FreeRADIUS InkBridge

Authentication Modules

The authentication modules verify user credentials. They can do this by checking them against an external system, or by implementing an authentication protocol such as EAP.

There are many different types and methods of authentication. For example, RADIUS supports PAP, CHAP, or EAP. In many cases, datastores such as LDAP can be used to check a user's name and password.

In most cases, we recommend using a datastore (i.e. database) to store user credentials. The server can then obtain the credentials from the datastore, and run the authentication method itself.

In rare cases, the datastore will not return the user's credentials to the server. In that case, the server must send the user's name and password to the datastore, where it authenticates the user and returns a "pass" or "fail" result. This process almost always requires the user to supply the server with a clear-text password. Other authentication methods such as CHAP or EAP will pretty much never work.
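The following added example (not part of the FreeRADIUS documentation or code) shows why a pass/fail datastore works with PAP but not with CHAP. The two store classes, the function names and the sample account are constructed for illustration; the CHAP response is computed as RFC 1994 defines it, MD5 over the identifier, the password and the challenge.

```python
import hashlib
import hmac
import os

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: MD5 over Identifier || secret || Challenge.
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

class ReturningStore:
    """Constructed datastore that hands the stored password to the server."""
    def __init__(self, users):
        self._users = dict(users)
    def get_password(self, user):
        return self._users.get(user)

class BindOnlyStore:
    """Constructed datastore that only answers pass/fail (like a bind)."""
    def __init__(self, users):
        self._users = {}
        for name, pw in users.items():
            salt = os.urandom(16)
            self._users[name] = (salt, hashlib.sha256(salt + pw).digest())
    def check(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(hashlib.sha256(salt + password).digest(), digest)

def pap_via_bind(store, user, cleartext):
    # PAP gives the server the clear-text password, so it can be forwarded.
    return store.check(user, cleartext)

def chap_with_credentials(store, user, chap_id, challenge, response):
    # The server recomputes the response from the password it retrieved.
    known = store.get_password(user)
    if known is None:
        return False
    return hmac.compare_digest(chap_response(chap_id, known, challenge), response)

def chap_via_bind(store, user, chap_id, challenge, response):
    # The server never sees the password; all it could forward is the
    # one-way response, which the datastore cannot match.
    return store.check(user, response)

USERS = {"alice": b"correct horse"}  # constructed sample account
```

With the correct password, `pap_via_bind` and `chap_with_credentials` succeed, while `chap_via_bind` fails because the server has nothing to send to the datastore except a hash that the datastore cannot reverse.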

The Authentication modules available are:

Authentication Modules

| Module | Description |
|---|---|
| chap | Performs Challenge Handshake Authentication Protocol (CHAP) authentication, as described by RFC 2865. |
| digest | The digest module performs HTTP digest authentication, usually for a SIP server. See draft-sterman-aaa-sip-00.txt for details. The module does not support RFC 5090. |
| eap | Implements the base protocol for EAP (Extensible Authentication Protocol). |
| eap_inner | EAP/Inner Configuration for secure transmissions. |
| imap | Allows users to be authenticated against an IMAP server. |
| krb5 | Implements Kerberos authentication, using the result of decrypting the TGT as an indication that the provided password was correct. |
| ldap | Can perform user authentication using LDAP binds, or by retrieving the contents of a password attribute for later comparison by a module such as rlm_pap, or an rlm_eap method. |
| mschap | Supports MS-CHAP and MS-CHAPv2 authentication. It also enforces the SMB-Account-Ctrl attribute. |
| ntlm_auth | NTLM Auth |
| pam | Performs password checking via the Pluggable Authentication Module (PAM) framework. |
| pap | Accepts a large number of formats for the "known good" (reference) password, such as crypt hashes, MD5 hashes, etc. The module takes the User-Password and performs the necessary transformations of the user-submitted password to match the copy of the password the server has retrieved. |
| rest | Sends HTTP requests to remote servers and decodes the responses. |
| totp | Implements the TOTP algorithm to fulfill authentication requests. |
| winbind | The module also allows for direct connection to Samba winbindd (version 4.2.1 or above), which communicates with Active-Directory to retrieve group information and the user’s NT-Password. |
| yubikey | Supports authentication of YubiKey tokens where the PSK is known to FreeRADIUS, and integrates with the Yubico cloud-based authentication service. |