Local User with multiple passwords (or RegEX passwords) possible?

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Jul 7 14:40:36 CEST 2011


You can't put unlang in the configuration block of the files module... Unlang can only exist in policy.conf and in virtual server files.

-Arran


On Jul 7, 2011, at 2:18 PM, Equin Nix wrote:

> Hi Phil,
> 
> thanks a lot for the fast answer! Unfortunately your radius-skills seem to be far far from mine, but I think I get the point.
> 
> I tried to add the following to sites-enabled/default (in the authorize section) (It's not a full copy of your text, I wanted to start step by step):
> 
> [...]
>         #
>         #  Read the 'users' file
>         files {
>                 # compare them
>                 if (User-Password != control:Cleartext-Password) {
>                         reject
>                 }
> 
> 
>                 # probably need to set Auth-Type := Accept here
>                 update control {
>                         Auth-Type := Accept
>                 }
>         }
> [...]
> 
> and freeradius won't start (even if I remove the update control section). This is the error:
> [...]
> /etc/freeradius/sites-enabled/default[154]: Subsection of module instance call not allowed
> /etc/freeradius/sites-enabled/default[62]: Errors parsing authorize section.
> 
> Any idea what might cause the trouble? Line 154 is the "if (User-Password...." line.
> 
> BTW: It is not possible with RegEx?
> 
> Best regards from Germany
> 
> 
> 
> 2011/7/7 Phil Mayers <p.mayers at imperial.ac.uk>
> On 07/07/11 09:51, Equin Nix wrote:
> Hi,
> 
> I am trying to set up something very basic (at least from my point of
> view): I would like to have a User with multiple passwords (two
> actually). How would I do this? I tried the following:
> 
> alice Auth-Type=Local, Cleartext-Password := "test1"
> alice Auth-Type=Local, Cleartext-Password := "test2"
> 
> Do not set Auth-Type. It's almost always wrong, and is certainly wrong in this case.
> 
> 
> It might be possible to have >1 password; but it will probably only work for PAP requests, unless you play carefully with module failover.
> 
> It also probably won't work in the "users" file; this is because the "User-Password" attribute is handled specially here, as a compatibility synonym for Cleartext-Password.
> 
> You could try something like this - define a second password attribute in raddb/dictionary:
> 
> 
> ATTRIBUTE       Cleartext-Password2     3002    string
> 
> ...then set both in the "users" file:
> 
> alice   Cleartext-Password := "foo", Cleartext-Password2 := "bar"
> 
> ...then use unlang to perform the comparisons in sites-enabled/default:
> 
> authorize {
> 
>  ...
>  # read the passwords from "files"
>  files
>  # compare them
>  if ((User-Password != control:Cleartext-Password) && \
>      (User-Password != control:Cleartext-Password2)) {
>    reject
>  }
> 
>  # probably need to set Auth-Type := Accept here
>  update control {
>    Auth-Type := Accept
>  }
> }
> 
> If you want to do this with requests that aren't PAP e.g. CHAP, MSCHAP/PEAP etc. then it will be much harder.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Arran Cudbard-Bell
a.cudbardb at freeradius.org

RADIUS - Half the complexity of Diameter
