Checking MAC address with rlm_sql

Fajar A. Nugraha list at fajar.net
Wed Apr 4 11:07:35 CEST 2012


On Wed, Apr 4, 2012 at 3:41 PM, Glen Harris <astfgl at iamnota.org> wrote:
> Just so I understand completely, why does authentication work when there is
> only the Cleartext-Password row in the radcheck table?

If the condition in "==" doesn't match, the check item with ":=" (i.e.
cleartext-password) will not be returned.

> Does the radusergroup
> query somehow come into play when there's a second check item?

It shouldn't, Which is why I suggested you try with simple PAP.

I've used "==" for Calling-Station-Id for several years with PAP +
MSCHAP, but admittedly never tried it with EAP, so I'd like to isolate
the problem first.

Recently I changed it to ":=" plus some unlang block that does the
actual comparison/rejection, to make debugging easier. That is, now I
can put "incorrect calling-station-id" in my logs rather than a
generic "user not found" message. You can also try this method later
if you want.

-- 
Fajar


More information about the Freeradius-Users mailing list