Authentication with Juniper SA

Fajar A. Nugraha list at fajar.net
Sun Sep 16 10:35:27 CEST 2012


On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikydevel at yahoo.fr> wrote:

> So here's what the documentation says:
>
>  ==   "Attribute == Value": As a check item, it matches if the named attribute is present in the request, AND has the given value.
> =>>> In my case, I wanted to compare the password sent by the Juniper device to the entry in the radcheck table. If the login and password matches then the check is positive. So the documentation seems to say that it should work with "==" or I don't understand.

No, that's not how it works.

If you want to check for other attributes (e.g. bind a user to a
particular Calling-Station-Id), you can use "==". But not for
password. More details below.

>
> :=   "Attribute := Value": Always matches as a check item, and replaces in the configuration items any attribute of the same name.  If no attribute of that name appears in the request, then this attribute is added.

If you've read doc/rlm_sql, like I suggested, you would've seen
examples of what entry goes where. This is a start. Once that works,
you can read other docs to find out what they mean.

Regarding User-Password, it's somewhat special. Old versions of the FR
manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest
using "==". Don't use those, as they're outdated. A good explanation
of how it should be is included in the current version of FR. For
example, if you run "man 5 users" on an up-to-date installation, you'd
see this snippet:

"
EXAMPLES

bob     Cleartext-Password := "hello"

Requests containing the User-Name attribute, with value "bob", will be
authenticated using the "known good" password "hello".  There are no
reply items, so the reply will be empty.
"

"known good password' is a configuration item ("control item" is
probably a better term). It tells the server "this is what the correct
password for the user is".  You need to use ":=", because you're NOT
directly comparing it to User-Password in incoming request.

The password that the user sends might be in the form of a User-Password
attribute (in which case the content will be the same as the
Cleartext-Password that you store in the db), or it might come in a
different form (e.g. CHAP-Password). Since it might be different, you
can't compare it directly (thus, you can't use "=="). Instead, you
need to tell the server what the correct password is (with ":=" and
the attribute Cleartext-Password), and the server will then perform
the necessary processing, and then compare it to whatever attribute
the client sends.

Does that (simplified) explanation make sense?

-- 
Fajar
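As an added illustration (not part of the original thread), a small Python model of the point Fajar makes: a ":=" Cleartext-Password control item lets the server recompute the expected CHAP response from the known-good password, while an "==" check item on User-Password only matches when the request literally carries that attribute, so it fails for CHAP. The user table and request values are constructed, and RADIUS's shared-secret obfuscation of User-Password is left out of the model.

```python
import hashlib
import hmac
import os

# Constructed sample data, in the spirit of a radcheck row:
#   username='bob', attribute='Cleartext-Password', op=':=', value='hello'
CONTROL_ITEMS = {"bob": {"Cleartext-Password": "hello"}}


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def build_chap_request(user: str, password: str, chap_id: int = 1) -> dict:
    """Constructed client request in CHAP form.
    RFC 2865 packs CHAP-Password as one identifier byte + the 16-byte response."""
    challenge = os.urandom(16)
    resp = chap_response(chap_id, password.encode(), challenge)
    return {"User-Name": user, "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([chap_id]) + resp}


def matches_check_item(check: dict, request: dict) -> bool:
    """'Attribute == Value' semantics from the users(5) manpage:
    matches only if the attribute is present in the request AND equal."""
    return all(request.get(attr) == value for attr, value in check.items())


def authenticate(user: str, request: dict) -> bool:
    """Model of the ':=' Cleartext-Password control item: the server knows the
    correct password and derives the comparison from whatever form the client sent."""
    known_good = CONTROL_ITEMS.get(user, {}).get("Cleartext-Password")
    if known_good is None:
        return False
    if "User-Password" in request:
        # PAP: the request carries the cleartext, so a direct (constant-time) compare works.
        return hmac.compare_digest(request["User-Password"].encode(), known_good.encode())
    if "CHAP-Password" in request and "CHAP-Challenge" in request:
        # CHAP: the request never carries the password; recompute the expected digest.
        chap_id = request["CHAP-Password"][0]
        resp = request["CHAP-Password"][1:]
        expected = chap_response(chap_id, known_good.encode(), request["CHAP-Challenge"])
        return hmac.compare_digest(resp, expected)
    return False
```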

