Danny Kurniawan wrote:
Hi Russel,
So we have LDAP auth here. At this time it works fine. But now we want to added 2 auth, so for example like we want to check the valid user id / password from LDAP and also the MAC address listed from the user attribute in the LDAP.
The ldap attribute mapped properly : checkItem Called-Station-Id radiusCalledStationId checkItem Calling-Station-Id radiusCallingStationId
That works. The solution then is simple. You have a Calling-Station-Id in the "control" list, and one in the request. So compare them. authorize { ... ldap if (control:Calling-Station-Id != "%{Calling-Station-Id"}) { ... # reject, or anything else } ... }
so the goal is to make sure that the user is only login from his / her company device that associated with their user profile in LDAP. I already make sure that the user have the attribute radiusCallingStationId set correctly.
You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a "helpful" way of ignoring the standards. Alan DeKok.