"Chris Knipe" <[EMAIL PROTECTED]> wrote: > I only realised after I posted. Basically, both of them are authorised if > they happen within a short period of time after each other...
Ok... > rlm_pap: login attempt by "user@realm" with password fl4shp1x13 > rlm_pap: Using password 6e8a104e79c05453663713d06b797611 for user user@realm > authentication. ... > rlm_pap: login attempt by "user@realm" with password fl4shp1x131 > rlm_pap: Using password for user user@realm authentication. And that's probably the cause of the problem. The passwords in the RADIUS requests are different (the second one has an additional '1'), but the second time, the *configured* password to check against is empty. It's a bug in rlm_pap, and I'll go fix it. My question then is where does the empty password come from? The PAP module is trying to compare the user-supplied password with an *empty*, but not non-existent password taken from some database, by another module. So the fix to rlm_pap is NOT sufficient here. We need to know which other module you're using to get the MD5 password, and why it returns an empty password. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
