<font face="tahoma,sans-serif">So this is the content of sites-available/default<br><br> #<br> # The ldap module will set Auth-Type to LDAP if it has not<br> # already been set<br> ldap<br><br> if (control:Calling-Station-Id != "%{Calling-Station-Id"}) <br>
{<br> reject<br> }<br><br> #<br> # Enforce daily limits on time spent logged in.<br># daily<br><br> #<br> # Use the checkval module<br># checkval<br><br></font><br>Thanks<br>Danny<br><br><div class="gmail_quote">
On Thu, Mar 14, 2013 at 1:42 PM, Danny Kurniawan <span dir="ltr"><<a href="mailto:danny.kurniawan@fairchildsemi.com" target="_blank">danny.kurniawan@fairchildsemi.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<font face="tahoma,sans-serif">Hi Alan,<br><br>I tried to put that command in the /siteAvailable/Default after the LDAP call and received this error:<br><br>Expected string or numbers at: )<br>/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.<br>
}<br><br>I also commented back the checkval module.<br><br>Thanks<br>Danny<br></font><br><div class="gmail_quote"><div class="im">On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
</div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Danny Kurniawan wrote:<br>
> Hi Russel,<br>
><br>
> So we have LDAP auth here. At this time it works fine. But now we want<br>
> to add a second auth, so for example we want to check the valid user id<br>
> / password from LDAP and also the MAC address listed in the user<br>
> attribute in the LDAP.<br>
><br>
> The ldap attributes are mapped properly:<br>
> checkItem Called-Station-Id radiusCalledStationId<br>
> checkItem Calling-Station-Id radiusCallingStationId<br>
<br>
</div> That works. The solution then is simple. You have a<br>
Calling-Station-Id in the "control" list, and one in the request. So<br>
compare them.<br>
<br>
authorize {<br>
...<br>
ldap<br>
<br>
if (control:Calling-Station-Id != "%{Calling-Station-Id"}) {<br>
... # reject, or anything else<br>
}<br>
<br>
...<br>
<div>}<br>
<br>
> so the goal is to make sure that the user only logs in from his / her<br>
> company device that is associated with their user profile in LDAP. I<br>
> already made sure that the user has the attribute<br>
> radiusCallingStationId set correctly.<br>
<br>
</div> You also need to normalize the Calling-Station-Id in the request. Or<br>
at least ensure that all of the NASes use the same format. Some vendors<br>
have a "helpful" way of ignoring the standards.<br>
<span><font color="#888888"><br>
Alan DeKok.<br>
</font></span><div><div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div><font face="tahoma, sans-serif">Best Regards,</font></div>
<div><font face="tahoma, sans-serif">Danny</font></div>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div><font face="tahoma, sans-serif">Best Regards,</font></div>
<div><font face="tahoma, sans-serif">Danny</font></div>
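Two things in the thread above are worth pinning down for anyone setting up the same MAC-binding check. First, the quoted unlang line puts the closing quote before the closing brace (<code>"%{Calling-Station-Id"}</code>), so the <code>%{...}</code> expansion is never closed and the parser stops at the <code>)</code>, which is exactly what "Expected string or numbers at: )" reports; the working spelling is <code>if (control:Calling-Station-Id != "%{Calling-Station-Id}")</code>. Second, Alan's point about normalizing the Calling-Station-Id: NASes spell the same MAC as <code>00-10-A4-23-19-C0</code>, <code>00:10:a4:23:19:c0</code> or <code>0010.a423.19c0</code>, and a plain string compare rejects two of the three. The Python below is an added illustration, not code from the thread or from FreeRADIUS; it models the authorize-section decision with plain dictionaries standing in for the request and control lists, canonicalizes every spelling to the form RFC 3580 recommends, and makes explicit one policy choice the quoted unlang condition leaves open: a user whose LDAP entry carries no radiusCallingStationId is rejected rather than waved through. The sample LDAP entry and NAS requests are constructed for the example.

```python
import re
from typing import Optional

# Canonical form recommended by RFC 3580 (section 3.21): upper-case hex,
# octets separated by "-", e.g. "00-10-A4-23-19-C0".
_HEX12 = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(value: Optional[str]) -> Optional[str]:
    """Reduce any common vendor spelling of a MAC address to the RFC 3580 form.

    Accepts "00-10-a4-23-19-c0", "00:10:A4:23:19:C0", "0010.a423.19c0",
    "0010a42319c0" and surrounding whitespace. Returns None when the value
    is not a 48-bit MAC (for example a phone number, or an empty string),
    so that callers never compare junk as if it were an address.
    """
    if value is None:
        return None
    hexdigits = re.sub(r"[-:.\s]", "", value).upper()
    if not _HEX12.match(hexdigits):
        return None
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(request: dict, control: dict) -> str:
    """Model of the authorize-section check discussed in the thread.

    `request` stands for the attributes the NAS sent; `control` stands for
    the check items the ldap module copied from the user's LDAP entry
    (radiusCallingStationId -> Calling-Station-Id). Returns "reject" when
    the device the user connects from is not the one bound to their LDAP
    profile, otherwise "continue" (let the rest of authorize run).
    """
    bound = normalize_mac(control.get("Calling-Station-Id"))
    seen = normalize_mac(request.get("Calling-Station-Id"))
    # Policy choice made explicit here (assumption of this example): a user
    # with no MAC bound in LDAP, or a NAS that sent nothing usable, is
    # rejected rather than let through.
    if bound is None or seen is None:
        return "reject"
    if bound != seen:
        return "reject"
    return "continue"


# Constructed sample data, not taken from the thread: one LDAP entry and
# the same user arriving through NASes that spell the MAC differently.
LDAP_USER = {"Calling-Station-Id": "00-10-A4-23-19-C0"}  # radiusCallingStationId
NAS_REQUESTS = {
    "rfc3580": {"User-Name": "danny", "Calling-Station-Id": "00-10-A4-23-19-C0"},
    "colons":  {"User-Name": "danny", "Calling-Station-Id": "00:10:a4:23:19:c0"},
    "cisco":   {"User-Name": "danny", "Calling-Station-Id": "0010.a423.19c0"},
    "other":   {"User-Name": "danny", "Calling-Station-Id": "00-10-A4-23-19-C1"},
    "nomac":   {"User-Name": "danny"},
}


def run_samples() -> dict:
    """Decision per sample request; only "other" and "nomac" should be rejected."""
    return {name: authorize(req, LDAP_USER) for name, req in NAS_REQUESTS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:8s} -> {decision}")
```

The normalization is the part that belongs in the RADIUS server rather than in LDAP: store one canonical spelling in radiusCallingStationId and rewrite the request attribute to that same form before the comparison runs, so that the check does not silently depend on which vendor's NAS the user happens to connect through.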