On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikydevel@yahoo.fr> wrote:
So here's what the documentation says:
== "Attribute == Value": As a check item, it matches if the named attribute is present in the request, AND has the given value. =>>> In my case, I wanted to compare the password sent by the Juniper device to the entry in the radcheck table. If the login and password matches then the check is positive. So the documentation seems to say that it should work with "==" or I don't understand.
No, that's not how it works. If you want to check for other attributes (e.g. bind a user to a particular Calling-Station-Id), you can use "==". But not for password. More details below.
:= "Attribute := Value": Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added.
If you've read doc/rlm_sql, like I suggested, you would've seen examples of what entry goes where. This is a start. Once that works, you can read other docs to find out what they mean. Regarding user-password, it's somewhat special. Old version of FR manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest using "==". Don't use those, as they're outdated. A good explanation on how it should be is included in the current version of FR. For example, if you run "man 5 users" on up-to-date installation, you'd see this snippet: " EXAMPLES bob Cleartext-Password := "hello" Requests containing the User-Name attribute, with value "bob", will be authenticated using the "known good" password "hello". There are no reply items, so the reply will be empty. " "known good password' is a configuration item ("control item" is probably a better term). It tells the server "this is what the correct password for the user is". You need to use ":=", because you're NOT directly comparing it to User-Password in incoming request. The password that user sends might be in the form of User-Password attribute (in which case the content will be the same as cleartext-password that you store in the db), or they might come in different form (e.g. Chap-Password). Since it might be different, you can't compare it directly (thus, you can't use "=="). Instead, you need to tell the server what the correct password is (with ":=" and the attribute Cleartext-Password), and the server will then perform the necessary processing, and then compare it to whatever attribute the client sends. Does that (simplified) explanation make sense? -- Fajar