On Jul 6, 2016, at 8:23 AM, Ian Hiddleston <ian.hid@gmail.com> wrote:
Ah, that makes sense! I'm asking because I was sat staring at this for a bit before figuring it out. I did read through the Operators bit on the website, I guess I failed pretty hard at getting the wider picture logic though. At the time I was trying to match a plaintext password in the request to a plaintext password in the DB, which I thought would work with '=='.
You should never "match" passwords. The simple explanation is that there are many password storage method (crypt, etc.), and many authentication methods (PAP, CHAP, MS-CHAP, etc.) You should tell the server what the "known good" password is. The server will then do the authentication itself. After all, FreeRADIUS is an authentication server. Let it do authentication, and everything will "just work". Alan DeKok.