Here are the simplest settings for PAP, where the client only passes Username/Password to the RADIUS server.
On the server side, I only want to test basic username/password.
Three files are involved:
"clients.conf", "users" and "modules/pap"
[peter@localhost raddb]$ vim clients.conf
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (radius.example.com)
#ipaddr = 127.0.0.1
ipaddr = 172.21.33.112
secret = testing123
#vim modules/pap
pap {
auto_header = yes
}
#vi users
peter Cleartext-Password := "4321"
-----------------------
For the client test.
----------------------
[peter@localhost raddb]$ vim /share/rootfs/etc/radiusclient/radiusclient.conf
authserver 172.21.46.133
#vim /share/rootfs/etc/radiusclient/servers
172.21.46.133 testing123
Conclusion:
The shared secret ("testing123" in this case) MUST match between client and server.
The User-Password was sent as MD5(password, secret), so the clear-text password was never sent over the network.
TIP:
#server daemon in my environment.
LD_LIBRARY_PATH=/usr/lib:/lib/:/lib/tls/:$LD_LIBRARY_PATH ./radiusd -s -X
#client test utility
echo "User-Name = test" | /usr/local/bin/radclient localhost:1812 auth s3cr3t
echo "User-Name=test,Password=mypass,Framed-Protocol=PPP " | /usr/local/bin/radclient localhost:1812 auth s3cr3t
--------------------
Debug-mode output of radiusd -s -X
-------------
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.21.33.112 port 1054, id=60, length=63
User-Name = "peter"
User-Password = "4321"
Service-Type = Authenticate-Only
NAS-Port = 0
NAS-IP-Address = 172.21.33.112
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "peter", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry peter at line 93
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "4321"
[pap] Using clear text password "4321"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 60 to 172.21.33.112 port 1054
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 60 with timestamp +9
Ready to process requests.