Re: How to use checkval

2013-03-15 Thread Alan Buxey
Do you need RPM? Can you not just build and install from the source?

alan


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to use checkval

2013-03-15 Thread Danny Kurniawan
Hi Alan,

I'm trying it now: compiling from source and generating an RPM. But now I'm stuck
at 2 dependencies. Hmm, can you show me how to build and install from
source? Any link? Doesn't that still need dependencies?

libpcap-devel is needed by freeradius-server-2.2.0-0.x86_64
sqlite3-devel is needed by freeradius-server-2.2.0-0.x86_64

I have been searching around on the DVD ISO of SLES SP4 and in the Novell
repo, but still can't find them. Can anyone help?

Thanks
Danny

Re: How to use checkval

2013-03-15 Thread Danny Kurniawan
Hi All,

I just wanted to know, is there any way I can still use 1.1.7 and have the
ability to check for an empty Calling-Station-Id? Any method is fine as long
as it works.

I already tried to install / compile, but there are a lot of dependencies I can't find
on the DVD / ISO, and I could not find them in the Novell repo either.

Thanks a lot.
Danny


Re: How to use checkval

2013-03-15 Thread Fajar A. Nugraha
On Fri, Mar 15, 2013 at 8:47 PM, Danny Kurniawan
danny.kurnia...@fairchildsemi.com wrote:

> Hi Alan,
>
> I'm trying it now: compiling from source and generating an RPM. But now I'm stuck
> at 2 dependencies. Hmm, can you show me how to build and install from
> source? Any link? Doesn't that still need dependencies?
>
> libpcap-devel is needed by freeradius-server-2.2.0-0.x86_64
> sqlite3-devel is needed by freeradius-server-2.2.0-0.x86_64
>
> I have been searching around on the DVD ISO of SLES SP4 and in the Novell
> repo, but still can't find them. Can anyone help?



Short version? Buy a suse subscription.

You'd probably find it on their repository. If you don't, you can ask their
support where to find it.

The other option is to use opensuse (if you still need suse-like
environment), or use whatever version of FR available from
http://download.opensuse.org/repositories/network:/aaa/ . They should at
least have 2.1.12.

-- 
Fajar

Re: How to use checkval

2013-03-15 Thread Alan DeKok
Danny Kurniawan wrote:
> I already tried to install / compile, but there are a lot of dependencies I can't find
> on the DVD / ISO, and I could not find them in the Novell repo either.

$ grep pcap suse/*
suse/freeradius.spec:BuildRequires: libpcap-devel

  Edit that file, and delete the line.  FreeRADIUS doesn't *need*
anything.  It can *use* pcap if you have it.  But if you don't, it's fine.

  You may need to create a new tar file, but that should be simple.

  Remember, if it doesn't work, hit it with a hammer.

  Alan DeKok.


Re: How to use checkval

2013-03-15 Thread Danny Kurniawan
Thanks Alan. Let me try that.

PS: I will prepare a hammer too, but too bad the server is in the US while I'm
in Singapore :)

If this is not going to work, I will give up and ask to install a brand new SLES
11 that supports 2.1.1.

Thanks
Danny


Re: How to use checkval

2013-03-15 Thread Danny Kurniawan
Update :

It works like a charm :)

I removed sqlite3 and libpcap, and I can compile and install it just
fine. And the Radius works.. *well, I haven't really tested it in PROD,
but at least it can accept connections and unlang.

Thanks Alan, I really, really appreciate that.

Have a good weekend.
Danny


Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Thanks a lot for your reply.

Yes, I got it working. However, one more question:

what is the operator used to check if the value is empty ?

if(control:Calling-Station-Id == ){
reject
}

*not working for above

So I tried to make sure that if the user LDAP attribute for CallingStationID was
not set, it is rejected.

Thanks
Danny

On Thu, Mar 14, 2013 at 1:52 PM, Fajar A. Nugraha l...@fajar.net wrote:

> On Thu, Mar 14, 2013 at 4:44 PM, Danny Kurniawan
> danny.kurnia...@fairchildsemi.com wrote:
>
>> if (control:Calling-Station-Id != %{Calling-Station-Id})
>> {
>> reject
>> }
>
> IIRC the parser is picky on where the curly braces are located. Look at
> Alan's example again, and see man unlang for if block.
>
> --
> Fajar


Re: How to use checkval

2013-03-14 Thread Olivier Beytrison
On 14.03.2013 07:28, Danny Kurniawan wrote:
> Thanks a lot for your reply.
>
> Yes i got it working. However one more question :
>
> what is the operator used to check if the value is empty ?
>
> if(control:Calling-Station-Id == ){
> reject
> }

if(!control:Calling-Station-Id) {
    reject
}

this will be true if the attribute doesn't exist.

and btw, on your previous messages :

if (control:Calling-Station-Id != %{Calling-Station-Id})
last  is misplaced
if (control:Calling-Station-Id != %{Calling-Station-Id})

Olivier

-- 

 Olivier Beytrison
 Network  Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
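
The two conditions discussed in this thread, combined into one authorize policy. This is an added example, not configuration from any poster or from the FreeRADIUS distribution; it assumes FreeRADIUS 2.x, and that the ldap module runs in authorize and fills control:Calling-Station-Id through the checkItem mapping in ldap.attrmap.

```unlang
# Added example for FreeRADIUS 2.x (for instance in sites-available/default).
# Version 1.x has no unlang, so none of this applies there.
authorize {
	preprocess

	# Assumption: ldap is listed here and the ldap.attrmap line
	#   checkItem  Calling-Station-Id  radiusCallingStationId
	# copies the MAC registered for the user into the control list.
	ldap

	# 1. No MAC registered for this user in LDAP: refuse, rather than
	#    letting the request continue to authentication unchecked.
	if (!control:Calling-Station-Id) {
		reject
	}
	# 2. The NAS sent no Calling-Station-Id, so there is nothing to compare.
	elsif (!Calling-Station-Id) {
		reject
	}
	# 3. Both exist but differ. This is an exact string comparison, so the
	#    LDAP value must be stored in the same form the NAS sends
	#    (the debug log in this thread shows A0-88-B4-0F-C3-D8).
	elsif ("%{control:Calling-Station-Id}" != "%{Calling-Station-Id}") {
		reject
	}

	# Only requests that passed the device check reach EAP.
	eap
}
```

Run the server with `radiusd -X` and confirm that a user without radiusCallingStationId in LDAP is rejected in authorize, before any EAP exchange starts.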


Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Thanks Olivier.

Yes, the previous message has been resolved. Thanks a lot. Let me try your
suggestion.

-Danny


Re: How to use checkval

2013-03-14 Thread Fajar A. Nugraha
On Thu, Mar 14, 2013 at 5:28 PM, Danny Kurniawan
danny.kurnia...@fairchildsemi.com wrote:

> Thanks a lot for your reply.
>
> Yes, I got it working. However, one more question:
>
> what is the operator used to check if the value is empty ?
>
> if(control:Calling-Station-Id == ){
> reject
> }
>
> *not working for above


Not sure. Maybe

if( !(%{control:Calling-Station-Id}) ){
   reject
}

-- 
Fajar

Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Hi All,

All of the suggestions work fine :)

So just wondering, will this unlang method work for radius 1.x version? If
it's not working, what is the method that I can use in that version?

Thanks
Danny


Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Just to add in,

I have tested it, and I know the comparison works when checkval is enabled
inside radius.conf.

But now how can I check that the value of the CallingStationID is not empty?
In Radius 2.x I can use the unlang below, but in Radius 1.x it failed
when I tried that.

Also I have enabled
notfound-reject = yes

in the checkval function, but I believe that only checks the item-name and
not the check-name.

Is there any way to do this in radius 1.x? I'm just not in a position to
upgrade the radius at this time.

Thanks
Danny


Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
So does anyone know how to do the following in FreeRadius 1.1.7 ?

if(control:Calling-Station-Id == ){
reject
}

I just want to reject the packet if the Control (or maybe check) is empty
or has no value. I cannot afford to upgrade at this time, as it's the
native freeradius that comes with SLES 10 and I'm not sure how to compile the
new radius there.

Thanks
Danny

Re: How to use checkval

2013-03-14 Thread Alan DeKok
Danny Kurniawan wrote:
> So does anyone know how to do the following in FreeRadius 1.1.7 ?
>
> if(control:Calling-Station-Id == ){
> reject
> }

  You don't.  Version 1 doesn't support unlang.

> I just want to reject the packet if the Control (or maybe check) is
> empty or has no value. I cannot afford to upgrade at this time, as
> it's the native freeradius that comes with SLES 10 and I'm not sure how to
> compile the new radius there.

  There's a suse directory in the tarball.  You should be able to
build a SUSE RPM yourself.

  Alan DeKok.


Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Thanks Alan.

I have read some articles about compiling our own rpm. My only concern is
the --edir integration.

So is there any input for me on whether, after I upgrade using the rpm that I
build myself, I can still use it with edir? I saw an article somewhere
that said to make sure you use the --edir option when installing a freeradius that
doesn't come with the OS.

It's just that this is a PROD server and I'm not really an expert in Linux, so if you
/ anyone else can give me a link or guide steps on how to upgrade
freeradius manually on my SLES 10 I will be very happy.

Thanks
Danny


Re: How to use checkval

2013-03-14 Thread Alan DeKok
Danny Kurniawan wrote:
> I have read some articles about compiling our own rpm. My only concern
> is the --edir integration.

  Add that to the suse files.  Look for the script running configure.

> So is there any input for me on whether, after I upgrade using the rpm that
> I build myself, I can still use it with edir? I saw an article somewhere
> that said to make sure you use the --edir option when installing a
> freeradius that doesn't come with the OS.

  You can edit the files in the suse directory.

> It's just that this is a PROD server and I'm not really an expert in Linux, so if
> you / anyone else can give me a link or guide steps on how to upgrade
> freeradius manually on my SLES 10 I will be very happy.

  See the wiki.

http://wiki.freeradius.org/building/Build

  Alan DeKok.


Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Hi All,

Sorry for this beginner question again. I have read the wiki and I will need
some hints from any of you:
1. Which file do I need to download from
http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR
Version 2.2.0: tar.bz2 ?
2. After I download one of them, do I just copy it to
/usr/src/packages/SOURCES ? Or should I extract the content?
3. Does the spec file have to be removed from the .tar file, or just copied out?
4. Which file should I edit to include this --with-edir option during
configure ? I believe this is what lets radius check things like
account lockedOut, account disabled etc?

Thanks a bunch
Danny


Re: How to use checkval

2013-03-14 Thread Fajar A. Nugraha
On Fri, Mar 15, 2013 at 10:52 AM, Danny Kurniawan
danny.kurnia...@fairchildsemi.com wrote:

> Hi All,
>
> Sorry for this beginner question again. I have read the wiki and I will need
> some hints from any of you:
> 1. Which file do I need to download from
> http://freeradius.org/download.html ? Version 2.2.0: tar.gz OR
> Version 2.2.0: tar.bz2 ?

Same thing. Please spend some time to learn about archive formats. For
example: http://www.dslreports.com/faq/3999

> 2. After I download one of them, do I just copy it to
> /usr/src/packages/SOURCES ? Or should I extract the content?
> 3. Does the spec file have to be removed from the .tar file, or just copied out?

This is beyond the scope of this list. Please learn about building RPM
packages, especially on suse. Possibly ask on suse list.

In general, the bundled suse spec file assumes that you have the spec file
on SPECS directory, and the bz2 file (as well as all other files on suse
directory) in SOURCES.

> 4. Which file should I edit to include this --with-edir option during
> configure ? I believe this is what lets radius check things like
> account lockedOut, account disabled etc?

If you had learned about building RPM, you wouldn't need to ask this
question. Please spend some time to learn about building RPM packages. The
short version is suse's specfile uses --with-edir by default.

-- 
Fajar

Re: How to use checkval

2013-03-14 Thread Danny Kurniawan
Thanks in advance for all the explanation. I will spend more time
learning it for sure; it's just that the requirement needs me to learn it in a
practical way *this task was handed over to me not in a good timely manner and
yet they want it fast :)

Again, I believe that's not an excuse for me not to read / learn, so thanks a
bunch for all the explanation and I will try this soon.

Many thanks
Danny


Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
So basically i found this old 2008 case :


Feb 27, 2008; 6:13pm  Re: Radius MAC filtering with EAP-PEAP

Era wrote:
> Could you please assist me to find my fault. I have test user with laptop. I
> want to restrict access for this laptop. In users file I added wrong mac
> address (00-18-de-4e-8f-11) but laptop still can connect with testuser/12345
> credentials.

  Did you read the documentation for the users file?

> Here is my users file:
>
> testuser User-Password == 12345
>  Calling-Station-Id = 00-18-de-4e-8f-11

  What do you think this entry does?

> Here is my checkval config:

  I don't think you need to use the checkval module.

  In 2.0, you can just write the logic you want in unlang.

  Alan DeKok.


The different things that i want to achieve here is :

Use checkval to check the station id; if it passes, then go to EAP-MSCHAPV2. If
this can be done with the unlang method, can anyone show me a link to the
documentation? For example, which conf file do I need to edit to put that if /
else clause in?

Thanks
Danny

On Wed, Mar 13, 2013 at 3:53 PM, Danny Kurniawan
danny.kurnia...@fairchildsemi.com wrote:

> Hi All.
>
> I found this error when enabled checkval
>
> rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
> ++[checkval] returns notfound
> ++[expiration] returns noop
>
> What is the meaning of that error?
>
> Thanks in advance


Re: How to use checkval

2013-03-13 Thread Russell Mike
checkval can be helpful when you need to apply NAS-identifier 
Calling-Station-Id - FR attributes.

checkval calledstationid {
    item-name = Called-Station-Id
    check-name = Called-Station-Id
    data-type = string
    notfound-reject = no
}


checkval nasidentifier {
    item-name = NAS-Identifier
    check-name = NAS-Identifier
    data-type = string
    notfound-reject = no
}


Thanks / Regards
RM --




Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
Hi Russel,

Thanks for that. However, it seems the check-name can't even be populated, as
you can see from my log file.

+- entering group authorize {...}
++[preprocess] returns ok
rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8
rlm_checkval: Could not find attribute named Calling-Station-Id in check pairs
++[checkval] returns notfound
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
[auth_log]  expand: %t -> Wed Mar 13 17:47:09 2013


I checked the ldap.attrmap and it's correctly mapped to the LDAP attribute.

So how do I make sure that Radius rejects the request when the MAC address is
not listed.. that's what I want to achieve

Thanks
Danny



Re: How to use checkval

2013-03-13 Thread Russell Mike
Hi Dan,
What Reject ? And MAC address listed where? Are you working around MAC
authentication? FR MAC auth is working for me, I use CoovaChilli as NAS.

0.) MAC address would exist as user in MySQL DB or file
1.) Configure NAS to send MAC-Addr as username to Freeradius
2.) And do the following at Freeradius side.
username=mac address;attribute=Auth-Type;op=:=;value=Accept

Thanks / Regards
RM --



Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
Hi Russel,

So we have LDAP auth here. At this time it works fine. But now we want to
add 2 auth, so for example we want to check for a valid user id /
password from LDAP and also the MAC address listed in the user attribute
in the LDAP.

The ldap attributes are mapped properly:
checkItem    Called-Station-Id     radiusCalledStationId
checkItem    Calling-Station-Id    radiusCallingStationId


So the goal is to make sure that the user only logs in from his / her
company device that is associated with their user profile in LDAP. I already
made sure that the user has the attribute radiusCallingStationId set
correctly.

Thanks
Danny

On Wed, Mar 13, 2013 at 7:08 PM, Russell Mike radius@gmail.com wrote:

 Hi Dan,
 What Reject ? And MAC address listed where? Are you working around MAC
 authentication? FR MAC auth is working for me, I use CoovaChilli as NAS.

 0.) MAc address would exist as user in MySQL DB or file
 1.) Configure NAS to send MAC-Addr as username to Freeradius
 2.)  And do the following at Freeradius side.
 username=mac address;attribute=Auth-Type;op=:=;value=Accept

 Thanks / Regards
 RM --


 On Wed, Mar 13, 2013 at 10:49 AM, Danny Kurniawan 
 danny.kurnia...@fairchildsemi.com wrote:

 Hi Russel,

 Thanks for that. However it seems the check-name cant even populated. as
 you can see from my log file.

 +- entering group authorize {...}
 ++[preprocess] returns ok
 rlm_checkval: Item Name: Calling-Station-Id, Value: A0-88-B4-0F-C3-D8

 rlm_checkval: *Could not find attribute named *
 *Calling-Station-Id in check pairs*
 ++[checkval] returns notfound
 [auth_log]  expand:
 /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
 /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
 [auth_log]
 /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
 /var/log/radius/radacct/172.21.118.231/auth-detail-20130313
 [auth_log]  expand: %t - Wed Mar 13 17:47:09 2013


 I check the ldap.attrmap and its correctly mapped to the LDAP attribute.

 So how to make sure that Radius reject the request when the MAC address
 is not listed.. thats what i want to achieve

 Thanks
 Danny


 On Wed, Mar 13, 2013 at 4:51 PM, Russell Mike radius@gmail.com wrote:

 checkval can helpful when you need to apply NAS-identifier 
 Calling-Station-Id - FR attributes.

 checkval calledstationid {
     item-name = Called-Station-Id
     check-name = Called-Station-Id
     data-type = string
     notfound-reject = no
 }


 checkval nasidentifier {
     item-name = NAS-Identifier
     check-name = NAS-Identifier
     data-type = string
     notfound-reject = no
 }


 Thanks / Regards
 RM --



 On Wed, Mar 13, 2013 at 7:53 AM, Danny Kurniawan 
 danny.kurnia...@fairchildsemi.com wrote:

 Hi All.

 I found this error when enabled checkval

 rlm_checkval: Could not find attribute named Calling-Station-Id in
 check pairs
 ++[checkval] returns notfound
 ++[expiration] returns noop

 What is the meaning of that error?

 Thanks in advance

 --
 Best Regards,
 Danny





 --
 Best Regards,
 Danny





-- 
Best Regards,
Danny

Re: How to use checkval

2013-03-13 Thread Alan DeKok
Danny Kurniawan wrote:
 Hi Russel,
 
 So we have LDAP auth here. At this time it works fine. But now we want
 to added 2 auth, so for example like we want to check the valid user id
 / password from LDAP and also the MAC address listed from the user
 attribute in the LDAP.
 
 The ldap attribute mapped properly :
 checkItem    Called-Station-Id     radiusCalledStationId
 checkItem    Calling-Station-Id    radiusCallingStationId

  That works.  The solution then is simple.  You have a
Calling-Station-Id in the control list, and one in the request.  So
compare them.

authorize {
    ...
    ldap

    if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
        ... # reject, or anything else
    }

    ...
}

 so the goal is to make sure that the user is only login from his / her
 company device that associated with their user profile in LDAP. I
 already make sure that the user have the attribute
 radiusCallingStationId set correctly.

  You also need to normalize the Calling-Station-Id in the request.  Or
at least ensure that all of the NASes use the same format.  Some vendors
have a helpful way of ignoring the standards.

  Alan DeKok.
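
Added example, not part of the original thread and not FreeRADIUS code: a Python model of the control-versus-request Calling-Station-Id comparison with the normalization step included, so NAS format variants can be checked before the rule is written in unlang. The function names, the separator set and the fail-closed handling of a missing value are assumptions; the sample MAC is the one from the debug log in this thread.

```python
import re

# Separators seen between octets in Calling-Station-Id values. The exact set a
# given NAS uses is an assumption; confirm it against your own request logs.
_SEPARATORS = re.compile(r"[-:.\s]")
_TWELVE_HEX = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return the MAC as 'aa-bb-cc-dd-ee-ff', or None if it is not a MAC."""
    if not value:
        return None
    digits = _SEPARATORS.sub("", value.strip().lower())
    if not _TWELVE_HEX.fullmatch(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_allowed(control_mac, request_mac):
    """Model of the authorize-time check: the MAC stored for the user
    (control list, from LDAP) must equal the MAC the NAS reported (request).

    Fails closed: a missing or malformed value on either side is a reject,
    so a user with no radiusCallingStationId cannot log in from any device.
    """
    expected = normalize_mac(control_mac)
    presented = normalize_mac(request_mac)
    if expected is None or presented is None:
        return False
    return expected == presented


# Constructed sample data: one stored value and several NAS spellings of it.
STORED = "A0-88-B4-0F-C3-D8"
SAMPLES = [
    "A0-88-B4-0F-C3-D8",   # format seen in the debug log in this thread
    "a0:88:b4:0f:c3:d8",
    "a088.b40f.c3d8",
    "A088B40FC3D8",
    "A0-88-B4-0F-C3-D9",   # a different device
    "",                    # NAS sent no Calling-Station-Id
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "accept" if device_allowed(STORED, sample) else "reject"
        print(f"{sample!r:24} -> {verdict}")
```

A plain string comparison without the normalization step rejects the second, third and fourth samples even though they name the same device.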


Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
Thanks Alan, let me try that. So basically you are also saying that I don't
need to enable / use the checkval module in sites-available/default?

So the goal here is to have 802.1X PEAP + MAC authentication at the same
time. The user connects to the wireless AP and is prompted for user name and
password, then the information is passed over to RADIUS, which queries LDAP
for the username, password and MAC (what we call radiusCallingStationId in
the user profile attribute).

Thanks a lot
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok al...@deployingradius.com wrote:

 Danny Kurniawan wrote:
  Hi Russel,
 
  So we have LDAP auth here. At this time it works fine. But now we want
  to added 2 auth, so for example like we want to check the valid user id
  / password from LDAP and also the MAC address listed from the user
  attribute in the LDAP.
 
  The ldap attribute mapped properly :
  checkItem    Called-Station-Id     radiusCalledStationId
  checkItem    Calling-Station-Id    radiusCallingStationId

   That works.  The solution then is simple.  You have a
 Calling-Station-Id in the control list, and one in the request.  So
 compare them.

 authorize {
     ...
     ldap

     if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
         ... # reject, or anything else
     }

     ...
 }

  so the goal is to make sure that the user is only login from his / her
  company device that associated with their user profile in LDAP. I
  already make sure that the user have the attribute
  radiusCallingStationId set correctly.

   You also need to normalize the Calling-Station-Id in the request.  Or
 at least ensure that all of the NASes use the same format.  Some vendors
 have a helpful way of ignoring the standards.

   Alan DeKok.




-- 
Best Regards,
Danny

Re: How to use checkval

2013-03-13 Thread Alan DeKok
Danny Kurniawan wrote:
 Thanks Alan, let me try that. So basically you are also saying that i
 don't need to enable / use checkval module in the siteavailable/default ?

  I fail to understand the reason for this question.  I gave you an
answer.  Instead of doing what I said, your first response is to
question it.

  That's rude.  Do you think I'm lying to you?

  Alan DeKok.


Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
Hi,

I'm very sorry if that is considered rude. I said that I will try that and I
just want to make sure I don't need to use checkval as I already enabled
it. So what I want to do is disable it and try the solution.

Again, I apologize for this misunderstanding.

Thanks & Best Regards,
Danny

On Thu, Mar 14, 2013 at 1:38 AM, Alan DeKok al...@deployingradius.com wrote:

 Danny Kurniawan wrote:
  Thanks Alan, let me try that. So basically you are also saying that i
  don't need to enable / use checkval module in the siteavailable/default ?

   I fail to understand the reason for this question.  I gave you an
 answer.  Instead of doing what I said, your first response is to
 question it.

   That's rude.  Do you think I'm lying to you?

   Alan DeKok.




-- 
Best Regards,
Danny

Re: How to use checkval

2013-03-13 Thread EasyHorpak.com

On 13/03/2556 14:53, Danny Kurniawan wrote:

Hi All.

I found this error when enabled checkval

rlm_checkval: Could not find attribute named Calling-Station-Id
in check pairs
++[checkval] returns notfound
++[expiration] returns noop

What is the meaning of that error?

Thanks in advance
  
  -- 
  Best Regards,
  Danny
  
  
  

you can read my link

https://www.easyzonecorp.net/network/view.php?ID=1373

-- 
  
  
  EasyZone Hotspot Billing v3.0 LDAP - supports LDAP , VLAN,
  Landing Page, Block site by Group, Multi Hotspot, Cisco WLC
  EasyZone Ready Hotspot Box - Mikrotik + EasyZone ISP
  Billing stable and easy to use.
  EasyZone ISP Billing - Billing for Wireless ISP, Local ISP.
  http://www.easyzonecorp.net

  


Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
Hi Alan,

I tried to put that command in sites-available/default after the LDAP
call and received this error:

Expected string or numbers at: )
/etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
 }

I also commented back the checkval module.

Thanks
Danny

On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok al...@deployingradius.com wrote:

 Danny Kurniawan wrote:
  Hi Russel,
 
  So we have LDAP auth here. At this time it works fine. But now we want
  to added 2 auth, so for example like we want to check the valid user id
  / password from LDAP and also the MAC address listed from the user
  attribute in the LDAP.
 
  The ldap attribute mapped properly :
  checkItem    Called-Station-Id     radiusCalledStationId
  checkItem    Calling-Station-Id    radiusCallingStationId

   That works.  The solution then is simple.  You have a
 Calling-Station-Id in the control list, and one in the request.  So
 compare them.

 authorize {
     ...
     ldap

     if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
         ... # reject, or anything else
     }

     ...
 }

  so the goal is to make sure that the user is only login from his / her
  company device that associated with their user profile in LDAP. I
  already make sure that the user have the attribute
  radiusCallingStationId set correctly.

   You also need to normalize the Calling-Station-Id in the request.  Or
 at least ensure that all of the NASes use the same format.  Some vendors
 have a helpful way of ignoring the standards.

   Alan DeKok.




-- 
Best Regards,
Danny

Re: How to use checkval

2013-03-13 Thread Danny Kurniawan
So this is the content of sites-available/default:

#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap

if (control:Calling-Station-Id != %{Calling-Station-Id})
{
reject
}

#
#  Enforce daily limits on time spent logged in.
#daily

#
# Use the checkval module
#checkval


Thanks
Danny

On Thu, Mar 14, 2013 at 1:42 PM, Danny Kurniawan 
danny.kurnia...@fairchildsemi.com wrote:

 Hi Alan,

 I tried to put that command in the /siteAvailable/Default after the LDAP
 called and receive this error :

 Expected string or numbers at: )
 /etc/raddb/sites-enabled/default[62]: Errors parsing authorize section.
  }

 I also commented back the checkval module.

 Thanks
 Danny

 On Wed, Mar 13, 2013 at 9:40 PM, Alan DeKok al...@deployingradius.com wrote:

 Danny Kurniawan wrote:
  Hi Russel,
 
  So we have LDAP auth here. At this time it works fine. But now we want
  to added 2 auth, so for example like we want to check the valid user id
  / password from LDAP and also the MAC address listed from the user
  attribute in the LDAP.
 
  The ldap attribute mapped properly :
  checkItem    Called-Station-Id     radiusCalledStationId
  checkItem    Calling-Station-Id    radiusCallingStationId

   That works.  The solution then is simple.  You have a
 Calling-Station-Id in the control list, and one in the request.  So
 compare them.

 authorize {
     ...
     ldap

     if (control:Calling-Station-Id != "%{Calling-Station-Id}") {
         ... # reject, or anything else
     }

     ...
 }

  so the goal is to make sure that the user is only login from his / her
  company device that associated with their user profile in LDAP. I
  already make sure that the user have the attribute
  radiusCallingStationId set correctly.

   You also need to normalize the Calling-Station-Id in the request.  Or
 at least ensure that all of the NASes use the same format.  Some vendors
 have a helpful way of ignoring the standards.

   Alan DeKok.




 --
 Best Regards,
 Danny




-- 
Best Regards,
Danny

Re: How to use checkval

2013-03-13 Thread Fajar A. Nugraha
On Thu, Mar 14, 2013 at 4:44 PM, Danny Kurniawan 
danny.kurnia...@fairchildsemi.com wrote:

 if (control:Calling-Station-Id != %{Calling-Station-Id})
 {
 reject
 }


IIRC the parser is picky about where the curly braces are located. Look at
Alan's example again, and see man unlang for the if block.

-- 
Fajar