I have just installed 2.05 and have successfully linked to my ldap server. I would like to build in MAC address checking on top of the user name / password auth. I read some docs and concluded that I could change access_attr = to use radiusCallingStationId. I set the value of this in LDAP to that which I could see in the debug output; Calling-Station-Id = "0019E3021FD8". The user happily logged in, however when I changed the value he could still log in! Now I am guessing that this attribute is only checked for presence within the user profile rather than checking if they match. Is there a way of getting Radius to check that the Calling-Station-Id matches radiusCallingStationId before access is allowed? I have read the ldap docs and not been able to find what I am looking for. Many thanks, Neil. -- Neil Marjoram Systems Manager Adastral Park Campus University College London Ross Building Adastral Park Martlesham Heath Ipswich - Suffolk IP5 3RE Tel: 01473 663711 Fax: 01473 635199 Reclaim Your Inbox! http://www.mozilla.org/products/thunderbird
Neil Marjoram wrote:
I have just installed 2.05 and have successfully linked to my ldap server. I would like to build in MAC address checking on top of the user name / password auth. ... Is there a way of getting Radius to check that the Calling-Station-Id matches radiusCallingStationId before access is allowed? I have read the ldap docs and not been able to find what I am looking for.
Don't set "compare_check_items" in the LDAP configuration. It's supposed to work, but there are pending bugs. You can do an LDAP query directly in unlang: ... if ("%{ldap: ... query ...}" != "%{Calling-Station-Id}") { reject } ... You'll have to edit the LDAP query for your local system... Alan DeKok.
participants (2)
-
Alan DeKok -
Neil Marjoram