projects / thirdparty / hostap.git / blame
| Commit | Line | Data |
|---|---|---|
| 6fc6879b JM |
1 | # hostapd user database for integrated EAP server |
| 2 | ||
| 3 | # Each line must contain an identity, EAP method(s), and an optional password | |
| 4 | # separated with whitespace (space or tab). The identity and password must be | |
| 5 | # double quoted ("user"). Password can alternatively be stored as | |
| 6 | # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password | |
| 7 | # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means | |
| 8 | # that the plaintext password does not need to be included in the user file. | |
| 9 | # Password hash is stored as hash:<16-octets of hex data> without quotation | |
| 10 | # marks. | |
| 11 | ||
| 12 | # [2] flag in the end of the line can be used to mark users for tunneled phase | |
| 13 | # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous | |
| 14 | # identity can be used in the unencrypted phase 1 and the real user identity | |
| 15 | # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous | |
| 16 | # access is needed, two user entries is needed, one for phase 1 and another | |
| 17 | # with the same username for phase 2. | |
| 18 | # | |
| 19 | # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use | |
| 20 | # password option. | |
| 21 | # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a | |
| 22 | # password. | |
| 23 | # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration. | |
| 24 | # | |
| 25 | # * can be used as a wildcard to match any user identity. The main purposes for | |
| 26 | # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to | |
| 27 | # avoid having to configure every certificate for EAP-TLS authentication. The | |
| 28 | # first matching entry is selected, so * should be used as the last phase 1 | |
| 29 | # user entry. | |
| 30 | # | |
| 31 | # "prefix"* can be used to match the given prefix and anything after this. The | |
| 32 | # main purpose for this is to be able to avoid EAP method negotiation when the | |
| 33 | # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This | |
| 34 | # is only allowed for phase 1 identities. | |
| 35 | # | |
| 36 | # Multiple methods can be configured to make the authenticator try them one by | |
| 37 | # one until the peer accepts one. The method names are separated with a | |
| 38 | # comma (,). | |
| 39 | # | |
| 40 | # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP | |
| 41 | # version based on the Phase 1 identity. Without this flag, the EAP | |
| 42 | # authenticator advertises the highest supported version and select the version | |
| 43 | # based on the first PEAP packet from the supplicant. | |
| 44 | # | |
| 45 | # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel. | |
| 46 | # Tunneled EAP methods are configured with standard EAP method name and [2] | |
| 47 | # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP, | |
| 48 | # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a | |
| 49 | # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password | |
| 50 | # hash. | |
| d0ee16ed JM |
51 | # |
| 52 | # Arbitrary RADIUS attributes can be added into Access-Accept packets similarly | |
| 53 | # to the way radius_auth_req_attr is used for Access-Request packet in | |
| 54 | # hostapd.conf. For EAP server, this is configured separately for each user | |
| 55 | # entry with radius_accept_attr=<value> line(s) following the main user entry | |
| 56 | # line. | |
| 6fc6879b JM |
57 | |
| 58 | # Phase 1 users | |
| 59 | "user" MD5 "password" | |
| 60 | "test user" MD5 "secret" | |
| 61 | "example user" TLS | |
| 62 | "DOMAIN\user" MSCHAPV2 "password" | |
| 63 | "gtc user" GTC "password" | |
| 64 | "pax user" PAX "unknown" | |
| 65 | "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef | |
| 66 | "psk user" PSK "unknown" | |
| 67 | "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef | |
| 68 | "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef | |
| 69 | "ttls" TTLS | |
| 70 | "not anonymous" PEAP | |
| 71 | # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes | |
| 72 | "0"* AKA,TTLS,TLS,PEAP,SIM | |
| 73 | "1"* SIM,TTLS,TLS,PEAP,AKA | |
| 74 | "2"* AKA,TTLS,TLS,PEAP,SIM | |
| 75 | "3"* SIM,TTLS,TLS,PEAP,AKA | |
| 76 | "4"* AKA,TTLS,TLS,PEAP,SIM | |
| 77 | "5"* SIM,TTLS,TLS,PEAP,AKA | |
| 762e4ce6 JM |
78 | "6"* AKA' |
| 79 | "7"* AKA' | |
| 80 | "8"* AKA' | |
| 6fc6879b JM |
81 | |
| 82 | # Wildcard for all other identities | |
| 83 | * PEAP,TTLS,TLS,SIM,AKA | |
| 84 | ||
| 85 | # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users | |
| 86 | "t-md5" MD5 "password" [2] | |
| 87 | "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2] | |
| 88 | "t-gtc" GTC "password" [2] | |
| 89 | "not anonymous" MSCHAPV2 "password" [2] | |
| 90 | "user" MD5,GTC,MSCHAPV2 "password" [2] | |
| 91 | "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2] | |
| 92 | "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2] | |
| 93 | ||
| 94 | # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2 | |
| 95 | "0"* AKA [2] | |
| 96 | "1"* SIM [2] | |
| 97 | "2"* AKA [2] | |
| 98 | "3"* SIM [2] | |
| 99 | "4"* AKA [2] | |
| 100 | "5"* SIM [2] | |
| 762e4ce6 JM |
101 | "6"* AKA' [2] |
| 102 | "7"* AKA' [2] | |
| 103 | "8"* AKA' [2] |