Local User with multiple passwords (or RegEX passwords) possible?
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 7 12:34:09 CEST 2011
On 07/07/11 09:51, Equin Nix wrote:
> Hi,
>
> I am trying to set up something very basic (at least from my point of
> view): I would like to have a User with multiple passwords (two
> actually). How would I do this? I tried the following:
>
> alice Auth-Type=Local, Cleartext-Password := "test1"
> alice Auth-Type=Local, Cleartext-Password := "test2"

Do not set Auth-Type. It's almost always wrong, and is certainly wrong
in this case.

It might be possible to have >1 password; but it will probably only work
for PAP requests, unless you play carefully with module failover.

It also probably won't work in the "users" file; this is because the
"User-Password" attribute is handled specially here, as a compatibility
synonym for Cleartext-Password.

You could try something like this - define a second password attribute
in raddb/dictionary:

    ATTRIBUTE Cleartext-Password2 3002 string

...then set both in the "users" file:

    alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"

...then use unlang to perform the comparisons in sites-enabled/default:

    authorize {
        ...
        # read the passwords from "files"
        files

        # compare them
        if ((User-Password != control:Cleartext-Password) && \
            (User-Password != control:Cleartext-Password2)) {
            reject
        }

        # probably need to set Auth-Type := Accept here
        update control {
            Auth-Type := Accept
        }
    }

If you want to do this with requests that aren't PAP e.g. CHAP,
MSCHAP/PEAP etc. then it will be much harder.
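
Why the PAP case is the easy one, as an added example that is not part of the original message or of FreeRADIUS: with PAP the server recovers the submitted password (RFC 2865 section 5.2) and can compare it against either stored value, whereas CHAP (RFC 1994) only delivers an MD5 over the identifier, password and challenge, so the server has to recompute that hash once per candidate password. The function names are hypothetical, and the shared secret, authenticator and challenge used with them are constructed values.

```python
import hashlib
import hmac


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a password the way a NAS does for the User-Password attribute."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def pap_check(hidden, secret, authenticator, candidates) -> bool:
    """Accept if the recovered password equals any stored candidate."""
    supplied = pap_decode(hidden, secret, authenticator)
    ok = False
    for stored in candidates:  # no early exit, constant-time compare
        ok |= hmac.compare_digest(supplied, stored)
    return ok


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """What a CHAP peer sends: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_check(chap_id, response, challenge, candidates) -> bool:
    """No password arrives, so recompute the response for each candidate."""
    ok = False
    for stored in candidates:
        expected = chap_response(chap_id, stored, challenge)
        ok |= hmac.compare_digest(expected, response)
    return ok
```
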