clients.conf
Peter Carlstedt
pc_007 at hotmail.com
Thu Nov 12 09:27:27 CET 2009
Hello everyone again!
Well as you may understand from the Subject I have a question about how clients.conf works.
I´ve read the documentation in the file about how to add a client but when i tired to add another client it stoped working.
I will try to explain how I have setup the network.
I have one radius server connected to a Netgear wired switch, from that switch I have a AP(Mikrotik) connected. What I am trying to do is to add the Mikrotik into the clients.conf file but when I do i get an error at startup(dont remember the error message). Right now im instead using
client 192.168.118.0/24{
} which accepts all NASes in the subnet.
What i wrote in clients.conf before i changed to include a whole subnet is:
client Netgear{
ipaddr = x.x.x.x
netmask = 24
secret = xxxxxx
require_message_authentication = no
}
client Mikrotik {
ipaddr = x.x.x.x
netmask = 24
secret = xxxxxxx
require_message_authentication = no
}
What I am wondering about is if I have done a correct setup when trying to add several stand alone clients?
Best regards/ Peter
> From: freeradius-users-request at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 55, Issue 52
> To: freeradius-users at lists.freeradius.org
> Date: Thu, 12 Nov 2009 08:43:56 +0100
>
> Send Freeradius-Users mailing list submissions to
> freeradius-users at lists.freeradius.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freeradius.org/mailman/listinfo/freeradius-users
> or, via email, send a message with subject or body 'help' to
> freeradius-users-request at lists.freeradius.org
>
> You can reach the person managing the list at
> freeradius-users-owner at lists.freeradius.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Freeradius-Users digest..."
>
>
> Today's Topics:
>
> 1. Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> (Ivan Kalik)
> 2. Re: I need some help with freeradius 2.0.4 (Wagner Pereira)
> 3. Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> (Wagner Pereira)
> 4. Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> (tnt at kalik.net)
> 5. SSL renegotiation ? (John)
> 6. Re: FreeRadius with 3COM (Guk Victor)
> 7. Microsoft: SmardCard or Certificate Auth (swatzy)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 11 Nov 2009 19:30:35 +0000
> From: Ivan Kalik <tnt at kalik.net>
> Subject: Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4AFB10DB.7040106 at kalik.net>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Wagner Pereira wrote:
> > Dear colleagues,
> >
> > I am introducing now a new information. Below is what is declared into my IOS -
> > Cisco 6500. Is this correct?
> >
> Why don't you just read the cisco wiki page.
>
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> ------------------------------
>
> Message: 2
> Date: Wed, 11 Nov 2009 17:42:15 -0200
> From: Wagner Pereira <wpereira at pop-sp.rnp.br>
> Subject: Re: I need some help with freeradius 2.0.4
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4AFB1397.9000002 at pop-sp.rnp.br>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Ok, Ivan. I guess I removed that HTML craps now : )
>
> Below is my new radgroupreply:
>
> mysql> select * from radgroupreply;
> +----+-----------+---------------+----+-----------------------+------+
> | id | groupname | attribute | op | value | Prio |
> +----+-----------+---------------+----+-----------------------+------+
> | 3 | pop-sp | Service-Type | := | NAS-Prompt-User | |
> | 5 | reject | reply-message | := | Autentica??o recusada | NULL |
> +----+-----------+---------------+----+-----------------------+------+
> 2 rows in set (0.00 sec)
>
> Hugs,
>
> --
>
> Wagner Pereira
>
> PoP-SP/RNP - Ponto de Presen?a da RNP em S?o Paulo
> CCE/USP - Centro de Computa??o Eletr?nica da Universidade de S?o Paulo
> http://www.pop-sp.rnp.br
> (11) 3091-8902
>
>
>
> tnt at kalik.net escreveu:
> >> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> >>
> >
> > Enough with that HTML!!!! It produces extraordinary ammount of crap as you
> > can see:
> >
> >
> >> I did what you recommended (I guess). See below:<br>
> >>
> >
> > No, you didn't. But getting closer.
> >
> >> | 1 | pop-sp | Framed-Compression | := |
> >> Van-Jacobson-TCP-IP
> >>
> >
> > Remove *all* Framed attributes.
> >
> >
> >> | 3 | pop-sp |
> >> Service-Type | := |
> >> NAS-Prompt
> >> | | <br>
> >>
> >
> > That should be NAS-Prompt-User.
> >
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> >
>
>
> ------------------------------
>
> Message: 3
> Date: Wed, 11 Nov 2009 17:57:18 -0200
> From: Wagner Pereira <wpereira at pop-sp.rnp.br>
> Subject: Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <4AFB171E.4010105 at pop-sp.rnp.br>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Ivan,
>
> I already read the Cisco wiki page and I implemented what they
> recommend, but it's not working yet.
