Re: How to use checkval
Do you need RPM? Can you not just build and install from the source?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to use checkval
Hi Alan,

I'm trying it now, compile from source and generated rpm. But now I'm stuck at 2 dependencies. Hmm, can you show me how to build and install from source? Any link? Doesn't that still need dependencies?

    libpcap-devel is needed by freeradius-server-2.2.0-0.x86_64
    sqlite3-devel is needed by freeradius-server-2.2.0-0.x86_64

I have been searching around the DVD ISO of SLES SP4, also the Novell repo, and still can't find it. Can anyone help?

Thanks
Danny

On Fri, Mar 15, 2013 at 4:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Do you need RPM? Can you not just build and install from the source?
>
> alan

--
Best Regards,
Danny
Re: How to use checkval
Hi All,

I just wanted to know, is there any way I can still use 1.1.7 and have the ability to check for an empty Calling-Station-Id? It can use any method as long as it works.

I already tried install / compile but a lot of dependencies I can't find on the DVD / ISO, and from the Novell repo I could not find them either.

Thanks a lot.
Danny

On Fri, Mar 15, 2013 at 1:12 AM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > So does anyone know how to do the following in the FreeRadius 1.1.7 ?
> >
> >     if(control:Calling-Station-Id == ){ reject }
>
> You don't. Version 1 doesn't support unlang.
>
> > I just want to reject the packet if the Control (or maybe check) is empty or has no value. I could not afford to upgrade at this time as it's a native freeradius that comes with SLES 10 and I'm not sure how to compile the new radius there.
>
> There's a suse directory in the tarball. You should be able to build a SUSE RPM yourself.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
On Fri, Mar 15, 2013 at 8:47 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi Alan,
>
> I'm trying it now, compile from source and generated rpm. But now I'm stuck at 2 dependencies. Hmm, can you show me how to build and install from source? Any link? Doesn't that still need dependencies?
>
>     libpcap-devel is needed by freeradius-server-2.2.0-0.x86_64
>     sqlite3-devel is needed by freeradius-server-2.2.0-0.x86_64
>
> I have been searching around the DVD ISO of SLES SP4, also the Novell repo, and still can't find it. Can anyone help?

Short version? Buy a suse subscription. You'd probably find it on their repository. If you don't, you can ask their support where to find it.

The other option is to use opensuse (if you still need suse-like environment), or use whatever version of FR available from http://download.opensuse.org/repositories/network:/aaa/ . They should at least have 2.1.12.

--
Fajar
Re: How to use checkval
Danny Kurniawan wrote:
> I already tried install / compile but a lot of dependencies I can't find on the DVD / ISO, and from the Novell repo I could not find them either.

    $ grep pcap suse/*
    suse/freeradius.spec:BuildRequires: libpcap-devel

Edit that file, and delete the line.

FreeRADIUS doesn't *need* anything. It can *use* pcap if you have it. But if you don't, it's fine.

You may need to create a new tar file, but that should be simple.

Remember, if it doesn't work, hit it with a hammer.

Alan DeKok.
Re: How to use checkval
Thanks Alan. Let me try that.

PS: I will prepare a hammer too, but too bad the server is in US while I'm in Singapore :)

If this is not going to work, I will give up and ask to install brand new SLES 11 that supports 2.1.1.

Thanks
Danny

On Fri, Mar 15, 2013 at 9:49 PM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > I already tried install / compile but a lot of dependencies I can't find on the DVD / ISO, and from the Novell repo I could not find them either.
>
>     $ grep pcap suse/*
>     suse/freeradius.spec:BuildRequires: libpcap-devel
>
> Edit that file, and delete the line.
>
> FreeRADIUS doesn't *need* anything. It can *use* pcap if you have it. But if you don't, it's fine.
>
> You may need to create a new tar file, but that should be simple.
>
> Remember, if it doesn't work, hit it with a hammer.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
Update: It works like a charm :)

I removed the sql3lite and libpcap, and I can compile and install it just fine. And the Radius works.. *well I haven't really tested it in PROD, but at least it can accept connections and unlang.

Thanks Alan, really2 appreciate that. Have a good weekend.

Danny

On Fri, Mar 15, 2013 at 9:56 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Thanks Alan. Let me try that.
>
> PS: I will prepare a hammer too, but too bad the server is in US while I'm in Singapore :)
>
> If this is not going to work, I will give up and ask to install brand new SLES 11 that supports 2.1.1.
>
> Thanks
> Danny

--
Best Regards,
Danny
Re: How to use checkval
Thanks a lot for your reply. Yes I got it working.

However one more question: what is the operator used to check if the value is empty?

    if(control:Calling-Station-Id == ){ reject }

*not working for above

So I tried to make sure if the user LDAP attribute for CallingStationID was not set, reject it.

Thanks
Danny

On Thu, Mar 14, 2013 at 1:52 PM, Fajar A. Nugraha l...@fajar.net wrote:
> On Thu, Mar 14, 2013 at 4:44 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> >     if (control:Calling-Station-Id != %{Calling-Station-Id}) { reject }
>
> IIRC the parser is picky on where the curly braces are located. Look at Alan's example again, and see man unlang for if block.
>
> --
> Fajar

--
Best Regards,
Danny
Re: How to use checkval
On 14.03.2013 07:28, Danny Kurniawan wrote:
> Thanks a lot for your reply. Yes I got it working. However one more question: what is the operator used to check if the value is empty?
>
>     if(control:Calling-Station-Id == ){ reject }

    if(!control:Calling-Station-Id) { reject }

this will be true if the attribute doesn't exist.

and btw, on your previous messages:

    if (control:Calling-Station-Id != %{Calling-Station-Id})

last is misplaced

    if (control:Calling-Station-Id != %{Calling-Station-Id})

Olivier

--
Olivier Beytrison
Network Security Engineer, HES-SO Fribourg
Mail: oliv...@heliosnet.org
Re: How to use checkval
Thanks Olivier. Yes, the previous message has been resolved. Thanks a lot. Let me try your suggestion.

-Danny

On Thu, Mar 14, 2013 at 2:41 PM, Olivier Beytrison oliv...@heliosnet.org wrote:
> On 14.03.2013 07:28, Danny Kurniawan wrote:
> > Thanks a lot for your reply. Yes I got it working. However one more question: what is the operator used to check if the value is empty?
> >
> >     if(control:Calling-Station-Id == ){ reject }
>
>     if(!control:Calling-Station-Id) { reject }
>
> this will be true if the attribute doesn't exist.
>
> and btw, on your previous messages:
>
>     if (control:Calling-Station-Id != %{Calling-Station-Id})
>
> last is misplaced
>
>     if (control:Calling-Station-Id != %{Calling-Station-Id})
>
> Olivier
>
> --
> Olivier Beytrison
> Network Security Engineer, HES-SO Fribourg
> Mail: oliv...@heliosnet.org

--
Best Regards,
Danny
Re: How to use checkval
On Thu, Mar 14, 2013 at 5:28 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Thanks a lot for your reply. Yes I got it working. However one more question: what is the operator used to check if the value is empty?
>
>     if(control:Calling-Station-Id == ){ reject }
>
> *not working for above

Not sure. Maybe

    if( !(%{control:Calling-Station-Id}) ){ reject }

--
Fajar
Re: How to use checkval
Hi All,

All of the suggestions work fine :)

So just wondering, will this unlang method work for radius 1.x version? If it's not working, what is the method that I can use in that version?

Thanks
Danny

On Thu, Mar 14, 2013 at 2:58 PM, Fajar A. Nugraha l...@fajar.net wrote:
> On Thu, Mar 14, 2013 at 5:28 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> > Thanks a lot for your reply. Yes I got it working. However one more question: what is the operator used to check if the value is empty?
> >
> >     if(control:Calling-Station-Id == ){ reject }
> >
> > *not working for above
>
> Not sure. Maybe
>
>     if( !(%{control:Calling-Station-Id}) ){ reject }
>
> --
> Fajar

--
Best Regards,
Danny
Re: How to use checkval
Just to add in, I have tested and I know it works to compare it by enabling the checkval inside radius.conf.

But now how can I check if the value of the CallingStationID is not empty? In Radius 2.x I can use the unlang below, but in Radius 1.x it failed when I tried that.

Also I have enabled notfound-reject = yes in the checkval function, but I believe that only checks the item-name and not the check-name.

Is there any way to do this from radius 1.x? I'm just in the position that I can't upgrade the radius at this time.

Thanks
Danny

On Thu, Mar 14, 2013 at 6:39 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi All,
>
> All of the suggestions work fine :)
>
> So just wondering, will this unlang method work for radius 1.x version? If it's not working, what is the method that I can use in that version?
>
> Thanks
> Danny

--
Best Regards,
Danny
Re: How to use checkval
So does anyone know how to do the following in the FreeRadius 1.1.7 ?

    if(control:Calling-Station-Id == ){ reject }

I just want to reject the packet if the Control (or maybe check) is empty or has no value. I could not afford to upgrade at this time as it's a native freeradius that comes with SLES 10 and I'm not sure how to compile the new radius there.

Thanks
Danny

On Thu, Mar 14, 2013 at 6:53 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Just to add in, I have tested and I know it works to compare it by enabling the checkval inside radius.conf.
>
> But now how can I check if the value of the CallingStationID is not empty? In Radius 2.x I can use the unlang below, but in Radius 1.x it failed when I tried that.
>
> Also I have enabled notfound-reject = yes in the checkval function, but I believe that only checks the item-name and not the check-name.
>
> Is there any way to do this from radius 1.x? I'm just in the position that I can't upgrade the radius at this time.
>
> Thanks
> Danny

--
Best Regards,
Danny
Re: How to use checkval
Danny Kurniawan wrote:
> So does anyone know how to do the following in the FreeRadius 1.1.7 ?
>
>     if(control:Calling-Station-Id == ){ reject }

You don't. Version 1 doesn't support unlang.

> I just want to reject the packet if the Control (or maybe check) is empty or has no value. I could not afford to upgrade at this time as it's a native freeradius that comes with SLES 10 and I'm not sure how to compile the new radius there.

There's a suse directory in the tarball. You should be able to build a SUSE RPM yourself.

Alan DeKok.
Re: How to use checkval
Thanks Alan.

I have read some articles about compiling our own rpm. I'm only concerned about the --edir integration.

So is there any input for me whether, after I upgrade using the rpm that I build myself, I can still use it with edir? As I saw an article somewhere that said make sure you use the --edir option when installing a freeradius that doesn't come with the OS.

It's just this is a PROD server and I'm not really an expert in Linux, so if you / anyone else can give me a link or guide steps on how to upgrade the free radius manually on my SLES 10 I will be very happy.

Thanks
Danny

On Fri, Mar 15, 2013 at 1:12 AM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > So does anyone know how to do the following in the FreeRadius 1.1.7 ?
> >
> >     if(control:Calling-Station-Id == ){ reject }
>
> You don't. Version 1 doesn't support unlang.
>
> > I just want to reject the packet if the Control (or maybe check) is empty or has no value. I could not afford to upgrade at this time as it's a native freeradius that comes with SLES 10 and I'm not sure how to compile the new radius there.
>
> There's a suse directory in the tarball. You should be able to build a SUSE RPM yourself.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
Danny Kurniawan wrote:
> I have read some articles about compiling our own rpm. I'm only concerned about the --edir integration.

Add that to the suse files. Look for the script running configure.

> So is there any input for me whether, after I upgrade using the rpm that I build myself, I can still use it with edir? As I saw an article somewhere that said make sure you use the --edir option when installing a freeradius that doesn't come with the OS.

You can edit the files in the suse directory.

> It's just this is a PROD server and I'm not really an expert in Linux, so if you / anyone else can give me a link or guide steps on how to upgrade the free radius manually on my SLES 10 I will be very happy.

See the wiki. http://wiki.freeradius.org/building/Build

Alan DeKok.
Re: How to use checkval
Hi All,

Sorry for this beginner question again. I have read the wiki and I will need some hints from any of you:

1. So which file do I need to download from http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR Version 2.2.0: tar.bz2 ?
2. So after I download one of them, just copy it here: * /usr/src/packages/SOURCES* ? Or should I extract the content?
3. So does the spec file have to be removed from the .tar file, or just copied out?
4. Which file should I edit to include this --with-edir option during configure? I believe the usage of this is for radius to be able to check things like account lockedOut, account disabled etc?

Thanks a bunch
Danny

On Fri, Mar 15, 2013 at 2:00 AM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > I have read some articles about compiling our own rpm. I'm only concerned about the --edir integration.
>
> Add that to the suse files. Look for the script running configure.
>
> > So is there any input for me whether, after I upgrade using the rpm that I build myself, I can still use it with edir? As I saw an article somewhere that said make sure you use the --edir option when installing a freeradius that doesn't come with the OS.
>
> You can edit the files in the suse directory.
>
> > It's just this is a PROD server and I'm not really an expert in Linux, so if you / anyone else can give me a link or guide steps on how to upgrade the free radius manually on my SLES 10 I will be very happy.
>
> See the wiki. http://wiki.freeradius.org/building/Build
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
On Fri, Mar 15, 2013 at 10:52 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi All,
>
> Sorry for this beginner question again. I have read the wiki and I will need some hints from any of you:
>
> 1. So which file do I need to download from http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR Version 2.2.0: tar.bz2 ?

Same thing. Please spend some time to learn about archive formats. For example: http://www.dslreports.com/faq/3999

> 2. So after I download one of them, just copy it here: * /usr/src/packages/SOURCES* ? Or should I extract the content?
> 3. So does the spec file have to be removed from the .tar file, or just copied out?

This is beyond the scope of this list. Please learn about building RPM packages, especially on suse. Possibly ask on suse list.

In general, the bundled suse spec file assumes that you have the spec file on SPECS directory, and the bz2 file (as well as all other files on suse directory) in SOURCES.

> 4. Which file should I edit to include this --with-edir option during configure? I believe the usage of this is for radius to be able to check things like account lockedOut, account disabled etc?

If you had learned about building RPM, you wouldn't need to ask this question. Please spend some time to learn about building RPM packages.

The short version is suse's specfile uses --with-edir by default.

--
Fajar
Re: How to use checkval
Thanks in advance for all the explanation.

I will spend more time on learning it for sure, it's just that the requirement needs me to learn it in a practical way *this task was handed over to me not in a good timely manner and yet they want it fast :)

Again I believe that's not an excuse for me not to read / learn, so thanks a bunch for all the explanation and I will try this soon.

Many thanks
Danny

On Fri, Mar 15, 2013 at 9:11 AM, Fajar A. Nugraha l...@fajar.net wrote:
> On Fri, Mar 15, 2013 at 10:52 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> > Hi All,
> >
> > Sorry for this beginner question again. I have read the wiki and I will need some hints from any of you:
> >
> > 1. So which file do I need to download from http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR Version 2.2.0: tar.bz2 ?
>
> Same thing. Please spend some time to learn about archive formats. For example: http://www.dslreports.com/faq/3999
>
> > 2. So after I download one of them, just copy it here: * /usr/src/packages/SOURCES* ? Or should I extract the content?
> > 3. So does the spec file have to be removed from the .tar file, or just copied out?
>
> This is beyond the scope of this list. Please learn about building RPM packages, especially on suse. Possibly ask on suse list.
>
> In general, the bundled suse spec file assumes that you have the spec file on SPECS directory, and the bz2 file (as well as all other files on suse directory) in SOURCES.
>
> > 4. Which file should I edit to include this --with-edir option during configure? I believe the usage of this is for radius to be able to check things like account lockedOut, account disabled etc?
>
> If you had learned about building RPM, you wouldn't need to ask this question. Please spend some time to learn about building RPM packages.
>
> The short version is suse's specfile uses --with-edir by default.
>
> --
> Fajar

--
Best Regards,
Danny
Re: How to use checkval
So basically I found this old 2008 case:

Feb 27, 2008; 6:13pm
Re: Radius MAC filtering with EAP-PEAP

> Era wrote:
> > Could you please assist me to find my fault. I have test user with laptop. I want to restrict access for this laptop. In users file I added wrong mac address (00-18-de-4e-8f-11) but laptop still can connect with testuser/12345 credentials.
>
> Did you read the documentation for the users file?
>
> > Here is my users file:
> >
> >     testuser User-Password == 12345 Calling-Station-Id = 00-18-de-4e-8f-11
>
> What do you think this entry does?
>
> > Here is my checkval config:
>
> I don't think you need to use the checkval module. In 2.0, you can just write the logic you want in unlang.
>
> Alan DeKok.

The different thing that I want to achieve here is: use checkval to check the station id, if it passes then go to EAP-MSCHAPV2.

If this can be done with the unlang method, can anyone show me the link to the documentation? For example which conf file I need to edit to put that if else clause.

Thanks
Danny

On Wed, Mar 13, 2013 at 3:53 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi All.
>
> I found this error when I enabled checkval:
>
>     rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
>     ++[checkval] returns notfound
>     ++[expiration] returns noop
>
> What is the meaning of that error?
>
> Thanks in advance
>
> --
> Best Regards,
> Danny

--
Best Regards,
Danny
Re: How to use checkval
checkval can be helpful when you need to apply NAS-identifier Calling-Station-Id - FR attributes.

    checkval calledstationid {
        item-name = Called-Station-Id
        check-name = Called-Station-Id
        data-type = string
        notfound-reject = no
    }

    checkval nasidentifier {
        item-name = NAS-Identifier
        check-name = NAS-Identifier
        data-type = string
        notfound-reject = no
    }

Thanks / Regards
RM

On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi All.
>
> I found this error when I enabled checkval:
>
>     rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
>     ++[checkval] returns notfound
>     ++[expiration] returns noop
>
> What is the meaning of that error?
>
> Thanks in advance
>
> --
> Best Regards,
> Danny
Re: How to use checkval
Hi Russel,

Thanks for that. However it seems the check-name can't even be populated, as you can see from my log file.

    +- entering group authorize {...}
    ++[preprocess] returns ok
    rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
    rlm_checkval: *Could not find attribute named **Calling-Station-Id in check pairs*
    ++[checkval] returns notfound
    [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
    [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
    [auth_log] expand: %t - Wed Mar 13 17:47:09 2013

I checked the ldap.attrmap and it's correctly mapped to the LDAP attribute.

So how to make sure that Radius rejects the request when the MAC address is not listed.. that's what I want to achieve.

Thanks
Danny

On Wed, Mar 13, 2013 at 4:51 PM, Russell Mike radius@gmail.com wrote:
> checkval can be helpful when you need to apply NAS-identifier Calling-Station-Id - FR attributes.
>
>     checkval calledstationid {
>         item-name = Called-Station-Id
>         check-name = Called-Station-Id
>         data-type = string
>         notfound-reject = no
>     }
>
>     checkval nasidentifier {
>         item-name = NAS-Identifier
>         check-name = NAS-Identifier
>         data-type = string
>         notfound-reject = no
>     }
>
> Thanks / Regards
> RM

--
Best Regards,
Danny
Re: How to use checkval
Hi Dan,

What Reject? And MAC address listed where? Are you working around MAC authentication?

FR MAC auth is working for me, I use CoovaChilli as NAS.

0.) MAC address would exist as user in MySQL DB or file
1.) Configure NAS to send MAC-Addr as username to Freeradius
2.) And do the following at Freeradius side.

    username=mac address;attribute=Auth-Type;op=:=;value=Accept

Thanks / Regards
RM

On Wed, Mar 13, 2013 at 10:49 AM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi Russel,
>
> Thanks for that. However it seems the check-name can't even be populated, as you can see from my log file.
>
>     +- entering group authorize {...}
>     ++[preprocess] returns ok
>     rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
>     rlm_checkval: *Could not find attribute named * *Calling-Station-Id in check pairs*
>     ++[checkval] returns notfound
>     [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
>     [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
>     [auth_log] expand: %t - Wed Mar 13 17:47:09 2013
>
> I checked the ldap.attrmap and it's correctly mapped to the LDAP attribute.
>
> So how to make sure that Radius rejects the request when the MAC address is not listed.. that's what I want to achieve.
>
> Thanks
> Danny
Re: How to use checkval
Hi Russel,

So we have LDAP auth here. At this time it works fine. But now we want to add a second auth, so for example we want to check the valid user id / password from LDAP and also the MAC address listed in the user attribute in the LDAP.

The ldap attribute is mapped properly:

    checkItem    Called-Station-Id     radiusCalledStationId
    checkItem    Calling-Station-Id    radiusCallingStationId

So the goal is to make sure that the user only logs in from his / her company device that is associated with their user profile in LDAP. I already made sure that the user has the attribute radiusCallingStationId set correctly.

Thanks
Danny

On Wed, Mar 13, 2013 at 7:08 PM, Russell Mike radius@gmail.com wrote:
> Hi Dan,
>
> What Reject? And MAC address listed where? Are you working around MAC authentication?
>
> FR MAC auth is working for me, I use CoovaChilli as NAS.
>
> 0.) MAC address would exist as user in MySQL DB or file
> 1.) Configure NAS to send MAC-Addr as username to Freeradius
> 2.) And do the following at Freeradius side.
>
>     username=mac address;attribute=Auth-Type;op=:=;value=Accept
>
> Thanks / Regards
> RM

--
Best Regards,
Danny
Re: How to use checkval
Danny Kurniawan wrote:
> Hi Russel,
>
> So we have LDAP auth here. At this time it works fine. But now we want to add a second auth, so for example we want to check the valid user id / password from LDAP and also the MAC address listed in the user attribute in the LDAP.
>
> The ldap attribute is mapped properly:
>
>     checkItem    Called-Station-Id     radiusCalledStationId
>     checkItem    Calling-Station-Id    radiusCallingStationId

That works. The solution then is simple. You have a Calling-Station-Id in the control list, and one in the request. So compare them.

    authorize {
        ...
        ldap
        if (control:Calling-Station-Id != %{Calling-Station-Id}) {
            ... # reject, or anything else
        }
        ...
    }

> So the goal is to make sure that the user only logs in from his / her company device that is associated with their user profile in LDAP. I already made sure that the user has the attribute radiusCallingStationId set correctly.

You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a helpful way of ignoring the standards.

Alan DeKok.
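The check discussed in this thread (reject when the control list has no usable Calling-Station-Id, normalize the MAC the NAS sent, then compare the two), modelled in Python as an added example. It is not FreeRADIUS code and was not posted to the list; the function names, the accepted MAC layouts and the sample values are constructed for illustration.

```python
import re

# MAC layouts accepted by this model (an assumption about what NASes send):
# aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff and aabbccddeeff.
# Mixed separators or any other shape are rejected rather than guessed at.
_MAC_LAYOUTS = re.compile(
    r"^(?:"
    r"[0-9a-f]{2}(?P<sep>[-:])(?:[0-9a-f]{2}(?P=sep)){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
    r"|[0-9a-f]{12}"
    r")$",
    re.IGNORECASE,
)


def normalize_mac(value):
    """Return the MAC as upper-case AA-BB-CC-DD-EE-FF, or None if unusable."""
    if not value:
        return None  # attribute missing or empty
    value = value.strip()
    if not _MAC_LAYOUTS.match(value):
        return None
    digits = re.sub(r"[-:.]", "", value).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request, control):
    """Model of the authorize-section decision; returns (result, reason).

    request: attributes sent by the NAS.
    control: check items loaded for the user (e.g. from LDAP).
    """
    allowed = normalize_mac(control.get("Calling-Station-Id"))
    if allowed is None:
        # Fail closed: a user with no registered device must not get in
        # just because there is nothing to compare against.
        return ("reject", "no usable Calling-Station-Id in control list")
    seen = normalize_mac(request.get("Calling-Station-Id"))
    if seen is None:
        return ("reject", "no usable Calling-Station-Id in request")
    if seen != allowed:
        return ("reject", "request %s does not match control %s" % (seen, allowed))
    return ("ok", "Calling-Station-Id matches")


# Constructed sample requests; the MAC values are reused from the thread.
REGISTERED = {"Calling-Station-Id": "A0-88-B4-0F-C3-D8"}
SAMPLES = [
    ("same device, colon format", {"Calling-Station-Id": "a0:88:b4:0f:c3:d8"}, REGISTERED),
    ("same device, dotted format", {"Calling-Station-Id": "a088.b40f.c3d8"}, REGISTERED),
    ("different device", {"Calling-Station-Id": "00-18-de-4e-8f-11"}, REGISTERED),
    ("LDAP attribute not set", {"Calling-Station-Id": "a0:88:b4:0f:c3:d8"}, {}),
    ("LDAP attribute empty", {"Calling-Station-Id": "a0:88:b4:0f:c3:d8"},
     {"Calling-Station-Id": ""}),
    ("NAS sent no MAC", {}, REGISTERED),
]


def run_samples():
    """Return (description, result) for every constructed sample."""
    return [(name, authorize(req, ctl)[0]) for name, req, ctl in SAMPLES]


if __name__ == "__main__":
    for name, req, ctl in SAMPLES:
        result, reason = authorize(req, ctl)
        print("%-28s %-6s %s" % (name, result, reason))
```
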
Re: How to use checkval
Thanks Alan, let me try that.
So basically you are also saying that I don't need to enable / use checkval module in the siteavailable/default ?

So the goal here is to have 802.1X PEAP + MAC authentication at the same time. User connects to wireless AP, prompted for user name password, then the information is passed over to Radius that queries the ldap for username, password and MAC (or we called that radiusCalling StationID in the user profile attribute)

Thanks a lot
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > Hi Russel,
> > So we have LDAP auth here. At this time it works fine. But now we want to add 2 auth, so for example like we want to check the valid user id / password from LDAP and also the MAC address listed from the user attribute in the LDAP.
> > The ldap attribute mapped properly :
> >
> >     checkItem Called-Station-Id radiusCalledStationId
> >     checkItem Calling-Station-Id radiusCallingStationId
>
> That works. The solution then is simple. You have a Calling-Station-Id in the control list, and one in the request. So compare them.
>
>     authorize {
>         ...
>         ldap
>         if (control:Calling-Station-Id != %{Calling-Station-Id}) {
>             ... # reject, or anything else
>         }
>         ...
>     }
>
> > so the goal is to make sure that the user is only login from his / her company device that associated with their user profile in LDAP. I already make sure that the user have the attribute radiusCallingStationId set correctly.
>
> You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a helpful way of ignoring the standards.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
Danny Kurniawan wrote:
> Thanks Alan, let me try that.
> So basically you are also saying that i don't need to enable / use checkval module in the siteavailable/default ?

I fail to understand the reason for this question. I gave you an answer. Instead of doing what I said, your first response is to question it. That's rude. Do you think I'm lying to you?

Alan DeKok.
Re: How to use checkval
Hi,
I'm very sorry if that is considered rude. I said that I will try that and I just want to make sure I didn't need to use checkval as I already enabled it. So what I want to do is disable it and try the solution.
Again, I apologize for this misunderstanding.

Thanks
Best Regards,
Danny

On Thu, Mar 14, 2013 at 1:38 AM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > Thanks Alan, let me try that.
> > So basically you are also saying that i don't need to enable / use checkval module in the siteavailable/default ?
>
> I fail to understand the reason for this question. I gave you an answer. Instead of doing what I said, your first response is to question it. That's rude. Do you think I'm lying to you?
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
On 13/03/2556 14:53, Danny Kurniawan wrote:
> Hi All.
> I found this error when enabled checkval
>
>     rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
>     ++[checkval] returns notfound
>     ++[expiration] returns noop
>
> What is the meaning of that error?
> Thanks in advance
> --
> Best Regards,
> Danny

You can read my link https://www.easyzonecorp.net/network/view.php?ID=1373

--
http://www.easyzonecorp.net
Re: How to use checkval
Hi Alan,
I tried to put that command in the /siteAvailable/Default after the LDAP call and received this error :

    Expected string or numbers at: )
    /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
    }

I also commented back the checkval module.

Thanks
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok al...@deployingradius.com wrote:
> Danny Kurniawan wrote:
> > Hi Russel,
> > So we have LDAP auth here. At this time it works fine. But now we want to add 2 auth, so for example like we want to check the valid user id / password from LDAP and also the MAC address listed from the user attribute in the LDAP.
> > The ldap attribute mapped properly :
> >
> >     checkItem Called-Station-Id radiusCalledStationId
> >     checkItem Calling-Station-Id radiusCallingStationId
>
> That works. The solution then is simple. You have a Calling-Station-Id in the control list, and one in the request. So compare them.
>
>     authorize {
>         ...
>         ldap
>         if (control:Calling-Station-Id != %{Calling-Station-Id}) {
>             ... # reject, or anything else
>         }
>         ...
>     }
>
> > so the goal is to make sure that the user is only login from his / her company device that associated with their user profile in LDAP. I already make sure that the user have the attribute radiusCallingStationId set correctly.
>
> You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a helpful way of ignoring the standards.
>
> Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
So this is the content of sites-available/default

    #
    # The ldap module will set Auth-Type to LDAP if it has not
    # already been set
    ldap
    if (control:Calling-Station-Id != %{Calling-Station-Id}) { reject }
    #
    # Enforce daily limits on time spent logged in.
    #daily
    #
    # Use the checkval module
    #checkval

Thanks
Danny

On Thu, Mar 14, 2013 at 1:42 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
> Hi Alan,
> I tried to put that command in the /siteAvailable/Default after the LDAP call and received this error :
>
>     Expected string or numbers at: )
>     /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
>     }
>
> I also commented back the checkval module.
>
> Thanks
> Danny
>
> On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok al...@deployingradius.com wrote:
> > Danny Kurniawan wrote:
> > > Hi Russel,
> > > So we have LDAP auth here. At this time it works fine. But now we want to add 2 auth, so for example like we want to check the valid user id / password from LDAP and also the MAC address listed from the user attribute in the LDAP.
> > > The ldap attribute mapped properly :
> > >
> > >     checkItem Called-Station-Id radiusCalledStationId
> > >     checkItem Calling-Station-Id radiusCallingStationId
> >
> > That works. The solution then is simple. You have a Calling-Station-Id in the control list, and one in the request. So compare them.
> >
> >     authorize {
> >         ...
> >         ldap
> >         if (control:Calling-Station-Id != %{Calling-Station-Id}) {
> >             ... # reject, or anything else
> >         }
> >         ...
> >     }
> >
> > > so the goal is to make sure that the user is only login from his / her company device that associated with their user profile in LDAP. I already make sure that the user have the attribute radiusCallingStationId set correctly.
> >
> > You also need to normalize the Calling-Station-Id in the request. Or at least ensure that all of the NASes use the same format. Some vendors have a helpful way of ignoring the standards.
> >
> > Alan DeKok.

--
Best Regards,
Danny
Re: How to use checkval
On Thu, Mar 14, 2013 at 4:44 PM, Danny Kurniawan danny.kurnia...@fairchildsemi.com wrote:
>     if (control:Calling-Station-Id != %{Calling-Station-Id}) { reject }

IIRC the parser is picky on where the curly braces are located. Look at Alan's example again, and see man unlang for if block.

--
Fajar