Introduction to PAP authentication
Password Authentication Protocol (PAP) is one of the most fundamental authentication methods used in Remote Authentication Dial-In User Service (RADIUS). Despite being one of the oldest authentication protocols, PAP remains an essential starting point for configuring your authentication server properly.
Why start with PAP?
The first step to getting any authentication working in FreeRADIUS is to configure PAP (Password Authentication Protocol), or clear-text passwords. Even though most deployments will end up using additional authentication protocols, PAP is the simplest and easiest to configure, which makes it the perfect place to start. And as we will see, once PAP authentication is configured, many other authentication protocols become simple, too.
Step-by-step configuration guide
In this example, we will configure PAP using the users file. The users file is a flat-text file that allows many common policies to be implemented. It is simple to use, easy to edit, and does not require any additional effort to configure back-end databases such as Lightweight Directory Access Protocol (LDAP), Active Directory, or SQL. It is therefore the ideal configuration file to use when starting to deploy a new server. This file is called users for backwards compatibility with the original Livingston RADIUS server. In FreeRADIUS, the users file lives in the configuration directory (/etc/raddb, or /etc/freeradius), and is most often a symbolic link to mods-config/files/authorize.
To configure PAP authentication, we must tell the server about a particular user, in this case bob. We must also tell the server what the user's "known good" password is, in this case hello. This "known good" password will be used to validate the password entered by the user, and sent to FreeRADIUS by the NAS or AP. The NAS hides the password in the User-Password attribute using the RADIUS shared secret (RFC 2865), so "clear-text" describes how the server stores the known-good password, not how it travels on the wire. If the passwords match, then FreeRADIUS will return an Access-Accept packet. If the passwords do not match, then FreeRADIUS will return an Access-Reject packet.
To tell the server about the user and the password, place the following at the top of the users file:
bob Cleartext-Password := "hello"
Testing your configuration
Open a terminal window and start the server with radiusd -X (on Debian-derived systems the binary is named freeradius, so use freeradius -X). This starts FreeRADIUS in debug mode, in the foreground. You will see some debugging text scroll by, but the last line of text should be:
Ready to process requests.
Open another terminal window on the same machine, and type the following command:
$ radtest bob hello localhost 0 testing123
If all goes well, you should see the server returning an Access-Accept message, and the window with radtest should print text similar to the following:
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, length=20
Newer versions of radtest print "Received Access-Accept" followed by the packet Id, source address, and length instead; the Access-Accept code is what matters. This text means that the password-based authentication succeeded using the IP address of your local host. Repeat the command with a wrong password and confirm that the server returns Access-Reject; a server that accepts everything is a misconfiguration you want to catch now, not after deployment. The secret testing123 is the default localhost entry in clients.conf and exists only for testing: change it before the server is reachable from anything other than the local machine.
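To make the exchange behind that radtest run concrete, here is an added example written for this page (it is not FreeRADIUS or radtest code). It simulates both sides in-process so it runs offline: the NAS side builds an Access-Request with the User-Password hidden under the shared secret as RFC 2865 section 5.2 specifies, and the server side recovers the password, compares it with the users-file entry, and replies with an Access-Accept or Access-Reject carrying a Response Authenticator (RFC 2865 section 3). It uses the names from this page (bob, hello, testing123); the fixed packet Identifier of 1 and the Python standard library are the only assumptions.

```python
"""Added example (not FreeRADIUS or radtest code): the PAP exchange that
radtest drives on this page, simulated in-process so it runs offline.
Names and shared secret are the ones used on the page."""
import hashlib
import hmac
import os
import re
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
SECRET = b"testing123"  # the default localhost secret in clients.conf
USERS_FILE = 'bob Cleartext-Password := "hello"\n'  # the entry from this page

def parse_users(text):
    """{username: known-good password} from Cleartext-Password entries."""
    entry = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"\s*$')
    return {m.group(1): m.group(2)
            for m in map(entry.match, text.splitlines()) if m}

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 octets, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Keyed obfuscation, not encryption: anyone holding the secret reverses it."""
    pw = password.encode().ljust(16, b"\x00")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; returns bytes with NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(attr_type, value):
    """One RADIUS attribute: Type, Length (including these 2 octets), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, username, password, secret):
    """NAS side (what radtest does): fresh random Request Authenticator."""
    authenticator = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def handle_access_request(packet, secret, users):
    """Server side: recover the password, compare, reply with no attributes."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username = attrs[ATTR_USER_NAME].decode()
    password = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = username in users and hmac.compare_digest(password, users[username].encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

def verify_reply(reply, request_auth, secret):
    """NAS side: a reply whose Response Authenticator does not verify was not
    produced by a server holding our secret, or is not for this request."""
    code, _ident, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("bad Response Authenticator; check the shared secret")
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[code], length

def run_exchange(username, password, users_file=USERS_FILE, secret=SECRET):
    """The whole radtest-style round trip, e.g. ("Access-Accept", 20)."""
    request = build_access_request(1, username, password, secret)
    reply = handle_access_request(request, secret, parse_users(users_file))
    return verify_reply(reply, request[4:20], secret)

if __name__ == "__main__":
    print(run_exchange("bob", "hello"), run_exchange("bob", "wrong"))
```

The length of 20 in the reply matches the page's output: a bare Access-Accept is the 20-octet header with no attributes. Note what a mismatched shared secret looks like from the NAS side: the server unhides garbage, rejects, and signs the reply with its own secret, so the client sees a Response Authenticator failure rather than a clean Access-Reject. That is the symptom to recognise when radtest complains about the reply instead of printing a code.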
Compatible authentication types
With the default configuration in Version 2.x, and the above users file entry, the following authentication types will just work. They work because the server holds the clear-text password and can therefore perform whatever hash or challenge-response computation each method requires:
- PAP
- CHAP
- MS-CHAP
- EAP-MD5
- EAP-MSCHAPv2
- Cisco LEAP
If you disable Validate Server Certificate on the 802.1X supplicant (strictly for testing: the default installation ships with self-signed test certificates that your supplicant has no reason to trust, and a supplicant that skips certificate validation will hand its credentials to any rogue access point that offers a TLS tunnel), the following tunnelled authentication types will also just work:
- PEAPv0, with inner methods:
  - EAP-GTC
  - EAP-MSCHAPv2
- EAP-TTLS, with inner methods:
  - PAP
  - CHAP
  - MS-CHAP
  - EAP-MD5
  - EAP-MSCHAPv2
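The reason CHAP and EAP-MD5 in the lists above need nothing beyond the Cleartext-Password entry is that the server can recompute the challenge response itself. The following is an added example written for this page, not FreeRADIUS code: the peer answers a challenge with MD5(Identifier + password + challenge) as RFC 1994 section 2 specifies (EAP-MD5, RFC 3748 section 5.4, uses the same computation), and the server recomputes it from the known-good password. The contrast function at the end uses a constructed salted SHA-256 scheme, not one of FreeRADIUS's own password attributes, purely to show why a hashed entry can still serve PAP but not CHAP.

```python
"""Added example (not FreeRADIUS code): why CHAP and EAP-MD5 work from a
Cleartext-Password entry, using the users-file entry from this page."""
import hashlib
import hmac
import os

USERS = {"bob": "hello"}  # bob Cleartext-Password := "hello"

def chap_response(ident, password, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge).
    EAP-MD5 (RFC 3748 section 5.4) computes exactly the same value."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def nas_side(username, typed_password, challenge=None, ident=None):
    """Peer and NAS: issue a challenge, collect the response, and return the
    attributes a NAS puts in the Access-Request: User-Name, CHAP-Password
    (Identifier octet followed by the 16-octet response) and CHAP-Challenge.
    (If a NAS omits CHAP-Challenge, RFC 2865 5.40 says the Request
    Authenticator is the challenge; this example always sends it.)"""
    challenge = os.urandom(16) if challenge is None else challenge
    ident = os.urandom(1)[0] if ident is None else ident
    chap_password = bytes([ident]) + chap_response(ident, typed_password, challenge)
    return {"User-Name": username, "CHAP-Password": chap_password,
            "CHAP-Challenge": challenge}

def server_side(request, users):
    """Server: recompute the response from the known-good password and compare
    in constant time.  This is only possible because the entry is clear text;
    with a hashed entry the server has nothing to feed into chap_response."""
    known_good = users.get(request["User-Name"])
    if known_good is None or len(request["CHAP-Password"]) != 17:
        return "Access-Reject"
    ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    expected = chap_response(ident, known_good, request["CHAP-Challenge"])
    return "Access-Accept" if hmac.compare_digest(expected, response) else "Access-Reject"

def run_chap(username, typed_password, users=USERS):
    """The whole CHAP round trip for one login attempt."""
    return server_side(nas_side(username, typed_password), users)

def make_hashed_entry(password, salt):
    """Constructed salted-hash entry (not a FreeRADIUS attribute), for contrast."""
    return hashlib.sha256(salt + password.encode()).digest()

def pap_check_against_hash(typed_password, salt, stored_digest):
    """PAP still works with a hashed entry: the server receives the password
    itself, so it can hash what it received and compare.  CHAP cannot be
    checked this way, since the server never sees the password."""
    return hmac.compare_digest(make_hashed_entry(typed_password, salt), stored_digest)

if __name__ == "__main__":
    print(run_chap("bob", "hello"), run_chap("bob", "wrong"))
```

The practical consequence, which the rest of this page relies on: a database that stores only hashed passwords (Crypt-Password, SSHA-Password and the like in FreeRADIUS) can authenticate PAP and nothing else, while a Cleartext-Password entry unlocks every method in the lists above.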
See the EAP page for more instructions on configuring EAP authentication.
This process is an example of the two-step approach we recommend when setting up FreeRADIUS for the first time: get PAP working against the users file, and only then add the back-end databases and EAP methods you actually need. It really is that easy to get a basic configuration up and working!
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
How one-time passwords work
One-time passwords (OTP) and multi-factor authentication (MFA) are important mechanisms used to improve security. Both strategies combine the username and password credentials with a one-time token as part of the sign-in process. The one-time token is usually supplied through an authentication app, or a small separate piece of hardware. In network security, using a one-time token is common practice for activities such as signing into private networks through VPN.
How authentication protocols work
Choosing an authentication protocol is one of the most important decisions when designing a RADIUS ecosystem. There are a variety of authentication protocols to choose from, each with its own set of advantages, disadvantages, and constraints. In general, we recommend using PAP whenever possible. It is compatible with all known back-end databases, and it has no known security issues.