Annotation of elwix/config/etc/uboot/hostapd.eap_user, revision 1.1.2.1
1.1.2.1 ! misho 1: # hostapd user database for integrated EAP server
! 2:
! 3: # Each line must contain an identity, EAP method(s), and an optional password
! 4: # separated with whitespace (space or tab). The identity and password must be
! 5: # double quoted ("user"). Password can alternatively be stored as
! 6: # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
! 7: # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
! 8: # that the plaintext password does not need to be included in the user file.
! 9: # Password hash is stored as hash:<16-octets of hex data> without quotation
! 10: # marks.
! 11:
! 12: # [2] flag in the end of the line can be used to mark users for tunneled phase
! 13: # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
! 14: # identity can be used in the unencrypted phase 1 and the real user identity
! 15: # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
! 16: # access is needed, two user entries is needed, one for phase 1 and another
! 17: # with the same username for phase 2.
! 18: #
! 19: # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
! 20: # password option.
! 21: # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
! 22: # password.
! 23: # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
! 24: #
! 25: # * can be used as a wildcard to match any user identity. The main purposes for
! 26: # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
! 27: # avoid having to configure every certificate for EAP-TLS authentication. The
! 28: # first matching entry is selected, so * should be used as the last phase 1
! 29: # user entry.
! 30: #
! 31: # "prefix"* can be used to match the given prefix and anything after this. The
! 32: # main purpose for this is to be able to avoid EAP method negotiation when the
! 33: # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
! 34: # is only allowed for phase 1 identities.
! 35: #
! 36: # Multiple methods can be configured to make the authenticator try them one by
! 37: # one until the peer accepts one. The method names are separated with a
! 38: # comma (,).
! 39: #
! 40: # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
! 41: # version based on the Phase 1 identity. Without this flag, the EAP
! 42: # authenticator advertises the highest supported version and select the version
! 43: # based on the first PEAP packet from the supplicant.
! 44: #
! 45: # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
! 46: # Tunneled EAP methods are configured with standard EAP method name and [2]
! 47: # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
! 48: # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
! 49: # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
! 50: # hash.
! 51:
! 52: # Phase 1 users
! 53: "user" MD5 "password"
! 54: "test user" MD5 "secret"
! 55: "example user" TLS
! 56: "DOMAIN\user" MSCHAPV2 "password"
! 57: "gtc user" GTC "password"
! 58: "pax user" PAX "unknown"
! 59: "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
! 60: "psk user" PSK "unknown"
! 61: "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
! 62: "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
! 63: "ttls" TTLS
! 64: "not anonymous" PEAP
! 65: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
! 66: "0"* AKA,TTLS,TLS,PEAP,SIM
! 67: "1"* SIM,TTLS,TLS,PEAP,AKA
! 68: "2"* AKA,TTLS,TLS,PEAP,SIM
! 69: "3"* SIM,TTLS,TLS,PEAP,AKA
! 70: "4"* AKA,TTLS,TLS,PEAP,SIM
! 71: "5"* SIM,TTLS,TLS,PEAP,AKA
! 72:
! 73: # Wildcard for all other identities
! 74: * PEAP,TTLS,TLS,SIM,AKA
! 75:
! 76: # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
! 77: "t-md5" MD5 "password" [2]
! 78: "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
! 79: "t-gtc" GTC "password" [2]
! 80: "not anonymous" MSCHAPV2 "password" [2]
! 81: "user" MD5,GTC,MSCHAPV2 "password" [2]
! 82: "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
! 83: "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
! 84:
! 85: # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
! 86: "0"* AKA [2]
! 87: "1"* SIM [2]
! 88: "2"* AKA [2]
! 89: "3"* SIM [2]
! 90: "4"* AKA [2]
! 91: "5"* SIM [2]
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>