elwix/config/etc/uboot/hostapd.eap_user - diff

Return to hostapd.eap_user CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / elwix / config / etc / uboot

Diff for /elwix/config/etc/uboot/hostapd.eap_user between versions 1.1 and 1.2

-version 1.1, 2014/01/23 09:30:22
+version 1.2, 2014/09/15 19:06:46
- Line 0
+ Line 1
+ # hostapd user database for integrated EAP server
+ # Each line must contain an identity, EAP method(s), and an optional password
+ # separated with whitespace (space or tab). The identity and password must be
+ # double quoted ("user"). Password can alternatively be stored as
+ # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
+ # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
+ # that the plaintext password does not need to be included in the user file.
+ # Password hash is stored as hash:<16-octets of hex data> without quotation
+ # marks.
+ # [2] flag in the end of the line can be used to mark users for tunneled phase
+ # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
+ # identity can be used in the unencrypted phase 1 and the real user identity
+ # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
+ # access is needed, two user entries is needed, one for phase 1 and another
+ # with the same username for phase 2.
+ #
+ # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
+ # password option.
+ # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
+ # password.
+ # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
+ #
+ # * can be used as a wildcard to match any user identity. The main purposes for
+ # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
+ # avoid having to configure every certificate for EAP-TLS authentication. The
+ # first matching entry is selected, so * should be used as the last phase 1
+ # user entry.
+ #
+ # "prefix"* can be used to match the given prefix and anything after this. The
+ # main purpose for this is to be able to avoid EAP method negotiation when the
+ # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
+ # is only allowed for phase 1 identities.
+ #
+ # Multiple methods can be configured to make the authenticator try them one by
+ # one until the peer accepts one. The method names are separated with a
+ # comma (,).
+ #
+ # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
+ # version based on the Phase 1 identity. Without this flag, the EAP
+ # authenticator advertises the highest supported version and select the version
+ # based on the first PEAP packet from the supplicant.
+ #
+ # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
+ # Tunneled EAP methods are configured with standard EAP method name and [2]
+ # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
+ # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
+ # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
+ # hash.
+ # Phase 1 users
+ "user"          MD5     "password"
+ "test user"     MD5     "secret"
+ "example user"  TLS
+ "DOMAIN\user"   MSCHAPV2        "password"
+ "gtc user"      GTC     "password"
+ "pax user"      PAX     "unknown"
+ "pax.user@example.com"  PAX     0123456789abcdef0123456789abcdef
+ "psk user"      PSK     "unknown"
+ "psk.user@example.com"  PSK     0123456789abcdef0123456789abcdef
+ "sake.user@example.com" SAKE    0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
+ "ttls"          TTLS
+ "not anonymous" PEAP
+ # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
+ "0"*            AKA,TTLS,TLS,PEAP,SIM
+ "1"*            SIM,TTLS,TLS,PEAP,AKA
+ "2"*            AKA,TTLS,TLS,PEAP,SIM
+ "3"*            SIM,TTLS,TLS,PEAP,AKA
+ "4"*            AKA,TTLS,TLS,PEAP,SIM
+ "5"*            SIM,TTLS,TLS,PEAP,AKA
+ # Wildcard for all other identities
+ *               PEAP,TTLS,TLS,SIM,AKA
+ # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
+ "t-md5"         MD5     "password"      [2]
+ "DOMAIN\t-mschapv2"     MSCHAPV2        "password"      [2]
+ "t-gtc"         GTC     "password"      [2]
+ "not anonymous" MSCHAPV2        "password"      [2]
+ "user"          MD5,GTC,MSCHAPV2        "password"      [2]
+ "test user"     MSCHAPV2        hash:000102030405060708090a0b0c0d0e0f   [2]
+ "ttls-user"     TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2    "password"      [2]
+ # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
+ "0"*            AKA     [2]
+ "1"*            SIM     [2]
+ "2"*            AKA     [2]
+ "3"*            SIM     [2]
+ "4"*            AKA     [2]
+ "5"*            SIM     [2]

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.1
changed lines
	Added in v.1.2