      1 # hostapd user database for integrated EAP server
      2 
      3 # Each line must contain an identity, EAP method(s), and an optional password
      4 # separated with whitespace (space or tab). The identity and password must be
      5 # double quoted ("user"). Password can alternatively be stored as
      6 # NtPasswordHash (16-byte MD4 hash of the Unicode presentation of the password)
      7 # if it is used for MSCHAP or MSCHAPv2 authentication. This means that the
      8 # plaintext password does not need to be included in the user file, although
      9 # the hash is still password-equivalent for MSCHAP/MSCHAPv2 and must be protected
     10 # like one. Password hash is stored as hash:<16-octets of hex data> without quotation marks.
     11 
     12 # [2] flag in the end of the line can be used to mark users for tunneled phase
     13 # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
     14 # identity can be used in the unencrypted phase 1 and the real user identity
     15 # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
     16 # access is needed, two user entries are needed, one for phase 1 and another
     17 # with the same username for phase 2.
     18 #
     19 # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use the
     20 # password option.
     21 # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
     22 # password.
     23 # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
     24 #
     25 # * can be used as a wildcard to match any user identity. The main purposes for
     26 # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
     27 # avoid having to configure every certificate for EAP-TLS authentication. The
     28 # first matching entry is selected, so * should be used as the last phase 1
     29 # user entry.
     30 #
     31 # "prefix"* can be used to match the given prefix and anything after it. The
     32 # main purpose for this is to be able to avoid EAP method negotiation when the
     33 # method uses a known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
     34 # is only allowed for phase 1 identities.
     35 #
     36 # Multiple methods can be configured to make the authenticator try them one by
     37 # one until the peer accepts one. The method names are separated with a
     38 # comma (,).
     39 #
     40 # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force the PEAP
     41 # version based on the Phase 1 identity. Without this flag, the EAP
     42 # authenticator advertises the highest supported version and selects the version
     43 # based on the first PEAP packet from the supplicant.
     44 #
     45 # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
     46 # Tunneled EAP methods are configured with the standard EAP method name and the
     47 # [2] flag. Non-EAP methods can be enabled with the following method names:
     48 # TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP
     49 # require a plaintext password, while TTLS-MSCHAP and TTLS-MSCHAPV2 can use the
     50 # NT password hash.
     51 
     52 # Phase 1 users
     53 "user"		MD5	"password"
     54 "test user"	MD5	"secret"
     55 "example user"	TLS
     56 "DOMAIN\user"	MSCHAPV2	"password"
     57 "gtc user"	GTC	"password"
     58 "pax user"	PAX	"unknown"
     59 "pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef
     60 "psk user"	PSK	"unknown"
     61 "psk.user@example.com"	PSK	0123456789abcdef0123456789abcdef
     62 "sake.user@example.com"	SAKE	0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
     63 "ttls"		TTLS
     64 "not anonymous"	PEAP
     65 # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
     66 "0"*		AKA,TTLS,TLS,PEAP,SIM
     67 "1"*		SIM,TTLS,TLS,PEAP,AKA
     68 "2"*		AKA,TTLS,TLS,PEAP,SIM
     69 "3"*		SIM,TTLS,TLS,PEAP,AKA
     70 "4"*		AKA,TTLS,TLS,PEAP,SIM
     71 "5"*		SIM,TTLS,TLS,PEAP,AKA
     72 "6"*		AKA'
     73 "7"*		AKA'
     74 "8"*		AKA'
     75 
     76 # Wildcard for all other identities
     77 *		PEAP,TTLS,TLS,SIM,AKA
     78 
     79 # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
     80 "t-md5"		MD5	"password"	[2]
     81 "DOMAIN\t-mschapv2"	MSCHAPV2	"password"	[2]
     82 "t-gtc"		GTC	"password"	[2]
     83 "not anonymous"	MSCHAPV2	"password"	[2]
     84 "user"		MD5,GTC,MSCHAPV2	"password"	[2]
     85 "test user"	MSCHAPV2	hash:000102030405060708090a0b0c0d0e0f	[2]
     86 "ttls-user"	TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2	"password"	[2]
     87 
     88 # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
     89 "0"*		AKA	[2]
     90 "1"*		SIM	[2]
     91 "2"*		AKA	[2]
     92 "3"*		SIM	[2]
     93 "4"*		AKA	[2]
     94 "5"*		SIM	[2]
     95 "6"*		AKA'	[2]
     96 "7"*		AKA'	[2]
     97 "8"*		AKA'	[2]