On Wed, May 18, 2011 at 11:20:14AM -0400, Garber, Neal wrote:
Has anyone made a patch to rlm_pap and rlm_chap so that it supports multiple instances of Cleartext-Password? The idea would be to succeed if the incoming request matches any one of them.
You wouldn't have multiple Cleartext-Password attributes. You would just have one in the request (the one entered by the user).
The one entered by the user is in User-Password (or CHAP-Password or whatever), not Cleartext-Password.
You want to compare against multiple passwords.
The password that auth_pap/auth_chap compares against is in a Cleartext-Password attribute in the control list. So we'd need multiple instances of that.
Are you using the users file?
No, we're using mysql, but it doesn't make any difference to this discussion.
If so, couldn't you just list multiple entries for each user (one for each password that is acceptable)?
That doesn't work - try it and see: somebody Cleartext-Password := "foo" Fall-Through = Yes somebody Cleartext-Password += "bar" The auth_pap / auth_chap modules only validate the first Cleartext-Password found. Regards, Brian.