rlm_pap(5) FreeRADIUS Module rlm_pap(5)

rlm_pap - FreeRADIUS Module

The rlm_pap module authenticates RADIUS Access-Request packets that
contain a User-Password attribute. The module should also be listed
last in the authorize section, so that it can set the Auth-Type
attribute as appropriate.

When a RADIUS packet contains a clear-text password in the form of a
User-Password attribute, the rlm_pap module may be used for
authentication. The module requires a "known good" password, which it
uses to validate the password given in the RADIUS packet. That "known
good" password must be supplied by another module (e.g. rlm_files,
rlm_ldap, etc.), and is usually taken from a database.

The only configuration item is:

normalise
    The default is "yes". This means that the module will try to
    automatically detect passwords that are hex- or base64-encoded
    and decode them back to their binary representation. However,
    some clear text passwords may be erroneously converted. Setting
    this to "no" prevents that conversion.

The module looks for the Password-With-Header control attribute to find
the "known good" password. The attribute value comprises the header
followed immediately by the password data. The header is given by the
following table.

Header          Attribute            Description
------          ---------            -----------
{clear}         Cleartext-Password   clear-text passwords
{cleartext}     Cleartext-Password   clear-text passwords
{crypt}         Crypt-Password       Unix-style "crypt"ed passwords
{md5}           MD5-Password         MD5 hashed passwords
{base64_md5}    MD5-Password         MD5 hashed passwords
{smd5}          SMD5-Password        MD5 hashed passwords, with a salt
{sha}           SHA-Password         SHA1 hashed passwords
                SHA1-Password        SHA1 hashed passwords
{ssha}          SSHA-Password        SHA1 hashed passwords, with a salt
                SSHA1-Password       SHA1 hashed passwords, with a salt
{sha2}          SHA2-Password        SHA2 hashed passwords
{sha256}        SHA2-Password        SHA2 hashed passwords
{sha512}        SHA2-Password        SHA2 hashed passwords
{nt}            NT-Password          Windows NT hashed passwords
{nthash}        NT-Password          Windows NT hashed passwords
{x-nthash}      NT-Password          Windows NT hashed passwords
{ns-mta-md5}    NS-MTA-MD5-Password  Netscape MTA MD5 hashed passwords
{x- orcllmv}    LM-Password          Windows LANMAN hashed passwords
{X- orclntv}    LM-Password          Windows LANMAN hashed passwords

The module tries to be flexible when handling the various password
formats. It will automatically handle Base-64 encoded data, hex strings,
and binary data, and convert them to a format that the server can use.

If there is no Password-With-Header attribute, the module looks for one
of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes
as listed in the above table. These attributes should contain the
relevant format password directly, without the header prefix.

Only one control attribute should be set, otherwise behaviour is
undefined as to which one is used for authentication.
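
As an added illustration (not FreeRADIUS code and not part of the original manual page), the Python sketch below splits a Password-With-Header value into the control attribute from the table and its password data, then validates a typed password against it. The function names, the subset of headers, the salted layout (digest followed by salt, as in LDAP-style SSHA and SMD5 values) and the hex-then-base64 decoding order are assumptions of this sketch; the server's own normalisation logic may differ.

```python
import base64, hashlib, hmac

# Header -> control attribute: a subset of the table on this page.
HEADERS = {"{clear}": "Cleartext-Password", "{cleartext}": "Cleartext-Password",
           "{md5}": "MD5-Password", "{smd5}": "SMD5-Password",
           "{sha}": "SHA-Password", "{ssha}": "SSHA-Password"}
DIGESTS = {"MD5-Password": hashlib.md5, "SMD5-Password": hashlib.md5,
           "SHA-Password": hashlib.sha1, "SSHA-Password": hashlib.sha1}

def split_header(value):
    """Split a Password-With-Header value into (attribute, password data)."""
    end = value.find("}")
    if not value.startswith("{") or end < 0:
        raise ValueError("missing {header} prefix")
    header = value[:end + 1]
    if header not in HEADERS:
        raise ValueError("unsupported header " + header)
    return HEADERS[header], value[end + 1:]

def normalise(data, min_len):
    """Assumed model of 'normalise': try hex, then base64, else raw bytes."""
    for decode in (bytes.fromhex, lambda s: base64.b64decode(s, validate=True)):
        try:
            raw = decode(data)
        except ValueError:  # not valid in this encoding (binascii.Error included)
            continue
        if len(raw) >= min_len:  # too short to hold a digest: keep looking
            return raw
    return data.encode()

def make_ssha(password, salt):
    """Build a constructed {ssha} value: base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode()

def check(known_good, user_password):
    """Validate a typed User-Password against the "known good" value."""
    attr, data = split_header(known_good)
    typed = user_password.encode()
    if attr == "Cleartext-Password":
        return hmac.compare_digest(data.encode(), typed)
    algo = DIGESTS[attr]
    size = algo().digest_size
    raw = normalise(data, size)
    digest, salt = raw[:size], raw[size:]  # salt is empty for unsalted hashes
    return hmac.compare_digest(algo(typed + salt).digest(), digest)

if __name__ == "__main__":
    sample = make_ssha("s3cret", b"\x01\x02\x03\x04")  # constructed sample value
    print(sample, check(sample, "s3cret"), check(sample, "wrong"))
```

The normalise() model also shows why a clear-text string made only of hex digits is ambiguous: it decodes cleanly even though it was never a hash.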

It is important to understand the difference between the User-Password
and Cleartext-Password attributes. The Cleartext-Password attribute is
the "known good" password for the user. Simply supplying the
Cleartext-Password to the server will result in most authentication
methods working. The User-Password attribute is the password as typed in
by the user on their private machine. The two are not the same, and
should be treated very differently. That is, you should generally not
use the User-Password attribute anywhere in the RADIUS configuration.

authorize authenticate

/etc/raddb/mods-available/pap

radiusd(8), radiusd.conf(5)

Alan DeKok <aland@freeradius.org>

10 January 2015 rlm_pap(5)