Provided by: freeradius-common_2.1.10+dfsg-3build2_all bug


       rlm_pap - FreeRADIUS Module


       The  rlm_pap  module  authenticates  RADIUS  Access-Request  packets  that contain a User-
       Password attribute.  The module should also be listed last in the  authorize  section,  so
       that it can set the Auth-Type attribute as appropriate.

       When  a  RADIUS  packet  contains  a  clear-text  password  in the form of a User-Password
       attribute, the rlm_pap module may be used  for  authentication.   The  module  requires  a
       "known  good" password, which it uses to validate the password given in the RADIUS packet.
       That "known good" password must be supplied by another module (e.g.  rlm_files,  rlm_ldap,
       etc.), and is usually taken from a database.


       The only relevant configuration item is:

              If set to "yes", the module will look inside of the User-Password attribute for the
              headers {crypt}, {clear}, etc.,  and  will  automatically  create  the  appropriate
              attribute, with the correct value.

       This  module understands many kinds of password hashing methods, as given by the following

       Header       Attribute          Description
       ------       ---------          -----------
       {clear}      Cleartext-Password clear-text passwords
       {cleartext}  Cleartext-Password clear-text passwords
       {crypt}      Crypt-Password     Unix-style "crypt"ed passwords
       {md5}        MD5-Password       MD5 hashed passwords
       {smd5}       SMD5-Password      MD5 hashed passwords, with a salt
       {sha}        SHA-Password       SHA1 hashed passwords
       {ssha}       SSHA-Password      SHA1 hashed passwords, with a salt
       {nt}         NT-Password        Windows NT hashed passwords
       {x-nthash}   NT-Password        Windows NT hashed passwords
       {lm}         LM-Password        Windows Lan Manager (LM) passwords.

       The module tries to be flexible when handling  the  various  password  formats.   It  will
       automatically  handle Base-64 encoded data, hex strings, and binary data, and convert them
       to a format that the server can use.

       It is important to understand the difference  between  the  User-Password  and  Cleartext-
       Password  attributes.   The  Cleartext-Password attribute is the "known good" password for
       the user.  Simply supplying the Cleartext-Password to  the  server  will  result  in  most
       authentication  methods  working.  The User-Password attribute is the password as typed in
       by the user on their private machine.  The two are not the same,  and  should  be  treated
       very  differently.   That  is,  you  should  generally not use the User-Password attribute
       anywhere in the RADIUS configuration.

       For backwards compatibility, there are old configuration parameters  which  may  be  work,
       although we do not recommend using them.


       authorize authenticate




       radiusd(8), radiusd.conf(5)


       Alan DeKok <>

                                           6 June 2008                                 rlm_pap(5)