How to use checkval

Danny Kurniawan danny.kurniawan at fairchildsemi.com
Wed Mar 13 15:56:46 CET 2013


Thanks Alan, let me try that. So basically you are also saying that I don't
need to enable / use the checkval module in sites-available/default?

So the goal here is to have 802.1X PEAP + MAC authentication at the same
time. The user connects to the wireless AP and is prompted for user name and
password, then the information is passed over to RADIUS, which queries the
LDAP for username, password and MAC (or what we call radiusCallingStationId
in the user profile attribute).

Thanks a lot
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <aland at deployingradius.com> wrote:

> Danny Kurniawan wrote:
> > Hi Russel,
> >
> > So we have LDAP auth here. At this time it works fine. But now we want
> > to add 2 auth, so for example we want to check the valid user id
> > / password from LDAP and also the MAC address listed in the user
> > attribute in the LDAP.
> >
> > The LDAP attributes are mapped properly:
> > checkItem    Called-Station-Id        radiusCalledStationId
> > checkItem    Calling-Station-Id        radiusCallingStationId
>
>   That works.  The solution then is simple.  You have a
> Calling-Station-Id in the "control" list, and one in the request.  So
> compare them.
>
> authorize {
>         ...
>         ldap
>
>         if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
>                 ... # reject, or anything else
>         }
>
>         ...
> }
>
> > So the goal is to make sure that the user only logs in from his / her
> > company device that is associated with their user profile in LDAP. I
> > already made sure that the user has the attribute
> > radiusCallingStationId set correctly.
>
>   You also need to normalize the Calling-Station-Id in the request.  Or
> at least ensure that all of the NASes use the same format.  Some vendors
> have a "helpful" way of ignoring the standards.
>
>   Alan DeKok.



-- 
Best Regards,
Danny
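
The normalization point from the quoted reply, as an added example that is not part of the original thread and is not FreeRADIUS configuration: a Python sketch that reduces the Calling-Station-Id from the request and the value stored in LDAP to one canonical form before comparing them, and rejects when either side does not parse. The function names and the sample MAC strings are constructed for illustration.

```python
import re

# Twelve hex digits once every separator has been stripped.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return the MAC as AA-BB-CC-DD-EE-FF, or None if it is not a MAC."""
    if not value:
        return None
    # NASes send colons, hyphens, Cisco-style dots, or no separator at all.
    digits = re.sub(r"[\s:.\-]", "", value).lower()
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def mac_allowed(request_csid, ldap_csid):
    """True only if both values parse and name the same device."""
    req = normalize_mac(request_csid)
    ref = normalize_mac(ldap_csid)
    if req is None or ref is None:
        # Fail closed: a missing or malformed value never matches,
        # so an empty LDAP attribute cannot authorize every device.
        return False
    return req == ref


if __name__ == "__main__":
    stored = "00-1A-2B-3C-4D-5E"          # constructed LDAP value
    samples = [                            # constructed request values
        "00:1a:2b:3c:4d:5e",
        "001a.2b3c.4d5e",
        "001A2B3C4D5E",
        "00:1a:2b:3c:4d:5f",               # different device
        "00:1a:2b:3c:4d",                  # truncated
        "",                                # attribute absent
    ]
    for s in samples:
        print(repr(s), normalize_mac(s), mac_allowed(s, stored))
```

A plain string comparison of the first three sample values against the stored one would reject all of them, even though they name the same device.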