NULL password

Dom Latter freeradius-users at
Tue Sep 4 14:10:37 CEST 2018

On 31/08/18 17:37, Alan DeKok wrote:
>> On Aug 31, 2018, at 12:12 PM, Dom Latter <freeradius-users at> wrote:
>> Forgive me if this seems too stupid to ask but I must be 100% sure of
>> this - if Cleartext-Password is set to NULL in radcheck then this
>> is equivalent to disabling the account?
>    It will let them log in using "NULL" as the password.

Really?  That's a database NULL not a string containing those four

The query returns a Cleartext-Password value of NULL.  Debug output 
subsequently returns:

(115) Tue Sep  4 12:54:21 2018: Debug: sql: User found in radcheck table
(115) Tue Sep  4 12:54:21 2018: Debug: sql: Conditional check items
  matched, merging assignment check items
(115) Tue Sep  4 12:54:21 2018: Debug: sql:   Cleartext-Password := ""

Is it possible to authenticate with an empty password string in any way?

MSCHAPv2 is the backend.

I have been trying to test this both with a real device and with tools,
and although it seems a blank password gets rejected I would like to

>    It's better to just remove the Cleartext-Password attribute from the database.

Not really an option.

We are using encrypted passwords [1] which are decrypted before being
passed to freeradius.  When new users are created they are sent a link
which enables them to set a new password.  Before this is used we'd like
to have a placeholder value something like "not set yet".  As this is
not decryptable the query returns a NULL value.

[1] So that it can be said that passwords are encrypted.

More information about the Freeradius-Users mailing list