Why doesn't := "Always match?"

Phil Mayers p.mayers at imperial.ac.uk
Mon Jul 24 18:52:35 CEST 2006

George C. Kaplan wrote:
> Phil Mayers wrote:
>>> I'll try to give an example.  Suppose you had two entries, using '=='
>>> for the same user:
>>> plong   Auth-Type = Local, User-Password == "126"
>>> plong   Auth-Type = Local, User-Password == "123"
>>> Then, if 'plong' supplies the password "123", the 'files' module
>>> (which processes the 'users' file) will select the second entry, then
>>> the authentication module will compare the passwords in the request
>>> and config items, and the user will be accepted.
>> Hmm. So it does. I didn't think the server behaved that way. It does not
>> seem terribly consistent.
> OK, now *I'm* confused.  What's inconsistent about the above behavior?

I was referring to the use of the == versus := operator against 
User-Password being inconsistent:

  == compares THERE AND THEN the "request" User-Password to the 
right-hand-side of the operator. It will only ever work for PAP 
requests, not CHAP, MS-CHAP, digest, etc.

  := sets the config/check User-Password to the right hand side of the 
operator. The authorize section completes, then authenticate is run, and 
  the server uses the password in the config items to check the password 
in the request items - this will work for all authentication types.

More information about the Freeradius-Users mailing list