Active Directory and Calling-Station-Id
Thks a lot. I indeed think I don't really get the difference between := and ==. I've read several examples and doc but not so sure. I think the last entry (with the reject) is what is missing in my conf to prevent AD authentication when the CLI is not correct. I'll try asap and let you know. I can't access the site for a few days, but I'll return here with the conclusions.
On 22/02/2017 18:20, Ethariel wrote:
I indeed think I don't really get the difference between := and ==. I've read several examples and doc but not so sure.
:= is an assignment operator (*set* an attribute). Other ones include "=", "+=" == is a test operator (*compare* an attribute). Other ones include "!=", "=*" They can be mixed on the same line. If all the tests pass, then all the assignments are done (*), including assignments to the reply list. So given an entry like this: foo Attr1 == "val1", Attr2 == "val2", Attr3 := "val3", Attr4 := "val4" Attr5 := "val5" Attr6 := "val6" the logic is essentially this: if (&request:User-Name == "foo" && &request:Attr1 == "val1" && &request:Attr2 == "val2") { update control { &Attr3 := "val3" &Attr4 := "val4" } update reply { &Attr5 := "val5" &Attr6 := "val6" } } Now, a basic local password entry looks like this: customer1 Cleartext-Password := "xyzzy" What you need to realise is, this is *not* comparing the password. This says "if the username is customer1, then *set* the Cleartext-Password attribute on the control list to be "xyzzy", and continue". Later, when the radius server gets to the authenticate {} section of the config, the authentication module will check that the credentials supplied by the user (in the incoming RADIUS request) are consistent with the Cleartext-Password that has been put on the control list. In the case of PAP this just means checking that the supplied password and the Cleartext-Password are the same; but other authentication methods like CHAP work differently. The same applies if you write: customer1 Cleartext-Password = "xyzzy" It's still an assignment, not a check. The difference between the ":=" and "=" assignment operators is that ":=" will replace any existing value of the given attribute, while "=" will only set the attribute if it doesn't already exist. Documentation: http://freeradius.org/radiusd/man/users.html http://freeradius.org/radiusd/man/rlm_files.html Regards, Brian. (*) I'm not entirely sure what happens if you mix check and control update items on the first line. Safest to put all the check items first, and the update items afterwards.
Thks for the examples. This is clearer than the docs I've read before. Now I've got it. 2017-02-23 9:51 GMT+01:00 Brian Candler <b.candler@pobox.com>:
On 22/02/2017 18:20, Ethariel wrote:
I indeed think I don't really get the difference between := and ==. I've read several examples and doc but not so sure.
:= is an assignment operator (*set* an attribute). Other ones include "=", "+="
== is a test operator (*compare* an attribute). Other ones include "!=", "=*"
They can be mixed on the same line. If all the tests pass, then all the assignments are done (*), including assignments to the reply list.
So given an entry like this:
foo Attr1 == "val1", Attr2 == "val2", Attr3 := "val3", Attr4 := "val4" Attr5 := "val5" Attr6 := "val6"
the logic is essentially this:
if (&request:User-Name == "foo" && &request:Attr1 == "val1" && &request:Attr2 == "val2") { update control { &Attr3 := "val3" &Attr4 := "val4" } update reply { &Attr5 := "val5" &Attr6 := "val6" } }
Now, a basic local password entry looks like this:
customer1 Cleartext-Password := "xyzzy"
What you need to realise is, this is *not* comparing the password. This says "if the username is customer1, then *set* the Cleartext-Password attribute on the control list to be "xyzzy", and continue".
Later, when the radius server gets to the authenticate {} section of the config, the authentication module will check that the credentials supplied by the user (in the incoming RADIUS request) are consistent with the Cleartext-Password that has been put on the control list. In the case of PAP this just means checking that the supplied password and the Cleartext-Password are the same; but other authentication methods like CHAP work differently.
The same applies if you write:
customer1 Cleartext-Password = "xyzzy"
It's still an assignment, not a check. The difference between the ":=" and "=" assignment operators is that ":=" will replace any existing value of the given attribute, while "=" will only set the attribute if it doesn't already exist.
Documentation: http://freeradius.org/radiusd/man/users.html http://freeradius.org/radiusd/man/rlm_files.html
Regards,
Brian.
(*) I'm not entirely sure what happens if you mix check and control update items on the first line. Safest to put all the check items first, and the update items afterwards.
participants (2)
-
Brian Candler -
Ethariel