> > But when I clear the users file and use sql I have a record in radcheck
> > table:
> >
> > id UserName Attribute op Value ...
> > (other fields)
> > 1 mylogin User-Password == mypassword ... (other
> > values)
>
> Please read the "rlm_sql" documentation. You are *comparing* the
> passwords via '=='. Since, as you said, the client is sending
> MS-CHAP, there will be no clear-text password in the request.

I have the "rlm_sql" documentation :-) But I think rlm_sql doesn't check the
password (!). Look at the sql queries (there are no password fields)...

radius_xlat: 'cserwis'
rlm_sql (sql): sql_set_user escaped user --> 'cserwis'
radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'cserwis' ORDER BY id'

I think this query builds something like an Access-Request... and adds to it
what is in the radcheck table. So I have an idea... I have modified the queries
in sql.conf:

# authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
#   FROM ${authcheck_table} \
#   WHERE Username = '%{SQL-User-Name}' \
#   ORDER BY id"
# authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
#   FROM ${authreply_table} \
#   WHERE Username = '%{SQL-User-Name}' \
#   ORDER BY id"

authorize_check_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authcheck_table} \
  WHERE id = 74 \
  ORDER BY id"
authorize_reply_query = "SELECT id, UserName, Attribute, Value, op \
  FROM ${authreply_table} \
  WHERE id = 74 \
  ORDER BY id"

Of course, in the future I will not use the id field but will add my own
username field to the radcheck table.

Now in 'Raconfig...' I can set Identity to 'Jan Kowalski' ;-) and login =
mylogin and password = mypassword and IT WORKS :-). Now I have what I want:
logins are not == Identity.

Is it a good solution?

I have freeradius 1.1.0, and the sql queries 'think' that Username is Identity,
but *I don't know how* it pushes Username as login to EAP-PEAP authorization
(sorry, isn't it a BUG ???). Can I overwrite it by another entry in the
radcheck table? Something like this:

id UserName Attribute op Value ... (other fields)
2 myidentity User-Name == mylogin ... (other values)

I think I cannot... there is no (?) operator to erase what was *I don't know
how* pushed to EAP-PEAP...

Norbert