On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikyde...@yahoo.fr> wrote:

> So here's what the documentation says:
>
>  ==   "Attribute == Value": As a check item, it matches if the named 
> attribute is present in the request, AND has the given value.
> =>>> In my case, I wanted to compare the password sent by the Juniper device 
> to the entry in the radcheck table. If the login and password matches then 
> the check is positive. So the documentation seems to say that it should work 
> with "==" or I don't understand.

No, that's not how it works.

If you want to check for other attributes (e.g. bind a user to a
particular Calling-Station-Id), you can use "==". But not for
password. More details below.

>
> :=     "Attribute := Value": Always matches as a check item, and replaces in
> the configuration items any attribute of the same name.  If no
> attribute of that name appears in the request, then this attribute is added.

If you'd read doc/rlm_sql, as I suggested, you would've seen
examples of what entry goes where. This is a start. Once that works,
you can read other docs to find out what they mean.

Regarding User-Password, it's somewhat special. Old versions of the FR
manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest
using "==". Don't use those, as they're outdated. A good explanation
of how it should be is included in the current version of FR. For
example, if you run "man 5 users" on an up-to-date installation, you'd
see this snippet:

"
EXAMPLES

bob     Cleartext-Password := "hello"

Requests containing the User-Name attribute, with value "bob", will be
authenticated using the "known good" password "hello".  There are no
reply items, so the reply will be empty.
"

"known good" password is a configuration item ("control item" is
probably a better term). It tells the server "this is what the correct
password for the user is".  You need to use ":=", because you're NOT
directly comparing it to User-Password in the incoming request.

The password that user sends might be in the form of User-Password
attribute (in which case the content will be the same as
cleartext-password that you store in the db), or they might come in
different form (e.g. Chap-Password). Since it might be different, you
can't compare it directly (thus, you can't use "=="). Instead, you
need to tell the server what the correct password is (with ":=" and
the attribute Cleartext-Password), and the server will then perform
the necessary processing, and then compare it to whatever attribute
the client sends.

Does that (simplified) explanation make sense?

-- 
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
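The distinction Fajar draws above can be shown in code. The following is an added example, not code from the post or from FreeRADIUS: a small Python model of how rlm_sql-style check items are evaluated. The radcheck rows, the MAC address and the CHAP challenge are constructed sample data. ":=" sets a control item (Cleartext-Password) without looking at the request, "==" must find the attribute in the request with an equal value, and authentication then compares the known-good password either directly (PAP, User-Password) or via the MD5 derivation the client used (CHAP, per RFC 2865 section 5.3). The naive "==" on User-Password is included to show why it fails for a CHAP request even when the password is correct.

```python
import hashlib
import hmac

# Constructed radcheck rows (username, attribute, op, value), laid out the
# way rlm_sql reads them.  Values are sample data, not from the original post.
RADCHECK_ROWS = [
    ("bob", "Cleartext-Password", ":=", "hello"),
    ("bob", "Calling-Station-Id", "==", "00-11-22-33-44-55"),
]


def load_check_items(username, rows=RADCHECK_ROWS):
    """Return the (attribute, op, value) check items stored for a user."""
    return [(attr, op, value) for user, attr, op, value in rows if user == username]


def apply_check_items(request, check_items):
    """Evaluate check items; return the control dict, or None on a failed '=='."""
    control = {}
    for attr, op, value in check_items:
        if op == ":=":
            # Always matches: it tells the server what the correct value is.
            control[attr] = value
        elif op == "==":
            # Matches only if the request carries the attribute with this value.
            if request.get(attr) != value:
                return None
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return control


def chap_response(ident, password, challenge):
    """CHAP-Password as the client computes it: ident || MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def authenticate(request, control):
    """Compare the known-good password to whatever form the client sent."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return False
    if "User-Password" in request:
        # PAP: the client sent the cleartext, so a direct comparison works.
        return hmac.compare_digest(request["User-Password"].encode(), known_good.encode())
    if "CHAP-Password" in request:
        # CHAP: recompute the expected response from the known-good password.
        chap = request["CHAP-Password"]
        challenge = request.get("CHAP-Challenge", request.get("Request-Authenticator", b""))
        expected = chap_response(chap[0], known_good, challenge)
        return hmac.compare_digest(expected, chap)
    return False


def naive_user_password_check(request, stored):
    """What a 'User-Password == value' row would do: compare the raw attribute."""
    return request.get("User-Password") == stored


def process(request):
    """Run check items, then authentication; return the RADIUS response code."""
    control = apply_check_items(request, load_check_items(request["User-Name"]))
    if control is None:
        return "Access-Reject"
    return "Access-Accept" if authenticate(request, control) else "Access-Reject"


# Constructed sample requests: one PAP, one CHAP, both with the correct password.
SAMPLE_CHALLENGE = bytes(range(16))
PAP_REQUEST = {"User-Name": "bob", "User-Password": "hello",
               "Calling-Station-Id": "00-11-22-33-44-55"}
CHAP_REQUEST = {"User-Name": "bob", "Calling-Station-Id": "00-11-22-33-44-55",
                "CHAP-Challenge": SAMPLE_CHALLENGE,
                "CHAP-Password": chap_response(7, "hello", SAMPLE_CHALLENGE)}

if __name__ == "__main__":
    print("PAP :", process(PAP_REQUEST))
    print("CHAP:", process(CHAP_REQUEST))
    print("naive == on CHAP request:", naive_user_password_check(CHAP_REQUEST, "hello"))
```

Running it shows both requests accepted through the ":=" control item, while the naive "==" comparison returns False for the CHAP request because no User-Password attribute exists to compare against; a wrong Calling-Station-Id or wrong password yields Access-Reject.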
