1 .\" # DS - begin display
13 .TH rlm_pap 5 "6 June 2008" "" "FreeRADIUS Module"
15 rlm_pap \- FreeRADIUS Module
17 The \fIrlm_pap\fP module authenticates RADIUS Access-Request packets
18 that contain a User-Password attribute. The module should also be
19 listed last in the \fIauthorize\fP section, so that it can set the
20 Auth-Type attribute as appropriate.
22 When a RADIUS packet contains a clear-text password in the form of a
23 User-Password attribute, the \fIrlm_pap\fP module may be used for
24 authentication. The module requires a "known good" password, which it
25 uses to validate the password given in the RADIUS packet. That "known
26 good" password must be supplied by another module
27 (e.g. \fIrlm_files\fP, \fIrlm_ldap\fP, etc.), and is usually taken
31 The only relevant configuration item is:
33 If set to "yes", the module will look inside of the User-Password
34 attribute for the headers {crypt}, {clear}, etc., and will
35 automatically create the appropriate attribute, with the correct
38 This module understands many kinds of password hashing methods, as
39 given by the following table.
43 Header Attribute Description
45 ------ --------- -----------
47 {clear} Cleartext-Password clear-text passwords
49 {cleartext} Cleartext-Password clear-text passwords
51 {crypt} Crypt-Password Unix-style "crypt"ed passwords
53 {md5} MD5-Password MD5 hashed passwords
55 {smd5} SMD5-Password MD5 hashed passwords, with a salt
57 {sha} SHA-Password SHA1 hashed passwords
59 {ssha} SSHA-Password SHA1 hashed passwords, with a salt
61 {nt} NT-Password Windows NT hashed passwords
63 {x-nthash} NT-Password Windows NT hashed passwords
65 {lm} LM-Password Windows Lan Manager (LM) passwords.
68 The module tries to be flexible when handling the various password
69 formats. It will automatically handle Base-64 encoded data, hex
70 strings, and binary data, and convert them to a format that the server
73 It is important to understand the difference between the User-Password
74 and Cleartext-Password attributes. The Cleartext-Password attribute
75 is the "known good" password for the user. Simply supplying the
76 Cleartext-Password to the server will result in most authentication
77 methods working. The User-Password attribute is the password as typed
78 in by the user on their private machine. The two are not the same,
79 and should be treated very differently. That is, you should generally
80 not use the User-Password attribute anywhere in the RADIUS
83 For backwards compatibility, there are old configuration parameters
84 which may be work, although we do not recommend using them.
90 .I /etc/raddb/radiusd.conf
96 Alan DeKok <aland@freeradius.org>