1e5b75505Sopenharmony_ci# hostapd user database for integrated EAP server
2e5b75505Sopenharmony_ci
3e5b75505Sopenharmony_ci# Each line must contain an identity, EAP method(s), and an optional password
4e5b75505Sopenharmony_ci# separated with whitespace (space or tab). The identity and password must be
5e5b75505Sopenharmony_ci# double quoted ("user"). Password can alternatively be stored as
6e5b75505Sopenharmony_ci# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
7e5b75505Sopenharmony_ci# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
8e5b75505Sopenharmony_ci# that the plaintext password does not need to be included in the user file.
9e5b75505Sopenharmony_ci# Password hash is stored as hash:<16-octets of hex data> without quotation
10e5b75505Sopenharmony_ci# marks.
11e5b75505Sopenharmony_ci
12e5b75505Sopenharmony_ci# [2] flag in the end of the line can be used to mark users for tunneled phase
13e5b75505Sopenharmony_ci# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
14e5b75505Sopenharmony_ci# identity can be used in the unencrypted phase 1 and the real user identity
15e5b75505Sopenharmony_ci# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
16e5b75505Sopenharmony_ci# access is needed, two user entries is needed, one for phase 1 and another
17e5b75505Sopenharmony_ci# with the same username for phase 2.
18e5b75505Sopenharmony_ci#
19e5b75505Sopenharmony_ci# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
20e5b75505Sopenharmony_ci# password option.
21e5b75505Sopenharmony_ci# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
22e5b75505Sopenharmony_ci# password.
23e5b75505Sopenharmony_ci# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
24e5b75505Sopenharmony_ci#
25e5b75505Sopenharmony_ci# * can be used as a wildcard to match any user identity. The main purposes for
26e5b75505Sopenharmony_ci# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
27e5b75505Sopenharmony_ci# avoid having to configure every certificate for EAP-TLS authentication. The
28e5b75505Sopenharmony_ci# first matching entry is selected, so * should be used as the last phase 1
29e5b75505Sopenharmony_ci# user entry.
30e5b75505Sopenharmony_ci#
31e5b75505Sopenharmony_ci# "prefix"* can be used to match the given prefix and anything after this. The
32e5b75505Sopenharmony_ci# main purpose for this is to be able to avoid EAP method negotiation when the
33e5b75505Sopenharmony_ci# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
34e5b75505Sopenharmony_ci# is only allowed for phase 1 identities.
35e5b75505Sopenharmony_ci#
36e5b75505Sopenharmony_ci# Multiple methods can be configured to make the authenticator try them one by
37e5b75505Sopenharmony_ci# one until the peer accepts one. The method names are separated with a
38e5b75505Sopenharmony_ci# comma (,).
39e5b75505Sopenharmony_ci#
40e5b75505Sopenharmony_ci# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
41e5b75505Sopenharmony_ci# version based on the Phase 1 identity. Without this flag, the EAP
42e5b75505Sopenharmony_ci# authenticator advertises the highest supported version and select the version
43e5b75505Sopenharmony_ci# based on the first PEAP packet from the supplicant.
44e5b75505Sopenharmony_ci#
45e5b75505Sopenharmony_ci# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
46e5b75505Sopenharmony_ci# Tunneled EAP methods are configured with standard EAP method name and [2]
47e5b75505Sopenharmony_ci# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
48e5b75505Sopenharmony_ci# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
49e5b75505Sopenharmony_ci# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
50e5b75505Sopenharmony_ci# hash.
51e5b75505Sopenharmony_ci#
52e5b75505Sopenharmony_ci# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly
53e5b75505Sopenharmony_ci# to the way radius_auth_req_attr is used for Access-Request packet in
54e5b75505Sopenharmony_ci# hostapd.conf. For EAP server, this is configured separately for each user
55e5b75505Sopenharmony_ci# entry with radius_accept_attr=<value> line(s) following the main user entry
56e5b75505Sopenharmony_ci# line.
