Authentication with Juniper SA

Fajar A. Nugraha list at
Sun Sep 16 11:40:05 CEST 2012

On Sun, Sep 16, 2012 at 4:20 PM, Mik J <mikydevel at> wrote:
>> The password that user sends might be in the form of User-Password
>> attribute (in which case the content will be the same as
>> cleartext-password that you store in the db), or they might come in
>> different form (e.g. Chap-Password). Since it might be different, you
>> can't compare it directly (thus, you can't use "=="). Instead,
>> you
>> need to tell the server what the correct password is (with ":=" and
>> the attribute Cleartext-Password), and the server will then perform
>> the necessary processing, and then compare it to whatever attribute
>> the client sends.
>> Does that (simplified) explanation make sense?
> Hello Fajar,
> This is very clear now. My freeradius version is not so new (2.1.12)

2.1.12 is actually new-enough, in that many distro still ships with
it, and it also needs "Cleartext-Password :=" instead of "==".

There's a know security issue with anything under 2.2.0 though, so if
you're using anything older make sure the fix is backported (e.g. if
you're using debian/ubuntu make sure you use 2.1.12+dfsg-1.1). Ask
your distro support/forum/list for details.

Also, just in case I wasn't clear, you can still use "==" in newer
versions of FR (and you probably need to, for some situations). The
exception is only for user password, where you should use
"Cleartext-Password :=" instead of "User-Password ==".


More information about the Freeradius-Users mailing list