Thanks for the reply. Here are some examples of our VSA attributes: Type Length Vendor-Id Vendor-type Vendor-length Value Attr1 26 <length> 3456 100 <len> foo Attr2 26 <length> 3456 200 <len> bar The goal is we can configure Freeradius server so that in addition to user/password check: - server reads all the VSA; - for any VSA whose Vendor-Id is 3456, - when Vendor-type is "100", the value must be "foo"; "200", "bar". - If all above checks are good, sends back accept message; otherwise reject message. Our RADIUS client inserts the above to the access request message, currently freeradius debug output does not mention these attributes. I need to somehow configure the server and hence ask the question. I am also updating the system to use later version freeradius. -----Original Message----- From: Alan DeKok <aland@deployingradius.com> Sent: Saturday, March 10, 2018 3:50 AM To: Jibin Han <J.Han@F5.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to configure freeradius server to authenticate VSA attribute EXTERNAL MAIL: aland@deployingradius.com On Mar 10, 2018, at 1:13 AM, Jibin Han via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am using freeradius v2.1.12
You should really use 2.2.10 at least.
on Ubuntu 16.04, I need to configure it so that it will authenticate the incoming RADIUS messages based on their Vendor Specific Attributes. I looked over freeradius.org, it is not clear how to do that, hence ask people in this group.
Here are the details -
1. We have an in-house developed RADIUS client software which creates a RADIUS access request message and sends to freeradius server. 2. The configuration of freeradius server is ready: when the client message has the right user/password, we can receive accept message; otherwise reject message. The authentication is PAP. 3. Now we insert VSA attribute: the code is 26, the vendor id is our vendor's ID and the custom name and value. 4. Our goal is, make freeradius server authenticate not only user/password, but also this VSA - when an invalid name/value are put into VSA, freeradius sends reject message.
You don't "authenticate" the VSA. You just check it's value.
I check out dictionary, but that seems just some name mapping, I do not think it authenticate attributes.
The dictionary defines attributes. The configuration files tell the server how to process packets.
Could you point me the direction how this could be done and preferably with some examples?
How about giving *us* some examples? What do these attributes look like? What do you want to compare them with? Hint: debug output is infinitely better than vague descriptions.
I can upgrade to freeradius v3 if it is required.
You can probably do it in v2. You jut need to *describe* what you want to do. Alan DeKok.