1 # hostapd user database for integrated EAP authenticator
2 # Each line must contain an identity, EAP method(s), and an optional password
3 # separated with whitespace (space or tab). The identity and password must be
4 # double quoted ("user"). [2] flag in the end of the line can be used to mark
5 # users for tunneled phase 2 authentication (e.g., within EAP-PEAP). In these
6 # cases, an anonymous identity can be used in the unencrypted phase 1 and the
7 # real user identity is transmitted only within the encrypted tunnel in phase
8 # 2. If non-anonymous access is needed, two user entries is needed, one for
9 # phase 1 and another with the same username for phase 2.
11 # EAP-TLS, EAP-PEAP, EAP-TTLS, and EAP-SIM do not use password option.
12 # EAP-MD5, EAP-MSCHAPV2, and EAP-GTC require a password.
13 # EAP-PEAP and EAP-TTLS require Phase 2 configuration.
15 # * can be used as a wildcard to match any user identity. The main purposes for
16 # this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to
17 # avoid having to configure every certificate for EAP-TLS authentication. The
18 # first matching entry is selected, so * should be used as the last phase 1
21 # Multiple methods can be configured to make the authenticator try them one by
22 # one until the peer accepts one. The method names are separated with a
25 # [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP
26 # version based on the Phase 1 identity. Without this flag, the EAP
27 # authenticator advertises the highest supported version and select the version
28 # based on the first PEAP packet from the supplicant.
32 "test user" MD5 "secret"
34 "DOMAIN\user" MSCHAPV2 "password"
35 "gtc user" GTC "password"
40 # Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users
41 "t-md5" MD5 "password" [2]
42 "DOMAIN\t-mschapv2" MSCHAPV2 "password" [2]
43 "t-gtc" GTC "password" [2]
44 "not anonymous" MSCHAPV2 "password" [2]
45 "user" MD5,GTC,MSCHAPV2 "password" [2]