rlm_pap(5)                  FreeRADIUS Module                  rlm_pap(5)

rlm_pap - FreeRADIUS Module

The rlm_pap module authenticates RADIUS Access-Request packets that
contain a User-Password attribute. The module should also be listed
last in the authorize section, so that it can set the Auth-Type
attribute as appropriate.

When a RADIUS packet contains a clear-text password in the form of a
User-Password attribute, the rlm_pap module may be used for
authentication. The module requires a "known good" password, which it
uses to validate the password given in the RADIUS packet. That "known
good" password must be supplied by another module (e.g. rlm_files,
rlm_ldap, etc.), and is usually taken from a database.

The only relevant configuration item is:

auto_header
       If set to "yes", the module will look inside of the
       User-Password attribute for the headers {crypt}, {clear}, etc.,
       and will automatically create the appropriate attribute, with
       the correct value.

This module understands many kinds of password hashing methods, as
given by the following table.

Header       Attribute            Description
------       ---------            -----------
{clear}      Cleartext-Password   clear-text passwords
{cleartext}  Cleartext-Password   clear-text passwords
{crypt}      Crypt-Password       Unix-style "crypt"ed passwords
{md5}        MD5-Password         MD5 hashed passwords
{smd5}       SMD5-Password        MD5 hashed passwords, with a salt
{sha}        SHA-Password         SHA1 hashed passwords
{ssha}       SSHA-Password        SHA1 hashed passwords, with a salt
{nt}         NT-Password          Windows NT hashed passwords
{x-nthash}   NT-Password          Windows NT hashed passwords
{lm}         LM-Password          Windows Lan Manager (LM) passwords.

The module tries to be flexible when handling the various password
formats. It will automatically handle Base-64 encoded data, hex strings,
and binary data, and convert them to a format that the server can use.
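
The header table and the encoding handling described above, as an added Python sketch (not FreeRADIUS source code). The function names are hypothetical, header matching is assumed to be case-insensitive, salted values are assumed to use the common LDAP layout of digest followed by salt, and only hex and Base64 text for the MD5 and SHA1 families is decoded.

```python
import base64
import hashlib
import hmac

# Header -> attribute mapping, copied from the table on this page.
HEADERS = {
    "clear": "Cleartext-Password", "cleartext": "Cleartext-Password",
    "crypt": "Crypt-Password", "md5": "MD5-Password", "smd5": "SMD5-Password",
    "sha": "SHA-Password", "ssha": "SSHA-Password",
    "nt": "NT-Password", "x-nthash": "NT-Password", "lm": "LM-Password",
}
# Raw digest sizes; salted values carry the salt after the digest (assumed layout).
DIGEST_LEN = {"MD5-Password": 16, "SMD5-Password": 16,
              "SHA-Password": 20, "SSHA-Password": 20}

def split_header(value):
    """Return (attribute, payload) for '{hdr}payload', or None if no known header."""
    if not value.startswith("{") or "}" not in value:
        return None
    hdr, payload = value[1:].split("}", 1)
    attr = HEADERS.get(hdr.lower())
    return (attr, payload) if attr else None

def normalize(attr, payload):
    """Decode hex or Base64 text to raw bytes, using the length to disambiguate."""
    size, salted = DIGEST_LEN[attr], attr in ("SMD5-Password", "SSHA-Password")
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            raw = decode(payload)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) == size or (salted and len(raw) > size):
            return raw
    raise ValueError("unrecognised encoding for " + attr)

def check(user_password, known_good):
    """Validate the typed User-Password against a headered known-good value."""
    parsed = split_header(known_good)
    if parsed is None:
        return False
    attr, payload = parsed
    typed = user_password.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(typed, payload.encode())
    if attr not in DIGEST_LEN:
        return False  # crypt, NT and LM verification is left out of this sketch
    raw = normalize(attr, payload)
    algo = hashlib.md5 if "MD5" in attr else hashlib.sha1
    digest, salt = raw[:DIGEST_LEN[attr]], raw[DIGEST_LEN[attr]:]
    return hmac.compare_digest(algo(typed + salt).digest(), digest)
```

The length check in normalize() is what lets one stored value be accepted as either hex or Base64: a string that happens to decode under the wrong encoding yields the wrong number of bytes and is retried with the next decoder.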

It is important to understand the difference between the User-Password
and Cleartext-Password attributes. The Cleartext-Password attribute is
the "known good" password for the user. Simply supplying the
Cleartext-Password to the server will result in most authentication
methods working. The User-Password attribute is the password as typed
in by the user on their private machine. The two are not the same, and
should be treated very differently. That is, you should generally not
use the User-Password attribute anywhere in the RADIUS configuration.

For backwards compatibility, there are old configuration parameters
which may work, although we do not recommend using them.

authorize authenticate

/etc/raddb/radiusd.conf

radiusd(8), radiusd.conf(5)

Alan DeKok <aland@freeradius.org>

6 June 2008                                                    rlm_pap(5)