User with password and user without password

Angelo Corsaro angelo.corsaro at
Mon Dec 6 19:01:53 CET 2021

Hi Alan,

Il 06/12/21 17:48, Alan DeKok ha scritto:
> On Dec 6, 2021, at 11:32 AM, Angelo Corsaro <angelo.corsaro at> wrote:
>> I need a basic input to (if possible) fix my problem:
>> now my radius is verifying only SIM (we're talking a private APN) with only Calling-Station-Id and I disabled the pap and chap as below
>    That disables it for *all* users.  Which is not what you want.
>    And there's no need to disable PAP.  If your'e authenticating via Calling-Station-Id, you can do something like:
> 	if (calling station ID is OK) {
> 		accept
> 	}
>    What goes in the "if" condition depends on how you've set up your system.  i.e. where are the "known good" Calling-Station-ID values stored?

In the radcheck table: the SIM belongs to an appliance without userid 
and password, the GGSN of MNO send to us a request for an IP to start 
the connection with our server.

>> but in a near future a different client will be authenticate with User-Name, Cleartext-Password and Calling-Station-Id (always coming from a private APN): how can I manage those different requests ?
>    Authenticate *how* with those attributes?  You need to answer that question in order to come up with the correct solution.
>    For example:
> 	If the user is in the SQL database, AND the calling-station-ID matches
>          THEN get the Cleratext-Password from the DB, and use PAP for authentication
>    What this does is force you to write down exactly what you want to do.  Once you've done that, writing "unlang" policies is simple.
>    And until you write down what you want, you'll just be changing random things in the configuration, hoping that it works.

I'll put all the info needed always in the radcheck table as I doing in 
a different radius server: calling-station-id, username and password.

>> I thought a simple "if"  into the file site-enabled/default in the authorize/preprocess section:
>>          if (ClearText-Password == "Void") {
>>                          update attribute {
>>                                  ClearText-Password := "--"
>>                          }
>>                  }
>    To do... what?  You're not saying.

to use a single authorization process: I can reintroduce the check of 
the password putting a fake password in the void field coming from the 
SIM with only the calling-station-id

>> and re-enabling the verify of the password in in authenticate section. But it seems too easy :)
> Q: Here's a sample configuration.  Will it do what I want?
> A: I don't know.  You haven't said what you want to do.
>    Alan DeKok.
> -
> List info/subscribe/unsubscribe? See


More information about the Freeradius-Users mailing list