Why doesn't := "Always match?"

Paul Long plong at ipdialog.com
Sat Jul 22 03:31:33 CEST 2006


Comments inline...

Phil Mayers wrote:
> Paul Long wrote:
>> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for 
>> the users file says, "Attribute := Value ... Always matches as a 
>> check item..." So does that mean, no matter what the value is, it 
>> will always 
>
> Well, the wording might be a bit confusing.
>
> FreeRadius works the following way:
>
>  1. All attribute-value pairs that come in are the "request" pairs
>  2. Internal server attribute per-request are the "config" pairs
>  3. Attribute-value pairs to go back to the client are the "reply" pairs
>
> someuser User-Password := "somevalue"
>
> ...actually sets (unconditionally) the User-Password AVP in the 
> "config" items. This password is *COMPARED* to the password supplied 
> by the client in the "request" items.
Okay, so then what is meant in the man page by "Always matches a check 
item?" Should it have said, "Always checks a check item?" :-) As is, it 
sounds like it always returns true.
> It's not a simple equality - a CHAP request will require a 
> challenge/response calculation with the config password + request 
> challenge and then an equality test of the chap response.
>
>
>> match the attribute? I don't see that happening. As an experiment, I 
>> have a supplicant in a WiFi phone with user name of "plong" and 
>> password of "123". With the following entry in the users file:
>>
>>    plong    Auth-Type = Local, User-Password := "126"
>>
>> ...I assumed it would match even though the value is different; however, 
>
> Though I realise the terminology might be initially confusing, how did 
> you imagine a user with a password of "123" would be matched/accepted 
> by a password of "126".
I didn't expect it to match/accept. I was just playing around with 
values trying to better understand the operators. I have everything 
working the way I want--I was just going for extra credit. :-)
>
>> it does not match, and the access request is rejected:
>>
>>  rlm_chap: login attempt by "plong" with CHAP password
>>  rlm_chap: Using clear text password 126 for user plong authentication.
>>  rlm_chap: Pasword check failed
>>
>> To get it to match, I have to have the correct value:
>>
>>    plong    Auth-Type = Local, User-Password := "123"
>>
>> which results in this debug output:
>>
>>  rlm_chap: login attempt by "plong" with CHAP password
>>  rlm_chap: Using clear text password 123 for user plong authentication.
>>  rlm_chap: chap user plong authenticated succesfully
>
> Yes...
>
>>
>> In fact, := behaves exactly like == in this case. What's the deal? 
>> Why doesn't := "always match?" Am I misunderstanding what it means to 
>> "match?"
>
> As per man(5) users:
>
> Attribute := Value
>      Always  matches  as  a  check  item, and replaces in the 
> configuration items any attribute of the same name.  If no attribute 
> of that name appears in the request, then this attribute is added. As 
> a reply item, it has an identical meaning, but for the reply items, 
> instead of the request items.
>
> Basically, := is a "force set" operator. In a "check" item, it sets a 
> check/config pair.
So "Always matches a check item" just means that a check will be 
performed and says nothing about the outcome of that check?
> In a reply item, it sets/forces a reply pair.
>
> See doc/aaa.txt
>
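
Added example (not part of the original message and not FreeRADIUS code): a simplified Python model of the behaviour discussed in this thread, where `:=` always matches and force-sets the config User-Password, and the later CHAP comparison decides whether the request is accepted. The function names, the dict layout and the sample CHAP id and challenge are assumptions made for illustration.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).digest()

def force_set_check_item(config_items: dict, attr: str, value: str) -> bool:
    """Hypothetical model of 'attr := value' as a check item.

    The value replaces any config item of the same name, and the users-file
    entry matches no matter what the request contains.
    """
    config_items[attr] = value
    return True

def chap_authenticate(request: dict, config_items: dict) -> bool:
    """Hypothetical model of the later CHAP step: recompute the response from
    the config password and the request challenge, then compare."""
    expected = chap_response(
        request["chap_id"], config_items["User-Password"], request["challenge"]
    )
    return hmac.compare_digest(expected, request["chap_response"])

def handle_request(request: dict, users_file_password: str) -> tuple:
    """Return (entry_matched, access_accepted) for one Access-Request."""
    config_items = {}
    matched = force_set_check_item(config_items, "User-Password", users_file_password)
    accepted = matched and chap_authenticate(request, config_items)
    return matched, accepted

def sample_request(supplicant_password: str) -> dict:
    """Constructed sample request from a supplicant that knows the password."""
    chap_id, challenge = 7, bytes(range(16))  # constructed values
    return {
        "User-Name": "plong",
        "chap_id": chap_id,
        "challenge": challenge,
        "chap_response": chap_response(chap_id, supplicant_password, challenge),
    }

if __name__ == "__main__":
    print(handle_request(sample_request("123"), "126"))  # entry matches, auth fails
    print(handle_request(sample_request("123"), "123"))  # entry matches, auth succeeds
```

In both runs the users-file entry matches; only the CHAP comparison differs, which mirrors the two rlm_chap debug outputs quoted above.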




More information about the Freeradius-Users mailing list