<div>clients.conf:</div>
<div><br># -*- text -*-<br>##<br>## clients.conf -- client configuration directives<br>##<br>## $Id$</div>
<div>#######################################################################<br>#<br># Define RADIUS clients (usually a NAS, Access Point, etc.).</div>
<div>#<br># Defines a RADIUS client.<br>#<br># '127.0.0.1' is another name for 'localhost'. It is enabled by default,<br># to allow testing of the server after an initial installation. If you<br># are not going to be permitting RADIUS queries from localhost, we suggest<br>
# that you delete, or comment out, this entry.<br>#<br>#</div>
<div>#<br># Each client has a "short name" that is used to distinguish it from<br># other clients.<br>#<br># In version 1.x, the string after the word "client" was the IP<br># address of the client. In 2.0, the IP address is configured via<br>
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x<br># format is still accepted.<br>#<br>client GW-RADIUS {<br> # Allowed values are:<br> # dotted quad (1.2.3.4)<br>
# hostname (radius.example.com)<br> ipaddr = 172.30.3.121</div>
<div> # OR, you can use an IPv6 address, but not both<br> # at the same time.<br># ipv6addr = :: # any. ::1 == localhost<br></div>
<div> #<br> # A note on DNS: We STRONGLY recommend using IP addresses<br> # rather than host names. Using host names means that the<br> # server will do DNS lookups when it starts, making it<br>
# dependent on DNS. i.e. If anything goes wrong with DNS,<br> # the server won't start!<br> #<br> # The server also looks up the IP address from DNS once, and<br> # only once, when it starts. If the DNS record is later<br>
# updated, the server WILL NOT see that update.<br> #</div>
<div> # One client definition can be applied to an entire network.<br> # e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and<br> # "netmask = 8"<br> #<br> # If not specified, the default netmask is 32 (i.e. /32)<br>
#<br> # We do NOT recommend using anything other than 32. There<br> # are usually other, better ways to achieve the same goal.<br> # Using netmasks of other than 32 can cause security issues.<br>
#<br> # You can specify overlapping networks (127/8 and 127.0/16)<br> # In that case, the smallest possible network will be used<br> # as the "best match" for the client.<br> #<br>
# Clients can also be defined dynamically at run time, based<br> # on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,<br> # etc.<br> # See raddb/sites-available/dynamic-clients for details.<br>
#</div>
<div># netmask = 32</div>
<div> #<br> # The shared secret used to "encrypt" and "sign" packets between<br> # the NAS and FreeRADIUS. You MUST change this secret from the<br> # default, otherwise it's not a secret any more!<br>
#<br> # The secret can be any string, up to 8k characters in length.<br> #<br> # Control codes can be entered via octal encoding,<br> # e.g. "\101\102" == "AB"<br>
# Quotation marks can be entered by escaping them,<br> # e.g. "foo\"bar"<br> #<br> # A note on security: The security of the RADIUS protocol<br> # depends COMPLETELY on this secret! We recommend using a<br>
# shared secret that is composed of:<br> #<br> # upper case letters<br> # lower case letters<br> # numbers<br> #<br> # And is at LEAST 8 characters long, preferably 16 characters in<br>
# length. The secret MUST be random, and should not be words,<br> # phrase, or anything else that is recognizable.<br> #<br> # The default secret below is only for testing, and should<br> # not be used in any real environment.<br>
#<br> secret = xxxxx</div>
<div> #<br> # Old-style clients do not send a Message-Authenticator<br> # in an Access-Request. RFC 5080 suggests that all clients<br> # SHOULD include it in an Access-Request. The configuration<br>
# item below allows the server to require it. If a client<br> # is required to include a Message-Authenticator and it does<br> # not, then the packet will be silently discarded.<br> #<br> # allowed values: yes, no<br>
require_message_authenticator = no<br> #<br> # The short name is used as an alias for the fully qualified<br> # domain name, or the IP address.<br> #<br> # It is accepted for compatibility with 1.x, but it is no<br>
# longer necessary in 2.0<br> #<br> shortname = GW-RADIUS</div>
<div> #<br> # the following three fields are optional, but may be used by<br> # checkrad.pl for simultaneous use checks<br> #</div>
<div> #<br> # The nastype tells 'checkrad.pl' which NAS-specific method to<br> # use to query the NAS for simultaneous use.<br> #<br> # Permitted NAS types are:<br> #<br>
# cisco<br> # computone<br> # livingston<br> # max40xx<br> # multitech<br> # netserver<br> # pathras<br> # patton<br>
# portslave<br> # tc<br> # usrhiper<br> # other # for all other types</div>
<div> #<br> nastype = cisco # localhost isn't usually a NAS...</div>
<div>}</div>
<div># IPv6 Client<br>#client ::1 {<br># secret = testing123<br># shortname = localhost<br>#}<br>#<br># All IPv6 Site-local clients<br>#client fe80::/16 {<br># secret = testing123<br>
# shortname = localhost<br>#}</div>
<div>#client some.host.org {<br># secret = testing123<br># shortname = localhost<br>#}</div>
<div>#<br># You can now specify one secret for a network of clients.<br># When a client request comes in, the BEST match is chosen.<br># i.e. The entry from the smallest possible network.<br>
#<br>#client 192.168.0.0/24 {<br># secret = testing123-1<br># shortname = private-network-1<br>#}<br>#<br>#client 192.168.0.0/16 {<br>
# secret = testing123-2<br># shortname = private-network-2<br>#}</div>
<div><br>client 172.30.2.14 {<br> ipaddr = 172.30.2.14<br># # secret and password are mapped through the "secrets" file.<br> secret = xxxxx<br> shortname = VPN-test<br># # the following three fields are optional, but may be used by<br>
# # checkrad.pl for simultaneous usage checks<br> nastype = cisco<br># login = !root<br># password = someadminpas<br>}</div>
<div>Client RADIUS {<br> ipaddr = 172.30.1.10<br># # secret and password are mapped through the "secrets" file.<br> secret = xxxxxx<br> shortname = RADIUS<br># # the following three fields are optional, but may be used by<br>
# # checkrad.pl for simultaneous usage checks<br> nastype = cisco<br># login = !root<br># password = someadminpas<br>}<br>#######################################################################<br>
#<br># Per-socket client lists. The configuration entries are exactly<br># the same as above, but they are nested inside of a section.<br>#<br># You can have as many per-socket client lists as you have "listen"<br>
# sections, or you can re-use a list among multiple "listen" sections.<br>#<br># Un-comment this section, and edit a "listen" section to add:<br># "clients = per_socket_clients". That IP address/port combination<br>
# will then accept ONLY the clients listed in this section.<br>#<br>#clients per_socket_clients {<br># client 192.168.3.4 {<br># secret = testing123<br># }<br>#}<br>#client 172.30.153.20 {<br># ipaddr = 172.30.153.20<br>
# secret = xxxx<br># nastype = cisco<br>#}</div>
<div> </div>
<div>The output of the debug is the same I've sent. Thank you for your help<br><br><br></div>
<div class="gmail_quote">2009/3/24 <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Post the debug *and* clients.conf. Mask the passwords this time.<br>
<div class="im"><br>Ivan Kalik<br>Kalik Informatika ISP<br><br><br></div>
<div class="im">On 24/3/2009, "David N'DAKPAZE" <<a href="mailto:lndakpaze@gmail.com">lndakpaze@gmail.com</a>> wrote:<br><br></div>
<div>
<div class="h5">>Excuse me, I know that it is that clients.conf the server is using because<br>>when I modify a client which appears in the debug output the server<br>>considers these changes and the debug output isn't the same<br>
><br>>2009/3/24 <<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>><br>><br>>> >I've added other clients in the client .conf but when I debug the server<br>>> they<br>>> >don't appear in the output of radiusd -X. I don't know why.<br>
>> ><br>>><br>>> Because that is not the file server is using. Read the debug - it lists<br>>> which clients.conf file server is reading. Edit that one.<br>>><br>>> Ivan Kalik<br>>> Kalik Informatika ISP<br>
>><br>>> -<br>>> List info/subscribe/unsubscribe? See<br>>> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>>><br>><br>
><br><br></div></div></blockquote></div><br>
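<div>An added example, not from the thread or the FreeRADIUS project: Python that reads client sections in the syntax shown above, applies the checks the file's comments recommend (secret length and character mix, netmask, Message-Authenticator) and resolves the "best match" for overlapping networks. The function names and sample values are hypothetical; it assumes IPv4 literals and treats a missing require_message_authenticator as not required.</div>

```python
import ipaddress
import re
SAMPLE = """# constructed sample in clients.conf syntax, not the poster's file
client 192.168.0.0/24 {
    secret = testing123-1
}
client 192.168.0.0/16 {
    secret = testing123-2
}
client GW {
    ipaddr = 172.30.3.121
    secret = Zq7RkT2mXw9LbN4c
    require_message_authenticator = yes
}
#client 10.0.0.1 {
#    secret = ignored
#}
"""
BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
ITEM = re.compile(r"^\s*(\w+)\s*=\s*([^\s#]+)", re.M)

def parse_clients(text):
    """Yield one dict per uncommented client section (assumes IPv4 literals)."""
    for name, body in BLOCK.findall(text):
        conf = dict(ITEM.findall(body))
        addr = conf.get("ipaddr", name)      # 1.x style: address is the name
        if "/" not in addr:
            addr += "/" + conf.get("netmask", "32")
        conf.update(name=name, net=ipaddress.ip_network(addr, strict=False))
        yield conf

def best_match(clients, src):
    """Smallest network containing src wins, as the file's comments say."""
    ip = ipaddress.ip_address(src)
    hits = [c for c in clients if ip in c["net"]]
    return max(hits, key=lambda c: c["net"].prefixlen, default=None)

def audit(c):
    """Findings per the comments' guidance; absent option counts as 'no' (assumption)."""
    s = c.get("secret", "")
    mixed = all(re.search(p, s) for p in ("[a-z]", "[A-Z]", "[0-9]"))
    checks = [
        (len(s) < 16, "secret shorter than 16 characters"),
        (s.startswith("testing123"), "test secret"),
        (not mixed, "secret lacks upper/lower/digit mix"),
        (c["net"].prefixlen != 32, "netmask other than 32"),
        (c.get("require_message_authenticator") != "yes", "Message-Authenticator not required"),
    ]
    return [msg for bad, msg in checks if bad]
```

<div>Call list(parse_clients(text)) on the file named in the radiusd -X output, then audit() each entry and best_match() a NAS source address to see which section, and so which secret, would apply to it.</div>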