Ah, that makes sense! I'm asking because I was sat staring at this for a bit before figuring it out. I did read through the Operators bit on the website, I guess I failed pretty hard at getting the wider picture logic though. At the time I was trying to match a plaintext password in the request to a plaintext password in the DB, which I thought would work with '=='. We don't use these accounts for anything other than matching DSL users to routes (not integrated with other backends) so the password is more for misconfiguration prevention than anything security related. Received Access-Request Id 170 from 127.0.0.1:39871 to 127.0.0.1:1812 length 79 User-Name = 'cocotest4' User-Password = 'Password01' NAS-IP-Address = 10.9.4.53 NAS-Port = 1812 Message-Authenticator = 0x6d25a89d069f56a85c48af5b3559227d ... (0) mancmsmrad01mc1 : EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) mancmsmrad01mc1 : --> cocotest4 (0) mancmsmrad01mc1 : SQL-User-Name set to 'cocotest4' rlm_sql (mancmsmrad01mc1): Reserved connection (4) (0) mancmsmrad01mc1 : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) mancmsmrad01mc1 : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'cocotest4' ORDER BY id rlm_sql (mancmsmrad01mc1): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'cocotest4' ORDER BY id' (0) mancmsmrad01mc1 : User found in radcheck table ... (0) [mancmsmrad01mc1] = ok (0) } # redundant redundant_sql = ok (0) [expiration] = noop (0) [logintime] = noop (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (0) WARNING: pap : Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject MariaDB [radius]> select * from radcheck where username='cocotest4'; +------+-----------+--------------------+----+------------+ | id | username | attribute | op | value | +------+-----------+--------------------+----+------------+ | 1653 | cocotest4 | Cleartext-Password | == | Password01 | +------+-----------+--------------------+----+------------+ Thanks, Ian On 6 July 2016 at 12:10, Michael Schwartzkopff <ms@sys4.de> wrote:
Am Mittwoch, 6. Juli 2016, 12:06:28 schrieb Ian Hiddleston:
Hi all,
I've got my server working ok, one thing that I'm curious about is why the op value for Cleartext-Password is ':=' rather than '==' ?
As my google-fu appears to be lacking I figured I might as well ask the question.
Thanks, Ian.
goole: man 5 users bash: man 5 users
Attribute := Value Always matches as a check item, and replaces in the configuration items any attribute of the same name. If no attribute of that name appears in the request, then this attribute is added. As a reply item, it has an identical meaning, but for the reply items, instead of the request items. Attribute == Value As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item.
if you use "==" the Cleartext-Password must be in the incomming RADIUS request. Very unlikely.
Mit freundlichen Grüßen,
Michael Schwartzkopff
-- [*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html