57e5b75505Sopenharmony_ci
58e5b75505Sopenharmony_ci# Phase 1 users
59e5b75505Sopenharmony_ci"user"		MD5	"password"
60e5b75505Sopenharmony_ci"test user"	MD5	"secret"
61e5b75505Sopenharmony_ci"example user"	TLS
62e5b75505Sopenharmony_ci"DOMAIN\user"	MSCHAPV2	"password"
63e5b75505Sopenharmony_ci"gtc user"	GTC	"password"
64e5b75505Sopenharmony_ci"pax user"	PAX	"unknown"
65e5b75505Sopenharmony_ci"pax.user@example.com"	PAX	0123456789abcdef0123456789abcdef
66e5b75505Sopenharmony_ci"psk user"	PSK	"unknown"
67e5b75505Sopenharmony_ci"psk.user@example.com"	PSK	0123456789abcdef0123456789abcdef
68e5b75505Sopenharmony_ci"sake.user@example.com"	SAKE	0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
69e5b75505Sopenharmony_ci"ttls"		TTLS
70e5b75505Sopenharmony_ci"not anonymous"	PEAP
71e5b75505Sopenharmony_ci# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
72e5b75505Sopenharmony_ci"0"*		AKA,TTLS,TLS,PEAP,SIM
73e5b75505Sopenharmony_ci"1"*		SIM,TTLS,TLS,PEAP,AKA
74e5b75505Sopenharmony_ci"2"*		AKA,TTLS,TLS,PEAP,SIM
75e5b75505Sopenharmony_ci"3"*		SIM,TTLS,TLS,PEAP,AKA
76e5b75505Sopenharmony_ci"4"*		AKA,TTLS,TLS,PEAP,SIM
77e5b75505Sopenharmony_ci"5"*		SIM,TTLS,TLS,PEAP,AKA
78e5b75505Sopenharmony_ci"6"*		AKA'
79e5b75505Sopenharmony_ci"7"*		AKA'
80e5b75505Sopenharmony_ci"8"*		AKA'
81e5b75505Sopenharmony_ci
82e5b75505Sopenharmony_ci# Wildcard for all other identities
83e5b75505Sopenharmony_ci*		PEAP,TTLS,TLS,SIM,AKA
84e5b75505Sopenharmony_ci
85e5b75505Sopenharmony_ci# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
86e5b75505Sopenharmony_ci"t-md5"		MD5	"password"	[2]
87e5b75505Sopenharmony_ci"DOMAIN\t-mschapv2"	MSCHAPV2	"password"	[2]
88e5b75505Sopenharmony_ci"t-gtc"		GTC	"password"	[2]
89e5b75505Sopenharmony_ci"not anonymous"	MSCHAPV2	"password"	[2]
90e5b75505Sopenharmony_ci"user"		MD5,GTC,MSCHAPV2	"password"	[2]
91e5b75505Sopenharmony_ci"test user"	MSCHAPV2	hash:000102030405060708090a0b0c0d0e0f	[2]
92e5b75505Sopenharmony_ci"ttls-user"	TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2	"password"	[2]
93e5b75505Sopenharmony_ci
94e5b75505Sopenharmony_ci# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2
95e5b75505Sopenharmony_ci"0"*		AKA	[2]
96e5b75505Sopenharmony_ci"1"*		SIM	[2]
97e5b75505Sopenharmony_ci"2"*		AKA	[2]
98e5b75505Sopenharmony_ci"3"*		SIM	[2]
99e5b75505Sopenharmony_ci"4"*		AKA	[2]
100e5b75505Sopenharmony_ci"5"*		SIM	[2]
101e5b75505Sopenharmony_ci"6"*		AKA'	[2]
102e5b75505Sopenharmony_ci"7"*		AKA'	[2]
103e5b75505Sopenharmony_ci"8"*		AKA'	[2]
104