Man Linux: Main Page and Category List


       rlm_pap - FreeRADIUS Module


       The  rlm_pap  module  authenticates  RADIUS Access-Request packets that
       contain a User-Password attribute.  The module should  also  be  listed
       last  in  the  authorize  section,  so  that  it  can set the Auth-Type
       attribute as appropriate.

       When a RADIUS packet contains a clear-text password in the  form  of  a
       User-Password   attribute,   the   rlm_pap   module  may  be  used  for
       authentication.  The module requires a "known good" password, which  it
       uses  to validate the password given in the RADIUS packet.  That "known
       good" password must be supplied  by  another  module  (e.g.  rlm_files,
       rlm_ldap, etc.), and is usually taken from a database.


       The only relevant configuration item is:

              If  set  to  "yes",  the  module  will  look inside of the User-
              Password attribute for the headers {crypt}, {clear},  etc.,  and
              will  automatically  create  the appropriate attribute, with the
              correct value.

       This module understands many kinds  of  password  hashing  methods,  as
       given by the following table.

              Header       Attribute          Description
              ------       ---------          -----------
              {clear}      Cleartext-Password clear-text passwords
              {cleartext}  Cleartext-Password clear-text passwords
              {crypt}      Crypt-Password     Unix-style "crypt"ed passwords
              {md5}        MD5-Password       MD5 hashed passwords
              {smd5}       SMD5-Password      MD5 hashed passwords, with a salt
              {sha}        SHA-Password       SHA1 hashed passwords
              {ssha}       SSHA-Password      SHA1 hashed passwords, with a salt
              {nt}         NT-Password        Windows NT hashed passwords
              {x-nthash}   NT-Password        Windows NT hashed passwords
              {lm}         LM-Password        Windows Lan Manager (LM) passwords.

       The  module  tries  to  be  flexible when handling the various password
       formats.  It  will  automatically  handle  Base-64  encoded  data,  hex
       strings,  and binary data, and convert them to a format that the server
       can use.

       It is important to understand the difference between the  User-Password
       and Cleartext-Password attributes.  The Cleartext-Password attribute is
       the  "known  good"  password  for  the  user.   Simply  supplying   the
       Cleartext-Password  to  the  server  will result in most authentication
       methods working.  The User-Password attribute is the password as  typed
       in by the user on their private machine.  The two are not the same, and
       should be treated very differently.  That is, you should generally  not
       use the User-Password attribute anywhere in the RADIUS configuration.

       For  backwards  compatibility,  there  are old configuration parameters
       which may be work, although we do not recommend using them.


       authorize authenticate




       radiusd(8), radiusd.conf(5)


       Alan DeKok <>

                                  6 June 2008                       rlm_pap(5)