Thanks for the feedback! The manager has very specific requirements about username and password convention... We have switched to using the name as password and room number as username, since the room number is guaranteed to be unique. As an aside, I'm very curious how other hotels using a captive portal do their authentication. On 10/12/2019, Rens Houben via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Van: Freeradius-Users <freeradius-users-bounces+rhouben=systemec.nl@lists.freeradius.org> namens WAGHORN, Jason (NHS BORDERS) via Freeradius-Users <freeradius-users@lists.freeradius.org> Verzonden: dinsdag 10 december 2019 08:43 Aan: FreeRadius users mailing list CC: WAGHORN, Jason (NHS BORDERS) Onderwerp: RE: Allow same user to authenticate with different passwords
We are trying to allow users to authenticate with different passwords using an SQL database and freeradius version 3.0.17 (hotel scenario, where unrelated people can have the same family name).
Perhaps I'm being strange here - but a single username with multiple passwords sounds like a security hole to me - in that if johnsmith is logging in twice because there are two "John Smith" users - how do you tell them apart in case of (for example) law enforcement request?
Surely it's easier/better/simpler just to give everyone a unique login name? Perhaps in your hotel case use room number plus surname? So 317smith & 226smith
From an infosec point of view this is a *terrible* idea, because it would allow a stalker or PI who knows the name of your guest to potentially figure out what room their target is in by process of elimination.
Use random names and passwords instead.
--Rens. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html