1214503Srpaulo# hostapd user database for integrated EAP server 2214503Srpaulo 3214503Srpaulo# Each line must contain an identity, EAP method(s), and an optional password 4214503Srpaulo# separated with whitespace (space or tab). The identity and password must be 5214503Srpaulo# double quoted ("user"). Password can alternatively be stored as 6214503Srpaulo# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password 7214503Srpaulo# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means 8214503Srpaulo# that the plaintext password does not need to be included in the user file. 9214503Srpaulo# Password hash is stored as hash:<16-octets of hex data> without quotation 10214503Srpaulo# marks. 11214503Srpaulo 12214503Srpaulo# [2] flag in the end of the line can be used to mark users for tunneled phase 13214503Srpaulo# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous 14214503Srpaulo# identity can be used in the unencrypted phase 1 and the real user identity 15214503Srpaulo# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous 16214503Srpaulo# access is needed, two user entries is needed, one for phase 1 and another 17214503Srpaulo# with the same username for phase 2. 18214503Srpaulo# 19214503Srpaulo# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use 20214503Srpaulo# password option. 21214503Srpaulo# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a 22214503Srpaulo# password. 23214503Srpaulo# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration. 24214503Srpaulo# 25214503Srpaulo# * can be used as a wildcard to match any user identity. The main purposes for 26214503Srpaulo# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to 27214503Srpaulo# avoid having to configure every certificate for EAP-TLS authentication. The 28214503Srpaulo# first matching entry is selected, so * should be used as the last phase 1 29214503Srpaulo# user entry. 30214503Srpaulo# 31214503Srpaulo# "prefix"* can be used to match the given prefix and anything after this. The 32214503Srpaulo# main purpose for this is to be able to avoid EAP method negotiation when the 33214503Srpaulo# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This 34214503Srpaulo# is only allowed for phase 1 identities. 35214503Srpaulo# 36214503Srpaulo# Multiple methods can be configured to make the authenticator try them one by 37214503Srpaulo# one until the peer accepts one. The method names are separated with a 38214503Srpaulo# comma (,). 39214503Srpaulo# 40214503Srpaulo# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP 41214503Srpaulo# version based on the Phase 1 identity. Without this flag, the EAP 42214503Srpaulo# authenticator advertises the highest supported version and select the version 43214503Srpaulo# based on the first PEAP packet from the supplicant. 44214503Srpaulo# 45214503Srpaulo# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel. 46214503Srpaulo# Tunneled EAP methods are configured with standard EAP method name and [2] 47214503Srpaulo# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP, 48214503Srpaulo# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a 49214503Srpaulo# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password 50214503Srpaulo# hash. 51281806Srpaulo# 52281806Srpaulo# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly 53281806Srpaulo# to the way radius_auth_req_attr is used for Access-Request packet in 54281806Srpaulo# hostapd.conf. For EAP server, this is configured separately for each user 55281806Srpaulo# entry with radius_accept_attr=<value> line(s) following the main user entry 56281806Srpaulo# line. 57214503Srpaulo 58214503Srpaulo# Phase 1 users 59214503Srpaulo"user" MD5 "password" 60214503Srpaulo"test user" MD5 "secret" 61214503Srpaulo"example user" TLS 62214503Srpaulo"DOMAIN\user" MSCHAPV2 "password" 63214503Srpaulo"gtc user" GTC "password" 64214503Srpaulo"pax user" PAX "unknown" 65214503Srpaulo"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef 66214503Srpaulo"psk user" PSK "unknown" 67214503Srpaulo"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef 68214503Srpaulo"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 69214503Srpaulo"ttls" TTLS 70214503Srpaulo"not anonymous" PEAP 71214503Srpaulo# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes 72214503Srpaulo"0"* AKA,TTLS,TLS,PEAP,SIM 73214503Srpaulo"1"* SIM,TTLS,TLS,PEAP,AKA 74214503Srpaulo"2"* AKA,TTLS,TLS,PEAP,SIM 75214503Srpaulo"3"* SIM,TTLS,TLS,PEAP,AKA 76214503Srpaulo"4"* AKA,TTLS,TLS,PEAP,SIM 77214503Srpaulo"5"* SIM,TTLS,TLS,PEAP,AKA 78252726Srpaulo"6"* AKA' 79252726Srpaulo"7"* AKA' 80252726Srpaulo"8"* AKA' 81214503Srpaulo 82214503Srpaulo# Wildcard for all other identities 83214503Srpaulo* PEAP,TTLS,TLS,SIM,AKA 84214503Srpaulo 85214503Srpaulo# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users 86214503Srpaulo"t-md5" MD5 "password" [2] 87214503Srpaulo"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2] 88214503Srpaulo"t-gtc" GTC "password" [2] 89214503Srpaulo"not anonymous" MSCHAPV2 "password" [2] 90214503Srpaulo"user" MD5,GTC,MSCHAPV2 "password" [2] 91214503Srpaulo"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2] 92214503Srpaulo"ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2] 93214503Srpaulo 94214503Srpaulo# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2 95214503Srpaulo"0"* AKA [2] 96214503Srpaulo"1"* SIM [2] 97214503Srpaulo"2"* AKA [2] 98214503Srpaulo"3"* SIM [2] 99214503Srpaulo"4"* AKA [2] 100214503Srpaulo"5"* SIM [2] 101252726Srpaulo"6"* AKA' [2] 102252726Srpaulo"7"* AKA' [2] 103252726Srpaulo"8"* AKA' [2] 104