I have read all the man pages and /docs and am having a difficult time understanding the authorization. I keep wanting to write "if...elseif...else" stuff but I'm pretty sure that doesn't apply to FreeRADIUS config files.
In the radiusd.conf there is documentation on how to use checkval to compare against caller-id. That's exactly what I want to do, but I can't figure out how to *use* it.
Let's say I have 2 groups: students and faculty.
I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:StudentWLAN$/"
I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:FacultyWLAN$/"
All my users are authenticated against LDAP. If the user enters the correct username/password (as accepted by LDAP), the user should be able to associate to the WLAN, but only to the WLAN of which he/she is allowed. Students can connect to the StudentWLAN; Faculty can connect to the FacultyWLAN.
How would I configure the checkval module? Is it even necessary to use the checkval module? How would I conifgure the users file? Is the users file even necessary?
Just to show what I've got config'd at the moment... Using the config below, I am able to successfully allow users to join the WLAN using WPA and EAP-PEAP from Windows XP SP2. But again, the user should not be able to join just any ol' LAN.
If anyone has any experience with using checkval or doing caller-id type activities, I'd love to read how you did it!
P.S. I don't know who to direct compliments to, but the FreeRADIUS code is probably the most beautifully structured source code I have ever read. It is SO easy to read and extremely consistent! It's phenomenal! And no, I can't answer my question myself just cuz I read the code... ;) But it's helped me to get this far!!
authorize {
# for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
preprocess
eap
files
ldap
checkval
}
authenticate {
# for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
Auth-Type MS-CHAP {
mschap
}
eap
}
modules {
mschap {
authtype = MS-CHAP
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = no
}
ldap {
<snip>
}
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
tls {
private_key_password = <snip>
private_key_file = /etc/1x/server.pem
certificate_file = /etc/1x/server.pem
CA_file = /etc/1x/root.pem
dh_file = /etc/1x/DH
random_file = /etc/1x/random
include_length = yes
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}
}
I have NOTHING in users at this moment.