How to use checkval

Danny Kurniawan danny.kurniawan at fairchildsemi.com
Wed Mar 13 13:38:20 CET 2013


Hi Russell,

So we have LDAP auth here. At this time it works fine. But now we want to
add 2 auth, so for example like we want to check the valid user id /
password from LDAP and also the MAC address listed from the user attribute
in the LDAP.

The LDAP attributes are mapped properly:
checkItem    Called-Station-Id        radiusCalledStationId
checkItem    Calling-Station-Id        radiusCallingStationId


So the goal is to make sure that the user can only log in from his / her
company device that is associated with their user profile in LDAP. I already
made sure that the user has the attribute radiusCallingStationId set
correctly.

Thanks
Danny

On Wed, Mar 13, 2013 at 7:08 PM, Russell Mike <radius.sir at gmail.com> wrote:

> Hi Dan,
> What Reject? And MAC address listed where? Are you working around MAC
> authentication? FR MAC auth is working for me, I use CoovaChilli as NAS.
>
> 0.) MAC address would exist as user in MySQL DB or file
> 1.) Configure NAS to send MAC-Addr as username to Freeradius
> 2.) And do the following at Freeradius side.
> username="<mac address>";attribute="Auth-Type";op=":=";value="Accept"
>
> Thanks / Regards
> RM --
>
>
> On Wed, Mar 13, 2013 at 10:49 AM, Danny Kurniawan <
> danny.kurniawan at fairchildsemi.com> wrote:
>
>> Hi Russell,
>>
>> Thanks for that. However, it seems the check-name can't even be populated, as
>> you can see from my log file.
>>
>> +- entering group authorize {...}
>> ++[preprocess] returns ok
>> rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
>>
>> rlm_checkval: *Could not find attribute named *
>> *Calling-Station-Id in check pairs*
>> ++[checkval] returns notfound
>> [auth_log]      expand:
>> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
>> /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
>> [auth_log]
>> /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
>> /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
>> [auth_log]      expand: %t -> Wed Mar 13 17:47:09 2013
>>
>>
>> I checked the ldap.attrmap and it's correctly mapped to the LDAP attribute.
>>
>> So how do I make sure that Radius rejects the request when the MAC address
>> is not listed? That's what I want to achieve.
>>
>> Thanks
>> Danny
>>
>>
>> On Wed, Mar 13, 2013 at 4:51 PM, Russell Mike <radius.sir at gmail.com> wrote:
>>
>>> checkval can be helpful when you need to apply NAS-identifier &
>>> Calling-Station-Id - FR attributes.
>>>
>>> checkval calledstationid {
>>>        item-name = Called-Station-Id
>>>        check-name = Called-Station-Id
>>>        data-type = string
>>>        notfound-reject = no
>>> }
>>>
>>>
>>> checkval nasidentifier {
>>>         item-name = NAS-Identifier
>>>         check-name = NAS-Identifier
>>>         data-type = string
>>>         notfound-reject = no
>>> }
>>>
>>>
>>> Thanks / Regards
>>> RM --
>>>
>>>
>>>
>>> On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan <
>>> danny.kurniawan at fairchildsemi.com> wrote:
>>>
>>>> Hi All.
>>>>
>>>> I found this error when I enabled checkval
>>>>
>>>> rlm_checkval: Could not find attribute named Calling-Station-Id in
>>>> check pairs
>>>> ++[checkval] returns notfound
>>>> ++[expiration] returns noop
>>>>
>>>> What is the meaning of that error?
>>>>
>>>> Thanks in advance
>>>>
>>>> --
>>>> Best Regards,
>>>> Danny
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Best Regards,
>> Danny
>>
>>
>
>
>



-- 
Best Regards,
Danny
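
Added example, not part of the original message and not FreeRADIUS source code: a simplified Python model of the checkval decision, showing why the request in the quoted debug log falls through with notfound and what changes when the check item is present or notfound-reject is enabled. The function name, data layout, user name and second MAC address are constructed for illustration; that notfound-reject turns notfound into reject, and that data-type = string means an exact comparison, are assumptions of the model.

```python
# Simplified model of the rlm_checkval decision (added example, not FreeRADIUS source).
# Option names (item-name, check-name, notfound-reject) are those in the thread;
# the function name, dict layout and sample values are constructed for illustration.

def checkval(request, check_pairs, item_name, check_name, notfound_reject=False):
    """Return (rcode, reason) for one request.

    request     -- attributes sent by the NAS, e.g. Calling-Station-Id
    check_pairs -- check items loaded for the user (e.g. via LDAP checkItem
                   mappings); one attribute may carry several allowed values
    """
    # Assumption: notfound-reject = yes converts "notfound" into "reject".
    missing = "reject" if notfound_reject else "notfound"

    item = request.get(item_name)
    if item is None:
        return missing, f"Could not find item named {item_name} in request"

    allowed = check_pairs.get(check_name)
    if not allowed:
        return missing, f"Could not find attribute named {check_name} in check pairs"

    # Assumption: data-type = string is an exact compare, no MAC normalisation.
    if item in allowed:
        return "ok", "item matches a check value"
    return "reject", "item matches none of the check values"


# Constructed sample request; the MAC is the one shown in the debug log.
REQUEST = {"User-Name": "danny", "Calling-Station-Id": "A0-88-B4-0F-C3-D8"}
ATTR = "Calling-Station-Id"

def scenarios():
    return {
        # Check item never reached the check list: the logged case.
        "no_check_item": checkval(REQUEST, {}, ATTR, ATTR)[0],
        # Same situation with notfound-reject = yes.
        "no_check_item_strict": checkval(REQUEST, {}, ATTR, ATTR, True)[0],
        # Check item present and equal to the device MAC.
        "match": checkval(REQUEST, {ATTR: ["A0-88-B4-0F-C3-D8"]}, ATTR, ATTR)[0],
        # Check item present, but for a different device.
        "other_device": checkval(REQUEST, {ATTR: ["00-11-22-33-44-55"]}, ATTR, ATTR)[0],
        # Same MAC in another notation: the exact compare does not match.
        "format_differs": checkval(REQUEST, {ATTR: ["a0:88:b4:0f:c3:d8"]}, ATTR, ATTR)[0],
    }

if __name__ == "__main__":
    for name, rcode in scenarios().items():
        print(f"{name:22} -> {rcode}")
```

In the model, a missing check item only blocks the login when notfound-reject is enabled, and the stored MAC must use the same notation the NAS sends.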