Multiple Password Auth

[Alan DeKok]

On Jun 18, 2020, at 3:45 PM, Miguel Barrera <miguel.barrera at datawifi.co> wrote:
> 
> We have a captive portal integrated with freeradius for auth and
> accounting, and I have a question, how can I handle multiple password (PAP
> ClearText Password) with a single User?, for auth, we use the sql module so
> the passwords are stored on a mysql database.
> 
> There are some scenarios where we need to store two or three password for
> the same user, here is the log for one of these password and the radcheck
> table registers of this user.

  Do you mean that the one user has multiple passwords, and can log in with any of them?

  If so, it's possible.  But the default SQL queries aren't really set up to do that.

> Ready to process requests
> (8) Received Access-Request Id 4 from 186.154.58.197:41224 to 172.31.51.38:1812 length 345
> (8)   User-Name = "a450460f6823"
> (8)   User-Password = "a450460f6823"

  You're better off checking for that case specially, and allowing it.  And, only putting in the *other* password into SQL

  i.e.

authorize {
	...
	sql

	# user was found in SQL, but we don't use that password
	if (found && (&User-Name == &User-Password)) {
		accept
	}
	else {
		pap # check Cleartext-Password from SQL
	}
	...

  Alan DeKok.