xenial (5) rlm_pap.5.gz

Provided by: freeradius-common_2.2.8+dfsg-0.1ubuntu0.1_all bug

NAME
       rlm_pap - FreeRADIUS Module


DESCRIPTION
       The  rlm_pap  module  authenticates RADIUS Access-Request packets that contain a User-Password attribute.
       The module should also be listed last in the  authorize  section,  so  that  it  can  set  the  Auth-Type
       attribute as appropriate.

       When a RADIUS packet contains a clear-text password in the form of a User-Password attribute, the rlm_pap
       module may be used for authentication.  The module requires a "known good" password,  which  it  uses  to
       validate the password given in the RADIUS packet.  That "known good" password must be supplied by another
       module (e.g. rlm_files, rlm_ldap, etc.), and is usually taken from a database.


CONFIGURATION
       The only relevant configuration item is:

       auto_header
              If set to "yes", the module will look inside  of  the  User-Password  attribute  for  the  headers
              {crypt},  {clear}, etc., and will automatically create the appropriate attribute, with the correct
              value.

       This module understands many kinds of password hashing methods, as given by the following table.

       Header       Attribute          Description
       ------       ---------          -----------
       {clear}      Cleartext-Password clear-text passwords
       {cleartext}  Cleartext-Password clear-text passwords
       {crypt}      Crypt-Password     Unix-style "crypt"ed passwords
       {md5}        MD5-Password       MD5 hashed passwords
       {smd5}       SMD5-Password      MD5 hashed passwords, with a salt
       {sha}        SHA-Password       SHA1 hashed passwords
       {ssha}       SSHA-Password      SHA1 hashed passwords, with a salt
       {nt}         NT-Password        Windows NT hashed passwords
       {x-nthash}   NT-Password        Windows NT hashed passwords
       {lm}         LM-Password        Windows Lan Manager (LM) passwords.

       The module tries to be flexible when handling the various password formats.  It will automatically handle
       Base-64 encoded data, hex strings, and binary data, and convert them to a format that the server can use.

       It is important to understand the difference between the User-Password and Cleartext-Password attributes.
       The Cleartext-Password attribute is the "known  good"  password  for  the  user.   Simply  supplying  the
       Cleartext-Password  to  the server will result in most authentication methods working.  The User-Password
       attribute is the password as typed in by the user on their private machine.  The two are  not  the  same,
       and  should  be  treated  very  differently.   That  is,  you  should generally not use the User-Password
       attribute anywhere in the RADIUS configuration.

       For backwards compatibility, there are old configuration parameters which may be work, although we do not
       recommend using them.


SECTIONS
       authorize authenticate


FILES
       /etc/raddb/radiusd.conf


SEE ALSO
       radiusd(8), radiusd.conf(5)


AUTHOR
       Alan DeKok <aland@freeradius.org>

                                                   6 June 2008                                        rlm_pap(5)