File:  [ELWIX - Embedded LightWeight unIX -] / elwix / config / etc / default / hostapd.eap_user
Tue Jul 5 23:43:00 2011 UTC (13 years ago) by misho
Branches: misho, MAIN
CVS tags: start, elwix2_8, elwix2_7, elwix2_6, elwix2_3, elwix2_2, elwix2_1, elwix2_0, elwix1_9_mips, elwix1_9, elwix1_8, elwix1_7, elwix1_6, elwix1_5, elwix1_4, Patch1, HEAD, ELWIX2_7, ELWIX2_6, ELWIX2_5, ELWIX2_2p0, ELWIX2_1, ELWIX2_0, ELWIX1_9, ELWIX1_8, ELWIX1_7, ELWIX1_6, ELWIX1_5

    1: # hostapd user database for integrated EAP server
    2: 
    3: # Each line must contain an identity, EAP method(s), and an optional password
    4: # separated with whitespace (space or tab). The identity and password must be
    5: # double quoted ("user"). The password can alternatively be stored as an
    6: # NtPasswordHash (the 16-byte MD4 hash of the Unicode form of the password)
    7: # when it is used for MSCHAP or MSCHAPv2 authentication, so the plaintext
    8: # password need not be included in the user file. Note that this hash alone is
    9: # sufficient to authenticate, so protect this file as carefully as plaintext
   10: # passwords. The hash is stored as hash:<16-octets of hex data> without quotes.
   11: 
   12: # A [2] flag at the end of the line can be used to mark users for tunneled phase
   13: # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
   14: # identity can be used in the unencrypted phase 1 and the real user identity
   15: # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
   16: # access is needed, two user entries are needed, one for phase 1 and another
   17: # with the same username for phase 2.
   18: #
   19: # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
   20: # password option.
   21: # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
   22: # password.
   23: # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
   24: #
   25: # * can be used as a wildcard to match any user identity. The main purposes for
   26: # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
   27: # avoid having to configure every certificate for EAP-TLS authentication. The
   28: # first matching entry is selected, so * should be used as the last phase 1
   29: # user entry.
   30: #
   31: # "prefix"* can be used to match the given prefix and anything after this. The
   32: # main purpose for this is to be able to avoid EAP method negotiation when the
   33: # method uses a known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
   34: # is only allowed for phase 1 identities.
   35: #
   36: # Multiple methods can be configured to make the authenticator try them one by
   37: # one until the peer accepts one. The method names are separated with a
   38: # comma (,).
   39: #
   40: # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
   41: # version based on the Phase 1 identity. Without this flag, the EAP
   42: # authenticator advertises the highest supported version and selects the version
   43: # based on the first PEAP packet from the supplicant.
   44: #
   45: # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
   46: # Tunneled EAP methods are configured with standard EAP method name and [2]
   47: # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
   48: # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
   49: # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
   50: # hash.
   51: 
   52: # Phase 1 users (example entries with placeholder credentials; replace them before deployment)
   53: "user"		MD5	"password"
   54: "test user"	MD5	"secret"
   55: "example user"	TLS
   56: "DOMAIN\user"	MSCHAPV2	"password"
   57: "gtc user"	GTC	"password"
   58: "pax user"	PAX	"unknown"
   59: "pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef
   60: "psk user"	PSK	"unknown"
   61: "psk.user@example.com"	PSK	0123456789abcdef0123456789abcdef
   62: "sake.user@example.com"	SAKE	0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
   63: "ttls"		TTLS
   64: "not anonymous"	PEAP
   65: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
   66: "0"*		AKA,TTLS,TLS,PEAP,SIM
   67: "1"*		SIM,TTLS,TLS,PEAP,AKA
   68: "2"*		AKA,TTLS,TLS,PEAP,SIM
   69: "3"*		SIM,TTLS,TLS,PEAP,AKA
   70: "4"*		AKA,TTLS,TLS,PEAP,SIM
   71: "5"*		SIM,TTLS,TLS,PEAP,AKA
   72: 
   73: # Wildcard for all other identities; keep it as the last phase 1 entry, since the first matching entry wins
   74: *		PEAP,TTLS,TLS,SIM,AKA
   75: 
   76: # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
   77: "t-md5"		MD5	"password"	[2]
   78: "DOMAIN\t-mschapv2"	MSCHAPV2	"password"	[2]
   79: "t-gtc"		GTC	"password"	[2]
   80: "not anonymous"	MSCHAPV2	"password"	[2]
   81: "user"		MD5,GTC,MSCHAPV2	"password"	[2]
   82: "test user"	MSCHAPV2	hash:000102030405060708090a0b0c0d0e0f	[2]
   83: "ttls-user"	TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2	"password"	[2]
   84: 
   85: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
   86: "0"*		AKA	[2]
   87: "1"*		SIM	[2]
   88: "2"*		AKA	[2]
   89: "3"*		SIM	[2]
   90: "4"*		AKA	[2]
   91: "5"*		SIM	[2]
