rlm_pap(5)		       FreeRADIUS Module		    rlm_pap(5)



NAME
       rlm_pap - FreeRADIUS Module

DESCRIPTION
       The  rlm_pap  module  authenticates  RADIUS Access-Request packets that
       contain a User-Password attribute.  The module should  also  be	listed
       last  in	 the  authorize	 section,  so  that  it	 can set the Auth-Type
       attribute as appropriate.

       When a RADIUS packet contains a clear-text password in the  form	 of  a
       User-Password attribute, the rlm_pap module may be used for authentica-
       tion.  The module requires a "known good" password, which  it  uses  to
       validate	 the  password	given in the RADIUS packet.  That "known good"
       password must be supplied by another module (e.g. rlm_files,  rlm_ldap,
       etc.), and is usually taken from a database.

CONFIGURATION
       The only relevant configuration item is:

       auto_header
	      If  set  to "yes", the module will look inside of the User-Pass-
	      word attribute for the headers {crypt}, {clear}, etc., and  will
	      automatically create the appropriate attribute, with the correct
	      value.

       This module understands many kinds  of  password	 hashing  methods,  as
       given by the following table.


	      Header	   Attribute	      Description
	      ------	   ---------	      -----------
	      {clear}	   User-Password      clear-text passwords
	      {cleartext}  User-Password      clear-text passwords
	      {crypt}	   Crypt-Password     Unix-style "crypt"ed passwords
	      {md5}	   MD5-Password	      MD5 hashed passwords
	      {smd5}	   SMD5-Password      MD5 hashed passwords, with a salt
	      {sha}	   SHA-Password	      SHA1 hashed passwords
	      {ssha}	   SSHA-Password      SHA1 hashed passwords, with a salt
	      {nt}	   NT-Password	      Windows NT hashed passwords
	      {x-nthash}   NT-Password	      Windows NT hashed passwords
	      {lm}	   LM-Password	      Windows Lan Manager (LM) passwords.


       The module tries to be flexible when handling the various password for-
       mats.  It will automatically handle Base-64 encoded data, hex  strings,
       and  binary data, and convert them to a format that the server can use.

       For backwards compatibility, there  are	old  configuration  parameters
       which may be work, although we do not recommend using them.

SECTIONS
       authorize authenticate


FILES
       /etc/raddb/radiusd.conf


SEE ALSO
       radiusd(8), radiusd.conf(5)

AUTHOR
       Alan DeKok <aland@freeradius.org>




				8 February 2005			    rlm_pap(5)