Overriding a Crypt-Password with a Cleartext-Password in FR 3.x

Alan DeKok aland at deployingradius.com
Tue Jun 6 15:31:48 CEST 2017

On Jun 6, 2017, at 9:12 AM, Bjørn Mork <bjorn at mork.no> wrote:
> I recently upgraded from FR 2.2.5 to FR 3.0.12 as part of an upgrade
> from Debian jessie to stretch.  The config had to be migrated manually,
> which went mostly without problems.

  That's good.

> I use the unix module to load crypt passwords for a few system
> users. But there are also some unix users without any Unix password,
> which should exist as RADIUS users. "no Unix password" means that the
> users have a /etc/shadow entry which cannot be matched. So I need to
> ignore the Crypt-Password attribute for these users.

  i.e. they have a password, but it's wrong?

> In FR 2.x I explicitly set the Auth-Type to foribly ignore the invalid
> Crypt-Password, like this:
> luser  Cleartext-Password := "foo", Auth-Type := Local
> But FR 3.x refused to accept Auth-Type "Local". So I tried to modify the
> entry to
> luser  Cleartext-Password := "foo"
> in the hope that the pap module would be smart enough to figure out that
> the Cleartext-Password should override the invalid Crypt-Password.  It
> was not.
> Being unable to figure out the smart way, I just took the simple route
> out by doing
> luser  User-Password == "foo", Auth-Type := Accept

  Don't do that...

> so I'd really like to figure out a better way.  Is there a smart way to
> override a Crypt-Password per user in FR 3.x?  I guess I could generate
> crypted passwords from the cleartext passwords and simply override
> Crypt-Password in the users file.  But that does not seem much nicer
> than the current User-Password match to me.  What I really want is to be
> able to say "use this Cleartext-Password no matter what".

  You can use "unlang" to check and edit the request:

authorize {

	if (Crypt-Password && Cleartext-Password) {
		update request {
			Crypt-Password !* ANY

  Which should delete the Crypt-Password.  See "man unlang" for more details.

  Alan DeKok.

More information about the Freeradius-Users mailing list