Check against TWO possible password?

Federico Giannici giannici at
Sun Feb 4 13:10:17 CET 2007

Federico Giannici wrote:
> Alan DeKok wrote:
>> Federico Giannici wrote:
>>> Now we have to check every authentication against TWO different 
>>> passwords (it's OK if ONE is matched). Something like setting two 
>>> different and alternative "User-Password" attributes...
>>   Sort of.  See doc/configurable_failover.
> I read it, but I'm a little confused...
> How can I use it to make the AUTHENTICATE sections to be tried a SECOND 
> time (with a different Cleartext-Password set by an authorization 
> module), if the first time the authentication failed?

OK, I think I understood how to implement it by means of group{}: if the 
pap/chap/etc authentication fails then I have to call the authentication 
routine of my module to change the "Cleartext-Password" and then call 
the pap/chap/etc authentication again.
I'm I right?

But the following sentence of "doc/configurable_failover" perplexes me:

"authenticate{...}" itself is not a GROUP, even though it contains a 
list of Auth-Type GROUPs, because its semantics are totally different - 
it uses Auth-Type to decide which of its members to call, and their 
order is irrelevant.

Currently the default authenticate{...} configuration contains a call to 
eap WITHOUT any Auth-Type!

Is that sentence still correct?


    |-                      giannici at
    |ederico Giannici

More information about the Freeradius-Users mailing list