Phil, you got it working!
All of what you wrote was right:
- added Cleartext-Password2 to /usr/share/freeradius/dictionary.freeradius.internal
- created user file like this:
user Cleartext-Password := "1", Cleartext-Password2 += "2"
- updated sites-enabled/default to look like this (authorize section)
[..]
#
# Read the 'users' file
files {
}
if (("%{User-Password}" != "%{control:Cleartext-Password}") && ("%{User-Password}" != "%{control:Cleartext-Password2}")) {
update reply {
Reply-Message = "I suck at FreeRadiusing!"
}
reject
}
else {
update control {
Auth-Type := Accept
}
}
[..]
If I can buy you a beer or something (thinking of https://secure.wikimedia.org/wikipedia/en/wiki/Beerware or https://secure.wikimedia.org/wikipedia/en/wiki/Postcardware) just email me :)
Best Regards
Hi Phil,
thanks a lot for the fast answer! Unfortunatelly your radius-skills seem to be far far from mine, but I think I get the point.
I tried to add the following to sites-enabled/default (int authorize section) (Its not a full copy of your text, I wanted to start step by step):
[...]
#
# Read the 'users' file
files {
# compare them
if (User-Password != control:Cleartext-Password) {[...]
reject
}
# probably need to set Auth-Type := Accept here
update control {
Auth-Type := Accept
}
}
and freeradius won't start (even if I remove the update control section). This is the error:[...]
/etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
Any idea what might cause the trouble? Line 154 is the "if (User-Password...." line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers <p.mayers@imperial.ac.uk>On 07/07/11 09:51, Equin Nix wrote:
Hi,alice Auth-Type=Local, Cleartext-Password := "test2"/
I am trying to set up something very basic (at least from my point of
view): I would like to have a User with multiple passwords (two
actually). How would I do this? I tried the following:
/alice Auth-Type=Local, Cleartext-Password := "test1"
Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case.
It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover.
It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password.
You could try something like this - define a second password attribute in raddb/dictionary:
ATTRIBUTE Cleartext-Password2 3002 string
...then set both in the "users" file:
alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"
...then use unlang to perform the comparisons in sites-enabled/default:
authorize {
...
# read the passwords from "files"
files
# compare them
if ((User-Password != control:Cleartext-Password) && \
(User-Password != control:Cleartext-Password2)) {
reject
}
# probably need to set Auth-Type := Accept here
update control {
Auth-Type := Accept
}
}
If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html