FreeRADIUS InkBridge

Authentication Modules

The authentication modules verify user credentials. They can do this by checking them against an external system, or by implementing an authentication protocol such as EAP.

There are many different types and methods of authentication. For example, RADIUS supports PAP, CHAP, or EAP. In many cases, datastores such as LDAP can be used to check a user's name and password.

In most cases, we recommend using a datastore (i.e. database) to store user credentials. The server can then obtain the credentials from the datastore, and run the authentication method itself.

In rare cases, the datastore will not return the user's credentials to the server. In that case, the server must send the user's name and password to the datastore, where it authenticates the user and returns a "pass" or "fail" result. This process almost always requires the user to supply the server with a clear-text password. Other authentication methods such as CHAP or EAP will pretty much never work.
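The difference between the two datastore styles above, as an added Python sketch (not FreeRADIUS code). The `USERS` table, function names and sample credentials are constructed for illustration; the CHAP computation follows RFC 1994 and the 17-byte CHAP-Password layout follows RFC 2865.

```python
import hashlib
import hmac

# Constructed sample data; the user name and password are made up.
USERS = {"alice": "correct horse"}

def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def client_chap(password: str, challenge: bytes, ident: int = 1) -> bytes:
    """What a CHAP client sends: ident byte followed by the MD5 response."""
    return bytes([ident]) + chap_response(ident, password, challenge)

def fetch_password(user: str):
    """Datastore that returns the stored clear-text password to the server."""
    return USERS.get(user)

def datastore_check(user: str, password: str) -> bool:
    """Datastore that only answers pass/fail for a user name and password."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def auth_pap(user: str, password: str, can_read_password: bool) -> bool:
    """PAP carries the clear-text password, so either datastore style works."""
    if not can_read_password:
        return datastore_check(user, password)
    stored = fetch_password(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

def auth_chap(user: str, chap_password: bytes, challenge: bytes,
              can_read_password: bool) -> bool:
    """chap_password is the 17-byte CHAP-Password value: ident + MD5 response."""
    if not can_read_password:
        # The server holds only a one-way hash bound to this challenge.
        # It has no password to send to a pass/fail datastore, so CHAP fails.
        return False
    stored = fetch_password(user)
    if stored is None or len(chap_password) != 17:
        return False
    # The server runs the authentication method itself from the stored password.
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password[1:])
```
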

The available authentication modules are:

  • CHAP module - CHAP authentication

  • Digest - HTTP Digest Authentication

  • EAP - EAP-MD5, EAP-MSCHAPv2, TTLS, PEAP, FAST, TEAP, etc.

    • EAP/Inner - limit EAP methods to ones which can be used in an "inner tunnel".

  • IMAP - check user credentials against an IMAP server

  • Kerberos - check user credentials against a Kerberos server

  • LDAP - check user credentials against an LDAP server

  • Microsoft CHAP - MSCHAPv1 and MSCHAPv2 authentication.

  • NTLM Auth - check user credentials against a Samba / Active Directory server

  • Pluggable Authentication - check user credentials against the Pluggable Authentication Method (PAM)

  • PAP - PAP authentication. Supports all common password hashing / encryption methods.

  • REST - check user credentials against a REST server

  • TOTP - perform time-based one-time-password (TOTP) checks.

  • Winbind - check user credentials against a Samba / Active Directory server

  • Yubikey - check user credentials against a Yubikey server or database.