Question about Freeradius for mobile device authentication

Jasper Jans jjans at bio.vu.nl
Fri Aug 5 17:03:20 CEST 2005


Alan,

Thanks for your reply and sorry for my sluggishness in getting
back to you with more info...

Alan DeKok [aland at ox.org] wrote:
 
>   Yes.  The server allows you nearly unlimited control over what to
> look for, and what to do when it finds data of interest.

That is good to know :)
 
>   Your description is useful, but still a little vague.  You describe
> what you want, but not how the data is seen by the RADIUS server
> (i.e. attributes).

Ok.. let's give this another shot.. the setup I'm building is to
authenticate/authorize and account mobile users.
The user will specify his username (User-Name), his password
(User-Password) and the NAS is also configured to send the
MS-ISDN to the radius server which I'm told is sent using
Calling-Station-ID.

Now the way I want this to work is that as soon as a request comes
in from the NAS the radius server will check Calling-Station-ID
against a list of known values and if no match is found it denies
the request.

If a match is found it will go on to check for a valid username
and password combination. If none is found it should reject the
session. If a match is found it should reply with the proper
attributes.

In an ideal situation I'd like to use realms and bind a group of
known Calling-Station-ID's to a specific realm. If this is not possible
then a generic list of Calling-Station-ID's for all users will also
work but is the less preferred solution.

So if I go thru the steps I get..

1. Check realm
	a) no realm - reject
	b) realm found go to 2

2. Check Calling-Station-ID
	a) no match found for this realm - reject
	b) match - go to 3

3. Check user+pass
	a) no match - reject
	b) match - return attribs for user

So in this situation:

realm test1:
	- known cli's 1111,1112,1113
	- known users moo at test1 w/ pass moo

realm test2:
	- known cli's 2222,2223,2224
	- known users bla at test2 w/ pass bla

If moo at test1 tries to login with pass of moo coming from cli 1111-1113
he is allowed - any other cli will not be allowed.

I saw the rlm_checkval module.. is this what I would use for this?

A sample configuration and users file entry would be really appreciated.

I hope this helps to clarify the issue,


Thanks,

 - Jasper
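
The three-step decision order described in the message above, modelled as an added Python example; it is not part of the original post and is not FreeRADIUS configuration. It assumes the realm is the suffix after "@" in User-Name, and the `REALMS` table and `authorize` function are hypothetical names built from the test1/test2 scenario.

```python
import hmac

# Constructed sample data, taken from the test1/test2 scenario in the message.
REALMS = {
    "test1": {"clis": {"1111", "1112", "1113"}, "users": {"moo": "moo"}},
    "test2": {"clis": {"2222", "2223", "2224"}, "users": {"bla": "bla"}},
}


def authorize(request):
    """Return (code, reason); the reason is for the server log, not the reply."""
    # Assumption: realm is the part after the last "@" in User-Name.
    local, sep, realm = request.get("User-Name", "").rpartition("@")

    # Step 1: a realm must be present and known.
    if not sep or realm not in REALMS:
        return ("Access-Reject", "unknown or missing realm")
    policy = REALMS[realm]

    # Step 2: Calling-Station-Id must be on this realm's list. The value is
    # whatever the NAS reports, so a missing attribute is rejected as well.
    cli = request.get("Calling-Station-Id")
    if cli is None or cli.strip() not in policy["clis"]:
        return ("Access-Reject", "Calling-Station-Id not allowed for realm")

    # Step 3: user must exist in this realm; password compared in constant time.
    expected = policy["users"].get(local)
    supplied = request.get("User-Password", "")
    if expected is None or not hmac.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return ("Access-Reject", "bad user or password")

    return ("Access-Accept", "ok")


if __name__ == "__main__":
    # Constructed requests: same credentials, allowed and disallowed caller.
    for cli in ("1111", "2222"):
        req = {"User-Name": "moo@test1", "User-Password": "moo",
               "Calling-Station-Id": cli}
        print(cli, authorize(req))
```

Because the Calling-Station-Id check runs before the password check, a request from an unlisted number is rejected without the credentials being evaluated at all.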