>
> --
>
> Wagner Pereira
>
> PoP-SP/RNP - Ponto de Presen?a da RNP em S?o Paulo
> CCE/USP - Centro de Computa??o Eletr?nica da Universidade de S?o Paulo
> http://www.pop-sp.rnp.br
> (11) 3091-8902
>
>
>
> Ivan Kalik escreveu:
> > Wagner Pereira wrote:
> >> Dear colleagues,
> >>
> >> I am introducing now a new information. Below is what is declared
> >> into my IOS - Cisco 6500. Is this correct?
> >>
> > Why don't you just read the cisco wiki page.
> >
> >
> > Ivan Kalik
> > Kalik Informatika ISP
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 11 Nov 2009 22:01:33 -0000 (UTC)
> From: tnt at kalik.net
> Subject: Re: [Fwd: Re: [Fwd: I need some help with freeradius 2.0.4]]
> To: "FreeRadius users mailing list"
> <freeradius-users at lists.freeradius.org>
> Message-ID: <49743.87.194.16.13.1257976893.squirrel at www.kalik.net>
> Content-Type: text/plain;charset=iso-8859-1
>
> > I already read the Cisco wiki page and I implemented what they
> > recommend, but it's not working yet.
>
> Does the debug now show Nas-Prompt-User in Access-Accept packet? If it
> does - it's some problem on the router - debug ip ssh.
>
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
>
> ------------------------------
>
> Message: 5
> Date: Thu, 12 Nov 2009 11:01:44 +0800 (CST)
> From: John <elmer_radius at yahoo.com.cn>
> Subject: SSL renegotiation ?
> To: freeradius-users at lists.freeradius.org
> Message-ID: <145589.77590.qm at web15706.mail.cnb.yahoo.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
> I found??a new man-in-the-middle attack with SSL.? http://www.sslshopper.com/article-ssl-and-tls-renegotiation-vulnerability-discovered.html
> ?
> I am afraid if freeRADIUS use SSL renegotiation?? The freeRADIUS version is 1.1.6. We use EAP-TLS and the backend OpenLDAP server with TLS connection.?
> Does??freeRADIUS use SSL renegotiation ?
> ?
> Thanks.
> John
>
>
> ___________________________________________________________
> ?????????????????
> http://card.mail.cn.yahoo.com/
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20091112/e7a9b9df/attachment.html>
>
> ------------------------------
>
> Message: 6
> Date: Thu, 12 Nov 2009 08:34:19 +0200
> From: Guk Victor <v.guk at zaz.zp.ua>
> Subject: Re: FreeRadius with 3COM
> To: freeradius-users at lists.freeradius.org
> Message-ID: <4AFBAC6B.4050607 at zaz.zp.ua>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
> > Hi All, thanks. Now the 3COM is authenticationing on freeradius. But i
> > don?t know how to set diferent priorities to users; My 3COM is 4210
> > and have 3 levels of priority. Does anybody know how to send the level
> > of priority by freeradius? Thanks.
> If I got it right you, you need access to the switch for a management:
> console, telnet, web. Then do the following:
> #
> local-user admin
> password simple YOUR_PASSWPRD
> service-type ssh telnet terminal
> level 3
> #
> user-interface aux 0 7
> authentication-mode password
> set authentication password simple YOUR_PASSWPRD
> user-interface vty 0 4
> authentication-mode password
> user privilege level 3
> set authentication password simple YOUR_PASSWPRD
> #
>
>
> ------------------------------
>
> Message: 7
> Date: Wed, 11 Nov 2009 23:43:49 -0800 (PST)
> From: swatzy <fernando.calvelo at esrf.fr>
> Subject: Microsoft: SmardCard or Certificate Auth
> To: freeradius-users at lists.freeradius.org
> Message-ID: <26280525.post at talk.nabble.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> Hi:
>
> I'm trying to configure a FreeRadius server to perform a certification
> authentication from a Windows Laptop.
> I have follow the steps at
> http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline
> But when I try to do the connection, it never ends... and I get peridical
> messeges at the FreeRadius server ouput in this way...
