Multiple Cleartext-Password?
Brian Candler
B.Candler at pobox.com
Thu May 19 12:28:42 CEST 2011
On Wed, May 18, 2011 at 11:20:14AM -0400, Garber, Neal wrote:
> > Has anyone made a patch to rlm_pap and rlm_chap so
> > that it supports multiple instances of Cleartext-Password?
> > The idea would be to succeed if the incoming request matches
> > any one of them.
>
> You wouldn't have multiple Cleartext-Password attributes. You
> would just have one in the request (the one entered by the user).

The one entered by the user is in User-Password (or CHAP-Password or
whatever), not Cleartext-Password.

> You want to compare against multiple passwords.

The password that auth_pap/auth_chap compares against is in a
Cleartext-Password attribute in the control list. So we'd need multiple
instances of that.

> Are you using
> the users file?

No, we're using mysql, but it doesn't make any difference to this
discussion.

> If so, couldn't you just list multiple entries
> for each user (one for each password that is acceptable)?

That doesn't work - try it and see:

    somebody  Cleartext-Password := "foo"
              Fall-Through = Yes

    somebody  Cleartext-Password += "bar"

The auth_pap / auth_chap modules only validate the first Cleartext-Password
found.

Regards,
Brian.
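
An added illustration, not part of the original message and not FreeRADIUS code: a small Python model of the difference between checking only the first Cleartext-Password in the control list and accepting a match against any of them, for both PAP and CHAP (RFC 1994 response calculation). The control list contents and the names `authenticate`, `any_match`, `pap_matches` and `chap_matches` are assumptions made for this sketch.

```python
import hashlib
import hmac

# Constructed control list modelling the two users-file entries above:
# (attribute, value) pairs in the order they were added.
CONTROL = [
    ("Cleartext-Password", "foo"),
    ("Cleartext-Password", "bar"),
]


def known_passwords(control):
    """All Cleartext-Password values in the control list, in order."""
    return [v.encode() for a, v in control if a == "Cleartext-Password"]


def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def pap_matches(user_password, candidate):
    """PAP: compare the already-decoded User-Password with one candidate."""
    return hmac.compare_digest(user_password, candidate)


def chap_matches(chap_password, challenge, candidate):
    """CHAP-Password is one identifier octet followed by the 16-byte response."""
    chap_id, response = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, candidate, challenge)
    return hmac.compare_digest(response, expected)


def authenticate(control, check, any_match):
    """check(candidate) -> bool. any_match=False models 'first one only'."""
    candidates = known_passwords(control)
    if not any_match:
        candidates = candidates[:1]
    ok = False
    for c in candidates:
        # Evaluate every candidate (no early exit) so the time taken does
        # not reveal which stored password matched.
        ok = check(c) or ok
    return ok
```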