2009/12/11 nf-vale <nf-vale@critical-links.com>:
On Friday 11 December 2009 11:59:33 Fabiano Caixeta Duarte wrote:
Maybe I didn't make myself clear.
I don't have AD and don't wanna. I did set clients to use 802.1x
Maybe I should ask: how do I set clients? PEAP? MS-CHAPv2? MD5? But it would depend on what you'd answer about my first question.
Set XP clients to use 802.1x PEAP and don't forget to add your nas client (switch) to the clients.conf file in radius.
You should provide some more info about your current configuration (freeradius version, files modified by you, etc) and at least some debug (radiusd -X) from a client authentication request for people to understand were have you get so far.
Ok. Let's follow that path. The confs I touched: eap.conf: eap { default_eap_type = peap timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } } modules/ldap: ldap { server = "sti-teste.domain.br" identity = "cn=system,dc=domain,dc=br" password = secret basedn = "ou=Users,dc=domain,dc=br" base_filter = "(objectclass=radiusprofile)" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } access_attr = "radiusFilterId" dictionary_mapping = ${confdir}/ldap.attrmap authtype = ldap edir_account_policy_check = no } sites-enabled/inner-tunnel: server inner-tunnel { authorize { chap mschap unix suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files ldap expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix Auth-Type LDAP { ldap } eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } clients.conf: client angelina { ipaddr = 192.168.205.6 secret = testing123 } client tplink { ipaddr = 192.168.205.29 secret = testing123 } # radtest teste secret angelina 1812 testing123 Sending Access-Request of id 48 to 192.168.205.6 port 1812 User-Name = "teste" User-Password = "secret" NAS-IP-Address = 192.168.205.6 NAS-Port = 1812 rad_recv: Access-Accept packet from host 192.168.205.6 port 1812, id=48, length=64 Filter-Id = "Enterasys:version=1:policy=Enterprise User" -- Fabiano Caixeta Duarte Especialista em Redes de Computadores Linux User #195299 Ribeirão Preto - SP