Authenticate against FreeIPA PBKDF2_SHA256

Marc Sauer m.sauer at
Wed Apr 7 14:27:43 CEST 2021


I would like to authenticate against our FreeIPA servers. The problem is 
that our passwords are stored in the following format:


FreeRADIUS did not support this at all until version 3.0.22 [1]. The 
functionality has been merged into the v3.0.x branch in September 2020.

Unfortonately it still does not work in 3.0.22 with FreeIPA passwords.

The example-password I'm trying to authenticate against has the 
following content:


When I try to authenticate against it, it shows the following error when 
running freeradius -X:

(1) pap: Unknown header {PBKDF2_SHA256} in Password-With-Header, 
re-writing to Cleartext-Password
(1) pap: Removing &control:Password-With-Header
(1)     [pap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = PAP
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   Auth-Type PAP {
(1) pap: Login attempt with password
(1) pap: Comparing with "known good" Cleartext-Password
(1) pap: ERROR: Cleartext password does not match "known good" password

What I don't understand is, that FreeRADIUS says "Unknown header", 
although the PBKDF2_SHA256 support seems to be implemented.

Is there anything wrong with my configration or is there still something 
wrong with the implementation of those kinds of hashes in FreeRADIUS?

If I'd know C, I would love to help implementing the support.

Maybe someone can help me with that.


Marc Sauer


Marc Sauer
Linux Systems Administrator

Kunsthochschule für Medien Köln/
Academy of Media Arts Cologne
Peter-Welter-Platz 2
50676 Köln

tel: +49 221 20189 - 239
business mobile: +49 151 74230781

More information about the Freeradius-Users mailing list