author | sam <sam@FreeBSD.org> | 2007-07-09 16:15:06 +0000 |
committer | sam <sam@FreeBSD.org> | 2007-07-09 16:15:06 +0000 |
commit | 1bf2fd00c50865c26197a0fb9ce70f417b9fa121 (patch) | |
tree | c6f336fc28b042f00efc2373c71fceadfa394e52 /contrib/hostapd/hostapd.eap_user | |
parent | 620bfba12034be7d2ad4a357063d609ff5b6e63a (diff) | |
download | FreeBSD-src-1bf2fd00c50865c26197a0fb9ce70f417b9fa121.zip FreeBSD-src-1bf2fd00c50865c26197a0fb9ce70f417b9fa121.tar.gz |
Import of hostapd 0.5.8
Diffstat (limited to 'contrib/hostapd/hostapd.eap_user')
-rw-r--r-- | contrib/hostapd/hostapd.eap_user | 43 |
1 files changed, 34 insertions, 9 deletions
diff --git a/contrib/hostapd/hostapd.eap_user b/contrib/hostapd/hostapd.eap_user
index fd7b420..b9d7f8b 100644
--- a/contrib/hostapd/hostapd.eap_user
+++ b/contrib/hostapd/hostapd.eap_user
@@ -1,15 +1,24 @@
 # hostapd user database for integrated EAP authenticator
+
 # Each line must contain an identity, EAP method(s), and an optional password
 # separated with whitespace (space or tab). The identity and password must be
-# double quoted ("user"). [2] flag in the end of the line can be used to mark
-# users for tunneled phase 2 authentication (e.g., within EAP-PEAP). In these
-# cases, an anonymous identity can be used in the unencrypted phase 1 and the
-# real user identity is transmitted only within the encrypted tunnel in phase
-# 2. If non-anonymous access is needed, two user entries is needed, one for
-# phase 1 and another with the same username for phase 2.
+# double quoted ("user"). Password can alternatively be stored as
+# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
+# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
+# that the plaintext password does not need to be included in the user file.
+# Password hash is stored as hash:<16-octets of hex data> without quotation
+# marks.
+
+# [2] flag in the end of the line can be used to mark users for tunneled phase
+# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
+# identity can be used in the unencrypted phase 1 and the real user identity
+# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
+# access is needed, two user entries is needed, one for phase 1 and another
+# with the same username for phase 2.
 #
-# EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-SIM do not use password option.
-# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, and EAP-PSK require a password.
+# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-SIM, and EAP-AKA do not use password option.
+# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
+# password.
 # EAP-PEAP and EAP-TTLS require Phase 2 configuration.
 #
 # * can be used as a wildcard to match any user identity. The main purposes for
@@ -18,6 +27,11 @@
 # first matching entry is selected, so * should be used as the last phase 1
 # user entry.
 #
+# "prefix"* can be used to match the given prefix and anything after this. The
+# main purpose for this is to be able to avoid EAP method negotiation when the
+# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
+# is only allowed for phase 1 identities.
+#
 # Multiple methods can be configured to make the authenticator try them one by
 # one until the peer accepts one. The method names are separated with a
 # comma (,).
@@ -37,9 +51,19 @@
 "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
 "psk user" PSK "unknown"
 "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
+"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
 "ttls" TTLS
 "not anonymous" PEAP
-* PEAP,TTLS,TLS,SIM
+# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
+"0"* AKA,TTLS,TLS,PEAP,SIM
+"1"* SIM,TTLS,TLS,PEAP,AKA
+"2"* AKA,TTLS,TLS,PEAP,SIM
+"3"* SIM,TTLS,TLS,PEAP,AKA
+"4"* AKA,TTLS,TLS,PEAP,SIM
+"5"* SIM,TTLS,TLS,PEAP,AKA
+
+# Wildcard for all other identities
+* PEAP,TTLS,TLS,SIM,AKA
 
 # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
 "t-md5" MD5 "password" [2]
@@ -47,3 +71,4 @@
 "t-gtc" GTC "password" [2]
 "not anonymous" MSCHAPV2 "password" [2]
 "user" MD5,GTC,MSCHAPV2 "password" [2]
+"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2] |
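Review bot: The new NtPasswordHash paragraph says that with `hash:` the plaintext password "does not need to be included in the user file", which reads as if the stored value were less sensitive, but for MSCHAP/MSCHAPv2 the stored hash is all the authenticator needs to verify a peer, so the file has to be protected exactly as if it held plaintext passwords. Suggest extending the `# marks.` line with `# Note: the NtPasswordHash is itself sufficient for MSCHAP/MSCHAPv2 authentication, so this file must be kept as tightly protected as one containing plaintext passwords.` Two wording issues in the same paragraph: `unicode presentation of the password # in unicode` says "unicode" twice (drop the trailing `in unicode`), and `hash:<16-octets of hex data>` is easier to apply if written as `hash:<32 hex digits (16 octets)>`, which also matches the 32-digit sample added later in the file.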
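Review bot: The comment `# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes` in the `@@ -37,9 +51,19 @@` hunk describes only the first method of each `"0"*` to `"5"*` entry; every list still continues with TTLS, TLS and PEAP before the other SIM/AKA method, so per the earlier `try them one by one until the peer accepts one` rule a peer that declines the first method is offered the tunneled methods before the remaining SIM/AKA fallback. This is probably the intended behaviour for an example file, but the comment should say so, since the `"prefix"*` documentation added in the previous hunk presents the prefix match as a way to avoid negotiation altogether. Suggest `# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes; the remaining methods are tried in order if the peer declines the first one.`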
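Review bot: The added `"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]` is the only entry demonstrating the `hash:` form, and nothing next to it says why its method list is MSCHAPV2 alone, although the header in the first hunk restricts the hash form to MSCHAP/MSCHAPv2 while MD5 and GTC are listed as needing a password. A reader copying the `"user" MD5,GTC,MSCHAPV2 "password" [2]` line above it and swapping in a `hash:` value would get an entry that cannot serve the MD5 and GTC methods. Suggest a comment line before the new entry: `# hash: (NtPasswordHash) entries are only usable with MSCHAPV2; the other phase 2 methods still need the plaintext password`. It would also help to mark the value as a placeholder, e.g. `# (example value, not a real hash)`, so it is not mistaken for a usable credential.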