Step 1: Configuring PAP

The first step to getting any authentication working in FreeRADIUS is to configure PAP, or clear-text passwords. Even though many deployments will end up using additional authentication protocols, PAP is the simplest and easiest to configure. And as we will see later, once PAP is configured, many other authentication protocols become simple, too.

In this example, we will configure PAP using the users file. The users file is a flat-text file that allows many common policies to be implemented. It is simple to use, easy to edit, and does not require any additional effort to configure databases like LDAP or SQL. It is therefore the ideal configuration file to use when starting to deploy a new server.

To configure PAP authentication, we must tell the server about a particular user, in this case bob. We must also tell the server what the users "known good" password is, in this case hello. This "known good" password will be used to validate the password entered by the user, and sent to FreeRADIUS by the NAS or AP. If the passwords match, then FreeRADIUS will return an Access-Accept packet. If the passwords do not match, then FreeRADIUS will return an Access-Reject packet.

To tell the server about the user and the password, place the following text at the top of the users file:

bob     Cleartext-Password := "hello"

Start the server using radiusd -X, and wait for the debugging text to stop scrolling by. The final line of text should be:

Ready to process requests.

In another terminal window on the same machine, type the following command:

$ radtest bob hello localhost 0 testing123

If all goes well, you should see the server returning an Access-Accept message, and the window with radtest should print text similar to the following:

rad_recv: Access-Accept packet from host port 1812, length=20

This text means that authentication succeeded. With the default configuration in Version 2.x, and the above users file entry, the following authentication types will just work:

If you disable Validate Server Certificate on the 802.1x supplicant strictly for testing, the following authentication types will also just work:

See the EAP page for more instructions on configuring EAP authentication.