Hi Alan,

I tried to put that command in the /siteAvailable/Default after the LDAP call and received this error:

Expected string or numbers at: )
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
}

I also commented back the checkval module.

Thanks
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok <[email protected]> wrote:
> Danny Kurniawan wrote:
> > Hi Russel,
> >
> > So we have LDAP auth here. At this time it works fine. But now we want
> > to add 2 auth, so for example like we want to check the valid user id
> > / password from LDAP and also the MAC address listed from the user
> > attribute in the LDAP.
> >
> > The ldap attribute mapped properly:
> > checkItem Called-Station-Id radiusCalledStationId
> > checkItem Calling-Station-Id radiusCallingStationId
>
> That works. The solution then is simple. You have a
> Calling-Station-Id in the "control" list, and one in the request. So
> compare them.
>
> authorize {
>     ...
>     ldap
>
>     if (control:Calling-Station-Id != "%{Calling-Station-Id"}) {
>         ... # reject, or anything else
>     }
>
>     ...
> }
>
> > so the goal is to make sure that the user only logs in from his / her
> > company device that is associated with their user profile in LDAP. I
> > already made sure that the user has the attribute
> > radiusCallingStationId set correctly.
>
> You also need to normalize the Calling-Station-Id in the request. Or
> at least ensure that all of the NASes use the same format. Some vendors
> have a "helpful" way of ignoring the standards.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

--
Best Regards,
Danny
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
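
Added example, not part of the original thread or of FreeRADIUS: a Python sketch of the normalization step mentioned in the quoted reply, showing why a raw string comparison between the LDAP value and the request value fails when NASes send the MAC address in different formats. The function names, the canonical form and the sample addresses are constructed for illustration.

```python
import re

# Six hex octets, each pair optionally followed by one of the common
# separators. Covers aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF,
# aabb.ccdd.eeff and bare aabbccddeeff.
_MAC_RE = re.compile(r"[-:.]?".join([r"([0-9a-f]{2})"] * 6), re.IGNORECASE)


def normalize_mac(value):
    """Return 'aa-bb-cc-dd-ee-ff', or None if value is not a MAC address."""
    m = _MAC_RE.fullmatch(value.strip())
    if m is None:
        return None
    return "-".join(octet.lower() for octet in m.groups())


def device_allowed(ldap_value, request_value):
    """True only when both values parse as MACs and name the same device."""
    expected = normalize_mac(ldap_value)
    presented = normalize_mac(request_value)
    if expected is None or presented is None:
        return False  # fail closed on anything that does not parse
    return expected == presented


# Constructed sample data: one device as four different NASes might report it.
STORED_IN_LDAP = "00-1A-2B-3C-4D-5E"
FROM_NAS = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e",
            "001a.2b3c.4d5e", "001A2B3C4D5E"]

if __name__ == "__main__":
    for sent in FROM_NAS:
        raw = (sent == STORED_IN_LDAP)            # what a plain compare sees
        norm = device_allowed(STORED_IN_LDAP, sent)
        print(f"{sent:20} raw={raw!s:5} normalized={norm}")
```

Running it shows every raw comparison failing while every normalized comparison succeeds, which is the mismatch a policy hits if the request attribute is compared to the LDAP value without first rewriting both to one format.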

