ldap+freeradius

David N'DAKPAZE lndakpaze at gmail.com
Tue Mar 24 12:51:31 CET 2009


clients.conf:

# -*- text -*-
##
## clients.conf -- client configuration directives
##
##      $Id$
#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client GW-RADIUS {
        #  Allowed values are:
        #       dotted quad (1.2.3.4)
        #       hostname    (radius.example.com)
        ipaddr = 172.30.3.121
        #  OR, you can use an IPv6 address, but not both
        #  at the same time.
#       ipv6addr = ::   # any.  ::1 == localhost
 #
        #  A note on DNS:  We STRONGLY recommend using IP addresses
        #  rather than host names.  Using host names means that the
        #  server will do DNS lookups when it starts, making it
        #  dependent on DNS.  i.e. If anything goes wrong with DNS,
        #  the server won't start!
        #
        #  The server also looks up the IP address from DNS once, and
        #  only once, when it starts.  If the DNS record is later
        #  updated, the server WILL NOT see that update.
        #
        #  One client definition can be applied to an entire network.
        #  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
        #  "netmask = 8"
        #
        #  If not specified, the default netmask is 32 (i.e. /32)
        #
        #  We do NOT recommend using anything other than 32.  There
        #  are usually other, better ways to acheive the same goal.
        #  Using netmasks of other than 32 can cause security issues.
        #
        #  You can specify overlapping networks (127/8 and 127.0/16)
        #  In that case, the smallest possible network will be used
        #  as the "best match" for the client.
        #
        #  Clients can also be defined dynamically at run time, based
        #  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
        #  etc.
        #  See raddb/sites-available/dynamic-clients for details.
        #
#       netmask = 32
        #
        #  The shared secret use to "encrypt" and "sign" packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
 #  The shared secret use to "encrypt" and "sign" packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
        #  default, otherwise it's not a secret any more!
        #
        #  The secret can be any string, up to 8k characters in length.
        #
        #  Control codes can be entered vi octal encoding,
        #       e.g. "\101\102" == "AB"
        #  Quotation marks can be entered by escaping them,
        #       e.g. "foo\"bar"
        #
        #  A note on security:  The security of the RADIUS protocol
        #  depends COMPLETELY on this secret!  We recommend using a
        #  shared secret that is composed of:
        #
        #       upper case letters
        #       lower case letters
        #       numbers
        #
        #  And is at LEAST 8 characters long, preferably 16 characters in
        #  length.  The secret MUST be random, and should not be words,
        #  phrase, or anything else that is recognizable.
        #
        #  The default secret below is only for testing, and should
        #  not be used in any real environment.
        #
        secret          = xxxxx
        #
        #  Old-style clients do not send a Message-Authenticator
        #  in an Access-Request.  RFC 5080 suggests that all clients
        #  SHOULD include it in an Access-Request.  The configuration
        #  item below allows the server to require it.  If a client
        #  is required to include a Message-Authenticator and it does
        #  not, then the packet will be silently discarded.
        #
        #  allowed values: yes, no
        require_message_authenticator = no
 #
        #  The short name is used as an alias for the fully qualified
        #  domain name, or the IP address.
        #
        #  It is accepted for compatibility with 1.x, but it is no
        #  longer necessary in 2.0
        #
        shortname       = GW-RADIUS
        #
        # the following three fields are optional, but may be used by
        # checkrad.pl for simultaneous use checks
        #
        #
        # The nastype tells 'checkrad.pl' which NAS-specific method to
        #  use to query the NAS for simultaneous use.
        #
        #  Permitted NAS types are:
        #
        #       cisco
        #       computone
        #       livingston
        #       max40xx
        #       multitech
        #       netserver
        #       pathras
        #       patton
        #       portslave
        #       tc
        #       usrhiper
        #       other           # for all other types
        #
        nastype     = cisco     # localhost isn't usually a NAS...
}
# IPv6 Client
#client ::1 {
#       secret          = testing123
#       shortname       = localhost
#}
#
# All IPv/usr/local/var/log/radius/6 Site-local clients
#client fe80::/16 {
#       secret          = testing123
#       shortname       = localhost
#}
#client some.host.org {
#       secret          = testing123
#       shortname       = localhost
#}
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#       secret          = testing123-1
#       shortname       = private-network-1
#}
#
#client 192.168.0.0/16 {
#       secret          = testing123-2
#       shortname       = private-network-2
#}

client 172.30.2.14 {
        ipaddr      = 172.30.2.14
#       # secret and password are mapped through the "secrets" file.
        secret      = xxxxx
        shortname   = VPN-test
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
        nastype     = cisco
#       login       = !root
#       password    = someadminpas
}
Client RADIUS {
        ipaddr    = 172.30.1.10
#       # secret and password are mapped through the "secrets" file.
        secret    = xxxxxx
        shortname = RADIUS
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
        nastype   = cisco
#       login       = !root
#       password    = someadminpas
}
#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#       client 192.168.3.4 {
#               secret = testing123
#        }
#}
#client 172.30.153.20 {
#       ipaddr = 172.30.153.20
#       secret = xxxx
#       nastype = cisco
#}

The output of the debug is the same i've sent.Thank you for your help


2009/3/24 <tnt at kalik.net>

> Post the debug *and* clients.conf. Mask the passwords this time.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 24/3/2009, "David N'DAKPAZE" <lndakpaze at gmail.com> piše:
>
>  >Excuse me, i know that it is that clients.conf the server is using
> because
> >when i modify a client which appears in the debug output the server
> >considers this changes and te debug output isn't the same
> >
> >2009/3/24 <tnt at kalik.net>
> >
> >> >I've add other clients in the client .conf but when i debug the server
> >> they
> >> >don't appear in the output of radiusd -X. ii dont know why.
> >> >
> >>
> >> Because that is not the file server is using. Read the debug - it lists
> >> which clients.conf file server is reading. Edit that one.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20090324/b8783433/attachment.html>


More information about the Freeradius-Users mailing list