Why doesn't := "Always match?"

Phil Mayers p.mayers at imperial.ac.uk
Sat Jul 22 02:31:38 CEST 2006

Paul Long wrote:
> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for the 
> users file says, "Attribute := Value ... Always matches as a check 
> item..." So does that mean, no matter what the value is, it will always 

Well, the wording might be a bit confusing.

FreeRadius works the following way:

  1. All attribute-value pairs that come in are the "request" pairs
  2. Internal server attribute per-request are the "config" pairs
  3. Attribute-value pairs to go back to the client are the "reply" pairs

someuser User-Password := "somevalue"

...actually sets (unconditionally) the User-Password AVP in the "config" 
items. This password is *COMPARED* to the password supplied by the 
client in the "request" items. It's not a simple equality - a CHAP 
request will require a challenge/response calculation with the config 
password + request challenge and then an equality test of the chap response.

> match the attribute? I don't see that happening. As an experiment, I 
> have a supplicant in a WiFi phone with user name of "plong" and password 
> of "123". With the following entry in the users file:
>    plong    Auth-Type = Local, User-Password := "126"
> ...I assumed it would match even though the value is different; however, 

Though I realise the terminology might be initially confusing, how did 
you imagine a user with a password of "123" would be matched/accepted by 
a password of "126"?

> it does not match, and the access request is rejected:
>  rlm_chap: login attempt by "plong" with CHAP password
>  rlm_chap: Using clear text password 126 for user plong authentication.
>  rlm_chap: Pasword check failed
> To get it to match, I have to have the correct value:
>    plong    Auth-Type = Local, User-Password := "123"
> which results in this debug output:
>  rlm_chap: login attempt by "plong" with CHAP password
>  rlm_chap: Using clear text password 123 for user plong authentication.
>  rlm_chap: chap user plong authenticated succesfully


> In fact, := behaves exactly like == in this case. What's the deal? Why 
> doesn't := "always match?" Am I misunderstanding what it means to "match?"

As per man(5) users:

Attribute := Value
      Always  matches  as  a  check  item, and replaces in the 
configuration items any attribute of the same name.  If no attribute of 
that name appears in the request, then this attribute is added. As a 
reply item, it has an identical meaning, but for the reply items, 
instead of the request items.

Basically, := is a "force set" operator. In a "check" item, it sets a 
check/config pair. In a reply item, it sets/forces a reply pair.

See doc/aaa.txt

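To make the "config pairs are compared, not matched" point concrete, here is an added example (not FreeRADIUS code, and not part of Phil's or Paul's messages) that replays the experiment above in Python. It models the two assignment operators from users(5) (`:=` force-sets a config pair, `=` sets it only when absent), then does what rlm_chap does with the resulting `User-Password`: recompute the RFC 1994 CHAP response from the config password and the request's challenge and compare it against the `CHAP-Password` the client sent. The client-side request, the user name `plong`, the passwords, and the helper names `apply_check_items`, `chap_check`, `build_request` and `run_experiment` are all constructed for this example; the challenge selection rule (CHAP-Challenge attribute if present, otherwise the Request Authenticator) is the one in RFC 2865 section 5.40.

```python
import hashlib
import hmac
import os


def apply_check_items(check_items, config):
    """Apply users-file check items to the per-request "config" pairs.

    ':=' always sets the pair (the "force set" operator), replacing any
    existing value; '=' sets it only if no pair of that name exists yet.
    Neither operator compares anything against the request: the pair is
    simply stored for a module such as rlm_chap to use later.
    Only these two operators are modelled in this example.
    """
    for attr, op, value in check_items:
        if op == ":=":
            config[attr] = value
        elif op == "=":
            config.setdefault(attr, value)
        else:
            raise ValueError(f"operator {op!r} is not modelled here")
    return config


def chap_response(chap_id, password, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_check(config, request):
    """Verify a CHAP request against the cleartext User-Password in config.

    The server never receives the client's cleartext password, so the only
    possible test is to recompute the expected response from the config
    password and the challenge carried in the request, then compare.
    """
    cleartext = config.get("User-Password")
    if cleartext is None:
        return False  # nothing to compare against
    chap_password = request["CHAP-Password"]  # 1-byte ident + 16-byte hash
    if len(chap_password) != 17:
        return False
    chap_id, response = chap_password[0], chap_password[1:]
    # RFC 2865 s5.40: use CHAP-Challenge if present, else the Request
    # Authenticator field of the Access-Request.
    challenge = request.get("CHAP-Challenge", request["Authenticator"])
    expected = chap_response(chap_id, cleartext.encode(), challenge)
    # Constant-time compare so the check does not leak via timing.
    return hmac.compare_digest(expected, response)


def build_request(username, supplicant_password, chap_id=1, challenge=None):
    """Constructed client side: what a supplicant with that password sends.

    The cleartext password is used here only to build the CHAP response;
    it never appears in the request dictionary, which is the whole point.
    """
    if challenge is None:
        challenge = os.urandom(16)
    response = chap_response(chap_id, supplicant_password.encode(), challenge)
    return {
        "User-Name": username,
        "CHAP-Password": bytes([chap_id]) + response,
        "Authenticator": challenge,
    }


def run_experiment(users_file_password, supplicant_password):
    """Replay the thread: users-file ':=' value versus the phone's password."""
    request = build_request("plong", supplicant_password)
    config = apply_check_items(
        [("Auth-Type", "=", "Local"),
         ("User-Password", ":=", users_file_password)],
        {},
    )
    return chap_check(config, request)


if __name__ == "__main__":
    print("users file 126, phone 123:", run_experiment("126", "123"))  # False
    print("users file 123, phone 123:", run_experiment("123", "123"))  # True
```

The `:=` line does "always match" in the sense that `apply_check_items` never rejects the request while processing it; the rejection happens afterwards, in `chap_check`, when the value it stored fails to reproduce the client's CHAP response.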