On Wed, Apr 4, 2012 at 3:41 PM, Glen Harris <[email protected]> wrote: > Just so I understand completely, why does authentication work when there is > only the Cleartext-Password row in the radcheck table?
If the condition in "==" doesn't match, the check item with ":=" (i.e. cleartext-password) will not be returned. > Does the radusergroup > query somehow come into play when there's a second check item? It shouldn't, Which is why I suggested you try with simple PAP. I've used "==" for Calling-Station-Id for several years with PAP + MSCHAP, but admittedly never tried it with EAP, so I'd like to isolate the problem first. Recently I changed it to ":=" plus some unlang block that does the actual comparison/rejection, to make debugging easier. That is, now I can put "incorrect calling-station-id" in my logs rather than a generic "user not found" message. You can also try this method later if you want. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
