Local User with multiple passwords (or RegEX passwords) possible?
Equin Nix
equin.nix at googlemail.com
Thu Jul 7 14:18:12 CEST 2011
Hi Phil,
thanks a lot for the fast answer! Unfortunately your radius-skills seem to
be far far from mine, but I think I get the point.
I tried to add the following to *sites-enabled/default* (in the authorize
section) (It's not a full copy of your text, I wanted to start step by step):
[...]
#
# Read the 'users' file
files {
# compare them
if (User-Password != control:Cleartext-Password) {
reject
}
# probably need to set Auth-Type := Accept here
update control {
Auth-Type := Accept
}
}
[...]
and freeradius won't start (even if I remove the update control section).
This is the error:
[...]
/etc/freeradius/sites-enabled/default[154]: Subsection of module instance
call not allowed
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
Any idea what might cause the trouble? Line 154 is the "if
(User-Password...." line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers <p.mayers at imperial.ac.uk>
> On 07/07/11 09:51, Equin Nix wrote:
>
>> Hi,
>>
>> I am trying to set up something very basic (at least from my point of
>> view): I would like to have a User with multiple passwords (two
>> actually). How would I do this? I tried the following:
>>
>> alice Auth-Type=Local, Cleartext-Password := "test1"
>> alice Auth-Type=Local, Cleartext-Password := "test2"
>>
>
> Do not set Auth-Type. It's almost always wrong, and is certainly wrong in
> this case.
>
>
> It might be possible to have >1 password; but it will probably only work
> for PAP requests, unless you play carefully with module failover.
>
> It also probably won't work in the "users" file; this is because the
> "User-Password" attribute is handled specially here, as a compatibility
> synonym for Cleartext-Password.
>
> You could try something like this - define a second password attribute in
> raddb/dictionary:
>
>
> ATTRIBUTE Cleartext-Password2 3002 string
>
> ...then set both in the "users" file:
>
> alice Cleartext-Password := "foo", Cleartext-Password2 := "bar"
>
> ...then use unlang to perform the comparisons in sites-enabled/default:
>
> authorize {
>
> ...
> # read the passwords from "files"
> files
> # compare them
> if ((User-Password != control:Cleartext-Password) && \
> (User-Password != control:Cleartext-Password2)) {
> reject
> }
>
> # probably need to set Auth-Type := Accept here
> update control {
> Auth-Type := Accept
> }
> }
>
> If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP
> etc. then it will be much harder.
>
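
The layout described in the quoted reply, written out in full as an added example that is not part of the original thread: `files` is called by name with no braces, and the comparison follows it as a separate statement. The existence guard and the expanded-string form of the right-hand sides are choices made for this example, and the password values are constructed samples.

```unlang
# raddb/dictionary
# Second password attribute, as defined in the quoted reply.
ATTRIBUTE	Cleartext-Password2	3002	string

# raddb/users
# Both passwords on one entry (constructed sample values).
alice	Cleartext-Password := "foo", Cleartext-Password2 := "bar"

# raddb/sites-enabled/default
authorize {
	# Call the module by name only. Braces directly after a module
	# name are parsed as part of that module call, which is what the
	# "Subsection of module instance call not allowed" error on the
	# "if" line refers to.
	files

	# Guard (added for this example): reject anything that is not a
	# PAP request for a user with both passwords defined, so such a
	# request can never reach Auth-Type := Accept below.
	if (!User-Password || !control:Cleartext-Password || !control:Cleartext-Password2) {
		reject
	}

	# Reject only when the supplied password matches neither value.
	if ((User-Password != "%{control:Cleartext-Password}") && (User-Password != "%{control:Cleartext-Password2}")) {
		reject
	}

	# One of the two passwords matched.
	update control {
		Auth-Type := Accept
	}
}
```

Running the server in debug mode (`freeradius -X`, or `radiusd -X` depending on the package) shows whether the section parses and which branch each request takes.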