Discussion:
FreeRADIUS 3.0 - Help with understanding op value for cleartext-password
Ian Hiddleston
2016-07-06 11:06:28 UTC
Hi all,

I've got my server working ok, one thing that I'm curious about is why the
op value for Cleartext-Password is ':=' rather than '==' ?

As my google-fu appears to be lacking I figured I might as well ask the
question.

Thanks,
Ian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Michael Schwartzkopff
2016-07-06 11:10:32 UTC
Post by Ian Hiddleston
Hi all,
I've got my server working ok, one thing that I'm curious about is why the
op value for Cleartext-Password is ':=' rather than '==' ?
As my google-fu appears to be lacking I figured I might as well ask the
question.
Thanks,
Ian.
google: man 5 users
bash: man 5 users

Attribute := Value
Always matches as a check item, and replaces in the configuration items any
attribute of the same name. If no attribute of that name appears in the
request, then this attribute is added.
As a reply item, it has an identical meaning, but for the reply items,
instead of the request items.
Attribute == Value
As a check item, it matches if the named attribute is present in the
request, AND has the given value.
Not allowed as a reply item.

if you use "==" the Cleartext-Password must be in the incoming RADIUS
request. Very unlikely.

Kind regards,

Michael Schwartzkopff
--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Ian Hiddleston
2016-07-06 12:23:00 UTC
Ah, that makes sense! I'm asking because I was sitting staring at this for a
bit before figuring it out. I did read through the Operators bit on the
website, I guess I failed pretty hard at getting the wider picture logic
though. At the time I was trying to match a plaintext password in the
request to a plaintext password in the DB, which I thought would work with
'=='.

We don't use these accounts for anything other than matching DSL users to
routes (not integrated with other backends) so the password is more for
misconfiguration prevention than anything security related.

Received Access-Request Id 170 from 127.0.0.1:39871 to 127.0.0.1:1812
length 79
User-Name = 'cocotest4'
User-Password = 'Password01'
NAS-IP-Address = 10.9.4.53
NAS-Port = 1812
Message-Authenticator = 0x6d25a89d069f56a85c48af5b3559227d
...
(0) mancmsmrad01mc1 : EXPAND
%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}
(0) mancmsmrad01mc1 : --> cocotest4
(0) mancmsmrad01mc1 : SQL-User-Name set to 'cocotest4'
rlm_sql (mancmsmrad01mc1): Reserved connection (4)
(0) mancmsmrad01mc1 : EXPAND SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
(0) mancmsmrad01mc1 : --> SELECT id, username, attribute, value, op
FROM radcheck WHERE username = 'cocotest4' ORDER BY id
rlm_sql (mancmsmrad01mc1): Executing query: 'SELECT id, username,
attribute, value, op FROM radcheck WHERE username = 'cocotest4' ORDER BY id'
(0) mancmsmrad01mc1 : User found in radcheck table
...
(0) [mancmsmrad01mc1] = ok
(0) } # redundant redundant_sql = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not
setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password
is available
(0) [pap] = noop
(0) } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type =
Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject

MariaDB [radius]> select * from radcheck where username='cocotest4';
+------+-----------+--------------------+----+------------+
| id | username | attribute | op | value |
+------+-----------+--------------------+----+------------+
| 1653 | cocotest4 | Cleartext-Password | == | Password01 |
+------+-----------+--------------------+----+------------+

Thanks,
Ian
Alan DeKok
2016-07-06 12:51:28 UTC
Post by Ian Hiddleston
Ah, that makes sense! I'm asking because I was sat staring at this for a
bit before figuring it out. I did read through the Operators bit on the
website, I guess I failed pretty hard at getting the wider picture logic
though. At the time I was trying to match a plaintext password in the
request to a plaintext password in the DB, which I thought would work with
'=='.
You should never "match" passwords. The simple explanation is that there are many password storage methods (crypt, etc.), and many authentication methods (PAP, CHAP, MS-CHAP, etc.)

You should tell the server what the "known good" password is. The server will then do the authentication itself.

After all, FreeRADIUS is an authentication server. Let it do authentication, and everything will "just work".

Alan DeKok.



Matthew Newton
2016-07-06 11:26:10 UTC
Post by Ian Hiddleston
I've got my server working ok, one thing that I'm curious about is why the
op value for Cleartext-Password is ':=' rather than '==' ?
As my google-fu appears to be lacking I figured I might as well ask the
question.
Try

http://wiki.freeradius.org/config/Operators

:= sets the attribute (even if it is already set)
= sets the attribute (only if it doesn't exist)
== is a test to see if the attribute matches

Matthew
--
Matthew Newton, Ph.D. <***@leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
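The operator rules quoted from man 5 users by Michael and summarised by Matthew, and the failure Ian's debug output shows with a "==" row in radcheck, can be reproduced in a small model. The following is an added example written for this page; it is not FreeRADIUS code and does not reproduce the internals of rlm_sql or rlm_pap. It loads check items from a radcheck table (an in-memory SQLite copy of the schema shown in the thread, with constructed rows: cocotest4 keeps the "==" row from the thread, cocotest5 is an assumed user with the corrected ":=" row), applies ":=", "=" and "==" as the man page describes them, and then does what rlm_pap needs: compare User-Password against a "known good" Cleartext-Password in the control list. It also runs an audit query that flags password rows whose op is not ":=", which is the check a practitioner would want before users hit the warning in Ian's log.

```python
"""Model of FreeRADIUS check-item operators (':=', '=', '==') per man 5 users,
driven from a radcheck table in SQLite.

Added example; not FreeRADIUS code.  It does not reproduce rlm_sql or rlm_pap
internals, only the documented operator rules and the 'known good password'
requirement.  All rows and requests below are constructed for illustration.
"""
import sqlite3

# Constructed radcheck rows.  cocotest4 mirrors the misconfigured row in the
# thread (op '=='); cocotest5 is an assumed user with the corrected ':=' row.
SAMPLE_RADCHECK = [
    (1653, "cocotest4", "Cleartext-Password", "==", "Password01"),
    (1654, "cocotest5", "Cleartext-Password", ":=", "Password01"),
    (1655, "cocotest5", "Simultaneous-Use", ":=", "1"),
]


def open_radcheck():
    """In-memory radcheck table with the columns shown in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, username TEXT, "
                 "attribute TEXT, op TEXT, value TEXT)")
    conn.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?, ?)", SAMPLE_RADCHECK)
    return conn


def load_check_items(conn, username):
    """Same shape as the authorize_check_query in the debug output."""
    rows = conn.execute("SELECT attribute, op, value FROM radcheck "
                        "WHERE username = ? ORDER BY id", (username,))
    return [tuple(r) for r in rows]


def apply_check_items(request, items):
    """Apply check items as man 5 users describes the operators.

    Returns (held, control).  '==' only compares against the *request* and
    never adds anything; ':=' always matches and (over)writes a configuration
    ("control") item; '=' adds a control item only when it is absent.
    """
    control = {}
    held = True
    for attribute, op, value in items:
        if op == "==":
            if request.get(attribute) != value:  # attribute absent -> no match
                held = False
        elif op == ":=":
            control[attribute] = value
        elif op == "=":
            control.setdefault(attribute, value)
        else:
            raise ValueError(f"operator {op!r} not modelled for {attribute}")
    return held, control


def pap_authenticate(request, control):
    """rlm_pap needs a known-good password in control; without one it cannot
    set Auth-Type and the request ends up rejected, as in the thread's log."""
    known_good = control.get("Cleartext-Password")
    if known_good is None:
        return "reject", 'No "known good" password found for the user'
    if request.get("User-Password") == known_good:
        return "accept", "User-Password matches Cleartext-Password"
    return "reject", "User-Password does not match Cleartext-Password"


def authorize_and_authenticate(conn, request):
    """Returns (decision, reason, check_items_held)."""
    items = load_check_items(conn, request["User-Name"])
    if not items:
        return "reject", "user not found in radcheck", False
    held, control = apply_check_items(request, items)
    decision, reason = pap_authenticate(request, control)
    return decision, reason, held


def find_misconfigured_password_rows(conn):
    """Audit query: password attributes stored with any op other than ':='."""
    rows = conn.execute("SELECT id, username, attribute, op FROM radcheck "
                        "WHERE attribute LIKE '%-Password' AND op <> ':=' ORDER BY id")
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    conn = open_radcheck()
    for user in ("cocotest4", "cocotest5"):
        req = {"User-Name": user, "User-Password": "Password01"}
        print(user, authorize_and_authenticate(conn, req))
    print("misconfigured rows:", find_misconfigured_password_rows(conn))
```

Running it, cocotest4 is rejected because the "==" row compares against the request (which carries User-Password, not Cleartext-Password) and so never places a known-good password where PAP can see it, while cocotest5 is accepted because ":=" puts the password into control and the server does the comparison itself, which is Alan's point. The audit query is the one-liner to run against a real radcheck table after a migration or a hand edit.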