My radius.conf is what was installed as default. Q1? Do I need to add anything other than the below to client.conf?
In my client.conf I've added: # Test on cisco 2801 router(internal ip of router) client 192.168.135.3 { secret =xxxxxxx shortname =myrouter nastype =cisco }
I believe the relavent part of the users file is:
DEFAULT Auth-Type = System Fall-Through = 1
and
DEFAULT Service-Type == Framed-User Framed-IP-Address = 255.255.255.254, Framed-MTU = 576, Service-Type = Framed-User, Fall-Through = Yes
Notes I've read say to change this to 255.255.255.255 ??
That looks fine. Notes are likely about the netmask not IP address.
Q2? I believe I also need to add something similar to the below in the users file?
youruser Cleartext-Password := "somepass" Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"
Remove the password. You said that it will be stored in /etc/passwd. If you put the password here you dont need /etc/passwd check (Auth-Type System) at all.
Q3? Does "youruser" and "somepass" need to be a valid user from /etc/passwd? I'm unclear if there is a link between users in this file and valid users in /etc/passwd of the linux box.
Link is the username. You want to store password in /etc/passwd and reply attributes in users file.
My cisco 2801 currently has info like: aaa new-model ! ! aaa authentication login default local aaa authorization exec default local if-authenticated aaa authorization network default local ! aaa session-id common ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group VPNCLIENTS key xxxxxxx dns 192.168.135.15 domain xxxxxxx.com pool CLIENTPOOL acl 150 netmask 255.255.255.0 crypto isakmp profile IKE1 match identity group VPNCLIENTS client authentication list default isakmp authorization list default client configuration address respond !
Q4? Do I need to remove any of this info, or just replace the stuff at the top with something like:
aaa new-model aaa authentication login default group radius local aaa authentication login localauth local aaa authentication ppp default if-needed group radius local aaa authorization exec default group radius local aaa authorization network default group radius local aaa accounting delay-start aaa accounting exec default start-stop group radius aaa accounting network default start-stop group radius aaa processes 6 aaa accounting delay-start
This is from here: http://wiki.freeradius.org/Cisco
Q5? Do I also need a line similar to below on the cisco? radius-server host 192.168.135.3 radius-server key xxxx radius-server auth-port 1812
That IP address is the same as the one for the router. That can't be correct - linux box IP should go here. You have not set up accounting - and that was the whole point of this exercise. Add that. If radius IP is also on the private subnet it's quite likely that you wont have to force the router to use the IP address defined in clients.conf - it should select it on it's own. If it doesn't you can force radius source interface in router config. Ivan Kalik Kalik Informatika ISP