Check against TWO possible password?

Federico Giannici giannici at neomedia.it
Sun Feb 4 16:06:45 CET 2007


Federico Giannici wrote:
> Federico Giannici wrote:
>> Alan DeKok wrote:
>>> Federico Giannici wrote:
>>>> Now we have to check every authentication against TWO different 
>>>> passwords (it's OK if ONE is matched). Something like setting two 
>>>> different and alternative "User-Password" attributes...
>>>   Sort of.  See doc/configurable_failover.
>> I read it, but I'm a little confused...
>>
>> How can I use it to make the AUTHENTICATE sections to be tried a SECOND 
>> time (with a different Cleartext-Password set by an authorization 
>> module), if the first time the authentication failed?
> 
> OK, I think I understood how to implement it by means of group{}: if the 
> pap/chap/etc authentication fails then I have to call the authentication 
> routine of my module to change the "Cleartext-Password" and then call 
> the pap/chap/etc authentication again.
> Am I right?

OK, it seems to work.
At the end of this email there is my authenticate{} section.
Is it correct?
Is there a simpler way to implement it?

Please note that "nm" is my custom module that eventually does a 
pairreplace() of the "User-Password" attribute. It only returns 
RLM_MODULE_UPDATED or RLM_MODULE_NOOP.

Thanks.



authenticate {
	Auth-Type PAP {
		group {
			pap {
				notfound = return
				noop     = return
				ok       = return
				updated  = return
				fail     = return
				reject   = 1
				userlock = return
				invalid  = return
				handled  = return
			}
			nm {
				noop     = reject
				updated  = 1
			}
			pap {
				notfound = return
				noop     = return
				ok       = return
				updated  = return
				fail     = return
				reject   = return
				userlock = return
				invalid  = return
				handled  = return
			}
		}
	}
	Auth-Type CHAP {
		group {
			chap {
				notfound = return
				noop     = return
				ok       = return
				updated  = return
				fail     = return
				reject   = 1
				userlock = return
				invalid  = return
				handled  = return
			}
			nm {
				noop     = reject
				updated  = 1
			}
			chap {
				notfound = return
				noop     = return
				ok       = return
				updated  = return
				fail     = return
				reject   = return
				userlock = return
				invalid  = return
				handled  = return
			}
		}
	}
	Auth-Type MS-CHAP {
		group {
			mschap {
				notfound = return
				noop     = return
				ok       = return
				updated  = return
				fail     = return
				reject   = 1
				userlock = return
				invalid  = return
				handled  = return
			}
			nm {
				noop     = reject
				updated  = 1
			}
			mschap {
				notfound = return
				noop     = return
				ok       = return
				updated  = return
				fail     = return
				reject   = return
				userlock = return
				invalid  = return
				handled  = return
			}
		}
	}
}



-- 
___________________________________________________
     __
    |-                      giannici at neomedia.it
    |ederico Giannici      http://www.neomedia.it
___________________________________________________
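
A trace of the Auth-Type PAP chain from the message above through a simplified model of group{} evaluation, added here as an illustration; it is not part of the original message and is not FreeRADIUS code. The pap and nm functions, the request fields and the sample passwords are constructed stand-ins, and the priority rule (highest wins, later wins ties) is an assumption that the outcomes shown do not depend on.

```python
import hmac

RETURN, REJECT = "return", "reject"   # action keywords used in the config

def pap(req):
    # Stand-in for the pap module: compare supplied and reference passwords.
    same = hmac.compare_digest(req["supplied"].encode(), req["reference"].encode())
    return "ok" if same else "reject"

def nm(req):
    # Stand-in for the poster's module: swap in the alternate password, if any.
    if req.get("alternate") is None:
        return "noop"
    req["reference"], req["alternate"] = req["alternate"], None
    return "updated"

ALL_RETURN = dict.fromkeys(
    ["notfound", "noop", "ok", "updated", "fail", "reject",
     "userlock", "invalid", "handled"], RETURN)

# The Auth-Type PAP group from the message, as (module, {rcode: action}) pairs.
PAP_GROUP = [
    (pap, {**ALL_RETURN, "reject": 1}),
    (nm, {"noop": REJECT, "updated": 1}),
    (pap, ALL_RETURN),
]

def run_group(children, req):
    """Return (final rcode, trace) for one pass through the group."""
    result, priority, trace = "fail", 0, []
    for module, actions in children:
        rcode = module(req)
        action = actions[rcode]          # KeyError = rcode the config does not cover
        trace.append((module.__name__, rcode, action))
        if action == RETURN:             # stop, keep this module's rcode
            return rcode, trace
        if action == REJECT:             # stop, force reject
            return "reject", trace
        if action >= priority:           # numeric priority: remember and continue
            result, priority = rcode, action
    return result, trace

def authenticate(supplied, primary, alternate):
    req = {"supplied": supplied, "reference": primary, "alternate": alternate}
    return run_group(PAP_GROUP, req)

if __name__ == "__main__":
    for pw in ("first-pw", "second-pw", "wrong-pw"):   # constructed sample values
        print(pw, authenticate(pw, "first-pw", "second-pw"))
```

The trace shows that the second pap call is reached only after nm reports updated, and that a user with no alternate password is rejected at nm without a second comparison.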


