Active Directory and Calling-Station-Id

Ethariel ethariel at gmail.com
Thu Feb 23 11:33:34 CET 2017


Thanks for the examples. This is clearer than the docs I've read before.
Now I've got it.


2017-02-23 9:51 GMT+01:00 Brian Candler <b.candler at pobox.com>:
> On 22/02/2017 18:20, Ethariel wrote:
>>
>> I indeed think I don't really get the difference between := and ==.
>> I've read several examples and doc but not so sure.
>
>
> := is an assignment operator (*set* an attribute). Other ones include "=",
> "+="
>
> == is a test operator (*compare* an attribute). Other ones include "!=",
> "=*"
>
> They can be mixed on the same line.  If all the tests pass, then all the
> assignments are done (*), including assignments to the reply list.
>
> So given an entry like this:
>
> foo Attr1 == "val1", Attr2 == "val2", Attr3 := "val3", Attr4 := "val4"
>     Attr5 := "val5"
>     Attr6 := "val6"
>
> the logic is essentially this:
>
> if (&request:User-Name == "foo" && &request:Attr1 == "val1" &&
> &request:Attr2 == "val2") {
>   update control {
>     &Attr3 := "val3"
>     &Attr4 := "val4"
>   }
>   update reply {
>     &Attr5 := "val5"
>     &Attr6 := "val6"
>   }
> }
>
> Now, a basic local password entry looks like this:
>
> customer1  Cleartext-Password := "xyzzy"
>
> What you need to realise is, this is *not* comparing the password.  This
> says "if the username is customer1, then *set* the Cleartext-Password
> attribute on the control list to be "xyzzy", and continue".
>
> Later, when the radius server gets to the authenticate {} section of the
> config, the authentication module will check that the credentials supplied
> by the user (in the incoming RADIUS request) are consistent with the
> Cleartext-Password that has been put on the control list.  In the case of
> PAP this just means checking that the supplied password and the
> Cleartext-Password are the same; but other authentication methods like CHAP
> work differently.
>
> The same applies if you write:
>
> customer1  Cleartext-Password = "xyzzy"
>
> It's still an assignment, not a check.  The difference between the ":=" and
> "=" assignment operators is that ":=" will replace any existing value of the
> given attribute, while "=" will only set the attribute if it doesn't already
> exist.
>
> Documentation:
> http://freeradius.org/radiusd/man/users.html
> http://freeradius.org/radiusd/man/rlm_files.html
>
> Regards,
>
> Brian.
>
> (*) I'm not entirely sure what happens if you mix check and control update
> items on the first line.  Safest to put all the check items first, and the
> update items afterwards.

