Hi Alan, I tried to put that command in the /siteAvailable/Default after the LDAP called and receive this error : Expected string or numbers at: ) /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section. } I also commented back the checkval module. Thanks Danny On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <aland@deployingradius.com>wrote:
Danny Kurniawan wrote:
Hi Russel,
So we have LDAP auth here. At this time it works fine. But now we want to added 2 auth, so for example like we want to check the valid user id / password from LDAP and also the MAC address listed from the user attribute in the LDAP.
The ldap attribute mapped properly : checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId
That works. The solution then is simple. You have a Calling-Station-Id in the "control" list, and one in the request. So compare them.
authorize { ... ldap
if (control:Calling-Station-Id != "%{Calling-Station-Id"}) { ... # reject, or anything else }
... }
so the goal is to make sure that the user is only login from his / her company device that associated with their user profile in LDAP. I already make sure that the user have the attribute radiusCallingStationId set correctly.
You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a "helpful" way of ignoring the standards.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Danny