freeradius-users at latter.org
Tue Sep 4 14:10:37 CEST 2018
On 31/08/18 17:37, Alan DeKok wrote:
>> On Aug 31, 2018, at 12:12 PM, Dom Latter <freeradius-users at latter.org> wrote:
>> Forgive me if this seems too stupid to ask but I must be 100% sure of
>> this - if Cleartext-Password is set to NULL in radcheck then this
>> is equivalent to disabling the account?
> It will let them log in using "NULL" as the password.
Really? That's a database NULL not a string containing those four
The query returns a Cleartext-Password value of NULL. Debug output
(115) Tue Sep 4 12:54:21 2018: Debug: sql: User found in radcheck table
(115) Tue Sep 4 12:54:21 2018: Debug: sql: Conditional check items
matched, merging assignment check items
(115) Tue Sep 4 12:54:21 2018: Debug: sql: Cleartext-Password := ""
Is it possible to authenticate with an empty password string in any way?
MSCHAPv2 is the backend.
I have been trying to test this both with a real device and with tools,
and although it seems a blank password gets rejected I would like to
> It's better to just remove the Cleartext-Password attribute from the database.
Not really an option.
We are using encrypted passwords  which are decrypted before being
passed to freeradius. When new users are created they are sent a link
which enables them to set a new password. Before this is used we'd like
to have a placeholder value something like "not set yet". As this is
not decryptable the query returns a NULL value.
 So that it can be said that passwords are encrypted.
More information about the Freeradius-Users