On Jul 21, 2021, at 8:03 AM, David Herselman <dhe@syrex.co> wrote:
Thank you for your feedback. A debug on the legacy FR v1 system is unfortunately not as granular as with FR v3, but it would appear that FR v1 (perhaps incorrectly) didn't replace := values from the SQL radcheck table with ':=' values returned by radgroupcheck.
Quite possibly. That version has been EOL for probably 10 years. In fact, even version 2 has been EOL for many years.
Reading through https://wiki.freeradius.org/config/Operators bring me hope that I could possibly set the radcheck operator for this attribute as ':=' and then set the radgroupcheck operator as '=', but I'm concerned about the comment in the documentation that this is 'Not allowed as a check item for RADIUS protocol attributes.'
My understanding of using the '+=' operator is that the resulting value would be 24, is this incorrect?
That's not correct. See the documentation for the "+=" operator. And yes, you could use ":=" for radcheck, and "=" for radgroupcheck. That would work, too.
PS: Thank you for your recommendation on replacing 'User-Password' with 'Cleartext-Password'. This is on the cards, but we have to allow for a transition period where legacy and new FR nodes reference a common database. We are subsequently using unlang to do the following before pap in the authorize section: if (!control:Cleartext-Password && control:User-Password) { update control { Cleartext-Password := "%{control:User-Password}"
Just do Cleartext-Password := &control:User-Password There's no need to expand it to a string, and then parse it back as a string. Alan DeKok.