Authentication with Juniper SA
mikydevel at yahoo.fr
Sun Sep 16 11:20:10 CEST 2012
----- Mail original -----
> De : Fajar A. Nugraha <list at fajar.net>
> À : Mik J <mikydevel at yahoo.fr>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Cc :
> Envoyé le : Dimanche 16 septembre 2012 10h35
> Objet : Re: Authentication with Juniper SA
> On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikydevel at yahoo.fr> wrote:
>> So here's what the documentation says:
>> == "Attribute == Value": As a check item, it matches if the
> named attribute is present in the request, AND has the given value.
>> =>>> In my case, I wanted to compare the password sent by the
> Juniper device to the entry in the radcheck table. If the login and password
> matches then the check is positive. So the documentation seems to say that it
> should work with "==" or I don't understand.
> No, that's not how it works.
> If you want to check for other attributes (e.g. bind a user to a
> particular Calling-Station-Id), you can use "==". But not for
> password. More details below.
>> := "Attribute := Value": Always matches as a check item, and
> replaces in the configuration items any attribute of the same name. If no
> attribute of that name appears in the request, then this attribute is added.
> If you've read doc/rlm_sql, like I suggested, you would've seen
> examples of what entry goes where. This is a start. Once that works,
> you can read other docs to find out what they mean.
> Regarding user-password, it's somewhat special. Old version of FR
> manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest
> using "==". Don't use those, as they're outdated. A good
> on how it should be is included in the current version of FR. For
> example, if you run "man 5 users" on up-to-date installation,
> see this snippet:
> bob Cleartext-Password := "hello"
> Requests containing the User-Name attribute, with value "bob", will be
> authenticated using the "known good" password "hello".
> There are no
> reply items, so the reply will be empty.
> "known good password' is a configuration item ("control item"
> probably a better term). It tells the server "this is what the correct
> password for the user is". You need to use ":=", because
> you're NOT
> directly comparing it to User-Password in incoming request.
> The password that user sends might be in the form of User-Password
> attribute (in which case the content will be the same as
> cleartext-password that you store in the db), or they might come in
> different form (e.g. Chap-Password). Since it might be different, you
> can't compare it directly (thus, you can't use "=="). Instead,
> need to tell the server what the correct password is (with ":=" and
> the attribute Cleartext-Password), and the server will then perform
> the necessary processing, and then compare it to whatever attribute
> the client sends.
> Does that (simplified) explanation make sense?
This is very clear now. My freeradius version is not so new (2.1.12)
Thank you very much for this explanation.
Have a nice week end
More information about the Freeradius-Users