check-item NAS-IP-Address & Calling-Station-ID with openldap

François Mehault Francois.Mehault at
Tue May 19 10:40:33 CEST 2009

Checkval with Calling-Station-Id works fine! I also want to check the IP of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value:
rlm_checkval: Value Name: Calling-Station-Id, Value:
++[station-check] returns ok

>NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why
>it came out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host port 1812, id=162, length=80
        NAS-IP-Address =
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "fmehault"
        Calling-Station-Id = ""
        User-Password = "toto"
+- entering group authorize {...}


rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My ldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
host: labobe1
radiusCheckItem: "Client-IP-Address ="

My checkval module:

checkval station-check {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = yes
}

checkval nas-check {
        item-name = Client-IP-Address
        check-name = Client-IP-Address
        data-type = ipaddr
        notfound-reject = yes
}

Thanks Ivan Kalik for your first response



-----Original Message-----
From: at [ at] On behalf of Ivan Kalik
Sent: Monday, May 11, 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-Address & Calling-Station-ID with openldap

> I want to use FreeRadius to administer network equipment. I also use
> OpenLDAP to stock information about users. FreeRADIUS and OpenLDAP are
> installed on the same server FreeBSD 7.0.
> I contact a network equipment (like catalyst cisco 2950 v12.1) with putty
> (ssh/telnet).
> I have 2 questions:
> -          Why is my calling-station-id in the request an IP and not a MAC?

Because you are using telnet/ssh. Same applies to VPN. PPPoE (wired and
wireless) request should have mac address in that field. Dial-up should
have phone number.

> -          When I authenticate on the cisco 2950, I have in my log «
> rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
>, what is the problem ???

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why
it came out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP
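
An added illustration of the advice above (not code from this thread or from FreeRADIUS): NAS-IP-Address is RADIUS attribute type 4 (RFC 2865), carried inside the packet and therefore chosen by the sender, whereas the address the packet arrived from is not a packet attribute, which matches the rad_recv dump above listing no Client-IP-Address. The Python below parses a constructed Access-Request and bases the decision on the source address; the function names, the allowed-client set and the 192.0.2.x addresses are assumptions.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # attribute type from RFC 2865

def build_access_request(attrs, ident=1):
    """Build a minimal Access-Request (code 1) from (type, bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, ident, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Yield (type, value) for each attribute, validating every length."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def check_nas_identity(packet, source_ip, allowed_clients):
    """Decide on the packet's source address; report the in-packet claim."""
    src = ipaddress.ip_address(source_ip)
    claimed = None
    for atype, value in parse_attributes(packet):
        if atype == NAS_IP_ADDRESS and len(value) == 4:
            claimed = ipaddress.IPv4Address(value)
    return {
        "source_allowed": src in allowed_clients,    # what to authorize on
        "claimed_nas_ip": claimed,                   # sender-supplied value
        "claim_matches_source": claimed == src,      # mismatch is worth logging
    }

# Constructed sample: the same packet, claiming NAS 192.0.2.10, seen from two sources.
ALLOWED = {ipaddress.ip_address("192.0.2.10")}
SAMPLE = build_access_request([
    (1, b"fmehault"),                                              # User-Name
    (NAS_IP_ADDRESS, ipaddress.IPv4Address("192.0.2.10").packed),
])
from_real_nas = check_nas_identity(SAMPLE, "192.0.2.10", ALLOWED)
from_other_host = check_nas_identity(SAMPLE, "192.0.2.50", ALLOWED)
```

A check keyed on the NAS-IP-Address attribute alone would treat both deliveries identically; only the source-address check tells them apart.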
