Re: Question about Freeradius for mobile device authentication
Alan,

Thanks for your reply and sorry for my sluggishness in getting back to you with more info...

Alan DeKok [EMAIL PROTECTED] wrote:
> Yes. The server allows you nearly unlimited control over what to
> look for, and what to do when it finds data of interest.

That is good to know :)

> Your description is useful, but still a little vague. You describe
> what you want, but not how the data is seen by the RADIUS server
> (i.e. attributes).

Ok.. let's give this another shot.. the setup I'm building is to authenticate/authorize and account mobile users. The user will specify his username (User-Name), his password (User-Password) and the NAS is also configured to send the MS-ISDN to the radius server which I'm told is sent using Calling-Station-ID.

Now the way I want this to work is that as soon as a request comes in from the NAS the radius server will check Calling-Station-ID against a list of known values and if no match is found it denies the request. If a match is found it will go on to check for a valid username and password combination. If none is found it should reject the session. If a match is found it should reply with the proper attributes.

In an ideal situation I'd like to use realms and bind a group of known Calling-Station-ID's to a specific realm. If this is not possible then a generic list of Calling-Station-ID's for all users will also work but is the less preferred solution.

So if I go thru the steps I get..

1. Check realm
   a) no realm - reject
   b) realm found go to 2
2. Check Calling-Station-ID
   a) no match found for this realm - reject
   b) match - go to 3
3. Check user+pass
   a) no match - reject
   b) match - return attribs for user

So in this situation:

realm test1:
- known cli's ,1112,1113
- known users [EMAIL PROTECTED] w/ pass moo

realm test2:
- known cli's ,2223,2224
- known users [EMAIL PROTECTED] w/ pass bla

If [EMAIL PROTECTED] tries to login with pass of moo coming from cli -1113 he is allowed - any other cli will not be allowed.

I saw the rlm_checkval module.. is this what I would use for this? A sample configuration and users file entry would be really appreciated.

I hope this helps to clarify the issue,

Thanks,

- Jasper

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
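The three-step check described in the message above, modelled in Python as an added example; it is not code from the thread and not FreeRADIUS configuration. The usernames `alice` and `bob`, the `Session-Timeout` reply value and the `authorize` helper are constructed for illustration.

```python
import hmac

# Constructed policy table (assumption): each realm binds its own list of
# allowed Calling-Station-Id values and its own users with reply attributes.
REALMS = {
    "test1": {"clis": {"1112", "1113"},
              "users": {"alice": ("moo", {"Session-Timeout": 3600})}},
    "test2": {"clis": {"2223", "2224"},
              "users": {"bob": ("bla", {"Session-Timeout": 3600})}},
}


def authorize(request):
    """Return ("Access-Accept", reply_attrs) or ("Access-Reject", log_reason).

    The reason string is for the server log only; the client sees the same
    reject whichever step failed.
    """
    # Step 1: the realm is the part after the last "@" in User-Name.
    user, sep, realm = request.get("User-Name", "").rpartition("@")
    policy = REALMS.get(realm) if sep else None
    if policy is None:
        return "Access-Reject", "step 1: no known realm"

    # Step 2: the MSISDN must be on the allow list bound to *this* realm.
    if request.get("Calling-Station-Id", "") not in policy["clis"]:
        return "Access-Reject", "step 2: Calling-Station-Id not allowed for realm"

    # Step 3: user and password. The comparison runs even for an unknown user
    # so response time does not reveal which usernames exist.
    entry = policy["users"].get(user)
    stored = entry[0] if entry else ""
    password_ok = hmac.compare_digest(
        request.get("User-Password", "").encode(), stored.encode())
    if entry is None or not password_ok:
        return "Access-Reject", "step 3: bad user or password"
    return "Access-Accept", dict(entry[1])


if __name__ == "__main__":
    print(authorize({"User-Name": "alice@test1", "User-Password": "moo",
                     "Calling-Station-Id": "1113"}))
    print(authorize({"User-Name": "alice@test1", "User-Password": "moo",
                     "Calling-Station-Id": "2223"}))
```
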
Re: Question about Freeradius for mobile device authentication
Jasper Jans <[EMAIL PROTECTED]> wrote:
> My question is - can this authentication be done in different ways
> for different groups of users.

Yes. The server allows you nearly unlimited control over what to look for, and what to do when it finds data of interest.

> If someone could be so kind as to maybe give an example of how to do
> this it would be greatly appreciated.

Your description is useful, but still a little vague. You describe what you want, but not how the data is seen by the RADIUS server (i.e. attributes).

Alan DeKok.
Re: Question about Freeradius for mobile device authentication
Well, I can tell you what/how we do this here.

We have a wireless setup. I have 5 pops around town. We use Mikrotik 532s or 512s or Defactowireless Wrap2 boards. We use Freeradius with MySql.

The routers allow 6 different ways to authenticate: with in-board Radius or remote, MAC address, PAP or CHAP, or by cookie and a couple others. We use remote radius/MAC/Chap/Cookie, it will look at all four one right after the other.

We set up the IPs of the routers around town to be allowed to send requests to the radius box. Anyone that connects to the service that is not pre-programmed in the router is prompted by redirect to a login page. This authenticates with our radius box.

We have several construction people that have wireless bridges in their trucks and when they get to a site, plug in/log in and surf.

Jasper Jans wrote:
> Hi,
>
> I've been asked to setup a platform for mobile device authentication. I'm looking into setting up Freeradius with a MySQL backend for this. The request that has been made is to verify users on three items:
>
> - msisdn
> - username
> - password
>
> My question is - can this authentication be done in different ways for different groups of users. Say group A wants the unique combination of msisdn, username, password to grant them access - however group B wants a pool of msisdns that are valid for all of their username + password combinations.
>
> If someone could be so kind as to maybe give an example of how to do this it would be greatly appreciated.
>
> Thanks,
>
> - Jasper