rlm_pap(5)                    FreeRADIUS Module                    rlm_pap(5)

rlm_pap - FreeRADIUS Module

The rlm_pap module authenticates RADIUS Access-Request packets that
contain a User-Password attribute. The module should also be listed
last in the authorize section, so that it can set the Auth-Type
attribute as appropriate.

When a RADIUS packet contains a clear-text password in the form of a
User-Password attribute, the rlm_pap module may be used for
authentication. The module requires a "known good" password, which it
uses to validate the password given in the RADIUS packet. That "known
good" password must be supplied by another module (e.g. rlm_files,
rlm_ldap, etc.), and is usually taken from a database.

The only configuration item is:

normalise
       The default is "yes". This means that the module will try to
       automatically detect passwords that are hex- or base64-encoded
       and decode them back to their binary representation. However,
       some clear text passwords may be erroneously converted. Setting
       this to "no" prevents that conversion.

The module looks for the Password-With-Header control attribute to find
the "known good" password. The attribute value comprises the header
followed immediately by the password data. The header is given by the
following table.

Header        Attribute            Description
------        ---------            -----------
{clear}       Cleartext-Password   Clear-text passwords
{cleartext}   Cleartext-Password   Clear-text passwords
{crypt}       Crypt-Password       Unix-style "crypt"ed passwords
{md5}         MD5-Password         MD5 hashed passwords
{base64_md5}  MD5-Password         MD5 hashed passwords
{smd5}        SMD5-Password        MD5 hashed passwords, with a salt
{sha}         SHA-Password         SHA1 hashed passwords
              SHA1-Password        SHA1 hashed passwords
{ssha}        SSHA-Password        SHA1 hashed passwords, with a salt
{sha2}        SHA2-Password        SHA2 hashed passwords
{sha224}      SHA2-Password        SHA2 hashed passwords
{sha256}      SHA2-Password        SHA2 hashed passwords
{sha384}      SHA2-Password        SHA2 hashed passwords
{sha512}      SHA2-Password        SHA2 hashed passwords
{ssha224}     SSHA2-224-Password   SHA2 hashed passwords, with a salt
{ssha256}     SSHA2-256-Password   SHA2 hashed passwords, with a salt
{ssha384}     SSHA2-384-Password   SHA2 hashed passwords, with a salt
{ssha512}     SSHA2-512-Password   SHA2 hashed passwords, with a salt
{nt}          NT-Password          Windows NT hashed passwords
{nthash}      NT-Password          Windows NT hashed passwords
{md4}         NT-Password          Windows NT hashed passwords
{x-nthash}    NT-Password          Windows NT hashed passwords
{ns-mta-md5}  NS-MTA-MD5-Password  Netscape MTA MD5 hashed passwords
{x-orcllmv}   LM-Password          Windows LANMAN hashed passwords
{X-orclntv}   NT-Password          Windows NT hashed passwords

The module tries to be flexible when handling the various password
formats. It will automatically handle Base-64 encoded data, hex strings,
and binary data, and convert them to a format that the server can use.
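
The following audit script is an added example, not code from FreeRADIUS. It splits Password-With-Header values using a subset of the header table and flags clear-text passwords that also parse as hex or base64, which is the case where setting normalise to "no" matters. The decode checks are an illustrative heuristic and not the module's own detection logic; case-insensitive header matching and all sample values are assumptions.

```python
import base64, binascii, hashlib, re

# Header -> control attribute, copied from the table above (subset).
HEADERS = {"clear": "Cleartext-Password", "cleartext": "Cleartext-Password",
           "md5": "MD5-Password", "sha": "SHA-Password", "nt": "NT-Password"}
# Raw digest sizes in bytes for the unsalted hashes in HEADERS.
DIGEST_LEN = {"MD5-Password": 16, "SHA-Password": 20, "NT-Password": 16}

def split_header(value):
    """Split '{hdr}data' into (attribute, data); unknown or no header -> None."""
    m = re.match(r"\{([^}]+)\}", value)
    # Assumption: headers are compared case-insensitively.
    attr = HEADERS.get(m.group(1).lower()) if m else None
    return (attr, value[m.end():]) if attr else (None, value)

def decodes_as(data, raw_len=None):
    """Encodings under which data decodes cleanly (to raw_len bytes if given)."""
    decoders = (("hex", binascii.unhexlify),
                ("base64", lambda s: base64.b64decode(s, validate=True)))
    found = []
    for name, decode in decoders:
        try:
            raw = decode(data)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if raw and (raw_len is None or len(raw) == raw_len):
            found.append(name)
    return found

def audit(value):
    """Return (attribute, encodings, risky) for one Password-With-Header value."""
    attr, data = split_header(value)
    encodings = decodes_as(data, DIGEST_LEN.get(attr))
    # A clear-text password that also parses as hex or base64 is the case
    # the page warns about: auto-detection could convert it.
    risky = attr == "Cleartext-Password" and bool(encodings)
    return attr, encodings, risky

# Constructed sample values, not taken from any real deployment.
_md5 = hashlib.md5(b"example").digest()
SAMPLES = ["{clear}cafebabe", "{clear}correct horse",
           "{md5}" + _md5.hex(), "{md5}" + base64.b64encode(_md5).decode()]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", audit(s))
```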

If there is no Password-With-Header attribute, the module looks for one
of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes
as listed in the above table. These attributes should contain the
relevant format password directly, without the header prefix.

Only one control attribute should be set, otherwise behaviour is
undefined as to which one is used for authentication.

It is important to understand the difference between the User-Password
and Cleartext-Password attributes. The Cleartext-Password attribute is
the "known good" password for the user. Simply supplying the
Cleartext-Password to the server will result in most authentication
methods working. The User-Password attribute is the password as typed
in by the user on their private machine. The two are not the same, and
should be treated very differently. That is, you should generally not
use the User-Password attribute anywhere in the RADIUS configuration.

authorize authenticate

/etc/raddb/mods-available/pap

radiusd(8), radiusd.conf(5)

Alan DeKok <aland@freeradius.org>

10 January 2015                                                    rlm_pap(5)