-
Notifications
You must be signed in to change notification settings - Fork 10
/
hostapd.eap_user
86 lines (78 loc) · 3.61 KB
/
hostapd.eap_user
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# hostapd user database for integrated EAP server
# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
# double quoted ("user"). Password can alternatively be stored as
# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
# that the plaintext password does not need to be included in the user file.
# Password hash is stored as hash:<16-octets of hex data> without quotation
# marks.
# [2] flag in the end of the line can be used to mark users for tunneled phase
# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
# identity can be used in the unencrypted phase 1 and the real user identity
# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
# access is needed, two user entries is needed, one for phase 1 and another
# with the same username for phase 2.
#
# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
# password option.
# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
# password.
# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
# avoid having to configure every certificate for EAP-TLS authentication. The
# first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
# "prefix"* can be used to match the given prefix and anything after this. The
# main purpose for this is to be able to avoid EAP method negotiation when the
# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
# is only allowed for phase 1 identities.
#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
#
# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
# version based on the Phase 1 identity. Without this flag, the EAP
# authenticator advertises the highest supported version and select the version
# based on the first PEAP packet from the supplicant.
#
# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
# Tunneled EAP methods are configured with standard EAP method name and [2]
# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
# hash.
# Phase 1 users
#"user" MD5 "password"
#"test user" MD5 "secret"
#"example user" TLS
#"DOMAIN\user" MSCHAPV2 "password"
#"gtc user" GTC "password"
#"psk user" PSK "unknown"
#"[email protected]" PSK 0123456789abcdef0123456789abcdef
#"[email protected]" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
#"ttls" TTLS
#"not anonymous" PEAP
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
#"0"* AKA,TTLS,TLS,PEAP,SIM
#"1"* SIM,TTLS,TLS,PEAP,AKA
#"2"* AKA,TTLS,TLS,PEAP,SIM
#"3"* SIM,TTLS,TLS,PEAP,AKA
#"4"* AKA,TTLS,TLS,PEAP,SIM
#"5"* SIM,TTLS,TLS,PEAP,AKA
# Wildcard for all other identities
#
# WPE - DO NOT REMOVE - These entries are specifically in here
* PEAP,TTLS,TLS,FAST
"t" PEAP,GTC,TTLS-PAP,TTLS-MSCHAPV2,MSCHAPV2,TTLS-CHAP,TTLS-MSCHAP,MD5 "testtest" [2]
# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
#"0"* AKA [2]
#"1"* SIM [2]
#"2"* AKA [2]
#"3"* SIM [2]
#"4"* AKA [2]
#"5"* SIM [2]