Untitled :: The FreeRADIUS project

Authentication Modules

Module	Description
chap	Performs Challenge Handshake Authentication Protocol (CHAP) authentication, as described by RFC 2865.
digest	The digest module performs HTTP digest authentication, usually for a SIP server. See draft-sterman-aaa-sip-00.txt for details. The module does not support RFC 5090.
eap	Implements the base protocol for EAP (Extensible Authentication Protocol).
imap	Allows users to be authenticated against an IMAP server.
krb5	Implements kerberos authentication, using the result of decrypting the TGT as an indication that the provided password was correct.
ldap	Allows LDAP directory entries to be retrieved, modified, inserted and deleted.
mschap	Supports MS-CHAP and MS-CHAPv2 authentication. It also enforces the SMB-Account-Ctrl attribute.
opendirectory	Integrates with an Apple OpenDirectory service on the same host as FreeRADIUS to allow OpenDirectory users to authenticate.
pam	Performs password checking via the Pluggable Authentication Module (PAM) framework.
pap	Accepts a large number of formats for the "known good" (reference) password, such as crypt hashes, md5 hashes, and etc. The module takes the User-Password and performs the necessary transformations of the user submitted password to match the copy of the password the server has retrieved.
wimax	Implements WiMAX authentication over RADIUS.
winbind	The module also allows for direct connection to Samba winbindd (version 4.2.1 or above), which communicates with Active-Directory to retrieve group information and the user’s NT-Password.
yubikey	Supports authentication of yubikey tokens where the PSK is known to FreeRADIUS, and integrates with the Yubico cloud-based authentication service.

Module

Description

Performs Challenge Handshake Authentication Protocol (CHAP) authentication, as described by RFC 2865.

The digest module performs HTTP digest authentication, usually for a SIP server. See draft-sterman-aaa-sip-00.txt for details. The module does not support RFC 5090.

eap

Implements the base protocol for EAP (Extensible Authentication Protocol).

imap

Allows users to be authenticated against an IMAP server.

krb5

Implements kerberos authentication, using the result of decrypting the TGT as an indication that the provided password was correct.

ldap

Allows LDAP directory entries to be retrieved, modified, inserted and deleted.

mschap

Supports MS-CHAP and MS-CHAPv2 authentication. It also enforces the SMB-Account-Ctrl attribute.

opendirectory

Integrates with an Apple OpenDirectory service on the same host as FreeRADIUS to allow OpenDirectory users to authenticate.

pam

Performs password checking via the Pluggable Authentication Module (PAM) framework.

pap

Accepts a large number of formats for the "known good" (reference) password, such as crypt hashes, md5 hashes, and etc. The module takes the User-Password and performs the necessary transformations of the user submitted password to match the copy of the password the server has retrieved.

wimax

Implements WiMAX authentication over RADIUS.

winbind

The module also allows for direct connection to Samba winbindd (version 4.2.1 or above), which communicates with Active-Directory to retrieve group information and the user’s NT-Password.

yubikey

Supports authentication of yubikey tokens where the PSK is known to FreeRADIUS, and integrates with the Yubico cloud-based authentication service.

Authorization Modules

Module	Description
smtp	Allows users to submit smtp formatted, mime-encoded emails to a server Supports User-Name User-Password authentication Supports file attachments, size limited by the MTA.

Datastore Modules

Module Description

Module	Description
cache	Stores attributes and/or lists and adds them back to a subsequent request or to the current request on a later execution of the module.
client	Reads client definitions from flat files.
couchbase	Allows attributes to be stored and retrieved from a couchbase server. Client definitions may also be bulk loaded from a couchbase server as FreeRADIUS starts.
csv	Maps values in a CSV file to FreeRADIUS attributes and adds them to the request.
kafka	Produces messages, placing them in a Kafka messaging queue
passwd	Reads and caches line-oriented files that are in a format similar to `/etc/passwd`.
radutmp	Writes a utmp style file that lists the users who are logged in. The file is used mainly for Simultaneous-Use checking and by radwho to see who has current sessions.
redis	Provides connectivity to single and clustered instances of Redis. This module exposes a string expansion that may be used to execute queries against Redis.
redis_ippool	Implements a fast and scalable IP allocation system using Redis. Supports both IPv4 and IPv6 address and prefix allocation, and implements pre-allocation for use with DHCPv4.
rediswho	Records which users are currently logged into the service. The file is used mainly for Simultaneous-Use checking to see who has current sessions.
sql	Provides an abstraction over multiple SQL backends, via database specific drivers.
sqlippool	SQL based IP allocation module.
unix	Retrieves a user’s encrypted password from the local system and places it into the `control.Password.Crypt` attribute. The password is retrieved via the `getpwent()` and `getspwent()` system calls.

cache

Stores attributes and/or lists and adds them back to a subsequent request or to the current request on a later execution of the module.

client

Reads client definitions from flat files.

couchbase

Allows attributes to be stored and retrieved from a couchbase server. Client definitions may also be bulk loaded from a couchbase server as FreeRADIUS starts.

csv

Maps values in a CSV file to FreeRADIUS attributes and adds them to the request.

kafka

Produces messages, placing them in a Kafka messaging queue

passwd

Reads and caches line-oriented files that are in a format similar to /etc/passwd.

