summaryrefslogtreecommitdiff
path: root/contrib/hostapd/hostapd.eap_user
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/hostapd/hostapd.eap_user')
-rw-r--r--contrib/hostapd/hostapd.eap_user45
1 files changed, 45 insertions, 0 deletions
diff --git a/contrib/hostapd/hostapd.eap_user b/contrib/hostapd/hostapd.eap_user
new file mode 100644
index 0000000000000..529334a0e157d
--- /dev/null
+++ b/contrib/hostapd/hostapd.eap_user
@@ -0,0 +1,45 @@
+# hostapd user database for integrated EAP authenticator
+# Each line must contain an identity, EAP method(s), and an optional password
+# separated with whitespace (space or tab). The identity and password must be
+# double quoted ("user"). [2] flag in the end of the line can be used to mark
+# users for tunneled phase 2 authentication (e.g., within EAP-PEAP). In these
+# cases, an anonymous identity can be used in the unencrypted phase 1 and the
+# real user identity is transmitted only within the encrypted tunnel in phase
+# 2. If non-anonymous access is needed, two user entries is needed, one for
+# phase 1 and another with the same username for phase 2.
+#
+# EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-SIM do not use password option.
+# EAP-MD5, EAP-MSCHAPV2, and EAP-GTC require a password.
+# EAP-PEAP and EAP-TTLS require Phase 2 configuration.
+#
+# * can be used as a wildcard to match any user identity. The main purposes for
+# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
+# avoid having to configure every certificate for EAP-TLS authentication. The
+# first matching entry is selected, so * should be used as the last phase 1
+# user entry.
+#
+# Multiple methods can be configured to make the authenticator try them one by
+# one until the peer accepts one. The method names are separated with a
+# comma (,).
+#
+# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
+# version based on the Phase 1 identity. Without this flag, the EAP
+# authenticator advertises the highest supported version and select the version
+# based on the first PEAP packet from the supplicant.
+
+# Phase 1 users
+"user" MD5 "password"
+"test user" MD5 "secret"
+"example user" TLS
+"DOMAIN\user" MSCHAPV2 "password"
+"gtc user" GTC "password"
+"ttls" TTLS
+"not anonymous" PEAP
+* PEAP,TTLS,TLS,SIM
+
+# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
+"t-md5" MD5 "password" [2]
+"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
+"t-gtc" GTC "password" [2]
+"not anonymous" MSCHAPV2 "password" [2]
+"user" MD5,GTC,MSCHAPV2 "password" [2]
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-08 15:11:48 +0000