FreeRADIUS InkBridge

Summary of All Modules

Authentication Modules

Module Description

chap

Performs Challenge Handshake Authentication Protocol (CHAP) authentication, as described by RFC 2865.

digest

The digest module performs HTTP digest authentication, usually for a SIP server. See draft-sterman-aaa-sip-00.txt for details. The module does not support RFC 5090.

eap

Implements the base protocol for EAP (Extensible Authentication Protocol).

eap_inner

EAP/Inner Configuration for secure transmissions.

imap

Allows users to be authenticated against an IMAP server.

krb5

Implements Kerberos authentication, using the result of decrypting the TGT as an indication that the provided password was correct.

ldap

Can perform user authentication using LDAP binds, or by retrieving the contents of a password attribute for later comparison by a module such as rlm_pap, or an rlm_eap method.

mschap

Supports MS-CHAP and MS-CHAPv2 authentication. It also enforces the SMB-Account-Ctrl attribute.

ntlm_auth

NTLM Auth

pam

Performs password checking via the Pluggable Authentication Module (PAM) framework.

pap

Accepts a large number of formats for the "known good" (reference) password, such as crypt hashes, MD5 hashes, etc. The module takes the User-Password and performs the necessary transformations of the user-submitted password to match the copy of the password the server has retrieved.

rest

Sends HTTP requests to remote servers and decodes the responses.

totp

Implements the TOTP algorithm to fulfill authentication requests.

winbind

The module also allows for direct connection to Samba winbindd (version 4.2.1 or above), which communicates with Active-Directory to retrieve group information and the user’s NT-Password.

yubikey

Supports authentication of YubiKey tokens where the PSK is known to FreeRADIUS, and integrates with the Yubico cloud-based authentication service.

Datastore Modules

Module Description

cache

Stores attributes and/or lists and adds them back to a subsequent request or to the current request on a later execution of the module.

cache_eap

This cache stores replies for user sessions that are used by eap for authentication purposes.

cache_tls

Cache TLS Session saves all EAP session attributes in a backend cache to provide users with robust and fast session reconnections.

client

Reads client definitions from flat files.

csv

Maps values in a CSV file to FreeRADIUS attributes and adds them to the request.

etc_group

Allows users to be assigned to one or more groups to permit different levels of access.

files

Implements a traditional Livingston-style users file.

file format

A users file example.

ldap

Allows LDAP directory entries to be retrieved, modified, inserted and deleted.

opendirectory

Integrates with an Apple OpenDirectory service on the same host as FreeRADIUS to allow OpenDirectory users to authenticate.

passwd

Reads and caches line-oriented files that are in a format similar to /etc/passwd.

mac2ip

Enables the mapping of a MAC address to an IP address.

mac2vlan

Enables the mapping of a MAC address to a VLAN ID.

smbpasswd

Performs SMB authentication using a flat password file.

redis

Provides connectivity to single and clustered instances of Redis. This module exposes a string expansion that may be used to execute queries against Redis.

redis_ippool

Implements a fast and scalable IP allocation system using Redis. Supports both IPv4 and IPv6 address and prefix allocation, and implements pre-allocation for use with DHCPv4.

rediswho

Records which users are currently logged into the service. The file is used mainly for Simultaneous-Use checking to see who has current sessions.

rest

Sends HTTP requests to remote servers and decodes the responses.

sql

Provides an abstraction over multiple SQL backends, via database specific drivers.

sqlippool

SQL-based IP allocation module used to create IP pools.

sqlcounter

Records statistics for users such as data transfer and session time, and prevents further logins when limits are reached.

redundant_sql

Configures a redundant SQL server for redundancy or load-balancing purposes.

unix

Retrieves a user’s encrypted password from the local system and places it into the control.Password.Crypt attribute. The password is retrieved via the getpwent() and getspwent() system calls.

Formatting and Conversion Modules

Module Description

cipher

Performs cryptographic calculations on data.

date

Converts date strings between user configurable formats.

escape

Escapes and unescapes strings using the MIME escape format.

json

Parses JSON strings into an in-memory format using the json-c library.

unpack

Unpacks binary data from octets type attributes into individual attributes.

utf8

Checks all attributes of type string in the current request, to ensure that they only contain valid UTF-8 sequences.

Language Modules

Module Description

echo

Echo is used in conjunction with the exec module to display output from a program or command.

exec

Executes an external script, passing in FreeRADIUS attributes as environment variables or as arguments.

lua

Allows the server to call embedded Lua scripts.

mruby

Allows the server to call a persistent, embedded mRuby script.

perl

Allows the server to call a persistent, embedded Perl script.

python

Allows the server to call a persistent, embedded Python script.

Logging Modules

linelog

Creates log entries from attributes, string expansions, or static strings, and writes them to a variety of backends, including syslog, flat files, and raw UDP/TCP sockets.

logtee

Tees request logging at runtime, sending it to additional log destinations.

detail

Writes attributes from a request list to a flat file in 'detail' format.

example

Detail file example for configuration.

log example

Log example.

Policy Modules

Module Description

always

Returns a pre-configured result code such as 'ok', 'noop', 'reject', etc.

attr_filter

Filters attributes in a request. Can delete attributes or permit them to have only certain values.

idn

Converts internationalized domain names to ASCII.

sometimes

Is a hashing and distribution protocol that will sometimes return one code or another depending on the input value configured.

Protocol Modules

cui

CUI

dhcpv4

Implements DHCPv4 (Dynamic Host Configuration Protocol for IPv4) client and relay.

isc_dhcp

isc_dhcp

radius

Allows Access-Requests, Accounting-Requests, CoA-Requests and Disconnect-Messages to be sent during request processing.

wimax

Implements WiMAX authentication over RADIUS.

Utility Modules

Module Description

dict

Dictionary file for main definitions that are used for lookups by name.

smtp

Allows users to submit SMTP-formatted, MIME-encoded emails to a server. Supports User-Name User-Password authentication. Supports file attachments, size limited by the MTA.

stats

Gathers internal server statistics.

unbound

Performs queries against a DNS service to allow FQDNs to be resolved during request processing.