Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / etc / hostapd / hostapd.eap_user < prev next >

Wrap

Text File | 2006-05-15 | 3KB | 75 lines

# hostapd user database for integrated EAP authenticator E # Each line must contain an identity, EAP method(s), and an optional password # separated with whitespace (space or tab). The identity and password must be # double quoted ("user"). Password can alternatively be stored as # NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password # in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means # that the plaintext password does not need to be included in the user file. # Password hash is stored as hash:<16-octets of hex data> without quotation # marks. # [2] flag in the end of the line can be used to mark users for tunneled phase # 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous # identity can be used in the unencrypted phase 1 and the real user identity # is transmitted only within the encrypted tunnel in phase 2. If non-anonymous # access is needed, two user entries is needed, one for phase 1 and another # with the same username for phase 2. # # EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-SIM, and EAP-AKA do not use password option. # EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a # password. # EAP-PEAP and EAP-TTLS require Phase 2 configuration. # # * can be used as a wildcard to match any user identity. The main purposes for # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to # avoid having to configure every certificate for EAP-TLS authentication. The # first matching entry is selected, so * should be used as the last phase 1 # user entry. # # "prefix"* can be used to match the given prefix and anything after this. The # main purpose for this is to be able to avoid EAP method negotiation when the # method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This # is only allowed for phase 1 identities. # # Multiple methods can be configured to make the authenticator try them one by # one until the peer accepts one. The method names are separated with a # comma (,). # # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP # version based on the Phase 1 identity. Without this flag, the EAP # authenticator advertises the highest supported version and select the version # based on the first PEAP packet from the supplicant. # Phase 1 users "user" MD5 "password" "test user" MD5 "secret" "example user" TLS "DOMAIN\user" MSCHAPV2 "password" "gtc user" GTC "password" "pax user" PAX "unknown" "pax.user@example.com" PAX 0123456789abcdef0123456789abcdef "psk user" PSK "unknown" "psk.user@example.com" PSK 0123456789abcdef0123456789abcdef "sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef "ttls" TTLS "not anonymous" PEAP # Default to EAP-SIM and EAP-AKA based on fixed identity prefixes "0"* AKA,TTLS,TLS,PEAP,SIM "1"* SIM,TTLS,TLS,PEAP,AKA "2"* AKA,TTLS,TLS,PEAP,SIM "3"* SIM,TTLS,TLS,PEAP,AKA "4"* AKA,TTLS,TLS,PEAP,SIM "5"* SIM,TTLS,TLS,PEAP,AKA # Wildcard for all other identities * PEAP,TTLS,TLS,SIM,AKA # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users "t-md5" MD5 "password" [2] "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2] "t-gtc" GTC "password" [2] "not anonymous" MSCHAPV2 "password" [2] "user" MD5,GTC,MSCHAPV2 "password" [2] "test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2]