Re: the newbie on radiustesting strikes again
----- Original Message ----- From: "Ivan Kalik" <tnt@kalik.net> To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Subject: Re: the newbie on radiustesting strikes again Date: Sat, 19 Apr 2008 00:15:09 +0100
You need to sort out some basic things:
- your user sits at the laptop and connects to - what? What service is router controlling? A: to internett via the router for example What service is router controlling? A:The traffic through the DSL-modem (You mean to say: "Which service is the router controlling" or "Which service is routercontrolling" i.e. controlling the router?)
- your router is most likely the only (radius) client on your network. User machines should be removed from clients.conf. A:Remove all user machines Thus only one machine, the router, is to be defined as client client 192.168.0.1 { secret = testing123 shortname = asus-TL nastype = other # DLINK 635 Router }
- don't use Auth-Type and User-Password. Read instructions in users file. Documentation you got these entries from is years out of date. A: FreeRADIUS Version 1.0.4. - And this is a tricky part. If no Auth-Type and User-Password, should I apply Fall-Through instead to have a DEFAULT running?
Ican Kalik Kalik Informatika ISP
Dana 18/4/2008, "Si St" <sigbj-st@operamail.com> piše:
WILL THE DEFAULT ROUTER FIREWALL CONFIGURATION BELOW WORK WITH THE RADIUS? Below you have the default setup of my router firewall section. I have not changed anything there yet. Could the router firewall stay as this? I have been looking through the SuSE-firewall settings in YaST too, and cannot find anything that should interfere there. I would also expect an installation of radius to harmonize with the SuSEfirewall2 through the /sbin/SuSEconfig anyhow.
DOES THE ROUTER EAP CONFIGURATION BELOW LOOK RIGHT? Further, below you have also a proposal of how I would set up the radius-section of that router. The main thing here is to try to show if I really know what I am doing. The Shared Secret and user passwords are chosen in correspondance with my understanding of Alan DeKOKs answer of my first mails; I am here thinking of identity/password in YaST and secret in Router configs.
ANY FIRST-THOUGHT COMMENT ON MY clients.conf AND users? I have tested out the changes I have made of /etc/raddb/users and clients.conf, starting debugmode with radiusd -X. This in correspondance with Buxeys recommendations to further proceed into the Inner Circle of Radius.No errors or warnings,"Ready to process requests". (The only one I had was forgetting a comma previous to the Reply_Message line. And I outcommented consciously certain values to test out the messages of the radius debug). As to the recent back-and-forth writing on the mailing-list about the file- and directory permissions in /etc/raddb/certs and demoCA, I chose to stay with the proposal of Hood, letting the files stay 640 as they used to and changing the seemingly bad and wrong permissions of certs/ and demoCA/ from 640 to 750.
The next job is to work out the certificates, but here I have really good help by the stuff in /usr/share/doc/packages/freeradius/CA.certs, and I have already studied and tried out this part .
---------------------------------------- ROUTER FIREWALL SETTINGS ---------------------------------------- Enable SPI : YES
NAT ENDPOINT FILTERING UDP Endpoint Filtering Endpoint Independent: NO Address Restricted: YES Port And Address Restricted:NO
TCP Endpoint Filtering Endpoint Independent Address Restricted: NO Port And Address Restricted: YES
---------------------------------------- Radius configuration on the router EAP (802.1x) ---------------------------------------- Authentication Timeout : 60 (minutes) RADIUS server IP Address : 192.168.0.198 RADIUS server Port : 1812 RADIUS server Shared Secret : testing123 MAC Address Authentication : YES
------------------------------------------------- SuSE YaST setup for EAP-TLS ------------------------------------------------- machine/PC IP-address 192.168.0.198 Identity: sigbj Password: testing-0 Client-certificat: (file-address of this machine) Server-certificat: (file-address of this machine) ------------------------------------------------- machine/PC IP-address 192.168.0.196 Identity: elise Password: testing-2 Client-certificat: (file-address of this machine) Server-certificat: (file-address of this machine) ------------------------------------------------- (next machine,but now only WinOS: we have to do PEAP) ======================================== /etc/raddb/clients.conf -------------------------------------------- client 192.168.0.198 { secret = testing123 shortname = asus-TL nastype = other # SuSE 10.0_EAP-TLS; (WinXP_PEAP) -laptop }
client 192.168.0.197 { secret = testing123 shortname = hp-TL nastype = other # WinVista_PEAP -laptop }
client 192.168.0.196 { secret = testing123 shortname = loft-TL nastype = other # SLED SP1_EAP-TLS; WinXP_PEAP -workstation }
client 192.168.0.195 { secret = testing123 shortname = acer-TL nastype = other # WinXP_PEAP -laptop } ================================================================= /etc/raddb/users ----------------------------------------------------------------- sigbj Auth-Type := Local, User-Password == "testing-0" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.0.198, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-Filter-Id = "std.ppp", Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP, Reply-Message = "Welcome to The Inner Circle, %u"
andr Auth-Type := Local, User-Password == "testing-1" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.0.197, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-Filter-Id = "std.ppp", Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP, Reply-Message = "Welcome to The Inner Circle, %u"
elise Auth-Type := Local, User-Password == "testing-2" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.0.196, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-Filter-Id = "std.ppp", Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP, Reply-Message = "Welcome to The Inner Circle, %u"
ingv Auth-Type := Local, User-Password == "testing-3" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 192.168.0.195, Framed-IP-Netmask = 255.255.255.0, Framed-Routing = Broadcast-Listen, Framed-Filter-Id = "std.ppp", Framed-MTU = 1500, Framed-Compression = Van-Jacobsen-TCP-IP, Reply-Message = "Welcome to The Inner Circle, %u"
---------------------------------------------------------------
-- _______________________________________________ Surf the Web in a faster, safer and easier way: Download Opera 9 at http://www.opera.com
Powered by Outblaze
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- _______________________________________________ Surf the Web in a faster, safer and easier way: Download Opera 9 at http://www.opera.com Powered by Outblaze
You need to sort out some basic things:
- your user sits at the laptop and connects to - what? What service is router controlling? A: to internett via the router for example What service is router controlling? A:The traffic through the DSL-modem (You mean to say: "Which service is the router controlling" or "Which service is routercontrolling" i.e. controlling the router?)
OK. But how are they going to connect to the router? You are mentioning PEAP, so I assume that router does support EAP (WPA-Enterprise)? For wireless clients. Will there be wired clients? Can their access be controlled?
- your router is most likely the only (radius) client on your network. User machines should be removed from clients.conf. A:Remove all user machines Thus only one machine, the router, is to be defined as client client 192.168.0.1 { secret = testing123 shortname = asus-TL nastype = other # DLINK 635 Router }
That should be fine now.
- don't use Auth-Type and User-Password. Read instructions in users file. Documentation you got these entries from is years out of date.
A: FreeRADIUS Version 1.0.4. - And this is a tricky part. If no Auth-Type and User-Password, should I apply Fall-Through instead to have a DEFAULT running?
OK, disregard what I said. You are using version that is years out of date, so those entries are likely to be correct. Just check that you can disable DHCP on the router and hand IPs via radius. If you upgrade to current version certificates will be created for you. Even if you don't want to upgrade you can download 2.0.3 and use it to generate certificates that you can use in 1.0.4. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Ivan Kalik -
Si St