How to use checkval

Danny Kurniawan danny.kurniawan at fairchildsemi.com
Thu Mar 14 06:44:35 CET 2013


So this is the content of sites-available/default

    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap

    if (control:Calling-Station-Id != "%{Calling-Station-Id"})
    {
        reject
    }

    #
    #  Enforce daily limits on time spent logged in.
#    daily

    #
    # Use the checkval module
#    checkval


Thanks
Danny

On Thu, Mar 14, 2013 at 1:42 PM, Danny Kurniawan <
danny.kurniawan at fairchildsemi.com> wrote:

> Hi Alan,
>
> I tried to put that command in the /siteAvailable/Default after the LDAP
> call and received this error:
>
> Expected string or numbers at: )
> /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
>  }
>
> I also commented back the checkval module.
>
> Thanks
> Danny
>
> On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
>> Danny Kurniawan wrote:
>> > Hi Russel,
>> >
>> > So we have LDAP auth here. At this time it works fine. But now we want
>> > to add 2 auth, so for example we want to check the valid user id
>> > / password from LDAP and also the MAC address listed from the user
>> > attribute in the LDAP.
>> >
>> > The ldap attributes are mapped properly:
>> > checkItem    Called-Station-Id        radiusCalledStationId
>> > checkItem    Calling-Station-Id        radiusCallingStationId
>>
>>   That works.  The solution then is simple.  You have a
>> Calling-Station-Id in the "control" list, and one in the request.  So
>> compare them.
>>
>> authorize {
>>         ...
>>         ldap
>>
>>         if (control:Calling-Station-Id != "%{Calling-Station-Id"}) {
>>                 ... # reject, or anything else
>>         }
>>
>>         ...
>> }
>>
>> > so the goal is to make sure that the user only logs in from his / her
>> > company device that is associated with their user profile in LDAP. I
>> > already made sure that the user has the attribute
>> > radiusCallingStationId set correctly.
>>
>>   You also need to normalize the Calling-Station-Id in the request.  Or
>> at least ensure that all of the NASes use the same format.  Some vendors
>> have a "helpful" way of ignoring the standards.
>>
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> Best Regards,
> Danny
>



-- 
Best Regards,
Danny
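
The normalization point raised in the quoted reply (NASes send Calling-Station-Id in different formats), as an added example that is not part of the original thread and is not FreeRADIUS configuration: a Python sketch of the compare-after-normalize logic, which rejects when either value is missing or unparseable. The function names and the sample MAC values are assumptions constructed for illustration.

```python
import re

# Twelve hex digits, optionally separated by ':', '-' or '.' in any grouping:
# aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, aabbccddeeff
_MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:.\-]?[0-9a-f]{2}){5}", re.IGNORECASE)


def normalize_mac(value):
    """Return the MAC as lowercase 'aa-bb-cc-dd-ee-ff', or None if unparseable."""
    if value is None:
        return None
    value = value.strip()
    if not _MAC_RE.fullmatch(value):
        return None
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_allowed(ldap_value, request_value):
    """Compare the MAC stored in LDAP with the one the NAS sent.

    Fails closed: a missing or malformed value on either side is a reject,
    so an empty attribute can never match another empty attribute.
    """
    stored = normalize_mac(ldap_value)
    sent = normalize_mac(request_value)
    if stored is None or sent is None:
        return False
    return stored == sent


if __name__ == "__main__":
    # Constructed sample: value stored in radiusCallingStationId
    ldap_mac = "00:1A:2B:3C:4D:5E"
    # Constructed samples: the same device as different NAS vendors might send it,
    # followed by a different device, an empty value and a malformed value
    samples = ("00-1a-2b-3c-4d-5e", "001a.2b3c.4d5e", "001A2B3C4D5E",
               "00:1a:2b:3c:4d:5f", "", "not-a-mac")
    for nas_value in samples:
        verdict = "accept" if device_allowed(ldap_mac, nas_value) else "reject"
        print(f"{nas_value!r:22} -> {verdict}")
```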