hostapd.eap_user 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103
  1. # hostapd user database for integrated EAP server
  2. # Each line must contain an identity, EAP method(s), and an optional password
  3. # separated with whitespace (space or tab). The identity and password must be
  4. # double quoted ("user"). Password can alternatively be stored as
  5. # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
  6. # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
  7. # that the plaintext password does not need to be included in the user file.
  8. # Password hash is stored as hash:<16-octets of hex data> without quotation
  9. # marks.
  10. # [2] flag in the end of the line can be used to mark users for tunneled phase
  11. # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
  12. # identity can be used in the unencrypted phase 1 and the real user identity
  13. # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
  14. # access is needed, two user entries is needed, one for phase 1 and another
  15. # with the same username for phase 2.
  16. #
  17. # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
  18. # password option.
  19. # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
  20. # password.
  21. # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
  22. #
  23. # * can be used as a wildcard to match any user identity. The main purposes for
  24. # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
  25. # avoid having to configure every certificate for EAP-TLS authentication. The
  26. # first matching entry is selected, so * should be used as the last phase 1
  27. # user entry.
  28. #
  29. # "prefix"* can be used to match the given prefix and anything after this. The
  30. # main purpose for this is to be able to avoid EAP method negotiation when the
  31. # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
  32. # is only allowed for phase 1 identities.
  33. #
  34. # Multiple methods can be configured to make the authenticator try them one by
  35. # one until the peer accepts one. The method names are separated with a
  36. # comma (,).
  37. #
  38. # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
  39. # version based on the Phase 1 identity. Without this flag, the EAP
  40. # authenticator advertises the highest supported version and select the version
  41. # based on the first PEAP packet from the supplicant.
  42. #
  43. # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
  44. # Tunneled EAP methods are configured with standard EAP method name and [2]
  45. # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
  46. # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
  47. # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
  48. # hash.
  49. #
  50. # Arbitrary RADIUS attributes can be added into Access-Accept packets similarly
  51. # to the way radius_auth_req_attr is used for Access-Request packet in
  52. # hostapd.conf. For EAP server, this is configured separately for each user
  53. # entry with radius_accept_attr=<value> line(s) following the main user entry
  54. # line.
  55. # Phase 1 users
  56. "user" MD5 "password"
  57. "test user" MD5 "secret"
  58. "example user" TLS
  59. "DOMAIN\user" MSCHAPV2 "password"
  60. "gtc user" GTC "password"
  61. "pax user" PAX "unknown"
  62. "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
  63. "psk user" PSK "unknown"
  64. "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
  65. "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  66. "ttls" TTLS
  67. "not anonymous" PEAP
  68. # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
  69. "0"* AKA,TTLS,TLS,PEAP,SIM
  70. "1"* SIM,TTLS,TLS,PEAP,AKA
  71. "2"* AKA,TTLS,TLS,PEAP,SIM
  72. "3"* SIM,TTLS,TLS,PEAP,AKA
  73. "4"* AKA,TTLS,TLS,PEAP,SIM
  74. "5"* SIM,TTLS,TLS,PEAP,AKA
  75. "6"* AKA'
  76. "7"* AKA'
  77. "8"* AKA'
  78. # Wildcard for all other identities
  79. * PEAP,TTLS,TLS,SIM,AKA
  80. # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
  81. "t-md5" MD5 "password" [2]
  82. "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
  83. "t-gtc" GTC "password" [2]
  84. "not anonymous" MSCHAPV2 "password" [2]
  85. "user" MD5,GTC,MSCHAPV2 "password" [2]
  86. "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
  87. "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
  88. # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
  89. "0"* AKA [2]
  90. "1"* SIM [2]
  91. "2"* AKA [2]
  92. "3"* SIM [2]
  93. "4"* AKA [2]
  94. "5"* SIM [2]
  95. "6"* AKA' [2]
  96. "7"* AKA' [2]
  97. "8"* AKA' [2]