path: root/contrib/hostapd/hostapd.eap_user
Diffstat (limited to 'contrib/hostapd/hostapd.eap_user')
-rw-r--r--contrib/hostapd/hostapd.eap_user43
1 files changed, 34 insertions, 9 deletions
diff --git a/contrib/hostapd/hostapd.eap_user b/contrib/hostapd/hostapd.eap_user
index fd7b420..b9d7f8b 100644
--- a/contrib/hostapd/hostapd.eap_user
+++ b/contrib/hostapd/hostapd.eap_user
@@ -1,15 +1,24 @@
# hostapd user database for integrated EAP authenticator
+
# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
-# double quoted ("user"). [2] flag in the end of the line can be used to mark
-# users for tunneled phase 2 authentication (e.g., within EAP-PEAP). In these
-# cases, an anonymous identity can be used in the unencrypted phase 1 and the
-# real user identity is transmitted only within the encrypted tunnel in phase
-# 2. If non-anonymous access is needed, two user entries is needed, one for
-# phase 1 and another with the same username for phase 2.
+# double quoted ("user"). Password can alternatively be stored as
+# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
+# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
+# that the plaintext password does not need to be included in the user file.
+# Password hash is stored as hash:<16-octets of hex data> without quotation
+# marks.
+
+# [2] flag in the end of the line can be used to mark users for tunneled phase
+# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
+# identity can be used in the unencrypted phase 1 and the real user identity
+# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
+# access is needed, two user entries is needed, one for phase 1 and another
+# with the same username for phase 2.
#
-# EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-SIM do not use password option.
-# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, and EAP-PSK require a password.
+# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-SIM, and EAP-AKA do not use password option.
+# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
+# password.
# EAP-PEAP and EAP-TTLS require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
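Review bot: The new paragraph describing the hash: form presents it as a way to keep the plaintext password out of the file, but it does not warn that for MSCHAP/MSCHAPv2 the NtPasswordHash is itself sufficient to authenticate, so the file still needs the same protection as one holding plaintext passwords. I would add after "marks.": `# Note that the NtPasswordHash is password-equivalent for MSCHAP/MSCHAPv2: anyone` / `# who can read this file can authenticate as the user, so keep the file readable` / `# only by the hostapd process.` The phrase "16-octets of hex data" is also ambiguous about the encoded length; "16 octets written as 32 hexadecimal characters" would match the example entry added later in this patch. The wording "unicode presentation of the password in unicode" repeats itself and should be reduced to "Unicode (UTF-16) representation of the password".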
@@ -18,6 +27,11 @@
# first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
+# "prefix"* can be used to match the given prefix and anything after this. The
+# main purpose for this is to be able to avoid EAP method negotiation when the
+# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
+# is only allowed for phase 1 identities.
+#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
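Review bot: The new paragraph on "prefix"* matching does not say how it interacts with the first-match rule stated in the lines just above it, so a reader cannot tell that prefix entries must precede the * wildcard to be reachable at all. I would extend the paragraph with `# Since the first matching entry is selected, prefix entries must be listed` / `# before the * wildcard entry.` It is also worth stating that the phase 1 identity is chosen by the peer and sent unencrypted (as the [2] paragraph above notes), so a prefix match only steers method selection and must not be treated as any form of authentication.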
@@ -37,9 +51,19 @@
"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
"psk user" PSK "unknown"
"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
+"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"ttls" TTLS
"not anonymous" PEAP
-* PEAP,TTLS,TLS,SIM
+# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
+"0"* AKA,TTLS,TLS,PEAP,SIM
+"1"* SIM,TTLS,TLS,PEAP,AKA
+"2"* AKA,TTLS,TLS,PEAP,SIM
+"3"* SIM,TTLS,TLS,PEAP,AKA
+"4"* AKA,TTLS,TLS,PEAP,SIM
+"5"* SIM,TTLS,TLS,PEAP,AKA
+
+# Wildcard for all other identities
+* PEAP,TTLS,TLS,SIM,AKA
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"t-md5" MD5 "password" [2]
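Review bot: The six prefix entries added under "Default to EAP-SIM and EAP-AKA based on fixed identity prefixes" give no hint what the digits 0-5 mean or why even digits lead with AKA and odd digits with SIM, which a maintainer editing this table will need. These appear to be the leading-digit identity conventions of EAP-AKA and EAP-SIM (permanent, pseudonym and fast re-authentication identities); if that is the intent, a comment such as `# Leading digit identifies the method: 0/2/4 are EAP-AKA identities, 1/3/5 EAP-SIM` would document it. Because each entry still lists all five methods, the prefix only fixes the first method tried; the comment should say so rather than leave the impression that the other methods are excluded. The SAKE example key, like the PAX/PSK values above it, is a published placeholder and deserves a `# example key only` remark so it is not copied into a live configuration.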
@@ -47,3 +71,4 @@
"t-gtc" GTC "password" [2]
"not anonymous" MSCHAPV2 "password" [2]
"user" MD5,GTC,MSCHAPV2 "password" [2]
+"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
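Review bot: The added "test user" entry demonstrates the hash: form with an obviously sequential placeholder, but nothing on or near the line says so, and a reader of this example file could take it for a real NT hash or copy it into a deployment. I would precede it with `# Example only: NtPasswordHash is 16 octets given as 32 hex characters; a real` / `# value is password-equivalent for MSCHAPv2 and must be protected like a password.` The value is 32 hex characters, which matches the 16-octet size the header comment describes.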