Hi Alan,

I tried to put that command in the /siteAvailable/Default after the LDAP called and receive this error :

Expected string or numbers at: )
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
 }

I also commented back the checkval module.

Thanks
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <aland@deployingradius.com> wrote:
Danny Kurniawan wrote:
> Hi Russel,
>
> So we have LDAP auth here. At this time it works fine. But now we want
> to added 2 auth, so for example like we want to check the valid user id
> / password from LDAP and also the MAC address listed from the user
> attribute in the LDAP.
>
> The ldap attribute mapped properly :
> checkItem    Called-Station-Id        radiusCalledStationId
> checkItem    Calling-Station-Id        radiusCallingStationId

  That works.  The solution then is simple.  You have a
Calling-Station-Id in the "control" list, and one in the request.  So
compare them.

authorize {
        ...
        ldap

        if (control:Calling-Station-Id != "%{Calling-Station-Id"}) {
                ... # reject, or anything else
        }

        ...
}

> so the goal is to make sure that the user is only login from his / her
> company device that associated with their user profile in LDAP. I
> already make sure that the user have the attribute
> radiusCallingStationId set correctly.

  You also need to normalize the Calling-Station-Id in the request.  Or
at least ensure that all of the NASes use the same format.  Some vendors
have a "helpful" way of ignoring the standards.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Best Regards,
Danny