How to use checkval
Danny Kurniawan
danny.kurniawan at fairchildsemi.com
Thu Mar 14 06:42:29 CET 2013
Hi Alan,
I tried to put that command in the /siteAvailable/Default after the LDAP
call and received this error:
Expected string or numbers at: )
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
}
I also commented back the checkval module.
Thanks
Danny
On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <aland at deployingradius.com> wrote:
> Danny Kurniawan wrote:
> > Hi Russel,
> >
> > So we have LDAP auth here. At this time it works fine. But now we want
> > to add 2 auth, so for example we want to check the valid user id
> > / password from LDAP and also the MAC address listed from the user
> > attribute in the LDAP.
> >
> > The ldap attribute mapped properly :
> > checkItem Called-Station-Id radiusCalledStationId
> > checkItem Calling-Station-Id radiusCallingStationId
>
> That works. The solution then is simple. You have a
> Calling-Station-Id in the "control" list, and one in the request. So
> compare them.
>
> authorize {
>     ...
>     ldap
>
>     if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
>         ... # reject, or anything else
>     }
>
>     ...
> }
>
> > so the goal is to make sure that the user only logs in from his / her
> > company device that is associated with their user profile in LDAP. I
> > have already made sure that the user has the attribute
> > radiusCallingStationId set correctly.
>
> You also need to normalize the Calling-Station-Id in the request. Or
> at least ensure that all of the NASes use the same format. Some vendors
> have a "helpful" way of ignoring the standards.
>
> Alan DeKok.
--
Best Regards,
Danny
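
The normalization step Alan mentions, as an added example (not part of the thread and not FreeRADIUS configuration): Python that reduces the Calling-Station-Id formats different NASes send to one canonical form before comparing with the value stored in LDAP. The function names and the sample MAC addresses are constructed for illustration.

```python
import re

# Constructed samples: one MAC address written the way different NASes may send it.
SAMPLES = [
    "00-1A-2B-3C-4D-5E",   # upper-case, hyphen separated
    "00:1a:2b:3c:4d:5e",   # lower-case, colon separated
    "001a.2b3c.4d5e",      # dotted groups of four
    "001A2B3C4D5E",        # no separators
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return the MAC as lower-case 'aa-bb-cc-dd-ee-ff', or None if it is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", (value or "").strip().lower())
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_allowed(request_csid, control_csid):
    """Compare the request value with the one stored for the user (the "control" value)."""
    req = normalize_mac(request_csid)
    ctl = normalize_mac(control_csid)
    # Fail closed: a missing or unparsable value on either side never matches.
    return req is not None and req == ctl


if __name__ == "__main__":
    stored = "00:1A:2B:3C:4D:5E"          # constructed LDAP value
    for sent in SAMPLES + ["00-1A-2B-3C-4D-5F", ""]:
        raw_equal = (sent == stored)       # what a plain string comparison would see
        print(f"{sent!r:22} raw={raw_equal!s:5} normalized={device_allowed(sent, stored)}")
```

A plain string comparison only matches when the NAS happens to use the same format as the stored attribute; the normalized comparison matches every format of the same address and still rejects a different or empty one.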