check-item NAS-IP-ADdress & Calling-Station-ID with openldap

François Mehault Francois.Mehault at netplus.fr
Tue May 19 10:40:33 CEST 2009


Checkval with Calling-Station-Id works fine! And I also want to check the IP of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
++[station-check] returns ok

>NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it
>came out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, length=80
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "fmehault"
        Calling-Station-Id = "192.168.0.80"
        User-Password = "toto"
+- entering group authorize {...}

[...]

rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My LDAP entry:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
radiusNASIpAddress: 192.168.0.50
host: labobe1
radiusCheckItem: "Client-IP-Address = 192.168.0.50"
radiusCallingStationId: 192.168.0.80


My checkval modules:

checkval station-check {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
        notfound-reject = yes
}

checkval nas-check {
        item-name = Client-IP-Address
        check-name = Client-IP-Address
        data-type = ipaddr
        notfound-reject = yes
}

Thanks, Ivan Kalik, for your first response.

Regards,

François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of Ivan Kalik
Sent: Monday, May 11, 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress & Calling-Station-ID with openldap

> I want to use FreeRADIUS to administer network equipment. I also use
> OpenLDAP to store information about users. FreeRADIUS and OpenLDAP are
> installed on the same FreeBSD 7.0 server.
> I connect to network equipment (like a Cisco Catalyst 2950 v12.1) with PuTTY
> (ssh/telnet).
>
> I have 2 questions:
>
>
> -          Why is my Calling-Station-Id in the request an IP and not a
> MAC?

Because you are using telnet/ssh. The same applies to VPN. PPPoE (wired and
wireless) requests should have the MAC address in that field. Dial-up should
have the phone number.

>
> -          When I authenticate on the Cisco 2950, I have in my log «
> rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
> 192.168.0.50; what is the problem?
>

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why it
came out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP
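To make the two module results in this thread reproducible, here is an added example (mine, not code from the post, from rlm_checkval or from FreeRADIUS) that parses the rad_recv dump quoted above, parses check items of the `radiusCheckItem` form, and models one checkval call in the order the debug output shows: the request item is looked up first, then the check pair, and a missing check pair yields `notfound` even with `notfound-reject = yes`, which is exactly what `++[nas-check] returns notfound` shows. The function names, the `RAD_RECV_DUMP`/`MISMATCHED_DUMP`/`LDAP_CHECK_ITEMS` samples and the mapping of LDAP attributes to check items are assumptions. `source_matches_nas_ip` compares the packet's `from host` address with the NAS-IP-Address the NAS claims, which is my reading of the advice to prefer the client's real address over an attribute the NAS fills in itself.

```python
import ipaddress
import re

# Constructed sample: the Access-Request dump quoted in the post (radiusd -X output).
RAD_RECV_DUMP = """\
rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, length=80
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Type = Virtual
        User-Name = "fmehault"
        Calling-Station-Id = "192.168.0.80"
        User-Password = "toto"
+- entering group authorize {...}
"""

# Constructed sample: the same dump with a UDP source that does not agree with the
# NAS-IP-Address the NAS claims (used only to exercise the source-address check).
MISMATCHED_DUMP = RAD_RECV_DUMP.replace("from host 192.168.0.50", "from host 10.9.9.9")

# Constructed sample: check items as they would reach the module after the LDAP
# lookup. Which LDAP attribute becomes which check item is an assumption here
# (ldap.attrmap decides that on a real server; the post does not show it).
LDAP_CHECK_ITEMS = [
    "Calling-Station-Id = 192.168.0.80",
    "NAS-IP-Address = 192.168.0.50",
]

# The two module definitions from the post's checkval configuration.
CHECKVAL_MODULES = {
    "station-check": dict(item_name="Calling-Station-Id", check_name="Calling-Station-Id",
                          data_type="string", notfound_reject=True),
    "nas-check": dict(item_name="Client-IP-Address", check_name="Client-IP-Address",
                      data_type="ipaddr", notfound_reject=True),
}

HEADER_RE = re.compile(r"^rad_recv: .* from host (\S+) port (\d+), id=(\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")


def parse_rad_recv(dump):
    """Return (source_host, attrs) for one rad_recv dump: source_host is the UDP
    source the server saw on the wire, attrs are the attributes inside the packet,
    every one of which the NAS chose itself."""
    source_host, attrs = None, {}
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            source_host = m.group(1)
            continue
        m = ATTR_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # string attributes are printed quoted
            attrs[name] = value
    return source_host, attrs


def parse_check_items(items):
    """Parse 'Name = value' check items; quotes around the value are optional."""
    pairs = {}
    for item in items:
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed check item: {item!r}")
        pairs[name.strip()] = value.strip().strip('"')
    return pairs


def values_match(data_type, request_value, check_value):
    """Compare two values according to the module's data-type."""
    if data_type == "ipaddr":
        try:
            return ipaddress.ip_address(request_value) == ipaddress.ip_address(check_value)
        except ValueError:               # e.g. a hostname where an address was expected
            return False
    return request_value == check_value


def checkval(request_attrs, check_pairs, item_name, check_name, data_type, notfound_reject):
    """Model of one checkval call (my reading of the post's debug output, not the
    module's source): request item first, then check pair; a missing check pair
    gives notfound even when notfound-reject = yes."""
    result = "ok"
    item_value = request_attrs.get(item_name)
    if item_value is None:
        result = "reject" if notfound_reject else "notfound"
    check_value = check_pairs.get(check_name)
    if check_value is None:
        return "notfound"
    if item_value is None:
        return result
    return "ok" if values_match(data_type, item_value, check_value) else "reject"


def run_checkval_modules(dump, ldap_items, modules=CHECKVAL_MODULES):
    """Run every configured module against the dump; returns {module: result}."""
    _, request_attrs = parse_rad_recv(dump)
    check_pairs = parse_check_items(ldap_items)
    return {name: checkval(request_attrs, check_pairs, **cfg) for name, cfg in modules.items()}


def source_matches_nas_ip(dump):
    """Does the address the packet really came from agree with the NAS-IP-Address
    the NAS put in it? The attribute is whatever the NAS sends; the UDP source
    address is what the server observed."""
    source_host, attrs = parse_rad_recv(dump)
    claimed = attrs.get("NAS-IP-Address")
    if source_host is None or claimed is None:
        return False
    return values_match("ipaddr", source_host, claimed)


if __name__ == "__main__":
    for name, result in run_checkval_modules(RAD_RECV_DUMP, LDAP_CHECK_ITEMS).items():
        print(f"++[{name}] returns {result}")
    print("packet source agrees with NAS-IP-Address:", source_matches_nas_ip(RAD_RECV_DUMP))
```

Running it prints `++[station-check] returns ok` and `++[nas-check] returns notfound`, the same pair of results the debug output above shows: the second module never finds a `Client-IP-Address` either in the request dump or among the check items built from the LDAP entry, so the `notfound-reject = yes` setting never gets a chance to act.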
