How to use checkval
Alan DeKok
aland at deployingradius.com
Wed Mar 13 14:40:11 CET 2013
Danny Kurniawan wrote:
> Hi Russel,
>
> So we have LDAP auth here. At this time it works fine. But now we want
> to add 2 auth, so for example like we want to check the valid user id
> / password from LDAP and also the MAC address listed from the user
> attribute in the LDAP.
>
> The ldap attribute mapped properly :
> checkItem Called-Station-Id radiusCalledStationId
> checkItem Calling-Station-Id radiusCallingStationId
That works. The solution then is simple. You have a
Calling-Station-Id in the "control" list, and one in the request. So
compare them.
    authorize {
        ...
        ldap
        if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
            ... # reject, or anything else
        }
        ...
    }
> so the goal is to make sure that the user only logs in from his / her
> company device that is associated with their user profile in LDAP. I
> already made sure that the user has the attribute
> radiusCallingStationId set correctly.
You also need to normalize the Calling-Station-Id in the request. Or
at least ensure that all of the NASes use the same format. Some vendors
have a "helpful" way of ignoring the standards.
Alan DeKok.
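
The normalization point above, as an added example that is not part of the original post and is not FreeRADIUS configuration: a stand-alone Python sketch of why a plain string comparison fails when NASes report the same MAC in different formats. The function names and all sample values are constructed for illustration.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 'aa-bb-cc-dd-ee-ff', or None if value is not a MAC."""
    if not value:
        return None
    # Strip the separators vendors use ('-', ':', '.', whitespace), fold case.
    digits = re.sub(r"[-:.\s]", "", value).lower()
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_allowed(ldap_value, request_value):
    """Fail closed: both values must be valid MACs and must match.

    A missing LDAP attribute or a missing/garbled Calling-Station-Id
    is treated as a mismatch, never as "nothing to check".
    """
    expected = normalize_mac(ldap_value)
    seen = normalize_mac(request_value)
    return expected is not None and expected == seen


# Constructed value standing in for the user's radiusCallingStationId.
LDAP_VALUE = "00-1a-2b-3c-4d-5e"

# Constructed samples: the same device as different NASes might report it.
SAMPLE_REQUEST_VALUES = [
    "00-1A-2B-3C-4D-5E",
    "00:1a:2b:3c:4d:5e",
    "001a.2b3c.4d5e",
    "001A2B3C4D5E",
]

if __name__ == "__main__":
    for v in SAMPLE_REQUEST_VALUES:
        # Columns: raw value, naive string match, normalized match.
        print(v, v == LDAP_VALUE, device_allowed(LDAP_VALUE, v))
```

The same canonical form has to be applied to the value stored in LDAP, otherwise the comparison in authorize still fails for correctly registered devices.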