Hi all,

I don't know whether it has a bug or not.
When I used the checkval module with radiusCalledStationId, it was perfect.
But when I used radiusCheckItem: NAS-IP-Address := 202.14.68.51, it seems to
have a problem.
The NAS 202.14.68.50 can still pass RADIUS although I have the above
restriction.
You can see that the nas-ip module returns ok.
But if I change radiusCheckItem: NAS-IP-Address to 192.168.0.1, it rejects
as normal if I dial from 202.14.68.50.
It seems it can't recognize the IP address except for the first octet.

rad_recv: Access-Request packet from host 202.14.68.50:1025, id=235, length=105
        User-Name = "brianlk"
        User-Password = ""
        NAS-IP-Address = 202.14.68.50
        NAS-Port = 20312
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        State = 0x
        Calling-Station-Id = "21519330"
        Called-Station-Id = "34234418"
        Acct-Session-Id = "377180294"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
radius_xlat:  '@test.com'
rlm_attr_rewrite: No match found for attribute User-Name with value 'brianlk'
  modcall[authorize]: module "fixusername1" returns ok
radius_xlat:  '@test.com'
rlm_attr_rewrite: No match found for attribute User-Name with value 'brianlk'
  modcall[authorize]: module "fixusername2" returns ok
modcall: entering group redundant
rlm_ldap: - authorize
rlm_ldap: performing user authorization for brianlk
radius_xlat:  '(uid=brianlk)'
radius_xlat:  'o=test.com'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=test.com, with filter (uid=brianlk)
rlm_ldap: Added password {crypt}asdasfsdgdfg in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: extracted attribute NAS-IP-Address from generic item
NAS-IP-Address := 202.14.68.51
rlm_ldap: looking for reply items in directory...
rlm_ldap: user brianlk authorized to use remote access
ldap_release_conn: Release Id: 0
  modcall[authorize]: module "LDAP1" returns ok
modcall: group redundant returns ok
rlm_checkval: Item Name: NAS-IP-Address, Value: 202.14.68.50
rlm_checkval: Value Name: NAS-IP-Address, Value: 202.14.68.51
  modcall[authorize]: module "nas-ip" returns ok

the config inside radiusd.conf:

        checkval  nas-ip {
                # The attribute to look for in the request
                item-name = NAS-IP-Address

                # The attribute to look for in check items. Can be multi-valued
                check-name = NAS-IP-Address

                # The data type. Can be
                # string,integer,ipaddr,date,abinary,octets
                data-type = ipaddr

                # If set to yes and we don't find the item-name attribute in the
                # request then we send back a reject
                # DEFAULT is no
                #notfound-reject = no
        }


Brian

----- Original Message -----
From: "Dustin Doris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 01, 2003 10:22 PM
Subject: Re: check item problem


> Do you see how the Called-Station-Id is not coming in with the auth
> request?
>
> > The following is the whole debug when i used "compare_check_items",
> >
> > Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on
> > 1647/udp.
> > Ready to process requests.
> > rad_recv: Access-Request packet from host 127.0.0.1:33291, id=223, length=59
> >         User-Name = "brianlk"
> >         User-Password = "123jseff"
> >         NAS-IP-Address = 192.168.0.2
> >         NAS-Port = 10
> > modcall: entering group authorize
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: extracted attribute NAS-IP-Address from generic item
> > NAS-IP-Address == "192.168.0.1"
> > rlm_ldap: looking for reply items in directory...
> > Invalid operator for item User-Password: reverting to '=='
> > rlm_ldap: Pairs do not match. Rejecting user.
> > ldap_release_conn: Release Id: 0
>
> You need to make sure the NAS is sending the Called-Station-Id for this to
> work for you.  The attributes that come in the Access-Request packet are
> compared against what is in your LDAP directory.  So it's comparing
> Called-Station-Id in your LDAP directory to nothing.
>
>
>
>
> > >
> > > > Hi all,
> > > > I want to add some rules in FreeRADIUS so the user can only access
> > > > the system from the Called-Station-Id 123456, for example.
> > > > My LDIF is like this:
> > > >
> > > > dn: uid=brianlk,ou=dialup,o=test
> > > > objectClass: top
> > > > objectClass: person
> > > > objectClass: organizationalPerson
> > > > objectClass: inetOrgPerson
> > > > objectClass: inetLocalMailRecipient
> > > > objectClass: radiusprofile
> > > > objectClass: posixAccount
> > > > objectClass: PureFTPdUser
> > > > sn: brianlk
> > > > ou: dialup
> > > > description:: IFBQUF9VWFBX
> > > > uid: brianlk
> > > > uidNumber: 15385
> > > > gidNumber: 1001
> > > > homeDirectory: /home/brianlk
> > > > loginShell: /sbin/nologin
> > > > userPassword:: e2NyeXB0fTEwVGtiQVlpT3hlNDI=
> > > > cn: brianlk
> > > > radiusCalledStationId: 123456
> > > >
> > > > However, the radiusCalledStationId isn't checked when I log in, so I
> > > > can access the system from any Called-Station-Id. How can I fix this?
> > > > And do I need to enable "compare_check_items = yes"?
> > > > I have tried enabling it, but I was rejected when I logged in. Does
> > > > anyone know how to use "compare_check_items"? Thank you.
> > > > The debug:
> > >
>
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
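As an added example (my own Python, not FreeRADIUS code and not from anyone on this thread), here is a small check-item evaluator that makes both points raised above concrete: an ipaddr check item compared as a full 32-bit address rejects a NAS-IP-Address of 202.14.68.50 against a check value of 202.14.68.51, and a check item whose attribute is absent from the Access-Request (Called-Station-Id in the earlier debug) cannot match and only produces a reject when a notfound-reject style option is set. The request lines are constructed from the debug output in the post; the `first_octet_only` function models the symptom Brian describes and is an assumption used for contrast, not a reading of the rlm_checkval source.

```python
"""Added example (not FreeRADIUS code): a minimal evaluator for RADIUS
"check items" of the kind rlm_checkval and compare_check_items apply.

The sample Access-Request below is constructed from the debug output in
the post; check values are the ones extracted from LDAP in that output.
"""
import ipaddress
import re

# Matches 'Attribute = value' lines as printed by radiusd -X. The operator
# group also accepts '==' and ':=' so check-item lines parse the same way.
PAIR_RE = re.compile(r'^\s*([\w-]+)\s*(==|:=|=)\s*(.*?)\s*$')


def parse_pairs(dump: str) -> dict:
    """Parse debug-style attribute lines into {name: value}.
    Quoted strings lose their quotes; other values are kept as text."""
    pairs = {}
    for line in dump.splitlines():
        m = PAIR_RE.match(line)
        if not m:
            continue
        name, _op, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs[name] = value
    return pairs


def values_equal(data_type: str, request_value: str, check_value: str) -> bool:
    """Typed comparison. For ipaddr the whole 32-bit address is compared,
    not the dotted-quad text and not a prefix of it."""
    if data_type == 'ipaddr':
        return (int(ipaddress.IPv4Address(request_value))
                == int(ipaddress.IPv4Address(check_value)))
    if data_type == 'integer':
        return int(request_value) == int(check_value)
    return request_value == check_value      # string


def checkval(request: dict, item_name: str, check_values,
             data_type: str = 'string', notfound_reject: bool = False) -> str:
    """Mirror of the rlm_checkval options in the post's radiusd.conf
    (item-name, check-name, data-type, notfound-reject). Returns 'ok',
    'reject' or 'notfound'. check_values may be multi-valued; any match
    is sufficient."""
    if item_name not in request:
        # The attribute never arrived in the Access-Request: there is
        # nothing to compare, which is Dustin's point about Called-Station-Id.
        return 'reject' if notfound_reject else 'notfound'
    if isinstance(check_values, str):
        check_values = [check_values]
    for cv in check_values:
        if values_equal(data_type, request[item_name], cv):
            return 'ok'
    return 'reject'


def first_octet_only(request_value: str, check_value: str) -> bool:
    """Assumption, for contrast only: the behaviour Brian reports looks
    like a comparison of just the leading octet. This is NOT a claim about
    how rlm_checkval is implemented."""
    return request_value.split('.')[0] == check_value.split('.')[0]


# Constructed from the Access-Request in the post.
REQUEST_DUMP = """\
        User-Name = "brianlk"
        NAS-IP-Address = 202.14.68.50
        NAS-Port = 20312
        Calling-Station-Id = "21519330"
        Called-Station-Id = "34234418"
"""
REQUEST = parse_pairs(REQUEST_DUMP)

# Check item as extracted from LDAP in the debug output.
CHECK_NAS_IP = '202.14.68.51'

# Constructed from the earlier debug, where no Called-Station-Id was sent.
REQUEST_NO_CSID = parse_pairs(
    'User-Name = "brianlk"\nNAS-IP-Address = 192.168.0.2\nNAS-Port = 10')


if __name__ == '__main__':
    print('full-address compare:', checkval(REQUEST, 'NAS-IP-Address', CHECK_NAS_IP, 'ipaddr'))
    print('first-octet-only compare (assumed symptom):',
          first_octet_only(REQUEST['NAS-IP-Address'], CHECK_NAS_IP))
    print('192.168.0.1 check:', checkval(REQUEST, 'NAS-IP-Address', '192.168.0.1', 'ipaddr'))
    print('Called-Station-Id present:', checkval(REQUEST, 'Called-Station-Id', '34234418'))
    print('Called-Station-Id absent:', checkval(REQUEST_NO_CSID, 'Called-Station-Id', '123456'))
    print('absent + notfound-reject:',
          checkval(REQUEST_NO_CSID, 'Called-Station-Id', '123456', notfound_reject=True))
```

The contrast to draw from the two compare functions is that a full-address compare gives `reject` for 202.14.68.50 against 202.14.68.51, whereas a first-octet-only compare would say they match, which is exactly the `ok` Brian sees in his debug; and for the earlier thread, a check item on an attribute the NAS never sends cannot match, so whether the user is rejected depends purely on the not-found policy, not on the value in LDAP.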
