clients.conf:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
## $Id$
#######################################################################
#
# Define RADIUS clients (usually a NAS, Access Point, etc.).
#
# Defines a RADIUS client.
#
# '127.0.0.1' is another name for 'localhost'. It is enabled by default,
# to allow testing of the server after an initial installation. If you
# are not going to be permitting RADIUS queries from localhost, we suggest
# that you delete, or comment out, this entry.
#
#
#
# Each client has a "short name" that is used to distinguish it from
# other clients.
#
# In version 1.x, the string after the word "client" was the IP
# address of the client. In 2.0, the IP address is configured via
# the "ipaddr" or "ipv6addr" fields. For compatibility, the 1.x
# format is still accepted.
#
client GW-RADIUS {
# Allowed values are:
# dotted quad (1.2.3.4)
# hostname (
radius.example.com)
ipaddr = 172.30.3.121
# OR, you can use an IPv6 address, but not both
# at the same time.
# ipv6addr = :: # any. ::1 == localhost
#
# A note on DNS: We STRONGLY recommend using IP addresses
# rather than host names. Using host names means that the
# server will do DNS lookups when it starts, making it
# dependent on DNS. i.e. If anything goes wrong with DNS,
# the server won't start!
#
# The server also looks up the IP address from DNS once, and
# only once, when it starts. If the DNS record is later
# updated, the server WILL NOT see that update.
#
# One client definition can be applied to an entire network.
# e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
# "netmask = 8"
#
# If not specified, the default netmask is 32 (i.e. /32)
#
# We do NOT recommend using anything other than 32. There
# are usually other, better ways to acheive the same goal.
# Using netmasks of other than 32 can cause security issues.
#
# You can specify overlapping networks (127/8 and 127.0/16)
# In that case, the smallest possible network will be used
# as the "best match" for the client.
#
# Clients can also be defined dynamically at run time, based
# on any criteria. e.g. SQL lookups, keying off of NAS-Identifier,
# etc.
# See raddb/sites-available/dynamic-clients for details.
#
# netmask = 32
#
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# The shared secret use to "encrypt" and "sign" packets between
# the NAS and FreeRADIUS. You MUST change this secret from the
# default, otherwise it's not a secret any more!
#
# The secret can be any string, up to 8k characters in length.
#
# Control codes can be entered vi octal encoding,
# e.g. "\101\102" == "AB"
# Quotation marks can be entered by escaping them,
# e.g. "foo\"bar"
#
# A note on security: The security of the RADIUS protocol
# depends COMPLETELY on this secret! We recommend using a
# shared secret that is composed of:
#
# upper case letters
# lower case letters
# numbers
#
# And is at LEAST 8 characters long, preferably 16 characters in
# length. The secret MUST be random, and should not be words,
# phrase, or anything else that is recognizable.
#
# The default secret below is only for testing, and should
# not be used in any real environment.
#
secret = xxxxx
#
# Old-style clients do not send a Message-Authenticator
# in an Access-Request. RFC 5080 suggests that all clients
# SHOULD include it in an Access-Request. The configuration
# item below allows the server to require it. If a client
# is required to include a Message-Authenticator and it does
# not, then the packet will be silently discarded.
#
# allowed values: yes, no
require_message_authenticator = no
#
# The short name is used as an alias for the fully qualified
# domain name, or the IP address.
#
# It is accepted for compatibility with 1.x, but it is no
# longer necessary in 2.0
#
shortname = GW-RADIUS
#
# the following three fields are optional, but may be used by
# checkrad.pl for simultaneous use checks
#
#
# The nastype tells 'checkrad.pl' which NAS-specific method to
# use to query the NAS for simultaneous use.
#
# Permitted NAS types are:
#
# cisco
# computone
# livingston
# max40xx
# multitech
# netserver
# pathras
# patton
# portslave
# tc
# usrhiper
# other # for all other types
#
nastype = cisco # localhost isn't usually a NAS...
}
# IPv6 Client
#client ::1 {
# secret = testing123
# shortname = localhost
#}
#
# All IPv/usr/local/var/log/radius/6 Site-local clients
#client fe80::/16 {
# secret = testing123
# shortname = localhost
#}
#client
some.host.org {
# secret = testing123
# shortname = localhost
#}
#
# You can now specify one secret for a network of clients.
# When a client request comes in, the BEST match is chosen.
# When a client request comes in, the BEST match is chosen.
# i.e. The entry from the smallest possible network.
#
#client
192.168.0.0/24 {
# secret = testing123-1
# shortname = private-network-1
#}
#
#client
192.168.0.0/16 {
# secret = testing123-2
# shortname = private-network-2
#}
client 172.30.2.14 {
ipaddr = 172.30.2.14
# # secret and password are mapped through the "secrets" file.
secret = xxxxx
shortname = VPN-test
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
nastype = cisco
# login = !root
# password = someadminpas
}
Client RADIUS {
ipaddr = 172.30.1.10
# # secret and password are mapped through the "secrets" file.
secret = xxxxxx
shortname = RADIUS
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
nastype = cisco
# login = !root
# password = someadminpas
}
#######################################################################
#
# Per-socket client lists. The configuration entries are exactly
# the same as above, but they are nested inside of a section.
#
# You can have as many per-socket client lists as you have "listen"
# sections, or you can re-use a list among multiple "listen" sections.
#
# Un-comment this section, and edit a "listen" section to add:
# "clients = per_socket_clients". That IP address/port combination
# will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
# client 192.168.3.4 {
# secret = testing123
# }
#}
#client 172.30.153.20 {
# ipaddr = 172.30.153.20
# secret = xxxx
# nastype = cisco
#}
The output of the debug is the same i've sent.Thank you for your help
2009/3/24
<tnt@kalik.net>
Post the debug *and* clients.conf. Mask the passwords this time.
Ivan Kalik
Kalik Informatika ISP
>Excuse me, i know that it is that clients.conf the server is using because
>when i modify a client which appears in the debug output the server
>considers this changes and te debug output isn't the same
>
>2009/3/24 <
tnt@kalik.net>
>
>> >I've add other clients in the client .conf but when i debug the server
>> they
>> >don't appear in the output of radiusd -X. ii dont know why.
>> >
>>
>> Because that is not the file server is using. Read the debug - it lists
>> which clients.conf file server is reading. Edit that one.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>>
http://www.freeradius.org/list/users.html>>
>
>
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html