Why doesn't := "Always match?"
Paul Long
plong at ipdialog.com
Sat Jul 22 03:31:33 CEST 2006
Comments inline...
Phil Mayers wrote:
> Paul Long wrote:
>> A man page (http://www.die.net/doc/linux/man/man5/users.5.html) for
>> the users file says, "Attribute := Value ... Always matches as a
>> check item..." So does that mean, no matter what the value is, it
>> will always
>
> Well, the wording might be a bit confusing.
>
> FreeRadius works the following way:
>
> 1. All attribute-value pairs that come in are the "request" pairs
> 2. Internal server attribute per-request are the "config" pairs
> 3. Attribute-value pairs to go back to the client are the "reply" pairs
>
> someuser User-Password := "somevalue"
>
> ...actually sets (unconditionally) the User-Password AVP in the
> "config" items. This password is *COMPARED* to the password supplied
> by the client in the "request" items.
Okay, so then what is meant in the man page by "Always matches a check
item?" Should it have said, "Always checks a check item?" :-) As is, it
sounds like it always returns true.
> It's not a simple equality - a CHAP request will require a
> challenge/response calculation with the config password + request
> challenge and then an equality test of the chap response.
>
>
>> match the attribute? I don't see that happening. As an experiment, I
>> have a supplicant in a WiFi phone with user name of "plong" and
>> password of "123". With the following entry in the users file:
>>
>> plong Auth-Type = Local, User-Password := "126"
>>
>> ...I assumed it would match even though the value is different; however,
>
> Though I realise the terminology might be initially confusing, how did
> you imagine a user with a password of "123" would be matched/accepted
> by a password of "126".
I didn't expect it to match.accept. I was just playing around with
values trying to better understand the operators. I have everything
working the way I want--I was just going for extra credit. :-)
>
>> it does not match, and the access request is rejected:
>>
>> rlm_chap: login attempt by "plong" with CHAP password
>> rlm_chap: Using clear text password 126 for user plong authentication.
>> rlm_chap: Pasword check failed
>>
>> To get it to match, I have to have the correct value:
>>
>> plong Auth-Type = Local, User-Password := "123"
>>
>> which results in this debug output:
>>
>> rlm_chap: login attempt by "plong" with CHAP password
>> rlm_chap: Using clear text password 123 for user plong authentication.
>> rlm_chap: chap user plong authenticated succesfully
>
> Yes...
>
>>
>> In fact, := behaves exactly like == in this case. What's the deal?
>> Why doesn't := "always match?" Am I misunderstanding what it means to
>> "match?"
>
> As per man(5) users:
>
> Attribute := Value
> Always matches as a check item, and replaces in the
> configuration items any attribute of the same name. If no attribute
> of that name appears in the request, then this attribute is added. As
> a reply item, it has an identical meaning, but for the reply items,
> instead of the request items.
>
> Basically, := is a "force set" operator. In a "check" item, it sets a
> check/config pair.
So "Always matches a check item" just means that a check will be
performed and says nothing about the outcome of that check?
> In a reply item, it sets/forces a reply pair.
>
> See doc/aaa.txt
> - List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
More information about the Freeradius-Users
mailing list