the newbie on radiustesting strikes again
Si St
sigbj-st at operamail.com
Sat Apr 19 15:21:41 CEST 2008
> ----- Original Message -----
> From: "Ivan Kalik" <tnt at kalik.net>
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Subject: Re: the newbie on radiustesting strikes again
> Date: Sat, 19 Apr 2008 00:15:09 +0100
>
>
> You need to sort out some basic things:
>
> - your user sits at the laptop and connects to - what? What service is
> router controlling?
A: To the internet via the router, for example.
What service is the router controlling?
A: The traffic through the DSL modem. (Do you mean to say "Which service is the router controlling", or "Which service is router-controlling", i.e. controlling the router?)
>
> - your router is most likely the only (radius) client on your network.
> User machines should be removed from clients.conf.
A: Remove all user machines.
Thus only one machine, the router, is to be defined as a client:
client 192.168.0.1 {
secret = testing123
shortname = asus-TL
nastype = other
# DLINK 635 Router
}
>
> - don't use Auth-Type and User-Password. Read instructions in users
> file. Documentation you got these entries from is years out of date.
A: FreeRADIUS Version 1.0.4. And this is a tricky part.
Without Auth-Type and User-Password, should I apply Fall-Through instead
to have a DEFAULT running?
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 18/4/2008, "Si St" <sigbj-st at operamail.com> writes:
>
> > WILL THE DEFAULT ROUTER FIREWALL CONFIGURATION BELOW WORK WITH THE RADIUS?
> > Below you have the default setup of my router firewall section. I
> > have not changed anything there yet. Could the router firewall
> > stay as it is? I have been looking through the SuSE-firewall
> > settings in YaST too, and cannot find anything that should
> > interfere there. I would also expect an installation of radius to
> > harmonize with SuSEfirewall2 through /sbin/SuSEconfig
> > anyhow.
> >
> > DOES THE ROUTER EAP CONFIGURATION BELOW LOOK RIGHT?
> > Further, below you also have a proposal for how I would set up the
> > radius section of that router. The main thing here is to try to
> > show whether I really know what I am doing. The Shared Secret and user
> > passwords are chosen in correspondence with my understanding of
> > Alan DeKok's answer to my first mails; I am here thinking of
> > identity/password in YaST and secret in the router configs.
> >
> > ANY FIRST-THOUGHT COMMENT ON MY clients.conf AND users?
> > I have tested out the changes I have made to /etc/raddb/users and
> > clients.conf, starting debug mode with radiusd -X. This is in
> > correspondence with Buxey's recommendations to proceed further
> > into the Inner Circle of Radius. No errors or warnings, "Ready to
> > process requests". (The only one I had was forgetting a comma
> > before the Reply-Message line. And I deliberately commented
> > out certain values to test out the messages of the radius
> > debug.) As to the recent back-and-forth writing on the
> > mailing list about the file and directory permissions in
> > /etc/raddb/certs and demoCA, I chose to stay with the proposal of
> > Hood, letting the files stay 640 as they used to and changing the
> > seemingly bad and wrong permissions of certs/ and demoCA/ from
> > 640 to 750.
> >
> > The next job is to work out the certificates, but here I have
> > really good help from the material in
> > /usr/share/doc/packages/freeradius/CA.certs, and I have already
> > studied and tried out this part.
> >
> >
> > ----------------------------------------
> > ROUTER FIREWALL SETTINGS
> > ----------------------------------------
> > Enable SPI : YES
> >
> > NAT ENDPOINT FILTERING
> > UDP Endpoint Filtering
> > Endpoint Independent: NO
> > Address Restricted: YES
> > Port And Address Restricted: NO
> >
> > TCP Endpoint Filtering
> > Endpoint Independent
> > Address Restricted: NO
> > Port And Address Restricted: YES
> >
> > ----------------------------------------
> > Radius configuration on the router
> > EAP (802.1x)
> > ----------------------------------------
> > Authentication Timeout : 60 (minutes)
> > RADIUS server IP Address : 192.168.0.198
> > RADIUS server Port : 1812
> > RADIUS server Shared Secret : testing123
> > MAC Address Authentication : YES
> >
> > -------------------------------------------------
> > SuSE YaST setup for EAP-TLS
> > -------------------------------------------------
> > machine/PC IP-address 192.168.0.198
> > Identity: sigbj
> > Password: testing-0
> > Client-certificate: (file-address of this machine)
> > Server-certificate: (file-address of this machine)
> > -------------------------------------------------
> > machine/PC IP-address 192.168.0.196
> > Identity: elise
> > Password: testing-2
> > Client-certificate: (file-address of this machine)
> > Server-certificate: (file-address of this machine)
> > -------------------------------------------------
> > (next machine, but now only WinOS: we have to do PEAP)
> > ========================================
> > /etc/raddb/clients.conf
> > --------------------------------------------
> > client 192.168.0.198 {
> > secret = testing123
> > shortname = asus-TL
> > nastype = other
> > # SuSE 10.0_EAP-TLS; (WinXP_PEAP) -laptop
> > }
> >
> > client 192.168.0.197 {
> > secret = testing123
> > shortname = hp-TL
> > nastype = other
> > # WinVista_PEAP -laptop
> > }
> >
> > client 192.168.0.196 {
> > secret = testing123
> > shortname = loft-TL
> > nastype = other
> > # SLED SP1_EAP-TLS; WinXP_PEAP -workstation
> > }
> >
> > client 192.168.0.195 {
> > secret = testing123
> > shortname = acer-TL
> > nastype = other
> > # WinXP_PEAP -laptop
> > }
> > =================================================================
> > /etc/raddb/users
> > -----------------------------------------------------------------
> > sigbj Auth-Type := Local, User-Password == "testing-0"
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-IP-Address = 192.168.0.198,
> > Framed-IP-Netmask = 255.255.255.0,
> > Framed-Routing = Broadcast-Listen,
> > Framed-Filter-Id = "std.ppp",
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobsen-TCP-IP,
> > Reply-Message = "Welcome to The Inner Circle, %u"
> >
> > andr Auth-Type := Local, User-Password == "testing-1"
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-IP-Address = 192.168.0.197,
> > Framed-IP-Netmask = 255.255.255.0,
> > Framed-Routing = Broadcast-Listen,
> > Framed-Filter-Id = "std.ppp",
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobsen-TCP-IP,
> > Reply-Message = "Welcome to The Inner Circle, %u"
> >
> > elise Auth-Type := Local, User-Password == "testing-2"
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-IP-Address = 192.168.0.196,
> > Framed-IP-Netmask = 255.255.255.0,
> > Framed-Routing = Broadcast-Listen,
> > Framed-Filter-Id = "std.ppp",
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobsen-TCP-IP,
> > Reply-Message = "Welcome to The Inner Circle, %u"
> >
> > ingv Auth-Type := Local, User-Password == "testing-3"
> > Service-Type = Framed-User,
> > Framed-Protocol = PPP,
> > Framed-IP-Address = 192.168.0.195,
> > Framed-IP-Netmask = 255.255.255.0,
> > Framed-Routing = Broadcast-Listen,
> > Framed-Filter-Id = "std.ppp",
> > Framed-MTU = 1500,
> > Framed-Compression = Van-Jacobsen-TCP-IP,
> > Reply-Message = "Welcome to The Inner Circle, %u"
> >
> > ---------------------------------------------------------------
> >
> >
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
_______________________________________________
Surf the Web in a faster, safer and easier way:
Download Opera 9 at http://www.opera.com
Powered by Outblaze
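What radtest (and the router, as the NAS) actually does with the shared secret from clients.conf, as an added example that is not part of this thread and is not FreeRADIUS code: a pure-Python RFC 2865 PAP Access-Request / Access-Accept exchange, with the server side looking the client up by source address the way clients.conf is used. The client table, the user entry and the addresses are constructed to match the thread; the example models only the non-EAP (PAP) path, so it says nothing about EAP-TLS or PEAP, which never carry User-Password. It shows why only the NAS belongs in clients.conf: whoever holds the secret can both decrypt User-Password and forge a valid Access-Accept, so listing the laptops there only widens who holds it, and a secret such as testing123 (the value shipped in the default clients.conf) should be replaced with a unique one per NAS.

```python
"""Minimal RFC 2865 PAP exchange: what radtest/the NAS and the server do
with the shared secret.  Added example, not FreeRADIUS code; all data below
is constructed to mirror the thread."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18

# Constructed equivalents of clients.conf (the router only) and users.
CLIENTS = {"192.168.0.1": b"testing123"}   # NAS address -> shared secret
USERS = {"sigbj": b"testing-0"}            # user name   -> cleartext password


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple; each block is XORed with
    MD5(secret + previous ciphertext block), the first with the Request
    Authenticator.  Anyone holding the secret reverses this."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value, length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(username: str, password: str, secret: bytes, ident: int = 1):
    """Client side (what radtest sends).  Returns the packet and the random
    Request Authenticator the client must remember to verify the reply."""
    ra = os.urandom(16)
    body = encode_attrs([(ATTR_USER_NAME, username.encode()),
                         (ATTR_USER_PASSWORD, encode_password(password.encode(), secret, ra))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body, ra


def server_handle(packet: bytes, src_ip: str):
    """Server side: find the NAS by source address (clients.conf), recover the
    password with that NAS's secret, check users, and sign the reply with
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return None                      # unknown client: FreeRADIUS drops it
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    if USERS.get(user) == password:
        code = ACCESS_ACCEPT
        body = encode_attrs([(ATTR_REPLY_MESSAGE, b"Welcome to The Inner Circle, " + user.encode())])
    else:
        code, body = ACCESS_REJECT, b""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + ra + body + secret).digest() + body


def verify_response(resp: bytes, ra: bytes, secret: bytes) -> bool:
    """Client side: a reply only verifies if both ends share the same secret."""
    return hashlib.md5(resp[:4] + ra + resp[20:] + secret).digest() == resp[4:20]


def radtest(username: str, password: str, secret: bytes, src_ip: str = "192.168.0.1") -> str:
    """Run one exchange in-process and report the outcome like radtest would."""
    req, ra = build_access_request(username, password, secret)
    resp = server_handle(req, src_ip)
    if resp is None:
        return "no reply (client not in clients.conf)"
    if not verify_response(resp, ra, secret):
        return "bad Response Authenticator (shared secret mismatch)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}[resp[0]]


if __name__ == "__main__":
    print(radtest("sigbj", "testing-0", b"testing123"))
    print(radtest("sigbj", "testing-0", b"testing123", src_ip="192.168.0.198"))
    print(radtest("sigbj", "testing-0", b"wrong-secret"))
```

The second call is the situation Ivan describes: a request from a laptop that is not the NAS gets no reply at all, which is also what a real server does for a source address missing from clients.conf. The third shows the symptom of a wrong secret: the password decrypts to garbage, the server rejects, and the client cannot even verify the reply.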