NetBSD/dist/hostapd/hostapd.eap_user

50 lines
2.2 KiB
Plaintext

# hostapd user database for integrated EAP authenticator
# Each line must contain an identity, EAP method(s), and an optional password
# separated with whitespace (space or tab). The identity and password must be
# double quoted ("user"). [2] flag in the end of the line can be used to mark
# users for tunneled phase 2 authentication (e.g., within EAP-PEAP). In these
# cases, an anonymous identity can be used in the unencrypted phase 1 and the
# real user identity is transmitted only within the encrypted tunnel in phase
# 2. If non-anonymous access is needed, two user entries is needed, one for
# phase 1 and another with the same username for phase 2.
#
# EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-SIM do not use password option.
# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, and EAP-PSK require a password.
# EAP-PEAP and EAP-TTLS require Phase 2 configuration.
#
# * can be used as a wildcard to match any user identity. The main purposes for
# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
# avoid having to configure every certificate for EAP-TLS authentication. The
# first matching entry is selected, so * should be used as the last phase 1
# user entry.
#
# Multiple methods can be configured to make the authenticator try them one by
# one until the peer accepts one. The method names are separated with a
# comma (,).
#
# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
# version based on the Phase 1 identity. Without this flag, the EAP
# authenticator advertises the highest supported version and select the version
# based on the first PEAP packet from the supplicant.
# Phase 1 users
"user" MD5 "password"
"test user" MD5 "secret"
"example user" TLS
"DOMAIN\user" MSCHAPV2 "password"
"gtc user" GTC "password"
"pax user" PAX "unknown"
"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
"psk user" PSK "unknown"
"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
"ttls" TTLS
"not anonymous" PEAP
* PEAP,TTLS,TLS,SIM
# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
"t-md5" MD5 "password" [2]
"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
"t-gtc" GTC "password" [2]
"not anonymous" MSCHAPV2 "password" [2]
"user" MD5,GTC,MSCHAPV2 "password" [2]