Active Directory and Calling-Station-Id

Brian Candler b.candler at pobox.com
Thu Feb 23 09:51:00 CET 2017


On 22/02/2017 18:20, Ethariel wrote:
> I indeed think I don't really get the difference between := and ==.
> I've read several examples and doc but not so sure.

:= is an assignment operator (*set* an attribute). Other ones include
"=", "+=".

== is a test operator (*compare* an attribute). Other ones include "!=",
"=*".

They can be mixed on the same line.  If all the tests pass, then all the 
assignments are done (*), including assignments to the reply list.

So given an entry like this:

foo Attr1 == "val1", Attr2 == "val2", Attr3 := "val3", Attr4 := "val4"
     Attr5 := "val5"
     Attr6 := "val6"

the logic is essentially this:

if (&request:User-Name == "foo" && &request:Attr1 == "val1" && &request:Attr2 == "val2") {
   update control {
     &Attr3 := "val3"
     &Attr4 := "val4"
   }
   update reply {
     &Attr5 := "val5"
     &Attr6 := "val6"
   }
}

Now, a basic local password entry looks like this:

customer1  Cleartext-Password := "xyzzy"

What you need to realise is, this is *not* comparing the password.  This 
says "if the username is customer1, then *set* the Cleartext-Password 
attribute on the control list to be "xyzzy", and continue".

Later, when the radius server gets to the authenticate {} section of the 
config, the authentication module will check that the credentials 
supplied by the user (in the incoming RADIUS request) are consistent 
with the Cleartext-Password that has been put on the control list.  In 
the case of PAP this just means checking that the supplied password and 
the Cleartext-Password are the same; but other authentication methods 
like CHAP work differently.

The same applies if you write:

customer1  Cleartext-Password = "xyzzy"

It's still an assignment, not a check.  The difference between the ":=" 
and "=" assignment operators is that ":=" will replace any existing 
value of the given attribute, while "=" will only set the attribute if 
it doesn't already exist.

Documentation:
http://freeradius.org/radiusd/man/users.html
http://freeradius.org/radiusd/man/rlm_files.html

Regards,

Brian.

(*) I'm not entirely sure what happens if you mix check and control 
update items on the first line.  Safest to put all the check items 
first, and the update items afterwards.
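
Added example (not part of the original post and not FreeRADIUS code): a simplified Python model of the evaluation described above, showing that test items gate the entry, that ":=" and "=" only write to the control list, and that the password comparison happens later. The function names and the dict-of-lists representation are assumptions made for illustration.

```python
# Simplified model of how one users-file entry is evaluated, as described above.
# Illustration only: not FreeRADIUS code. Function names are hypothetical.
import hmac
import re

ITEM = re.compile(r'([\w-]+)\s*(==|!=|:=|\+=|=)\s*"([^"]*)"')
TESTS = {"==", "!="}

def parse_items(text):
    """Split 'Attr op "value", ...' into (attr, op, value) tuples."""
    return ITEM.findall(text)

def assign(lst, attr, op, value):
    """Apply one assignment operator to an attribute list (dict of lists)."""
    if op == ":=":                      # replace any existing value
        lst[attr] = [value]
    elif op == "=":                     # set only if not already present
        lst.setdefault(attr, [value])
    elif op == "+=":                    # append another value
        lst.setdefault(attr, []).append(value)

def apply_entry(name, check_line, reply_lines, request, control, reply):
    """Return True if the entry matched; on match, update control and reply."""
    if request.get("User-Name") != name:
        return False
    items = parse_items(check_line)
    for attr, op, value in items:       # every test must pass first
        if op in TESTS and (request.get(attr) == value) != (op == "=="):
            return False
    for attr, op, value in items:       # then first-line assignments go to control
        if op not in TESTS:
            assign(control, attr, op, value)
    for line in reply_lines:            # indented lines go to the reply list
        for attr, op, value in parse_items(line):
            assign(reply, attr, op, value)
    return True

def pap_ok(request, control):
    """Later, at authentication: compare the supplied password with control."""
    known = control.get("Cleartext-Password")
    if not known:
        return False
    supplied = request.get("User-Password", "")
    return hmac.compare_digest(supplied.encode(), known[0].encode())
```

Note that apply_entry() returns True for customer1 even when the supplied User-Password is wrong; only pap_ok() rejects it.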

