diff --git a/src/ap/ieee802_11_auth.c b/src/ap/ieee802_11_auth.c
index 63ae3452a..12b65b593 100644
--- a/src/ap/ieee802_11_auth.c
+++ b/src/ap/ieee802_11_auth.c
@@ -482,7 +482,7 @@ hostapd_acl_recv_radius(struct radius_msg *msg, struct radius_msg *req,
 msg, &passphraselen,
 hapd->conf->radius->auth_server->shared_secret,
 hapd->conf->radius->auth_server->shared_secret_len,
- req);
+ req, 0);
 cache->has_psk = passphrase != NULL;
 if (passphrase != NULL) {
 /* passphrase does not contain the NULL termination.
diff --git a/src/radius/radius.c b/src/radius/radius.c
index d5edfd8c1..d1feec968 100644
--- a/src/radius/radius.c
+++ b/src/radius/radius.c
@@ -1406,11 +1406,12 @@ int radius_msg_get_vlanid(struct radius_msg *msg)
 * @secret: RADIUS shared secret
 * @secret_len: Length of secret
 * @sent_msg: Sent RADIUS message
- * Returns: pointer to password (free with os_free) or %NULL
+ * @n: Number of password attribute to return (starting with 0)
+ * Returns: Pointer to n-th password (free with os_free) or %NULL
 */
 char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
 const u8 *secret, size_t secret_len,
- struct radius_msg *sent_msg)
+ struct radius_msg *sent_msg, size_t n)
 {
 u8 *buf = NULL;
 size_t buflen;
@@ -1420,7 +1421,7 @@ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
 size_t len[3];
 u8 hash[16];
 u8 *pos;
- size_t i;
+ size_t i, j = 0;
 struct radius_attr_hdr *attr;
 const u8 *data;
 size_t dlen;
@@ -1428,7 +1429,7 @@ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
 size_t fdlen = -1;
 char *ret = NULL;
 
- /* find attribute with lowest tag and check it */
+ /* find n-th valid Tunnel-Password attribute */
 for (i = 0; i < msg->attr_used; i++) {
 attr = radius_get_attr_hdr(msg, i);
 if (attr == NULL ||
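Review bot: The ACL call site in src/ap/ieee802_11_auth.c now passes `0`, and after this commit that selects the first length-valid Tunnel-Password in message order, not the one with the lowest tag byte that the removed `fdata[0] <= data[0]` comparison in radius.c used to keep. When a server returns several Tunnel-Password attributes whose tags are not in ascending order, the PSK cached for the station therefore changes without any visible sign at this call. A comment at the call such as `/* n = 0: first Tunnel-Password in message order; tags are not compared */` would record that. hostapd_acl_recv_radius() starts and ends outside the hunk.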
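Review bot: The updated kernel-doc for radius_msg_get_tunnel_password() in src/radius/radius.c does not say how attributes are counted or what %NULL means for an indexed lookup. "Number of password attribute" reads like a count; it is a zero-based index over the attributes that pass the type and length checks, in message order. I would write `* @n: Zero-based index of the Tunnel-Password attribute to return, counted in message order (tags are ignored)` and extend the return line to `* Returns: Pointer to n-th password (free with os_free) or %NULL if there is no n-th attribute or it could not be decoded`. The second half of that return text assumes the decode path outside this hunk also ends in %NULL, so confirm before adopting it.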
@@ -1441,11 +1442,13 @@ char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
 dlen = attr->length - sizeof(*attr);
 if (dlen <= 3 || dlen % 16 != 3)
 continue;
- if (fdata != NULL && fdata[0] <= data[0])
+ j++;
+ if (j <= n)
 continue;
 
 fdata = data;
 fdlen = dlen;
+ break;
 }
 if (fdata == NULL)
 goto out;
diff --git a/src/radius/radius.h b/src/radius/radius.h
index 727640b2f..2031054b1 100644
--- a/src/radius/radius.h
+++ b/src/radius/radius.h
@@ -242,7 +242,7 @@ int radius_msg_get_attr(struct radius_msg *msg, u8 type, u8 *buf, size_t len);
 int radius_msg_get_vlanid(struct radius_msg *msg);
 char * radius_msg_get_tunnel_password(struct radius_msg *msg, int *keylen,
 const u8 *secret, size_t secret_len,
- struct radius_msg *sent_msg);
+ struct radius_msg *sent_msg, size_t n);
 
 static inline int radius_msg_add_attr_int32(struct radius_msg *msg, u8 type,
 u32 value)
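Review bot: In the selection loop of radius_msg_get_tunnel_password(), `j` advances for every attribute that passes only the type and length checks (`dlen <= 3 || dlen % 16 != 3`), so an attribute that later fails decoding still occupies an index. The decode path after `goto out` is outside this hunk, but if it returns NULL for a malformed n-th attribute, a caller that walks n upward until NULL stops early and never sees the valid passwords behind it. Such a caller also cannot tell that case from "no more attributes", so distinguishing the two results, or documenting the limitation, would make iteration safe. As a smaller point, the counter reads more directly as `if (j++ < n) continue;`, which is equivalent to the added `j++; if (j <= n) continue;`.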