I have read all the man pages and /docs and am having a difficult time understanding the authorization.  I keep wanting to write "if...elseif...else" stuff but I'm pretty sure that doesn't apply to FreeRADIUS config files.

In the radiusd.conf there is documentation on how to use checkval to compare against caller-id.  That's exactly what I want to do, but I can't figure out how to *use* it.

Let's say I have 2 groups: students and faculty.
I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-Id =~ "/:StudentWLAN$/"
I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-Id =~ "/:FacultyWLAN$/"

All my users are authenticated against LDAP.  If the user enters the correct username/password (as accepted by LDAP), the user should be able to associate to the WLAN, but only to the WLAN of which he/she is allowed.  Students can connect to the StudentWLAN; Faculty can connect to the FacultyWLAN.

How would I configure the checkval module?  Is it even necessary to use the checkval module?  How would I configure the users file?  Is the users file even necessary?

Just to show what I've got configured at the moment...  Using the config below, I am able to successfully allow users to join the WLAN using WPA and EAP-PEAP from Windows XP SP2.  But again, the user should not be able to join just any ol' LAN.

If anyone has any experience with using checkval or doing caller-id type activities, I'd love to read how you did it!

P.S.  I don't know who to direct compliments to, but the FreeRADIUS code is probably the most beautifully structured source code I have ever read.  It is SO easy to read and extremely consistent!  It's phenomenal!  And no, I can't answer my question myself just because I read the code...  ;)  But it's helped me to get this far!!

authorize {
        # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
        # ...
}

authenticate {
        # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
        Auth-Type MS-CHAP {
                # ...
        }
        # ...
}

modules {
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = no
        }

        ldap {
                # ...
        }

        eap {
                default_eap_type = peap
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                md5 {
                }

                tls {
                        private_key_password = <snip>
                        private_key_file = /etc/1x/server.pem
                        certificate_file = /etc/1x/server.pem
                        CA_file = /etc/1x/root.pem
                        dh_file = /etc/1x/DH
                        random_file = /etc/1x/random
                        include_length = yes
                }

                peap {
                        default_eap_type = mschapv2
                }

                mschapv2 {
                }
        }
}

I have NOTHING in users at this moment.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
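One way to get the per-SSID group restriction asked about above in FreeRADIUS 1.x, written as an added example (it is neither from the original post nor from the FreeRADIUS distribution): let the ldap module answer "Ldap-Group" check items, match the SSID with a regex on Called-Station-Id in the users file, and reject everything that did not match an allowed combination. No checkval module is involved; rlm_checkval compares one request attribute against a check item of the same kind that came from a database (the classic caller-id-per-user case), which is a different shape of problem from matching a fixed pattern. The LDAP host, base DN, user filter and the group/SSID names are assumptions based on the question.

```conf
# --- radiusd.conf, inside modules { ... } ---
# The ldap module must know how groups are stored before "Ldap-Group"
# can be used as a check item in the users file. The group lookup is
# done at match time, so ldap does not have to run before files.
ldap {
        server = "ldap.example.edu"                  # assumption
        basedn = "dc=example,dc=edu"                 # assumption
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

        # Groups under ou=Groups are groupOfNames objects whose
        # "member" values are user DNs (assumption about the directory).
        groupname_attribute = cn
        groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
}

eap {
        default_eap_type = peap
        peap {
                default_eap_type = mschapv2
                # PEAP runs authorize twice: once for the outer EAP
                # request and once for the inner MS-CHAPv2 request.
                # Copy the outer attributes (including Called-Station-Id)
                # into the inner request so the same users-file rules
                # are applied to the real, tunnelled identity. Without
                # this the inner request carries no Called-Station-Id
                # and would fall through to the Reject entry below.
                copy_request_to_tunnel = yes
        }
}

# --- users ---
# Entries are tried top to bottom; the first DEFAULT whose check items
# all match wins, and processing stops there unless Fall-Through = Yes.
#
# An AP normally sends Called-Station-Id as "<AP-MAC>:<SSID>", e.g.
# "00-11-22-33-44-55:StudentWLAN", so the pattern is anchored on the
# ":SSID" tail. No surrounding slashes; "=~" is what makes it a regex.

DEFAULT Ldap-Group == "students", Called-Station-Id =~ ":StudentWLAN$"
        Reply-Message = "Welcome to the student WLAN"

DEFAULT Ldap-Group == "faculty", Called-Station-Id =~ ":FacultyWLAN$"
        Reply-Message = "Welcome to the faculty WLAN"

# Nothing above matched: wrong group for this SSID, no group at all,
# or an unexpected Called-Station-Id. Reject even if the password is
# right. ":=" overrides the Auth-Type the eap module already set.
DEFAULT Auth-Type := Reject
        Reply-Message = "Your account is not allowed on this WLAN"
```

Ldap-Group accepts either the bare group name (looked up through groupname_attribute) or the full DN of the group, so "cn=students,ou=Groups,dc=example,dc=edu" works as well. The ordering matters: the Reject entry has to be last, and any later entry you add must come before it. The match is only as trustworthy as the Called-Station-Id the NAS puts in the request, which is protected by nothing more than the RADIUS shared secret, so keep that secret per-AP and strong. Windows XP sends the real user name as the outer PEAP identity; a supplicant that sends an anonymous outer identity will fail the outer Ldap-Group check and be rejected, which is the safe direction, but it is something to keep in mind before changing clients. Run radiusd -X and watch which users entry the files module reports as matched while a student and a faculty member try both SSIDs.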
