Active Directory and Calling-Station-Id
Brian Candler
b.candler at pobox.com
Thu Feb 23 09:51:00 CET 2017
On 22/02/2017 18:20, Ethariel wrote:
> I indeed think I don't really get the difference between := and ==.
> I've read several examples and doc but not so sure.

:= is an assignment operator (*set* an attribute). Other ones include
"=", "+="

== is a test operator (*compare* an attribute). Other ones include "!=",
"=*"

They can be mixed on the same line. If all the tests pass, then all the
assignments are done (*), including assignments to the reply list.

So given an entry like this:

    foo Attr1 == "val1", Attr2 == "val2", Attr3 := "val3", Attr4 := "val4"
        Attr5 := "val5",
        Attr6 := "val6"

the logic is essentially this:

    if (&request:User-Name == "foo" && &request:Attr1 == "val1" &&
        &request:Attr2 == "val2") {
        update control {
            &Attr3 := "val3"
            &Attr4 := "val4"
        }
        update reply {
            &Attr5 := "val5"
            &Attr6 := "val6"
        }
    }

Now, a basic local password entry looks like this:

    customer1 Cleartext-Password := "xyzzy"

What you need to realise is, this is *not* comparing the password. This
says "if the username is customer1, then *set* the Cleartext-Password
attribute on the control list to be "xyzzy", and continue".

Later, when the radius server gets to the authenticate {} section of the
config, the authentication module will check that the credentials
supplied by the user (in the incoming RADIUS request) are consistent
with the Cleartext-Password that has been put on the control list. In
the case of PAP this just means checking that the supplied password and
the Cleartext-Password are the same; but other authentication methods
like CHAP work differently.

The same applies if you write:

    customer1 Cleartext-Password = "xyzzy"

It's still an assignment, not a check. The difference between the ":="
and "=" assignment operators is that ":=" will replace any existing
value of the given attribute, while "=" will only set the attribute if
it doesn't already exist.

Documentation:
http://freeradius.org/radiusd/man/users.html
http://freeradius.org/radiusd/man/rlm_files.html

Regards,

Brian.

(*) I'm not entirely sure what happens if you mix check and control
update items on the first line. Safest to put all the check items
first, and the update items afterwards.
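
An added Python model of the entry logic described in this message (not code from the post or from FreeRADIUS): it handles only the ==, := and = operators, and the Calling-Station-Id value, the Reply-Message item and all function names are constructed for illustration. It shows that a wrong password still matches the entry and only fails later at the PAP comparison, while a failed == test means nothing is placed on the control list at all.

```python
import hmac
import re

ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*"([^"]*)"')

def parse_items(text):
    """Split 'Attr op "value", ...' into (attr, op, value); values with commas are not handled."""
    items = []
    for part in (p.strip() for p in text.split(",")):
        m = ITEM.fullmatch(part)
        if not m:
            raise ValueError("cannot parse item: " + part)
        items.append(m.groups())
    return items

def assign(lst, attr, op, value):
    """':=' replaces any existing value; '=' sets the attribute only if it is absent."""
    if op == ":=" or attr not in lst:
        lst[attr] = value

def apply_entry(name, first_line, reply_line, request, control, reply):
    """Model of one entry: run every '==' test, and only if all pass do the assignments."""
    items = parse_items(first_line)
    if request.get("User-Name") != name:
        return False
    if any(request.get(a) != v for a, op, v in items if op == "=="):
        return False
    for attr, op, value in items:
        if op != "==":
            assign(control, attr, op, value)      # first-line assignments go to control
    for attr, op, value in parse_items(reply_line):
        assign(reply, attr, op, value)            # following lines go to reply
    return True

def pap_ok(request, control):
    """PAP step in authenticate: supplied password must equal control's Cleartext-Password."""
    known = control.get("Cleartext-Password")
    supplied = request.get("User-Password", "")
    return known is not None and hmac.compare_digest(supplied.encode(), known.encode())

def demo():
    """Constructed entry and requests: (entry matched, PAP succeeded) per request."""
    entry = ("customer1",
             'Calling-Station-Id == "00-11-22-33-44-55", Cleartext-Password := "xyzzy"',
             'Reply-Message := "ok"')
    out = []
    for mac, pw in [("00-11-22-33-44-55", "xyzzy"), ("00-11-22-33-44-55", "wrong"),
                    ("66-77-88-99-AA-BB", "xyzzy")]:
        req = {"User-Name": "customer1", "Calling-Station-Id": mac, "User-Password": pw}
        control, reply = {}, {}
        out.append((apply_entry(*entry, req, control, reply), pap_ok(req, control)))
    return out
```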