the newbie on radiustesting strikes again

Ivan Kalik tnt at kalik.net
Sat Apr 19 01:15:09 CEST 2008


You need to sort out some basic things:

- your user sits at the laptop and connects to - what? What service is
router controlling?

- your router is most likely the only (radius) client on your network.
User machines should be removed from clients.conf.

- don't use Auth-Type and User-Password. Read instructions in users
file. Documentation you got these entries from is years out of date.

Ivan Kalik
Kalik Informatika ISP
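The two config points above, restated as file fragments. This is an added example, not part of Ivan's reply or of the files quoted further down; the router's LAN address and the shared secret are marked as assumed because the post does not give the router's address and "testing123" is only the stock example secret.

```conf
# Added example (not from the list post): clients.conf and users written
# the way the reply above recommends. Values marked ASSUMED are placeholders.

# --- /etc/raddb/clients.conf ---
# Only the NAS (the router doing 802.1X/EAP) sends RADIUS packets to the
# server, so it is the only client entry. The laptops and workstations are
# 802.1X supplicants, not RADIUS clients, and must not be listed here.
client 192.168.0.1 {                       # ASSUMED: the router's LAN address
        secret          = ASSUMED-long-random-secret   # must equal the router's "Shared Secret" field
        shortname       = router
        nastype         = other
}

# --- /etc/raddb/users ---
# The check item is Cleartext-Password; the server then chooses the
# authentication method (PAP, CHAP, MS-CHAPv2 inside PEAP, ...) by itself.
# "Auth-Type := Local, User-Password == ..." is the deprecated form the reply
# refers to. The Framed-* items from the quoted file are PPP dial-up reply
# attributes; an 802.1X NAS does not use them, and the addresses given there
# are the supplicants' own addresses anyway, so they are left out.
sigbj   Cleartext-Password := "testing-0"
        Reply-Message = "Welcome to The Inner Circle, %{User-Name}"

andr    Cleartext-Password := "testing-1"
        Reply-Message = "Welcome to The Inner Circle, %{User-Name}"

elise   Cleartext-Password := "testing-2"
        Reply-Message = "Welcome to The Inner Circle, %{User-Name}"

ingv    Cleartext-Password := "testing-3"
        Reply-Message = "Welcome to The Inner Circle, %{User-Name}"
```

For the EAP-TLS machines the client certificate authenticates the user and the password line is not consulted; the password lines matter for the PEAP (MS-CHAPv2) Windows clients, which is also why the password has to be stored as Cleartext-Password (or NT-Password) rather than in a hash MS-CHAPv2 cannot verify against. After editing either file, restart with `radiusd -X` as in the post and watch for the "Ready to process requests" line.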


On 18/4/2008, "Si St" <sigbj-st at operamail.com> writes:

>WILL THE DEFAULT ROUTER FIREWALL CONFIGURATION BELOW WORK WITH THE RADIUS?
>Below you have the default setup of my router firewall section. I have not changed anything there yet. Could the router firewall stay as it is? I have been looking through the SuSE-firewall settings in YaST too, and cannot find anything that should interfere there. I would also expect an installation of radius to harmonize with the SuSEfirewall2 through the /sbin/SuSEconfig anyhow.
>
>DOES THE ROUTER EAP CONFIGURATION BELOW LOOK RIGHT?
>Further, below you have also a proposal of how I would set up the radius section of that router. The main thing here is to try to show if I really know what I am doing. The Shared Secret and user passwords are chosen in correspondence with my understanding of Alan DeKok's answer to my first mails; I am here thinking of identity/password in YaST and secret in Router configs.
>
>ANY FIRST-THOUGHT COMMENT ON MY clients.conf AND users?
>I have tested out the changes I have made to /etc/raddb/users and clients.conf, starting debug mode with radiusd -X. This in correspondence with Buxey's recommendations to further proceed into the Inner Circle of Radius. No errors or warnings, "Ready to process requests". (The only one I had was forgetting a comma before the Reply-Message line. And I consciously commented out certain values to test out the messages of the radius debug). As to the recent back-and-forth writing on the mailing list about the file and directory permissions in /etc/raddb/certs and demoCA, I chose to stay with the proposal of Hood, letting the files stay 640 as they used to and changing the seemingly bad and wrong permissions of certs/ and demoCA/ from 640 to 750.
>
>The next job is to work out the certificates, but here I have really good help from the stuff in /usr/share/doc/packages/freeradius/CA.certs, and I have already studied and tried out this part.
>
>/*But first - if you may - take a look at the matter below, and by the way it is Friday evening, at least in Norway now, and you may make yourselves a good sharp drink to have that burning sensation of exploring newbie crap with "failed", "errors", "really bad code, how is it possible to scribble so much sh.", "God, do you really need to fill up our servers with so much unnecessary writing", and so on. But don't spill the booze on your keyboards, especially if you have those laptops; it is a hell of a job to unscrew it, dry it up, and finally realize that those plastic screw-holes do not fit so tight anymore.
>- Thanks people, so far! */
>
>----------------------------------------
>ROUTER FIREWALL SETTINGS
>----------------------------------------
> Enable SPI : YES
>
> NAT ENDPOINT FILTERING
>  UDP Endpoint Filtering
>   Endpoint Independent: NO
>   Address Restricted: YES
>   Port And Address Restricted:NO
>
>  TCP Endpoint Filtering
>   Endpoint Independent
>   Address Restricted: NO
>   Port And Address Restricted: YES
>
>----------------------------------------
>Radius configuration on the router
>EAP (802.1x)
>----------------------------------------
>Authentication Timeout : 60 (minutes)
>RADIUS server IP Address : 192.168.0.198
>RADIUS server Port : 1812
>RADIUS server Shared Secret : testing123
>MAC Address Authentication : YES
>
>-------------------------------------------------
>SuSE YaST setup for EAP-TLS
>-------------------------------------------------
>machine/PC IP-address 192.168.0.198
>Identity: sigbj
>Password: testing-0
>Client-certificat: (file-address of this machine)
>Server-certificat: (file-address of this machine)
>-------------------------------------------------
>machine/PC IP-address 192.168.0.196
>Identity: elise
>Password: testing-2
>Client-certificat: (file-address of this machine)
>Server-certificat: (file-address of this machine)
>-------------------------------------------------
>(next machine,but now only WinOS: we have to do PEAP)
>========================================
>/etc/raddb/clients.conf
>--------------------------------------------
>client 192.168.0.198 {
>        secret          = testing123
>        shortname       = asus-TL
>        nastype         = other
># SuSE 10.0_EAP-TLS; (WinXP_PEAP) -laptop
>}
>
>client 192.168.0.197 {
>        secret          = testing123
>        shortname       = hp-TL
>        nastype         = other
># WinVista_PEAP -laptop
>}
>
>client 192.168.0.196 {
>        secret          = testing123
>        shortname       = loft-TL
>        nastype         = other
># SLED SP1_EAP-TLS; WinXP_PEAP -workstation
>}
>
>client 192.168.0.195 {
>        secret          = testing123
>        shortname       = acer-TL
>        nastype         = other
># WinXP_PEAP -laptop
>}
>=================================================================
>/etc/raddb/users
>-----------------------------------------------------------------
>sigbj   Auth-Type := Local, User-Password == "testing-0"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.198,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>andr    Auth-Type := Local, User-Password == "testing-1"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.197,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>elise   Auth-Type := Local, User-Password == "testing-2"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.196,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>ingv    Auth-Type := Local, User-Password == "testing-3"
>        Service-Type = Framed-User,
>        Framed-Protocol = PPP,
>        Framed-IP-Address = 192.168.0.195,
>        Framed-IP-Netmask = 255.255.255.0,
>        Framed-Routing = Broadcast-Listen,
>        Framed-Filter-Id = "std.ppp",
>        Framed-MTU = 1500,
>        Framed-Compression = Van-Jacobsen-TCP-IP,
>        Reply-Message = "Welcome to The Inner Circle, %u"
>
>---------------------------------------------------------------