xlat are placeholders in strings, usually used for substituting attribute values, for example:
update reply { Reply-Message := "Hello %{User-Name}" } The %{User-Name} is an xlat expansion. The xlat expansion "%{md5:<text>}" expands to an md5 hash of <text>. So you have something like: if ("%{md5:%{User-Password}:%{Salt}}" == %{<database password>}) { update control { Auth-Type := 'Access-Accept' } } There's also an %{sql:<text>} xlat, which executes the <text> portion as a query and expands to the first column of the first row in the result set. In the above condition you could use the sql xlat in place of %{Salt} and %{<database password>} to retrieve the bits of info you need to authenticate the user, though it's a little inefficient as you have to query twice. There are ways to work around the limitations of sql xlat, for example you can CONCAT the values of two columns and then break them apart with a regex and capture groups. See man unlang. -Arran
Nice :) I have added the follwing to my autorize section and it works: if ("%{md5:%{User-Password}:<SALT>}" == "%{sql:SELECT radcheck.value FROM `radcheck` WHERE radcheck.username ='%{User-Name}'}") { update control { Auth-Type := 'Accept' } } else{ sql #to make sure that the sql module is loaded. } Is there a better war to solve the loading of the sql module? If it do not include the else section, the %{sql:...} does not work. But if I place it outside the else or when the user enters the wrong password the database is queried twice. Thanks for your help - Rene