rlm_checkval module
Yeargan Yancey
yancey at unt.edu
Thu May 29 21:29:38 CEST 2008
Version: FreeRADIUS 2.0.4
I read the configuration file comments, searched the
forums, and even read the source code for rlm_checkval,
but am still having trouble getting it working the way
I think it should. I am somewhat new to this, so perhaps
I missed something obvious.
I have an LDAP database. I do have LDAP authentication
working without checkval.
In the LDAP database, we have an attribute named 'host' that
is meant to be a list of NAS IP addresses. This attribute is
of type string and multi-valued.
A sample LDAP entry might look something like this:
dn: uid=testuser,ou=people,o=company
host: 192.168.0.1
host: 192.168.0.2
host: 192.168.0.3
I added this to the ldap.attrmap file:
checkItem NAS-IP-Address host
and then added this to the radiusd.conf file:
checkval hostaccess {
item-name = NAS-IP-Address
check-name = NAS-IP-Address
data-type = string
notfound-reject = yes
}
and then added 'hostaccess' after 'ldap'
in the authorize section of the
sites-available/default file.
When I perform a test (like this):
radtest testuser testpass localhost 10 testing123
I get the following 'radiusd -X' output:
[...]
Listening on authentication address * port 1812
Listening on accounting address * port 1813
User-Name = "testuser"
User-Password = "testpass"
NAS-IP-Address = 192.168.0.1
NAS-Port = 10
[...]
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,o=unt, with
filter (uid=testuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: LDAP attribute host as RADIUS attribute
NAS-IP-Address == 192.168.0.1
rlm_ldap: looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.
Are you sure that the user is configured correctly?
rlm_ldap: Setting Auth-Type = ldap
rlm_ldap: user testuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
rlm_checkval: Item Name: NAS-IP-Address, Value: ????
rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.1
rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.2
rlm_checkval: Value Name: NAS-IP-Address, Value: 192.168.0.3
++[hostaccess] returns reject
Invalid user (rlm_checkval: This NAS-IP-Address is not allowed
for the user): [testuser/testpass] (from client localhost port 10)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 2 seconds
[...]
The "Item Name: NAS-IP-Address, Value: ????" bothered me a bit.
I don't understand what that means. I think that should show the
value from the Access-Request message, but "????" did not make
any sense. There is a value present in the request, otherwise it
would reject for a missing VP. The value is clearly there.
Now I tried changing to 'data-type = ipaddr' in the checkval
configuration, but that seems to be ignored in the source code.
The source code seems to compare only string, octet, date, and
integer and ignores other types, simply returning noop.
How should I correctly check that the NAS-IP-Address is listed in
the LDAP database's 'host' attribute?
Respectfully,
Yancey
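As an added illustration, not code from this post or from FreeRADIUS itself, the following Python model shows what the hostaccess checkval instance above is meant to enforce: the request's item-name attribute must equal one of the check-name items that rlm_ldap loaded from the multi-valued 'host' attribute, with notfound-reject deciding what happens when the request lacks the attribute. The request and check items are constructed from the post; comparing per data type (ipaddr, integer) rather than as raw text is the part the post's 'data-type' setting is about.

```python
import ipaddress

# Constructed sample data modelled on the post: the Access-Request carries
# NAS-IP-Address = 192.168.0.1, and the attrmap line
#   checkItem NAS-IP-Address host
# turns the three LDAP 'host' values into NAS-IP-Address check items.
REQUEST = {"User-Name": "testuser", "NAS-IP-Address": "192.168.0.1", "NAS-Port": "10"}
CHECK_ITEMS = [("NAS-IP-Address", "192.168.0.1"),
               ("NAS-IP-Address", "192.168.0.2"),
               ("NAS-IP-Address", "192.168.0.3")]


def normalize(value, data_type):
    """Turn a textual attribute value into a comparable object of the
    configured data-type, so the comparison is type-aware rather than a
    plain string compare. Raises ValueError if the value does not parse."""
    if data_type == "string":
        return value
    if data_type == "integer":
        return int(value)
    if data_type == "ipaddr":
        return ipaddress.IPv4Address(value)
    raise ValueError("unsupported data-type %r" % data_type)


def checkval(request, check_items, item_name, check_name, data_type,
             notfound_reject=True):
    """Model of one checkval instance (the 'hostaccess' block in the post).

    Returns 'ok' when the request attribute item_name equals any check item
    named check_name, 'reject' when it matches none of them, and 'noop'
    when there is nothing to enforce (no check items for this user, or the
    attribute is absent and notfound-reject = no)."""
    item = request.get(item_name)
    if item is None:
        return "reject" if notfound_reject else "noop"
    allowed_raw = [v for name, v in check_items if name == check_name]
    if not allowed_raw:
        return "noop"
    try:
        wanted = normalize(item, data_type)
        allowed = [normalize(v, data_type) for v in allowed_raw]
    except ValueError:
        # A value that does not parse as the configured type can never match.
        return "reject"
    return "ok" if wanted in allowed else "reject"


if __name__ == "__main__":
    print(checkval(REQUEST, CHECK_ITEMS, "NAS-IP-Address", "NAS-IP-Address", "ipaddr"))
```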