Configuring FreeRADIUS authentication with PAP

This should be the first authentication you set up

The first step to getting any authentication working in FreeRADIUS is to configure PAP (Password Authentication Protocol), or clear-text passwords. Even though most deployments will end up using additional authentication protocols, PAP is the simplest and easiest to configure, which makes it the perfect place to start. And as we will see, once PAP is configured, many other authentication protocols become simple, too.

In this example, we will configure PAP using the users file. The users file is a flat-text file that allows many common policies to be implemented. It is simple to use, easy to edit, and does not require any additional effort to configure databases like LDAP or SQL. It is therefore the ideal configuration file to use when starting to deploy a new server. This file is called users for backwards compatibility with the original Livingston RADIUS server. In FreeRADIUS, the users file lives in the configuration directory (/etc/raddb, or /etc/freeradius), and is most often a soft link to mods-config/files/authorize.

To configure PAP authentication, we must tell the server about a particular user, in this case bob. We must also tell the server what the users “known good” password is, in this case hello. This “known good” password will be used to validate the password entered by the user, and sent to FreeRADIUS by the NAS or AP. If the passwords match, then FreeRADIUS will return an Access-Accept packet. If the passwords do not match, then FreeRADIUS will return an Access-Reject packet.

To tell the server about the user and the password, place the following at the top of the users file:

bob   Cleartext-Password := "hello"

Open a terminal window and start the server with radiusd -X. This starts FreeRADIUS in debug mode. You will see some debugging text scroll by, but the last line of text should be:

Ready to process requests.

Open another terminal window on the same machine, and type the following command:

$ radtest bob hello localhost 0 testing123

If all goes well, you should see the server returning an Access-Accept message, and the window with radtest should print text similar to the following:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, length=20

This text means that authentication succeeded. With the default configuration in Version 2.x, and the above users file entry, the following authentication types will just work:

  • PAP
  • CHAP
  • MS-CHAP
  • EAP-MD5
  • EAP-MSCHAPv2
  • Cisco LEAP

If you disable Validate Server Certificate on the 802.1x supplicant (strictly for testing), the following authentication types will also just work:

  • PEAPv0

    • EAP-GTC
    • EAP-MSCHAPv2
  • EAP-TTLS

    • PAP
    • CHAP
    • MS-CHAP
    • EAP-MD5
    • EAP-MSCHAPv2

See the EAP page for more instructions on configuring EAP authentication.

This process is an example of using the two-step process we recommended in an earlier article. It really is that easy to get a basic configuration up and working!

Need more help?

Network RADIUS has been helping clients around the world design and deploy their RADIUS infrastructure for 20 years. We specialize in complex systems and have seen pretty much every variation and problem out there. If you want help from the people who wrote FreeRADIUS, visit our quote page to contact us.

Read more...

Getting started with FreeRADIUS

FreeRADIUS and Active Directory

EAP configuration articles

Related FreeRADIUS documentation

Additional resources