Respond with access-accept when password incorrect
Alan DeKok
aland at deployingradius.com
Tue Feb 7 21:13:52 UTC 2023
On Feb 7, 2023, at 4:01 PM, Steven Walters <steven.walters1 at gmail.com> wrote:
>
> We have guest broadband user accounts. I would like RADIUS to respond with
> access-accept on PAP even if the password is incorrect. I will then write
> to the database to indicate the session has an incorrect password and allow
> the PPPoE to connect to the internet.
>
> This will allow the agent to access the CPE to update the password.
>
> What is the best way to achieve this, that is to respond with an
> authentication success even if the password is incorrect for a specific
> username?
You can just use the "accept" policy:
	authorize {
		...
		accept
	}
And it will accept the user.
If you're actually checking passwords, it will have to be a bit different:
	authenticate {
		...
		Auth-Type pap {
			pap {
				reject = 1
			}
			if (reject) {
				accept
			}
		}
	}
Though I would strongly recommend putting these users into a limited VLAN. They should have access to update the password, but shouldn't be allowed to connect to the internet.
Alan DeKok.
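
The limited-VLAN recommendation above, combined with the reject override, as an added example that is not part of the original post and assumes FreeRADIUS v3 unlang syntax. The VLAN ID "999" is a placeholder, the NAS is assumed to honour the standard tunnel attributes, and the `ok` keyword is used here in place of the reply's `accept` to set the section's return code.

```unlang
# Added example (FreeRADIUS v3 unlang); not from the original post.
authenticate {
	Auth-Type pap {
		# Give "reject" a low priority so a wrong password does not
		# end the section immediately.
		pap {
			reject = 1
		}
		if (reject) {
			# Wrong password: confine the session to a restricted VLAN
			# that can only reach the password-update service.
			# "999" is a placeholder VLAN ID (assumption); the NAS must
			# honour these tunnel attributes (assumption).
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "999"
			}
			# Override the reject so the server sends Access-Accept.
			ok
		}
	}
}
```

Sessions with a correct password skip the `if (reject)` block and receive no restricted-VLAN attributes from this section.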