Thanks Alan, let me try that. So basically you are also saying that I don't
need to enable / use the checkval module in sites-available/default?

So the goal here is to have 802.1X PEAP + MAC authentication at the same
time. The user connects to the wireless AP and is prompted for a username and
password; then the information is passed over to RADIUS, which queries LDAP
for the username, password and MAC (or what we call radiusCallingStationId in
the user profile attribute).

Thanks a lot
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <al...@deployingradius.com> wrote:

> Danny Kurniawan wrote:
> > Hi Russel,
> >
> > So we have LDAP auth here. At this time it works fine. But now we want
> > to add a second auth, so for example we want to check the valid user id
> > / password from LDAP and also the MAC address listed in the user
> > attribute in LDAP.
> >
> > The ldap attribute mapped properly :
> > checkItem    Called-Station-Id        radiusCalledStationId
> > checkItem    Calling-Station-Id        radiusCallingStationId
>
>   That works.  The solution then is simple.  You have a
> Calling-Station-Id in the "control" list, and one in the request.  So
> compare them.
>
> authorize {
>         ...
>         ldap
>
>         if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
>                 ... # reject, or anything else
>         }
>
>         ...
> }
>
> > so the goal is to make sure that the user can only log in from his / her
> > company device that is associated with their user profile in LDAP. I have
> > already made sure that the user has the attribute
> > radiusCallingStationId set correctly.
>
>   You also need to normalize the Calling-Station-Id in the request.  Or
> at least ensure that all of the NASes use the same format.  Some vendors
> have a "helpful" way of ignoring the standards.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Best Regards,
Danny
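The check Alan describes, together with the Calling-Station-Id normalization he warns is needed, as an added example that is not code from this thread and not FreeRADIUS's own shipped policy. It assumes FreeRADIUS 2.x/3.x unlang, that the ldap module maps radiusCallingStationId into control:Calling-Station-Id exactly as Danny's checkItem line does, and that the value stored in LDAP is lowercase with hyphen separators (aa-bb-cc-dd-ee-ff). The policy name normalize_mac and the Reply-Message texts are invented for this example.

```unlang
# Assumed: FreeRADIUS 2.x/3.x unlang. "normalize_mac" is an invented name for
# this example; it goes in policy.conf (2.x) or policy.d/ (3.x).
policy {
    # NASes report the client MAC in whatever form the vendor likes:
    # aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff, AABBCCDDEEFF.
    # Rewrite all of them to lowercase aa-bb-cc-dd-ee-ff so the later string
    # compare against the LDAP value is reliable.
    normalize_mac {
        if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
            update request {
                Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
            }
        }
        else {
            # Not a MAC at all (e.g. a caller number from a dial-up NAS): leave it.
            noop
        }
    }
}

# sites-available/default (for PEAP see the note below about inner-tunnel).
authorize {
    preprocess
    normalize_mac
    ldap

    # Fail closed: an account with no radiusCallingStationId in LDAP has no
    # registered device, so it must not be able to log in from anywhere.
    if (!control:Calling-Station-Id) {
        update reply {
            Reply-Message := "No device registered for this account"
        }
        reject
    }

    # The actual check: the MAC the NAS reports must equal the one from LDAP.
    if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
        update reply {
            Reply-Message := "Login from an unregistered device"
        }
        reject
    }

    # ... normal EAP / PAP handling continues here
}
```

Two caveats for the PEAP case in the thread. With PEAP the inner identity (and therefore the ldap lookup) is processed in the inner-tunnel virtual server, and by default the outer request's Calling-Station-Id is not copied into the inner request; either set copy_request_to_tunnel = yes in the peap section of eap.conf, or compare against "%{outer.request:Calling-Station-Id}" and run normalize_mac in the outer authorize section. Second, Calling-Station-Id is simply what the NAS reports the client's MAC to be; a spoofed MAC passes this check, so it binds a user to a device against casual misuse but is not a strong second factor.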