On Wed, 2 Apr 2003, Brian Leung wrote:
> Hi all,
>
> I don't know whether it has a bug or not.
> When I used the checkval module and radiusCalledStationid, it is prefer.
> But when I used radiusCheckItem: NAS-IP-Address := 202.14.68.51, it seems
> to have a problem.
> The NAS 202.14.68.50 still can pass the radius although I have the above
> restriction.
> You can see that the nas-ip module returns ok.
> But if I change radiusCheckItem: NAS-IP-Address to 192.168.0.1, it will
> reject as normal if I dial from 202.14.68.50.
> It seems it can't recognize the IP address except for the first octet.
Do a cvs update on rlm_checkval. It should now work better.
>
> rad_recv: Access-Request packet from host 202.14.68.50:1025, id=235,
> length=105
> User-Name = "brianlk"
> User-Password = ""
> NAS-IP-Address = 202.14.68.50
> NAS-Port = 20312
> NAS-Port-Type = Async
> Service-Type = Framed-User
> Framed-Protocol = PPP
> State = 0x
> Calling-Station-Id = "21519330"
> Called-Station-Id = "34234418"
> Acct-Session-Id = "377180294"
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> radius_xlat: '@test.com'
> rlm_attr_rewrite: No match found for attribute User-Name with value
> 'brianlk'
> modcall[authorize]: module "fixusername1" returns ok
> radius_xlat: '@test.com'
> rlm_attr_rewrite: No match found for attribute User-Name with value
> 'brianlk'
> modcall[authorize]: module "fixusername2" returns ok
> modcall: entering group redundant
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for brianlk
> radius_xlat: '(uid=brianlk)'
> radius_xlat: 'o=test.com'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in o=test.com, with filter (uid=brianlk)
> rlm_ldap: Added password {crypt}asdasfsdgdfg in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: extracted attribute NAS-IP-Address from generic item
> NAS-IP-Address := 202.14.68.51
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user brianlk authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "LDAP1" returns ok
> modcall: group redundant returns ok
> rlm_checkval: Item Name: NAS-IP-Address, Value: 202.14.68.50
> rlm_checkval: Value Name: NAS-IP-Address, Value: 202.14.68.51
> modcall[authorize]: module "nas-ip" returns ok
>
> the config inside radiusd.conf:
>
> checkval nas-ip {
> # The attribute to look for in the request
> item-name = NAS-IP-Address
>
> # The attribute to look for in check items. Can be multi valued
> check-name = NAS-IP-Address
>
> # The data type. Can be
> # string,integer,ipaddr,date,abinary,octets
> data-type = ipaddr
>
> # If set to yes and we dont find the item-name attribute in the
> # request then we send back a reject
> # DEFAULT is no
> #notfound-reject = no
> }
>
>
> Brian
>
> ----- Original Message -----
> From: "Dustin Doris" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 01, 2003 10:22 PM
> Subject: Re: check item problem
>
>
> > Do you see how the Called-Station-Id is not coming in with the auth
> > request?
> >
> > > The following is the whole debug when i used "compare_check_items",
> > >
> > > Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on
> > > 1647/udp.
> > > Ready to process requests.
> > > rad_recv: Access-Request packet from host 127.0.0.1:33291, id=223,
> length=59
> > > User-Name = "brianlk"
> > > User-Password = "123jseff"
> > > NAS-IP-Address = 192.168.0.2
> > > NAS-Port = 10
> > > modcall: entering group authorize
> > > rlm_ldap: looking for check items in directory...
> > > rlm_ldap: extracted attribute NAS-IP-Address from generic item
> > > NAS-IP-Address == "192.168.0.1"
> > > rlm_ldap: looking for reply items in directory...
> > > Invalid operator for item User-Password: reverting to '=='
> > > rlm_ldap: Pairs do not match. Rejecting user.
> > > ldap_release_conn: Release Id: 0
> >
> > You need to make sure the NAS is sending the Called-Station-Id for this to
> > work for you. The attributes that come in the Access-Request packet are
> > compared against what is in your LDAP directory. So it's comparing
> > Called-Station-Id in your ldap directory to nothing.
> >
> >
> >
> >
> > > >
> > > > > Hi all,
> > > > > I want to add some rules in freeradius so the user just can access the
> > > > > system from the Calledstationid 123456, for example.
> > > > > My ldif is like that:
> > > > >
> > > > > dn: uid=brianlk,ou=dialup,o=test
> > > > > objectClass: top
> > > > > objectClass: person
> > > > > objectClass: organizationalPerson
> > > > > objectClass: inetOrgPerson
> > > > > objectClass: inetLocalMailRecipient
> > > > > objectClass: radiusprofile
> > > > > objectClass: posixAccount
> > > > > objectClass: PureFTPdUser
> > > > > sn: brianlk
> > > > > ou: dialup
> > > > > description:: IFBQUF9VWFBX
> > > > > uid: brianlk
> > > > > uidNumber: 15385
> > > > > gidNumber: 1001
> > > > > homeDirectory: /home/brianlk
> > > > > loginShell: /sbin/nologin
> > > > > userPassword:: e2NyeXB0fTEwVGtiQVlpT3hlNDI=
> > > > > cn: brianlk
> > > > > radiusCalledStationId: 123456
> > > > >
> > > > > However, the radiusCalledStationId hasn't been checked when I login. So, I
> > > > > can access the system from any Calledstationid. How can I fix it?
> > > > > And, do I need to enable "compare_check_items = yes"?
> > > > > I have tried to enable it, but I was rejected when I login. Anyone knows
> > > > > how to use "compare_check_items"? Thank you.
> > > > > The debug:
> > > >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> >
>
>
>
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED] National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
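The check Brian's nas-ip config asks for, as an added example written for this thread (not the rlm_checkval source): the request's NAS-IP-Address must equal one of the multi-valued ipaddr check items, compared as a full 32-bit address rather than by leading octet, with the notfound-reject flag honoured. Function and enum names are hypothetical; the addresses are the ones from the debug output above.

```c
/* Added example, not FreeRADIUS code: a minimal checkval-style comparison
 * for data-type = ipaddr. All 32 bits are compared, so 202.14.68.50 does
 * not match a check item of 202.14.68.51 even though the first three
 * octets agree. Names are hypothetical. */
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { CHECKVAL_OK = 0, CHECKVAL_REJECT = 1, CHECKVAL_NOTFOUND = 2 };

/* Parse a dotted-quad string into a host-order 32-bit value.
 * Returns 1 on success, 0 on a missing or malformed address. */
static int parse_ipaddr(const char *s, uint32_t *out) {
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* item:   value of item-name (NAS-IP-Address) in the request, NULL if absent.
 * checks: the multi-valued check items pulled from the directory.
 * notfound_reject: the module's notfound-reject setting (0 = no). */
int checkval_ipaddr(const char *item, const char *checks[], size_t nchecks,
                    int notfound_reject) {
    uint32_t req, chk;
    if (item == NULL) return notfound_reject ? CHECKVAL_REJECT : CHECKVAL_NOTFOUND;
    if (!parse_ipaddr(item, &req)) return CHECKVAL_REJECT;  /* garbage in request */
    for (size_t i = 0; i < nchecks; i++) {
        /* A malformed check item never matches; it cannot grant access. */
        if (parse_ipaddr(checks[i], &chk) && chk == req) return CHECKVAL_OK;
    }
    return CHECKVAL_REJECT;
}

int main(void) {
    /* Constructed from the thread: NAS 202.14.68.50, check item 202.14.68.51. */
    const char *check[] = { "202.14.68.51" };
    int r = checkval_ipaddr("202.14.68.50", check, 1, 0);
    printf("NAS 202.14.68.50 vs check 202.14.68.51: %s\n",
           r == CHECKVAL_OK ? "ok" : "reject");
    return 0;
}
```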