FreeRADIUS HowTos

Step 1: Configuring PAP

The first step to getting any authentication working in FreeRADIUS is to configure PAP, or clear-text passwords. Even though many deployments will end up using additional authentication protocols, PAP is the simplest and easiest to configure. And as we will see later, once PAP is configured, many other authentication protocols become simple, too.

In this example, we will configure PAP using the users file. The users file is a flat-text file that allows many common policies to be implemented. It is simple to use, easy to edit, and does not require any additional effort to configure databases like LDAP or SQL. It is therefore the ideal configuration file to use when starting to deploy a new server.

To configure PAP authentication, we must tell the server about a particular user, in this case bob. We must also tell the server what the users "known good" password is, in this case hello. This "known good" password will be used to validate the password entered by the user, and sent to FreeRADIUS by the NAS or AP. If the passwords match, then FreeRADIUS will return an Access-Accept packet. If the passwords do not match, then FreeRADIUS will return an Access-Reject packet.

To tell the server about the user and the password, place the following text at the top of the users file:

Start the server using radiusd -X, and wait for the debugging text to stop scrolling by. The final line of text should be:

In another terminal window on the same machine, type the following command:

If all goes well, you should see the server returning an Access-Accept message, and the window with radtest should print text similar to the following:

This text means that authentication succeeded. With the default configuration in Version 2.x, and the above users file entry, the following authentication types will just work:

• PAP
• CHAP
• MS-CHAP
• EAP-MD5
• EAP-MSCHAPv2
• Cisco LEAP

If you disable Validate Server Certificate on the 802.1x supplicant strictly for testing, the following authentication types will also just work:

• PEAPv0
• EAP-GTC
• EAP-MSCHAPv2
• EAP-TTLS
• PAP
• CHAP
• MS-CHAP
• EAP-MD5
• EAP-MSCHAPv2

See the EAP page for more instructions on configuring EAP authentication.

Welcome!

RADIUS implementations can be complicated. This site contains a collection of hints, documentation, and information for people who are using RADIUS.

Pages:

• Front page
• Alan DeKok's Blog
• Downloads
  • Protocols
  • Configurations
  • Scripts
• Link archive
• Back to top

Site news:

How to perform an initial setup of the server.

Configuring PAP as step one to getting the server up and running with your local policy.

Authenticating against Active Directory is a common deployment of FreeRADIUS

The protocol compatibility matrix shows which authentication protocols are compatible with what password storage scheme.

Links:

• FreeRADIUS
• Wiki
• RADIUS books
• RADIUS (O'Reilly)
• RADIUS (Wiley)

Contact us | Privacy policy | Sitemap | Back to top
© 2014 Alan DeKok | Design by Andreas Viklund
All rights reserved