How to use checkval

Alan DeKok aland at
Wed Mar 13 14:40:11 CET 2013

Danny Kurniawan wrote:
> Hi Russel,
> So we have LDAP auth here. At this time it works fine. But now we want
> to add 2 auth, so for example like we want to check the valid user id
> / password from LDAP and also the MAC address listed from the user
> attribute in the LDAP.
> The ldap attribute is mapped properly:
> checkItem    Called-Station-Id        radiusCalledStationId
> checkItem    Calling-Station-Id        radiusCallingStationId

  That works.  The solution then is simple.  You have a
Calling-Station-Id in the "control" list, and one in the request.  So
compare them.

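authorize {
	# ldap must already have run here, so that the checkItem
	# mapping has put Calling-Station-Id in the control list
	if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
		reject	# or anything else
	}
}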

> so the goal is to make sure that the user only logs in from his / her
> company device that is associated with their user profile in LDAP. I
> already made sure that the user has the attribute
> radiusCallingStationId set correctly.

  You also need to normalize the Calling-Station-Id in the request.  Or
at least ensure that all of the NASes use the same format.  Some vendors
have a "helpful" way of ignoring the standards.

  Alan DeKok.
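
The normalization step mentioned above, sketched as an added example that is not part of the original post and is not FreeRADIUS configuration. The function names and MAC values are constructed for illustration; it assumes Calling-Station-Id carries a bare MAC address.

```python
import re

# Six hex octets with an optional single separator (":", "-" or ".")
# between any two octets, which covers the common NAS formats.
_MAC_RE = re.compile(r"^" + r"[-:.]?".join([r"([0-9A-Fa-f]{2})"] * 6) + r"$")


def normalize_mac(value):
    """Return the MAC as lowercase 'aa-bb-cc-dd-ee-ff', or None if not a MAC."""
    if value is None:
        return None
    m = _MAC_RE.match(value.strip())
    if not m:
        return None
    return "-".join(octet.lower() for octet in m.groups())


def device_allowed(request_csid, ldap_csid):
    """Compare the request's Calling-Station-Id with the value stored in LDAP.

    Fails closed: a missing or unparseable value on either side is a mismatch.
    """
    req = normalize_mac(request_csid)
    ref = normalize_mac(ldap_csid)
    return req is not None and req == ref


# Constructed samples: one device as different NASes might report it.
SAMPLES = [
    "00-1A-2B-3C-4D-5E",
    "00:1a:2b:3c:4d:5e",
    "001a.2b3c.4d5e",
    "001A2B3C4D5E",
]

if __name__ == "__main__":
    stored = "00:1A:2B:3C:4D:5E"  # constructed radiusCallingStationId value
    for sample in SAMPLES:
        print(sample, "->", normalize_mac(sample), device_allowed(sample, stored))
    print("not-a-mac", "->", device_allowed("not-a-mac", stored))
```

A plain string comparison of these four samples against the stored value would fail for all of them, even though they describe the same device.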
