "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
60: "psk user" PSK "unknown"
61: "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
62: "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
63: "ttls" TTLS
64: "not anonymous" PEAP
65: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
66: "0"* AKA,TTLS,TLS,PEAP,SIM
67: "1"* SIM,TTLS,TLS,PEAP,AKA
68: "2"* AKA,TTLS,TLS,PEAP,SIM
69: "3"* SIM,TTLS,TLS,PEAP,AKA
70: "4"* AKA,TTLS,TLS,PEAP,SIM
71: "5"* SIM,TTLS,TLS,PEAP,AKA
72:
73: # Wildcard for all other identities
74: * PEAP,TTLS,TLS,SIM,AKA
75:
76: # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
77: "t-md5" MD5 "password" [2]
78: "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
79: "t-gtc" GTC "password" [2]
80: "not anonymous" MSCHAPV2 "password" [2]
81: "user" MD5,GTC,MSCHAPV2 "password" [2]
82: "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
83: "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
84:
85: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
86: "0"* AKA [2]
87: "1"* SIM [2]
88: "2"* AKA [2]
89: "3"* SIM [2]
90: "4"* AKA [2]
91: "5"* SIM [2]
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>