rlm_pap(5)                     FreeRADIUS Module                    rlm_pap(5)

NAME

       rlm_pap - FreeRADIUS Module

DESCRIPTION

       The rlm_pap module authenticates RADIUS Access-Request packets that
       contain a User-Password attribute. The module should also be listed
       last in the authorize section, so that it can set the Auth-Type
       attribute as appropriate.

       When a RADIUS packet contains a clear-text password in the form of a
       User-Password attribute, the rlm_pap module may be used for
       authentication. The module requires a "known good" password, which it
       uses to validate the password given in the RADIUS packet. That "known
       good" password must be supplied by another module (e.g. rlm_files,
       rlm_ldap, etc.), and is usually taken from a database.

CONFIGURATION

       The only configuration item is:

       normalise
              The default is "yes". This means that the module will try to
              automatically detect passwords that are hex- or base64-encoded
              and decode them back to their binary representation. However,
              some clear text passwords may be erroneously converted. Setting
              this to "no" prevents that conversion.

USAGE

       The module looks for the Password-With-Header control attribute to find
       the "known good" password. The attribute value comprises the header
       followed immediately by the password data. The header is given by the
       following table.

       Header       Attribute           Description
       ------       ---------           -----------
       {clear}      Cleartext-Password  clear-text passwords
       {cleartext}  Cleartext-Password  clear-text passwords
       {crypt}      Crypt-Password      Unix-style "crypt"ed passwords
       {md5}        MD5-Password        MD5 hashed passwords
       {base64_md5} MD5-Password        MD5 hashed passwords
       {smd5}       SMD5-Password       MD5 hashed passwords, with a salt
       {sha}        SHA-Password        SHA1 hashed passwords
                    SHA1-Password       SHA1 hashed passwords
       {ssha}       SSHA-Password       SHA1 hashed passwords, with a salt
                    SSHA1-Password      SHA1 hashed passwords, with a salt
       {ssh2}       SHA2-Password       SHA2 hashed passwords
       {ssh256}     SHA2-Password       SHA2 hashed passwords
       {ssh512}     SHA2-Password       SHA2 hashed passwords
       {nt}         NT-Password         Windows NT hashed passwords
       {nthash}     NT-Password         Windows NT hashed passwords
       {x-nthash}   NT-Password         Windows NT hashed passwords
       {ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
       {x- orcllmv} LM-Password         Windows LANMAN hashed passwords
       {X- orclntv} LM-Password         Windows LANMAN hashed passwords

       The module tries to be flexible when handling the various password
       formats. It will automatically handle Base-64 encoded data, hex
       strings, and binary data, and convert them to a format that the server
       can use.

       If there is no Password-With-Header attribute, the module looks for one
       of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes
       as listed in the above table. These attributes should contain the
       relevant format password directly, without the header prefix.

       Only one control attribute should be set, otherwise behaviour is
       undefined as to which one is used for authentication.
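
       The lookup and comparison described in this section, as an added
       Python example that is not FreeRADIUS code: it splits a
       Password-With-Header value, decodes hex or base64 data, and checks a
       User-Password against it for a subset of the headers in the table.
       The function names, the decoding heuristic in normalise() and the
       salted layout (digest followed by salt, hashed as password then salt)
       are assumptions made for illustration.

```python
import base64, hashlib, hmac

# Header -> (attribute, digest or None for clear text, salted), from the table above.
SCHEMES = {
    "{clear}": ("Cleartext-Password", None, False),
    "{cleartext}": ("Cleartext-Password", None, False),
    "{md5}": ("MD5-Password", "md5", False),
    "{smd5}": ("SMD5-Password", "md5", True),
    "{sha}": ("SHA-Password", "sha1", False),
    "{ssha}": ("SSHA-Password", "sha1", True),
}

def split_header(value):
    """Split 'header immediately followed by password data' into its two parts."""
    end = value.find("}")
    if not value.startswith("{") or end < 0:
        raise ValueError("no {header} prefix")
    # Case-insensitive header matching is an assumption of this example.
    return value[:end + 1].lower(), value[end + 1:]

def normalise(data, min_len):
    """Assumed heuristic: take hex or base64 only if it yields >= min_len bytes."""
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            raw = decode(data)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) >= min_len:
            return raw
    return data.encode()  # leave anything else untouched

def check(password_with_header, user_password):
    """Return (control attribute, whether user_password matches the known good value)."""
    header, data = split_header(password_with_header)
    if header not in SCHEMES:
        raise ValueError("header not covered by this example: " + header)
    attribute, digest, salted = SCHEMES[header]
    if digest is None:
        return attribute, hmac.compare_digest(data.encode(), user_password.encode())
    size = hashlib.new(digest).digest_size
    known = normalise(data, size)
    # Salted formats: digest first, salt appended after it (assumption, see lead-in).
    stored, salt = (known[:size], known[size:]) if salted else (known, b"")
    computed = hashlib.new(digest, user_password.encode() + salt).digest()
    return attribute, hmac.compare_digest(stored, computed)
```

       A 32-character hex MD5 string is also valid base64, so the order in
       which the encodings are tried decides how it is read; automatic
       detection of this kind is a heuristic.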

NOTES

       It is important to understand the difference between the User-Password
       and Cleartext-Password attributes. The Cleartext-Password attribute is
       the "known good" password for the user. Simply supplying the
       Cleartext-Password to the server will result in most authentication
       methods working. The User-Password attribute is the password as typed
       in by the user on their private machine. The two are not the same, and
       should be treated very differently. That is, you should generally not
       use the User-Password attribute anywhere in the RADIUS configuration.

SECTIONS

       authorize authenticate

FILES

       /etc/raddb/mods-available/pap

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Alan DeKok <aland@freeradius.org>

                                10 January 2015                     rlm_pap(5)