Question about Freeradius for mobile device authentication
jjans at bio.vu.nl
Fri Aug 5 17:03:20 CEST 2005
Thanks for your reply and sorry for my sluggishness in getting
back to you with more info...
Alan DeKok [aland at ox.org] wrote:
> Yes. The server allows you nearly unlimited control over what to
> look for, and what to do when it finds data of interest.
That is good to know :)
> Your description is useful, but still a little vague. You describe
> what you want, but not how the data is seen by the RADIUS server
> (i.e. attributes).
Ok.. lets give this an other shot.. the setup I'm building is to
authenticate/authorize and account mobile users.
The user will specify his username (User-Name), his password
(User-Password) and the NAS is also configured to send the
MS-ISDN to the radius server which I'm told is send using
Now the way I want this to work is that as soon as a request comes
in from the NAS the radius server will check Calling-Station-ID
against a list of known values and if no match is found it denies
If a match is found it will go on to check for a valid username
and password combination. If none is found it should reject the
session. If a match is found it should reply with the proper
In an ideal situation I'd like to use realms and bind a group of
known Calling-Station-ID's to a specific realm. If this is not possible
than a generic list of Calling-Station-ID's for all users will also
work but is the less preferred solution.
So if I go thru the steps I get..
1. Check realm
a) no realm - reject
b) realm found go to 2
2. Check Calling-Station-ID
a) no match found for this realm - reject
b) match - go to 3
3. Check user+pass
a) no match - reject
b) match - return attribs for user
So in this situation:
- known cli's 1111,1112,1113
- known users moo at test1 w/ pass moo
- known cli's 2222,2223,2224
- known users bla at test2 w/ pass bla
If moo at test1 tries to login with pass of moo coming from cli 1111-1113
he is allow - any other cli will not be allowed.
I was the rlm_checkval module.. is this what I would use for this?
A sample configuration and users file entry would be really appreciated.
I hope this helps to clarify the issue,
More information about the Freeradius-Users