the newbie on radiustesting strikes again

Si St sigbj-st at operamail.com
Fri Apr 18 20:46:43 CEST 2008


WILL THE DEFAULT ROUTER FIREWALL CONFIGURATION BELOW WORK WITH THE RADIUS?
Below you have the default setup of my router's firewall section. I have not changed anything there yet. Could the router firewall stay as it is? I have been looking through the SuSE firewall settings in YaST too, and cannot find anything that should interfere there. I would also expect an installation of radius to harmonize with SuSEfirewall2 through /sbin/SuSEconfig anyhow.

DOES THE ROUTER EAP CONFIGURATION BELOW LOOK RIGHT?
Further, below you also have a proposal of how I would set up the radius section of that router. The main thing here is to try to show whether I really know what I am doing. The Shared Secret and user passwords are chosen in accordance with my understanding of Alan DeKok's answers to my first mails; I am here thinking of identity/password in YaST and secret in the router configs.

ANY FIRST-THOUGHT COMMENT ON MY clients.conf AND users?
I have tested out the changes I have made to /etc/raddb/users and clients.conf, starting debug mode with radiusd -X, in accordance with Buxey's recommendations for proceeding further into the Inner Circle of Radius. No errors or warnings, "Ready to process requests". (The only one I had was forgetting a comma before the Reply-Message line. And I deliberately commented out certain values to test out the messages of the radius debug.) As to the recent back-and-forth on the mailing list about the file and directory permissions in /etc/raddb/certs and demoCA, I chose to stay with Hood's proposal, leaving the files at 640 as they were and changing the seemingly bad and wrong permissions of certs/ and demoCA/ from 640 to 750.

The next job is to work out the certificates, but here I have really good help from the material in /usr/share/doc/packages/freeradius/CA.certs, and I have already studied and tried out this part.

/* But first - if you may - take a look at the matter below. By the way, it is Friday evening, at least in Norway, and you may make yourselves a good sharp drink to have that burning sensation while exploring a newbie's crap, with "failed", "errors", "really bad code, how is it possible to scribble so much sh..", "God, do you really need to fill up our servers with so much unnecessary writing", and so on. But don't spill the booze on your keyboards, especially if you have those laptops; it is a hell of a job to unscrew it, dry it up, and finally realize that those plastic screw holes do not fit so tightly anymore.
- Thanks, people, so far! */

----------------------------------------
ROUTER FIREWALL SETTINGS
----------------------------------------
 Enable SPI : YES

 NAT ENDPOINT FILTERING
  UDP Endpoint Filtering
   Endpoint Independent: NO
   Address Restricted: YES
   Port And Address Restricted:NO

  TCP Endpoint Filtering
   Endpoint Independent
   Address Restricted: NO
   Port And Address Restricted: YES

----------------------------------------
Radius configuration on the router
EAP (802.1x)
----------------------------------------
Authentication Timeout : 60 (minutes)
RADIUS server IP Address : 192.168.0.198
RADIUS server Port : 1812
RADIUS server Shared Secret : testing123
MAC Address Authentication : YES

-------------------------------------------------
SuSE YaST setup for EAP-TLS
-------------------------------------------------
machine/PC IP-address 192.168.0.198
Identity: sigbj
Password: testing-0
Client certificate: (file address on this machine)
Server certificate: (file address on this machine)
-------------------------------------------------
machine/PC IP-address 192.168.0.196
Identity: elise
Password: testing-2
Client certificate: (file address on this machine)
Server certificate: (file address on this machine)
-------------------------------------------------
(next machine, but only WinOS: we have to do PEAP)
========================================
/etc/raddb/clients.conf
--------------------------------------------
# A "client" in this file is a device that sends Access-Requests to the
# server, i.e. the router acting as NAS for 802.1X, not the supplicant PCs.
# The PCs never speak RADIUS themselves; their EAP frames are relayed by
# the router.  The entry that matters is therefore one for the router's
# own LAN address (not given here), with the same secret that is entered
# on the router as "RADIUS server Shared Secret".  The four PC entries
# below only match if a PC runs radtest/radclient against the server
# directly.
#
# "testing123" is the sample secret from the shipped clients.conf; use a
# long random secret, identical on both ends, before relying on this.
client 192.168.0.198 {
        secret          = testing123
        shortname       = asus-TL
        nastype         = other
# SuSE 10.0_EAP-TLS; (WinXP_PEAP) -laptop; also the machine running radiusd
}

client 192.168.0.197 {
        secret          = testing123
        shortname       = hp-TL
        nastype         = other
# WinVista_PEAP -laptop
}

client 192.168.0.196 {
        secret          = testing123
        shortname       = loft-TL
        nastype         = other
# SLED SP1_EAP-TLS; WinXP_PEAP -workstation
}

client 192.168.0.195 {
        secret          = testing123
        shortname       = acer-TL
        nastype         = other
# WinXP_PEAP -laptop
}
=================================================================
/etc/raddb/users
-----------------------------------------------------------------
# Format (rlm_files): check items on the entry's first line, reply items
# on the indented lines below it, every reply item except the last
# followed by a comma.
#
# Changes from the posted version:
#  - "Auth-Type := Local" removed.  Forcing Auth-Type stops rlm_eap from
#    setting Auth-Type = EAP ("Auth-Type already set. Not setting to EAP"),
#    so no EAP-TLS or PEAP request could ever succeed with it in place.
#  - "User-Password == ..." (deprecated as a check item) replaced by
#    Cleartext-Password := "...".  PEAP/MSCHAPv2 needs a known-good
#    cleartext (or NT-hashed) password to compute the MS-CHAP response;
#    EAP-TLS ignores the password entirely, the client certificate is the
#    credential.  Older 1.x releases used User-Password == "..." with no
#    Auth-Type instead.
#  - Van-Jacobsen -> Van-Jacobson, the value name in the RADIUS dictionary.
# The Framed-* lines are copied from the dial-up PPP sample entry; an
# 802.1X router ignores them and they can be dropped.
sigbj   Cleartext-Password := "testing-0"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.198,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Reply-Message = "Welcome to The Inner Circle, %u"

andr    Cleartext-Password := "testing-1"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.197,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Reply-Message = "Welcome to The Inner Circle, %u"

elise   Cleartext-Password := "testing-2"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.196,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Reply-Message = "Welcome to The Inner Circle, %u"

ingv    Cleartext-Password := "testing-3"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 192.168.0.195,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = Broadcast-Listen,
        Framed-Filter-Id = "std.ppp",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Reply-Message = "Welcome to The Inner Circle, %u"

---------------------------------------------------------------


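Editor's added example, not code from the original post or from FreeRADIUS, to make the secret-versus-password distinction in the post concrete. It builds the RFC 2865 Access-Request a NAS sends for a PAP login with the post's user name, password and shared secret, hides the password the way the RFC prescribes, and then verifies a constructed Access-Accept's Response Authenticator the way the router must before trusting it. The NAS address 192.168.0.1 and the packet identifier 7 are assumptions; the post does not give the router's LAN address. With EAP the credential travels inside EAP-Message rather than User-Password, but the shared secret still authenticates every reply in exactly this way.

```python
"""RFC 2865 Access-Request / Access-Accept handling seen from the NAS side.

Added example; not code from the original post or from FreeRADIUS.  User
name, password and shared secret are the values from the post.  The NAS
address 192.168.0.1 and the packet identifier are ASSUMPTIONS.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE = 1, 2, 4, 18


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a multiple of 16, XOR the first block
    with MD5(secret + Request Authenticator) and each later block with
    MD5(secret + previous ciphertext block).  The secret never goes on the
    wire; a mismatched secret yields garbage on the server, not an error."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform (what rlm_pap does before comparing
    against Cleartext-Password)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(packet: bytes) -> list:
    """Walk the TLVs after the 20-byte header, rejecting truncated ones."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_access_request(identifier, user, password, secret, nas_ip, authenticator=None):
    """What the router sends for a PAP login.  The 16-byte Request
    Authenticator must be unpredictable: it seeds the password hiding."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_access_accept(identifier, request_authenticator, secret, reply_message):
    """Server-side reply; the Reply-Message reply item from 'users' on the wire."""
    attrs = attribute(REPLY_MESSAGE, reply_message.encode())
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_authenticator, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(response, request_authenticator, secret):
    """NAS-side check.  A reply whose authenticator does not match is dropped
    silently, which is what a secret mismatch looks like from the router."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20])


def demo():
    secret = b"testing123"
    request = build_access_request(7, "sigbj", "testing-0", secret, "192.168.0.1")
    req_auth = request[4:20]
    accept = build_access_accept(7, req_auth, secret, "Welcome to The Inner Circle, sigbj")
    return {
        "request_len": len(request),
        "accept_ok": verify_response(accept, req_auth, secret),
        "accept_with_wrong_secret_ok": verify_response(accept, req_auth, b"wrong-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the poster's setup: the shared secret is a per-NAS key that both the router and clients.conf must hold, while the per-user password lives only in the users file and in the supplicant; when they are confused, the symptom is not a clean "wrong password" but a decoded garbage password on the server and replies the router silently ignores.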
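A second added example (editor's, not from the post or from FreeRADIUS) for the users-file questions. It parses the rlm_files format the way the post describes it, an unindented line with the entry name and check items and indented continuation lines with reply items, and reports the three things worth catching before radiusd -X does: a reply item without its trailing comma (the error the poster hit), a forced Auth-Type, which stops rlm_eap from setting Auth-Type = EAP, and User-Password used as a check item instead of Cleartext-Password. SAMPLE is constructed for the example from the first posted entry plus a corrected one.

```python
"""Lint a FreeRADIUS 'users' (rlm_files) file for an 802.1X/EAP setup.

Added example; not code from the original post or from FreeRADIUS.
SAMPLE is constructed: the 'sigbj' entry as posted (with one comma
dropped), the 'elise' entry as it should look for PEAP.
"""
import re

OPS = r"(:=|==|!=|\+=|>=|<=|=~|!~|>|<|=)"
ITEM_RE = re.compile(r"^\s*([\w-]+)\s*" + OPS + r"\s*(.+?)\s*$")


def strip_comment(line: str) -> str:
    """Drop a '#' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).rstrip()


def split_items(text: str) -> list:
    """Split 'a := 1, b == "x,y"' on the commas that are outside quotes."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        items.append(tail)
    return items


def parse_users(text: str) -> list:
    """Return [{'name': ..., 'check': [item, ...], 'reply': [line, ...]}, ...].
    A line starting in column 1 opens an entry; indented lines continue it."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue  # blank and comment-only lines carry nothing
        if raw[0] not in " \t":
            if cur is not None:
                entries.append(cur)
            parts = line.split(None, 1)
            cur = {"name": parts[0],
                   "check": split_items(parts[1]) if len(parts) > 1 else [],
                   "reply": []}
        else:
            if cur is None:
                raise ValueError("indented line before any entry: %r" % raw)
            cur["reply"].append(line.strip())
    if cur is not None:
        entries.append(cur)
    return entries


def lint_users(text: str) -> list:
    """Return (entry name, problem) tuples; an empty list means nothing found."""
    findings = []
    for entry in parse_users(text):
        name = entry["name"]
        for item in entry["check"]:
            m = ITEM_RE.match(item)
            if not m:
                findings.append((name, "unparseable check item: %r" % item))
                continue
            attr, op, value = m.groups()
            if attr == "Auth-Type":
                findings.append((name, "Auth-Type %s %s forces the authentication method; rlm_eap "
                                       "then refuses to set Auth-Type = EAP, so EAP-TLS/PEAP cannot "
                                       "work for this entry" % (op, value)))
            elif attr == "User-Password":
                findings.append((name, "User-Password as a check item is deprecated; use "
                                       'Cleartext-Password := "..." (PEAP/MSCHAPv2 needs the '
                                       "cleartext or NT-hashed password)"))
        reply = entry["reply"]
        for i, line in enumerate(reply):
            last = i == len(reply) - 1
            if not last and not line.endswith(","):
                findings.append((name, "missing comma after reply item: %r" % line))
            if last and line.endswith(","):
                findings.append((name, "trailing comma after the last reply item: %r" % line))
            if not ITEM_RE.match(line.rstrip(",")):
                findings.append((name, "unparseable reply item: %r" % line))
    return findings


SAMPLE = '''\
# constructed sample: 'sigbj' as posted (one comma missing), 'elise' corrected
sigbj   Auth-Type := Local, User-Password == "testing-0"
        Service-Type = Framed-User,
        Framed-MTU = 1500
        Reply-Message = "Welcome to The Inner Circle, %u"

elise   Cleartext-Password := "testing-2"
        Reply-Message = "Welcome to The Inner Circle, %u"
'''

if __name__ == "__main__":
    for entry_name, problem in lint_users(SAMPLE):
        print("%s: %s" % (entry_name, problem))
```

Run it against the real /etc/raddb/users by reading the file into lint_users; it is a pre-flight check only, and radiusd -X remains the authority on what the server actually accepts.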