Old password 'grace period'

John Kane john.kane at prodeasystems.com
Wed Jun 24 20:03:23 CEST 2009


> Hi,
> 
> > [JK] Thanks, Arran.  Another quick question.  Will 2.* do this
> > 'straight out of the box'?  If not, will it require much work?  We are
> > evaluating whether to attempt this in radius, or make changes in our
> > system.
> 
> your situation is a slightly unique bespoke requirement - as such, it
> won't work 'straight out of the box' - you'll need to add a few lines of
> 'unlang' to the config.
> 
> check out the FreeRADIUS wiki - in particular
> 
> http://wiki.freeradius.org/Fail-over
> 
> 
> you'll basically need to make an SQL query for the one type...and
> if it fails, make another query for the other type.
> 
> alan
> -


[JK]
Upgraded to 2.1.6 and got basic auth working.  Then, after consulting
the Fail-over page Alan suggested, I added a second sql section to
sql.conf (I have sql_new and sql_old), each with its own
sql/postgresql/dialup.conf.  The only difference between the two
dialup.conf files is that one gets the current password and the other
gets the old password (via sql_old).

I added, in the authorize section of sites-available/default, the
following:

        group {
            sql_new {
                fail = 1
                notfound = 2
                noop = 3
                ok = 4
                updated = 5
                reject = 6
                userlock = 7
                invalid = 8
                handled = return
            }
            sql_old {
                fail = 1
                notfound = 2
                noop = 3
                ok = 4
                updated = 5
                reject = 6
                userlock = 7
                invalid = 8
                handled = return
            }
        }

Note that I have been playing with various values for the different
response scenarios (those listed above were the current values at this
writing), and cannot seem to find anything that works like I need it to.

Just to reiterate; I need freeradius to attempt to authorize using the
password returned in the sql_new query (and there WILL be a password
returned for any valid user), and if this password does not match what
the user sent, then do the query (sql_old) to get the old password (may
or may not be available).  If this password matches, then we accept.

Is this possible?  Should I be able to continue when the query to
sql_new was successful, but due to invalid password, freeradius finds
'MS-CHAP2-Response is incorrect'?

Thanks,
John
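For reference, the fall-over pattern from the wiki page Alan points to looks like this in 2.x unlang. This is an added illustration, not configuration from the original message or from the FreeRADIUS project, and it assumes the sql_new and sql_old module instances described in the post.

```unlang
authorize {
    # ... preprocess, mschap, suffix, etc. as in the stock default site ...

    # Query the table holding the current password first.  The explicit
    # priority is optional; it only affects the code the section returns.
    sql_new {
        notfound = 1
    }

    # 'if (notfound)' tests the return code of the module that just ran,
    # so sql_old is consulted only when sql_new had no row for this user.
    if (notfound) {
        sql_old
    }

    # ... expiration, logintime, pap, etc. ...
}
```

Note that in authorize the sql modules only load the stored password into control items (for example control:NT-Password); the comparison that yields 'MS-CHAP2-Response is incorrect' happens later, in authenticate, so this pattern covers a user missing from the new table, not a current password that fails to match.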







