So this the content of sites-available/default # # The ldap module will set Auth-Type to LDAP if it has not # already been set ldap if (control:Calling-Station-Id != "%{Calling-Station-Id"}) { reject } # # Enforce daily limits on time spent logged in. # daily # # Use the checkval module # checkval Thanks Danny On Thu, Mar 14, 2013 at 1:42 PM, Danny Kurniawan < danny.kurniawan@fairchildsemi.com> wrote:
Hi Alan,
I tried to put that command in the /siteAvailable/Default after the LDAP called and receive this error :
Expected string or numbers at: ) /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section. }
I also commented back the checkval module.
Thanks Danny
On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <aland@deployingradius.com>wrote:
Danny Kurniawan wrote:
Hi Russel,
So we have LDAP auth here. At this time it works fine. But now we want to added 2 auth, so for example like we want to check the valid user id / password from LDAP and also the MAC address listed from the user attribute in the LDAP.
The ldap attribute mapped properly : checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId
That works. The solution then is simple. You have a Calling-Station-Id in the "control" list, and one in the request. So compare them.
authorize { ... ldap
if (control:Calling-Station-Id != "%{Calling-Station-Id"}) { ... # reject, or anything else }
... }
so the goal is to make sure that the user is only login from his / her company device that associated with their user profile in LDAP. I already make sure that the user have the attribute radiusCallingStationId set correctly.
You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a "helpful" way of ignoring the standards.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Regards, Danny
-- Best Regards, Danny