On Sun, Sep 16, 2012 at 4:20 PM, Mik J <mikydevel@yahoo.fr> wrote:
The password that user sends might be in the form of User-Password attribute (in which case the content will be the same as cleartext-password that you store in the db), or they might come in different form (e.g. Chap-Password). Since it might be different, you can't compare it directly (thus, you can't use "=="). Instead, you need to tell the server what the correct password is (with ":=" and the attribute Cleartext-Password), and the server will then perform the necessary processing, and then compare it to whatever attribute the client sends.
Does that (simplified) explanation make sense?
Hello Fajar, This is very clear now. My freeradius version is not so new (2.1.12)
2.1.12 is actually new-enough, in that many distro still ships with it, and it also needs "Cleartext-Password :=" instead of "==". There's a know security issue with anything under 2.2.0 though, so if you're using anything older make sure the fix is backported (e.g. if you're using debian/ubuntu make sure you use 2.1.12+dfsg-1.1). Ask your distro support/forum/list for details. Also, just in case I wasn't clear, you can still use "==" in newer versions of FR (and you probably need to, for some situations). The exception is only for user password, where you should use "Cleartext-Password :=" instead of "User-Password ==". -- Fajar