Authorization

Stefan Adams stefan at borgia.com
Mon Dec 19 07:43:51 CET 2005


I have read all the man pages and /docs and am having a difficult time
understanding the authorization.  I keep wanting to write
"if...elseif...else" stuff but I'm pretty sure that doesn't apply to
FreeRADIUS config files.

In the radiusd.conf there is documentation on how to use checkval to compare
against caller-id.  That's exactly what I want to do, but I can't figure out
how to *use* it.

Let's say I have 2 groups: students and faculty.
I want to authorize authenticated members of the LDAP group
cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~
"/:StudentWLAN$/"
I want to authorize authenticated members of the LDAP group
cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~
"/:FacultyWLAN$/"

All my users are authenticated against LDAP.  If the user enters the correct
username/password (as accepted by LDAP), the user should be able to
associate to the WLAN, but only to the WLAN of which he/she is allowed.
Students can connect to the StudentWLAN; Faculty can connect to the
FacultyWLAN.

How would I configure the checkval module?  Is it even necessary to use the
checkval module?  How would I configure the users file?  Is the users file
even necessary?

Just to show what I've got config'd at the moment...  Using the config
below, I am able to successfully allow users to join the WLAN using WPA and
EAP-PEAP from Windows XP SP2.  But again, the user should not be able to
join just any ol' LAN.

If anyone has any experience with using checkval or doing caller-id type
activities, I'd love to read how you did it!

P.S.  I don't know who to direct compliments to, but the FreeRADIUS code is
probably the most beautifully structured source code I have ever read.  It
is SO easy to read and extremely consistent!  It's phenomenal!  And no, I
can't answer my question myself just cuz I read the code...  ;)  But it's
helped me to get this far!!

authorize {
        # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
        preprocess
        eap
        files
        ldap
        checkval
}
authenticate {
        # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
modules {
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = no
        }
        ldap {
              <snip>
        }
        eap {
                default_eap_type = peap
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                tls {
                        private_key_password = <snip>
                        private_key_file = /etc/1x/server.pem
                        certificate_file = /etc/1x/server.pem
                        CA_file = /etc/1x/root.pem
                        dh_file = /etc/1x/DH
                        random_file = /etc/1x/random
                        include_length = yes
                }
                peap {
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
}

I have NOTHING in users at this moment.
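A users-file sketch of the policy the post describes. This is an added example, not from the original message or from the FreeRADIUS project; it assumes the ldap module is configured for group membership lookups so that the Ldap-Group check item resolves, that the group name is compared against the cn value, and that the access points send Called-Station-Id as "<AP-MAC>:<SSID>":

```text
# Constructed example for the users file, not from the original post.
# Assumes rlm_ldap is configured for group membership so that
# "Ldap-Group" works as a check item, and that it compares the group's cn.
# Called-Station-Id from WLAN gear is typically "<AP-MAC>:<SSID>", hence
# the anchored ":SSID$" patterns (no surrounding slashes in this syntax).

# Students: valid LDAP credentials AND the request arrived on StudentWLAN
DEFAULT Ldap-Group == "students", Called-Station-Id =~ ":StudentWLAN$"

# Faculty: valid LDAP credentials AND the request arrived on FacultyWLAN
DEFAULT Ldap-Group == "faculty", Called-Station-Id =~ ":FacultyWLAN$"

# Everything else (right password but wrong SSID, or no matching group)
# is rejected.  Without this final entry a user who authenticates against
# LDAP but matches neither line above would still be accepted, which is
# the "any ol' LAN" behaviour the post wants to avoid.
DEFAULT Auth-Type := Reject
        Reply-Message = "Not permitted on this WLAN"
```

The first DEFAULT entry whose check items all match wins and, with no Fall-Through, ends processing of the file, so the reject line must come last. Running the server in debug mode (radiusd -X) shows which entry matched and the Called-Station-Id value the access point actually sends, which is worth confirming before relying on the anchored patterns.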