----- Original Message -----
> From: Fajar A. Nugraha <l...@fajar.net>
> To: Mik J <mikyde...@yahoo.fr>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Cc:
> Sent: Sunday, 16 September 2012 10:35
> Subject: Re: Authentication with Juniper SA
>
> On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikyde...@yahoo.fr> wrote:
>
>> So here's what the documentation says:
>>
>> == "Attribute == Value": As a check item, it matches if the named attribute is present in the request, AND has the given value.
>>
>> In my case, I wanted to compare the password sent by the Juniper device to the entry in the radcheck table. If the login and password match then the check is positive. So the documentation seems to say that it should work with "==" or I don't understand.
>
> No, that's not how it works.
>
> If you want to check for other attributes (e.g. bind a user to a particular Calling-Station-Id), you can use "==". But not for password. More details below.
>
>> := "Attribute := Value": Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.
>
> If you've read doc/rlm_sql, like I suggested, you would've seen examples of what entry goes where. This is a start. Once that works, you can read other docs to find out what they mean.
>
> Regarding user-password, it's somewhat special. Old versions of the FR manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest using "==". Don't use those, as they're outdated. A good explanation on how it should be is included in the current version of FR. For example, if you run "man 5 users" on an up-to-date installation, you'd see this snippet:
>
> "
> EXAMPLES
>
>        bob     Cleartext-Password := "hello"
>
> Requests containing the User-Name attribute, with value "bob", will be authenticated using the "known good" password "hello". There are no reply items, so the reply will be empty.
> "
>
> "known good password" is a configuration item ("control item" is probably a better term). It tells the server "this is what the correct password for the user is". You need to use ":=", because you're NOT directly comparing it to User-Password in the incoming request.
>
> The password that the user sends might be in the form of a User-Password attribute (in which case the content will be the same as the cleartext-password that you store in the db), or it might come in a different form (e.g. Chap-Password). Since it might be different, you can't compare it directly (thus, you can't use "=="). Instead, you need to tell the server what the correct password is (with ":=" and the attribute Cleartext-Password), and the server will then perform the necessary processing, and then compare it to whatever attribute the client sends.
>
> Does that (simplified) explanation make sense?
Hello Fajar,

This is very clear now. My freeradius version is not so new (2.1.12).

Thank you very much for this explanation.

Have a nice weekend.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
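As an added illustration of the control-item versus check-item distinction explained in the quoted reply (example code written for this page, not FreeRADIUS's own code): a small model of how a server uses a stored `Cleartext-Password :=` to verify both PAP and CHAP requests, beside what a literal `User-Password == "hello"` check item actually tests. It assumes a constructed radcheck-style table, that `User-Password` has already been decrypted, and that the CHAP challenge arrives in a `CHAP-Challenge` attribute.

```python
import hashlib
import hmac

# Constructed radcheck-style table: "known good" passwords stored as
# Cleartext-Password := control items, NOT as User-Password == check items.
RADCHECK = {"bob": "hello"}


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def build_chap_request(user: str, password: str, ident: int, challenge: bytes) -> dict:
    """Constructed client request for CHAP: the password never appears in clear.
    CHAP-Password is the 1-byte identifier followed by the 16-byte response."""
    return {"User-Name": user,
            "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}


def authenticate(request: dict) -> bool:
    """Mimic what the server does with a Cleartext-Password := control item:
    derive what the client's credential *should* be, then compare that."""
    known_good = RADCHECK.get(request.get("User-Name"))
    if known_good is None:
        return False
    if "User-Password" in request:
        # PAP: the (decrypted) User-Password must equal the known-good password.
        return hmac.compare_digest(request["User-Password"].encode(), known_good.encode())
    if "CHAP-Password" in request and "CHAP-Challenge" in request:
        chap = request["CHAP-Password"]
        ident, response = chap[0], chap[1:]
        expected = chap_response(ident, known_good, request["CHAP-Challenge"])
        return hmac.compare_digest(expected, response)
    return False  # no usable credential attribute in the request


def naive_check_item(request: dict, stored: str) -> bool:
    """What a 'User-Password == "hello"' check item really does: it matches only
    if the request carries User-Password with exactly that value. A CHAP request
    has no User-Password attribute at all, so this can never match it."""
    return request.get("User-Password") == stored
```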