Provided by: freeradius-common_3.2.5+dfsg-3~ubuntu24.04.1_all bug

NAME

       rlm_pap - FreeRADIUS Module

DESCRIPTION

       The  rlm_pap  module  authenticates  RADIUS  Access-Request  packets  that contain a User-
       Password attribute.  The module should also be listed last in the  authorize  section,  so
       that it can set the Auth-Type attribute as appropriate.

       When  a  RADIUS  packet  contains  a  clear-text  password  in the form of a User-Password
       attribute, the rlm_pap module may be used  for  authentication.   The  module  requires  a
       "known  good" password, which it uses to validate the password given in the RADIUS packet.
       That "known good" password must be supplied by another module (e.g.  rlm_files,  rlm_ldap,
       etc.), and is usually taken from a database.

CONFIGURATION

       The only configuration item is:

       normalise
              The  default is "yes".  This means that the module will try to automatically detect
              passwords that are hex- or base64-encoded and decode  them  back  to  their  binary
              representation.   However,  some clear text passwords may be erroneously converted.
              Setting this to "no" prevents that conversion.

USAGE

       The module looks for the Password-With-Header control attribute to find the  "known  good"
       password.  The  attribute  value comprises the header followed immediately by the password
       data. The header is given by the following table.

       Header       Attribute           Description
       ------       ---------           -----------
       {clear}      Cleartext-Password  Clear-text passwords
       {cleartext}  Cleartext-Password  Clear-text passwords
       {crypt}      Crypt-Password      Unix-style "crypt"ed passwords
       {md5}        MD5-Password        MD5 hashed passwords
       {base64_md5} MD5-Password        MD5 hashed passwords
       {smd5}       SMD5-Password       MD5 hashed passwords, with a salt
       {sha}        SHA-Password        SHA1 hashed passwords
                    SHA1-Password       SHA1 hashed passwords
       {ssha}       SSHA-Password       SHA1 hashed passwords, with a salt
       {sha2}       SHA2-Password       SHA2 hashed passwords
       {sha224}     SHA2-Password       SHA2 hashed passwords
       {sha256}     SHA2-Password       SHA2 hashed passwords
       {sha384}     SHA2-Password       SHA2 hashed passwords
       {sha512}     SHA2-Password       SHA2 hashed passwords
       {ssha224}    SSHA2-224-Password  SHA2 hashed passwords, with a salt
       {ssha256}    SSHA2-256-Password  SHA2 hashed passwords, with a salt
       {ssha384}    SSHA2-384-Password  SHA2 hashed passwords, with a salt
       {ssha512}    SSHA2-512-Password  SHA2 hashed passwords, with a salt
       {nt}         NT-Password         Windows NT hashed passwords
       {nthash}     NT-Password         Windows NT hashed passwords
       {md4}        NT-Password         Windows NT hashed passwords
       {x-nthash}   NT-Password         Windows NT hashed passwords
       {ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
       {x- orcllmv} LM-Password         Windows LANMAN hashed passwords
       {X- orclntv} NT-Password         Windows NT hashed passwords

       The module tries to be flexible when handling  the  various  password  formats.   It  will
       automatically  handle Base-64 encoded data, hex strings, and binary data, and convert them
       to a format that the server can use.

       If there is no Password-With-Header attribute, the module looks for one of the  Cleartext-
       Password, NT-Password, Crypt-Password, etc. attributes as listed in the above table. These
       attributes should contain the  relevant  format  password  directly,  without  the  header
       prefix.

       Only one control attribute should be set, otherwise behaviour is undefined as to which one
       is used for authentication.

NOTES

       It is important to understand the difference  between  the  User-Password  and  Cleartext-
       Password  attributes.   The  Cleartext-Password attribute is the "known good" password for
       the user.  Simply supplying the Cleartext-Password to  the  server  will  result  in  most
       authentication  methods  working.  The User-Password attribute is the password as typed in
       by the user on their private machine.  The two are not the same,  and  should  be  treated
       very  differently.   That  is,  you  should  generally not use the User-Password attribute
       anywhere in the RADIUS configuration.

SECTIONS

       authorize authenticate

FILES

       /etc/freeradius/3.0/mods-available/pap

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Alan DeKok <aland@freeradius.org>

                                         10 January 2015                               rlm_pap(5)