On Jul 21, 2006, at 6:31 PM, Paul Long wrote:
Phil Mayers wrote:
Paul Long wrote:
A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the users file says, "Attribute := Value ... Always matches as a check item..." So does that mean, no matter what the value is, it will always
Well, the wording might be a bit confusing.
FreeRadius works the following way:
1. All attribute-value pairs that come in are the "request" pairs 2. Internal server attribute per-request are the "config" pairs 3. Attribute-value pairs to go back to the client are the "reply" pairs
someuser User-Password := "somevalue"
...actually sets (unconditionally) the User-Password AVP in the "config" items. This password is *COMPARED* to the password supplied by the client in the "request" items. Okay, so then what is meant in the man page by "Always matches a check item?" Should it have said, "Always checks a check item?" :-) As is, it sounds like it always returns true.
The way I think of it is that the "match" criterion only applies to which clause of the users file gets selected. Subsequent processing of the request may still cause the request to be rejected.
match the attribute? I don't see that happening. As an experiment, I have a supplicant in a WiFi phone with user name of "plong" and password of "123". With the following entry in the users file:
plong Auth-Type = Local, User-Password := "126"
...I assumed it would match even though the value is different; however,
I'll try to give an example. Suppose you had two entries, using '==' for the same user: plong Auth-Type = Local, User-Password == "126" plong Auth-Type = Local, User-Password == "123" Then, if 'plong' supplies the password "123", the 'files' module (which processes the 'users' file) will select the second entry, then the authentication module will compare the passwords in the request and config items, and the user will be accepted. But if you use ':=' plong Auth-Type = Local, User-Password := "126" plong Auth-Type = Local, User-Password := "123" the 'files' module will select the first entry ("always match"), then the authentication module will compare the supplied password "123" with the configured password "126" and the user will be rejected. I hope I got that right; Phil can correct me if not. -- George C. Kaplan gckaplan@ack.berkeley.edu Communication & Network Services 510-643-0496 University of California at Berkeley