In the radiusd.conf there is documentation on how to use checkval to compare against caller-id. That's exactly what I want to do, but I can't figure out how to *use* it.
Let's say I have 2 groups: students and faculty.
I want to authorize authenticated members of the LDAP group cn=students,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:StudentWLAN$/"
I want to authorize authenticated members of the LDAP group cn=faculty,ou=Groups IFF their Access-Request Called-Station-ID =~ "/:FacultyWLAN$/"
All my users are authenticated against LDAP. If the user enters the correct username/password (as accepted by LDAP), the user should be able to associate to the WLAN, but only to the WLAN he/she is allowed on. Students can connect to the StudentWLAN; Faculty can connect to the FacultyWLAN.
How would I configure the checkval module? Is it even necessary to use the checkval module? How would I configure the users file? Is the users file even necessary?
Just to show what I've got config'd at the moment... Using the config below, I am able to successfully allow users to join the WLAN using WPA and EAP-PEAP from Windows XP SP2. But again, the user should not be able to join just any ol' LAN.
If anyone has any experience with using checkval or doing caller-id type activities, I'd love to read how you did it!
P.S. I don't know who to direct compliments to, but the FreeRADIUS code is probably the most beautifully structured source code I have ever read. It is SO easy to read and extremely consistent! It's phenomenal! And no, I can't answer my question myself just cuz I read the code... ;) But it's helped me to get this far!!
authorize {
        # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
        preprocess
        eap
        files
        ldap
        checkval
}

authenticate {
        # for WinXP, 802.1x, EAP-PEAP, MS-CHAPv2
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

modules {
        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                with_ntdomain_hack = no
        }
        ldap {
                <snip>
        }
        eap {
                default_eap_type = peap
                timer_expire = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                md5 {
                }
                tls {
                        # server key and certificate live in the same PEM file
                        private_key_password = <snip>
                        private_key_file = /etc/1x/server.pem
                        certificate_file = /etc/1x/server.pem
                        CA_file = /etc/1x/root.pem
                        dh_file = /etc/1x/DH
                        random_file = /etc/1x/random
                        include_length = yes
                }
                peap {
                        # inner method carried inside the PEAP tunnel
                        default_eap_type = mschapv2
                }
                mschapv2 {
                }
        }
}
I have NOTHING in users at this moment.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
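One way to express the per-group SSID policy described in the post, as an added example that is not the poster's config and not part of the FreeRADIUS distribution. It assumes the access points send Called-Station-Id in the common "<AP-MAC>:<SSID>" form (hence the anchored suffix match), that the ldap module is configured with group lookup so the Ldap-Group check item resolves the DNs used below (the group value you compare against depends on the ldap module's group settings, so the DN form is an assumption here), and that the tunnelled MS-CHAPv2 request inside PEAP can see Called-Station-Id. The users file does the matching itself, so checkval is not needed for this case: checkval is for comparing a per-user check item stored in the user's own database record (a stored Calling-Station-Id, for example) against the request, whereas this policy is per group and per SSID.

```conf
# /etc/raddb/users  (added example; values for this site are assumptions)
#
# The users file is processed top to bottom.  With no Fall-Through, the
# first DEFAULT entry whose check items all match wins and processing
# stops, so order these from most specific to least specific.
#
# Regexes in the users file are written without surrounding slashes.

# Students may authenticate only when the SSID suffix is StudentWLAN.
DEFAULT Ldap-Group == "cn=students,ou=Groups", Called-Station-Id =~ ":StudentWLAN$"

# Faculty may authenticate only when the SSID suffix is FacultyWLAN.
DEFAULT Ldap-Group == "cn=faculty,ou=Groups", Called-Station-Id =~ ":FacultyWLAN$"

# Anything that reaches this point is a user on the wrong WLAN for their
# group (or in neither group): refuse it before authentication runs.
DEFAULT Auth-Type := Reject
        Reply-Message = "You are not allowed on this WLAN"
```

Two checks before relying on this. Run the server with `radiusd -X` and confirm, in the debug output for a real PEAP login, which users entry matched for the inner request and that Called-Station-Id is actually present there; if the inner request does not carry it, the SSID check has to be done in the outer request instead. Also look at the raw Called-Station-Id your APs send: if a vendor sends only the MAC and no ":SSID" suffix, both group entries fail to match and the final DEFAULT rejects everyone, so the policy fails closed rather than open, but it fails.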