1 # hostapd user database for integrated EAP server
3 # Each line must contain an identity, EAP method(s), and an optional password
4 # separated with whitespace (space or tab). The identity and password must be
5 # double quoted ("user"). Password can alternatively be stored as
6 # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password
7 # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means
8 # that the plaintext password does not need to be included in the user file.
9 # Password hash is stored as hash:<16-octets of hex data> without quotation
12 # [2] flag in the end of the line can be used to mark users for tunneled phase
13 # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous
14 # identity can be used in the unencrypted phase 1 and the real user identity
15 # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous
16 # access is needed, two user entries is needed, one for phase 1 and another
17 # with the same username for phase 2.
19 # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use
21 # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a
23 # EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration.
25 # * can be used as a wildcard to match any user identity. The main purposes for
26 # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
27 # avoid having to configure every certificate for EAP-TLS authentication. The
28 # first matching entry is selected, so * should be used as the last phase 1
31 # "prefix"* can be used to match the given prefix and anything after this. The
32 # main purpose for this is to be able to avoid EAP method negotiation when the
33 # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This
34 # is only allowed for phase 1 identities.
36 # Multiple methods can be configured to make the authenticator try them one by
37 # one until the peer accepts one. The method names are separated with a
40 # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
41 # version based on the Phase 1 identity. Without this flag, the EAP
42 # authenticator advertises the highest supported version and select the version
43 # based on the first PEAP packet from the supplicant.
45 # EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel.
46 # Tunneled EAP methods are configured with standard EAP method name and [2]
47 # flag. Non-EAP methods can be enabled by following method names: TTLS-PAP,
48 # TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a
49 # plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password
54 "test user" MD5 "secret"
56 "DOMAIN\user" MSCHAPV2 "password"
57 "gtc user" GTC "password"
58 "pax user" PAX "unknown"
59 "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef
60 "psk user" PSK "unknown"
61 "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef
62 "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
65 # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes
66 "0"* AKA,TTLS,TLS,PEAP,SIM
67 "1"* SIM,TTLS,TLS,PEAP,AKA
68 "2"* AKA,TTLS,TLS,PEAP,SIM
69 "3"* SIM,TTLS,TLS,PEAP,AKA
70 "4"* AKA,TTLS,TLS,PEAP,SIM
71 "5"* SIM,TTLS,TLS,PEAP,AKA
73 # Wildcard for all other identities
74 * PEAP,TTLS,TLS,SIM,AKA
76 # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
77 "t-md5" MD5 "password" [2]
78 "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
79 "t-gtc" GTC "password" [2]
80 "not anonymous" MSCHAPV2 "password" [2]
81 "user" MD5,GTC,MSCHAPV2 "password" [2]
82 "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]
83 "ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2]
85 # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2