radutmp

Writes a utmp style file that lists the users who are logged in. The file is used mainly for Simultaneous-Use checking and by radwho to see who has current sessions.

redis

Provides connectivity to single and clustered instances of Redis. This module exposes a string expansion that may be used to execute queries against Redis.

redis_ippool

Implements a fast and scalable IP allocation system using Redis. Supports both IPv4 and IPv6 address and prefix allocation, and implements pre-allocation for use with DHCPv4.

rediswho

Records which users are currently logged into the service. The file is used mainly for Simultaneous-Use checking to see who has current sessions.

sql

Provides an abstraction over multiple SQL backends, via database specific drivers.

sqlippool

SQL based IP allocation module.

unix

Retrieves a user’s encrypted password from the local system and places it into the control.Password.Crypt attribute. The password is retrieved via the getpwent() and getspwent() system calls.

IO Modules

Module	Description
detail	Writes attributes from a request list to a flat file in 'detail' format.
dhcpv4	Implements DHCPv4 (Dynamic Host Configuration Protocol for IPv4) client and relay.
files	Implements a traditional Livingston-style users file.
icmp	Sends an ICMP "echo request" message to a particular IP address.
linelog	Creates log entries from attributes, string expansions, or static strings, and writes them to a variety of backends, including syslog, flat files, and raw UDP/TCP sockets.
logtee	Tee’s request logging at runtime, sending it to additional log destinations.
radius	Allows Access-Requests, Accounting-Requests, CoA-Requests and Disconnect-Messages to be sent during request processing.
rest	Sends HTTP requests to remote servers and decodes the responses.
unbound	Performs queries against a DNS service to allow FQDNs to be resolved during request processing.

Module

Description

detail

Writes attributes from a request list to a flat file in 'detail' format.

dhcpv4

Implements DHCPv4 (Dynamic Host Configuration Protocol for IPv4) client and relay.

files

Implements a traditional Livingston-style users file.

icmp

Sends an ICMP "echo request" message to a particular IP address.

linelog

Creates log entries from attributes, string expansions, or static strings, and writes them to a variety of backends, including syslog, flat files, and raw UDP/TCP sockets.

logtee

Tee’s request logging at runtime, sending it to additional log destinations.

radius

Allows Access-Requests, Accounting-Requests, CoA-Requests and Disconnect-Messages to be sent during request processing.

rest

Sends HTTP requests to remote servers and decodes the responses.

unbound

Performs queries against a DNS service to allow FQDNs to be resolved during request processing.

Language Modules

Module	Description
exec	Executes an external script, passing in FreeRADIUS attributes as environmental variables or as arguments.
lua	Allows the server to call embedded lua scripts.
mruby	Allows the server to call a persistent, embedded mRuby script.
perl	Allows the server to call a persistent, embedded Perl script.
python	Allows the server to call a persistent, embedded Python script.

Module

Description

exec

Executes an external script, passing in FreeRADIUS attributes as environmental variables or as arguments.

lua

Allows the server to call embedded lua scripts.

mruby

Allows the server to call a persistent, embedded mRuby script.

perl

Allows the server to call a persistent, embedded Perl script.

python

Allows the server to call a persistent, embedded Python script.

Miscellaneous Modules

Module	Description
abfab_psk_sql	ADFAB PSK
cache_eap	Cache EAP
cache_tls	Cache TLS Session
cipher	Cipher
cui	CUI
detail.example.com	Detail (Sample)
detail.log	Detail (Log Sample)
eap_inner	EAP/Inner
echo	Echo
etc_group	etc_group
isc_dhcp	isc_dhcp
mac2ip	Mac2IP
mac2vlan	Mac2Vlan
ntlm_auth	NTLM Auth
redundant_sql	redundant_sql
smbpasswd	SMBPasswd
sradutmp	sRadutmp
stats	Stats
totp

Module

Description

ADFAB PSK

Cache EAP

Cache TLS Session

Cipher

CUI

Detail (Sample)

Detail (Log Sample)

EAP/Inner

Echo

Mac2IP

Mac2Vlan

NTLM Auth

SMBPasswd

sRadutmp

Stats

Policy Modules

Module	Description
always	Returns a pre-configured result code such as 'ok', 'noop', 'reject' etc…
attr_filter	Filters attributes in a request. Can delete attributes or permit them to have only certain values.
cipher	Cipher
date	Converts date strings between user configurable formats.
delay	Introduces an artificial non-blocking delay when processing a request.
escape	Escapes and unescapes strings using the MIME escape format
idn	Converts internationalized domain names to ASCII.
json	Parses JSON strings into an in memory format using the json-c library.
sometimes	Is a hashing and distribution protocol, that will sometimes return one code or another depending on the input value configured.
sqlcounter	Records statistics for users such as data transfer and session time, and prevent further logins when limits are reached.
unpack	Unpacks binary data from octets type attributes into individual attributes.
utf8	Checks all attributes of type string in the current request, to ensure that they only contain valid UTF8 sequences.

Module

Description

always

Returns a pre-configured result code such as 'ok', 'noop', 'reject' etc…

attr_filter

Filters attributes in a request. Can delete attributes or permit them to have only certain values.

cipher

Cipher

date

Converts date strings between user configurable formats.

delay

Introduces an artificial non-blocking delay when processing a request.