NAME¶
rlm_pap - FreeRADIUS Module
DESCRIPTION¶
The
rlm_pap module authenticates RADIUS Access-Request packets that
contain a User-Password attribute. The module should also be listed last in
the
authorize section, so that it can set the Auth-Type attribute as
appropriate.
When a RADIUS packet contains a clear-text password in the form of a
User-Password attribute, the
rlm_pap module may be used for
authentication. The module requires a "known good" password, which
it uses to validate the password given in the RADIUS packet. That "known
good" password must be supplied by another module (e.g.
rlm_files,
rlm_ldap, etc.), and is usually taken from a database.
CONFIGURATION¶
The only relevant configuration item is:
- auto_header
- If set to "yes", the module will look inside of the
User-Password attribute for the headers {crypt}, {clear}, etc., and will
automatically create the appropriate attribute, with the correct
value.
This module understands many kinds of password hashing methods, as given by the
following table.
Header Attribute Description
------ --------- -----------
{clear} Cleartext-Password clear-text passwords
{cleartext} Cleartext-Password clear-text passwords
{crypt} Crypt-Password Unix-style "crypt"ed passwords
{md5} MD5-Password MD5 hashed passwords
{smd5} SMD5-Password MD5 hashed passwords, with a salt
{sha} SHA-Password SHA1 hashed passwords
{ssha} SSHA-Password SHA1 hashed passwords, with a salt
{nt} NT-Password Windows NT hashed passwords
{x-nthash} NT-Password Windows NT hashed passwords
{lm} LM-Password Windows Lan Manager (LM) passwords.
The module tries to be flexible when handling the various password formats. It
will automatically handle Base-64 encoded data, hex strings, and binary data,
and convert them to a format that the server can use.
It is important to understand the difference between the User-Password and
Cleartext-Password attributes. The Cleartext-Password attribute is the
"known good" password for the user. Simply supplying the
Cleartext-Password to the server will result in most authentication methods
working. The User-Password attribute is the password as typed in by the user
on their private machine. The two are not the same, and should be treated very
differently. That is, you should generally not use the User-Password attribute
anywhere in the RADIUS configuration.
For backwards compatibility, there are old configuration parameters which may be
work, although we do not recommend using them.
SECTIONS¶
authorize authenticate
FILES¶
/etc/raddb/radiusd.conf
SEE ALSO¶
radiusd(8),
radiusd.conf(5)
AUTHOR¶
Alan DeKok <aland@freeradius.org>