xref: /freebsd/contrib/wpa/hostapd/hostapd.eap_user (revision a90b9d0159070121c221b966469c3e36d912bf82) 
139beb93cSSam Leffler# hostapd user database for integrated EAP server
239beb93cSSam Leffler
339beb93cSSam Leffler# Each line must contain an identity, EAP method(s), and an optional password
439beb93cSSam Leffler# separated with whitespace (space or tab). The identity and password must be
539beb93cSSam Leffler# double quoted ("user"). Password can alternatively be stored as
639beb93cSSam Leffler# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
739beb93cSSam Leffler# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
839beb93cSSam Leffler# that the plaintext password does not need to be included in the user file.
939beb93cSSam Leffler# Password hash is stored as hash:<16-octets of hex data> without quotation
1039beb93cSSam Leffler# marks.
1139beb93cSSam Leffler
1239beb93cSSam Leffler# [2] flag in the end of the line can be used to mark users for tunneled phase
1339beb93cSSam Leffler# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
1439beb93cSSam Leffler# identity can be used in the unencrypted phase 1 and the real user identity
1539beb93cSSam Leffler# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
1639beb93cSSam Leffler# access is needed, two user entries is needed, one for phase 1 and another
1739beb93cSSam Leffler# with the same username for phase 2.
1839beb93cSSam Leffler#
1939beb93cSSam Leffler# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
2039beb93cSSam Leffler# password option.
2139beb93cSSam Leffler# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
2239beb93cSSam Leffler# password.
2339beb93cSSam Leffler# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
2439beb93cSSam Leffler#
2539beb93cSSam Leffler# * can be used as a wildcard to match any user identity. The main purposes for
2639beb93cSSam Leffler# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
2739beb93cSSam Leffler# avoid having to configure every certificate for EAP-TLS authentication. The
2839beb93cSSam Leffler# first matching entry is selected, so * should be used as the last phase 1
2939beb93cSSam Leffler# user entry.
3039beb93cSSam Leffler#
3139beb93cSSam Leffler# "prefix"* can be used to match the given prefix and anything after this. The
3239beb93cSSam Leffler# main purpose for this is to be able to avoid EAP method negotiation when the
3339beb93cSSam Leffler# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
3439beb93cSSam Leffler# is only allowed for phase 1 identities.
3539beb93cSSam Leffler#
3639beb93cSSam Leffler# Multiple methods can be configured to make the authenticator try them one by
3739beb93cSSam Leffler# one until the peer accepts one. The method names are separated with a
3839beb93cSSam Leffler# comma (,).
3939beb93cSSam Leffler#
4039beb93cSSam Leffler# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
4139beb93cSSam Leffler# version based on the Phase 1 identity. Without this flag, the EAP
4239beb93cSSam Leffler# authenticator advertises the highest supported version and select the version
4339beb93cSSam Leffler# based on the first PEAP packet from the supplicant.
4439beb93cSSam Leffler#
4539beb93cSSam Leffler# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
4639beb93cSSam Leffler# Tunneled EAP methods are configured with standard EAP method name and [2]
4739beb93cSSam Leffler# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
4839beb93cSSam Leffler# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
4939beb93cSSam Leffler# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
5039beb93cSSam Leffler# hash.
515b9c547cSRui Paulo#
525b9c547cSRui Paulo# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly
535b9c547cSRui Paulo# to the way radius_auth_req_attr is used for Access-Request packet in
545b9c547cSRui Paulo# hostapd.conf. For EAP server, this is configured separately for each user
55*a90b9d01SCy Schubert# entry with radius_accept_attr=<attr_id>[:<syntax:value>] line(s) following
56*a90b9d01SCy Schubert# the main user entry line.
5739beb93cSSam Leffler
5839beb93cSSam Leffler# Phase 1 users
5939beb93cSSam Leffler"user"		MD5	"password"
6039beb93cSSam Leffler"test user"	MD5	"secret"
6139beb93cSSam Leffler"example user"	TLS
6239beb93cSSam Leffler"DOMAIN\user"	MSCHAPV2	"password"
6339beb93cSSam Leffler"gtc user"	GTC	"password"
6439beb93cSSam Leffler"pax user"	PAX	"unknown"
6539beb93cSSam Leffler"pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef
6639beb93cSSam Leffler"psk user"	PSK	"unknown"
6739beb93cSSam Leffler"psk.user@example.com"	PSK	0123456789abcdef0123456789abcdef
6839beb93cSSam Leffler"sake.user@example.com"	SAKE	0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
6939beb93cSSam Leffler"ttls"		TTLS
7039beb93cSSam Leffler"not anonymous"	PEAP
7139beb93cSSam Leffler# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
7239beb93cSSam Leffler"0"*		AKA,TTLS,TLS,PEAP,SIM
7339beb93cSSam Leffler"1"*		SIM,TTLS,TLS,PEAP,AKA
7439beb93cSSam Leffler"2"*		AKA,TTLS,TLS,PEAP,SIM
7539beb93cSSam Leffler"3"*		SIM,TTLS,TLS,PEAP,AKA
7639beb93cSSam Leffler"4"*		AKA,TTLS,TLS,PEAP,SIM
7739beb93cSSam Leffler"5"*		SIM,TTLS,TLS,PEAP,AKA
78f05cddf9SRui Paulo"6"*		AKA'
79f05cddf9SRui Paulo"7"*		AKA'
80f05cddf9SRui Paulo"8"*		AKA'
8139beb93cSSam Leffler
8239beb93cSSam Leffler# Wildcard for all other identities
8339beb93cSSam Leffler*		PEAP,TTLS,TLS,SIM,AKA
8439beb93cSSam Leffler
8539beb93cSSam Leffler# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
8639beb93cSSam Leffler"t-md5"		MD5	"password"	[2]
8739beb93cSSam Leffler"DOMAIN\t-mschapv2"	MSCHAPV2	"password"	[2]
8839beb93cSSam Leffler"t-gtc"		GTC	"password"	[2]
8939beb93cSSam Leffler"not anonymous"	MSCHAPV2	"password"	[2]
9039beb93cSSam Leffler"user"		MD5,GTC,MSCHAPV2	"password"	[2]
9139beb93cSSam Leffler"test user"	MSCHAPV2	hash:000102030405060708090a0b0c0d0e0f	[2]
9239beb93cSSam Leffler"ttls-user"	TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2	"password"	[2]
9339beb93cSSam Leffler
9439beb93cSSam Leffler# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
9539beb93cSSam Leffler"0"*		AKA	[2]
9639beb93cSSam Leffler"1"*		SIM	[2]
9739beb93cSSam Leffler"2"*		AKA	[2]
9839beb93cSSam Leffler"3"*		SIM	[2]
9939beb93cSSam Leffler"4"*		AKA	[2]
10039beb93cSSam Leffler"5"*		SIM	[2]
101f05cddf9SRui Paulo"6"*		AKA'	[2]
102f05cddf9SRui Paulo"7"*		AKA'	[2]
103f05cddf9SRui Paulo"8"*		AKA'	[2]
104