On Wed, 2004-01-07 at 15:54, Alan DeKok wrote:
> John Horne <[EMAIL PROTECTED]> wrote:
> > However, if I simply change the users file entry to:
> >
> >     fred Auth-Type := Local, User-Password != "anything"
> >
> > Specifying that the pwd should not be 'anything' then it doesn't work.
> > That is, I cannot authenticate. The radiusd output shows:
>
>   I don't see why you would expect that user to authenticate.
>
Because I am reading the '!=' as meaning that when a check of the stored
password and the user-supplied password is done then the user is 'valid' -
that is, authenticated - providing the password they entered did not match
the radiusd calculated/encrypted password derived from 'anything'. If that
is not so then what does the '!=', '!~', '=*' and so on mean?

>
>   OK, go to src/modules/rlm_mschap/rlm_mschap.c, look for:
>
>     vp = pairmake("Auth-Type", authtype_name, T_OP_SET);
>
>   change the T_OP_SET to T_OP_EQ, and re-compile & install the
> module. It should work then.
>
This seemed to make no difference. However I did notice, before and after
the change, that if the user file entry has something like:

    User-Password != "something"

Then if the user enters the password of 'something' they are authenticated.
To me this seems odd since what then is the difference between using '==' or
'!='? My reading of this, as stated above, is that if they enter 'something'
as the password they should not be authenticated, and if they enter anything
which does not match 'something' then they will.

> > Anyone got any suggestions about this. Relevant parts of the
> > radiusd.conf are below, but simply change the users file entry operator
> > from '==' to '!=' surely shouldn't cause a problem? All the encryption
> > stuff should work because instead of comparing the users file password
> > with the one the user enters when connecting should simply check for
> > equality or not. When '==' is used they should be equal, when '!=' is
> > used they should not be equal.
>
>   Due to the way passwords are checked, it doesn't quite work that
> way.
>
In which case I think I am somewhat lost! :-) Given that in our case
MS-CHAPv2 must be used, and hence some form of encryption is going on, do
the '!=', '!~' etc operators still apply? If so, then how are they applied?
As stated above using '==' or '!=' makes no difference, in both cases the
user is authenticated.

John.

--
---------------------------------------------------------------
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 233914
E-mail: [EMAIL PROTECTED]               Fax: +44 (0)1752 233839