Authentication with Juniper SA
Mik J
mikydevel at yahoo.fr
Sun Sep 16 11:20:10 CEST 2012
----- Original Message -----
> From: Fajar A. Nugraha <list at fajar.net>
> To: Mik J <mikydevel at yahoo.fr>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Cc:
> Sent: Sunday, 16 September 2012 10:35
> Subject: Re: Authentication with Juniper SA
>
> On Sun, Sep 16, 2012 at 3:09 PM, Mik J <mikydevel at yahoo.fr> wrote:
>
>> So here's what the documentation says:
>>
>> == "Attribute == Value": As a check item, it matches if the
>> named attribute is present in the request, AND has the given value.
>> => In my case, I wanted to compare the password sent by the
>> Juniper device to the entry in the radcheck table. If the login and password
>> match then the check is positive. So the documentation seems to say that it
>> should work with "==" or I don't understand.
>
> No, that's not how it works.
>
> If you want to check for other attributes (e.g. bind a user to a
> particular Calling-Station-Id), you can use "==". But not for
> password. More details below.
>
>>
>> := "Attribute := Value": Always matches as a check item, and
>> replaces in the configuration items any attribute of the same name. If no
>> attribute of that name appears in the request, then this attribute is added.
>
> If you've read doc/rlm_sql, like I suggested, you would've seen
> examples of what entry goes where. This is a start. Once that works,
> you can read other docs to find out what they mean.
>
> Regarding user-password, it's somewhat special. Old versions of the FR
> manpage (e.g. http://swoolley.org/man.cgi/5/users) actually suggest
> using "==". Don't use those, as they're outdated. A good explanation
> of how it should be is included in the current version of FR. For
> example, if you run "man 5 users" on an up-to-date installation, you'd
> see this snippet:
>
> "
> EXAMPLES
>
> bob Cleartext-Password := "hello"
>
> Requests containing the User-Name attribute, with value "bob", will be
> authenticated using the "known good" password "hello". There are no
> reply items, so the reply will be empty.
> "
>
> "known good password" is a configuration item ("control item" is
> probably a better term). It tells the server "this is what the correct
> password for the user is". You need to use ":=", because you're NOT
> directly comparing it to the User-Password in the incoming request.
>
> The password that the user sends might be in the form of a User-Password
> attribute (in which case the content will be the same as the
> Cleartext-Password that you store in the db), or it might come in a
> different form (e.g. Chap-Password). Since it might be different, you
> can't compare it directly (thus, you can't use "=="). Instead, you
> need to tell the server what the correct password is (with ":=" and
> the attribute Cleartext-Password), and the server will then perform
> the necessary processing, and then compare it to whatever attribute
> the client sends.
>
> Does that (simplified) explanation make sense?
Hello Fajar,
This is very clear now. My FreeRADIUS version is not so new (2.1.12).
Thank you very much for this explanation.
Have a nice weekend
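The distinction Fajar draws above (a "==" check item is compared against the incoming request, while ":=" Cleartext-Password hands the server a known-good password it can verify against whatever form the client sent) is easy to see in a small simulation. The following is an added example, not FreeRADIUS code and not anything from the original thread: it models two constructed radcheck rows for user "bob" (the rejected `User-Password ==` form and the recommended `Cleartext-Password :=` form), a constructed PAP request and a constructed CHAP request, and a deliberately simplified check-item pass followed by password verification. CHAP-Password is computed as RFC 2865 section 2.2 describes (ident byte followed by MD5(ident || password || challenge)); the model ignores any special-casing a real server may apply to a User-Password check item.

```python
import hashlib
import hmac

# Constructed radcheck rows for user "bob", in the shape rlm_sql returns them:
# (username, attribute, op, value). Sample data, not from the original thread.
RADCHECK_WRONG = [("bob", "User-Password", "==", "hello")]       # compared against the request
RADCHECK_RIGHT = [("bob", "Cleartext-Password", ":=", "hello")]  # stored as the "known good" password


def run_check_items(rows, request):
    """Simplified check-item pass, as the users(5) manpage describes the operators.

    '==' matches only if the named attribute is present in the request with
    exactly that value. ':=' always matches and stores the value as a control
    item. Returns (matched, control_items).
    """
    control = {}
    for _username, attribute, op, value in rows:
        if op == "==":
            if request.get(attribute) != value:
                return False, control  # entry does not match; no further processing
        elif op == ":=":
            control[attribute] = value
        else:
            raise ValueError(f"operator {op!r} is not modelled in this simulation")
    return True, control


def chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP-Password as the client sends it: ident byte + MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def verify_password(control, request):
    """What the authentication step can do once it holds a known-good password:
    compare directly for PAP, recompute the expected response for CHAP."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return False  # nothing to verify against
    if "User-Password" in request:  # PAP: cleartext arrives, compare in constant time
        return hmac.compare_digest(request["User-Password"].encode(), known_good.encode())
    if "CHAP-Password" in request:  # CHAP: only a hash arrives, so recompute it
        sent = request["CHAP-Password"]
        expected = chap_password(sent[0], known_good, request["CHAP-Challenge"])
        return hmac.compare_digest(sent, expected)
    return False


def authorize_and_authenticate(rows, request):
    """Return 'Access-Accept' or an 'Access-Reject (...)' string naming the stage that failed."""
    matched, control = run_check_items(rows, request)
    if not matched:
        return "Access-Reject (check item did not match)"
    if verify_password(control, request):
        return "Access-Accept"
    return "Access-Reject (password verification failed)"


# Constructed requests for the same user and password, one per authentication form.
CHALLENGE = bytes(range(16))  # constructed 16-byte CHAP challenge
PAP_REQUEST = {"User-Name": "bob", "User-Password": "hello"}
CHAP_REQUEST = {
    "User-Name": "bob",
    "CHAP-Challenge": CHALLENGE,
    "CHAP-Password": chap_password(7, "hello", CHALLENGE),
}

if __name__ == "__main__":
    for label, rows in (("User-Password ==", RADCHECK_WRONG), ("Cleartext-Password :=", RADCHECK_RIGHT)):
        for kind, req in (("PAP", PAP_REQUEST), ("CHAP", CHAP_REQUEST)):
            print(f"{label:22s} {kind:4s}: {authorize_and_authenticate(rows, req)}")
```

Running it shows the failure mode from the thread: the `User-Password ==` row happens to match a PAP request (the cleartext is right there to compare), but it never produces a known-good password, and against a CHAP request it fails at the check-item stage because the request carries no User-Password at all. The `Cleartext-Password :=` row accepts both forms and still rejects a wrong password.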