Radiator Server Documentation — v10.33.2

pap

PAP action for plaintext password authentication

Table of Contents
  • pap
  • Basic Syntax
  • Modes
  • Parameters
  • attribute
  • range
  • Result
  • Backend Mapping
  • Related Actions

pap

Validates passwords using the Password Authentication Protocol (PAP). PAP carries the password itself rather than a proof of possession: the server receives the cleartext value and compares it with user.password. The transport gives little protection on its own. In plain RADIUS the User-Password attribute is only obfuscated with an MD5 keystream derived from the shared secret and the request authenticator (RFC 2865), and a TACACS+ packet body is obfuscated in a similar MD5-based way (RFC 8907), so treat both as cleartext on the wire and carry them over TLS (RADIUS over TLS, RFC 6614) or an otherwise protected path.

Can be combined with other authentication methods such as totp or hotp for two-factor authentication, using range to split the submitted password field into its static password and one-time code components.

Basic Syntax

@execute {
    backend {
        name "USERS";
        query "FIND_USER";
    }

    # Validate password
    pap;
}

Modes

The pap action has two modes that control whether it actually validates the PAP response or only stages it on the shared authentication state for later actions to consume.

pap; or pap authentication;
    Mode: Authenticate. Read the current PAP response from the protocol context (or the response previously staged with pap response;, see below) and validate it against user.password. Records the authentication outcome on the AAA context.

pap response;
    Mode: Extract response. Read the current PAP response from the protocol context and store it on the shared authentication state as the canonical PAP response. Does not call the backend, does not compare credentials, and does not by itself decide accept or reject.

pap { ... }
    Mode: Block form. Same as pap; by default. Add response; inside the block to switch to extract-only mode, or authentication; to be explicit. Combine with attribute and/or range to override where the response comes from and which substring is used.

pap response; is most useful in TACACS+ multistage flows. The first password prompt populates the protocol's PAP response, but each later challenge round overwrites it with the next user reply. Snapshot the password with pap response; before the next round so a later pap; can still authenticate against the original password. See TACACS+ Authentication, Authorization, and Accounting for a worked example.

Parameters

attribute

Override the source of the PAP response with a context expression. The value of that expression is used as the PAP response bytes instead of the protocol's default credential location. Useful when reading a TACACS+ continue message with attribute tacacsplus.request.message;.

attribute is only valid inside the block form pap { ... } and can be combined with either authentication; (validate the supplied value against user.password) or response; (only stage the supplied value).

range

Extracts a substring of the password field and validates only that substring. This enables two-factor authentication by splitting a single submitted password field into a static password component and a one-time code component (for example, the static password immediately followed by a 6-digit TOTP code).

Syntax: range <start> <end> [exclusive]

  • <start> - Starting index of the substring (negative values count from the end of the field)
  • <end> - Index just past the last selected character, so range 0 10 selects the first 10 characters (negative values count from the end; an <end> of 0 selects through the end of the field, as in range -6 0)
  • exclusive - Optional keyword to invert the selection: validate everything except the specified range
  • Indices are 0-based

Examples:

# Extract last 6 characters
pap {
    range -6 0;
}

# Extract all but last 6 characters (the static password when a 6-digit OTP is appended)
pap {
    range -6 0 exclusive;
}

# Extract first 10 characters
pap {
    range 0 10;
}

# Extract the 10 characters at indices 5 through 14
pap {
    range 5 15;
}

# Extract all but last 8 characters (for 8-digit OTP)
pap {
    range -8 0 exclusive;
}
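As an added illustration (not Radiator's code or configuration), the following Python model implements the range selection described above with the semantics the five examples imply, and shows how a single submitted field is split into the static password and OTP parts that a pair of actions using range -6 0 exclusive and range -6 0 would each see. The function names and the sample field are constructed for this example; treating an end index of 0 as "through the end of the field" is inferred from the range -6 0 example rather than stated on this page.

```python
"""Model of the pap action's `range <start> <end> [exclusive]` selection.

Illustration written for this page, not Radiator's implementation.
Assumed semantics, taken from the documented examples:
  * indices are 0-based; negative values count from the end of the field
  * <end> is the index just past the last selected character, so
    `range 0 10` is the first 10 characters
  * an <end> of 0 means "through the end of the field", as `range -6 0`
    (the last 6 characters) requires (assumption inferred from that example)
  * `exclusive` selects everything except the specified range
"""


def select_range(field: str, start: int, end: int, exclusive: bool = False) -> str:
    """Return the part of `field` that `range start end [exclusive]` would
    hand to the password comparison."""
    n = len(field)
    # Resolve negative indices against the field length; 0 as <end> is taken
    # to mean the end of the field (assumption, see module docstring).
    lo = start + n if start < 0 else start
    hi = n if end == 0 else (end + n if end < 0 else end)
    # Clamp to the field so a short field cannot produce an invalid slice.
    lo = max(0, min(lo, n))
    hi = max(lo, min(hi, n))
    if not exclusive:
        return field[lo:hi]
    return field[:lo] + field[hi:]


def split_password_and_otp(field: str, otp_len: int = 6) -> tuple:
    """Split a concatenated 'static password + OTP' field the way a pipeline
    of `pap { range -N 0 exclusive; }` followed by an OTP check over
    `range -N 0` would see it.

    A field no longer than the OTP leaves the exclusive part empty, so the
    model refuses such input instead of comparing an empty password."""
    if len(field) <= otp_len:
        raise ValueError("field too short to hold a password and a %d-digit OTP" % otp_len)
    static_part = select_range(field, -otp_len, 0, exclusive=True)
    otp_part = select_range(field, -otp_len, 0)
    return static_part, otp_part


# Constructed sample input: static password followed by a 6-digit TOTP code.
SAMPLE_FIELD = "correct horse battery staple" + "492817"

if __name__ == "__main__":
    pw, otp = split_password_and_otp(SAMPLE_FIELD)
    print("password:", pw)
    print("otp:     ", otp)
    print("first 10:", select_range(SAMPLE_FIELD, 0, 10))
    print("5..14:   ", select_range(SAMPLE_FIELD, 5, 15))
```

The clamping matters in practice: a user who submits only the OTP, or a field shorter than the configured range, must not end up with an empty string being compared as the static password. Whatever the real pipeline does in that case, make sure the flow rejects it rather than letting a short field degrade two factors to one.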

Result

The pap action produces the following pipeline results:

  • Accept: The supplied password matches the stored password. Execution continues to the next action.
  • Reject: Authentication failed. This occurs when:
    • The user was not found (reason: "No such user"). Ensure the preceding backend action populates user.password.
    • The password does not match (reason: "Incorrect password").
  • Ignore: The request does not contain PAP credentials. This allows combining pap with other authentication actions such as chap or mschapv2 in the same pipeline - the non-matching action is skipped.
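To make the two modes and the three results concrete, here is an added Python model (an illustration written for this page, not Radiator's code or configuration) of how pap; and pap response; touch the protocol context and the shared authentication state. It reproduces the TACACS+ multistage problem described under Modes: the reply to the second prompt overwrites the protocol's PAP response, so without a pap response; snapshot the later pap; compares the OTP reply against user.password and rejects. It assumes, beyond what this page states, that pap; uses a staged response in preference to the protocol's current one and that user.password is a plaintext string; the names Context, pap, tacacs_two_round and demo are constructed for the example.

```python
"""Model of `pap;` / `pap response;` against a pipeline context.

Illustration written for this page, not Radiator's implementation.
Assumptions: a staged response takes precedence over the protocol's
current response; user.password is a plaintext string; `pap response;`
makes no accept/reject decision (modelled as returning None).
"""
import hmac
from typing import Optional

ACCEPT, REJECT, IGNORE = "accept", "reject", "ignore"


class Context:
    """Stand-in for the slices of pipeline state the pap action touches."""

    def __init__(self) -> None:
        self.protocol_pap_response: Optional[str] = None  # current reply in the protocol context
        self.staged_pap_response: Optional[str] = None    # canonical response on shared auth state
        self.user_password: Optional[str] = None          # populated by the backend action
        self.reason: Optional[str] = None                 # reject reason, as on the page


def pap(ctx: Context, mode: str = "authentication") -> Optional[str]:
    """Run the pap action in `authentication` (default) or `response` mode and
    return the pipeline result: accept, reject, ignore, or None for a
    snapshot that decides nothing."""
    if mode == "response":
        # Extract-only: stage the current reply, no backend, no comparison.
        if ctx.protocol_pap_response is not None:
            ctx.staged_pap_response = ctx.protocol_pap_response
        return None
    if mode != "authentication":
        raise ValueError("unknown pap mode: %s" % mode)
    response = (ctx.staged_pap_response if ctx.staged_pap_response is not None
                else ctx.protocol_pap_response)
    if response is None:
        return IGNORE  # no PAP credentials: leave the request to chap/mschapv2
    if ctx.user_password is None:
        ctx.reason = "No such user"
        return REJECT
    # Constant-time comparison so timing does not leak the prefix length.
    if not hmac.compare_digest(response.encode("utf-8"), ctx.user_password.encode("utf-8")):
        ctx.reason = "Incorrect password"
        return REJECT
    return ACCEPT


def tacacs_two_round(ctx: Context, password_reply: str, otp_reply: str, snapshot: bool) -> Optional[str]:
    """Two prompt rounds: the password reply, then an OTP reply that overwrites
    the protocol's PAP response. With snapshot=True the password is staged
    between rounds, as the documentation recommends."""
    ctx.protocol_pap_response = password_reply  # round 1: user answers the password prompt
    if snapshot:
        pap(ctx, "response")                     # pap response; keeps a copy
    ctx.protocol_pap_response = otp_reply       # round 2: the next reply overwrites it
    return pap(ctx)                             # later pap; validates the password


def demo() -> dict:
    """Run both variants on a constructed user and return {snapshot: (result, reason)}."""
    results = {}
    for snapshot in (False, True):
        ctx = Context()
        ctx.user_password = "correct horse battery staple"  # constructed backend result
        result = tacacs_two_round(ctx, "correct horse battery staple", "492817", snapshot)
        results[snapshot] = (result, ctx.reason)
    return results


if __name__ == "__main__":
    for snapshot, outcome in demo().items():
        print("snapshot=%s -> %s" % (snapshot, outcome))
```

Without the snapshot the second round's reply is what pap; sees, and the rejection reason is "Incorrect password" even though the user typed the right password one round earlier; that is the failure the pap response; snapshot exists to prevent.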

Backend Mapping

The backend must populate the user password:

backends {
    sqlite "USERS" {
        filename "users.db";
        query "FIND_USER" {
            statement "SELECT username, password FROM users WHERE username = ?";
            bindings {
                aaa.identity;
            }
            mapping {
                user.username = username;
                user.password = password;  # Required for PAP
            }
        }
    }
}

Required context variables:

  • user.password - User's password for comparison

Related Actions

  • http-basic-auth - HTTP Basic Authentication for HTTP server handlers
  • totp - Time-based OTP for 2FA
  • hotp - Counter-based OTP for 2FA
  • chap - Challenge-response authentication
  • mschapv2 - Microsoft CHAP v2 authentication