>
> rad_recv: Access-Request packet from host 160.103.180.252:32769, id=0,
> length=176
> User-Name = "radiusserv"
> Calling-Station-Id = "00-1d-e0-7f-c7-bd"
> Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
> NAS-Port = 13
> NAS-IP-Address = 160.103.180.252
> NAS-Identifier = "wlc01"
> Airespace-Wlan-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "82"
> EAP-Message = 0x0202000f0172616469757373657276
> Message-Authenticator = 0x978d232412c863306539d3ad92c9d6b8
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> users: Matched entry DEFAULT at line 179
> modcall[authorize]: module "files" returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: leaving group authenticate (returns handled) for request 0
> Sending Access-Challenge of id 0 to 160.103.180.252 port 32769
> EAP-Message = 0x010300060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xc321c12ede0c59624273d465195058be
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 160.103.180.252:32769, id=1,
> length=300
> User-Name = "radiusserv"
> Calling-Station-Id = "00-1d-e0-7f-c7-bd"
> Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
> NAS-Port = 13
> NAS-IP-Address = 160.103.180.252
> NAS-Identifier = "wlc01"
> Airespace-Wlan-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "82"
> EAP-Message =
> 0x020300790d800000006f160301006a0100006603014af93134b45308b2252422bb395d6ce641bfdc48695e46696178ab4d4b407442000018002f00350005000ac009c00ac013c0140032003800130004010000250000000f000d00000a72616469757373657276000a00080006001700180019000b00020100
> State = 0xc321c12ede0c59624273d465195058be
> Message-Authenticator = 0x209186e1eb149efd3ce2e8796100a977
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> users: Matched entry DEFAULT at line 179
> modcall[authorize]: module "files" returns ok for request 1
> modcall: leaving group authorize (returns ok) for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 006a], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0283], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0085], CertificateRequest
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 1
> modcall: leaving group authenticate (returns handled) for request 1
> Sending Access-Challenge of id 1 to 160.103.180.252 port 32769
> EAP-Message =
> 0x0104036b0d8000000361160301004a0200004603014af93134a0ad2fc9103447a6a53e1bd7b8e1a2581b8e10093af80ed2eb04a3b420561e9f8d80da1f899a98dce9e25e4ee70e780ba01becdc9ba1deb915f60224a4002f0016030102830b00027f00027c00027930820275308201dea003020102020100300d06092a864886f70d01010505003074310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e6672
> EAP-Message =
> 0x301e170d3039313130333136353833315a170d3130313130333136353833315a3074310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e667230819f300d06092a864886f70d010101050003818d0030818902818100b8fd3330a5f8ed59944b0ab8f162332223f749059609e5dd68c5efeced0434e500b7178aa3d9ffe32679034200952f14c64f321c851ee7254e78210ad1b8b0420980fb43fa1adf2f89b8
> EAP-Message =
> 0x56fadc8092ef42b1f507a02fc81ab60ed258c3fb079f8d709d8821164011516b7d4d4589ff86306ce61f98130a360ebb3182983900c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810091d8dca090d57b08a7731dd90db757ed0da0e534cfda5565b6220528e37edadf12944d2fc1c6398e418a99b636904e2b1c4152f614bc5f0b3c4309cf264f27b794e28242ee02bb6ea48d0e3b1440b69ad926bb080ccebc20c3f1ef3b23a9e7868b2a86303b82ee891e9829dd1d6750837c8d533df59899ddaf9c2350b46992ae16030100850d00007d020102007800763074310b3009
> EAP-Message =
> 0x060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e66720e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xa8f213a60ac152b2e7e42048e94461f9
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 160.103.180.252:32769, id=2,
> length=185
> User-Name = "radiusserv"
> Calling-Station-Id = "00-1d-e0-7f-c7-bd"
> Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
> NAS-Port = 13
> NAS-IP-Address = 160.103.180.252
> NAS-Identifier = "wlc01"
> Airespace-Wlan-Id = 6
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "82"
> EAP-Message = 0x020400060d00
> State = 0xa8f213a60ac152b2e7e42048e94461f9
> Message-Authenticator = 0xe9f04c151b954deb2b5e5c1ca7032f53
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> modcall[authorize]: module "preprocess" returns ok for request 2
> modcall[authorize]: module "chap" returns noop for request 2
> modcall[authorize]: module "mschap" returns noop for request 2
> rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 2
> users: Matched entry DEFAULT at line 179
> modcall[authorize]: module "files" returns ok for request 2
> modcall: leaving group authorize (returns ok) for request 2
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 2
> modcall: leaving group authenticate (returns handled) for request 2
> Sending Access-Challenge of id 2 to 160.103.180.252 port 32769
> EAP-Message = 0x0105000a0d8000000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x09770a67d71842c41d63756db81b29fc
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> -------------------------------------
>
> Any ideas what i'm doing wrong?
> --
> View this message in context: http://old.nabble.com/Microsoft%3A-SmardCard-or-Certificate-Auth-tp26280525p26280525.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
>
>
>
> ------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
> End of Freeradius-Users Digest, Vol 55, Issue 52
> ************************************************
_________________________________________________________________
Windows Live: Friends get your Flickr, Yelp, and Digg updates when they e-mail you.
http://www.microsoft.com/middleeast/windows/windowslive/see-it-in-action/social-network-basics.aspx?ocid=PID23461::T:WLMTAGL:ON:WL:en-xm:SI_SB_3:092010
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20091112/92a50f05/attachment.html>
More information about the Freeradius-Users
mailing list