Network authentication and password policy

Gary Gatten Ggatten at
Wed Mar 23 20:58:15 CET 2011

Will you be using some backend database; LDAP, AD, eDirectory, etc.?

"Typically" RADIUS either permits or denies based on a query reply it receives from the backend system.  I don't *think* you would be allowed to change your password via RADIUS (it typically only has RO access to the DB, and I'm not even sure the RADIUS protocol supports it), but I *believe* it will pass attributes to your client that will indicate if the password is expired or not.

And yes, typical password policy requires a change every n days; sometimes as often as 30 days, sometimes every 180+.


-----Original Message-----
From: at [ at] On Behalf Of Jeffrey Belles
Sent: Wednesday, March 23, 2011 2:37 PM
To: freeradius-users at
Subject: Network authentication and password policy

I am new to this list and planning to deploy a radius-server. 
Sole purpose will be to authenticate against network equipment. Mainly Juniper and Cisco and SonicWall.

I am looking for best practice solutions for password policy. Is there any way to force network engineers to change their passwords after either first login or expiry date? 
Having everybody manually submit passwords on the server and/or having them change it every x weeks seems a bad plan. 

Anyone any ideas?
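
The policy discussed in this thread, sketched as an added example (not code from either poster or from FreeRADIUS): the backend makes the permit/deny decision and RADIUS relays it as Access-Accept or Access-Reject, with the expiry state carried in a Reply-Message. The `Account` record, the 90-day limit and the choice to reject until the password is changed out of band are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE = timedelta(days=90)  # assumed policy value ("every n days")

@dataclass
class Account:                  # hypothetical backend record, not a real schema
    username: str
    password_ok: bool           # outcome of the backend's own credential check
    last_changed: datetime      # when the password was last set
    must_change: bool = False   # set on new accounts to force a first-login change

def decide(acct, now, max_age=MAX_PASSWORD_AGE):
    """Return (RADIUS reply packet, Reply-Message text) for one login attempt."""
    # Check credentials first so expiry state is never disclosed to someone
    # who does not already know the password.
    if not acct.password_ok:
        return "Access-Reject", "Authentication failed"
    if acct.must_change:
        return "Access-Reject", "Initial password must be changed before first login"
    age = now - acct.last_changed
    if age >= max_age:
        return "Access-Reject", f"Password expired {(age - max_age).days} day(s) ago"
    return "Access-Accept", f"Password expires in {(max_age - age).days} day(s)"

# Constructed sample data, evaluated at a fixed point in time.
NOW = datetime(2011, 3, 23, tzinfo=timezone.utc)
SAMPLE = [
    Account("alice", True, NOW - timedelta(days=10)),
    Account("bob", True, NOW - timedelta(days=120)),
    Account("carol", True, NOW - timedelta(days=1), must_change=True),
    Account("dave", False, NOW - timedelta(days=200)),
]

def evaluate(accounts, now=NOW):
    """Map each username to the decision the NAS would receive."""
    return {a.username: decide(a, now) for a in accounts}

if __name__ == "__main__":
    for user, (code, message) in evaluate(SAMPLE).items():
        print(f"{user:6} {code:14} {message}")
```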

