Re: Question about Freeradius for mobile device authentication

2005-08-05 Thread Jasper Jans
Alan,

Thanks for your reply and sorry for my sluggishness in getting
back to you with more info...

Alan DeKok [EMAIL PROTECTED] wrote:
 
> Yes.  The server allows you nearly unlimited control over what to
> look for, and what to do when it finds data of interest.

That is good to know :)
 
> Your description is useful, but still a little vague.  You describe
> what you want, but not how the data is seen by the RADIUS server
> (i.e. attributes).

Ok.. let's give this another shot.. the setup I'm building is to
authenticate/authorize and account mobile users.
The user will specify his username (User-Name), his password
(User-Password) and the NAS is also configured to send the
MS-ISDN to the radius server which I'm told is sent using
Calling-Station-ID.

Now the way I want this to work is that as soon as a request comes
in from the NAS the radius server will check Calling-Station-ID
against a list of known values and if no match is found it denies
the request.

If a match is found it will go on to check for a valid username
and password combination. If none is found it should reject the
session. If a match is found it should reply with the proper
attributes.

In an ideal situation I'd like to use realms and bind a group of
known Calling-Station-IDs to a specific realm. If this is not possible
then a generic list of Calling-Station-IDs for all users will also
work but is the less preferred solution.

So if I go through the steps I get..

1. Check realm
a) no realm - reject
b) realm found go to 2

2. Check Calling-Station-ID
a) no match found for this realm - reject
b) match - go to 3

3. Check user+pass
a) no match - reject
b) match - return attribs for user

So in this situation:

realm test1:
- known cli's ,1112,1113
- known users [EMAIL PROTECTED] w/ pass moo

realm test2:
- known cli's ,2223,2224
- known users [EMAIL PROTECTED] w/ pass bla

If [EMAIL PROTECTED] tries to login with pass of moo coming from cli -1113
he is allowed - any other cli will not be allowed.

I saw the rlm_checkval module.. is this what I would use for this?

A sample configuration and users file entry would be really appreciated.

I hope this helps to clarify the issue,


Thanks,

 - Jasper

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
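
The three-step order described in the message above (realm, then Calling-Station-ID for that realm, then username and password), modelled as an added example that is not part of the thread and is not FreeRADIUS configuration. The realm names and the passwords come from the post; the MSISDNs, user names and reply attribute are constructed.

```python
import hmac

# Constructed sample policy. Realm names and passwords follow the post; the
# MSISDNs, user names and reply attribute are made up for this example.
# Cleartext passwords appear here only because the post lists them that way.
REALMS = {
    "test1": {
        "cli": {"31600000001", "31600000002"},
        "users": {"alice": "moo"},
        "reply": {"Framed-Protocol": "PPP"},
    },
    "test2": {
        "cli": {"31600000011", "31600000012"},
        "users": {"bob": "bla"},
        "reply": {"Framed-Protocol": "PPP"},
    },
}


def decide(request):
    """Return (code, reply_attributes, reason) for a dict of RADIUS attributes.

    The reason is meant for the server log, not for the reply to the NAS.
    """
    user, sep, realm = request.get("User-Name", "").rpartition("@")

    # Step 1: no realm, an empty user part, or an unknown realm is rejected.
    policy = REALMS.get(realm) if sep and user else None
    if policy is None:
        return ("Access-Reject", {}, "unknown or missing realm")

    # Step 2: the MSISDN must be on this realm's own list. A value that is
    # valid for another realm, or a missing attribute, is rejected.
    if request.get("Calling-Station-Id") not in policy["cli"]:
        return ("Access-Reject", {}, "calling station not allowed for realm")

    # Step 3: unknown user and wrong password fail with the same result, and
    # the password comparison runs in constant time.
    expected = policy["users"].get(user)
    supplied = request.get("User-Password", "")
    if expected is None or not hmac.compare_digest(
        expected.encode(), supplied.encode()
    ):
        return ("Access-Reject", {}, "bad username or password")

    return ("Access-Accept", dict(policy["reply"]), "ok")
```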


Question about Freeradius for mobile device authentication

2005-07-07 Thread Jasper Jans
Hi,

I've been asked to set up a platform for mobile device authentication.
I'm looking into setting up Freeradius with a MySQL backend for this.
The request that has been made is to verify users on three items:
 - msisdn
 - username
 - password

My question is - can this authentication be done in different ways
for different groups of users. Say group A wants the unique combination
of msisdn, username, password to grant them access - however group
B wants a pool of msisdns that are valid for all of their username +
password combinations.

If someone could be so kind as to maybe give an example of how to do
this it would be greatly appreciated.

Thanks,

 - Jasper



Re: Question about Freeradius for mobile device authentication

2005-07-07 Thread Alan DeKok
Jasper Jans [EMAIL PROTECTED] wrote:
> My question is - can this authentication be done in different ways
> for different groups of users.

  Yes.  The server allows you nearly unlimited control over what to
look for, and what to do when it finds data of interest.

> If someone could be so kind as to maybe give an example of how to do
> this it would be greatly appreciated.

  Your description is useful, but still a little vague.  You describe
what you want, but not how the data is seen by the RADIUS server
(i.e. attributes).

  Alan DeKok.
